Comparison of firewalls
The following is a comparison of notable firewalls, starting from simple home firewalls up to the most sophisticated Enterprise-level firewalls.
Firewall software
Ultimately, all firewalls are software-based, but some firewall solutions are shipped purely as software that runs on a general-purpose operating system. The following table lists firewall software that can be installed and configured on general-purpose operating systems.
Firewall appliances
In general, a computer appliance is a computing device with a specific function and limited configuration ability, and a software appliance is a set of computer programs that might be combined with just enough operating system (JeOS) for it to run optimally on industry standard computer hardware or in a virtual machine.
A firewall appliance is a combination of firewall software and an operating system, purpose-built to run a firewall on dedicated hardware or in a virtual machine.[1][2][3] These include:
- embedded firewalls: very limited-capability programs running on a low-power CPU system;
- software-based firewall appliances: a system that can run on independent hardware or in a virtualised environment as a virtual appliance;
- hardware-based firewall appliances: a firewall appliance that runs on hardware specifically built to be installed as a network device, providing enough network interfaces and CPU to serve a wide range of purposes, from protecting a small network (a few network ports and a few megabits per second of throughput) to protecting an enterprise-level network (tens of network ports and gigabits per second of throughput).
The following table lists different firewall appliances.
Firewall | License | Cost | OS |
---|---|---|---|
Check Point VPN-1 | Proprietary | Included on Check Point security gateways | Proprietary operating system Check Point IPSO and Gaia (Linux-based) |
CISCO ACLs | Proprietary | Included on all CISCO switches and routers | Proprietary, runs only on CISCO hardware |
CISCO ASA | Proprietary | Included on all CISCO ASA devices | Proprietary operating system |
CISCO PIX | Proprietary | Included on all CISCO PIX devices | Proprietary operating system |
Endian Firewall | Proprietary | Free / Paid | Linux-based appliance |
FortiGate | Proprietary | Included on all Fortigate devices | Proprietary, FortiOS |
IPCop | various | Free | Linux-based appliance |
IPFire | GPL | Free | Linux-based appliance |
Juniper SSG | Proprietary | Included on Netscreen security gateways | Proprietary operating system ScreenOS |
Juniper SRX | Proprietary | Included on SRX security gateways | Proprietary operating system Junos |
Monowall | BSD | Free | FreeBSD-based appliance embedded firewall distribution |
Opendium Iceni | Proprietary | Paid | Linux-based, with optional web filtering / auditing. |
Palo Alto Networks | Proprietary | Included on Palo Alto Networks firewalls | Proprietary operating system PANOS |
pfSense | Electric Sheep Fencing | Free / Paid | FreeBSD/NanoBSD-based appliance firewall distribution |
Simplewall | Proprietary | Trial/Paid | Linux-based appliance |
Smoothwall | GPL | Free | Linux-based appliance |
Sophos UTM | GPL and Proprietary | Free / Paid | Linux-based appliance |
Untangle | GPL | Free / Paid | Linux-based appliance |
Vyatta | GPL | ? | Linux-based appliance |
Calyptix Security | BSD | Free | OpenBSD-based appliance firewall distribution |
Halon Security | BSD | Free | OpenBSD-based appliance |
Vantronix | BSD | Free | OpenBSD-based appliance |
WatchGuard | Proprietary | Included on all WatchGuard firewalls | Proprietary operating system |
Firewall rule-set basic filtering features comparison
Can Target: | Changing default policy to accept/reject (by issuing a single rule) | IP destination address(es) | IP source address(es) | TCP/UDP destination port(s) | TCP/UDP source port(s) | Ethernet MAC destination address | Ethernet MAC source address | Inbound firewall (ingress) | Outbound firewall (egress) |
---|---|---|---|---|---|---|---|---|---|
IPFire | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No |
Trend Micro Internet Security | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
Untangle | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
Vyatta | Yes | Yes | Yes | Yes | Yes | Yes | No | No | Yes |
Windows XP Firewall | No | No | Yes | Partial[a] | No | No | No | Yes | No |
Windows Vista Firewall | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
Windows 7 / Windows 2008 R2 Firewall | Yes | Yes | Yes | Yes | No | No | Yes | Yes | Yes |
WinGate | Yes | Yes | Yes | Yes | Yes | No | No | No | Yes |
Zeroshell | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes |
Zorp | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No |
pfSense | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Notes
- [a] Can target only a single destination TCP/UDP port per rule, not port ranges.
Firewall rule-set advanced features comparison
Can: | work at OSI Layer 4 (stateful firewall) | work at OSI Layer 7 (application inspection) | Change TTL? (Transparent to traceroute) | Configure REJECT-with answer | DMZ (de-militarized zone) - allows for single/several hosts not to be firewalled. | Filter according to time of day | Redirect TCP/UDP ports (port forwarding) | Redirect IP addresses (forwarding) | Filter according to User Authorization | Traffic rate-limit / QoS | Tarpit | Log |
---|---|---|---|---|---|---|---|---|---|---|---|---|
IPFire | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
Sidewinder | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Untangle | Yes | Yes (Some modules) | No | No | Yes | Yes (With Policy manager) | Yes | Yes | Yes | Yes | Yes | Yes |
WinGate | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes | No | Yes |
Zeroshell | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
pfSense | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
Features: | Configuration: GUI, text or both modes? | Remote Access: Web (HTTP), Telnet, SSH, RDP, Serial COM RS232, ... | Change rules without requiring restart? | Ability to centrally manage all firewalls together |
---|---|---|---|---|
IPFire | both | Web (HTTPS), SSH, RS232 | Yes | No |
Untangle | both | SSH (not enabled by default), Web GUI | Yes | Yes |
WinGate | GUI | Proprietary user interface | Yes | N/A |
ClearOS | both | RS232, SSH, WebConfig | Yes | Yes with ClearDNS |
Zeroshell | GUI | SSH, Web (HTTPS), RS232 | Yes | No |
pfSense | both | SSH, Web (HTTP/HTTPS), RS232 | Yes | No |
Other firewall features comparison
Features: | Modularity: supports third-party modules to extend functionality? | IPS: Intrusion prevention system | Open-source license? | Supports IPv6? | Class: Home / Professional | Operating systems on which it runs? |
---|---|---|---|---|---|---|
IPFire | Yes | Yes, with Snort | Yes | Yes (since IPFire 3) | Both | Linux-based appliance distribution. |
Untangle | Yes | Yes | Yes | No | Both | Linux (built on Debian) |
Vyatta | Yes | Yes | Yes | Yes | Professional | Vyatta OS (built on Debian) |
WinGate | Yes[a] | ? | No | No | Professional | Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 2008. 32-bit and 64-bit. |
pfSense | Yes | Yes, with Snort and Suricata | Yes | Yes | Professional | FreeBSD/NanoBSD-based appliance |
Notes
- [a] WinGate 6.x supports 3rd party modules for data scanning only (e.g. antivirus and content filtering).
Non-Firewall extra features comparison
These features are not strictly firewall features, but they are sometimes bundled with firewall software or exist on the platform.
NOTE: Features are marked "yes" even if they are implemented as a separate module that ships with the platform on which the firewall sits.
IDS: a real-time component that logs, sniffs or blocks suspicious connections that are not covered by the rule-set.
VPN (Virtual Private Network) Types are: PPTP, L2TP, MPLS, IPsec, SSL/SSH.
Profile selection: The user can switch between sets of firewall settings, e.g. for use at work, at home, and on public connections.
Can: | NAT44 (static, dynamic w/o ports, PAT) | NAT64, NPTv6 | IDS (Intrusion Detection System) | VPN (Virtual Private Network) | AV (Anti-Virus) | Sniffer | Profile selection |
---|---|---|---|---|---|---|---|
IPFire | Yes | No | Yes (with integrated Snort) | Yes (IPsec and OpenVPN) | Yes (with clamav) | Yes (with tcpdump) | ? |
Untangle | Yes | ? | Yes | Yes (IPsec and OpenVPN) | Yes (clamav, commtouch (optional)) | Yes (tcpdump) | ? |
Vyatta | Yes (three NAT types) | ? | Yes (integrated Snort) | Yes (IPsec and OpenVPN) | Yes (with clamav, Sophos Antivirus (optional)) | Yes (with wireshark or tcpdump) | ? |
WinGate | Yes | ? | Yes (with NetPatrol) | Yes (proprietary) | Yes (Kaspersky Labs) | Yes (filtered capturing to pcap format) | No |
pfSense | Yes | No | Yes (with Snort) | Yes (OpenVPN, IPsec, L2TP, IKEv2, Tinc, PPTP) | Yes (with clamav) | Yes (tcpdump) | No |
See also
- Internet Security
- Comparison of antivirus software
- Next-Generation Firewall
- Unified Threat Management
References
- [1] Smith, Bob; Hardin, John A.; Phillips, Graham; Pierce, Bill. Linux Appliance Design: A Hands-On Guide to Building Linux Appliances. No Starch Press. p. xvii. ISBN 1-59327-140-9. Retrieved 2008-05-06.
- [2] SAN Data Center. Network World.
- [3] Routers. About.com.
External links
- Windows Software Firewall Test Rankings, Matousec, 2014