Comparison of firewalls

From Wikipedia, the free encyclopedia

The following is a comparison of notable firewalls, ranging from simple home firewalls to the most sophisticated enterprise-level firewalls.

Firewall software

Ultimately, all firewalls are software-based[citation needed], but some are delivered as software that runs on general-purpose operating systems. The following table lists firewall software that can be installed and configured on general-purpose operating systems.

| Firewall | License | Cost / Usage Limits | OS |
|---|---|---|---|
| Avast Internet Security | Proprietary | US$39.99 per year | Microsoft Windows |
| Comodo Internet Security | Proprietary | Free | Windows 7 / Vista / XP SP2 / Windows 8 |
| Glasswire | Proprietary | Free | Windows 7 / Windows 8 / Windows 10 |
| Intego VirusBarrier | Proprietary | pay | Mac OS X 10.5 or later; on an Xserve |
| Jetico Personal Firewall | Proprietary | Free for 1.x / Paid for 2.x | Windows 8, 7, Vista, XP, Windows 2000, Server 2008/2003 x32/x64 |
| Kaspersky Internet Security | Proprietary | $59,95 Year / 30 day trial | Windows unknown versions x32/x64 |
| Lavasoft Personal Firewall | Proprietary | €36 Year | Windows unknown versions x32/x64 |
| Microsoft Forefront Threat Management Gateway | Proprietary | discontinued | Windows unknown versions x64 |
| Norton 360 | Proprietary | $59.99 Year | Windows unknown versions x32/x64 |
| Online Armor Personal Firewall | Proprietary | discontinued | Windows unknown versions x32/x64 |
| Outpost Firewall Pro | Proprietary | discontinued | Windows unknown versions x32/x64 |
| PC Tools Firewall Plus | Proprietary | discontinued | Windows unknown versions x32/x64 |
| Privacyware Privatefirewall | Proprietary | Free | Windows 10, Windows 8/8.1, 7, Vista and XP x32 |
| Sunbelt Personal Firewall | Proprietary | discontinued | Windows unknown versions x32 |
| Sygate Personal Firewall | Proprietary | discontinued | Windows unknown versions x32 |
| Windows Firewall | Proprietary | Included with Windows XP SP2 and later | ALL Windows Versions x32/x64 |
| ZoneAlarm | Proprietary | Free / Paid | Windows 7 / Vista / XP SP3 / Windows 8, 8.1, 10 x32/x64 |
| Netfilter/iptables | GPL | Free | Linux kernel module |
| Shorewall | GPL | Free | Linux-based appliance |
| PeerBlock | GPL | Free | Windows 8/8.1, 7, Vista x32/64 |
| FirewallD | GPL | Free | Fedora, Red Hat Enterprise Linux, CentOS |
| NPF | BSD | Free | NetBSD kernel module |
| PF | BSD | Free | *BSD kernel module |
| ipfirewall | BSD | Free | *BSD package |
| IPFilter | GPLv2 | Free | Package for multiple UNIX-like operating systems |

Firewall appliances

In general, a computer appliance is a computing device with a specific function and limited configuration ability, and a software appliance is a set of computer programs that might be combined with just enough operating system (JeOS) for it to run optimally on industry standard computer hardware or in a virtual machine.

A firewall appliance is a combination of firewall software and an operating system that is purpose-built to run a firewall on dedicated hardware or in a virtual machine.[1][2][3] These include:

  • embedded firewalls: very limited-capability programs running on a low-power CPU system,
  • software-based firewall appliances: a system that can be run on independent hardware or in a virtualised environment as a virtual appliance,
  • hardware-based firewall appliances: a firewall appliance that runs on hardware built specifically to be installed as a network device, providing enough network interfaces and CPU to serve a wide range of purposes, from protecting a small network (a few network ports and a few megabits per second of throughput) to protecting an enterprise-level network (tens of network ports and gigabits per second of throughput).

The following table lists different firewall appliances.

| Firewall | License | Cost | OS |
|---|---|---|---|
| Check Point | Proprietary | Included on Check Point security gateways | Proprietary operating system Check Point IPSO and Gaia (Linux-based) |
| FortiGate | Proprietary | Included on all Fortigate devices | Proprietary, FortiOS |
| Palo Alto Networks | Proprietary | Included on Palo Alto Networks firewalls | Proprietary operating system PANOS |
| WatchGuard | Proprietary | Included on all WatchGuard firewalls | Proprietary operating system |
| Sophos | Proprietary | Included on Sophos UTM | Linux-based appliance |
| Cisco Asa Firepower | Proprietary | Included on all CISCO ASA devices | Proprietary operating system |
| Cisco PIX | Proprietary | Included on all CISCO PIX devices | Proprietary operating system |
| Mcafee Firewall | Proprietary | Included on Intel Security Appliance | Linux-based appliance |
| Juniper SSG | Proprietary | Included on Netscreen security gateways | Proprietary operating system ScreenOS |
| Juniper SRX | Proprietary | Included on SRX security gateways | Proprietary operating system Junos |
| Sonicwall | Proprietary | Included on Dell appliance | Proprietary operating system SonicOs |
| Barracuda Firewall | Proprietary | Included Firewall Next Generation appliance | Windows-based appliance, embedded firewall distribution |
| Cyberoam | Proprietary | Included Firewall Sophos appliance | Windows-based appliance, embedded firewall distribution |
| D-Link | Proprietary | Included Firewall DFL | Windows-based appliance, embedded firewall distribution |
| Endian Firewall | Proprietary | Free / Paid | Linux-based appliance |
| Opendium Iceni | Proprietary | Free / Paid | Linux-based, with optional web filtering / auditing. |
| IPCop | GPL | Free / Paid | Linux-based appliance, firewall distribution |
| pfSense | ESF/BSD | Free / Paid | FreeBSD-based appliance, firewall distribution |
| IPFire | GPL | Free / Paid | Linux/NanoBSD-based appliance, firewall distribution |
| Untangle | GPL | Free / Paid | Linux/NanoBSD-based appliance, firewall distribution |
| Zeroshell | GPL | Free / Paid | Linux/NanoBSD-based appliance, firewall distribution |
| SmoothWall | GPL | Free / Paid | Linux-based appliance, embedded firewall distribution [4] |
| WinGate | GPL | Free / Paid | Windows-based appliance, embedded firewall distribution |
| Calyptix Security | BSD | Free | OpenBSD-based appliance, firewall distribution |
| Halon Security | BSD | Free | OpenBSD-based appliance |
| Vantronix | BSD | Free | OpenBSD-based appliance |

Firewall rule-set Appliance-UTM filtering features comparison

| Can Target: | Changing default policy to accept/reject (by issuing a single rule) | IP destination address(es) | IP source address(es) | TCP/UDP destination port(s) | TCP/UDP source port(s) | Ethernet MAC destination address | Ethernet MAC source address | Inbound firewall (ingress) | Outbound firewall (egress) |
|---|---|---|---|---|---|---|---|---|---|
| IPFire | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No |
| Trend Micro Internet Security | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
| Untangle | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
| Vyatta | Yes | Yes | Yes | Yes | Yes | Yes | No | No | Yes |
| Windows XP Firewall | No | No | Yes | Partial[a] | No | No | No | Yes | No |
| Windows Vista Firewall | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
| Windows 7 / Windows 2008 R2 Firewall | Yes | Yes | Yes | Yes | No | No | Yes | Yes | Yes |
| WinGate | Yes | Yes | Yes | Yes | Yes | No | No | No | Yes |
| Zeroshell | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Zorp | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No |
| pfSense | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

Notes
  a. Can target only a single destination TCP/UDP port per rule, not port ranges.

Firewall rule-set advanced features comparison

| Can: | work at OSI Layer 4 (stateful firewall) | work at OSI Layer 7 (application inspection) | Change TTL? (Transparent to traceroute) | Configure REJECT-with answer | DMZ (de-militarized zone) - allows for single/several hosts not to be firewalled. | Filter according to time of day | Redirect TCP/UDP ports (port forwarding) | Redirect IP addresses (forwarding) | Filter according to User Authorization | Traffic rate-limit / QoS | Tarpit | Log |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| IPFire | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
| Sidewinder | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Untangle | Yes | Yes (Some modules) | No | No | Yes | Yes (With Policy manager) | Yes | Yes | Yes | Yes | Yes | Yes |
| WinGate | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes | No | Yes |
| Zeroshell | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
| pfSense | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |

| Features: | Configuration: GUI, text or both modes? | Remote Access: Web (HTTP), Telnet, SSH, RDP, Serial COM RS232, ... | Change rules without requiring restart? | Ability to centrally manage all firewalls together |
|---|---|---|---|---|
| IPFire | both | Web (HTTPS), SSH, RS232 | Yes | No |
| Untangle | both | SSH (not enabled by default), Web GUI | Yes | Yes |
| WinGate | GUI | Proprietary user interface | Yes | N/A |
| ClearOS | both | RS232, SSH, WebConfig | Yes | Yes with ClearDNS |
| Zeroshell | GUI | SSH, Web (HTTPS), RS232 | Yes | No |
| pfSense | both | SSH, Web (HTTP/HTTPS), RS232 | Yes | No |

Firewall's other features comparison

| Features: | Modularity: supports third-party modules to extend functionality? | IPS: Intrusion prevention system | Open-Source License? | Supports IPv6? | Class: Home / Professional | Operating Systems on which it runs? |
|---|---|---|---|---|---|---|
| IPFire | Yes | Yes, with Snort | Yes | Yes (since IPFire 3) | Both | Linux-based appliance distribution. |
| Untangle | Yes | Yes | Yes | No | Both | Linux (built on Debian) |
| Vyatta | Yes | Yes | Yes | Yes | Professional | Vyatta OS (built on Debian) |
| WinGate | Yes[a] | ? | No | No | Professional | Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 2008. 32bit and 64bit. |
| pfSense | Yes | Yes, with Snort and Suricata | Yes | Yes | Professional | FreeBSD/NanoBSD-based appliance |

Notes
  a. WinGate 6.x supports 3rd party modules for data scanning only (e.g. antivirus and content filtering).

Non-Firewall extra features comparison

These features are not strictly firewall features, but are sometimes bundled with firewall software or exist on the platform.

NOTE: Features are marked "yes" even if implemented as a separate module that comes with the platform on which firewall sits.

IDS: real-time firewall that logs/sniffs/blocks suspicious connections that are not part of the rule-set.

VPN (Virtual Private Network) types are: PPTP, L2TP, MPLS, IPsec, SSL/SSH.

Profile selection: The user can switch between sets of firewall settings, e.g. for use at work, at home, and on public connections.

| Can: | NAT44 (static, dynamic w/o ports, PAT) | NAT64, NPTv6 | IDS (Intrusion Detection System) | VPN (Virtual Private Network) | AV (Anti-Virus) | Sniffer | Profile selection |
|---|---|---|---|---|---|---|---|
| IPFire | Yes | No | Yes (with integrated Snort) | Yes (IPsec and OpenVPN) | Yes (with clamav) | Yes (with tcpdump) | ? |
| Untangle | Yes | ? | Yes | Yes (IPsec and OpenVPN) | Yes (clamav, commtouch (optional)) | Yes (tcpdump) | ? |
| Vyatta | Yes (three NAT types) | ? | Yes (integrated Snort) | Yes (IPsec and OpenVPN) | Yes (with clamav, Sophos Antivirus (optional)) | Yes (with wireshark or tcpdump) | ? |
| WinGate | Yes | ? | Yes (with NetPatrol) | Yes (proprietary) | Yes (Kaspersky Labs) | Yes (filtered capturing to pcap format) | No |
| pfSense | Yes | No | Yes (with Snort) | Yes (OpenVPN, IPsec, L2TP, IKEv2, Tinc, PPTP) | Yes (with clamav) | Yes (tcpdump) | No |

References

  1. Smith, Bob; Hardin, John A; Phillips, Graham; Pierce, Bill. Linux Appliance Design: A Hands-On Guide to Building Linux Appliances. No Starch Press. pp. xvii. ISBN 1-59327-140-9. Retrieved 2008-05-06.
  2. SAN Data Center - Network World
  3. Routers - About.com
  4. "(Smoothwall is) a Free firewall that includes its own security-hardened GNU/Linux operating system", Smoothwall. Retrieved on 2 August 2016.