How do companies buy firewalls?
There have been lots of religious wars over firewall types. Who can forget the proxy vs stateful inspection battles of the nineties and early noughties? Vendors still push the whole 'ours is best because of feature X' argument.
As a result of these wars, many organisations now use a formulaic approach to vendor and product selection. You write down a list of the features you want, compare the products, and bingo, there is the selection.
It sounds logical and sensible as a method, although you could argue that its main purpose is to help justify the purchase after the fact. Most people (subconsciously, maybe) tilt the requirements towards the product they actually want, and vendors have become expert at planting requirements in people's heads. But at least you can then say 'No, we didn't buy from them because my brother is the salesman, it's because it's the only firewall that protects against Mosaic vulnerabilities'.
How well do we know our firewalls?
Firewalls are complex beasts. Most people learn quickly enough how to make a policy change or set up a simple NAT, regardless of brand. Really understanding how the box processes a packet, the order and types of checks that are going on, and how to troubleshoot each stage of the inspection logic is a rarer thing. For example, I would say that I know the PIX/ASA firewalls pretty well. I can set up complex features and troubleshoot them well. Give me a Check Point box, however, and I can do a lot, but I quickly get lost on advanced troubleshooting tasks.
This is hugely important, because the moment things start to go wrong with a firewall deployment, people quickly start to compromise their lofty security ideals to keep their traffic working. If we don't fully understand what a knob does, other than make the traffic work when we turn it off, we end up with a firewall configuration that is suboptimal, and we might not even know it.
That's not to say we can make every feature work on our firewall of choice, but we probably have the experience and product knowledge to understand the consequence of turning a feature off. If I'm working on an ASA, I'm pretty confident that I can stand over my work and say 'Yes, this will protect exactly what you've asked me to protect'. Do it with a product I don't know so well, and I'm not so sure how it will perform.
So which is best, Cisco ASA or XP firewall?
I tweeted about this recently, and someone sent me (in jest) the comment 'so XP firewall is as good as a PIX then?'. Well, this could be the logical conclusion of the argument.
Let's say that, as an organisation, you have a Windows admin who is so good he can change the computer case colour by group policy, and who is a passable Cisco admin. A really good Windows admin can close Windows down so tight that you can be plugged into the same LAN as it and you will get nowhere (and no, I don't mean by powering it off).
So what's the best use of his time? If he spends it making Windows bulletproof, using all the tools he knows, he will have more effect than poking at a PIX he doesn't really understand.
Am I seriously recommending Windows Firewall over a PIX? No, I'm not, because I'm a Cisco guy. But my Windows admin buddy probably will, and that's the point. The tools we know how to use are the tools we will have the most effect with.
Of course, as any security person will tell you, a layered approach is essential, but when you select your products for each layer, make sure each one is a product you can make fly. Otherwise, all you've bought is a bunch of problems and caveats you haven't seen before.
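As an added illustration (not code from the original post) of what "closing Windows down tight" with the built-in tooling looks like, here is a host lockdown using the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later, followed by the listing someone inheriting the box should run before trusting any of it. The management subnet, the ports allowed, and the rule names are assumptions for illustration; adjust them to the host's actual role. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the original post. Assumed values: the management
# subnet, the services left reachable, and the rule display names.
$MgmtSubnet = '10.0.0.0/24'   # assumption: the only network allowed to manage this host

# 1. Every profile on, default-deny inbound, no "allow this program?" prompts,
#    and dropped packets logged so a rule you don't understand shows up in a
#    file rather than as a silent failure.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -NotifyOnListen False `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 2. Disable every enabled inbound allow rule except the Core Networking group
#    (DHCP, ICMPv6 neighbour discovery and friends), then re-add only what this
#    box needs. Disabling rather than deleting keeps the original rule text
#    around for whoever inherits the machine.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayGroup -notlike 'Core Networking*' } |
    Disable-NetFirewallRule

New-NetFirewallRule -DisplayName 'Mgmt RDP from admin subnet' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $MgmtSubnet -Profile Domain

New-NetFirewallRule -DisplayName 'Mgmt WinRM from admin subnet' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5985,5986 `
    -RemoteAddress $MgmtSubnet -Profile Domain

# 3. The check to run before relying on any of this: what is actually reachable,
#    on which profile, and from where. Any row whose RemoteAddress is 'Any'
#    deserves a written reason.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    } | Sort-Object RemoteAddress | Format-Table -AutoSize
```

The listing in step 3 is the part worth keeping regardless of who built the box: it reads the effective rule set rather than whatever the previous administrator documented, which is exactly the gap you fall into when you take over a host hardened with tools you don't know.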
Location:Dublin, Ireland
2 comments:
Okay, it may have taken me a few days to realise this, but I think there's another point to think of.
What if you are a Cisco guy that is following that Windows guy into the security position when he leaves?
At that point, you've just been dropped into supporting something you have no idea of.
This sounds like it could get tricky....
Simple version: you're going to have to re-do it all!
Two reasons. Firstly, as above, you need to use the tools which will work best for you. But probably a bigger reason is that Mr Windows has set up a bunch of tweaks you don't understand, so you will probably not use them correctly, or not know they exist.
Worst thing you can do here is rely on something which you know worked well under the previous administration, but you don't really understand.