Grouping firewalls into classes allows for the abstraction of the hardware from the needs of the service; service requirements can then be matched against class features. As long as a firewall fits into a specific class, it can support all the services that the class of firewalls is required to support. The various classes are as follows:
· Personal firewalls
· Router firewalls
· Low-end hardware firewalls
· High-end hardware firewalls
· Server firewalls
It is important to understand that some of these classes overlap; this is by design. The overlap allows one type of firewall solution to span multiple classes. Many classes can also be served by more than one hardware model from the same vendor, so that an organization can select a model that best suits its needs both now and in the future. Apart from price and feature set, firewalls can be classified on the basis of performance (or throughput). However, manufacturers do not provide throughput figures for most classes of firewalls. Where figures are provided (typically for hardware firewall devices), no standard measurement process is followed, which makes comparisons between manufacturers difficult. For example, one measure is the number of bits per second (bps), but because the firewall is actually passing IP packets, this measure is meaningless unless the packet size used in measuring the rate is also stated.
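The packet-size caveat above can be made concrete: the following added example (not from the original article) converts a bps claim into the packets-per-second rate it implies at a stated Ethernet frame size, and ranks constructed claims from hypothetical vendors on that basis. It assumes standard IEEE 802.3 framing overhead (preamble, start-frame delimiter, inter-frame gap) and non-jumbo frames.

```python
# Added example (not from the original article): normalising vendor throughput
# claims so that "bits per second" figures measured at different packet sizes
# can be compared. A firewall's per-packet work (rule lookup, state-table
# update, logging) scales with packets per second, so the same bps figure
# means a very different load at 64-byte and at 1518-byte frames.

# Per-frame wire overhead from IEEE 802.3 Ethernet, in bytes.
PREAMBLE_SFD = 8   # 7-byte preamble + 1-byte start-frame delimiter
IFG = 12           # minimum inter-frame gap
MIN_FRAME = 64     # smallest legal frame (header + payload + FCS)
MAX_FRAME = 1518   # largest standard (non-jumbo) frame


def frame_bits_on_wire(frame_bytes: int) -> int:
    """Bits occupied on the wire by one Ethernet frame of `frame_bytes`
    (header + payload + FCS), including preamble and inter-frame gap."""
    if not MIN_FRAME <= frame_bytes <= MAX_FRAME:
        raise ValueError(f"frame size {frame_bytes} outside {MIN_FRAME}-{MAX_FRAME}")
    return (PREAMBLE_SFD + IFG + frame_bytes) * 8


def packets_per_second(bps: float, frame_bytes: int) -> float:
    """Packet rate implied by a throughput claim of `bps` at `frame_bytes`."""
    return bps / frame_bits_on_wire(frame_bytes)


def bps_at_frame_size(pps: float, frame_bytes: int) -> float:
    """Throughput a device limited to `pps` packets/s achieves at `frame_bytes`."""
    return pps * frame_bits_on_wire(frame_bytes)


def rank_claims(claims):
    """claims: iterable of (label, bps, frame_bytes). Returns (label, pps) tuples,
    highest packet rate first, so claims made at different packet sizes are
    compared on the metric that actually loads the firewall."""
    ranked = [(label, packets_per_second(bps, size)) for label, bps, size in claims]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample claims for hypothetical vendors; two of them quote "1 Gbps".
    sample_claims = [
        ("Vendor A: 1 Gbps at 1518-byte frames", 1e9, 1518),
        ("Vendor B: 1 Gbps at 64-byte frames", 1e9, 64),
        ("Vendor C: 600 Mbps at 64-byte frames", 6e8, 64),
    ]
    for label, pps in rank_claims(sample_claims):
        print(f"{label:40s} -> {pps:>12,.0f} packets/s")
    # What Vendor A's device sustains at small frames if its real limit is the
    # ~81,000 packets/s its own figure implies:
    limit_pps = packets_per_second(1e9, 1518)
    print(f"Vendor A at 64-byte frames: {bps_at_frame_size(limit_pps, 64) / 1e6:.1f} Mbps")
```

Vendor B's claim implies roughly eighteen times the packet rate of Vendor A's, and a device that only reaches Vendor A's packet rate sustains about 55 Mbps, not 1 Gbps, once the traffic consists of minimum-size frames.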
The following subsections define firewall classes in detail.
Class 1—Personal Firewalls
A personal firewall is defined as a software service running within an operating system that provides simple firewall capability for a personal computer. As the number of permanent Internet connections (as opposed to dial-up connections) has grown, the use of personal firewalls has increased.
Although designed to protect a single personal computer, a personal firewall can also protect a small network if the computer on which it is installed is used as the route to the Internet. However, the performance of a personal firewall is limited, and it degrades the performance of the personal computer on which it is installed. Its protection mechanisms are usually less effective than those of a dedicated firewall solution because they are usually restricted to blocking by IP address and port, although generally speaking a lower level of protection is needed on a personal computer.
Personal firewalls may come free of charge within an operating system or at a very low cost. They are suitable for their intended purpose but should not be considered for use in an enterprise, even in small satellite offices, because of their restricted performance and functionality. They are, however, particularly suitable for mobile users on laptop computers.
The following table shows the features that may be available in personal firewalls; they vary tremendously in their capabilities and price. However, lack of a specific feature, especially on a laptop, might not be of great importance.
Class 1—Personal Firewalls

| Firewall Attribute | Value |
|---|---|
| Basic features supported | Most personal firewalls support static packet filters, NAT, and stateful inspection, while some support circuit-level inspection and/or application layer filtering. |
| Configuration | Automatic (manual option also available) |
| Block or allow IP addresses | Yes |
| Block or allow protocol or port numbers | Yes |
| Block or allow incoming ICMP messages | Yes |
| Control outgoing access | Yes |
| Application protection | Possibly |
| Audible or visible alerts | Possibly |
| Log file of attacks | Possibly |
| Real-time alerts | Depends on the product |
| VPN support | Typically no |
| Remote management | Typically no |
| Manufacturer support | Varies widely (depends on the product) |
| High-availability option | No |
| Number of concurrent sessions | 1 to 10 |
| Modular upgradeability (hardware or software) | None to limited |
| Price range | Low (free in some cases) |

Advantages
The advantages of personal firewalls include:
· Inexpensive: When only a limited number of licenses are required, personal firewalls are an inexpensive option. A personal firewall is integrated into versions of Windows® XP. Additional products that work with other versions of Windows or other operating systems are available for free or at limited cost.
· Easy to configure: Personal firewall products tend to have basic workable out-of-the-box configurations with straightforward configuration options.
Disadvantages
The disadvantages of personal firewalls include:
· Difficult to manage centrally: Personal firewalls need to be configured on every client, which adds management overhead.
· Only basic control: Configuration tends to be a combination of static packet filtering and permission-based blocking of applications only.
· Performance limitations: Personal firewalls are designed to protect single personal computers. Using them on a personal computer that serves as a router for a small network will lead to degraded performance.
Class 2—Router Firewall
Routers usually support one or more of the firewall features discussed previously. Router firewalls are usually available by default on low-end routers designed for Internet connections; they provide basic firewall features for blocking and allowing specific IP addresses and port numbers and use NAT to hide interior IP addresses.
High-end routers can be configured to tighten up access by barring more obvious intrusions, such as pings, and by implementing other IP address and port restrictions through the use of ACLs. Some routers offer additional firewall features, such as stateful packet filtering. In high-end routers, the firewall capability is similar to that of a hardware firewall device, at a lower cost but also lower throughput.
Class 2—Router Firewall

| Firewall Attribute | Value |
|---|---|
| Basic features supported | Most router firewalls support static packet filters. Lower-end routers typically support NAT. Higher-end routers may support stateful inspection and/or application layer filtering. |
| Configuration | Typically automatic on lower-end routers (with manual options). Oftentimes manual on higher-end routers. |
| Block or allow IP addresses | Yes |
| Block or allow protocol/port numbers | Yes |
| Block or allow incoming ICMP messages | Yes |
| Control outgoing access | Yes |
| Application protection | Possibly |
| Audible or visible alerts | Typically |
| Log file of attacks | In many cases |
| Real-time alerts | In many cases |
| VPN support | Many times in lower-end routers, not as common in higher-end routers. Separate dedicated devices or servers for this task are available. |
| Remote management | Yes |
| Manufacturer support | Typically limited in lower-end routers and good in higher-end routers |
| High-availability option available | Low end: No; High end: Yes |
| Number of concurrent sessions | 10 – 1,000 |
| Modular upgradeability (hardware or software) | Low end: No; High end: Limited |
| Price range | Low to High |

Advantages
The advantages of router firewalls include:
· Low cost solution: Activation of an existing router firewall feature may not add any cost to the price of the router, and it requires no additional hardware.
· Configuration can be consolidated: Router firewall configuration can be accomplished when the router is configured for normal operations, thereby minimizing the management effort. This solution is particularly suitable for satellite branch offices, since network hardware and manageability are simplified.
· Investment protection: Router firewall configuration and management is familiar to the operations staff and no retraining is required. Network cabling is simplified because no additional hardware is installed, which also simplifies network management.
Disadvantages
The disadvantages of router firewalls include:
· Limited functionality: In general, low-end router firewalls only offer basic firewall features. High-end routers typically offer higher-level firewall features but may need considerable configuration, much of which is done through the addition of controls that are easily forgotten, making it somewhat difficult to configure correctly.
· Only basic control: Configuration tends to be a combination of static packet filtering and permission-based blocking of applications only.
· Performance impact: Using a router as a firewall detracts from the performance of the router and slows the routing function, which is its primary task.
· Log file performance: Use of a log file to catch unusual activities can seriously reduce performance of the router, especially when it is already under an attack.
Class 3—Low-end Hardware Firewall
At the low end of the hardware firewall market are Plug and Play units requiring little or no configuration; these devices often incorporate switch and/or VPN functionality as well. Low-end hardware firewalls are targeted at small businesses and for internal use within larger organizations; they generally offer static filtering capabilities and basic remote management functionality. Devices from larger manufacturers may run the same software as their higher-end counterparts, providing an upgrade path should one be required.
Class 3—Low-end Hardware Firewall

| Firewall Attribute | Value |
|---|---|
| Basic features supported | Most low-end hardware firewalls support static packet filters and NAT. They may support stateful inspection and/or application layer filtering. |
| Configuration | Automatic (manual option also available) |
| Block or allow IP addresses | Yes |
| Block or allow protocol/port numbers | Yes |
| Block or allow incoming ICMP messages | Yes |
| Control outgoing access | Yes |
| Application protection | Typically not |
| Audible or visible alerts | Typically not |
| Log file of attacks | Typically not |
| Real-time alerts | Typically not |
| VPN support | Sometimes |
| Remote management | Yes |
| Manufacturer support | Limited |
| High-availability option available | Typically not |
| Number of concurrent sessions | > 10 – 7,500 |
| Modular upgradeability (hardware or software) | Limited |
| Price range | Low |

Advantages
The advantages of low-end hardware firewalls include:
· Low cost: Low-end firewalls can be purchased inexpensively.
· Simple Configuration: Almost no configuration is required.
Disadvantages
The disadvantages of low-end hardware firewalls include:
· Limited functionality: In general, low-end hardware firewalls only offer basic firewall functionality. They cannot be run in parallel for redundancy.
· Poor throughput: Low-end hardware firewalls are not designed to handle high-throughput connections, which may cause bottlenecks.
· Limited manufacturer support: As these are low cost items, manufacturer support is usually limited to e-mail and/or a Web site.
· Limited upgradeability: Usually there can be no hardware upgrades, though there are often periodic firmware upgrades available.
Class 4—High-end Hardware Firewall
At the high end of the hardware firewall market there are high performance, highly resilient products suitable for the enterprise or service provider. These usually offer the best protection without reducing the performance of the network.
Resilience can be achieved by adding a second firewall running as a hot standby unit that maintains the current table of connections through automatic stateful synchronization.
Firewalls should be used in every network connected to the Internet because intrusion happens constantly; DoS attacks, theft, and data corruption are being attempted all the time. High-end hardware firewall units should be considered for deployment in central or headquarters locations.
Class 4—High-end Hardware Firewall

| Firewall Attribute | Value |
|---|---|
| Basic features supported | Most high-end hardware firewalls support static packet filters and NAT. They may support stateful inspection and/or application layer filtering. |
| Configuration | Typically manual |
| Block or allow IP addresses | Yes |
| Block or allow protocol/port numbers | Yes |
| Block or allow incoming ICMP messages | Yes |
| Control outgoing access | Yes |
| Application protection | Potentially |
| Audible or visible alerts | Yes |
| Log file of attacks | Yes |
| Real-time alerts | Yes |
| VPN support | Potentially |
| Remote management | Yes |
| Manufacturer support | Good |
| High-availability option available | Yes |
| Number of concurrent sessions | > 7,500 – 500,000 |
| Modular upgradeability (hardware or software) | Yes |
| Price range | High |

Advantages
The advantages of high-end hardware firewalls include:
· High performance: Hardware firewall products are designed for a single purpose and provide high levels of intrusion-blocking together with the least degradation of performance.
· High availability: High-end hardware firewalls can be connected together for optimal availability and load balancing.
· Modular systems: Both hardware and software can be upgraded for new requirements. Hardware upgrades may include additional Ethernet ports, while software upgrades may include detection of new methods of intrusion.
· Remote management: High-end hardware firewalls offer better remote management functionality than their low-end counterparts.
· Resilience: May have availability and resilience features such as hot or active standby with a second unit.
· Application layer filtering: Unlike their low-end counterparts, high-end hardware firewalls provide filtering at layers 4 through 7 (L4, L5, L6, and L7) of the OSI model for well-known applications.
Disadvantages
The disadvantages of high-end hardware firewalls include:
· High cost: High-end hardware firewalls tend to be expensive. Although they can be purchased for as little as $100, the cost is much higher for an enterprise firewall and is often based on the number of concurrent sessions, throughput, and availability requirements.
· Complex configuration and management: Because this class of firewalls has much greater capability than low-end firewalls, it is also more complex to configure and manage.
Class 5—High-end Server Firewall
High-end server firewalls add firewall capability to a high-end server, providing robust, fast protection on standard hardware and software systems. The benefit of this approach is the use of familiar hardware and software, which reduces the number of inventory items and simplifies training and management, while also providing reliability and expandability. Many high-end hardware firewall products are implemented on industry-standard hardware platforms running an industry-standard operating system (hidden from view), and therefore differ little, technically and in performance, from a server firewall. However, because the server firewall's operating system remains visible, the firewall can be upgraded and made more resilient by techniques such as clustering.
Because the server firewall is a server running a commonly used operating system, additional software, features, and functionality can be added to the firewall from a variety of vendors (not just one vendor, which is the case with the hardware firewall). Familiarity with the operating system can also lead to more effective firewall protection, because some of the other classes need considerable expertise for full and correct configuration.
This class is suitable where there is a high investment in a particular hardware or software platform, as using the same platform for the firewall makes the management task simpler. The caching capability of this class can also be very effective.
Class 5—High-end Server Firewall

| Firewall Attribute | Value |
|---|---|
| Features supported | Most high-end server firewalls support static packet filters and NAT. They may also support stateful inspection and/or application layer filtering. |
| Configuration | Typically manual |
| Block or allow IP addresses | Yes |
| Block or allow protocol/port numbers | Yes |
| Block or allow incoming ICMP messages | Yes |
| Control outgoing access | Yes |
| Application protection | Potentially |
| Audible/visible alerts | Yes |
| Log file of attacks | Yes |
| Real-time alerts | Yes |
| VPN support | Potentially |
| Remote management | Yes |
| Manufacturer support | Good |
| High-availability option available | Yes |
| Number of concurrent sessions | > 50,000 (across multiple network segments) |
| Modular upgradeability (hardware or software) | Yes |
| Other | Commonly used operating system |
| Price range | High |

Advantages
The advantages of server firewalls include:
· High performance: When run on a suitably sized server, these firewalls can offer high levels of performance.
· Integration and consolidation of services: Server firewalls can make use of features in the operating system they run on. For example, firewall software that runs on the Windows Server 2003 operating system can take advantage of the Network Load Balancing functionality built into the operating system. Additionally, the firewall could also serve as a VPN server, again utilizing functionality in the Windows Server 2003 operating system.
· Availability, resilience, and scalability: Because this firewall runs on standard personal computer hardware, it has all the availability, resilience, and scalability features of the personal computer platform on which it runs.
Disadvantages
The disadvantages of server firewalls include:
· Requires high-end hardware: For high performance, most server firewall products require high-end hardware in terms of central processing unit (CPU), memory, and network interfaces.
· Susceptible to vulnerabilities: Because server firewall products run on well-known operating systems, they are susceptible to the vulnerabilities present in the operating system and other software running on the server. Although this is also the case for hardware firewalls, their operating systems are typically not as familiar to attackers as most server operating systems.

