Comparison of firewalls
The following tables compare different aspects of a number of firewalls, starting from simple home firewalls up to the most sophisticated Enterprise firewalls.
Firewall software
Main article: Personal firewall
Generally, all firewalls are software-based; there is no such thing as a purely hardware-only firewall. Embedded firewalls are simply very limited-capability programs running on a low-power CPU, and this software can be upgraded or replaced by anyone with sufficient skill and resources to do so (see OpenWrt).
Firewall rule-set basic filtering features comparison
| Can target: | Changing default policy to accept/reject (by issuing a single rule) | IP destination address(es) | IP source address(es) | TCP/UDP destination port(s) | TCP/UDP source port(s) | Ethernet MAC destination address | Ethernet MAC source address | Inbound firewall (ingress) | Outbound firewall (egress) |
|---|---|---|---|---|---|---|---|---|---|
| Check Point VPN-1 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco Access List | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Clavister | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Endian Firewall | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IPFilter | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Juniper Networks | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Linux iptables | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| NAI Gauntlet | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| OpenBSD PF | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Sidewinder G2 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Soft in Engines BMF | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| SonicWALL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Trend Micro Internet Security | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
| Vyatta | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Windows XP Firewall | No | No | Yes | Partial* | No | No | No | Yes | No |
| Windows Vista Firewall | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
| Windows 7 / Windows 2008 R2 Firewall | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| WinGate | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Zentyal | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Zorp | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

- * Windows XP Firewall can target only a single destination TCP/UDP port per rule, not port ranges; therefore support is partial.
Firewall rule-set advanced features comparison
| Can: | Work at OSI Layer 4 (stateful firewall) | Work at OSI Layer 7 (application inspection) | Change TTL? (Transparent to traceroute) | Configure REJECT-with answer | DMZ (de-militarized zone): allows single/several hosts not to be firewalled | Filter according to time of day | Redirect TCP/UDP ports (port forwarding) | Redirect IP addresses (forwarding) | Filter according to User Authorization | Traffic rate-limit / QoS | Tarpit | Log |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Juniper Networks | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Check Point VPN-1 | Yes | Yes | Yes | Yes (with Web Intelligence) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco Access List | Yes (with CBAC) | Partial (with CBAC) | No | No | Yes | Yes | Yes | Yes (with static routes) | Yes (with dynamic ACLs) | Yes (with queueing) | No | Yes |
| Clavister | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IPFilter | Yes | Partial (selected protocols only) | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Linux iptables | Yes | Yes (with patch) | Yes | Yes | Yes | Yes (with 3rd-party tools) | Yes | Yes | Yes (with NuFW) | Yes | Yes (with Patch-o-matic module) | Yes |
| IPFW2 | Yes | Partial (with divert) | Yes | Yes | Yes | Partial (with patch) | Yes | Yes | ? | Yes | Yes | Yes |
| OpenBSD pf | Yes | Partial (selected protocols only) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Sidewinder | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Soft in Engines BMF | Yes | Partial (selected protocols only) | No | Yes | Yes | Yes | Yes | Yes | Yes (with MS Active Directory) | Yes | No | Yes |
| Vyatta | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Windows 7 (and Windows 2008 R2) Firewall | Yes | Yes | No | No | No | Yes* (with 3rd-party tools) | Yes | Yes | Yes | Yes** | No | Yes |
| Windows Vista Firewall | Yes | Yes | No | No | No | Yes* | Yes | Yes | Yes | Yes** | No | Yes |
| Windows XP Firewall | Yes | Yes | No | No | No | Yes* | Yes | Yes | Yes | Yes** | No | Yes |
| WinGate | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes | No | Yes |
| Zentyal | Yes | Yes | No | No | Yes | No | Yes | Yes | No | Yes | No | Yes |

- NOTE: Because Linux iptables is a text-based firewall, you can "Filter according to time of day" by using additional 3rd-party tools, such as the expect automation tool and cron jobs.
- * Windows Firewall may be scripted with scheduled tasks.
- ** Configured by system policy.
Firewall Management features comparison
| Features: | Configuration: GUI, text or both modes? | Remote access: Web (HTTP), Telnet, SSH, RDP, Serial COM RS232, ... | Change rules without requiring restart? | Ability to centrally manage all firewalls together |
|---|---|---|---|---|
| Juniper Networks | both | proprietary GUI, SSH, Web (HTTP/HTTPS), Telnet, nsm, RS232 | Yes | Yes |
| Check Point VPN-1 | both | proprietary GUI, SSH, Web (HTTP/HTTPS) | Yes | Yes |
| Cisco ABC | both | Telnet, SSH, Web (Java app "PDM" or the newer "ASDM"), RS232 | Yes | Partial |
| Clavister | both | proprietary GUI, SSH, Web (HTTP/HTTPS), Telnet, nsm, RS232 | Yes | Yes |
| IPFilter | both | Telnet, SSH, Web (webmin), X/Win32 GUI "fwbuilder", RS232 | Yes | Yes |
| Linux iptables | both | Telnet, SSH, Web (webmin), X/Win32 GUI "fwbuilder", RS232 | Yes | Yes |
| IPFW2 | both | Telnet, SSH, Web (webmin), X GUI "qtfw", Mac GUI "WaterRoof", RS232 | Yes | Yes |
| OpenBSD pf | both | Telnet, SSH, Web (webmin), X/Win32 GUI "fwbuilder", RS232 | Yes | Yes |
| Vyatta | both | Telnet, SSH, Web GUI, RS232 | Yes | Yes |
| Windows 7 (and Windows 2008 R2) Firewall | both | RDP, telnet, Group Policy, MMC | Yes | Yes |
| Windows Vista Firewall | both | RDP, telnet, Group Policy, MMC | Yes | Yes |
| Windows XP Firewall | both | RDP, telnet, Group Policy | No | Yes (with AD and GPO) |
| WinGate | GUI | Proprietary user interface | Yes | N/A |
| Endian Firewall | both | Telnet, SSH, Web GUI | Yes | Yes |
| ClearOS | both | RS232, SSH, WebConfig | Yes | Yes, with ClearSDN |
| Zentyal | GUI | SSH, Web (HTTPS) | Yes | Yes, with Zentyal Cloud |

- NOTE: Because Linux iptables and Cisco ACL are text-based firewalls, you can centrally manage them all at once by using additional tools, such as KDE Konsole or the expect automation tool.
- NOTE: Due to the distributed nature of the Checkpoint architecture, no single interface is used exclusively. Security, NAT and VPN configuration is always done using the proprietary GUI, however basic IP networking and routing configuration of individual firewalls could be done using SSH or the Web interface.
Other firewall features comparison
| Features: | Modularity: supports third-party modules to extend functionality? | IPS: Intrusion prevention system | Open-source license? | Supports IPv6? | Class: Home / Professional | Operating systems on which it runs |
|---|---|---|---|---|---|---|
| Juniper Networks | Yes | Yes | No | Yes | Professional | Juniper Networks (JunOS) |
| Check Point VPN-1 | Yes | Yes | No | Yes | Professional | Solaris, Linux (SPLAT or RHEL), Nokia IPSO, Crossbeam Systems, Windows NT, 2000, 2003 |
| Cisco IOS | No | Yes | No | Yes | Professional | Cisco IOS |
| Clavister | Yes | Yes | No | Yes | Professional | CorePlus |
| IPFilter | Yes | Yes, with Snort Inline, Ossec | Yes | Yes | Both | Solaris, IRIX, HP-UX, NetBSD and FreeBSD. Available but deprecated on Linux. |
| Linux iptables | Yes | Yes, with Snort Inline, Ossec | Yes | Yes | Both | Linux 2.4+ |
| OpenBSD pf | Yes | Yes, with Snort Inline, Ossec | Yes | Yes | Both | OpenBSD, FreeBSD 6.0+, NetBSD 3.0+ |
| Outpost Firewall Pro | No | Yes | No | Yes | Professional | Windows |
| Vyatta | Yes | Yes | Yes | Yes | Professional | Vyatta OS (built on Debian) |
| Windows 7 (and Windows 2008 R2) Firewall | Yes | No | No | Yes | Both | Windows 7, Windows Server 2008 R2 |
| Windows Vista Firewall | Yes | No | No | Yes | Both | Windows Vista, Windows Server 2008 |
| Windows XP Firewall | No | No | No | No | Home | Windows XP, Windows Server 2003 |
| WinGate | Yes | ? | No | No | Professional | Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 2008; 32-bit and 64-bit |
| Endian Firewall | Yes | Yes, with Snort Inline | Yes | Yes | Both | Endian OS (based on Red Hat Enterprise Linux) |
| Zentyal | Yes | ? | Yes | No | Both | Ubuntu Server |

- NOTE: Check Point supports a limited range of third-party modules from certified partners. Modules are integrated with Check Point firewalls through a platform named OPSEC.
- NOTE: WinGate 6.x supports 3rd party modules for data scanning only (e.g. antivirus and content filtering).
Non-Firewall extra features comparison
These features are not strictly firewall features, but they are sometimes bundled with firewall software or exist on the platform.
NOTE: A feature is marked "Yes" even if it is provided by a separate module that comes with the platform on which the firewall sits.
IDS: a real-time component that logs/sniffs/blocks suspicious connections which are not covered by the rule-set.
VPN (Virtual Private Network) types are: PPTP, L2TP, MPLS, IPsec, SSL/SSH.
Profile selection: the user can switch quickly between firewall settings for work, home or public places.
| Can: | NAT (static, dynamic w/o ports, PAT) | IDS (Intrusion Detection System) | VPN (Virtual Private Network) | AV (Anti-Virus) | Sniffer | Profile selection |
|---|---|---|---|---|---|---|
| Juniper Networks IOS | Yes (supports three NAT types) | Yes | Yes | Yes | Yes (supports wireshark, tcpdump, IOS version) | ? |
| Check Point | Yes (supports four NAT types) | Yes | Yes | Yes | Yes (with wireshark, tcpdump or the FW-1 in-kernel dump "fw monitor", a powerful tool to determine many aspects of the connection before and after a packet enters/leaves the OS routing system) | ? |
| Cisco IOS | Yes (supports three NAT types) | Yes | Yes (some IOS versions) | No | Yes (some IOS versions) | ? |
| Clavister | Yes (supports three NAT types) | Yes | Yes | Yes | Yes (supports Clavister Real-Time Log/Monitor and PCAP/Wireshark) | ? |
| IPFilter | Yes (supports three NAT types) | Yes (with Prelude-IDS or Snort) | Yes (native on Solaris, HP-UX; with third-party software on IRIX, BSD, Linux) | Yes (with clamav) | Yes (with wireshark or tcpdump) | ? |
| Linux OS | Yes (supports three NAT types) | Yes (with Prelude-IDS or Snort) | Yes (with OpenVPN) | Yes (with clamav) | Yes (with wireshark or tcpdump) | ? |
| OpenBSD pf | Yes (supports three NAT types) | Yes (with Prelude-IDS or Snort) | Yes | Yes (with clamav) | Yes (with wireshark or tcpdump; the "log" option logs in pcap format) | ? |
| Vyatta | Yes (supports three NAT types) | Yes (integrated Snort) | Yes (IPsec and OpenVPN) | No | Yes (with wireshark or tcpdump) | ? |
| Windows 7 (and Windows 2008 R2) | Partial (PAT, with Internet Connection Sharing) | Yes (with SPECTER) | Yes | Yes (McAfee, Symantec, etc.) | Yes (with wireshark) | Yes (public, private, home) |
| Windows Vista | Partial (PAT, with Internet Connection Sharing) | Yes (with SPECTER) | Partial (limited to 1 client) | Yes (McAfee, Symantec, etc.) | Yes (with wireshark) | Yes (public, private) |
| Windows XP | Partial (PAT, with Internet Connection Sharing) | Yes (with SPECTER) | Partial (limited to 1 client) | Yes (McAfee, Symantec, etc.) | Yes (with wireshark) | No |
| WinGate | Yes | Yes (with NetPatrol) | Yes (proprietary) | Yes (Kaspersky Labs) | Yes (filtered capturing to pcap format) | No |
| Endian Firewall | Yes (supports three NAT types) | Yes (with integrated Snort) | Yes (IPsec and OpenVPN) | Yes (with clamav; Sophos Antivirus optional) | Yes (with wireshark or tcpdump) | N/A |
| Zentyal | Partial (static, PAT) | Yes | Yes | Yes | Yes (with wireshark or tcpdump) | N/A |
Wikimedia Foundation. 2010.