SMART AND FAST
WHAT TO LOOK FOR IN YOUR NEXT FIREWALL

JULY 2002

WatchGuard Technologies
505 Fifth Avenue South, Suite 500
Seattle, WA 98104
www.watchguard.com

Trying to select which firewall to install in your computer network? It’s a challenging task, especially if you’re trying to compile enough information to make a true feature-for-feature comparison. Here’s the problem: when various firewall vendors describe their products, they each use the same buzzwords to mean very different things. But if you’ll invest a few minutes in reading about WatchGuard technology, you’ll learn what we mean when we say that WatchGuard firewalls are not only smart and fast, but also offer the best security value available. Will you decide we’re right? The only way to find out is to read on.

WHY WATCHGUARD® PIONEERED THE FIREWALL APPLIANCE

In the early days of the Internet, the Defense Advanced Research Projects Administration (DARPA) funded the development of new software to help block unauthorized access to a university or corporation’s computer network. This software, which ran on a dedicated UNIX server, had no cohesive user interface, and demanded a great deal of expertise to operate. Nonetheless, it evolved into the first Internet firewall.

Only a university or large corporation could use those early firewalls, because managing them required substantial staff and resources to cope with the task. Over time, firewalls became faster, more sophisticated, and more numerous. As the number of businesses networking to the Internet skyrocketed, the number of experts in administering server-based firewalls did not grow at the same rate. Additionally, purchasing, setting up, and running a server-based firewall cost more than the average business could afford.

WatchGuard pioneered the “firewall appliance” concept to address the need for a high performance, easy-to-use, robust Internet security solution that the Small to Medium Size Enterprise could afford and manage. Over the years we’ve been a leader in this space by building on our commitment to intelligent network security and high performance firewalls. Because we’re firewall innovators, our approach to network security is distinctive.

This article explains our philosophy and why we believe our Firebox III and Vclass product families offer the best firewall values in the world. It will also help network administrators make informed decisions about which Firebox models are suitable for their networks.

WHAT MAKES A GOOD SECURITY SYSTEM?

Asking, “Which is the best firewall?” is like asking, “Which is the best car?” The answer is, “That depends on what you want to do with it.” Still, just as all good cars have some features in common (reliability, superior crash test ratings, intuitive handling, etc.), all good firewalls share some common traits, listed below. If you’re in the process of selecting firewalls for your network, ask each vendor if their firewalls adhere to these world-class practices. WatchGuard Fireboxes do.

SIMPLICITY

A network security device that is complex in its design, configuration, or day-to-day operation is more error-prone, and has more points of entry than one that is simple. Simple designs are more likely to be used consistently and correctly. A firewall appliance is easier to integrate into your network than setting up firewall software under a standard operating system. But don’t mistake simple design for simplistic design. A good firewall appliance should provide nuanced and feature-rich security -- but present it with a simple interface.

Complicated software firewalls can leave you the victim of the “blame game” when you discover a security flaw. The firewall developer tells you the problem comes from the operating system, and the operating system developer tells you the problem comes from the software firewall, but nobody tells you they’ll fix the problem. Firewall appliances eliminate that dilemma.

SCALABILITY

Good network security solutions keep pace with company growth and increased use. For example, a company might not increase in size significantly over a two-year period but still might need to scale up their network protection as they find new applications for network technology. A scalable system expands at reasonable cost. Plus, its administration requirements gain little complexity as the system grows. Although the system might have more firewall appliances, log hosts, authentication hosts, VPN tunnels, and other components to administer as time goes on, the user interface should remain consistent.

HIGH UPTIME / RAPID RECOVERY

Low-cost commercial network protection is a young industry. Some products may have lower reliability because of the manufacturer’s rush to offer marketable features. A good network security device has a high MTBF (mean time between failures) rating and uses reliable hardware components. For even greater service uptime, the security appliance should be configurable for fail-over; that is, it should have the capability of being paired with a second appliance that automatically takes over if the first appliance goes offline. Ideally, this handoff should take place via a dedicated interface.

A failed firewall is a no-win situation: Either it shuts down your Web site (fail shut) or leaves it open to outside attack (fail open). Given only a choice of the two, a safe firewall should fail shut. However, it's better for you if it can fail over.

DISTRIBUTED ARCHITECTURE

Distributed architecture means assigning different network security tasks to different computers. For example, a distributed architecture might have one device as the firewall appliance, a computer to create and manage configurations for the firewall, other computers to handle the system logs, and yet others to store the authentication and user databases. A distributed architecture separates tasks and functions according to type and assigns them to systems best suited to the respective tasks. This makes distributed architecture both more efficient and more secure.

DYNAMIC UPDATES

Entrepreneurs keep inventing new services to transmit multimedia, teleconferencing, and other advanced services over the Internet. Hackers are perpetually inventing and exploiting new methods to invade networks and introduce viruses and worms. That means for network security, out-of-date software is downright dangerous. As a network security system becomes dated, it becomes more vulnerable to emerging hacks and attack methods. The network administrator must then divide his or her time between local administration tasks, and the effort to keep the network secure by researching the availability of patches and the reconfiguring of services newly found to be vulnerable.

Ideally, a network security device includes an updating mechanism from the vendor, which notifies an administrator about new software downloads, information about emerging security threats, and opportunities for training to keep the whole networked environment current and thus, more secure.

SECURE CONNECTIONS

Good security systems implement secure connections between all critical and sensitive points of communication. The links between the administration computer and the firewall appliance should use strong encryption. So should the channel by which the logs are transmitted to the log server.

ROBUST AUTHENTICATION

Authentication ensures that all traffic actually came from the source that claimed to originate it, and that the user or machine that sent it is permitted to do so. A good security system offers several types and levels of authentication. Using multiple levels of authentication, you can give different groups of users different levels of access, and limit that access to specific areas on your network. Multiple types of authentication ensure that the most secure or compatible type of authentication is available for a given use.

A good firewall appliance can take advantage of the work you’ve already done on authentication servers and converge them into a single point of authentication management. Just found out that a worker was fired five minutes ago? Robust authentication features let you eliminate that worker’s network access without having to search in various places where usernames and passwords are stored.

URL FILTERING

URL filtering enables you to prevent users from squandering organization time and resources on Web-based entertainment inappropriate to your goals, philosophies, and work ethic. Good URL filtering capability allows the administrator to restrict Web surfing based on type of content (for example, gambling) and time of day, and to assign those rules to groups or individuals.

SECURE REMOTE MANAGEMENT

A good security system can be managed from a remote location, but prevents eavesdropping on the administrative session. The administration tools should be able to communicate everything the administrator needs to know about active connections, services, denied packets, VPN tunnels, general security policies, and the network configuration. In certain instances, it is desirable to manage the firewall from a wide range of devices in a variety of ways. Robust implementations of secure remote management do not lock you into one way of managing your infrastructure.

VIRTUAL PRIVATE NETWORKING

VPN capabilities are in high demand for organizations that have branch offices, telecommuters, or traveling employees. Many telco vendors offer some type of VPN capabilities, but not necessarily in a security package. For example, a VPN package that does not provide authentication and/or encryption should not be used for conducting confidential business.

VPNs are complex. Firewalls are, too. VPNs and firewalls can be managed separately, or together. If you manage them separately, hazardous traffic that firewall policies forbid can be admitted by a VPN that uses a more liberal policy. In such a scenario, an attacker can gain an extra foothold on your network, in the same way a rambunctious child who has a strict parent and a permissive parent learns to play them against one another.

Using a firewall appliance for VPN makes it easier to ensure that VPN policies mesh appropriately with the security policies the firewall implements; that lists of accepted and denied services are consistent, and that adding a service or a tunnel does not breach security. Robust firewalls can apply their security policies to each VPN tunnel.

HIGHLY CONFIGURABLE SECURE LOGGING

A good security system lets you specify which types of events are logged, for each individual service (e-mail, Web, downloading files, etc.), and for traffic heading in or out of the network. In a robust firewall, logging parameters should be adjustable according to log host capacity and usable file size. Logs should not be constrained to a set file size that fills up and begins overwriting if unattended. The best logging systems can be configured to watch for patterns symptomatic of attempted security breaches, and to notify an administrator of the suspicious activity.

And finally, proper logging gives management an accurate, meaningful, and straightforward account of firewall use. You should be able to sort the logging data by various parameters such as host-to-host connections, Internet activity, active times of day, and even by one individual’s activity.

WELL-CONCEIVED SECURITY POLICIES

A network security system is only as good as the security system policies that drive it. A well-planned security system specifies which computers can communicate with the outside and in which ways. It closely examines content sent via protocols that can hide potentially destructive content types. It employs encryption where communication could be intercepted, and authentication wherever a faked user identity could have destructive results. Well-conceived security policies leave no holes in the firewall, just authorized passages.

DEFENSE IN DEPTH

Installing a firewall is not the be-all and end-all of network security. The firewall needs to work effectively with your many other layers of security: anti-virus software, dedicated intrusion detection systems, router rules, server-level protection, and more. One indicator that a firewall will interact synergistically with other elements of the network is if the ICSA (and other standards organizations) have certified the firewall and its compatibility with IPSec standards. Settling for anything less is asking for trouble.

FLEXIBILITY

As networks grow to meet more and more specific needs, the requirements that they will reasonably place on a firewall will begin to shift. For sophisticated environments, look for the ability to use advanced networking technologies, such as:

- Traffic Management: The ability to control which systems and services get the first claim on your network resources based on source/destination port or attributes of the packets themselves.
- Server Load Balancing: Spreading the processing load for a single Internet application across multiple servers.
- VLAN: Service Providers who manage security for multiple tenants should be able to create and enforce separate security policies for each tenant, managed centrally using VLAN technology.
- High Availability: If one firewall goes down, another can pick up the load.

Taken together, these technologies enable you to tailor your network’s capabilities to your business’ needs both now and in the future without continually reinvesting in more equipment.

WHICH IS BETTER: SPEED OR INTELLIGENCE?

Given: all firewalls are not created equal. But when you’re comparing various vendors’ firewalls, it’s difficult to make sure you’re comparing features head-to-head. This is especially true when comparing throughput, the speed at which a given firewall passes traffic. To compare throughput numbers accurately, find out what each firewall does while putting that data through.

The methods that firewalls use for handling data packets can be loosely grouped into two categories: filtering, and proxying. The merits of each have been debated with religious fervor in articles and other public forums. Conventional wisdom says that packet filtering is dumb but fast, while proxying is smart but slow. This section explains the difference, shows why conventional wisdom has it wrong, and how WatchGuard settled for nothing less than smart, flexible, and fast.

THE PURPOSE OF DYNAMIC PACKET FILTERING

Dynamic packet filtering examines the headers of packets being sent or received. A packet header is a lot like the envelope on a conventional piece of US mail, providing information on the source of the packet (like a return address does), the destination, the protocol used, the port number, and other transport information. A packet filter examines the headers to determine whether they follow legitimate syntax rules and comply with the configured security policy.

We can compare a firewall packet filter to an intern who sorts mail for several executive editors at a large publishing company. He checks envelopes to make sure they came from a legitimate address, and that they are addressed to an existing editor within the company. He checks in-house postal guidelines to make sure that he is allowed to send this size and type of mail to this particular editor. But he does not open the envelope and examine the story being submitted; he simply sorts and routes the mail. This is essentially what packet filters do.

For example, if a packet filter encounters a packet assigned to port 403, and the filter “knows” that this port has not been opened for any service, the filter rejects the packet because its port number is invalid according to packet filter rules.

Packet filters operate by following rule sets that determine packet disposition. Because filters examine only the header and not the content of the packet, they’re fast; depending on the hardware, they can be very fast.

HOW WATCHGUARD USES SECURITY PROXIES

Security proxies go well beyond the function of packet filters by examining not just the headers, but the packet content as well. In doing so, the proxy determines whether forbidden content is being transmitted, and allows or denies the content, as appropriate.

To revisit the corporate mail sorter analogy, suppose the mail sorter at the publishing company is promoted to screening editor. Now he not only reads the “To” and “From” addresses on the envelopes, he also examines the envelope’s contents to determine whether the executive editor in the address wants to read the enclosed story. The screening editor is acting as a stand-in, or proxy, for the executive editor.

For example, the screening editor opens an envelope containing a proper originating address, addressed to a proper internal address -- say, the cookbook editor. Inside he finds an action-adventure story set in a rain forest. He will not forward the manuscript because its content is inappropriate for its destination.

In the same way, a mail proxy examines all SMTP packets to determine whether the payload contains forbidden content types, such as executable programs or items written in scripting languages.
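
The contrast between the two techniques, as an added example (not WatchGuard code): a header-only rule set rejects the port 403 packet from the text but passes any mail addressed to port 25, while a mail proxy that parses the whole message rejects an executable attachment. The open-service list, deny lists, addresses and sample messages are assumptions constructed for illustration.

```python
"""Header-only packet filter vs. content-inspecting SMTP proxy (added example)."""
import os
from dataclasses import dataclass
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy for this example: only these (protocol, port) services are open.
OPEN_SERVICES = {("tcp", 25), ("tcp", 80)}

# Assumed deny lists for the mail proxy: executable and script content.
FORBIDDEN_TYPES = {"application/x-msdownload", "application/x-sh",
                   "application/javascript", "text/javascript", "text/vbscript"}
FORBIDDEN_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".vbs", ".js", ".sh"}


@dataclass(frozen=True)
class Header:
    """The 'envelope': the only fields a packet filter looks at."""
    src: str
    dst: str
    proto: str
    dport: int


def packet_filter(hdr: Header) -> str:
    """Decide from header fields alone; the payload is never read."""
    if (hdr.proto, hdr.dport) in OPEN_SERVICES:
        return "allow"
    return "deny: port %d/%s not opened for any service" % (hdr.dport, hdr.proto)


def smtp_proxy(raw_message: bytes) -> str:
    """Decide from the reassembled message by inspecting every MIME part."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        # A generic MIME type can hide an executable, so the filename is checked too.
        if ctype in FORBIDDEN_TYPES or ext in FORBIDDEN_EXTENSIONS:
            return "deny: forbidden content %s (%s)" % (ctype, name or "no filename")
    return "allow"


def inspect(hdr: Header, raw_message: bytes = None):
    """Apply the packet filter first, then the proxy for SMTP traffic."""
    verdict = packet_filter(hdr)
    if verdict != "allow":
        return ("filter", verdict)
    if (hdr.proto, hdr.dport) == ("tcp", 25) and raw_message is not None:
        return ("proxy", smtp_proxy(raw_message))
    return ("filter", verdict)


def build_sample(with_attachment: bool) -> bytes:
    """Constructed sample mail; the attachment bytes are a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = "author@example.org"
    msg["To"] = "editor@example.com"
    msg["Subject"] = "Manuscript"
    msg.set_content("Story attached.")
    if with_attachment:
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename="story.EXE")
    return msg.as_bytes()


if __name__ == "__main__":
    mail = Header("203.0.113.7", "192.0.2.10", "tcp", 25)
    closed = Header("203.0.113.7", "192.0.2.10", "tcp", 403)
    print(inspect(closed))                     # rejected on the header alone
    print(inspect(mail, build_sample(False)))  # plain text mail passes both stages
    print(packet_filter(mail))                 # the filter alone passes any port 25 mail
    print(inspect(mail, build_sample(True)))   # the proxy catches the attachment
```
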

The SMTP proxy knows these content types are not allowable; a packet filter does not. Advanced WatchGuard security proxies examine not only one packet at a time, but entire groups of related packets, or data streams, which gives clearer context for deciding whether content is safe or not.

Security proxies work at the application level, whereas IP packet filters work at the protocol level. This means that each packet a proxy receives must be stripped of its network wrapping, analyzed, processed, and re-wrapped so it can be forwarded to its destination. This adds layers of complexity and processing well beyond the packet filtering process.

Thus, proxies use up more processing bandwidth than packet filters. On the other hand, they can catch dangerous content types that packet filters cannot. So, they’re relatively slow, but compared to packet filters, they’re smart.

WHAT ABOUT VPN?

Twenty years ago, if you needed to get a sales report from Denver to New York, you either put it in the mail or, if you worked for a really big company, you could send it over the company’s private network. Today that same report would probably be sent as e-mail over the Internet -- no big deal.

Once people figured out that the Internet was useful for more than the exchange of scientific data, they asked, how could the Internet enhance the way we do business? If we do business over the Internet, how do we keep our business private? If the answer is an expensive private network of leased lines, how do we afford it? While the jury may still be out on the first question, the answer to the privacy and cost questions is: connect the various pieces of a geographically dispersed business using a Virtual Private Network (VPN).

We compare VPN technology to riding around in a fancy limousine with darkened windows. Just as the limo drives the public streets but keeps its contents private, a message sent via VPN travels the public Internet, but is encapsulated in encryption so that its content remains private. Only the originator and the receiver of the message see it in a clearly readable state. Any hacker trying to eavesdrop en route gets nothing but a scrambled mess. The path of a VPN message has “light” at each end but “darkness” (obscurity) at all the between-points, so it is called, metaphorically, a VPN tunnel.

Though you don’t actually have a private network, privacy is accomplished by encryption -- hence, the public Internet is virtually a private network, for VPN users. Any business can afford to maintain a connection to a local ISP. So any business can now gain the advantages in communications efficiency that were once reserved for the largest corporations.

If you view VPN as an important factor in your network, but would like to know more about it, be sure to request our paper, “Straight Talk about VPN,” for a valuable overview of key learnings developed over the years since VPN technology was introduced. But for now, you’re reading this paper, not another one, so we’d like to offer a few important points to consider when selecting a VPN solution:

Standards are there for a purpose. IPSec is a standard that describes how an encrypted tunnel between two points should be set up, regardless of which vendor makes the hardware. If you will ever want to establish a tunnel between two pieces of equipment made by separate manufacturers, choose equipment certified as IPSec-compatible by an independent firm like ICSA Labs. WatchGuard has this certification; some of our competitors don’t.

A successful VPN requires diligence. There is no way around this one. Since you are essentially building another network in addition to the one you already have, you must dedicate time and staff resources to maintaining and growing your VPN. However, you can leverage your efforts by choosing a VPN solution with powerful and flexible management capabilities.

Make sure you’re not flying blind. Since a VPN sends your sensitive traffic out onto the public Internet, you’ll need to be aware of how that traffic fares. WatchGuard products come with a robust set of reporting and monitoring tools to gather statistics on the health of your tunnels. You can use these to help diagnose bad lines, network connectivity problems that may occur, bandwidth utilization, or the unexpected network outage.

Choose a manageable solution that scales well. Your business is going to grow, right? Your needs will change as a result. WatchGuard’s advanced VPN management utilities allow you to quickly and easily add new tunnels and new devices, and delete old ones, all from a secure application that runs on most any laptop and can be used anywhere inside and outside the trusted network.

Recognize that not all traffic on your network is created equal. Ask yourself if you need to control which service or protocol gets first priority. In some instances you’ll want to enforce Quality of Service on your net.

IN A VPN, DOES EVERYONE GET ACCESS TO EVERYTHING?

The answer should be “No.” The WatchGuard Firebox System empowers you to establish restrictive security policies on individual tunnels with business partners, branch offices, telecommuters, or whoever. You can limit access to servers, services, and networks available via those tunnels to the minimum level necessary to achieve your goals.

This level of security is imperative. Otherwise, you implicitly trust every user coming through that tunnel as you would any of your key employees on the main corporate network. More than one major company has learned the painful cost of too much trust, so select a VPN solution that applies robust security to itself.

THE WATCHGUARD RESPONSE: CHOOSE WHAT’S RIGHT FOR YOU

In reality, the best firewall is the one that meets your needs. Filtering and proxying each have their merits, not all networks need advanced traffic management features, and the need for high speed VPNs will vary from organization to organization. Why limit your choices? Some firewall vendors have one single approach for managing every company’s access to the Internet. In contrast, WatchGuard products offer a wide range of throughput, and employ a pragmatic combination of dynamic stateful packet filtering, security proxies, and advanced network traffic management features to efficiently control and monitor the flow of IP packets through the Firebox. You can choose where to apply the extra security of proxies to the most vulnerable protocols, or go with packet filtering where you want to optimize for speed.

Using packet filters, proxies, and advanced network management features, you can determine:

- Which hosts within your LAN and on the Internet can communicate with each other through a given protocol,
- Which events to log (such as rejected incoming packets),
- Which series of events should initiate a notification to the network administrator,
- Which sorts of traffic or even which hosts on your network get priority,
- How the various segments of your network can talk to one another.

So, when comparing firewalls, certainly you’ll want to look for one that’s fast. But find out whether the firewalls you’re considering are just fast -- or, like the WatchGuard Firebox System: fast and smart.

WHICH FIREBOX® APPLIANCE DO I NEED?

So, if you decide that the Firebox is the best firewall and VPN solution on the market, how do you know which Firebox model will best suit your needs now and in the future? Without a crystal ball, it’s impossible to know with 100% certainty. Your sales representative can offer more detailed advice. But here are some general guidelines.

First of all, the bottleneck in almost every connection to the Internet is the line to the Internet itself, not the firewall. Modern firewalls can pass traffic faster than all but the fastest digital lines. Fast is easy -- but it’s not enough on its own. Choose a firewall that’s both fast and has the combination of features that meets your needs. The technologies that drive the Internet are constantly improving and evolving. Plan ahead and optimize for flexibility.

Second, when estimating network load on a firewall, understand that how your people use the Internet matters more than how many people use the Internet. Five people using the Internet to swap movies all day take up a lot more bandwidth than 500 people sending plain text e-mail. The load on your firewall will depend on where your network usage falls between these two extremes. We offer some guidelines regarding the capabilities of our products in the tables below.

The WatchGuard firewall line is divided into two families: the Firebox III / Firebox SOHO family, and the Firebox Vclass family. Each family is optimized for the needs of a particular class of business. For organizations that place a high priority on VPN throughput, flexible management options, and advanced network management features, we offer the Firebox Vclass line of products. For smaller organizations that place a high priority on ease of management and a full feature set, we offer the Firebox III / SOHO family.

As the table indicates, a smaller remote office or business will find enough horsepower in the Firebox 700. If VPN tunnels are a factor in your plans, you’ll want to look closely at the Firebox 1000 for those same offices, or if the office is a little bigger, check out the numbers for the Firebox V60. If you have one to five thousand users and use the Web heavily, or run a mid-size business, we recommend the Firebox 2500. If you’re firewalling a larger enterprise in the one-to-five-thousand-user range, and have heavy VPN needs -- well, the Firebox 4500 or V80 is just what you're looking for. For gigabit VPN and carrier grade network management, choose the Firebox V100.

SMART AND FAST

So there you have the WatchGuard Firebox story. Now you know why we believe the Firebox family of appliances represents the best price/performance value, best ease-of-use, unbeaten VPN management, and the most robust feature set of any firewall product on the market.

Our concluding encouragement to you: when you finally decide on a firewall, don’t settle for slow and smart, or fast and dumb. With WatchGuard, you can have fast and smart. And isn’t that how you want your network to run?

FIREBOX® VCLASS PRODUCT LINE

| | FIREBOX® V100 | FIREBOX® V80 | FIREBOX® V60 | FIREBOX® V10 |
|---|---|---|---|---|
| Recommended For | Large Enterprises, Service Providers, and Data Centers | Large Enterprises | Large/Mid-size Enterprise | Enterprise Telecommuting |
| | Maximum Security in 1RU enclosure | Maximum Security in 1RU enclosure | Maximum Security in 1RU enclosure | Desktop Enclosure |
| User License | Unlimited | Unlimited | Unlimited | 10 upgrade to 25 |
| Firewall Throughput | 600 Mbps | 270 Mbps | 200 Mbps | 75 Mbps |
| 3DES Encryption Throughput | 300 Mbps | 150 Mbps | 100 Mbps | 20 Mbps |
| Branch Office VPNs | 20,000* | 8,000* | 400* | 10 |
| Mobile User VPNs | 20,000* | 8,000* | 400* | 0 |
| Interfaces | 2 1000BaseSX Fiber Gigabit Ethernet; 2 Dedicated HA Ports | 4 RJ-45 10/100 Fast Ethernet; 2 Dedicated HA Ports | 4 RJ-45 10/100 Fast Ethernet; 2 Dedicated HA Ports | 2 RJ-45 10/100 Fast Ethernet |
| LiveSecurity® Service | Initial subscription included | Initial subscription included | Initial subscription included | Initial subscription included |

T3, Fast Ethernet, T3, Fast Ethernet, Multiple T3 or OC-3 DSL/Cable/ISDN and OC-3 and OC-3 Connections Connections Connections Connections

Gigabit Firewall Wire-speed Firewall Wire-speed Firewall and VPN with up to 20,000 with up to 8,000 Firewall with up to Remote Office VPN Tunnels VPN Tunnels 400 VPN Tunnels

TOP 5 REASONS TO CHOOSE

1. High-Speed ASIC processor
2. Scalability for up to 20,000 VPN tunnels
3. Secure Java-based management
4. Gigabit fiber interfaces
5. Powerful Networking Features

MANAGEMENT FEATURES

- Install Wizard
- Device Discovery
- Security Policy Manager
- Policy Checker (Auditing)
- Network Diagnostic Tools
- Command Line Interface
- Secure Encrypted Logging
- Active Tunnel Display
- Real-time Traffic Monitoring
- Real-time Graphs
- Notification

NETWORKING FEATURES

- Stateful Packet Filtering
- Branch Office & Mobile User VPN
- Remote Access Authentication*
- PKI Support
- PPPoE and DHCP Support
- Predefined Services
- Spoof Detection
- Port and Site Blocking
- Synflood Protection
- DDoS, DoS Prevention
- Hacker Defense
- High Availability**
- Multi-Tenant Security**
- VLAN Support**
- NAT (Static, Dynamic & Virtual IP)**
- VPN Tunnel Switching**
- Server Load Balancing**
- Dynamic Routing
- Traffic Shaping QoS

* The total number of Branch Office plus Mobile User VPN tunnels.
** Supported on V60, V80 and V100 models.

FIREBOX® III AND FIREBOX® SOHO PRODUCT LINE

| | Firebox® 4500 | Firebox® 2500 | Firebox® 1000 | Firebox® 700 | Firebox® SOHO / SOHO\|tc |
|---|---|---|---|---|---|
| RECOMMENDED FOR | Central Office, VPN Hub | Medium Business, Web Business | Mid-Size Business or Branch Office | Smaller Business or Remote Office | Smaller Stand-Alone or Remote Office |
| | 5,000 Authenticated Users | 5,000 Authenticated Users | 1,000 Authenticated Users | 250 Authenticated Users | 10 Users (Upgradeable to 50 Users) |
| USER LICENSE | Unlimited | Unlimited | Unlimited | Unlimited | 10 (Upgradeable to 50 Users) |
| STATEFUL PACKET FILTER THROUGHPUT | 197 Mbps | 197 Mbps | 185 Mbps | 131 Mbps | 9 Mbps |
| HTTP PROXY THROUGHPUT | 60 Mbps | 52 Mbps | 43 Mbps | 43 Mbps | N/A |
| 3DES ENCRYPTION THROUGHPUT | 100 Mbps | 70 Mbps | 55 Mbps | 5 Mbps | 1.3 Mbps |
| BRANCH OFFICE VPNS | 1,000* | 1,000* | 1,000* | 150* | 5 (Requires VPN Manager) |
| MOBILE USER VPNS | 1,000* | 1,000* | 1,000* | 150* | 5 (Optional) |
| INTERFACES | 3 RJ-45 10/100 Fast Ethernet | 3 RJ-45 10/100 Fast Ethernet | 3 RJ-45 10/100 Fast Ethernet | 3 RJ-45 10/100 Fast Ethernet | 5 RJ-45 10BaseT Ethernet |
| LIVESECURITY® SERVICE | Initial subscription included | Initial subscription included | Initial subscription included | Initial subscription included | Initial subscription included |

T-3/E-3 or T-3/E-3 or ISDN or ISDN or T-1 DSL/Cable/ISDN Multiple T-1/E-1 Multiple T-1/E-1 Fractional T-1 Connections Connections Connections Connections Connection

Wire-speed Need Wire Speed High Volume Web Firewall with up DSL/Cable/ISDN VPN Support Traffic to 400 VPN Connections Tunnels

* The total number of Branch Office plus Mobile User VPN tunnels.

MANAGEMENT (FB III MODELS)

- QuickSetup Wizard
- Security Policy Manager
- VPN Manager, 4-node (N/A on FB700)
- Real-time Monitoring
- HostWatch
- Historical Reporting
- Secure Encrypted Logging
- Colorized Logging
- Notification

MANAGEMENT (FB SOHO MODELS)

- Easy Setup
- Remote Management
- Secure Encrypted Logging
- Internet Sharing

FEATURES (FB III MODELS)

- Stateful Packet Filtering
- Security Proxies (SMTP, HTTP, DNS, FTP)
- Mobile User VPN
- Branch Office VPN
- Static and Dynamic NAT
- One-to-one NAT
- Firewall Authentication
- PKI with internal Certificate Authority (CA)
- VPN Authentication (Windows NT, RADIUS, PKI, WG Server)
- Web Content Filtering
- Scan and Spoof Detection
- Port and Site Blocking
- Synflood Protection
- Anti-virus
- DHCP Support (client and server)**
- PPPoE Support (client)**

FEATURES (FB SOHO MODELS)

- Stateful Packet Filtering
- Mobile User VPN (Optional)
- Branch Office VPN (Optional with SOHO, included with SOHO|tc)
- Static and Dynamic NAT
- Web Content Filtering (Optional)
- Anti-virus

**Limits several features

ABOUT WATCHGUARD

WatchGuard (Nasdaq: WGRD) is a leading provider of dynamic, comprehensive Internet security solutions designed to protect enterprises that use the Internet for e-commerce and secure communications. Thousands of enterprises worldwide use WatchGuard's award-winning products and services. These products include our Firebox firewall and VPN appliances for access control and secure communications, and our ServerLock technology and anti-virus solution for content and application security for servers and desktops. Centralized point-and-click management makes it easy for even the non-security professional to install, configure, and monitor our security solutions. Our innovative LiveSecurity Service also enables our customers, with minimal effort, to keep their security systems up-to-date in a continuously changing environment. For more information, please call 206-521-8340 or visit www.watchguard.com.

ADDRESS: 505 Fifth Avenue South, Suite 500, Seattle, WA 98104
WEB: www.watchguard.com
E-MAIL: information@watchguard.com
U.S. SALES: +1.800.734.9905
INTERNATIONAL SALES: +1.206.521.8340
FAX: +1.206.521.8342

© 2002 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, Firebox, LiveSecurity and Designing peace of mind are either trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other trademarks and tradenames are the property of their respective owners. Part# 080702WGCLE64660