Comparison of firewalls

From Wikipedia, the free encyclopedia
Jump to: navigation, search

The following is a comparison of notable firewalls, starting from simple home firewalls up to the most sophisticated Enterprise-level firewalls.

Firewall software[edit]

Ultimately, all firewalls are software-based[citation needed], but some firewall solutions are provided as software solutions that run on general purpose operating systems. The following table lists different firewall software that can be installed / configured in different general purpose operating systems.

Firewall License Cost / Usage Limits OS
Comodo Internet
Security
Proprietary Free Windows 7 / Vista / XP SP2/ Windows 8
FirewallD GPL Free Fedora, Red Hat Enterprise Linux, CentOS
Glasswire Proprietary Free Windows 7 / Windows 8 / Windows 10
Intego VirusBarrier Proprietary  ? Mac OS X 10.5 or later; on an Xserve
IPFilter GPLv2 Free Package for multiple UNIX-like operating systems
ipfirewall BSD Free *BSD package
Kaspersky
Internet Security
Proprietary $59,95 Year / 30 day trial Windows unknown versions x32/x64
Lavasoft
Personal Firewall
Proprietary €36 Year Windows unknown versions x32/x64
Microsoft
Forefront Threat
Management
Gateway
Proprietary discontinued Windows unknown versions x64
Netfilter/iptables GPL Free Linux kernel module
Norton 360 Proprietary $59.99 Year Windows unknown versions x32/x64
NPF BSD Free NetBSD kernel module
Online Armor
Personal Firewall
Proprietary €39.95 Year Windows unknown versions x32/x64
Outpost
Firewall Pro
Proprietary Free / Paid Windows unknown versions x32/x64
PC Tools
Firewall Plus
Proprietary discontinued Windows unknown versions x32/x64
PF BSD Free *BSD kernel module
Sunbelt
Personal Firewall
Proprietary discontinued Windows unknown versions x32
Sygate
Personal Firewall
Proprietary discontinued Windows unknown versions x32
Windows Firewall Proprietary Included with Windows
XP SP2 and later
ALL Windows Versions x32/x64
WinGate Proprietary Paid Windows unknown versions x32/x64
ZoneAlarm Proprietary Freemium Windows unknown versions x32/x64 (except XP-64)

Firewall appliances[edit]

In general, a computer appliance is a computing device with a specific function and limited configuration ability, and a software appliance is a set of computer programs that might be combined with just enough operating system (JeOS) for it to run optimally on industry standard computer hardware or in a virtual machine.

A firewall appliance is a combination of a firewall software and an operating system that is purposely built to run a firewall system on a dedicated hardware or virtual machine.[1][2][3] These include:

  • embedded firewalls: very limited-capability programs running on a low-power CPU system,
  • software-based firewall appliances: a system that can be run in independent hardware or in a virtualised environment as a virtual appliance
  • hardware-based firewall appliances: a firewall appliance that runs on a hardware specifically built to install as a network device, providing enough network interfaces and CPU to serve a wide range of purposes. From protecting a small network (a few network ports and few megabits per second throughput) to protecting an enterprise-level network (tens of network ports and gigabits per second throughput).

The following table lists different firewall appliances.

Firewall License Cost OS
Check Point VPN-1 Proprietary Included on Check Point
security gateways
Proprietary operating system Check Point IPSO
and Gaia (Linux-based)
CISCO ACLs Proprietary Included on all CISCO
switches and routers
Proprietary, runs only
on CISCO hardware
CISCO ASA Proprietary Included on all CISCO
ASA devices
Proprietary operating system
CISCO PIX Proprietary Included on all CISCO
PIX devices
Proprietary operating system
Endian Firewall Proprietary Free / Paid Linux-based appliance
FortiGate Proprietary Included on all Fortigate
devices
Proprietary, FortiOS
IPCop various Free Linux-based appliance
IPFire GPL Free Linux-based appliance
Juniper SSG Proprietary Included on Netscreen
security gateways
Proprietary operating system ScreenOS
Juniper SRX Proprietary Included on SRX
security gateways
Proprietary operating system Junos
Monowall BSD Free FreeBSD-based appliance
embedded firewall distribution
Opendium Iceni Proprietary Paid Linux-based, with optional web filtering / auditing.
OPNsense[1] BSD (2-clause) Free FreeBSD/NanoBSD-based appliance[4]
firewall distribution
Palo Alto Networks Proprietary Included on Palo Alto
Networks firewalls
Proprietary operating system PANOS
pfsense ESF License Agreement, v1.0 [2] Free FreeBSD/NanoBSD-based appliance
firewall distribution
Simplewall ??? Trial/Paid Linux-based appliance
Smoothwall GPL Free Linux-based appliance
Sophos UTM GPL and Proprietary Free / Paid Linux-based appliance
Untangle GPL Free / Paid Linux-based appliance
Vyatta GPL  ? Linux-based appliance
Calyptix Security BSD Free OpenBSD-based appliance
firewall distribution
Halon Security BSD Free OpenBSD-based appliance
Vantronix BSD Free OpenBSD-based appliance

Firewall rule-set basic filtering features comparison[edit]

Can Target: Changing default policy to accept/reject (by issuing a single rule) IP destination address(es) IP source address(es) TCP/UDP destination port(s) TCP/UDP source port(s) Ethernet MAC destination address Ethernet MAC source address Inbound firewall (ingress) Outbound firewall (egress)
IPFire Yes Yes Yes Yes Yes Yes No No No
Trend Micro Internet Security Yes Yes Yes Yes Yes No No Yes Yes
Untangle Yes Yes Yes Yes Yes No No Yes Yes
Vyatta Yes Yes Yes Yes Yes Yes No No Yes
OPNsense No Yes Yes Yes Yes No No Yes Yes
Windows XP Firewall No No Yes Partial[a] No No No Yes No
Windows Vista Firewall Yes Yes Yes Yes Yes No No Yes Yes
Windows 7 /
Windows 2008 R2
Firewall
Yes Yes Yes Yes No No Yes Yes Yes
WinGate Yes Yes Yes Yes Yes No No No Yes
Zeroshell Yes Yes Yes Yes Yes No Yes Yes Yes
Zorp Yes Yes Yes Yes Yes Yes No No No
pfSense Yes Yes Yes Yes Yes Yes Yes Yes Yes
Notes
  1. ^ can target only single destination TCP/UDP port per rule, not port ranges.

Firewall rule-set advanced features comparison[edit]

Can: work at OSI Layer 4 (stateful firewall) work at OSI Layer 7 (application inspection) Change TTL? (Transparent to traceroute) Configure REJECT-with answer DMZ (de-militarized zone) - allows for single/several hosts not to be firewalled. Filter according to time of day Redirect TCP/UDP ports (port forwarding) Redirect IP addresses (forwarding) Filter according to User Authorization Traffic rate-limit / QoS Tarpit Log
IPFire Yes Yes Yes No Yes Yes Yes Yes Yes Yes No Yes
OPNsense Yes Yes No Yes Yes Yes Yes Yes Yes Yes No Yes
Sidewinder Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Untangle Yes Yes (Some modules) No No Yes Yes (With Policy manager) Yes Yes Yes Yes Yes Yes
WinGate Yes Yes Yes No Yes Yes Yes No Yes Yes No Yes
Zeroshell Yes Yes No Yes Yes Yes Yes Yes Yes Yes No Yes
pfSense Yes Yes No Yes Yes Yes Yes Yes Yes Yes No Yes
Features: Configuration: GUI, text or both modes? Remote Access: Web (HTTP), Telnet, SSH, RDP, Serial COM RS232, ... Change rules without requiring restart? Ability to centrally manage all firewalls together
IPFire both Web (HTTPS), SSH, RS232 Yes No
OPNsense both SSH, Web (HTTP/HTTPS), RS232 Yes No
Untangle both SSH (Not enabeld by default), Web GUI, Yes Yes
WinGate GUI Proprietary user interface Yes N/A
ClearOS both RS232, SSH, WebConfig, Yes Yes with ClearDNS
Zeroshell GUI SSH, Web (HTTPS), RS232 Yes No
pfSense both SSH, Web (HTTP/HTTPS), RS232 Yes No

Firewall's other features comparison[edit]

Features: Modularity: supports third-party modules to extend functionality? IPS : Intrusion prevention system Open-Source License? supports IPv6 ? Class: Home / Professional Operating Systems on which it runs?
IPFire Yes Yes, with Snort Yes Yes (since IPFire 3) Both Linux-based appliance distribution.
OPNsense Yes Yes, with Snort Yes Yes Professional FreeBSD-based appliance
Untangle Yes Yes Yes No Both Linux (built on Debian)
Vyatta Yes Yes Yes Yes Professional Vyatta OS (built on Debian)
WinGate Yes[a] ? No No Professional Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 2008. 32bit and 64bit.
pfSense Yes Yes, with Snort Yes Yes Professional FreeBSD/NanoBSD-based appliance
Notes
  1. ^ WinGate 6.x supports 3rd party modules for data scanning only (e.g. antivirus and content filtering).

Non-Firewall extra features comparison[edit]

Those features are not strictly firewall features, but are sometimes bundled with firewall software, or exist on the platform.

NOTE: Features are marked "yes" even if implemented as a separate module that comes with the platform on which firewall sits.

IDS: real-time firewall that logs/sniffs/blocks suspicious connections that are not part of rule-set.

VPN (Virtual Private Network) Types are: PPTP, L2TP, MPLS, IPsec, SSL/SSH.

Profile selection: The user can switch between sets of firewall settings, e.g. for use at work, at home, and on public connections.

Can: NAT (static, dynamic w/o ports, PAT) IDS (Intrusion Detection System) VPN (Virtual Private Network) AV (Anti-Virus) Sniffer Profile selection
IPFire Yes Yes (with integrated Snort) Yes (IPsec and OpenVPN) Yes (with clamav) Yes (with tcpdump) ?
OPNsense Yes Yes (with Snort) Yes (OpenVPN, IPsec, L2TP, IKEv2, Tinc, PPTP) Yes (with clamav) Yes (tcpdump) No
Untangle Yes Yes Yes (IPsec and OpenVPN) Yes (clamav,commtouch (optional) ) Yes (tcpdump) ?
Vyatta Yes (supports three NAT types) Yes (integrated Snort) Yes (IPsec and OpenVPN) Yes (with clamav,Sophos Antivirus (optional) ) Yes (with wireshark or tcpdump) ?
WinGate Yes Yes (with NetPatrol) Yes (proprietary) Yes (Kaspersky Labs) Yes (filtered capturing to pcap format) No
pfSense Yes Yes (with Snort) Yes (OpenVPN, IPsec, L2TP, IKEv2, Tinc, PPTP) Yes (with clamav) Yes (tcpdump) No

See also[edit]

References[edit]

  1. ^ Smith, Bob; Hardin, John A; Phillips, Graham; Pierce, Bill. Linux Appliance Design: A Hands-On Guide to Building Linux Appliances. No Starch Press. pp. xvii. ISBN 1-59327-140-9. Retrieved 2008-05-06. 
  2. ^ SAN Data Center- Network World
  3. ^ Routers- About.com
  4. ^ OPNsense team. "OPNsense 15.1.10 released". forum.opnsense.org. OPNsense Forum. Retrieved 5 May 2015. 

External links[edit]