
RE: Selecting and configuring a firewall

  • I have some observations on the article Selecting and Configuring a Firewall that showed up in my email from TechSoup today.  My background is in systems and networks for for-profit start-ups and enterprises, and I donate my free time to small non-profits getting started with their tech needs.

    First off, the article is very informative and gives a good checklist for figuring out some of the basics in determining which firewall technology to pick up.  I feel it would be very useful to someone who is the "tech guy" at a lot of mid-sized non-profits that are finally feeling their growing pains tech-wise.

    Now, here is some additional advice that I feel might complement the information in the article:

    Don't make a decision until you have taken the time to visit other similarly sized non-profits and discuss with their staff why they made their decisions.  If you have never picked a firewall before, the choices available and the support requirements can vary wildly.  As the decision-maker, you will have a better idea of "what works" by finding out what other people have had successes with.  You will also have a better idea what hidden costs others have run into, and will be able to scale your budget accordingly.

    If you can, find someone who has more experience with infrastructure decisions and have them plan your network development with you.  This is probably more important than you think, because firewalls are critical pieces of a network infrastructure that will become a bottleneck if they do not perform.  And they will not perform if they are underpowered, don't have the correct features, or are improperly placed.  If work is so phenomenally important that you cannot be down until a replacement firewall arrives, then that eventuality has to be planned in as well, so you are now considering failover, cold and warm spares, and remote management.

    Monitoring of firewalls and the activities that they detect should not be managed directly from the firewall unless you are really sure the technology for it is rock-solid and the hardware is up to that sort of demand, or if you want the most basic monitoring.  The primary job of a firewall is to pass or block packets, and anything that distracts from that task means impact on performance of a time-critical task.  Anyway, if your firewall goes down, any phone-home feature is going to be worthless; better to have it managed from another system with a secured dial-out-only line.  If you are not going to foot the bill or the time for that, then be willing to accept a more limited reporting solution.

    Firewall cost consists of not just the hardware, but also potentially support contracts for the software running on the firewall, and delivery guarantees for replacement in the event of failure.  I don't really include staff time in this, because if you are only looking at a set top appliance this paragraph is a non-issue, and if you are using something more expensive you are going to pay for help one way or another.  When you purchase a firewall, you are usually going to also have to pay for services to maintain it.  Cisco and other for-profit companies often require a contract to provide the software and updates, and a separate contract to contact them to answer your questions.  And another one to get stuff replaced. 

    There are other options, though you will pay in time and/or money, but your costs overall may end up being lower.  If you are going to be on a budget, you may not be able to completely escape the need for expert assistance, but you can cut out the requirement for the software costs and maybe even the hardware costs.  BSD and Linux distributions offer excellent professional solutions for free, and their software can often be optimized for performance in ways that pay systems would normally require a support call. 

    My suggestion if you are going to go the open-source route is to investigate OpenBSD: for less than the price of an email-only corporate support contract, you can contract directly with one of the project developers for an open-source project for support instead.  You can do likewise for a number of other software distributions.  Another option is to contract locally through systems staff that attend "User Group" meetings in your area.

    Cost savings also come from repurposing hardware for this need (either internally or from non-profits like and you can have a professional-grade firewall with redundant failover and better performance for less money.  Of course, this option will only work if you are willing to think outside the box, but even if that is not for you, at least be aware of your options as you will be more resistant to the "sales speak" that a lot of vendors like to use.  Also, there are other reasons for using a vendor-only solution, like auditing requirements that can only be met by certain systems vendors.

    --Bill Albertson
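    Bill's post recommends OpenBSD, a failover pair rather than a single box, and keeping monitoring off the firewall itself. The configuration below is an added example illustrating those three points together; it is not part of Bill's post or of any TechSoup material. It assumes a two-node OpenBSD firewall pair using pf, CARP and pfsync, and every interface name, address (em0/em1/em2, 203.0.113.0/29, 192.0.2.0/24, 10.0.0.0/30, the collector at 192.0.2.10) and shared secret is a placeholder to be replaced with your own. The backup node uses the same files with a higher advskew and its own em2/pfsync addresses.

```conf
# /etc/pf.conf on the primary node of a CARP pair (added example, not from the thread).
# Assumed interfaces: em0 external, em1 internal, em2 dedicated pfsync crossover.
ext_if   = "em0"
int_if   = "em1"
sync_if  = "em2"
ext_carp = "carp0"        # shared external address; survives a node failure
loghost  = "192.0.2.10"   # off-box log collector and management station (assumed)

set skip on lo

# Default deny. "log" copies each blocked packet to pflog0, which is shipped
# off-box below; the firewall itself does nothing but pass or block.
block log all

# CARP heartbeat between the two nodes and pfsync state replication over the
# crossover link. (no-sync) stops these states from being replicated themselves.
pass quick on { $ext_if $int_if } proto carp keep state (no-sync)
pass quick on $sync_if proto pfsync keep state (no-sync)

# Management (ssh) only from the collector on the inside, never from the Internet.
pass in quick on $int_if proto tcp from $loghost to ($int_if) port 22

# Inside hosts out, NATed to the shared CARP address rather than em0's own
# address, so existing sessions keep working after a failover. The states
# created here are replicated by pfsync to the backup node.
pass in  on $int_if inet from ($int_if:network) to any
pass out on $ext_if inet from ($int_if:network) nat-to ($ext_carp)

# /etc/hostname.carp0  (external shared address; backup node uses advskew 100)
inet 203.0.113.2 255.255.255.248 203.0.113.7 vhid 1 carpdev em0 pass SharedSecret advskew 0

# /etc/hostname.carp1  (internal shared address; the LAN's default gateway)
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 2 carpdev em1 pass SharedSecret advskew 0

# /etc/hostname.em2  (primary side of the pfsync crossover; backup is 10.0.0.2)
inet 10.0.0.1 255.255.255.252 NONE

# /etc/hostname.pfsync0
up syncdev em2

# /etc/sysctl.conf  (if one CARP interface fails, both fail over together)
net.inet.carp.preempt=1

# /etc/syslog.conf  (send everything to the collector over TLS; nothing is
# analysed on the firewall, and the log survives the firewall dying)
*.*     @tls://192.0.2.10:6514

# /etc/rc.local  (feed the blocked-packet log from pflog0 into syslog as well,
# so it reaches the collector through the same channel)
/usr/sbin/tcpdump -n -e -ttt -l -i pflog0 2>/dev/null | /usr/bin/logger -t pf -p local0.info &
```

    The collector at 192.0.2.10 is where alerting, reporting and long-term storage happen; if the firewall is unreachable, that host still has every record up to the moment it stopped talking, which is exactly the failure Bill's "phone home" remark is about. The pfsync crossover link carries unauthenticated state information, so it belongs on a dedicated cable between the two nodes, not on a shared switch.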

  • It is an excellent article - and Bill thank you for these terrific additional tips!

  • Bill,

    Great suggestions.  I've submitted a request to a colleague asking him to add a link from the firewall article to this thread.  Thanks for taking the time to respond.