The right firewall for your business
The nightmare of every Internet user is unauthorised outside access to their own computer or to the entire network in the supposedly protected interior. Such unwanted access can serve various purposes - but rarely good ones: data theft, the discovery of business secrets or the planting of malware. Current cyber threats such as ransomware in particular cause enormous damage every day and can hardly be detected without professional protection of the internal IT.
Surely you or your company would like to communicate with the outside world unhindered - and above all with low risk. What is needed is a filter that lets your data packets, and the data you have requested, pass through as smoothly as possible and yet reliably detects and blocks possible dangers. This is the task of a firewall. It sorts the traffic, manages the open ports that are needed and should block unauthorised access via these open ports. Firewalls are available in hardware form (devices with physical connections) and as pure software (e.g. firewalls installed on an operating system).
The filter function is configured by the network administrator, who creates rules for communication between the registered, and thus legitimate, sender and recipient addresses of data packets. Although the firewall is intended to protect against attacks, it is not itself a virus protection programme. It can optionally contain filters that make it more difficult for malware to penetrate - for example, by blocking certain display media on websites, such as ActiveX or Flash objects, which are considered susceptible to malware. For this, the user or company needs software that works together with the firewall and provides such extended functions. Device manufacturers usually offer these separately in the form of additional licences.
A look at three manufacturers in direct comparison
We compare three vendors as candidates for your corporate firewall. Let's see how Fortinet FortiGate, Sophos UTM and Stormshield differ from each other in protecting you from the dangers on the Internet.
This is not only a price issue, but also an issue of capacity and traffic bandwidth. It is logical that a small architect's office will generate much less traffic in a given period of time than a corporation at its headquarters with dozens of offices all wanting to be connected to the outside via the corporate network at the same time, communicating with other offices of the same corporation and business partners at the same time.
Both the hardware and the software of a firewall product try to take such different requirement profiles into account. In addition, there are different levels of security requirements, questions about the number of wired ports or encrypted wireless connections, and so on. Drawing up a security concept specifically for a company helps to delve deeper into the matter and make a decision in favour of one product or another.
More models on the shelf than anyone else: Fortinet FortiGate Firewalls
Even at first glance, the hardware range behind the firewall name "FortiGate" offers a wide selection of devices. There are model ranges from 30 (e.g. for an office with 2 computers) to 7000 (an enormously large company with several tens of thousands of employees). Even within one product type, for example FortiGate 100, there are several equipment variants that differ in the number of slots and ports. Throughput increases with the higher models from 75 Mbps with the FortiGate 30 up to 150 Gbps with the 3000 series. This covers every conceivable requirement from a one-man operation to a corporate group.
Fortinet's hardware includes attack detection and prevention technologies. Subscriptions to FortiCare for support, from one year upwards and available in 8x5 or 24x7 (hours of availability by days of the week), and subscriptions to FortiGuard as a proprietary anti-virus programme for the firewall are also available. The FortiGate 5000 firewall is no longer a device similar in size to a hi-fi system component, but fills an entire rack, which is probably only an option for very large corporations.
User-friendly: UTM and XG from Sophos
Sophos roughly differentiates between the small series from SG 105 to SG 135, the medium series from SG 210 to SG 450 and the large appliances SG 550 and SG 650. They could be categorised as entry-level models with a price-performance ratio to match, devices for medium-sized companies, and the two top models for larger companies and data centres. Throughput increases from 1.5 to 6 Gbps in the small-series desktop models and from 12 to 30 Gbps in the medium-rack models, while the two top models offer 45 and 65 Gbps of firewall throughput. In the XG series, the throughput rates are even higher due to a more powerful operating system, and the model range here extends to the XG 750, which delivers a data throughput of 140 Gbps. Of course, these are theoretical values, which are reduced to 90 Mbps to 5 Gbps in proxy mode when an antivirus programme is used.
Sophos SG UTM (Unified Threat Management) covers the licences for companies with Sophos firewall hardware. Available here are Network Protection, Wireless Protection, Web Protection, Sandstorm Sandboxing, Email Protection and Web Server Protection. The licensed software runs on multi-core CPUs and SSD drives. There are further special offers for data centres.
Sophos also provides virtualised software solutions. With SG, the UTM software is licensed on the basis of users, while XG is based on cores and corresponding RAM capacities.
The Sophos XG is completely free for private users (in the home version), with included anti-malware, web security, URL filtering, application control, IPS, traffic shaping, VPN as well as reporting and monitoring. This requires a separate computer that only runs this software (and contains its own operating system).
The certified security area: Stormshield
As a subsidiary of Airbus, Stormshield advertises that it is certified at the highest level for EU and NATO authorities. The range of devices starts with the entry-level SN 160 for home offices and small agencies, which can achieve a throughput of 400 Mbps, and ends with the top-of-the-line SN 6000, which has a throughput of 80 Gbps and is no bigger than a 19-inch module that fits into a server tower.
Stormshield offers a Network Vulnerability Manager, a support subscription and the firmware release of a protection programme as an option for all the devices mentioned, starting with a term of one year. As with Fortinet, one or more subscriptions are required to be able to use the firewall comprehensively.
Despite serious differences in configuration and performance, the device size always remains the same with a 19-inch rack housing. With an optional 24x7 support package, you are protected against failures around the clock. The 24x7 support gives you immediate access to a technician with terms ranging from 1 to 5 years.
Conclusion - Which firewall for my business?
Fortinet, Sophos and Stormshield strive to provide the right products for customers with a wide range of traffic and data protection needs. The FortiGate series can handle most variations, but tends to be more expensive, especially if you focus on the service subscriptions. These are difficult to avoid if the firewall is to provide protection in both hardware and software, and if that protection is to be maintained through ongoing firmware updates.
Sophos is probably the best "all-rounder" here, if one looks at the range of functions in conjunction with the price-performance ratio.
The Stormshield devices, on the other hand, impress with an unbeatably powerful IPS function and relevant certifications.
Small businesses and freelancers will hardly need more than the respective entry-level model. Medium-sized businesses will look for something tailored to them among the FortiGate 100 to 500 series (Fortinet), the SG 200 and 300 series (Sophos) or the SN 300 to 700 (Stormshield). The number of slots for wired network subscribers or WLAN clients must be taken into account in addition to the data throughput rate.