Business Firewall Buyers Guide: How to Choose a Firewall

Sourcing a firewall for your business is rarely as simple as heading to a supplier and saying “I’ll have that one please.” With myriad options on the market and countless product data sheets available online, choosing a business firewall can feel like a bit of a minefield.

Most businesses will need help from some kind of firewalling or IT support partner to make sure they are making the right decision.

But the core, technical considerations that go into choosing a business firewall isn’t something we believe that techies should hold close to their chests. By knowing a few choice nuggets of firewall-hunting wisdom, you will be better informed when talking to providers, and better equipped to choose the best solution for you.

How to Choose a Business Firewall?

Data Throughput

One of the first things you will need to consider when getting a new business firewall is just how much traffic will need to pass through it at any given time – especially at peak times during the day. Firewall throughput is generally expressed in Mbps (megabits per second) or Gbps (gigabits per second).

Don’t be tempted to scrimp on throughput. The figures provided by supplier data sheets often reflect the highest possible raw throughput examined by the firewall, and therefore don’t necessarily reflect the realities of using that device on a daily basis, what with essential security extras like gateway sandboxing, remote working security, and data loss prevention (especially if those protections are external to the firewall).

Likewise, also consider network congestion. If your network were to grow, more users would naturally create more traffic. If this increased throughput is beyond your firewall’s available rates, anything above that capability may simply pass through unmonitored, so be warned!

There are numerous ways of establishing your network’s existing throughput, but always err on the side of higher throughput to provide a buffer for growth, change, and how much more digital we seem to be getting every day!

Small side note here – some supplier data sheets will include multiple throughputs for their different layers of protection. It’s complexities like these that organisations like Just Firewalls can help you navigate!

Internet Speed

When looking at business firewall throughput, also consider your average internet speeds. It makes no sense to get a business firewall with a slower throughput than your internet connection as this will naturally slow down your network’s usable connection to the internet.

Likewise, it makes no sense to get a firewall that is miles ahead of your internet speed (unless you’re expecting a jump in speeds from your provider) as you will likely end up spending more on the device than you realistically need.

Number of Users

More easy maths! Firewalls of all kinds run the gamut from enterprise-grade units that can accommodate hundreds of users, all the way down to a small box that can capably protect a team of 10, and all sorts of solutions in between.

Understandably, it would be useless for a large team to invest in a box that only protects 25 users (unless it’s for a small satellite office). Likewise, it would be total overkill for a small team of 15 people to source a huge enterprise grade firewall (unless they are absolutely sure of mammoth growth coming soon!).

Supplier data sheets sometimes differ in what they call “how many users can be protected at a time” – sometimes you’ll see it listed as “concurrent connections”, sometimes just “connections”, or something similar.

Remote User Coverage

As more and more organisations are permanently adopting hybrid and remote working, it’s important to be able to protect your remote staff too. Before you make any firewall-related decisions, establish how many of your team are likely to work on site and how many are likely to work remotely. You might also want to consider contingency plans should everyone have to work from home one day – and likewise you don’t want your on-site solution to be overworked if all of your hybrid workforce arrives on your doorstep one day!

Depending on your own relationship with remote work, and with tech, you have a number of options.

The first is easy. If all of your workers have to be on-premises at all times in order to do their jobs, and they can only do so through their workplace-assigned, ethernet connected devices, then that’s easy. Simply choose a firewall to protect your premises and nothing more.

If you need WiFi for work purposes, then many current firewalls will support this to an extent. However, it may be worth exploring whether your firewall includes Wireless Intrusion Protection functionality or whether you will need to obtain that separately. (In short, WIPS keeps the bad guys away from infiltrating your WiFi airwaves!)

Things get more complicated when you bring hybrid or even totally remote working into the mix. I mean – how do you connect everyone so they are working securely and not introducing any risk factors into your infrastructure? Well, there are a few ways.

Hybrid workplaces would likely benefit from taking a look at each firewall’s VPN capabilities. Even small business devices nowadays will likely have some form of VPN functionality – whether that’s simply creating an encrypted tunnel between two or more sites over the public network, or the potential for connecting a whole remote team’s devices to your network securely. Note that VPN throughput is often a lot lower than the device’s general firewall-protection throughput.

Businesses who work mostly or totally remotely have another interesting choice to ponder: if everyone is spread out geographically, is it worth investing in a centrally located, physical firewall at all? Would a cloud firewall be better? Cloud firewalls – sometimes referred to as firewall-as-a-service (FWaaS) – throw the established idea of a contained network perimeter out of the window; instead, remotely securing a distributed network of trusted devices. We’ll discuss their pros and cons shortly. However, there is another, simpler, cheaper option, though it’s arguably the least protective option here – to simply use a DNS Filtration service for all of your remote users. This can restrict your users from accessing known threat links and unprofessional sites, but doesn’t provide the same in-depth protective measures and oversight as a “proper” firewalling solution.

Business Firewalls – Next Generation Capabilities

Modern firewalls do far more than simply “monitor the network and filter out the bad stuff”. Next generation firewalls (NGFWs, an abbreviation you’re likely to find on your business firewall-hunting journey) can include numerous other features that are designed to keep your business safe on an increasingly dangerous internet.

Important note: Be aware that “additional” functionality like this doesn’t usually run at the same throughput speeds as general firewall protection. For example, a SonicWall TZ270’s general firewall inspection throughput is 2Gbps, but when you add next-gen threat prevention into the mix, this dips to 750Mbps.

Also, the ways that manufacturers package services like these can differ. This can affect how much to allow in terms of licensing fees and throughput; and depending on your needs, it may affect which manufacturer you decide to side with. It can feel like a lot to juggle, so our friendly team can help you work out the best solution.

Deep Packet Inspection

When an encrypted connection is established between two points (say a user and a banking website) all communications between the two points are encrypted so nobody can jump in between and intercept any sensitive information. Only the two parties involved have the decryption keys to see what’s going on.

This is great for data security, but the rise of encrypted connections – especially the push for websites to use encrypted HTTPS connections even when they don’t handle sensitive information – had made the job of firewalling a lot harder. Because all communications are encrypted between website and user, an older firewall wouldn’t be able to decrypt and inspect that traffic for nasties, often letting them pass by unexamined.

Enter Deep Packet Inspection (DPI), sometimes called SSL Inspection or TLS Inspection. Rather than having the user’s device decrypt the traffic, the firewall does it instead, allowing it to descramble the traffic and thoroughly inspect each packet deeply for threats (hence the name).

Ideally, you need to look for DPI functionality that supports TLS 1.3 encryption/decryption as this is the latest version of the Transport Layer Security (TLS) protocol used in HTTPS/SSL traffic.

Gateway Antivirus

We’re all familiar with antivirus software – but it’s also worth considering investing in a business firewall that includes “gateway” antivirus functionality too. In short, this means that the firewall inspects all traffic for known malware and blocks that traffic before it makes its way to devices within your network.

Does it mean you should do away with traditional endpoint protection on your user devices? No. Does it add an extra failsafe layer of protection against the bad guys? Absolutely.

Gateway Sandboxing

Sandboxing functionality housed within a business firewall is the ultimate gateway protection measure you can use to enhance your network’s security and fend off as-yet-unfixed zero-day threats.

Put simply, sandboxing opens any unknown, incoming files in a virtual environment to see how they behave. If they simply open and don’t act in any unexpected ways, then the end user is permitted access to the file. If they do contain malicious code or behave unexpectedly, the whole network is barred from accessing the file. Smart, eh?

SonicWall’s Capture ATP is particularly effective here, and is particularly notable in that if a file fails its sandboxing check, it notifies all SonicWall security products worldwide to be on the lookout for that threat – in their words, “threats that fail anywhere fail everywhere.”

Data Loss/Leak Prevention

Sensitive data can leak out of a network in myriad surprising ways. From a sensitive password shared via email, to a top-secret file leaving your office on a pen drive, the possibilities for sensitive data loss are endless. Data leak prevention systems are like customs checks at the borders of your network, ensuring that no sensitive information is allowed to leave. DLP solutions are a great investment for any company, but they are particularly useful in helping you monitor your compliance with security standards like PCI DSS.

Deployment: Hardware or Cloud?

Hardware Business Firewalls

Hardware firewalls are the most commonly deployed in business. They provide centralised gateway protection to the whole network, and as such they can be centrally managed. Because physical firewalls operate on their own dedicated hardware, this frees up other network resources (like PCs or servers) from having to do the job of firewalling through software, leaving those devices to do what they do best.

As we’ve discussed, hardware firewalls can accommodate a lot of different use cases, including remote working and secure networking to other premises over public networks.

On the downside, hardware firewalls tend to be the more costly option, regardless of business size or need. Some firewall solutions will need some level of IT knowledge to set up and administer, so working with a firewall partner or managed service provider is very much advised if you don’t have these talents in-house.

Also, if you invest in a firewall and then scale significantly, you’re going to need to upgrade your hardware to cover the new headcount. This is where business firewall leasing becomes a good option, as you may be able to scale your hardware up or down during your lease depending on need – and your lease’s terms, of course.

Cloud Business Firewalls

Cloud firewalls are increasing in popularity, and for good reason. They can facilitate all of the protective benefits of more established firewall types – including Next Generation features, but the business doesn’t have to make physical space for on-prem hardware, and they don’t have to spend money on an expensive box that they might outgrow either.

Because cloud firewalls are totally online, they are a great choice for decentralised teams who operate mostly or completely remotely. Hardware firewalls have the potential to create a network bottleneck as all traffic needs to pass through it, from both on-prem and remote users, but when the firewall is administered through the cloud, this potential for choke points is reduced or eliminated.

There’s no hardware to purchase as the functionality is provided in exchange for an ongoing subscription fee. If the business suddenly grows or changes, this subscription can often be scaled up or down to accommodate. Also, cloud firewalls can be used to secure online resources like file storage and cloud servers, like a hardware firewall would protect a hardware server for example.

We hope this guide has been helpful, but if your head is spinning from all of these options, just give our friendly team a call on 0808 1644414 or request a call back today!