Comparison of firewalls: Difference between revisions

Content deleted Content added

Inline

Revision as of 18:03, 11 December 2014

The following is a comparison of notable firewalls, starting from simple home firewalls up to the most sophisticated Enterprise firewalls.

Firewall software

Ultimately, all firewalls are software-based; a hardware firewall runs firmware (built-in software) on dedicated hardware. Embedded firewalls are simply very limited-capability programs running on a low-power CPU, and this software can be upgraded or replaced if someone has sufficient skill and resources to do so. (See OpenWrt)

Firewall	License	Cost / Usage Limits	OS
Nano IT & TI	Proprietary	$35 to 1800 / 30 day trial support	Linux-based appliance CentOS
Check Point	Proprietary	Included on Check Point security gateways	Proprietary operating system Check Point IPSO and Gaia (Linux-based), runs on appliances and virtual machines.
CISCO	Proprietary	Included on all CISCO switches and routers	Proprietary, runs only on CISCO hardware
Clavister cOS Core	Proprietary	Included on Clavister security gateways	Proprietary cOS Core, runs on Clavister appliances and virtual machines.
Comodo Internet Security	Proprietary	Free	Windows 7 / Vista / XP SP2/ Windows 8
Glasswire	Proprietary	Free	Windows 7 / Windows 8 / Windows 10
Intego VirusBarrier	Proprietary	?	Mac OS X 10.5 or later; on an Xserve
IPFilter	GPLv2	Free	Package for multiple UNIX-like operating systems
IPCop	various	Free	Linux-based appliance
IPFire	GPL	Free	Linux-based appliance
ipfirewall	BSD	Free	*BSD package
Kaspersky Internet Security	Proprietary	$59,95 Year / 30 day trial	Windows unknown versions x32/x64
Lavasoft Personal Firewall	Proprietary	€36 Year	Windows unknown versions x32/x64
Microsoft Forefront Threat Management Gateway	Proprietary	discontinued	Windows unknown versions x64
Monowall	BSD	Free	FreeBSD-based appliance
Netfilter/iptables	GPL	Free	Linux kernel module
Norton 360	Proprietary	$59.99 Year	Windows unknown versions x32/x64
NPF	BSD	Free	NetBSD kernel module
Online Armor Personal Firewall	Proprietary	€39.95 Year	Windows unknown versions x32/x64
Outpost Firewall Pro	Proprietary	Free / Paid	Windows unknown versions x32/x64
PC Tools Firewall Plus	Proprietary	Free ?	Windows unknown versions x32/x64
PF	BSD	Free	*BSD kernel module
pfsense	ESF License Agreement, v1.0 [1]	Free	FreeBSD/NanoBSD-based appliance
Smoothwall	GPL	Free	Linux-based appliance
Sophos UTM	GPL and Proprietary	Free / Paid	Linux-based appliance
Sunbelt Personal Firewall	Proprietary	discontinued	Windows unknown versions x32
Sygate Personal Firewall	Proprietary	discontinued	Windows unknown versions x32
Untangle	GPL	Free/Paid	Linux-based appliance
Vyatta	GPL	?	Linux-based appliance
Windows Firewall	Proprietary	Included with Windows XP SP2 and later	ALL Windows Versions x32/x64
WinGate	Proprietary	Paid	Windows unknown versions x32/x64
Zeroshell	GPL version 2	Free	Linux based appliance
ZoneAlarm	Proprietary	Freemium	Windows unknown versions x32/x64 (except XP-64)

Firewall rule-set basic filtering features comparison

Can Target:	Changing default policy to accept/reject (by issuing a single rule)	IP destination address(es)	IP source address(es)	TCP/UDP destination port(s)	TCP/UDP source port(s)	Ethernet MAC destination address	Ethernet MAC source address	Inbound firewall (ingress)	Outbound firewall (egress)
IPFire	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Trend Micro Internet Security	Yes	Yes	Yes	Yes	Yes	No	No	Yes	Yes
Untangle	Yes	Yes	Yes	Yes	Yes	No	No	Yes	Yes
Vyatta	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Windows XP Firewall	No	No	Yes	Partial	No	No	No	Yes	No
Windows Vista Firewall	Yes	Yes	Yes	Yes	Yes	No	No	Yes	Yes
Windows 7 / Windows 2008 R2 Firewall	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
WinGate	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Zeroshell	Yes	Yes	Yes	Yes	Yes	No	Yes	Yes	Yes
Zorp	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes

Windows XP Firewall can target only single destination TCP/UDP port per rule, not port ranges, therefore support is partial.

Firewall rule-set advanced features comparison

Can:	work at OSI Layer 4 (stateful firewall)	work at OSI Layer 7 (application inspection)	Change TTL? (Transparent to traceroute)	Configure REJECT-with answer	DMZ (de-militarized zone) - allows for single/several hosts not to be firewalled.	Filter according to time of day	Redirect TCP/UDP ports (port forwarding)	Redirect IP addresses (forwarding)	Filter according to User Authorization	Traffic rate-limit / QoS	Tarpit	Log
IPFire	Yes	Yes	Yes	No	Yes	Yes	Yes	Yes	Yes	Yes	No	Yes
Sidewinder	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Untangle	Yes	Yes (Some modules)	No	No	Yes	Yes (With Policy manager)	Yes	Yes	Yes	Yes	Yes	Yes
WinGate	Yes	Yes	Yes	No	Yes	Yes	Yes	No	Yes	Yes	No	Yes
Zeroshell	Yes	Yes	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No	Yes

NOTE: Because Linux Iptables is text-based firewall, you can "Filter according to time of day" by using additional 3rd party tools, like expect automation tool and cron jobs.
Windows firewall may be scripted with scheduled tasks.
Configured by system policy

Features:	Configuration: GUI, text or both modes?	Remote Access: Web (HTTP), Telnet, SSH, RDP, Serial COM RS232, ...	Change rules without requiring restart?	Ability to centrally manage all firewalls together
IPFire	both	Web (HTTPS), SSH, RS232	Yes	No
Untangle	both	SSH (Not enabeld by default), Web GUI,	Yes	Yes
WinGate	GUI	Proprietary user interface	Yes	—
ClearOS	both	RS232, SSH, WebConfig,	Yes	Yes with ClearDNS
Zeroshell	GUI	SSH, Web (HTTPS), RS232	Yes	No

NOTE: Because Linux Iptables and CISCO ACL are text-based firewalls, you can centrally manage them all-at-once by using additional tools, like KDE Konsole or expect automation tool.

NOTE: Due to the distributed nature of the Check Point architecture, no single interface is used exclusively. Security, NAT and VPN configuration is always done using the proprietary GUI, however basic IP networking and routing configuration of individual firewalls could be done using SSH or the Web interface.

Firewall's other features comparison

Features:	Modularity: supports third-party modules to extend functionality?	IPS : Intrusion prevention system	Open-Source License?	supports IPv6 ?	Class: Home / Professional	Operating Systems on which it runs?
IPFire	Yes	Yes, with Snort	Yes	Yes (since IPFire 3)	Both	Linux-based appliance distribution.
Untangle	Yes	Yes	Yes	No	Both	Linux (built on Debian)
Vyatta	Yes	Yes	Yes	Yes	Professional	Vyatta OS (built on Debian)
WinGate	Yes	?	No	No	Professional	Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 2008. 32bit and 64bit.

NOTE: Checkpoint support a limited range of third-party modules from certified partners. Modules are integrated with Checkpoint firewalls through a platform named OPSEC

NOTE: WinGate 6.x supports 3rd party modules for data scanning only (e.g. antivirus and content filtering).

NOTE: Collax Security Gateway kernel and components are Open Source. The only proprietary part is the GUI.

Non-Firewall extra features comparison

Those features are not strictly firewall features, but are sometimes bundled with firewall software, or exist on the platform.

NOTE: Features are marked "yes" even if implemented as a separate module that comes with the platform on which firewall sits.

IDS: real-time firewall that logs/sniffs/blocks suspicious connections that are not part of rule-set.

VPN (Virtual Private Network) Types are: PPTP, L2TP, MPLS, IPsec, SSL/SSH.

Profile selection: The user can switch between sets of firewall settings, e.g. for use at work, at home, and on public connections.

Can:	NAT (static, dynamic w/o ports, PAT)	IDS (Intrusion Detection System)	VPN (Virtual Private Network)	AV (Anti-Virus)	Sniffer	Profile selection
IPFire	Yes	Yes (with integrated Snort)	Yes (IPsec and OpenVPN)	Yes (with clamav)	Yes (with tcpdump)	?
Untangle	Yes	Yes	Yes (IPsec and OpenVPN)	Yes (clamav,commtouch (optional) )	Yes (tcpdump)	?
Vyatta	Yes (supports three NAT types)	Yes (integrated Snort)	Yes (IPsec and OpenVPN)	Yes (with clamav,Sophos Antivirus (optional) )	Yes (with wireshark or tcpdump)	?
WinGate	Yes	Yes (with NetPatrol)	Yes (proprietary)	Yes (Kaspersky Labs)	Yes (filtered capturing to pcap format)	No

External links

Windows Software Firewall Test Rankings, Matousec, 2014

@@ Line 21: / Line 21: @@
 | [[Linux]]-based appliance CentOS
 |-
-! [[Cisco]]
+! [[Check Point]]
 | {{Proprietary}}
-| Included on all Cisco<br>switches and routers
+| Included on Check Point<br>security gateways
+| Proprietary operating system [[Check Point IPSO]] and Gaia ([[Linux]]-based), runs on appliances and virtual machines.
-| Proprietary, runs only <br>on Cisco hardware
+|-
+! [[CISCO]]
+| {{Proprietary}}
+| Included on all CISCO<br>switches and routers
+| Proprietary, runs only <br>on CISCO hardware
 |-
 ! [[Clavister cOS Core]]
@@ Line 347: / Line 352: @@
 |}
-*NOTE: Because Linux Iptables and Cisco ACL are text-based firewalls, you can centrally manage them all-at-once by using additional tools, like KDE Konsole or expect automation tool.
+*NOTE: Because Linux Iptables and CISCO ACL are text-based firewalls, you can centrally manage them all-at-once by using additional tools, like KDE Konsole or expect automation tool.
-*NOTE: Due to the distributed nature of the Checkpoint architecture, no single interface is used exclusively. Security, NAT and VPN configuration is always done using the proprietary GUI, however basic IP networking and routing configuration of individual firewalls could be done using SSH or the Web interface.
+*NOTE: Due to the distributed nature of the Check Point architecture, no single interface is used exclusively. Security, NAT and VPN configuration is always done using the proprietary GUI, however basic IP networking and routing configuration of individual firewalls could be done using SSH or the Web interface.
 ==Firewall's other features comparison==