Comparison of firewalls

From Wikipedia, the free encyclopedia

The following tables compare different aspects of a number of firewalls, from simple home firewalls up to the most sophisticated enterprise firewalls.

Please note that the list is not exhaustive; it reflects the knowledge of one Wikipedia contributor, so please add more firewalls to the tables below.


Can target | Changing the default policy to accept/reject (with at most one rule) | IP destination address(es) | IP source address(es) | TCP/UDP destination port(s) | TCP/UDP source port(s) | Ethernet MAC destination address | Ethernet MAC source address | Inbound filtering (ingress) | Outbound filtering (egress)
Windows XP Firewall | No | No | Yes | Partial | No | No | No | Yes | No
Cisco Access List | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Linux iptables | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes
Check Point VPN-1 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Trend Micro PC-cillin | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes
  • Windows XP Firewall can target only a single destination TCP/UDP port per rule, not port ranges, so support is partial.
  • Cisco extended access lists match source and destination addresses and ports; standard access lists match source addresses only. MAC-address matching requires MAC access lists, which exist on switching platforms. An access list can be applied in either direction on an interface (ip access-group ... in | out).
  • The iptables mac match supports --mac-source only, so destination MAC addresses cannot be targeted. The INPUT and OUTPUT chains filter the host's own ingress and egress traffic respectively; FORWARD covers routed traffic.

Can | Work at OSI layer 4 (stateful firewall) | Work at OSI layer 7 (application inspection) | Change TTL (transparent to traceroute) | Configure REJECT with an answer | DMZ (de-militarized zone): leave one or several hosts unfirewalled | Filter according to time of day | Redirect TCP/UDP ports (port forwarding) | Redirect IP addresses (forwarding) | Filter according to user authorization | Traffic rate limit / QoS | Tarpit | Log
Windows XP Firewall | Yes | No | No | No | No | No | No | No | No | No | No | Yes
Cisco Access List | Yes | No | No | No | Yes | Yes | No | Yes (with static routes) | No | Yes (with queuing) | No | Yes
Linux iptables | Yes | No | Yes | Yes | Yes | Yes (with the time match, or with cron) | Yes | Yes | No | Yes | Yes (with the patch-o-matic TARPIT module) | Yes
Check Point VPN-1 | Yes | Yes (with Web Intelligence) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
  • NOTE: iptables can "filter according to time of day" natively with its time match (-m time --timestart ... --timestop ... --weekdays ...). Because it is a text-based firewall, the same effect can also be obtained with third-party tools such as the expect automation tool and cron jobs that swap rules in and out.

Features | Configuration: GUI, text or both? | Remote access: Web (HTTP), Telnet, SSH, RDP, serial (RS-232), ... | Rule change applied without a firewall restart (in under one second)? | Can all firewalls be centrally managed together?
Windows XP Firewall | Both (GUI, or the netsh firewall command) | RDP | Yes | Partial (via Group Policy)
Cisco Access List | Both | Telnet, SSH, Web (Java application "PDM" or the newer "ASDM"), RS-232 | Yes | Partial
Linux iptables | Both | Telnet, SSH, Web (Webmin), X/Win32 GUI "fwbuilder", RS-232 | Yes | Partial
Check Point VPN-1 | GUI | Proprietary GUI, SSH, Web (HTTP/HTTPS) | Yes | Yes
  • NOTE: Rule changes on Check Point firewalls do not require a restart and incur no outage.
  • NOTE: Because iptables and Cisco ACLs are text-based, many of them can be managed at once with general-purpose tools: a terminal that sends the same input to several sessions (KDE Konsole), the expect automation tool, or a script that pushes one rule set over SSH to every firewall.
  • NOTE: Due to the distributed nature of the Check Point architecture, no single interface is used exclusively. Security, NAT and VPN configuration is always done with the proprietary GUI, whereas basic IP networking and routing configuration of an individual firewall can be done over SSH or the Web interface.
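As an added example of the "central management by scripting" approach the note above describes (this is illustrative code, not from the article or any vendor), the script below pushes one reviewed iptables rule set to a list of firewall hosts over SSH. Host names, the rule-set path and the rollback delay are assumptions. The part a practitioner cares about is the safety net: each host validates the file with iptables-restore --test before loading it, and a background timer restores the previous rules unless the administrator can still reach the host afterwards, so a mistaken rule cannot lock the whole fleet out.

```shell
#!/bin/sh
# Added example: push one iptables rule set to many hosts with validation and
# automatic rollback. All names and paths below are assumptions.
HOSTS="${HOSTS:-fw1.example.net fw2.example.net}"   # assumed firewall hosts
RULES="${RULES:-/etc/iptables/rules.v4}"            # assumed rule set on the admin box
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"               # revert if not confirmed in time
SSH_CMD="${SSH_CMD:-ssh}"                           # transport; overridable for testing

# Shell snippet executed on every host. Kept in a function so it can be inspected
# without an SSH session. $ROLLBACK_SECS is expanded here, on the admin side.
remote_script() {
cat <<EOF
set -e
iptables-save > /tmp/rules.backup
iptables-restore --test /tmp/rules.new
nohup sh -c 'sleep $ROLLBACK_SECS && iptables-restore /tmp/rules.backup' >/dev/null 2>&1 &
echo \$! > /tmp/rollback.pid
iptables-restore /tmp/rules.new
EOF
}

# Copy the rule set to one host and load it there with the rollback timer armed.
push_ruleset() {
    host="$1"
    $SSH_CMD "$host" "cat > /tmp/rules.new" < "$RULES" || return 1
    remote_script | $SSH_CMD "$host" sh
}

# A fresh SSH session proves the new rules still admit the administrator;
# only then is the rollback timer cancelled.
confirm_ruleset() {
    $SSH_CMD "$1" 'kill "$(cat /tmp/rollback.pid)" && rm -f /tmp/rollback.pid'
}

# Push to every host; returns the number of hosts that failed.
push_all() {
    failed=0
    for h in $HOSTS; do
        if push_ruleset "$h" && confirm_ruleset "$h"; then
            echo "$h: ok"
        else
            echo "$h: FAILED (rollback timer left armed)"
            failed=$((failed + 1))
        fi
    done
    return $failed
}

case "${1:-}" in
    --push) push_all ;;
    *)      remote_script ;;   # default: print the per-host script for review
esac
```

If the new rule set blocks SSH, confirm_ruleset cannot connect, the timer expires, and the host reverts to the saved rules by itself; the same idea is what Check Point's management server provides for its own gateways.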

Features | Modularity: supports third-party modules to extend functionality? | Open-source licence? | Supports IPv6? | Class: home / professional | Operating systems it runs on
Windows XP Firewall | No | No | Vista or later | Home | Windows XP
Cisco Access List | No | No | Yes | Professional | Cisco IOS
Linux iptables | Yes | Yes | Yes | Professional | Linux 2.4+
Check Point VPN-1 | Yes | No | Yes | Professional | Solaris, Linux (SecurePlatform or RHEL), Windows NT, 2000, 2003
  • NOTE: Check Point supports a limited range of third-party modules from certified partners. Modules are integrated with Check Point firewalls through a platform named OPSEC.

The features below are not strictly firewall features, but they are sometimes bundled with firewall software or exist on the platform the firewall runs on.

NOTE: A feature is marked "Yes" even if it is a separate module that comes with the platform on which the firewall sits.

IDS: a real-time component that logs, sniffs or blocks suspicious connections that the rule set itself does not cover.

VPN (Virtual Private Network) types include PPTP, L2TP, MPLS, IPsec and SSL/SSH.

Can | NAT (static, dynamic without ports, PAT) | IDS (intrusion detection system) | VPN (virtual private network) | AV (anti-virus) | Sniffer
Microsoft Windows XP | Partial (PAT, with Internet Connection Sharing) | Yes (with SPECTER) | Partial (limited to one client) | Yes (McAfee, Symantec, etc.) | Yes (with Wireshark)
Cisco IOS | Yes (supports all three NAT types) | No | Yes (some IOS versions) | No | No
Linux | Yes (supports all three NAT types) | Yes (with Prelude-IDS) | Yes (with OpenVPN) | Yes (with ClamAV) | Yes (with Wireshark)
Check Point | Yes (supports all three NAT types) | Yes | Yes | Yes | No
  • NOTE: For better security, I recommend adding additional security measures at OSI Layer 7 (Application), namely a security proxy and an application security framework (like SUSE AppArmor).
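The NAT column above lists three kinds of translation. The added example below (illustrative, not from the article) writes each of them as iptables nat-table rules so the difference is visible in the syntax: static one-to-one NAT rewrites a single address in both directions and leaves ports alone, dynamic NAT maps inside hosts onto a pool of public addresses, and PAT (also called NAT overload or masquerading) hides everything behind one address by rewriting source ports. The addresses are documentation prefixes chosen as assumptions.

```shell
#!/bin/sh
# Added example: the three NAT types of the comparison table as iptables-restore text.
# Addresses are RFC 5737 documentation prefixes and RFC 1918 space, chosen as assumptions.
WAN_IF="${WAN_IF:-eth0}"   # assumed outside interface

nat_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# 1) Static (1:1) NAT: public 203.0.113.10 <-> private 192.0.2.10. Inbound packets
#    get the private destination, outbound packets the public source; ports untouched.
-A PREROUTING  -i $WAN_IF -d 203.0.113.10 -j DNAT --to-destination 192.0.2.10
-A POSTROUTING -o $WAN_IF -s 192.0.2.10 -j SNAT --to-source 203.0.113.10
# 2) Dynamic NAT: the 192.0.2.0/24 office maps onto a pool of public addresses.
#    Ports are kept where possible; netfilter only changes a source port when the
#    same 5-tuple is already in use, so "without ports" holds until the pool is busy.
-A POSTROUTING -o $WAN_IF -s 192.0.2.0/24 -j SNAT --to-source 203.0.113.20-203.0.113.30
# 3) PAT / masquerading: every 10.0.0.0/8 host behind the interface's single address,
#    distinguished by rewritten source ports. MASQUERADE reads the address from the
#    interface at run time, which suits dynamically assigned WAN addresses.
-A POSTROUTING -o $WAN_IF -s 10.0.0.0/8 -j MASQUERADE
COMMIT
EOF
}

# Count rule lines using a given NAT target, e.g. nat_count SNAT
nat_count() {
    nat_rules | grep -c -- "-j $1"
}

# Print for review; load with: nat_rules | iptables-restore --noflush (root required)
nat_rules
```

Note that NAT rules alone do not permit traffic: the filter table's FORWARD chain must still accept the translated packets, and for static NAT the inbound DNAT rule is what lets unsolicited connections reach the private host.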
