It hasn’t been easy, trying to do our part to introduce ISA firewalls to the IT security community. Once we get past the basic questions "Is ISA Server really a firewall?" and "How do I run the ISA box with a single NIC", the next thing potential users want to know is inevitably, "How does the ISA firewall compare to other firewalls?"
That’s an excellent question and we’re glad you asked!
Often, the question comes as a challenge from Checkpoint or PIX aficionados. Other times it comes from new or inexperienced network administrators who have been tasked with the responsibility of selecting or recommending a firewall solution for their companies, and who are confused and overwhelmed by the morass of marketing material, voluminous claims of competing firewall vendors, and kudos or complaints they hear from other firewall users and allegedly "non-biased" reviews on popular computing and security Web sites.
In order to intelligently answer the question, we’ve had to become acquainted not only with the new ISA firewall (ISA Server 2004) itself, but with the features and pricing/licensing structures of competing products.
In this series of articles on comparing and contrasting the ISA firewall with other firewall solutions, we’ll:
- Provide answers to some common questions that comes up when selecting a firewall or hybrid firewall/caching product for their networks.
- Provide a rational basis for selecting the ISA firewall, that is predicated on evidence and fact, rather than bias.
- Provide "fact ammo" for ISA firewall fans who already know they want to implement an ISA firewall and need to convince their companies’ management
This article series is based on information provided in Chapter 2 of our book Configuring ISA Server 2004. If you can't wait for the entire series to play out over the next few months, then make sure you get the book today!
Beginning Your Trek through the Firewall Landscape
If you take a look at the product lines of most of the major firewall "appliance" vendors, you’ll find several different models, not to mention a variety of different licensing schemes, as well as plenty of "add-ons" that enhance functionality and come at extra cost.
Constructing an intelligent comparison of products from different vendors can be a daunting task, and often there is no clear-cut "winner" in such a comparison. Instead, you find that making the right choice depends very much on your existing network infrastructure, the role you want the firewall to play, and a tradeoff of some features for others.
We often hear network administrators lament, "I can buy a SonicWall firewall for under $500. An ISA firewall can cost up to several times that." That’s true – as far as it goes. Here is the rest of the story
- The under-$500 SonicWall (or NetScreen, or WatchGuard) is not intended for use on a large or even medium-sized business network. These low-cost firewall appliances are the SOHO (Small Office/Home Office) and "telecommuter" models. In fact, it can be argued that these devices aren’t worth more than $50-75 as their features sets are comparable to home user DLink or USRobotics offerings.
- SOHO firewalls are limited to a small number of users (usually 10-25), and telecommuter firewalls are designed to protect the single computer of someone working from home and connecting to the company network remotely (more like a personal firewall).
- SOHO and telecommuter firewalls may not support remote-access VPN, or may come with only a single VPN license; additional VPN clients will cost extra. They may support a limited number of VPN tunnels (5-10), even with extra licenses. Even worth, the proprietary VPN client software implements "off-label" and non-IETF compliant VPN protocols that do not work with IETF compliant industry standard firewall/VPN servers and gateways.
- Low-end firewalls run on low-powered hardware. For example, the SonicWall SOHO 3 uses a puny 133MHz processor and just 16MB of RAM, whereas you can customize the hardware on which to install ISA firewall and other software-based firewalls (as long as it meets the minimum requirements needed to run the OS and firewall) to match the performance requirements for your organization.
- Performance/throughput for low-cost firewalls is often very low (for example, 75Mbps firewall throughput, in comparison to ISA Server’s tested throughput of over 2.0Gbps).
As you dig deeper into the comparative features, you begin to realize that a simple cost comparison is meaningless. A comparative analysis must also take into account the administrative overhead, licensing structure, and feature sets of the products being compared.
To say, "I can buy a firewall for under $500" is like saying, "I can buy a watch for $5," or "I can buy a new car for $10,000." All of those statements are true, but many consumers still choose to spend $50 or $500 or even $5000 for a watch and $20,000, $30,000, or much more for a new car. Why? Most would tell you that issues of reliability, features, and longevity are important factors. Of course, status may also play a part in their decisions, especially at the extreme high end of the price scale.
Of course, if the under-$500 firewalls were all anyone needed to protect their networks, the same vendors wouldn’t also offer firewalls that cost three, five, ten, or sometimes twenty times as much as their low-end products. In fact, the low-end offerings are often easily recognized as "loss leaders" that are used to pull in the customer so that he can be assailed with sales pitches for the much more pricey offerings.
We won’t make the case that the ISA firewall is "the best" firewall product for every network in every situation. However, we will be able to provide facts supporting our contention that the ISA firewall is a serious contender in the business firewall market and holds its own in a competition with the "big boys" (Cisco and Check Point) and far exceeds the power and security of the many low-cost firewall/VPN appliances currently in use.
In an enterprise environment, it is often neither necessary nor desirable to choose a single firewall solution for all applications. A good "defense-in-depth" strategy will often "mix and match" products from multiple vendors for the most effective protection against modern threats. For example, a company might decide to deploy one or more fast, simple stateful packet filter-based firewall, such as PIX, at the Internet edge and put a deep application layer inspection firewall, such as the ISA firewall, within the DMZ or in front of each departmental subnet or in front of corporate application partitions.
In subsequent articles, we will examine factors you should take into consideration when comparing different firewall products. These factors are separated into three broad categories:
- Cost and licensing.
This includes not only the initial capital investment in the software, hardware, or appliance, but also special licensing considerations (such as the requirement for separate licenses for VPN clients), add-on modules and enhancements that are required to provide full competitive functionality, support contracts, the comparative cost of upgrading, and other factors that impact Total Cost of Ownership (TCO), such as administrative overhead, training requirements, and so on.
- Specifications and features.
This refers to architecture and operating system, throughput and concurrent sessions supported, filtering features, and intrusion detection and prevention features, VPN features (protocol support, client support, number of tunnels supported, VPN quarantine/security), Web caching functionality (if any), and integration and interoperability with Windows and other servers.
Certification by independent entities such as ICSA Labs in the U.S. and Checkmark in the U.K. can ensure that firewalls meet minimum criteria based on standardized testing.
The comparative analysis is based on information gathered from vendor documentation, vendor queries, questionnaires targeting administrators who use the various products, and hands-on evaluation of (some of) the products.
The information in this series of articles is current as of the time of the research and writing, but the security software market is constantly changing. New products are introduced and existing products are upgraded on a daily basis. Changes in business structure or ownership are common (for example, one of the major companies addressed in this analysis, NetScreen, was bought by Juniper Networks a short time before the writing of this document) and might or might not result in changes to the products themselves.
In this series of articles, our firewall analysis will compare the ISA firewall’s (ISA Server 2004) cost, features, and functionality with what we consider to be the ISA firewall’s primary competitors in the firewall market. The ISA firewall’s competitors are:
- CheckPoint firewall and VPN systems(including Nokia appliances)
- Cisco’s PIX packet filtering security appliances
- NetScreen security appliances (now owned by Juniper Networks)
- SonicWall security appliances
- Watchguard security appliances
- Symantec’s Enterprise Firewall software (including Symantec appliances)
- Blue Coat Systems ProxySG appliances
- Open source firewalls (IPchains, Juniper FWTK, IPCop)
This by no means includes all available firewall products on the market today; however, it does include those with the largest market shares and comparable firewall feature sets, performance and reliabilty. In addition to considering white box installs of the ISA firewall product, we will include what we consider to be the market leaders in ISA firewall hardware appliance offerings.
The Cost of Firewall Operations
To the network/security administrator, the cost of a firewall may not be first on the list of priorities in selecting the best product for your situation. You want the one that will get the job done most effectively and efficiently, and that will be easiest for you and your staff to deploy, manage, and update.
However, to those who may have the ultimate decision-making authority (the Chief Financial Officer, purchasing agent, or small business owner), cost is a very important consideration. As a firewall or security administrator, preventing a security breach that could put the company into bankruptcy is your major concern; to the check-writer, he often considers the firewall as a form of "health insurance" and tries to get the lowest price possible because he thinks he’ll never need to use it.
It’s important to remember, however, that cost involves a lot more than just the initial purchase price of an appliance or software/hardware package. Budget-minded decision-makers are concerned with the "bottom line," or the entire financial impact of the decision spread over the lifetime of the product. In comparing different products, you need to address each of the following:
- Capital investment
- Add-on modules and enhancements
- Licensing structures
- Total Cost of Ownership
We address each of these in the following subsections.
By "capital investment," we refer to both the initial cost of the software license and/or the hardware device, plus any additional add-on modules, client licenses, or other components that are required to deploy the firewall or caching solution with full functionality on your network.
Many vendors advertise a "base price" that doesn’t include everything required for what you want to do (for example, if you want to use the firewall as a VPN gateway, you may have to purchase licenses that are not included in the price of the firewall for each VPN client).
Add-on Modules and Enhancements
Many firewall products provide some of their functionality through add-on modules or additional "off-box" devices or software.
For example, most firewall vendors don’t provide Web caching as a standard feature of the firewall, but some allow you to add it through a software module (for example, Checkpoint) or offer an additional hardware device that performs the function (such as Cisco). The ISA firewall, along with BlueCoat, builds Web proxy and caching into the firewall so that you save hundreds or even thousands of dollars because you don’t have to buy additional software and/or devices to get that functionality.
To accurately compare the cost of ISA Server with these devices, you must also factor in the cost of add-ons required to give the same level of functionality ISA Server has "out of the box."
Some features and functionalities provided by vendors through add-ons include:
- Web caching
- Virus scanning and detection
- Centralized (enterprise) management of multiple firewalls
- Report generation
- High availability/load balancing
- PKI/Smart card authentication
ISA Server 2004 includes many of these features right out of the box, so they don’t add any extra cost.
In addition, it’s important to note that because they don’t include a hard disk to which log files can be written, ASIC devices often require separate computer hardware for logging.
For example, you may need to set up a server to collect the PIX logs. This is often forgotten in cost considerations. People often complain that ISA requires the purchase of computer hardware and an OS license, but recording ASIC-generated log files frequently requires this expenditure, too. Of course, some firewall certification programs require off-box logging, so this cost represents a double-edged sword.
Solutions such as the ISA firewall enable either on-box or off-box logging, providing enhanced flexibility in your cost structuring.
Software licensing structures can be confusing, at best. However, it’s important to understand each product’s licensing structure in order to make a valid comparison. The licensing structure can greatly affect the total cost of the firewall/security device. Some vendors grant licenses on a subscription basis, requiring that you pay for the software license again each year.
Others firewall vendors charge an initial licensing fee, with no additional fee required unless/until you upgrade to a new version of the product (and you may get a discounted licensing fee when you upgrade versus someone who is buying the product for the first time).
Licenses may also vary in price depending on how you intend to use the firewall.
For example, the license for a second firewall in a failover/fault tolerance cluster may be lower than for the first license for the active firewall.
Vendors may use different terminology to distinguish between licensing levels.
For example, Cisco makes its PIX licenses available as either Restricted (R) or Unrestricted (U) licenses, in addition to Failover mode (FO) licenses. The licensing mode is defined by your activation key. A Restricted (R) license puts a limit on the number of interfaces that are supported, as well as the amount of RAM that will be available to the software. An Unrestricted (UR) license allows you to use all of the RAM that the hardware supports and the maximum number of interfaces supported by the hardware. A Restricted license does not support failover configuration, while an Unrestricted license does. You can also buy a special "R to UR" license to upgrade from a Restricted license to an Unrestricted one or an "FO to R" or "FO to UR" license to upgrade from a Failover license to a Restricted or Unrestricted license.
Are you confused yet?
Some firewalls are licensed according to number of "users." The firewall may enforce this by sending a ping and counting the replies from responding hosts (in which case, network printers and other devices that are assigned IP addresses might be counted as "users") or by keeping track of the number of internal nodes that are accessing the Internet on the external interface.
For example, Check Point FireWall-1 (FW-1) listens for IP traffic on all internal interfaces and keeps count of the different IP addresses. When the number of IP addresses exceeds the license limit, e-mail notifications will be sent to administrators and the event will be logged.
Many vendors also have volume licensing plans or corporate licensing plans that offer lower rates to large customers or those who buy a large number of firewalls. Software firewall vendors may also offer evaluation licenses that expire after a specified number of days.
One notable advantage of software firewalls such as the ISA firewall, Checkpoint and Symantec Enterprise firewall is the ability to easily "try before you buy" by installing an evaluation version of the product. Obtaining evaluation hardware from "hardware" firewall vendors is never as easy.
You’ll also want to consider whether additional licenses, other than for the firewall software itself, are needed for full functionality.
Some vendors charge extra for VPN licenses for each VPN client or gateway connection. Even when the cost is relatively low ($15-35 per license is typical), this can add up fast if you have hundreds of VPN connections. You might also have to obtain an extra license to use certain features, such as 3DES or AES encryption.
Finally, you may need additional licenses to run add-on modules. For example, running the Motif GUI to connect to a Check Point FW-1 management console in FW-1 4.1 and above requires that you pay extra for a Motif license. LDAP (Lightweight Directory Access Protocol) functionality also requires an extra license if you want to use it with FW-1. LDAP may be required to fully leverage your existing user database.
Another "hidden" cost factor that you should consider in comparing the cost of various solutions is the cost of support, which can vary widely depending on the vendor. Support contracts can cost from less than a hundred to several thousand dollars per year.
Some vendors include free support for a set period of time.
For example, Cisco provides free tech support for 90 days, while Check Point FW-1 requires that you purchase a support/upgrade contract to access their tech support, with such contracts costing as much as 50 percent of the original software price, per year.
Some vendors have different levels of support contracts.
For example, Symantec offers Gold, Platinum, and Premium Platinum Maintenance and Support contracts on their firewall products. Gold support provides telephone support during regular business hours, Monday through Friday, while Platinum support provides after-hours support. With Premium Platinum support, you get a Technical Account Manager and three additional technical contacts (Gold and regular Platinum provide for two technical contacts).
If you plan to purchase a support contract, the cost should be factored into your comparison. The support contract can make the difference between a connected and disconnected business.
Many vendors require that you maintain the support agreement on a yearly basis. This means that if you let a support agreement lapse for a year, the vendor may require that you buy a support agreement for the current year and the lapsed year.
The cost to upgrade the firewall is another important cost factor you must consider when doing a cost comparison.
Software firewalls that are installed on standard PC/Intel architecture hardware can easily take advantage of the addition of a faster or additional processor, faster network cards, more RAM, or installation on a new, more powerful machine. Hardware appliances, on the other hand, may have to be replaced completely, or may be more costly to upgrade.
For example, the Cisco PIX Firewall Classic, 10000, and 510 models have been discontinued and cannot run PIX firewall software version 6.0 or later. This means if you want the features of the new software, you’ll have to purchase a new PIX packet filtering appliance.
Another important consideration is if/when you need to upgrade to more powerful hardware for your software-based firewall, you can "repurpose" the original hardware to act as a file server, workstation, or in another role on the network. A hardware-based security appliance running a proprietary operating system on proprietary hardware has less potential for reuse.
Whether you have a "hardware firewall" or a "software firewall," the cost of upgrading the software at periodic intervals is also important. You’ll want to consider the following:
- Are updates and fixes available free, or do you have to pay for them?
- Are there discounts for upgrade versions of the software, or must you buy the full version?
- Another consideration might be the administrative overhead required to perform the upgrade. For example, upgrading a PIX running version 5.0 or earlier doesn’t provide a way to use Trivial File Transfer Protocol (TFTP) to transfer the software image directly to the device’s flash memory, so you have to enter boothelper or monitor mode. Newer versions of the PIX software support a command that allows you to copy the software image directly from the TFTP server to the device. Or course, TFTP is not a secure protocol and you have to factor the protocols available to update the firewall. Either way, you’ll have to use a command line interface to enter the appropriate commands to upgrade the software.
Total Cost of Ownership
When all of the cost factors are taken into consideration, you can come up with a Total Cost of Ownership (TCO) for each product in order to make a more accurate price comparison. In calculating the TCO for each of the competing products, you must consider not only each of the direct costs we discussed in the preceding paragraphs, but also indirect costs such as:
- Learning curve:
cost of materials, training courses, and such, required for administrators to learn to configure and manage the firewall.
- Administrative overhead:
relative amount of administrative time required to configure and manage the firewall; level of administrative expertise required (which can increase personnel costs).
- Productivity costs:
affect on productivity of network users.
- Downtime costs:
both productivity losses and loss of revenues, for example from potential e-commerce sales, related to the deployment and reliability of the firewall.
Most TCO models divide all cost factors into two broad categories: acquisition costs and on-going or operational costs.
The first category includes the purchase price of the hardware, the initial licensing fees for the software, and one-time installation costs, including the cost of administrative time, hiring of consultants if applicable, initial training, and so on.
The second category includes vendor support contracts, internal IT administrative costs, hiring of independent consultants for troubleshooting and maintenance, hardware maintenance and upgrades, software updates and upgrades, on-going training, and other support costs. Of course, some of these costs will vary from one customer to another, depending on the way the firewall will be deployed and the experience and skill sets of current personnel.
There is more price flexibility and you have more control over TCO with software firewalls because you can take advantage of competitive pricing among different hardware vendors, whereas with hardware-based firewalls, you may be limited to a small selection of different hardware configurations with less of a price variance between different resellers.
In this article we discussed some of the key issues you should take into consideration when considering a new firewall for your network. In this, the first article in a series dedicated to comparing and contrasting the ISA firewall with other major firewalls on the market, we focused on the key issues you should focus on when deciding if the ISA firewall is the best solution for your organization. Throughout this series will be key into the features that characterize the ISA firewall and demonstrate how the ISA firewall is not only often the best solution for your organization, but also the most cost-effective solution.