
SmoothWall Firewall Comparison

Last updated: 21st April 2005

| Feature Description | Advanced Firewall | Corporate Firewall V4.0 | Corporate Server V3.0 | Notes |
|---|---|---|---|---|
| Firewall: | | | | |
| Stateful Inspection | Yes | Yes | Yes | |
| Local IP Addresses | Unlimited | Unlimited | Unlimited | F1 |
| Users Supported | 250-5000 | n/a | n/a | F1 |
| Dynamic Network Address Translation | Yes | Yes | Yes | F1 |
| Static Network Address Translation | Yes | SmoothHost | SmoothHost | F2 |
| Outgoing (Egress) Traffic Control | Yes | SmoothRule | SmoothRule | F3 |
| Support multiple public IP addresses | Yes | SmoothHost | SmoothHost | F4 |
| Port forward from public IP address to DMZ/local IP | Yes | Yes | Yes | |
| "Round Robin" Port Forward to multiple DMZ servers | Yes | No | No | F5 |
| Detection and blocking of port agile Peer to Peer traffic | Yes | SmoothRule | No | F6 |
| Administrator maintained IP block list | Yes | Yes | Yes | |
| Networking: | | | | |
| Total Network Interfaces | 4 Standard, Maximum 20 | 3 | 3 | N1 |
| External Network (Internet) Interfaces | 1 to 19 (of total) | 1 | 1 | N2 |
| Internal Network Zones (Local Networks and DMZs) | 1 to 19 (of total) | 1 or 2 (of total) | 1 Local + 1 DMZ | N3 |
| Ethernet | Yes | Yes | Yes | |
| PPP connections (ISDN, ADSL and analogue modem) | Yes | Yes | Yes | N4 |
| PPPoA ADSL support | Yes | Yes | Yes | |
| PPPoE ADSL support | Yes | Yes | No | |
| PPTP ADSL support | Yes | Yes | No | |
| Split traffic between multiple external network interfaces | Yes | No | No | N5 |
| Fail-over from one external interface to another | Automatic | Manual | Manual | N6 |
| Routing protocol support (RIP) | Yes | No | No | |
| Configure static routes | Yes | Yes | Yes | |
| VLAN Trunking (802.1Q) support | Yes | No | No | N7 |
| Naming of Network Interfaces | Yes | Yes | No | |
| Multiple local network subnets | Yes | Yes | Yes | |
| Bind multiple IP addresses to a Green NIC | Yes | Yes | No | |
| Red interface MAC address spoofing | Yes | Yes | No | N8 |
| Configurable Maximum Transmission Unit (MTU) and TCP transmit/receive window sizes | Yes | Yes | No | |
| Hardware: | | | | |
| Multi Processor support (SMP) | Yes | No | No | |
| Hardware (SCSI) RAID | Yes | No | No | H1 |
| SCSI (Non RAID) Disk | Yes | Yes | Yes | H2 |
| SATA Disk | Yes | Yes | Partial | H3 |
| IDE Disk | Yes | Yes | Yes | |
| IDE DMA support | Yes | Yes | No | |
| IDE/SCSI CDROM support | Yes | Yes | Yes | |
| 10/100/1000 (Gigabit) Ethernet card | Yes | Yes | Yes | H4 |
| Multi-port Ethernet card | Yes | Yes | Yes | H5 |
| USB ADSL modems and PCI ADSL modem cards | Yes | Yes | Yes | H6 |
| ISDN cards and terminal adaptors | Yes | Yes | Yes | H7 |
| Analogue modems | Yes | Yes | Yes | H8 |
| Compact Flash support | Yes | Yes | No | H9 |
| 1 Gigabyte plus memory support | Yes | No | No | |
| USB keyboard support | Yes | Yes | No | |
| Serial Console | Yes | Yes | Yes | |
| Display ADSL modem signal strength information | Yes | Yes | No | H10 |
| Un-interruptible Power Supply support | Yes | Yes | Yes | H11 |
| UPS Network Slave Mode | Yes | Yes | No | H11 |
| Installation / Maintenance: | | | | |
| Includes security hardened Linux operating system | Yes | Yes | Yes | IN1 |
| SmoothWall and Linux security updates | Free | Free | Free | IN2 |
| Installation from CDROM | Yes | Yes | Yes | |
| Installation from network server | Yes | Yes | Yes | |
| Installation from a USB CD/DVD Device | Yes | Yes | No | |
| Configuration backup to hard disk file/floppy and restore | Yes | Yes | Yes | |
| Backup/restore configuration from USB device | Yes | Yes | No | |
| Automatic configuration backup (time of day) | Yes | Yes | No | |
| Partial configuration restore | Yes | Yes | No | IN3 |
| Install new device drivers from floppy disk/CDROM | Yes | Yes | No | |
| Automatic download of new updates | Yes | Yes | No | IN4 |
| Bulk application of updates from CD at installation time | Yes | Yes | No | IN5 |
| Automatic installation of any modules present on the firewall installation CD | Yes | Yes | No | IN6 |
| Ethernet cable status reporting | Yes | Yes | No | IN7 |
| Un-install modules | Yes | Yes | No | |
| Pre-installed software | Yes | Yes | No | IN8 |
| Configuration: | | | | |
| Configured via a web browser GUI | Yes | Yes | Yes | |
| Restrict configuration access to specified local and public IP addresses | Yes | Yes | Yes | |
| Administration users with limited access (e.g. log viewers, VPN, Guardian web content filtering) | Yes | Yes | Yes | |
| Drop down lists of common IP services/ports | Yes | Yes | Yes | |
| On-line Help appears in a separate pop-up window | Yes | Yes | No | |
| GUI Home page displays configurable information on the system status, VPN, firewall reports, traffic statistics etc. | Yes | Yes | No | C1 |
| All rule lists and log files can be sorted by any column | Yes | Yes | No | C2 |
| Authentication: | | | | |
| Microsoft Active Directory (LDAP) User Authentication | Yes | No | No | A1 |
| OpenLDAP User Authentication | Yes | No | No | A2 |
| Local User Authentication Database | Yes | Yes | Yes | A3 |
| Authentication via Ident client for Microsoft Windows | Yes | Yes | Yes | A4 |
| SSL Login page for user authentication in transparent mode | Yes | Yes | No | A5 |
| SmoothGuardian web access can be controlled by User/Group Name | Yes | Yes | Yes | |
| SmoothGuardian web access can be controlled by IP/IP Address Range/Network Address | Yes | Yes | No | |
| User Internet access controlled by User/Group Name as well as IP Address/IP Address Range/Network Address | Yes | No | No | |
| Inter-zone access controlled by user authentication | Yes | No | No | A6 |
| VPN user access controlled by user authentication | Yes | No | No | A7 |
| Intrusion Detection: | | | | |
| Intrusion Detection System | Yes | Yes | Yes | |
| Intrusion Alert Messages by email or SMS text message | Yes | Add Module | Add Module | IDS1 |
| Categorisation of Intrusion Detection System signatures | Yes | Yes | Basic | |
| IDS signatures downloadable from SmoothWall | Yes | Yes | No | |
| Virtual Private Network (VPN): | | | | |
| Site-to-site IPSec VPN | Yes | Add Module | Add Module | V1 |
| Mobile (Road Warrior) or home user IPSec VPN | Yes | Add Module | Add Module | V2 |
| Mobile (Road Warrior) or home user L2TP VPN | Yes | Add Module | Add Module | V3 |
| VPN Tunnels | 20 (Included) to 500 | Up to 100 | Add Module | V4 |
| AES and 3DES Encryption | Yes | Add Module | Add Module | |
| x509 Certificate Authentication | Yes | Add Module | Add Module | |
| Pre-Shared Key (PSK/Shared Secret) Authentication | Yes | Add Module | Add Module | |
| NAT Traversal (NAT-T) | Yes | Add Module | Add Module | V6 |
| VPN secure local (wireless) connection | Yes | No | No | V7 |
| Logging of Road Warrior VPN connections (with option to send alert messages) | Yes | Yes | No | V8 |
| PPTP forwarding and pass-through | Yes | Yes | Yes | |
| Logging and Reporting: | | | | |
| Disk logging of all firewall/IDS events, web traffic etc. | Yes | Yes | Yes | |
| Configure/enable individual logging functions | Yes | Yes | No | L1 |
| Forced log file rotation in the event of low free disk space | Yes | Yes | No | |
| Log files on RAM disk | Yes | Yes | No | |
| Log filtering (eg by Source IP/Port, Destination IP/Port) | Yes | Yes | No | |
| Google-like paginated log file viewers | Yes | Yes | No | |
| All rule lists and log files can be sorted by any column | Yes | Yes | No | L2 |
| Scheduled firewall log analysis, IDS analysis, traffic reporting | Yes | Add Module | Add Module | L3 |
| Reports produced in text, HTML, CSV format etc. | Yes | Yes | No | |
| Outgoing (egress) traffic reporting/analysis | Yes | Yes | No | L4 |
| SNMP Support | Yes | No | No | L5 |
| Remote Syslog support | Yes | Yes | Yes | |
| DHCP Server: | | | | |
| DHCP server support for local (Green) networks | Multiple | 1 or 2 | Single | |
| DHCP server support for DMZ | Multiple DMZ | Single DMZ | No | |
| View DHCP leases granted | Yes | Yes | No | |
| Display list of MAC addresses on local/DMZ networks | Yes | Yes | No | |
| DHCP Relay | Yes | No | No | |
| Miscellaneous: | | | | |
| Web Proxy Server | Yes | Yes | Yes | |
| DNS Proxy Server | Yes | Yes | Yes | |
| NTP service for computers on local networks/DMZ | Yes | Yes | No | |
| Modularisation of core services/components (eg Web Proxy server, DHCP server) | Yes | Yes | No | M1 |
| Timed/delayed shutdown/reboot | Yes | Yes | No | |
| Available Modules: | | | | |
| Web Content Filtering (SmoothGuardian) | Yes | Yes | Yes | |
| Bandwidth Management/QoS (SmoothTraffic) | Yes | Yes | Yes | |
| VPN Gateway (SmoothTunnel) | Integrated | Yes | Yes | V1-8 |
| VPN Remote Node | n/a | Yes | Yes | |
| Internet Access Control/Outbound Rules (SmoothRule) | Integrated | Yes | Yes | F3 |
| Incident Alerting and Reporting (SmoothMonitor) | Integrated | Yes | Yes | L3 |
| Support for Multiple DMZ Services (SmoothHost) | Integrated | Yes | Yes | F4 |
| System Requirements: | | | | |
| Processor | PIII-500 | Pentium | Pentium | S1 |
| Memory | 128 MByte | 64 MByte | 64 MByte | S2 |
| Hard Disk | 4 GByte | 1 GByte | 1 GByte | S3 |
| Flash Memory (alternative to Hard Disk) | 256 MByte | 256 MByte | n/a | S3 |

Firewall:
F1
Advanced Firewall supports 250 authenticated users as standard, expandable to 5000 users with the addition of user licence packs. There is no restriction on the number of IP addresses supported; however, it is recommended that Corporate Server 3.0 and Corporate Firewall 4.0 should be limited to a maximum of 250 users.

F2
Static Network Address Translation (SNAT) (Source Mapping) is an integral component of Advanced Firewall. For Corporate Firewall 4.0 and Corporate Server 3.0, the SmoothHost add-on module introduces this facility.

F3
Outbound (egress) traffic control (user access to Internet services) is an integral component of Advanced Firewall. For Corporate Firewall 4.0 and Corporate Server 3.0, the SmoothRule add-on module introduces this facility.

F4
Support for multiple public aliased IP addresses is a standard feature of Advanced Firewall. For Corporate Firewall 4.0 and Corporate Server 3.0, the SmoothHost add-on module introduces this facility.

F5
For load balancing, where for example high traffic applications are served by multiple web servers responding to page requests from a single public IP address.

F6
Advanced Firewall incorporates traffic inspection technology that can detect and block Peer to Peer (P2P) traffic such as KaZaA, Bit Torrent and eDonkey, regardless of which port the file sharing software attempts to use. For Corporate Firewall 4.0 the SmoothRule add-on module introduces this facility. Corporate Server 3.0 with SmoothRule does not include this traffic inspection technology but can be configured to block the ports used by P2P traffic and prevent P2P traffic passing through the web proxy.

Networking:
N1
Advanced Firewall supports 4 NICs as standard, expandable by licence to 20 NICs and VLAN trunk (802.1Q) interfaces. At least one NIC is required for Corporate Firewall's Local Protected Network (Green) network interface if used with a PPP/Dial-Up connection; a minimum of 2 NICs is required with an Ethernet connection to the External Network (Internet).

N2
Corporate Firewall and Corporate Server support a single active External Network (Internet) connection. Corporate Firewall allows the 3 NICs to be configured as a single External Internet (Red) interface plus either one each of Local Protected Network (Green) and DMZ (Orange), or two Local Protected Networks (ie no DMZ), or two DMZs (no Local Protected Network). Corporate Server supports a single External Internet (Red) interface, a DMZ (Orange) and a Local Protected Network (Green). Advanced Firewall can support multiple active External Network connections as any NIC can be designated as External (Red), Local Protected (Green) or DMZ (Orange).

N3
Multiple internal network zones allow the physical separation of different user groups, internal servers, publicly accessible servers etc. Inter-zone access rules permit strictly limited access from one zone to another (by server/IP address, port/service etc.).

N4
Advanced Firewall, Corporate Firewall 4.0 and Corporate Server 3.0 can all support a single active PPP (dial-up) connection (eg ISDN, ADSL modem or analogue modem). Multiple connection profiles (eg ISP details) can be stored.

N5
Split traffic between multiple external (Red) network interfaces (eg configure which IPs use a particular external network interface).

N6
If an Internet connection should fail then Advanced Firewall can be configured to automatically route all traffic from the failed interface to another. There is no limit to how many interfaces can be set in the failure cascade path, nor is there any limitation on the type of interface that can be used (Ethernet, ADSL modem, ISDN or analogue modem).

N7
802.1Q VLAN trunking support allowing communication with VLAN capable switches and the routing of traffic between VLANs.

N8
For easier support of cable modems which will typically only communicate with the MAC address from which the modem or Internet connection was initially configured.

Hardware:
See the Hardware Compatibility Guide: http://www.smoothwall.net/support/hcg for full information on the hardware supported by SmoothWall Security Software.

H1
Supported RAID controllers will include Compaq, Dell PERC and DAC960.

H2
SCSI controllers from Adaptec, Future Domain, Symbios, Initio, Advansys and BusLogic are supported.

H3
Update 3.0-1 of Corporate Server Version 3 introduced support for a limited set of SATA disk controllers.

H4
Gigabit Ethernet cards from Intel, 3Com, Broadcom and other manufacturers.

H5
Multi-Port NIC support includes Intel quad and dual port cards, 3Com dual port cards and the DLink DE580 4 port card.

H6
Over 30 types of USB ADSL modems are supported, along with Ethernet connected ADSL modems and the BeWAN PCI ADSL card modem.

H7
Drivers for numerous PCI ISDN cards are included, together with support for USB ISDN and RS232 connected ISDN Terminal Adapters.

H8
Hayes compatible RS232 connected analogue modems and a number of ISA card modems are supported.

H9
Compact Flash can be used as an alternative to hard disk for appliance applications. Minimum capacity is 256 MByte with 512 MByte recommended. The flash memory must present itself as an IDE device. Logs will be stored in a non-persistent (volatile) RAM disk, thus the use of Syslog for off-box log recording is recommended.

H10
BeWAN PCI ADSL modem.

H11
Supports APC models. Advanced Firewall and Corporate Firewall 4.0 can support UPS slave mode operation, where up to 5 systems (eg Advanced Firewall, Corporate Firewall 4.0, Corporate Guardian 4.0, Unix/Microsoft Windows system running apcupsd software) on the network can share the same UPS.

Installation / Maintenance:
IN1
SmoothWall Security Solutions are based on a cut-down security hardened version of the Linux operating system, where all unnecessary components have been removed from the operating system, reducing disk and memory utilisation, improving security and performance.

IN2
Security updates and bug fixes are supplied free of charge for all supported SmoothWall products.

IN3
To be able to select which rules/configuration information to restore from a SmoothWall Configuration Backup (allowing specific rules, such as Port Forward rules, to be copied between systems).

IN4
Option to automatically download and store any new updates on the firewall, which can then be applied at a convenient time by administrator command.

IN5
All updates (patches) present on an installation CD will automatically be applied.

IN6
Any modules present on the same CD as the firewall software will be automatically installed (single disk installation).

IN7
MAC address of each Network Interface Card (NIC) displayed. Network cable status (present/not present) displayed to help identify a particular NIC when multiple NICs of the same type are installed.

IN8
SmoothWall and its authorised Resellers can supply pre-installed versions of Advanced Firewall and Corporate Firewall 4.0, providing pre-configured installations.

Configuration:
C1
Configuration options allow the GUI Home (Control) page to display a variety of information, including alert messages, system status, VPN status, traffic statistics, firewall reports and update/blocklist status.

C2
All rule lists and log files can be sorted on any column (eg IP address, source port etc.)

Authentication:
A1
Integrated Kerberos user authentication system to work with LDAP authentication systems such as Microsoft Windows 2000® and Microsoft Windows 2003® Server using Active Directory.

A2
Support for the common InetOrgPerson (RFC2798) schema.

A3
Corporate Server 3.0 and Corporate Firewall 4.0, in conjunction with the SmoothGuardian Web Content Filtering add-on module, support a user authentication database maintained on the SmoothWall firewall. This authentication system can only be used by the SmoothGuardian module to control web access. With Advanced Firewall, this authentication database can also be used to control users' access to Internet services (outbound/egress rules) and inter-zone access.

A4
An Ident client for Microsoft Windows™ operating systems can be used to identify the computer user to the SmoothWall system.

A5
The SSL Login page automatically senses from the users' browsers if it should display in English, German, Italian, Spanish, Danish, Dutch, French or Swedish.

A6
Multiple internal network zones allow the physical separation of different user groups, internal servers, publicly accessible servers etc. Inter-zone access rules permit strictly limited access from one zone to another (by server/IP address, port/service etc.). User authentication can be used to control which access control policies (rule-sets) are applied to a user session.

A7
Access for VPN users to internal servers and services can be controlled by user authentication, ie it determines which policies (rule-sets) are applied to that VPN session.

Intrusion Detection:
IDS1
Email and SMS text message alerting (generated in response to suspicious activity detected by the Intrusion Detection System) is an integral component of Advanced Firewall. For Corporate Firewall 4.0 and Corporate Server 3.0, the SmoothMonitor add-on module introduces this facility.

Virtual Private Networking (VPN):
V1
Site-to-site VPN is an integral component of Advanced Firewall. For Corporate Firewall 4.0 and Corporate Server 3.0, the SmoothTunnel add-on module introduces this facility.

V2
IPSec VPN connectivity for single computers (mobile/laptop/home user/Road Warrior users) is an integral component of Advanced Firewall. For Corporate Firewall 4.0 and Corporate Server 3.0, the SmoothTunnel add-on module introduces this facility.

V3
Layer 2 Tunnelling Protocol (L2TP) VPN connectivity for single computers (mobile/laptop/home user/Road Warrior users) is an integral component of Advanced Firewall. For Corporate Firewall 4.0 it is provided by the SmoothTunnel 4.0 add-on module; for Corporate Server 3.0 the SmoothTunnel Version 3.1 module introduces this facility.

V4
Advanced Firewall supports 5 VPN tunnels as standard (any combination of IPSec site-to-site, IPSec Road Warrior or L2TP Road Warrior tunnels). This can be expanded to a maximum of 500 tunnels by the addition of SmoothConnection VPN licence packs. Corporate Server 3.0 and Corporate Firewall 4.0 both require a VPN add-on module for VPN connectivity and it is recommended that the VPN tunnel count should not exceed 100.

V5
Advanced Firewall and the SmoothTunnel VPN Gateway module for Corporate Server and Corporate Firewall both include a Certificate Authority (CA) for the creation and issue of self-signed x509 certificates. Alternatively an external Certificate Authority, such as Microsoft Windows 2000/2003 Server may be used, or an external certificate provider such as Verisign or Thawte.

V6
Advanced Firewall supports NAT Traversal (NAT-T) mode for IPSec VPN connections as standard. For Corporate Firewall 4.0 and Corporate Server 3.0, the SmoothTunnel add-on module introduces this facility.

V7
Either L2TP or IPSec VPN can be used for local as well as remote (Internet) VPN connections with Advanced Firewall. This is principally used for Wireless (WiFi) access, providing secure L2TP connections with the user PC authenticated using an x509 certificate and the data encrypted using the 3DES encryption algorithm. IPSec internal subnet routing can also be configured.

V8
Advanced Firewall will log each connection and disconnection by mobile/laptop/home user/Road Warrior VPN users, with the option to display an alert message on the GUI Home (Control) page or send an alert message by email or SMS text message. For Corporate Firewall 4.0 this requires the SmoothMonitor module.

Logging and Reporting:
L1
To reduce disk space utilisation for non hard-disk operation (eg flash memory).

L2
All log files and rule lists can be sorted on any column (eg IP address, port, time etc.)

L3
Advanced Firewall includes scheduled reporting. For Corporate Firewall 4.0 and Corporate Server 3.0, the SmoothMonitor add-on module introduces this facility.

L4
Advanced Firewall and Corporate Firewall 4.0 provide more detailed traffic statistics than Corporate Server 3.0, with the option to generate an alert message if the current inbound or outbound traffic exceeds a configurable threshold. There is also a volume threshold where an alert can be generated if the total traffic volume exceeds a configurable daily/weekly/monthly limit. For alert message generation, Corporate Firewall 4.0 requires the SmoothMonitor add-on module.

L5
Query an Advanced Firewall system to report management information, including disk utilisation and traffic information.

Miscellaneous:
M1
Modularisation of many components/services, such as the DHCP server and the Web Proxy, allows them to be removed as desired. This allows the system to be customised and the memory/system requirements reduced if desired. The required modules can be configured at install time, thus the system can be tailored to the target hardware.

System Requirements:
S1
For Advanced Firewall the minimum recommended processor is a Pentium III 500 MHz. For Corporate Firewall 4.0 and Corporate Server 3.0 the minimum is any Intel Pentium compatible processor of 166 MHz or greater. Compatible processors from AMD and VIA are supported.

S2
For Advanced Firewall the minimum recommended memory is 128 Mbytes DDR or similar fast RAM. For Corporate Firewall 4.0 and Corporate Server 3.0 minimum memory is 64 Mbytes with 96 Mbytes recommended. For Advanced Firewall and Corporate Firewall 4.0 the maximum useable memory is 4 GBytes; for Corporate Server 3.0 the maximum useable memory is 950 MBytes. More RAM memory is beneficial for web proxy cache performance and is necessary for operation of the SmoothGuardian web content filtering module.

S3
For Corporate Firewall 4.0 and Corporate Server 3.0 the minimum recommended hard disk capacity is 1 GByte. For Advanced Firewall a 4 GByte disk is recommended. Alternatively, Advanced Firewall and Corporate Firewall 4.0 can utilise compact flash memory instead of a hard disk, in which case 256 MBytes of flash memory is the minimum recommended figure. The compact flash must appear as an IDE device, with logging to non-persistent (volatile) RAM disk.