
Firewall Buyers Guide

Looking to replace your network firewall? Whether you want to consolidate everything into a unified solution or add next-generation features, this guide is for you. It provides an overview of what to consider when selecting your next network firewall, including information on the features available and questions to ask your vendors. Use it to identify the right solution for your organization.

Firewall comparison check list

This table summarizes the main capabilities that you should consider when evaluating network security solutions. Use it to help you decide which solution fits your needs. Read the full report for information on the factors that influence the usage experience, protection and performance of a solution, as well as a deep dive into specific protection features.

Feature | Sophos UTM | Fortinet FG 20-90 | Dell SonicWALL TZ Series | WatchGuard XTM Series | The Sophos advantage
Network Firewall/Protection | Yes | Yes | Yes | Yes | Automatically updated IPS, checkbox configuration
Advanced Threat Protection | Yes | Yes | Yes | Yes | All-in-one solution
Site to site and remote user VPN | Yes | Yes | Yes | Yes | Easy set up with Sophos RED
Secure web gateway | Yes | Yes | Yes | Yes | Easy policy builder
Spam protection | Yes | | | | No separate appliance needed
Email encryption and DLP | | | | | Automated encryption, no extra infrastructure needed
Dual anti-virus | Yes | No | No | No* | Choose your scanner or use both
Endpoint protection | | | | | Sophos is Gartner Leader***
WiFi | Yes | Yes | Yes | Yes | Simple, elegant mesh networks
Reverse Proxy | Yes | Yes | Yes | No* | Complete Reverse Proxy capabilities
User portal | Yes | | | |
Full reporting | Yes | | | | On-box, using built-in hard drive
Integrated 2 factor authentication | Yes | | | | FREE and no separate appliance needed
FREE Central management | Yes | | | | FREE and no additional infrastructure required
Best TMG feature parity | Yes | | | | Independent experts recommend Sophos†
Web application firewall | | | | |
Mobile network access control | Yes** | | | | Simple policy deployment
Choice of Hardware, Software, Virtual or Cloud deployment | Yes | No | No | No | All features available for all deployment options
Active/Active Cluster with integrated load balancing | Yes | Larger models | Yes | Limited | Cluster up to 10 appliances for a fully scalable solution
Consistent feature set on all models | Yes | No | No | No | No need to buy a bigger appliance just to get key features
Ability to add license modules as and when required | Yes | Larger models | Yes | Yes | Flexible licensing, no hardware upgrade necessary to support additional features

Yes: refers to functionality included in a unified solution only. Entries such as "Larger models" and "Limited" note additional requirements.
* Comparable functionality with separate appliance only
** Requires Sophos Mobile Control subscription
*** Sophos is a Leader in the Gartner Magic Quadrants for UTM, Endpoint Protection Platforms and Mobile Data Protection.
† www.sophos.com/tmg

Introduction

How to use this guide

This guide is intended to provide you with useful advice on what to consider when evaluating firewall solutions, including specific protection features to help you identify which capabilities your network firewall or UTM solution will need to deliver. It also includes a comparison between selected Sophos, Dell SonicWALL, WatchGuard and Fortinet products.

Whether you’re looking for an alternative to a network firewall to add enhanced functionality, want to reduce the number of network security products you currently manage, or are looking for more visibility and granular control over your web users, this guide is written for you.

Independent product performance tests

We recently commissioned an independent testing facility, Miercom Labs, to compare firewall products from Sophos with those of other vendors. They tested one of our SG Series appliances, the SG 210. The competitor products were selected based upon their suitability for a typical 50-100 user organization:

- Dell SonicWALL NSA 2600
- Fortinet FortiGate 100D
- WatchGuard XTM 525

Please note that for all appliances, sizing is an average guideline, as factors such as type of user, infrastructure, etc. can influence the individual requirements. We would always recommend that customers contact their vendor or a qualified reseller to identify the right appliance model for their individual needs.

UTM vs Next-Gen Firewall

What constitutes a UTM and what is a next-generation firewall? Although many believe it’s a case of semantics, there are differences.

In the majority of cases, a UTM consolidates security solutions into a single platform. Those security solutions can include network, web, email, endpoint, wireless management and more. A next-generation firewall, on the other hand, will probably have fewer core features and require additional security solutions such as an email gateway or endpoint protection.

A next-generation firewall, or NGFW, has a strong focus on granular web controls and application-based security, with core capabilities for application visibility and control, optimization of the use of Internet connections, clear, understandable Intrusion Prevention Systems (IPS), and seamless VPN to connect to remote sites and provide remote access.

Whatever you call it, it is more important to understand what you want to protect and evaluate solutions based upon your individual business requirements.

Part 1: Evaluating solutions

The five key areas to consider when choosing your next firewall are:

1. Ease of use
2. Performance
3. Security features
4. Reporting
5. Proven protection

1. Ease of use

A network firewall used to be something you configured once and then rarely touched again. In some organizations, the person with the knowledge to do that setup is long gone. That leaves many businesses with that ‘thing’ in the server room which nobody dares touch for fear of breaking something.

If you’ve been used to configuring your firewall using a command line interface, then a security gateway product with a decent GUI will probably be a treat for you in terms of usability. Network security has come a long way, and vendors have learned that products that are simpler to use can also be more effective. Advanced features are of little value if they are too complex to actually use.

The user interface of any solution will need well-defined workflows to avoid you having to repeat configuration steps for different modules of the product.

Also, with today’s distributed workforces, having to install anything on end-user clients is no longer feasible for many organizations. For example, a firewall which offers full transparent mode, without the need to configure proxies or set up NAT rules, can save any IT administrator a lot of time. A management interface accessible from any location and on any device ensures that ad-hoc or emergency administrative tasks do not mean a drive to the office.

By the same token, policy setup for users in the office should be equally applicable to those who are working remotely. Web filtering rules, for example, need to protect users outside the realms of the corporate network. And in order to support the different devices your users have, authentication should provide the best user experience.

Some things to consider:

- How quickly can you get to the information you need to troubleshoot user problems (blocked websites, etc.)?
- How easy is it to update the solution?
- How many steps are required to do the most common tasks, e.g. create web filtering policies?
- Can you tailor the dashboard view to suit your needs?

2. Performance

Whether you’re looking for a unified solution for a small business, or enterprise-grade next-generation firewall features, one of the first points of comparison you will make is generally performance.

Vendors offer sizing guidelines, but it is always advisable to consider your individual infrastructure. Look at how your users work, their individual usage patterns, which applications and servers you need to protect, and which features of your firewall you will have switched on.

Beware of blindly trusting any kind of online sizing tool: one vendor may say you need 1 Mbps firewall throughput per user, the next may say anything up to 20 Mbps, and so on. Even some of the most network-savvy experts have made mistakes by undersizing an appliance – eventually leading to performance problems – or oversizing the appliance and pricing the solution way outside of the available budget.

Performance is also influenced by the architecture used in any hardware appliance and how the software and the hardware work together. Whereas an appliance with ASIC chips can produce good throughput results for a specific purpose, it places limits on upgradability and often requires the appliance to be connected in a particular way. Also, performance numbers for ASIC hardware differ greatly from virtual installations from the same vendor.

Third-party tests, such as the ones that follow from Miercom Labs, generally offer a more accurate picture of the actual throughput you will see in a production environment. Here it is important to check the test methodology.

Test results can be influenced greatly by:

- The architecture used in the hardware, e.g., ASICs vs. standard multi-core processors such as Intel
- The number of ports on an appliance – line speed will be shown in round numbers
- Type of traffic measured – bi-directional or uni-directional
- How comparable the tests are, e.g., proxy-based antivirus (slower but more secure) vs. flow-based (faster but less effective)

Miercom test: Firewall Throughput

The firewall is the most fundamental function of your UTM. Any slowdown here impacts all traffic passing through the device. Therefore firewall throughput should ideally allow line rate for your connections. This test was conducted with three 1Gbps ports, giving a theoretical maximum of 3Gbps/3,000Mbps.

Figure: Unidirectional Firewall Throughput (Mbps), Layer 3, for the Sophos SG210, Fortinet FG100D and WatchGuard XTM525. Source: Miercom, June 2014

As the first firewall throughput test did not stretch the Sophos SG210 to its limits, it was retested using more ports and sending traffic in both directions at the same time. The Sophos SG210 reached a maximum throughput of 10,441 Mbps.

Miercom test: Application Control Throughput

Application Control allows you to effectively monitor and manage different types of traffic going through your gateway, such as VPN, YouTube or Facebook, without having to block traffic completely. This test looks at Layer 7 (Application layer) throughput.

Figure: Application Control Throughput (Mbps), Layer 7, for the Sophos SG210, Fortinet FG100D and WatchGuard XTM525. Source: Miercom, June 2014

Miercom test: IPS Throughput

Intrusion Prevention Systems monitor the network for suspicious traffic and can block exploits of known vulnerabilities. Similar to application control, this is a resource-intensive process where packets are assembled and inspected.

Figure: Firewall IPS Throughput (Mbps) for the tested appliances, including the WatchGuard XTM525. Source: Miercom, June 2014

For more information on the Miercom independent testing report visit www.sophos.com/miercom

Deployment options

Some vendors offer value in the form of deployment flexibility – hardware, software, virtual environment (such as VMware, Hyper-V and Citrix Xen), or cloud-based.

Should you choose a software or virtual installation, it is important to note if it will run on any dedicated Intel x86-compatible hardware or if it requires purpose-built hardware components. Obviously, you have greater flexibility with standard hardware, which can be easily upgraded. Also, depending on the architecture a vendor uses, you may see substantial differences in performance between the firewall appliance a vendor offers and a virtual installation from the same vendor on standard hardware.

Alternatively, you may choose to deploy your network security solution in the cloud. This can often be done by using Amazon Web Services, or a data center of your choice.

Not all vendors offer all deployment options, as the table below shows. Select the deployment scenario which best suits your requirements and offers you the flexibility to grow.

Table: Deployment options (hardware, software, virtual and cloud) offered by Sophos UTM, Fortinet FG 20-70, Dell SonicWALL TZ Series and WatchGuard XTM Series.

3. Security features

If your goal is to consolidate your existing infrastructure into a single solution, you likely want the same security features you’re accustomed to having. Should you be considering a UTM solution for email protection, for example, don’t forfeit features such as anti-spam, email encryption and DLP. If a vendor on your shortlist doesn’t offer comparable features to your email gateway, then perhaps they shouldn’t be on that list.

The same goes for web protection. A unified solution should offer equivalent features to a web security gateway. Even if you don’t use every feature your chosen network security product offers, you have the functionality you need to support and enable your business.

If you’re trying to replace a retired product such as Microsoft Forefront Threat Management Gateway (TMG), you can find a UTM with superior features to your End-of-Life solution. If your TMG replacement can offer you network, web and email protection features as well, that will save you money and administrative effort.

The comparison check list on page 2 lists features and functionalities you may look for in a network security gateway. This comparison shows which vendors offer functionalities as part of a unified solution (UTM). Although most vendors can offer almost all of the features, in many cases they can only do so with multiple appliances or security solutions. Also, many vendors do not offer the full breadth of features on all appliances.

So if you are a small business looking to secure a limited number of users, look to purchase a solution that isn’t over-dimensioned for your purposes just to get the features you need.

For a detailed look at individual protection capabilities please see part 2 of this guide.

4. Reporting

Reports give you visibility into what’s happening with your network, so you can make informed decisions to support your business. If a large amount of bandwidth is being used by a particular application, it could slow down other operations. In addition, reporting gives visibility into infections on your system.

It’s important to have real-time data to make ad-hoc decisions and ensure you are providing the quality of service your users need. Reporting on web usage in real time lets you adapt your solution dynamically, removing bottlenecks caused by particular usage patterns, or freeing up more resources for certain departments when peaks can be expected.

Solutions which only offer reports at set intervals aren’t adequate for some organizations. For example, many school districts require data immediately and cannot wait until the next report is available.

You may also want to access historical data to make more informed decisions about the optimal setup or to analyze particular incidents. Having some kind of storage on-box lets you access that data.

Any reporting module needs to be adaptable to your needs and give you the data you want – and not store what you don’t want.

Consolidated reports spanning multiple features can be beneficial in some areas. Not all attacks are necessarily just from one designated source, and having a single view, e.g., for command and control, can allow you to quickly remediate a problem.

If you are worried about the effect reporting can have on performance, consider a solution with an integrated solid-state drive rather than a rotating hard drive. Having no moving parts not only makes them robust but also fast, with minimum impact on your solution performance, even for complex reporting.

Table: Reporting features compared for Sophos UTM, Fortinet FG 20-90, Dell SonicWALL TZ Series and WatchGuard XTM Series: reporting included as standard; on-box storage for local quarantine, log files and reports.

5. Proven protection

When choosing a firewall, you also need to look at the quality of protection; third-party endorsements can give you a good idea of which vendors have the best protection from various threats.

For many organizations, the Gartner Magic Quadrant is the benchmark in selecting which vendors to consider.

But with many network firewalls now providing complete security, the technology as a whole needs to be considered, and whether the vendor has the experience in which you can place your full confidence.

Part 2: Evaluating security capabilities

We will now look in depth at the different security features available. Use this to identify the capabilities that are important to you and what questions you should ask your vendors.

Network protection

Your network security product should provide a solid security foundation even before you add network protection subscriptions or licenses. At a basic level it should include static routing, DNS proxy services, DHCP server options, NTP functionality, stateful firewall, network address translation, basic remote access VPN, local user authentication, local logging and daily reports, and basic management functionality.

Capability to look for: IPS
Description: Bolsters your firewall’s security policy by inspecting approved traffic for malicious packets. Can drop packets that match a signature list of threat patterns.
Questions to ask your vendor:
- What kind of expertise is needed to properly use the system?
- How are rules delivered and configured?
- Is IPS easy to tailor to your individual network infrastructure?

Capability to look for: Advanced Threat Protection / Command-and-Control / Botnet Detection
Description: Checks outbound traffic to detect and block attempts to communicate with malicious hosts such as command-and-control and Botnet servers.
Questions to ask your vendor:
- What expertise is needed to use the system?
- Does it include the detection of threats via the Web?
- Does it offer consolidated reporting for all sources?

Capability to look for: Bandwidth control / Quality of service
Description: Prioritizes traffic based on the rules you set and allows you to control how a fixed resource is used during different conditions.
Questions to ask your vendor:
- How many WAN connections can you support on a single appliance?
- How easy is it to identify and control the bandwidth applications use?

Capability to look for: Site-to-site VPN options
Description: Links remote sites with the main office, allowing users to send and receive information via a secure connection. Also allows employees to use devices such as file servers and printers that are not in the same office.
Questions to ask your vendor:
- What protocols does your VPN support?
- How much experience or VPN knowledge is required to set up a VPN?

Capability to look for: Remote access options
Description: Allows users to securely connect to the network security appliance from any location.
Questions to ask your vendor:
- Do you offer multiple remote access options, including clientless VPN?
- Is remote access supported from any OS and/or device?
- Is the clientless VPN truly clientless, or are applets required on end-user devices?
- Are additional licenses required?

Capability to look for: Remote office support
Description: Connects remote office networks to the network security appliance to protect them with the same policies and capabilities.
Questions to ask your vendor:
- How easy is it to connect remote offices?
- Is a technician required?
- Can remote offices be centrally managed?
- Are additional subscriptions or licenses needed?

Capability to look for: Detailed reports
Description: Provides detailed real-time and historical statistics and reports on network/bandwidth usage, network security, etc.
Questions to ask your vendor:
- Does it contain a built-in hard drive?
- What kind of reports are available without a separate application?

Web protection

You need web protection that allows you to apply terms and conditions to where and how users spend their time online, and stops spyware and viruses before they can enter the network. Detailed reports should show you how effective your policy is so you can make adjustments.

Capability to look for: URL filtering
Description: Controls employee web usage to prevent casual s