Firewall Shopping 101 Page II

Printer Friendly Version

Users, Locations, and Numbers

A consideration that should be very high on your list is how many users do you need to protect, and how many firewalls will you need? The number of users you are going to protect will determine whether you need an enterprise class firewall or a SOHO firewall. (You can certainly use an enterprise firewall, even for one user, but you might be paying a lot more than you need to pay, and might end up with features you will never use.)

Most SOHO firewalls can accommodate enough connection requests for up to 50 users. If you plan on protecting more than 50 users with your firewall, it's time to move up to an enterprise firewall. SOHO firewalls typically range in price from $30.00 to $500.00. $30.00 firewalls are typically used for one person, one system. A $500.00 SOHO firewall is sufficient for a small field office of less than 50 people.

Enterprise firewalls, typically ranging in price from $500.00 to $20,000, are commonly used in organizations that require multiple firewalls that need to be managed from one location. This means that enterprise firewalls need to be able to communicate with some sort of central management console. Most vendors who make enterprise firewalls offer a central management console as an option.

Alternatively, there is a young and growing security market segment of Security Information Management (SIM) devices that can essentially be used as third-party management consoles. Both netForensics and e-Security make third-party SIMs that can integrate with various leading enterprise firewalls.

Depending on how your architecture your security perimeter network, and how much money you are able to spend, one robust firewall on your perimeter may be sufficient for your organization's needs. The important thing is to ask the vendor's you are interviewing how many users each firewall can support. Most reputable firewall vendors rate their firewalls for a certain range of user connections. Typically the more users you need to support, the more RAM and processing power you will need in your firewall.

A sizing guideline that will apply to most reputable firewall vendors is found in Table 1. Note that the RAM listed in Table 1 is what the firewall itself requires. If you have other applications running on your firewall system, you will have to take into account this amount of RAM, on top of what your other applications require.

Number of Users	RAM Needed by Firewall	Processing Power	# of Offices	Packet Filter Throughput	Price Range
Under 50 (SOHO)	Less than 10 mb	~ 66 Mhz	1	Less than 10 Mbps	Less than $500.00
51-1000	65 mb	~ 200 Mhz	2-299	Less than 100 Mbps	Approximately $5,000.00
1001-5000	128 mb	~ 500 Mhz	300	Less than 200 Mbps	Approximately $ 10,000.00
Over 5000	256 mb	~ 500 Mhz +	Over 300	Over 200 Mbps	Approximately $20,000.00

Table: Guidelines for firewall sizing

If you plan on pumping streaming media through your firewall, or plan on using a VPN, both of these applications can benefit from more processing power, and more RAM.

The Trade-Offs

Software firewalls offer more flexibility than appliance firewalls, because you can choose what hardware platform you want to run the firewall on. However, sometimes having to make a decision on what hardware platform and operating system to build your firewall on, is not a decision that some information technology managers and engineers have time to make. If the concept of "I don't care what type of hardware platform the firewall runs on as long as it works," appeals to you, then an appliance firewall might be preferable. With an appliance firewall, you get a complete turnkey firewall bundled into one box. Because there are less procurement decisions to make, and everything comes pre-packaged as much as possible, getting an appliance firewall up and running usually is much faster than getting a software firewall up and running.

Go to page: 1  2  3