Security Firewall Router – Your Primary Network Defence – A complicated and critical decision for most companies.
A security firewall router is very different from an ISP-provided router. It performs a host of traffic inspection and protection services far beyond what a consumer router offers.
Protection services found on firewalls include:
- Zero Day Protection
- Intrusion Protection/Detection IPS/IDS
- DNS Security
- Website Filtering
- AntiSpam
- Network Anti-Virus (Not the same as end-point Anti-Virus)
- Botnet Protection
- Global AI Intelligence Threat Protection
- Port Blocking
- VPN Protection/Access, and a lot more.
All security routers typically require a subscription service to update the “Intrusion Detection/Protection” rules, and those rules are the primary reason for using a security firewall. Without a subscription it will not be effective at all; we commonly find people install these units and then don’t understand how to use them properly, or fail to pay the subscription.
Hardware considerations should always include:
- How many users on the network?
- How many remote users?
- How many other devices?
- How many VPN connections / at what speed?
- SD-WAN requirements
- Internet connectivity speed vs firewall capabilities
- IDS/IPS Transfer speed limitations
- What extra protection do you need? (Website blocking/Country blocking/etc)
The short answer to which firewall to choose:
If your business is mostly cloud-based (365/iCloud/Google/etc.) with no inbound ports, or maybe some inbound ports for a pre-secured device like a QNAP or CCTV, then it’s best to go with Ubiquiti UniFi UXG.
If your business is a mixed use case with high security requirements, using inbound ports and local on-site (Windows) servers, and perhaps inbound VPN, then get Fortigate or pfSense/OPNsense. You will need a good firewall expert to set it up and to manage it daily/weekly in order to take advantage of all the security features; otherwise it will just be useless. However, if this sounds too expensive or too difficult, then use Ubiquiti UniFi.
View the following Business Firewall Comparison Chart:
Firewall Technical Considerations:
- Speed per user: in a typical office you require an absolute minimum of 2 to 5Mbps per user for typical web browsing and local office apps. Aim for at least 7 to 25Mbps for mixed usage, and 25 to 35Mbps for future-proofing or for high usage.
- Over 35Mbps per user means you may have some capacity to provision for VPN/SD-WAN/Streaming/FileSync/Backup, or that you have media-intensive users who may require as much as 50 to 100Mbps per user.
- If the business is using pure cloud-based solutions with an active file sync solution like OneDrive, you may need to allocate around 20 to 35Mbps per user if they are highly active.
- Throughput is also reduced when adding a lot of extra rules or functions, and especially when using VPN for multiple users, so always over-provision to allow for this.
- Make sure you take into consideration any streaming services (5Mbps for HD, 25Mbps for 4K), video conferencing per user, drive sync applications running on all systems, server-to-cloud backup, and QoS allocation for VoIP.
- Also consider your internet connectivity speed: is it the restriction, or do you want a firewall that can deliver the true connectivity speed? It’s unlikely you will want a firewall that performs at less than 700/1000Mbps with TD/IDS turned on in any business these days.
- Pure maximum non-IDS throughput is disregarded in any calculations, as it does not reflect performance with the protection features actually enabled on the firewall.
- SSL-inspected traffic has been excluded. SSL inspection can be a semi-effective tool but is typically impractical to install and maintain, because every device must be changed to trust the intercepting SSL certificate.
- Anti-virus on network traffic can be ineffective now that SSL encryption is the primary connection method and most systems do not use SSL inspection. Use a PC/server-based anti-virus solution instead.
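The per-user figures above turn into a sizing check fairly directly. The following is an added example, not part of the original article: it sums the article’s per-user tiers, streaming and VoIP/backup allowances, applies an over-provisioning factor (the 1.25 factor and the per-VPN-user allowance are assumptions, not figures from the article), and short-lists devices by their IPS-on throughput, using the Fortigate ratings quoted later on this page as sample data.

```python
# Added example: rough firewall bandwidth sizing from the article's rules of thumb.
# Tier values are the article's per-user figures (upper bound of each range).
TIERS_MBPS = {
    "basic": 5,        # web browsing and local office apps (2-5 Mbps)
    "mixed": 25,       # mixed usage (7-25 Mbps)
    "high": 35,        # high usage / future-proofing (25-35 Mbps)
    "cloud_sync": 35,  # highly active OneDrive-style sync (20-35 Mbps)
    "media": 100,      # media-intensive users (50-100 Mbps)
}
STREAM_HD_MBPS = 5     # article: 5 Mbps per HD stream
STREAM_4K_MBPS = 25    # article: 25 Mbps per 4K stream

# Sample device list: Fortigate models and throughput figures quoted on this page.
# Only the rating with protection features on is used, as the article advises.
FORTIGATE_IPS_MBPS = [
    ("60F", 700), ("80F", 900), ("90G", 2200),
    ("100F", 1000), ("200F", 3000), ("400F", 9000),
]


def required_mbps(users, hd_streams=0, uhd_streams=0, vpn_users=0,
                  fixed_mbps=0, overprovision=1.25):
    """Return the sustained throughput (Mbps) a firewall must deliver.

    users:        dict mapping a TIERS_MBPS tier name to a head count.
    vpn_users:    remote users; assumption: each is budgeted as 'mixed' usage
                  to cover tunnel overhead (the article gives no VPN figure).
    fixed_mbps:   non-per-user load such as server-to-cloud backup or VoIP QoS.
    overprovision: headroom for extra rules/VPN load (1.25 is an assumption).
    """
    total = sum(TIERS_MBPS[tier] * count for tier, count in users.items())
    total += hd_streams * STREAM_HD_MBPS + uhd_streams * STREAM_4K_MBPS
    total += vpn_users * TIERS_MBPS["mixed"]
    total += fixed_mbps
    return total * overprovision


def shortlist(required, firewalls, wan_mbps):
    """Names of firewalls whose IPS-on throughput covers both the computed
    requirement and the WAN link, so the firewall is never the bottleneck."""
    target = max(required, wan_mbps)
    return [name for name, ips_mbps in firewalls if ips_mbps >= target]


if __name__ == "__main__":
    # Constructed office profile: 20 basic, 10 mixed, 4 heavy cloud-sync users,
    # 2 HD streams, 3 VPN users and 50 Mbps reserved for backup/VoIP.
    need = required_mbps({"basic": 20, "mixed": 10, "cloud_sync": 4},
                         hd_streams=2, vpn_users=3, fixed_mbps=50)
    print(f"need ~{need:.0f} Mbps:", shortlist(need, FORTIGATE_IPS_MBPS, 1000))
```

Because the WAN link is part of the target, a 1Gbps connection rules out the 60F and 80F even though the computed load alone would fit the 80F.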
Fortigate
One of the stronger contenders for corporate firewalls, but it does require a specialist to set up and manage.
The vendor is “Fortinet”; its NGFW (Next-Generation Firewall) product line is called “Fortigate”.
In our own testing, Fortinet had the best detection protocols, but we found it overly complex to make simple changes to IPS/DNS/Web Protection that should be one click, not twenty, and it had very interlinked settings which take a lot of work to revert if required. Even setting up a new WiFi SSID/network requires a lot of work compared to others. The VPN solution is pretty good overall.
Fortinet has a range of firewalls ideal for small businesses right up to enterprise level. Small office users typically go with the 60F (700Mbps) and 80F (900Mbps); medium-sized companies use the 90G (2.2Gbps), 100F (1Gbps) and 200F (3Gbps); and large businesses use the 400F (9Gbps), 900G (20Gbps), 3500F (63Gbps) and 6500F (100Gbps).
https://www.fortinet.com/products/next-generation-firewall
FortiGate Firewalls also make use of SD-WAN – “More and more companies are making the shift to SD-WAN every day. In fact, Gartner predicts that by 2024, 60% of enterprises will be using SD-WAN. And why not? It is cheaper than an MPLS connection, and easier to set up and configure.”
“SD-WAN enables organizations to securely connect users, applications and data across multiple locations while providing improved performance, reliability and scalability. SD-WAN also simplifies the management of WANs by providing centralized control and visibility over the entire network.”
SD-WAN is not a requirement under this essential security protocol, but merely a benefit for any company that does upgrade to a firewall that is SD-WAN capable.
Ubiquiti UniFi UXG/DM/DW/DR Routers
Ubiquiti now has quite a range of routers, all with different transfer speed ratings, and they all come with the basics, which include network monitoring, basic-level IDS/IPS, country blocking, VPN and an easy-to-use interface.
This is by far the cheapest solution and good for most companies. It supports anyone from a remote worker to an enterprise company. It certainly doesn’t have all the latest inbound zero-day protection, but for most companies that mostly have outbound cloud access, this is perfect.
If you combine this with ThreatDown anti-virus with its added features, you are pretty well protected; we highly recommend this combination.
The Ubiquiti UniFi UXG firewall router is a very common solution used in a range of organisations, from general business and schools to medical and even government.
pfSense Plus (netgate)
Professional-level protection if you take the add-on packages.
Available in a free community edition, but you still need to pay for rule sets if you want high-level IPS.
You can centrally manage it using PFMonitor.
IDS protection requires a paid subscription for the ET Pro Rules if you want good protection. It is possible to use Snort rules for a more budget-friendly option, but it is far less effective.
IP protection is provided by Zenarmor, but in theory you could rely on free IP block lists.
https://www.netgate.com/pfsense-plus-software
https://www.wundertech.net/pfsense-vs-opnsense/
https://www.snort.org/products#rule_subscriptions
Zenarmor (Sensei) has a bigger threat intelligence database than pfBlockerNG.
OPNsense
Professional-level protection if you take the add-on packages: Zenarmor and the Proofpoint ET Pro Ruleset.
OPNsense is a fork of pfSense that started in 2015; it has a much better GUI and is easier to use.
IPS protection requires a paid subscription for the ET Pro Rules if you want good protection.
IP protection is provided by Zenarmor, but in theory you could rely on free IP block lists.
https://shop.opnsense.com/product-categorie/software_and_licenses/
Additional Firewall Options
| Vendor | Assessment | Rating |
|---|---|---|
| Forcepoint | Very effective but a bit more costly | 9/10 |
| Juniper | Very effective but quite costly | 9/10 |
| Versa | Low cost and very effective but not as well known | 9/10 |
| Check Point | Very effective and moderately costly (a potential leader in 2024) | 9/10 |
| Barracuda | Fairly effective and moderately costly | 8/10 |
| Sangfor | Not as effective | 7/10 |
| Untangle | Open source | 7/10 |
| WatchGuard | Low cost but less effective vs alternatives | 7/10 |
| Palo Alto | Costly and less effective | 6/10 |
| Cisco | Expensive and far less effective | 5/10 |
| Sophos | Low cost but less effective vs alternatives | 5/10 |
| Sonicwall | Low cost but less effective vs alternatives | 5/10 |