Vendors list never-ending feature sets for their network firewalls. What extra firewall features are worth selling my clients on?

About the author Chris Clements is a security architect for Flat Earth Networking Inc., a dedicated information security company based in Nashville, Tenn. Chris has expertise in numerous security systems, security policy, vulnerability assessment and business case analysis. In January of 2007, Chris was launched a consulting offering including research, design, auditing and education for the Fortune 1000 customer market.

At their most basic, firewalls are access control devices. They block or allow communications passing between network segments. Today, however, network firewalls have evolved into multifunction devices with features such as encryption (VPN), authentication, IP address translation (NAT) and traffic rate limiting (also known as Quality of Service), to name just a few.

Standard firewall features include:

• Access control -- The base component of what makes a firewall a firewall.
• Network address translation (NAT) -- Converting internal IP addresses into Internet-routable addresses.
• Authentication -- Granting access only after users have proven their identity.
• The ability to establish an encrypted virtual link between networks.
• Remote access VPN -- Allowing remote users to connect securely to internal network resources.

Emerging or non-ubiquitous firewall features can include features such as quality of service, intrusion prevention, SSL VPN, antivirus and Web filtering:

• Quality of Service (QoS) -- Network traffic prioritization.
• IPS -- Blocking of network- or application-specific attacks.
• SSL VPN -- A feature that allows remote access VPN via a user's Web browser.
• Antivirus -- Filtering viruses from downloaded files as they pass through the firewall.
• Web filtering -- Blocking access to offensive or non-business-related Web sites.

Many of these emerging features provide significant customer value, and they may become standard offerings in the future. However, using all the features at once can cause a significant performance hit and care should be taken when recommending them to customers.