Don’t Go Cheap on Firewalls!

In this second “Don’t Go Cheap on” post (the first being “Don’t Go Cheap on WiFi!”) we’re going to take on the subject of firewalls. (Try to contain your excitement!)

Without getting too “geek-speaky”…a firewall is simply a device that sits between (and controls the flow of traffic to and from) a private network that you control and public networks that you do NOT control (like the Internet). In the “old days” of computing (whatever that means) there was an assumption of trust within a private network such that all devices within that network were generally “trusted” while all devices on public networks were “untrusted”; however, the modern IT administrator realizes that networks (and the devices in them) are NOT that simple to classify these days.

Indeed there are good reasons why ALL devices within a particular private network might be considered untrusted unless/until they meet specific security policy requirements that allow them to be trusted but I digress…

The number of firewall vendors (hardware and software) is VAST…in fact, as this 2014 Gartner “Magic Quadrant for Enterprise Network Firewalls” article indicates, even the leading vendors in this space are numerous and each vendor has its own differentiating factors, model/feature variants and price points.

Those of you small business/non-profit leaders who are reading this post may be saying to yourself right about now: “My Internet Service Provider [ISP] gave me a firewall with my plan so I don’t have to worry about this.” Well, as thoughtful as your ISP may be, I can almost guarantee you that the “firewall” that they gave you as part of your service plan is NOT really what you want securing your network. Why?

Well, for more reasons than make sense to cover in this post but the most basic reason is that these devices are usually “dumb” (I’ll qualify what I mean by this in a bit) and offer only the most basic level of firewall functionality (if that). That most basic function is typically to allow certain types of traffic to leave your network (outbound) and drop most (if not all) types of inbound network traffic. (In “dumb firewall” terms: “Inside network good…outside network bad.”)
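To make the “inside good, outside bad” rule concrete, here is an added simulation of that baseline policy (this is illustrative code written for this page, not anything from the post or from any firewall vendor). It models the one thing even a freebie firewall does: it remembers connections that devices on the inside open, lets the replies back in, and drops anything from the outside that nobody inside asked for. The LAN range 192.168.1.0/24 and the addresses in the sample trace are assumptions chosen from reserved documentation ranges.

```python
"""Model of the baseline 'allow outbound, drop unsolicited inbound' firewall
policy.  Added, hypothetical example: it tracks flows the way a stateful
packet filter does, so replies to connections opened from inside are
admitted while anything the inside did not ask for is dropped."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the private network behind the firewall uses this RFC 1918 range.
INSIDE = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Default-deny inbound, allow-all outbound, with connection tracking."""

    def __init__(self, inside=INSIDE):
        self.inside = inside
        self.flows = set()   # 5-tuples of connections opened from the inside
        self.log = []        # (verdict, packet) records for later review

    def _is_inside(self, addr):
        return ip_address(addr) in self.inside

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # Outbound: allowed, and remembered so the reply can come back.
            self.flows.add(key)
            verdict = "ACCEPT"
        elif reverse in self.flows:
            # Inbound packet that answers a flow the inside opened.
            verdict = "ACCEPT"
        else:
            # Unsolicited inbound (or anything unexpected): dropped.
            verdict = "DROP"
        self.log.append((verdict, pkt))
        return verdict


def run_trace():
    """Run a constructed four-packet trace through the filter."""
    fw = StatefulFilter()
    trace = [
        # Workstation inside opens an HTTPS connection to a web server outside.
        Packet("192.168.1.20", 51000, "198.51.100.10", 443),
        # The server's reply: matches the tracked flow, so it is let back in.
        Packet("198.51.100.10", 443, "192.168.1.20", 51000),
        # An unsolicited inbound connection attempt: nobody inside asked for it.
        Packet("203.0.113.9", 40000, "192.168.1.20", 22),
        # A packet that reuses the workstation's port but on the wrong protocol
        # and from the wrong host: it does not match any tracked flow.
        Packet("203.0.113.9", 53, "192.168.1.20", 51000, "udp"),
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict, pkt in zip(run_trace(), StatefulFilter().log or [None] * 4):
        print(verdict)
```

Running `run_trace()` yields `ACCEPT, ACCEPT, DROP, DROP`. Notice what the model does not do: it never looks at what the inside is sending out, so a device that is already compromised can talk to anything it likes. That gap is exactly why the post calls this baseline “dumb” and why the feature questions in the rest of the post matter.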

ISPs give these firewalls to their customers because they realize that “dumb security” is better than “no security” but just ask any of them if they happen to be using those same devices that they give away to their customers to secure their own networks and the answer will be a resounding “oh, HELL no!”

In fact, a helpful analogy here comes from about ten years ago…back in 2006 and 2007: Remember that awesome Motorola RAZR you bought yourself in 2006 that made you feel like you were a super-spy? Then one year later Apple released the “iPhone” (the first REAL “smart phone” in my opinion) in 2007 and all of a sudden your RAZR seemed “quaint” (read: “just about useless”) by comparison. So when your ISP gave you that “freebie firewall” they may as well have given you a “RAZR” and said: “Look, we’re giving you a phone! It makes phone calls and everything! How awesome are we?!?”

So let’s say you’re the victim of…er, I mean…the “owner” of one of these “freebie firewalls”…is the solution to run out and go buy a new one? No, that would be a hasty response but the steps below would constitute a wise response to this situation:

  • First, ask yourself what types of cybersecurity threats you should be most concerned about. For instance, if you run a retail store where you accept Credit Card payments (via Point of Sales systems), then you have PCI DSS compliance concerns that should be addressed not only by your firewall features but by other security policies as well. Compare this to a small, non-profit leader who likely doesn’t take Credit Card payments and may have little to no customer PII (or Personally Identifiable Information) on hand either. Both of these organizations still need a good firewall coupled with good security policies in place but they do NOT require the same firewall features and would likely come in at different performance/price points.
  • Second, once you have a handle on the security concerns that your new firewall will need to address along with some understanding of what firewall features will help you address those concerns, then you need to figure out how fast your ISP connection is. For example, if you have a Comcast cable connection to your place of work, then you may be getting download speeds in excess of 180Mbps and upload speeds of 10+Mbps so you will need a firewall that can have ALL of the security features that you need turned ON but still allow you to get your maximum throughput speeds on the Internet. How bummed out will you be to turn on all of the security features on your shiny, new firewall only to find out that those same features drop your Internet download throughput to 50Mbps? Answer: You will be TOTALLY bummed!
  • Third, you need to decide what level of redundancy you require. Should you have TWO ISP connections instead of just one? Do you need TWO firewalls that are set up to fail over to one another in case of hardware failure (what’s more broadly known as “High Availability”) or can you get by with only one firewall with two ISP connections?
  • Fourth, you should decide what level of support you require from your firewall vendor. What type of warranty do they offer? How responsive will their technical support be if you need to call in with a problem? In fact, the vendor’s technical support may be the MOST critical “feature” that it offers! In the words of the best Consulting Engineer that I know – James Delancey: “Not all firewall vendor support teams are created equal. In fact, it’s only a small number of vendors that even offer customer SLAs on network uptime…your best vendors take those SLAs very seriously and manage to them because they know that their customers’ productivity takes a hit when their firewalls are down/malfunctioning. Further, vendors that seriously support these SLAs or can provide them at reasonable costs, must have the experience and systems in place to deliver what they sell.”

A thorough understanding of all the above elements will dictate the brand, model, performance and price point that makes the most sense for your organization when choosing a new firewall. Do NOT assume that simply buying the most expensive firewall that you can afford solves the problem. As I mentioned in my previous “Don’t Go Cheap on WiFi!” post, this approach may leave you with a Ferrari that you have no idea how to drive.

Bottom line: If you need help figuring out what firewall solution would be best for your organization, then you should go out and get it and remember to avoid getting stuck on the price of your prospective firewall(s) but instead focus on the VALUE that it will provide!


When Danny is NOT busy “hacking his Motorola RAZR”, he’s also leading a technology consulting company. Hit him on Twitter or Facebook.
