Features for the SMB Firewall


I was reading about how China has shut down almost a hundred Web sites since last week. The reason for the closures: Many of these sites contained pornographic content, which is illegal in China.


The article got me thinking about the kinds of controls that an SMB might want to enforce on its network traffic. This is an important area, especially since a small or medium business with a growing network does not get the "everything included" feature set of high-end enterprise firewalls.


So what are some of the features an SMB should look for in firewalls?


General port filtering


This is the most basic level of filtering, found in even the most affordable firewalls. You should be able to define which ports are blocked and which are allowed. In general, most companies will probably want to block all outgoing ports except those for services such as SMTP and POP (e-mail), FTP (file transfer) and HTTP (Web browsing).


The ability to manage network ports will allow you to block most games as well as applications that attempt to access the Internet.


Basic URL filtering and logging


The next level of control to consider would be to perform basic filtering by URL. Most of the time, it will make sense to perform some kind of logging of URLs, too.


URL filtering and logging can help the network administrator expose malware or unauthorized applications that use HTTP. In addition, logging all accessed URLs should deter staff from visiting inappropriate Web sites in the office.
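
To make the filtering and logging described above concrete, here is an added example (not from the original article or any firewall product) that applies a domain blocklist to logged URLs and counts denied requests per client. The log format ("epoch client method url"), the blocklist entries and the sample lines are all constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed blocklist and log lines (assumed format: "epoch client method url").
BLOCKED_DOMAINS = {"games.example", "im.example"}

SAMPLE_LOG = """\
1199145600 192.168.1.20 GET http://www.games.example/play
1199145605 192.168.1.20 GET http://notgames.example/index.html
1199145611 192.168.1.31 GET http://IM.Example:8080/gateway
1199145620 192.168.1.31 POST http://updates.vendor.example/check
1199145633 192.168.1.20 GET http://cdn.games.example./asset.js
malformed line
"""

def is_blocked(url, blocked=BLOCKED_DOMAINS):
    """True if the URL's host is a blocked domain or a subdomain of one."""
    # .hostname is lowercased and has the port removed; also drop a trailing dot.
    host = (urlsplit(url).hostname or "").rstrip(".")
    # Match on label boundaries so "notgames.example" does not match "games.example".
    return any(host == d or host.endswith("." + d) for d in blocked)

def process(log_text):
    """Return (decisions, blocked_per_client) for every parseable log line."""
    decisions, per_client = [], Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed entries rather than guessing at fields
        _, client, method, url = parts
        verdict = "DENY" if is_blocked(url) else "ALLOW"
        decisions.append((client, method, url, verdict))
        if verdict == "DENY":
            per_client[client] += 1
    return decisions, per_client

if __name__ == "__main__":
    decisions, per_client = process(SAMPLE_LOG)
    for client, method, url, verdict in decisions:
        print(f"{verdict:5} {client} {method} {url}")
    for client, count in per_client.most_common():
        print(f"{client}: {count} blocked request(s)")
```

Matching on whole host labels rather than substrings is what keeps a filter like this from blocking unrelated sites or missing mixed-case and explicit-port variants of a blocked one.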


Blocking Instant Messaging


The freedom to perform instant messaging in the office can be a touchy area and depends heavily on work culture. I know of organizations that require every staffer to have an IM account and to be constantly logged on when at work. I also know of organizations where being seen instant messaging at work is viewed as slacking off.


Whatever the case, the ability to block instant messaging is typically only available in higher-end firewalls, since IM clients such as MSN Messenger have many different methods of connecting, making them difficult to block.


So if you want to block IM, make sure you check that the firewall has the intelligence to weed out IM traffic.