Today, almost all leading firewalls come bundled with network address translation (NAT) capabilities. However, there are different categories of NAT that you might want to be aware of. NAT gives you the ability to translate private or illegal IP addresses into legal public addresses and as an aside, it helps to hide the internal topology of your network(s).
There are four types of NAT configurations to be aware of: one-to-one addressing, many-to-one addressing, one-to-many addressing, and many-to-many addressing.
The one-to-one NAT configuration is the most basic of all NAT features. This feature maps an internal IP address to a different external public IP address. Many-to-one addressing means that multiple internal IP addresses can be mapped to one external IP address. You might want to do this if you have an internal DHCP scope that you want to map to one external IP address. Many-to-many NAT addressing is for mapping groups of internal or external IP addresses with different groups of IP addresses on other networks. You may want to use many-to-many NAT addressing if you are mapping one set of DHCP scopes to another. A one-to-many NAT scenario is most commonly used in load-balancing scenarios where you want to take one IP address, and split it into two. If you have a big and complex carrier-class network you will want advanced NAT features. For SOHO networks simple one-to-one NAT capabilities are probably sufficient.
Firewalls are commonly used as VPN endpoints, and some firewalls offer VPN capabilities. VPNs allow you to use site-to-site encryption. While a firewall acts like a road-block, and only lets certain traffic in and out, once the traffic is out on the Internet, it is being transported in clear-text, and with a sniffer, is viewable to the world. The only way to ensure privacy and data integrity is to use a VPN. If you decide you need a VPN, keep in mind that a VPN implies two endpoints. There is no point in getting a VPN if you don't have a second endpoint to connect it to because a VPN does not work with only one endpoint.
VPNs send your data through an encrypted tunnel, keeping it private from the rest of the world. The encryption process requires additional processing power, and if you are setting up a VPN for a carrier-class network, you will like want one that either comes bundled with a crypto accelerator, or allows you to add-on a crypto accelerator. Crypto accelerators take slow VPNs and make them faster.
Logging capabilities is one of the most important features of any firewall, and not all firewalls log events equally. You want a firewall than can log as many different types of events as possible, and can filter on as many different types of events as possible. So one question you will want to ask a prospective firewall vendor is how many different event types a potential firewall can log, and how many different filters the logging capability has. The filters allow you to view the different events in a logical and understandable way. For example, you should be able to filter on events by things such as IP address, network numbers, connection types, domain names, and by date and time (to name a few basic filters). The Syslog format is the most commonly used logging format, and if a particular firewall does not support Syslog, you might want to think about crossing it off your short list.
The firewall rules and the definitions you setup which tell the firewall what types of traffic to let in and out of your network. All firewalls have a rules file and it is the most important configuration file on your firewall. An important question to ask your firewall vendor prospects is if will you need to reboot the firewall every time you make a change to the rules file. If you are shopping for a carrier-class firewall this is a must. If you are in the market for a SOHO firewall, an occasional firewall reboot will probably not impact you too much.
Another feature to find out about is if the firewall supports automatic order-independent rules. The rules on a firewall need to be in a very specific order or they will not work properly. Some firewalls have the ability to order the rules automatically. This feature can be both good and bad so you will want to make sure that if it exists, there exists the capability to turn it on and off. The algorithms and code used to make the order-independent rule setting decisions need to be completely bug free, or using this feature could open up security holes on your network. In a perfect technical world, automatic order-independent rule setting is a great feature because if you have a lot of firewall rules, it can help you understand how to order the rules properly. However, there is no substitute for human knowledge in setting up your firewall rules.
Summing it all up
There are more things to know about firewalls than what I have discussed here, but hopefully this will be enough to get you going. Other features you might want to research are high-availability, content filters, and the ability to support anti-virus features. Before you start talking to firewall vendors, make a list of questions that you want to ask each vendor. Ask all the vendors the same questions, and refine your list as you talk to more vendors. Be sure to ask them about their phone support packages, and if this is included in the license fee. Good firewall phone support is key to helping you become comfortable and proficient at configuring your new security device.
Laura Taylor is the founder of Relevant Technologies, a provider of original information security content, research advisory services, and best practice IT management consulting services.