Comparison of firewalls
The following is a comparison of notable firewalls, ranging from simple home firewalls to the most sophisticated enterprise firewalls.
Firewall software
Ultimately, all firewalls are software-based; a hardware firewall runs firmware (built-in software) on dedicated hardware. Embedded firewalls are simply very limited-capability programs running on a low-power CPU, and this software can be upgraded or replaced if someone has sufficient skill and resources to do so. (See OpenWrt)
Firewall | License | Cost / Usage Limits | OS |
---|---|---|---|
Cisco IOS | Proprietary | Included on all Cisco switches and routers | Proprietary, runs only on Cisco hardware |
Comodo Internet Security | Proprietary | Freemium | Windows 7 / Vista / XP SP2 / Windows 8 |
Intego VirusBarrier | Proprietary | ? | Mac OS X 10.5 or later; on an Xserve |
IPFilter | GPLv2 | Free | Package for multiple UNIX-like operating systems |
IPCop | various | Free | Linux-based appliance |
IPFire | GPL | Free | Linux-based appliance |
ipfirewall | BSD | Free | *BSD package |
Kaspersky Internet Security | Proprietary | $59,95 Year / 30 day trial | Windows unknown versions x32/x64 |
Lavasoft Personal Firewall | Proprietary | €36 Year | Windows unknown versions x32/x64 |
Microsoft Forefront Threat Management Gateway | Proprietary | discontinued | Windows unknown versions x64 |
Monowall | BSD | Free | FreeBSD-based appliance |
Netfilter/iptables | GPL | Free | Linux kernel module |
Norton 360 | Proprietary | $59.99 Year | Windows unknown versions x32/x64 |
NPF | BSD | Free | NetBSD kernel module |
Online Armor Personal Firewall | Proprietary | € 39.95 Year | Windows unknown versions x32/x64 |
Outpost Firewall Pro | Proprietary | Free / Paid | Windows unknown versions x32/x64 |
PC Tools Firewall Plus | Proprietary | Free ? | Windows unknown versions x32/x64 |
PF | BSD | Free | *BSD kernel module |
pfsense | BSD | Free | FreeBSD/NanoBSD-based appliance |
Smoothwall | GPL | Free | Linux-based appliance |
Sophos UTM | ? | Free / Paid | Linux-based appliance |
Sunbelt Personal Firewall | Proprietary | discontinued | Windows unknown versions x32 |
Sygate Personal Firewall | Proprietary | discontinued | Windows unknown versions x32 |
Untangle | GPL | ? | Linux-based appliance |
Vyatta | GPL | ? | Linux-based appliance |
Windows Firewall | Proprietary | Included with Windows XP SP2 and later | ALL Windows Versions x32/x64 |
WinGate | Proprietary | Paid | Windows unknown versions x32/x64 |
Zeroshell | GPL version 2 | Free | Linux-based appliance |
ZoneAlarm | Proprietary | Freemium | Windows unknown versions x32/x64 (except XP-64) |
Firewall rule-set basic filtering features comparison
Can Target: | Changing default policy to accept/reject (by issuing a single rule) | IP destination address(es) | IP source address(es) | TCP/UDP destination port(s) | TCP/UDP source port(s) | Ethernet MAC destination address | Ethernet MAC source address | Inbound firewall (ingress) | Outbound firewall (egress) |
---|---|---|---|---|---|---|---|---|---|
IPFire | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Trend Micro Internet Security | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
Untangle | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
Vyatta | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Windows XP Firewall | No | No | Yes | Partial | No | No | No | Yes | No |
Windows Vista Firewall | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
Windows 7 / Windows 2008 R2 Firewall | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
WinGate | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Zeroshell | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes |
Zorp | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
- Windows XP Firewall can target only a single destination TCP/UDP port per rule, not port ranges; therefore support is partial.
Firewall rule-set advanced features comparison
Can: | work at OSI Layer 4 (stateful firewall) | work at OSI Layer 7 (application inspection) | Change TTL? (Transparent to traceroute) | Configure REJECT-with answer | DMZ (de-militarized zone) - allows for single/several hosts not to be firewalled. | Filter according to time of day | Redirect TCP/UDP ports (port forwarding) | Redirect IP addresses (forwarding) | Filter according to User Authorization | Traffic rate-limit / QoS | Tarpit | Log |
---|---|---|---|---|---|---|---|---|---|---|---|---|
IPFire | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
Sidewinder | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Untangle | Yes | Yes (Some modules) | No | No | Yes | Yes (With Policy manager) | Yes | Yes | Yes | Yes | Yes | Yes |
WinGate | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes | No | Yes |
Zeroshell | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
- NOTE: Because Linux Iptables is a text-based firewall, you can "Filter according to time of day" by using additional third-party tools, such as the expect automation tool and cron jobs.
- Windows firewall may be scripted with scheduled tasks.
- Configured by system policy
Features: | Configuration: GUI, text or both modes? | Remote Access: Web (HTTP), Telnet, SSH, RDP, Serial COM RS232, ... | Change rules without requiring restart? | Ability to centrally manage all firewalls together |
---|---|---|---|---|
IPFire | both | Web (HTTPS), SSH, RS232 | Yes | No |
Untangle | both | SSH (not enabled by default), Web GUI | Yes | Yes |
WinGate | GUI | Proprietary user interface | Yes | N/A |
ClearOS | both | RS232, SSH, WebConfig | Yes | Yes with ClearSDN |
Zeroshell | GUI | SSH, Web (HTTPS), RS232 | Yes | No |
- NOTE: Because Linux Iptables and Cisco ACL are text-based firewalls, you can centrally manage them all at once by using additional tools, such as KDE Konsole or the expect automation tool.
- NOTE: Due to the distributed nature of the Checkpoint architecture, no single interface is used exclusively. Security, NAT and VPN configuration is always done using the proprietary GUI; however, basic IP networking and routing configuration of individual firewalls can be done using SSH or the Web interface.
Firewall's other features comparison
Features: | Modularity: supports third-party modules to extend functionality? | IPS : Intrusion prevention system | Open-Source License? | supports IPv6 ? | Class: Home / Professional | Operating Systems on which it runs? |
---|---|---|---|---|---|---|
IPFire | Yes | Yes, with Snort | Yes | Yes (since IPFire 3) | Both | Linux-based appliance distribution. |
Untangle | Yes | Yes | Yes | No | Both | Linux (built on Debian) |
Vyatta | Yes | Yes | Yes | Yes | Professional | Vyatta OS (built on Debian) |
WinGate | Yes | ? | No | No | Professional | Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 2008. 32bit and 64bit. |
- NOTE: Checkpoint supports a limited range of third-party modules from certified partners. Modules are integrated with Checkpoint firewalls through a platform named OPSEC.
- NOTE: WinGate 6.x supports 3rd party modules for data scanning only (e.g. antivirus and content filtering).
- NOTE: Collax Security Gateway kernel and components are Open Source. The only proprietary part is the GUI.
Non-Firewall extra features comparison
These features are not strictly firewall features, but are sometimes bundled with firewall software, or exist on the platform.
NOTE: Features are marked "yes" even if implemented as a separate module that comes with the platform on which the firewall sits.
IDS: real-time firewall that logs/sniffs/blocks suspicious connections that are not part of rule-set.
VPN (Virtual Private Network) Types are: PPTP, L2TP, MPLS, IPsec, SSL/SSH.
Profile selection: The user can switch between sets of firewall settings, e.g. for use at work, at home, and on public connections.
Can: | NAT (static, dynamic w/o ports, PAT) | IDS (Intrusion Detection System) | VPN (Virtual Private Network) | AV (Anti-Virus) | Sniffer | Profile selection |
---|---|---|---|---|---|---|
IPFire | Yes | Yes (with integrated Snort) | Yes (IPsec and OpenVPN) | Yes (with clamav) | Yes (with tcpdump) | ? |
Untangle | Yes | Yes | Yes (IPsec and OpenVPN) | Yes (clamav, commtouch (optional)) | Yes (tcpdump) | ? |
Vyatta | Yes (supports three NAT types) | Yes (integrated Snort) | Yes (IPsec and OpenVPN) | Yes (with clamav, Sophos Antivirus (optional)) | Yes (with wireshark or tcpdump) | ? |
WinGate | Yes | Yes (with NetPatrol) | Yes (proprietary) | Yes (Kaspersky Labs) | Yes (filtered capturing to pcap format) | No |