Appliance-based firewalls offer functionality similar to agent-based firewalls. If you're looking for a corporate solution where you'll need to either centrally manage your installed base of personal firewalls or provide firewall protection for a small number of hosts at a remote office, these appliances might work. It might even be more practical and economical to use appliance-based firewalls if you have two or more PCs in your home office that concurrently access the Internet. But their price will scare away most casual users.
Appliance-based firewalls from LinkSys, such as the BEFSR11, and SonicWALL's SOHO firewall, are the most common. These firewalls protect your hosts from attack, and include a wide range of additional features.
The SonicWALL SOHO firewall includes Network Address Translation (NAT), Web proxy, anti-virus protection, multiple user IDs, Remote Authentication Dial-In User Service (RADIUS), DHCP server and client services, Web-content filtering, VPN, digital- certificate authentication, centralized policy management, and customizable firewall protection.
Arguably, one of the most important of these features is centralized policy management. The ability to push security policies from a central policy server to firewalls deployed in remote offices is paramount. For many organizations, centralized policy management is the only option. Without such a capability, the logistics can be insurmountable. For this reason, the SOHO firewall is uniquely positioned as both a cost-effective and manageable security solution.
The SOHO firewall can also help to protect your pocketbook by using private IP addresses. Because the SOHO firewall operates at the front end of your Internet connection, you only have to purchase a single IP address from your service provider to protect hosts behind it. Without this ability, you would need to install firewall software on each PC you own, as well as lease additional IP addresses from your service provider.
The SOHO firewall has an intrusion-detection feature, but the alert mechanisms rely upon e-mail. If the connection to your e-mail server is down, or you're experiencing an SMTP-based DoS attack, you won't get the alert. SOHO does, however, log events to a Syslog server whose logs can be monitored by your corporate network management system. If you choose this solution, you should enable both of these features.
The LinkSys BEFSR11 doesn't have as many features as the SonicWALL SOHO firewall, as the price difference suggests (see the table). What you won't find in the LinkSys solution is VPN capability, support for centralized policy management, built-in anti-virus or Web-content filtering support, or Java and cookie filtering capabilities. Admittedly, the LinkSys BEFSR11 is really more of a cable modem or DSL router that supports customized security policies through packet filtering, as is typical for routers. Port scans of the LinkSys and protected systems revealed no open ports or services, and the systems didn't appear vulnerable to the most common DoS attacks.
I've included this product because it serves the same purpose as a personal firewall. While not providing as many bells and whistles as the more robust SOHO firewall, the LinkSys firewall is an adequate and affordable alternative.
===
The above write up was found here
networkmagazine.com
Table comparison of products mentioned in article:
img.cmpnet.com |
