Comparison of firewalls
{{#if:| |}}The following tables compare different aspects of a number of firewalls, starting from simple home firewalls up to the most sophisticated Enterprise firewalls.
Please note that the list is not exhaustive, but rather reflects the knowledge of one Wikipedia Contributor, so please add more firewalls to the table below.
Firewall rule-set basic filtering features comparison
Can Target: |
Changing default policy to accept/ reject (by issuing only 1 rule at most) |
IP destination address(es) |
IP source address(es) |
TCP/UDP destination port(s) |
TCP/UDP source port(s) |
Ethernet MAC destination address |
Ethernet MAC source address |
Inbound firewall (Ingress) |
Outbound firewall (Egress) |
|---|---|---|---|---|---|---|---|---|---|
| Windows XP Firewall |
|||||||||
| Windows Vista Firewall |
|||||||||
| Cisco Access List |
|||||||||
| Linux iptables |
|||||||||
| Trend Micro Internet Security |
|||||||||
Can Target: |
Changing default policy to accept/ reject (by issuing only 1 rule at most) |
IP destination address(es) |
IP source address(es) |
TCP/UDP destination port(s) |
TCP/UDP source port(s) |
Ethernet MAC destination address |
Ethernet MAC source address |
Inbound firewall (Ingress) |
Outbound firewall (Egress) |
- Windows XP Firewall can target only single destination TCP/UDP port per rule, not port ranges, therefore support is partial.
Firewall rule-set advanced features comparison
Can: |
work at OSI Layer 4 (stateful firewall) |
work at OSI Layer 7 (application inspection) |
Change TTL? (Transparent to traceroute) |
Configure REJECT-with answer |
DMZ (de-militarized zone) - allows for single/several hosts not to be firewalled. |
Filter according to time of day |
Redirect TCP/UDP ports (port forwarding) |
Redirect IP addresses (forwarding) |
Filter according to User Authorization |
Traffic rate-limit / QoS |
Tarpit |
Log |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Windows XP Firewall |
||||||||||||
| Windows Vista Firewall |
||||||||||||
| Cisco Access List |
(with static routes) |
(with queing) |
||||||||||
| Linux iptables |
(with patch) |
(with NuFW) |
(with Patch-o-matic module) |
|||||||||
| Check Point VPN-1 |
(With Web Intelligence) |
|||||||||||
Can: |
work at OSI Layer 4 (stateful firewall) |
work at OSI Layer 7 (application inspection) |
Change TTL? (Transparent to traceroute) |
Configure REJECT-with answer |
DMZ (de-militarized zone) - allows for single/several hosts not to be firewalled. |
Filter according to time of day |
Redirect TCP/UDP ports (port forwarding) |
Redirect IP addresses (forwarding) |
Filter according to User Authorization |
Traffic rate-limit / QoS |
Tarpit |
Log |
- NOTE: Because Linux Iptables is text-based firewall, you can "Filter according to time of day" by using additional 3rd party tools, like expect automation tool and cron jobs.
Firewall Management features comparison
Features: |
Configuration: GUI, text or both modes? |
Remote Access: Web (HTTP), Telnet, SSH, RDP, Serial COM RS232, ... |
After rule change - requires firewall restart - less than one second ? |
Ability to centrally manage all firewalls together |
|---|---|---|---|---|
| Windows XP Firewall |
both |
RDP, telnet, Group Policy |
(with AD and GPO) |
|
| Windows Vista Firewall |
both |
RDP, telnet, Group Policy, MMC |
||
| Cisco Access List |
both |
Telnet, SSH, Web(Java App "PDM" or the newer "ASDM"), RS232 |
||
| Linux iptables |
both |
Telnet, SSH, Web (webmin), X/Win32 GUI "fwbuilder", RS232 |
||
| Check Point VPN-1 |
GUI |
proprietary GUI, SSH, Web (HTTP/HTTPS) |
||
Features: |
Configuration: GUI, text or both modes? |
Remote Access: Web (HTTP), Telnet, SSH, RDP, Serial COM (RS232)... |
After rule change - requires firewall restart - less than one second ? |
Ability to centrally manage all firewalls together |
- NOTE: Rule changes on Checkpoint firewalls do not require any restart and incur no outage time.
- NOTE: Because Linux Iptables and Cisco ACL are text-based firewalls, you can centrally manage them all-at-once by using additional tools, like KDE Konsole or expect automation tool.
- NOTE: Due to the distributed nature of the Checkpoint architecture, no single interface is used exclusively. Security, NAT and VPN configuration is always done using the proprietary GUI, however basic IP networking and routing configuration of individual firewalls could be done using SSH or the Web interface.
Firewall's other features comparison
Features: |
Modularity: supports third-party modules to extend functionality? |
Open-Source License? |
supports IPv6 ? |
Class: Home / Professional |
on what Operating Systems it runs? |
|---|---|---|---|---|---|
| Windows XP Firewall |
Home |
Windows XP |
|||
| Windows Vista Firewall |
Both |
Windows Vista |
|||
| Cisco Access List |
Professional |
Cisco IOS |
|||
| Linux iptables |
Professional |
Linux 2.4+ |
|||
| Check Point VPN-1 |
Professional |
Solaris, Linux (SPLAT or RHEL), Windows NT,2000,2003 |
|||
Features: |
Modularity: supports third-party modules to extend functionality? |
Open-Source License? |
supports IPv6 ? |
Class: Home / Professional |
on what Operating Systems it runs? |
- NOTE: Checkpoint support a limited range of third-party modules from certified partners. Modules are integrated with Checkpoint firewalls through a platform named OPSEC
Non-Firewall extra features comparison
Those features are not strictly firewall features, but are sometimes bundled with firewall software, or exist on the platform.
NOTE: Features will be marked as "yes", even if it's separate module that comes with the platform, on which firewall sits.
IDS: real-time firewall that logs/sniffs/blocks suspicious connections, that are not part of rule-set.
VPN (Virtual Private Network) Types are: PPTP, L2TP, MPLS, IPsec, SSL/SSH.
Can: |
NAT (static, dynamic w/o ports, PAT) |
IDS (Intrusion Detection System) |
VPN (Virtual Private Network) |
AV (Anti-Virus) |
Sniffer |
|---|---|---|---|---|---|
| Windows XP |
(PAT, with Internet Connection Sharing) |
(with SPECTER) |
(Limited to 1 client) |
(McAfee, Symantec, etc) |
(with wireshark) |
| Windows Vista |
(PAT, with Internet Connection Sharing) |
(with SPECTER) |
(Limited to 1 client) |
(McAfee, Symantec, etc) |
(with wireshark) |
| Cisco IOS |
(supports three NAT types) |
(some IOS versions) |
|||
| Linux OS |
(supports three NAT types) |
(with Prelude-IDS) |
(with openVPN) |
(with clamav) |
(with wireshark) |
| Check Point |
(supports three NAT types) |
(with wireshark,tcpdump or |
|||
Can: |
NAT (static, dynamic w/o ports, PAT) |
IDS (Intrusion Detection System) |
VPN (Virtual Private Network) |
AV (Anti-Virus) |
Sniffer |
General Software-based Firewalls
Firewall |
Creator |
Cost (US) |
OS |
Hardware Requirements |
64 bit |
|---|---|---|---|---|---|
CA |
$x.xx |
Windows 98SE, ME, 2000, XP, Vista |
256M Ram, 25M HD |
||
Comodo |
Free |
Windows 2000, XP, Vista |
64M Ram, 50M HD |
||
Norton/Symantec |
$x.xx |
Windows XP, Vista |
256M Ram, 300M HD |
||
Trend Micro |
$49.95 |
Windows 2000, XP, Vista |
256M Ram, 250M HD |
||
Microsoft |
Included with Windows |
Windows XP, Vista |
Same as OS |
||
Check Point Software Technologies Ltd. |
Free & $x.xx |
Windows 2000, XP & Vista (32-bit) |
|||
R-fx Networks |
Free |
Linux |
Same as OS |
||
Firewall |
Creator |
Cost (US) |
OS |
Hardware Requirements |
64 bit |