Most Popular Hardware Firewalls?


Here

formatting link
Duane :)

Reply to
Duane Arnold

Yes, they are.

So are all the most popular cars.

-Russ.

Reply to
Somebody.

No. Vast differences at all levels.

Reply to
Leythos

Looks like they're not all the same. You have to make sure it has this "stateful" stuff.

Reply to
galt_57

So what is a good one and a less good one? Thanks.

Reply to
galt_57

Anything that says NAT ROUTER, generally anything under $250, is considered a fake firewall, it's just marketing hype for NAT methods. NAT is a ROUTING technology, not a firewall technology.

Anything that has a Certification as a Firewall is most likely a firewall that can protect you.

Most of the cheap, sub $250 units are just NAT routers with some fancy gimmicks or fancy routing features.

While a NAT Router is NOT a firewall, it's the minimum that you would want to have between you and the Internet. I know many people that have been protected by them for years of always-on service and never experienced any malware - but they also used many other methods to stay safe.

With a true firewall, like many of the better units, one can set up rules to prevent malware from entering your network, even when you are browsing the web or fetching email - they can remove ActiveX, remove content, block downloading of files by type, remove bad headers in SMTP sessions, remove file attachments based on mime-type, etc. While those are not actually firewall functions, they are often found in the better firewall units.

I like, actually will use over any other vendor if I have a choice, WatchGuard, but I also use units from the other major vendors.

Reply to
Leythos

I wouldn't think that $250 firewalls are going to be commonly found in home networking. Is the $250 unit distinguished by the "stateful" approach? Do you think the "stateful" features of a sub $100 firewall-router are much less effective?

Reply to
galt_57

First of all, yes. NAT firewalls in my world aren't really firewalls. The protection they provide is too limited and practically non-existent when it comes to outgoing traffic. Also, a firewall is not everything in life, even if it's a stateful inspection one. It's important to look at the whole network security picture. Do you need antivirus on the gateway? It's always a good idea as it can protect you from virus outbreaks in case your desktop AV is not up to date. What about secure remote access to your network? And intrusion prevention? Bandwidth shaping? Web filtering for the kids?

Home users who understand a thing or two about network security and have more than one machine in the home network often opt for a stateful inspection firewall in an appliance rather than purchase a simple router then heaps of locally installed software to meet the rest of the vendor needs.

You can see just about all firewall vendors here:

formatting link

Reply to
TechGrrl

What boring worlds people imagine beside the pizza man's universe!

VB.

Reply to
Volker Birk

Why exactly should one try to filter outgoing traffic when such a thing like tunneling exists?

That would need a gateway anyway.

Is usually impractical.

That's a non-firewall feature.

You mean "against the kids".

Home users usually don't need a firewall at all.

Reply to
Sebastian Gottschalk

Yes in many cases I think there is a large difference. You might learn about it by checking on firewalls vs NAT routers with SPI.

Reply to
Leythos

Because a firewall will block that type of thing in most cases. You can't tunnel out unless the firewall permits you to reach a tunnel endpoint.

Nope, the firewall can act as a VPN endpoint in many cases.

Depends on the need of the user/client/company.

I agree.

Not all filtering is "Against", as parents we're supposed to protect our kids while teaching them right from wrong. As a parent I block 13 of 14 types of content in our home, in addition to blocking many file attachments and many downloadable types. That's working FOR the kids as I can still expose them from a designated machine, but they are blocked from machines not in the Common area.

Wrong, those are the ones that need it most. Just about every computer I've seen connected directly to the Internet in a residential setting has been compromised. At the same time, just about every one of them connected to a Firewall has remained uncompromised, and most with a NAT are uncompromised.

Reply to
Leythos

Oh, you want to block the entire internet? Or just the entire WWW?

OK, it's almost always impractical.

Did you ever notice that the kids are clever and simply circumvent your measures?

Totally wrong. Home users don't have a clue about networking so they can't achieve any security with firewalls.

You never took a deeper look, did you? The biggest source for compromise remains being MSIE, where no firewall can help.

Reply to
Sebastian Gottschalk

Actually, the entire Internet. I don't believe in giving access to people unless there is a reason to have it - when it comes to a business we always block everything and then permit based on need. In most cases this means you get access to Business Partners portals but not anything else.

From residential, well, let's just say that most of the internet, all services, are not needed by most home users, the better you understand their real need and then limit, the lower their threat level is.

Yep, I have three teens and a couple thousand seats for clients - I've seen about everything on the market and some home grown attempts to get past the firewall. In 20+ years we've never had a compromised network.

Since most of the defaults can be good enough, it's a lot better than a default Windows XP Box.

You don't know much about firewalls, do you? I can block downloads, content types, cookies, and ActiveX in my WatchGuard units - which makes most of the threats to IE meaningless. Oh, and I can do it based on the User or the IP of the workstation.

Reply to
Leythos
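The "block everything, then permit based on need" policy from the post above, written out as an added example (not part of the thread and not any poster's or vendor's configuration). It uses Linux nftables syntax; the interface names `lan0`/`wan0`, the set name `partner_portals` and all addresses (RFC 5737 documentation ranges) are constructed assumptions.

```nftables
# Added illustration: default-deny gateway with a stateful egress allow-list.
# Interface names, set name and addresses are constructed for this example.

table inet gateway {
    # Destinations the LAN may reach, e.g. business partner portals.
    set partner_portals {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 198.51.100.0/24 }
    }

    chain forward {
        # Default deny in BOTH directions: anything not accepted is dropped.
        type filter hook forward priority 0; policy drop;

        # Stateful part: only packets belonging to an already-permitted
        # flow come back in; unsolicited WAN -> LAN traffic never matches.
        ct state established,related accept
        ct state invalid drop

        # Egress allow-list: new LAN flows only to approved HTTPS endpoints.
        iifname "lan0" oifname "wan0" ip daddr @partner_portals tcp dport 443 ct state new accept

        # DNS only to one designated resolver, so arbitrary resolvers
        # cannot be used as an outbound channel.
        iifname "lan0" oifname "wan0" ip daddr 203.0.113.53 udp dport 53 ct state new accept
        iifname "lan0" oifname "wan0" ip daddr 203.0.113.53 tcp dport 53 ct state new accept

        # Record every denied outbound attempt before the policy drops it;
        # these log lines show who is trying to reach what.
        iifname "lan0" counter log prefix "egress-denied "
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # NAT by itself: rewrites source addresses and filters nothing.
        # A NAT-only router is this table without the forward chain above.
        oifname "wan0" masquerade
    }
}
```

This rule set controls only which endpoints are reachable; the content inspection argued about in the thread (stripping ActiveX, attachments, scripts) happens in a proxy layer that is not shown here.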

Maybe you watch too much television. Have you talked to any teenagers recently? Most are incredibly ignorant. Sure, they can often get around software solutions such as Net Nanny (often with the help of some knowledgeable pedophile unfortunately), but a properly set up firewall is considerably more difficult to circumvent.

Speaking for yourself again. Basic firewalling is not difficult at all.

Actually yes, a really good firewall can help by blocking content. But have you ever considered a simple popup blocker?

Reply to
Spender

It's not about compromising the network but about simply circumventing the censorship. Believe me, they do, and you won't notice.

eval(unescape($escaped_evil_script))

Or what about

=2E??????????????????????(x86 binary code here) p:first-letter { border-bottom: 1px solid; }

a

? Gonna filter all CSS? What about links containing "sysimage:"? Or "ftp:"?

Reply to
Sebastian Gottschalk

No, trivial as always. Just Google Cache is enough to do so, or do you want to deny access to Google?

Yeah, it's breaking everything. And pretty soon the user allows this or that, or if something doesn't work he disables it temporarily. Pretty unavoidable with such crappy default settings. And as long as IE, OE, MS Office, MSN Messenger, mIRC or other crap is allowed, you'll get the malware anyway.

So, blocking all JavaScript, CSS, all Links containing "ftp:", Objects and (I)Frames?

Do I need one? My webbrowser has a default deny policy on all JavaScript and NSPlugin actions invoking opening a new window with a configuration notice. I wouldn't even call it blocking, it's just a must-have feature.

Reply to
Sebastian Gottschalk

You must really be unsure of your own skills. I can assure you that it's easy to block it and to watch them try all the time.

It's not censorship if I own the network, it's not censorship if the company owns the network, it's only censorship if you are being denied access from your own network.

The firewall is perfectly capable of inspecting and removing content, just try a real firewall sometime and you'll see.

Reply to
Leythos

Seems like you don't watch them at the right point.

I didn't deny that, but just that it's practical to limit attack surface on MSIE. Examples as above would force you to filter out almost anything that makes a webpage, and these are just the known unpatched ones.

Reply to
Sebastian Gottschalk
