Small Business Firewalls



As a network security integrator dealing with small to mid-sized businesses, two issues continually arise when discussing network security:

1. What do I need?
2. How much will it cost?

More than any other class of business, the small business professional must consider each and every expense in terms of how much is too much. While all businesses have a bottom line, experience shows that the small business often works right on (if not under) the bottom line daily.

In keeping with the theme of security on a budget, we tested three network security systems designed expressly for the small to mid-sized office: Cisco PIX 501 Firewall, Nokia IP71 Small Business Firewall, and SmoothWall Corporate Server. We considered several different combinations of products but settled on these three as representative of the SOHO market when price is the chief consideration for the purchase of a security solution. As is the case with most comparisons, each system has its own strengths and weaknesses. This comparison is not intended to be a guide of all systems on the market; however, when price is the primary motivator, these three solutions should be on any Top Ten list.

1. About the Test

We developed a simple test sequence based on two assumptions: first, that the business owner would not have network administrators on-site but would depend upon an employee with some computer skills to install and configure whichever firewall purchased. Second, that the person doing the configuration would need documentation or a user-friendly interface to accomplish configuration. These two assumptions established a requirement for the testing to be simple and straightforward.

Our "end-users" performing the test were college seniors majoring in Computer Information Systems. These students are familiar with computer operations and applications but do not have hands-on experience with firewalls and security applications. In our view, this made the testing realistic given the parameters as defined above.

2. Cisco PIX 501 Firewall

The Cisco PIX 501 is the premier small office product of the Cisco SOHO line. Compact, lightweight, and running a 133 MHz processor with 16 MB RAM, it has the horsepower to handle the needs of the small business office. The standard configuration includes a 10-user license and advertises VPN support, intrusion protection, and URL filtering via Websense server support. Easily obtainable through any number of vendors, this configuration allows for secure communications in both local and remote access modes.


Pros

From a hardware point of view, the PIX is small and relatively easy to install. When added into a network in the default configuration, the internal DHCP server is active and able to issue IP addresses to clients. The default rule base is set to “deny all” from the public side of the device, so if your needs are to allow any outbound traffic while denying any inbound traffic, the PIX is ready to function straight out of the box.

Cons

For most installations, the default rule base isn’t going to be workable; additional rules and filters will be required to allow normal business use. With the PIX, adding these rules and filters is anything but easy. The native mode is to use the command line interface (CLI), but unless the person doing the configuration is fairly familiar with Cisco’s command syntax, the CLI is difficult to use. The PIX does offer a GUI, called the PIX Device Manager (PDM). However, the PDM is neither intuitive nor user-friendly and is not for the novice or faint of heart. Configuration documentation is extremely limited and considered useless for the target user.

We set up the PIX with three fairly simple rules: allow port 80 from ANY, allow port 443 from ANY, and allow port 22 (SSH) from a public static IP only. In addition, we changed the internal network from the default 192.168.1.0 /24 to 192.168.2.0 /24. This seemingly simple configuration required nearly two hours to install and test before working properly.

Two related issues surround the VPN and content filtering support. Although both features are supported, neither is included in the purchase price. With the cost of a 50 user VPN package nearly the cost of the PIX itself, the PIX becomes a costly option for most users.

Our Opinion: Cisco PIX 501
Affordability: Poor
Functionality "Out of the Box": Good
Ease of Customization: Poor
Built-In Functionality: Poor

3. Nokia IP71 Small Business Firewall

Similar to the Cisco PIX, the Nokia IP71 is designed specifically for the small business market. Slightly faster and containing more RAM than the PIX, the IP71 comes complete with Checkpoint FW-1 Small Office Edition supporting 50 nodes. Unlike the PIX, URL content filtering is not an included option; however, the IP71 as advertised includes VPN support.


Pros

From a hardware point of view, the IP71 is also relatively easy to install. The default rule base is set to “deny all” from the public side of the device while allowing complete freedom on the internal side. The Checkpoint GUI provides a user-friendly interface for creating rules and address translations. Anyone familiar with the full version of Checkpoint FW-1 will find the GUI easy to use; less experienced users may encounter some difficulty but nothing like the issues surrounding the PIX.

Cons

We set up the IP71 with the same rules as the PIX (allow port 80 from ANY, allow port 443 from ANY, and allow port 22 (SSH) from a public static IP only). In addition, we changed the internal network from the default 192.168.1.0 /24 to 192.168.2.0 /24 and created an address translation rule for hiding the internal network behind our static IP issued by our ADSL service provider. Our testers completed these tasks in less than an hour, with the majority of the time spent getting a “feel” for the GUI.

As with the PIX, the VPN feature of the device is not an included option and requires the purchase of additional licenses. The base cost of the device, coupled with the cost of the additional licenses, makes the IP71 nominal at best for the budget-minded business owner. The lack of documentation designed for the novice user made configuration a laborious process involving more time than was necessary.

Our Opinion: Nokia IP71
Affordability: Poor
Functionality "Out of the Box": Good
Ease of Customization: Good
Built-In Functionality: Fair

4. SmoothWall Corporate Server

Although SmoothWall is a software solution rather than a network security appliance, the wide range of compatible hardware makes SmoothWall a good choice for the price-conscious buyer. A highly modified version of VA Linux (itself based on the popular Red Hat Linux), SmoothWall is advertised to run on a 486 processor with 16 MB RAM and 200 MB hard disk space. While we chose not to test SmoothWall in this configuration, the ability to run on otherwise obsolete equipment is an added incentive for the target market.


Pros

We chose a Pentium II 300 MHz system with 96 MB RAM and a 1 GB hard drive as our hardware platform. Installation was simple and straightforward and offered a number of options for a variety of network configurations. For our testing, we chose the “GREEN + RED” option, since we connected the system directly to our ADSL connection. Once active, the system was significantly easier to customize than either the PIX or the IP71. We set up the system with the same rules as the PIX (allow port 80 from ANY, allow port 443 from ANY, and allow port 22 (SSH) from a public static IP only). Since the internal network address was configured during the initial setup, no further address changes were needed. Also, since the software allows direct communication with the ADSL modem, we needed no address translation rule since the PPPoE connection establishes a static public IP address upon connection. The GUI is user-friendly and easy to follow; within 15 minutes of initial installation, we had the system fully online with both proxy services and Intrusion Detection enabled. The process of installation and configuration is clearly geared towards the novice user, resulting in significant ease of use and customization. Further, the functionality out of the box includes many features (such as limited VPN support, IDS, proxy services) available only at added cost from Cisco or Nokia.
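
The inbound policy applied to all three products (allow ports 80 and 443 from anywhere, port 22 only from one public static IP, everything else dropped by the appliances' default "deny all") and the hide-NAT step used on the IP71, modelled here as an added Python example that is not from the article or from Cisco, Nokia or SmoothWall; the office's public IP and the administrator's static IP are constructed placeholders from the documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addresses (documentation ranges, not from the article):
# the office's public static IP and the single remote host allowed to use SSH.
OFFICE_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")
ADMIN_STATIC_IP = ipaddress.ip_network("198.51.100.5/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network   # permitted source range
    dport: int                   # destination TCP port
    action: str                  # "allow" or "deny"


# The article's three inbound rules, in order. Anything not matched falls
# through to the default "deny all" from the public side of the device.
INBOUND_RULES = [
    Rule(ANY, 80, "allow"),
    Rule(ADMIN_STATIC_IP, 22, "allow"),
    Rule(ANY, 443, "allow"),
]


def evaluate_inbound(src_ip: str, dport: int, rules=INBOUND_RULES) -> str:
    """First-match evaluation with an implicit default deny."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if src in rule.src and dport == rule.dport:
            return rule.action
    return "deny"


def hide_nat(internal_ip: str, internal_net: str = "192.168.2.0/24") -> str:
    """Hide NAT: hosts on the renumbered LAN leave as the one public IP.
    A host still on the old 192.168.1.0/24 is rejected, since it no longer
    belongs to the translated network."""
    if ipaddress.ip_address(internal_ip) not in ipaddress.ip_network(internal_net):
        raise ValueError(f"{internal_ip} is not on the internal network {internal_net}")
    return str(OFFICE_PUBLIC_IP)


# Constructed connection attempts arriving on the public interface.
SAMPLE_ATTEMPTS = [
    ("192.0.2.77", 80),        # web from anywhere: allow
    ("192.0.2.77", 443),       # https from anywhere: allow
    ("198.51.100.5", 22),      # SSH from the admin's static IP: allow
    ("192.0.2.77", 22),        # SSH from any other host: default deny
    ("198.51.100.5", 3389),    # unlisted port, even from the admin IP: default deny
]

if __name__ == "__main__":
    for src, port in SAMPLE_ATTEMPTS:
        print(f"{src:>14} -> tcp/{port:<5} {evaluate_inbound(src, port)}")
    print("192.168.2.25 appears on the Internet as", hide_nat("192.168.2.25"))
```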

Cons

Since SmoothWall is software-only, there is an added cost of the underlying hardware. However, this is mitigated by the fact that the software runs on practically any system built in the last five years, so the cost is minimal. Other limitations, such as VPN support, are alleviated by the fact that these services are also added features and can be purchased at significantly lower cost than similar features by Cisco or Nokia.

Our Opinion: SmoothWall Corporate Server
Affordability: Excellent
Functionality "Out of the Box": Excellent
Ease of Customization: Good
Built-In Functionality: Good

5. Summary

When considering the price of security, business owners often balance results with price: the more secure you wish to be, the higher the cost of the right solution. For the small business, that often means a less secure network with few or no options to increase the level of security once a solution is purchased.

From the standpoint of price, cost effectiveness, and ease of use, SmoothWall Corporate Server proves to be considerably cheaper and simpler to deploy than either the PIX or the IP71. Both the PIX and the IP71 are single-use products, with a limited migration path available once all add-on options are purchased. As your network grows, you are required to purchase replacement equipment at a higher cost. With SmoothWall, the software gives you the ability to expand independent of the hardware. As your business expands, you can either alter the hardware running SmoothWall or not, depending on your preference. SmoothWall is sufficiently robust to grow with your business.

For the small office needing secure communications and a least-costly migration path, SmoothWall does the job.