Comparison of firewalls
This is a comparison of firewalls.
Software firewalls
Appliance firewalls
Firewall | License | Cost | OS |
---|---|---|---|
Clavister | Proprietary | Included on all Clavister NGFWs | Proprietary operating system cOS Core |
Check Point | Proprietary | Included on Check Point security gateways | Proprietary operating system Check Point IPSO and Gaia (Linux-based) |
FortiGate | Proprietary | Included on all FortiGate devices | Proprietary, FortiOS, based on the Linux kernel |
Palo Alto Networks | Proprietary | Included on Palo Alto Networks firewalls | Proprietary, PAN-OS, based on the Linux kernel |
Sophos | Proprietary | Included on Sophos UTM | Linux-based appliance |
Cisco Firepower | Proprietary | Included on newer Cisco ASA devices which support the Firepower services module or Firepower Threat Defense | Proprietary operating system, based on the Linux kernel |
Cisco PIX | Proprietary | Included on all Cisco PIX devices | Proprietary operating system |
Juniper SSG | Proprietary | Included on Netscreen security gateways | Proprietary operating system ScreenOS |
Juniper SRX | Proprietary | Included on SRX security gateways | Proprietary operating system Junos |
SonicWall | Proprietary | Included on Dell appliance | Proprietary operating system SonicOS, based on the Linux kernel |
Barracuda Firewall | Proprietary | Included Firewall Next Generation appliance | Windows-based appliance embedded firewall distribution |
Cyberoam | Proprietary | Included Firewall Sophos appliance | Windows-based appliance embedded firewall distribution |
D-Link | Proprietary | Included Firewall DFL | Windows-based appliance embedded firewall distribution |
Endian Firewall | Proprietary | Free / Paid | Linux-based appliance |
Forcepoint NGFW | Proprietary | Included on all Forcepoint NGFW devices | Proprietary operating system |
OPNsense | Simplified BSD / FreeBSD License | Free / Paid | FreeBSD-based appliance firewall distribution |
pfSense | Apache 2.0 / Proprietary (Plus) | Free / Paid | FreeBSD-based appliance firewall distribution |
Zeroshell | GPL | Free / Paid | Linux/NanoBSD-based appliance firewall distribution |
SmoothWall | GPL | Free / Paid | Linux-based appliance embedded firewall distribution |
IPFire | GPL | Free (Donations welcomed) | Linux-based appliance embedded firewall distribution |
WatchGuard | Proprietary | Included on all Firebox devices | Proprietary, Fireware OS, based on the Linux kernel |
WinGate | Proprietary | Free / Paid | Windows-based appliance embedded firewall distribution |
Appliance-UTM filtering features comparison
Can Target: | Changing default policy to accept/reject (by issuing a single rule) | IP destination address(es) | IP source address(es) | TCP/UDP destination port(s) | TCP/UDP source port(s) | Ethernet MAC destination address | Ethernet MAC source address | Inbound firewall (ingress) | Outbound firewall (egress) |
---|---|---|---|---|---|---|---|---|---|
Trend Micro Internet Security | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
Vyatta | Yes | Yes | Yes | Yes | Yes | Yes | No | No | Yes |
Windows XP Firewall | No | No | Yes | Partial[a] | No | No | No | Yes | No |
Windows Vista Firewall | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
Windows 7 / Windows 2008 R2 Firewall | Yes | Yes | Yes | Yes | No | No | Yes | Yes | Yes |
WinGate | Yes | Yes | Yes | Yes | Yes | No | No | No | Yes |
Zeroshell | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Zorp | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No |
pfSense | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
IPFire | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
- Notes
- [a] Can target only a single destination TCP/UDP port per rule, not port ranges.
Advanced features comparison
Can: | work at OSI Layer 4 (stateful firewall) | work at OSI Layer 7 (application inspection) | Change TTL? (Transparent to traceroute) | Configure REJECT-with answer | DMZ (de-militarized zone) | Filter according to time of day (quota) | Redirect TCP/UDP ports (port forwarding) | Redirect IP addresses (forwarding) | Filter according to User Authorization | Traffic rate-limit / QoS | Tarpit | Log |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Sidewinder | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
WinGate | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes | No | Yes |
Zeroshell | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
OPNsense | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
pfSense | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
IPFire | Yes | Yes | ? | No | Yes | Yes | Yes | Yes | ? | Yes | No | Yes |
Features: | Configuration: GUI, text or both modes? | Remote Access: Web (HTTP), Telnet, SSH, RDP, Serial COM RS232, ... | Change rules without requiring restart? | Ability to centrally manage all firewalls together |
---|---|---|---|---|
WinGate | GUI | Proprietary user interface | Yes | — |
ClearOS | both | RS232, SSH, WebConfig | Yes | Yes with ClearDNS |
Zeroshell | GUI | SSH, Web (HTTPS), RS232 | Yes | No |
OPNsense | both | SSH, Web (HTTP/HTTPS), RS232 | Yes | No |
pfSense | both | SSH, Web (HTTP/HTTPS), RS232 | Yes | No |
IPFire | both | SSH, Web (HTTPS), RS232 | Yes | No |
Miscellany comparison
Features: | Modularity: supports third-party modules to extend functionality? | IPS: Intrusion prevention system | Open-Source License? | supports IPv6? | Class: Home / Professional | Operating Systems on which it runs? |
---|---|---|---|---|---|---|
Vyatta | Yes | Yes | Yes | Yes | Professional | Vyatta OS (built on Debian) |
WinGate | Yes[a] | ? | No | No | Professional | Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 2008. 32-bit and 64-bit. |
OPNsense | Yes | Yes, with Snort and Suricata (modules) | Yes | Yes | Both | FreeBSD/NanoBSD-based appliance |
pfSense | Yes | Yes, with Snort and Suricata (modules) | Yes | Yes | Both | FreeBSD/NanoBSD-based appliance |
IPFire | Yes | Yes, with Suricata | Yes | Yes (manual setup needed) | Both | Linux (based on Linux From Scratch) |
- Notes
- [a] WinGate 6.x supports 3rd party modules for data scanning only (e.g. antivirus and content filtering).
Non-Firewall features comparison
These are not strictly firewall features, but are sometimes bundled with firewall software or appliances. Features are also marked "yes" if an external module can be installed that meets the criteria.
Can: | NAT[a] | NAT64, NPTv6 | Intrusion Detection System (IDS)[b] | Virtual Private Network (VPN)[c] | Antivirus (AV) | Packet capture | Profile selection[d] |
---|---|---|---|---|---|---|---|
Vyatta | Yes (three NAT types) | ? | Yes (integrated Snort) | Yes (IPsec and OpenVPN) | Yes (with clamav, Sophos Antivirus (optional)) | Yes (with wireshark or tcpdump) | ? |
WinGate | Yes | ? | Yes (with NetPatrol) | Yes (proprietary) | Yes (Kaspersky Labs) | Yes (filtered capturing to pcap format) | No |
OPNsense | Yes | Yes (NPt) | Yes (integrated Suricata) | Yes (WireGuard, OpenVPN, IPsec, L2TP, IKEv2, Tinc, PPTP) | Yes (with squid and clamav) | Yes (tcpdump) | No |
pfSense | Yes | Yes (NPt) | Yes (with Snort) | Yes (WireGuard, OpenVPN, IPsec, L2TP, IKEv2, Tinc, PPTP) | Yes (with squid and clamav) | Yes (tcpdump) | No |
IPFire | Yes | ? | Yes (with Suricata) | Yes (OpenVPN, IPsec, IKEv2) | Yes (with squid and clamav) | Yes (tcpdump) | No |