Choosing the best firewall for your specific environment requires knowledge of firewall options and understanding of the security needs of your network environment. Automatically selecting the most expensive option, the least expensive one, or an open-source solution fails to properly assess the situation. Firewalls are essential elements of security. It would be careless to select a product without due diligence.

Before you research and evaluate firewalls, you should make sure that your organization has created a written security policy. You would then select the firewall that can fulfill and comply with the policy.

The basic concept of any firewall is the same, so you should evaluate a firewall based on the level of security and features it offers. First and foremost, the firewall should be able to fulfill and comply with your security policy. Some other characteristics to consider are:

• Security assurance—Independent assurance that the relevant firewall technology meets its specifications.
• Privilege control—The degree to which the product can impose user access restrictions.
• Authentication—The ability to authenticate clients and allow different types of access control for different users.
• Audit capabilities—The ability to monitor network traffic, generate logs, and provide statistical reports. Logs may include both authorized traffic and unauthorized attempts and may be able to trigger alarms in response to certain events.

When considering the features, consider the product’s ability to meet the needs of the organization. A good firewall product should provide:

• Flexibility—The firewall should be open enough to accommodate the security policy of your organization, as well as allow for changes. Security policies can change, and security procedures should be able to change and adapt to those different needs.
• Performance—A firewall should be fast enough that users do not notice the screening of packets. The volume of data throughput and transmission speed associated with the product should be reasonable and consistent with the organization’s network bandwidth to the Internet.
• Scalability—Firewalls should be able to handle additional workload. The additional workload can be due to growth within the organization or due to increased use of the Internet connection.

When considering integrated features, consider the ability of the firewall to meet your network and users’ needs. This includes:

• Ease of use—The firewall product should ideally have a graphical user interface (GUI), which simplifies the job of installing, configuring, and managing it.
• Customer support—Vendors that sell firewalls often provide support. This includes providing prompt access to technical expertise for installation, use, and maintenance. It also includes training.

Knowing the amount of money available for firewall protection helps you quickly eliminate those products clearly outside your price range. Do not automatically discard every product above the budget limit, but realize that anything more than about 15 percent of your maximum allowance is probably out of reach.

Next, consider whether an open-source solution is a viable option for your corporate culture. Some organizations are philosophically opposed to open-source solutions, while others embrace and encourage such endeavors.

Do you want to include the option to build your own or focus on only off-the-shelf, ready-to-deploy options? Making this decision early will help guide you toward a viable choice.

Familiarize yourself with the wire speed of the network, general traffic levels, the types of filtering desired, types or forms of recent attacks, and future growth and expansion plans. Armed with this information, you can begin a serious review for the most appropriate firewall solutions.

Read current firewall reviews both online and in technical publications and trade journals, and consult buyer’s guides for expert advice. Browse IT association blogs and discussion forums. Find firewall options that fall within the parameters you identified based on your understanding of the network and known threats.

Some general guidelines will assist you in this process:

• If speed, flexibility, and simplicity are priorities, then select a packet-filtering firewall or a stateful inspection firewall.
• If real-time applications and high-bandwidth communications are priorities, then select a dedicated application-specific proxy firewall.
• If strong authentication is a priority, then select an application gateway firewall or a dedicated application-specific proxy firewall.
• If detailed logging is a priority, then select an application proxy firewall.
• If customized, unique, or complicated filtering options are a priority, then select a dedicated application-specific proxy firewall or a stateful inspection firewall.
• If stopping internal attacks is a priority, then select a dedicated application-specific proxy firewall or a personal host firewall.

Firewall technology advances quickly. Often, new attacks and exploits crafted by hackers drive these advancements and upgrades. A specific recommendation for a specific model, product line, or even vendor has a finite life. Before selecting a specific firewall product, do research to verify that the vendor is still supporting the firewall product. In the case of a software firewall, ensure that the solution is compatible with and maintained for your OS. You do not want to buy a product that has already been marked for retirement or at risk of being quickly superseded. Check on the revision history and, based on previous time frames, estimate if the current version release is due for a revision.

A single firewall product rarely satisfies every need. However, you should be able to find one or more firewall solutions that address the primary security concerns of your organization.

After purchase, regularly visit the vendor’s website and discussion forums (including non-vendor-supported sites) for news and information about your firewall product. Keep current with announcements of updates, problems with updates, newly discovered holes or exploits, alternative configuration ideas, troubleshooting options, and more.