Comparison of firewalls
The following tables compare different aspects of a number of firewalls, ranging from simple home firewalls to the most sophisticated enterprise firewalls.
Firewall software
Firewall | License | OS | 64-bit |
---|---|---|---|
Agnitum Outpost Firewall Pro | Proprietary | Windows | Yes |
Comodo Firewall Pro | Freeware | Windows | Yes |
Core Force | Apache | Windows | Unknown |
GhostWall | Freeware | Windows | Yes |
IPFilter | BSD with special clause | Solaris, NetBSD, FreeBSD, HP-UX, IRIX | Yes |
ipfirewall | BSD | FreeBSD | Yes |
Kaspersky Internet Security | Proprietary | Windows | Yes |
Lavasoft Personal Firewall | Proprietary | Windows | Yes |
Netfilter/iptables | GPL | Linux | Yes |
Norton 360 | Proprietary | Windows | Yes |
Online Armor Personal Firewall | Freeware/Proprietary | Windows | No |
Outpost Firewall Pro | Proprietary | Windows | Yes |
PC Tools Firewall Plus | Freeware | Windows | Yes |
PF | BSD | OpenBSD, NetBSD, FreeBSD | Yes |
Sunbelt Personal Firewall | Proprietary | Windows | No |
Sygate Personal Firewall | Freeware | Windows | No |
Trend Micro Internet Security | Proprietary | Windows | Yes |
Vista Firewall Control | Freeware/Proprietary | Windows | Yes |
Vyatta | GPL | Linux | Yes |
Windows Firewall | Proprietary | Windows | Yes |
WinGate | Proprietary | Windows | Yes |
ZoneAlarm | Freeware/Proprietary | Windows | Yes |
Firewall rule-set basic filtering features comparison
Can Target: | Changing default policy to accept/ reject (by issuing only 1 rule at most) | IP destination address(es) | IP source address(es) | TCP/UDP destination port(s) | TCP/UDP source port(s) | Ethernet MAC destination address | Ethernet MAC source address | Inbound firewall (Ingress) | Outbound firewall (Egress) |
---|---|---|---|---|---|---|---|---|---|
Juniper Networks | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Check Point VPN-1 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Cisco Access List | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
IPFilter | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Linux iptables | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
NAI Gauntlet | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
OpenBSD PF | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Sidewinder G2 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Soft in Engines BMF | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Trend Micro Internet Security | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
Vyatta | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Windows 7 (and Windows 2008 R2) Firewall | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Windows Vista Firewall | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
Windows XP Firewall | No | No | Yes | Partial | No | No | No | Yes | No |
WinGate | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Zorp | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
- Windows XP Firewall can target only a single destination TCP/UDP port per rule, not port ranges; therefore support is partial.
Firewall rule-set advanced features comparison
Can: | work at OSI Layer 4 (stateful firewall) | work at OSI Layer 7 (application inspection) | Change TTL? (Transparent to traceroute) | Configure REJECT-with answer | DMZ (de-militarized zone) - allows for single/several hosts not to be firewalled. | Filter according to time of day | Redirect TCP/UDP ports (port forwarding) | Redirect IP addresses (forwarding) | Filter according to User Authorization | Traffic rate-limit / QoS | Tarpit | Log |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Juniper Networks | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Check Point VPN-1 | Yes | Yes | Yes | Yes (with Web Intelligence) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Cisco Access List | Yes (with CBAC) | Partial (with CBAC) | No | No | Yes | Yes | Yes | Yes (with static routes) | Yes (with dynamic ACLs) | Yes (with queueing) | No | Yes |
IPFilter | Yes | Partial (selected protocols only) | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes |
Linux iptables | Yes | Yes (with patch) | Yes | Yes | Yes | Yes | Yes | Yes | Yes (with NuFW) | Yes | Yes (with Patch-o-matic module) | Yes |
OpenBSD pf | Yes | Partial (selected protocols only) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Sidewinder | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Soft in Engines BMF | Yes | Partial (selected protocols only) | No | Yes | Yes | No | Yes | Yes | Yes (with MS Active Directory) | Yes | No | Yes |
Vyatta | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Windows 7 (and Windows 2008 R2) Firewall | Yes | No | No | No | No | No | No | No | Yes | No | No | Yes |
Windows Vista Firewall | Yes | No | No | No | No | No | No | No | Yes | No | No | Yes |
Windows XP Firewall | Yes | No | No | No | No | No | No | No | No | No | No | Yes |
WinGate | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes | No | Yes |
- NOTE: Because Linux iptables is a text-based firewall, you can "Filter according to time of day" by using additional third-party tools, such as the expect automation tool and cron jobs.
Firewall Management features comparison
Features: | Configuration: GUI, text or both modes? | Remote Access: Web (HTTP), Telnet, SSH, RDP, Serial COM RS232, ... | Change rules without requiring restart? | Ability to centrally manage all firewalls together |
---|---|---|---|---|
Juniper Networks | Both | proprietary GUI, SSH, Web (HTTP/HTTPS), Telnet, nsm | Yes | Yes |
Check Point VPN-1 | GUI | proprietary GUI, SSH, Web (HTTP/HTTPS) | No | Yes |
Cisco Access List | both | Telnet, SSH, Web (Java App "PDM" or the newer "ASDM"), RS232 | No | Partial |
IPFilter | both | Telnet, SSH, Web (webmin), X/Win32 GUI "fwbuilder", RS232 | Yes | Yes |
Linux iptables | both | Telnet, SSH, Web (webmin), X/Win32 GUI "fwbuilder", RS232 | Yes | Yes |
OpenBSD pf | both | Telnet, SSH, Web (webmin), X/Win32 GUI "fwbuilder", RS232 | Yes | Yes |
Vyatta | both | Telnet, SSH, Web GUI, RS232 | Yes | Yes |
Windows 7 (and Windows 2008 R2) Firewall | both | RDP, telnet, Group Policy, MMC | Yes | Yes |
Windows Vista Firewall | both | RDP, telnet, Group Policy, MMC | Yes | Yes |
Windows XP Firewall | both | RDP, telnet, Group Policy | No | Yes (with AD and GPO) |
WinGate | GUI | Proprietary user interface | Yes | N/A |
- NOTE: Rule changes on Checkpoint firewalls do not require any restart and incur no outage time.
- NOTE: Because Linux iptables and Cisco ACL are text-based firewalls, you can centrally manage them all at once by using additional tools, such as KDE Konsole or the expect automation tool.
- NOTE: Due to the distributed nature of the Checkpoint architecture, no single interface is used exclusively. Security, NAT and VPN configuration is always done using the proprietary GUI; however, basic IP networking and routing configuration of individual firewalls can be done using SSH or the Web interface.
Firewall's other features comparison
Features: | Modularity: supports third-party modules to extend functionality? | IPS : Intrusion prevention system | Open-Source License? | supports IPv6 ? | Class: Home / Professional | on what Operating Systems it runs? |
---|---|---|---|---|---|---|
Check Point VPN-1 | Yes | ? | No | Yes | Professional | Solaris, Linux (SPLAT or RHEL), Nokia IPSO, Crossbeam, Windows NT, 2000, 2003 |
Cisco Access List | No | ? | No | Yes | Professional | Cisco IOS |
IPFilter | Yes | Yes, with Snort Inline, Ossec | Yes | Yes | Both | Solaris, IRIX, HP-UX, NetBSD and FreeBSD. Available but deprecated on Linux. |
Juniper Networks | No | ? | No | Yes | Professional | JuniOS |
Linux iptables | Yes | Yes, with Snort Inline, Ossec | Yes | Yes | Both | Linux 2.4+ |
OpenBSD pf | Yes | Yes, with Snort Inline, Ossec | Yes | Yes | Both | OpenBSD, FreeBSD 6.0+, NetBSD 3.0+ |
Outpost Firewall Pro | No | Yes | No | Yes | Professional | Windows |
Vyatta | Yes | No | Yes | Yes | Professional | Vyatta OS (built on Debian) |
Windows 7 (and Windows 2008 R2) Firewall | Yes | No | No | Yes | Both | Windows 7, Windows Server 2008 R2 |
Windows Vista Firewall | Yes | No | No | Yes | Both | Windows Vista, Windows Server 2008 |
Windows XP Firewall | No | No | No | No | Home | Windows XP, Windows Server 2003 |
WinGate | Yes | ? | No | No | Professional | Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 2008. 32bit and 64bit. |
- NOTE: Checkpoint supports a limited range of third-party modules from certified partners. Modules are integrated with Checkpoint firewalls through a platform named OPSEC.
- NOTE: WinGate 6.x supports 3rd party modules for data scanning only (e.g. antivirus and content filtering).
Non-Firewall extra features comparison
These features are not strictly firewall features, but are sometimes bundled with firewall software, or exist on the platform.
NOTE: Features are marked as "yes" even if they are provided by a separate module that comes with the platform on which the firewall sits.
IDS: real-time firewall that logs/sniffs/blocks suspicious connections that are not part of the rule-set.
VPN (Virtual Private Network) types are: PPTP, L2TP, MPLS, IPsec, SSL/SSH.
Profile selection: The user is able to switch quickly between firewall settings for work, home or public places.
Can: | NAT (static, dynamic w/o ports, PAT) | IDS (Intrusion Detection System) | VPN (Virtual Private Network) | AV (Anti-Virus) | Sniffer | Profile selection |
---|---|---|---|---|---|---|
Juniper Networks | Yes (supports three NAT types) | Yes | Yes | Yes | Yes (supports wireshark, tcpdump, IOS version) | ? |
Check Point | Yes (supports three NAT types) | Yes | Yes | Yes | Yes (with wireshark, tcpdump or FW-1 kernel inside dump "fw monitor", a powerful tool to determine many aspects of the connection before and after a packet enters/leaves the OS routing system) | ? |
Cisco IOS | Yes (supports three NAT types) | Yes | Yes (some IOS versions) | No | Yes (some IOS versions) | ? |
IPFilter | Yes (supports three NAT types) | Yes (with Prelude-IDS or Snort) | Yes (Native on Solaris, HP-UX. With third-party software on IRIX, BSD, Linux.) | Yes (with clamav) | Yes (with wireshark or tcpdump) | ? |
Linux OS | Yes (supports three NAT types) | Yes (with Prelude-IDS or Snort) | Yes (with openVPN) | Yes (with clamav) | Yes (with wireshark or tcpdump) | ? |
OpenBSD pf | Yes (supports three NAT types) | Yes (with Prelude-IDS or Snort) | Yes | Yes (with clamav) | Yes (with wireshark or tcpdump) | ? |
Vyatta | Yes (supports three NAT types) | Yes (integrated Snort) | Yes (IPsec and OpenVPN) | No | Yes (with wireshark or tcpdump) | ? |
Windows 7 (and Windows 2008 R2) | Partial (PAT, with Internet Connection Sharing) | Yes (with SPECTER) | Yes | Yes (McAfee, Symantec, etc) | Yes (with wireshark) | Yes (public, private, home) |
Windows Vista | Partial (PAT, with Internet Connection Sharing) | Yes (with SPECTER) | Partial (Limited to 1 client) | Yes (McAfee, Symantec, etc) | Yes (with wireshark) | Yes (public, private) |
Windows XP | Partial (PAT, with Internet Connection Sharing) | Yes (with SPECTER) | Partial (Limited to 1 client) | Yes (McAfee, Symantec, etc) | Yes (with wireshark) | No |
WinGate | Yes | Yes (with NetPatrol) | Yes (proprietary) | Yes (Kaspersky Labs) | Yes (filtered capturing to pcap format) | No |