General Information: Information regarding the product or product family, but not specific to the hardware
Product Functionality: Products may be firewall only, VPN only, or firewall & VPN
Device Specific Information: Hardware specific details about a particular product, particularly regarding interfaces and low-level functionality
Interface Count: The number of interfaces supported by the device
Interface Types: The types of interfaces available to be installed in the device.
Redundant Power Supplies: Does this device support more than one power supply?
NEBS Compliance: Has this device been certified/tested to be NEBS compliant?
Remote/Out of Band Management: Does this device support a non-LAN/WAN method of accessing/controlling/configuring the equipment, such as a PCMCIA modem or serial port?
High Availability Port: A device that supports failover may have a dedicated port or ports that allow the unit(s) to be connected together without relying on the back-end network infrastructure for connectivity. This port is typically called a high availability port. The port is not required for high availability, as the keep-alives may also be sent over the network. A high-availability port is essentially an out-of-band synchronization mechanism.
Routing Protocols: Routing protocols are used to exchange information about the status of the network. They are not critical to device functionality, but add an extra level of fault tolerance and network visibility
Product Warranty: How long is the device covered against hardware defects from the time it is shipped to the customer?
802.1Q VLAN Tagging: Some VPN/firewall devices can classify certain types of traffic and automatically place that traffic on a specific virtual LAN (VLAN). If this sort of feature is supported, a yes will appear in this field.
Latest Shipping Software: The version of software in which these features are available (must be shipping)
VPN Specific Information: Information that only pertains to products that support VPN termination.
Maximum Concurrent Connections: The maximum number of simultaneous connections the VPN concentrator can support. This number is usually limited by the CPU and amount of RAM in the system.
3DES Performance: The vendor quoted performance of the VPN concentrator when operating in IPsec mode with 3DES encryption, before any add-on accelerators are added to the product
3DES Accelerated Performance: The maximum 3DES performance the device can achieve (according to the vendor) with one or more 3DES accelerators installed
Encryption Algorithms: Encryption is the translation of data into a code. Encryption is the most effective way to achieve data security. To read encrypted data, you must have access to a key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text. There are many different standard methods of encrypting data.
Network Integration: VPN devices can either behave transparently or as a router. In site-to-site applications, some network managers prefer logically extending the corporate network across the VPN in an un-routed manner. Others prefer to subnet the remote office and route traffic to/from that office. The hardware must support the desired method.
Industry Certifications: Several standards bodies provide certifications for interoperability, device security, and standards compliance. A lack of a certification may indicate that a device will not interoperate, or simply that the vendor has implemented proprietary extensions to improve performance or manageability.
Tunneling Protocols: Standards-based protocols which are used to encrypt and secure the data travelling between two nodes on the VPN
CAs supported: A Certificate Authority is an entity that is trusted by one or more users to create, assign, and manage public-key certificates. A CA is required to digitally sign a certificate to attest to its validity. CAs can be communicated to via a standard such as PKCS or in a proprietary manner through an API provided by the CA manufacturer.
Key Management: These are the procedures used to manage public and private keys, which are systems of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction.
CA Revocation Methods: The methods by which the device checks whether a certificate issued by a CA has since been revoked, so that a revoked certificate is no longer accepted as valid when a tunnel is being established.
High Availability Features: If a VPN concentrator fails, all the users on it will be disconnected. With stateful failover, however, a standby device immediately assumes the identity of the failed device and maintains the VPN session table, so established sessions survive the failure.
VPN Architecture: A VPN solution can be built entirely in software (which allows maximum flexibility, but minimal performance), completely in hardware (allowing maximum performance, but limiting the ability to adapt to new technologies such as newer encryption algorithms), or as a hybrid (with some software and some hardware acceleration, allowing the flexibility of a software solution and the ability to upgrade the hardware over time).
AES Performance (if applicable)
SSL VPN tunneling features: The ability to send arbitrary applications through a secure tunnel created by leveraging SSL support in modern browsers
SSL VPN translation features: The ability to translate non-web applications into a web-based form for presentation to a remote user in a clientless fashion via SSL
SSL VPN Browser Support: SSL VPNs are clientless, but require a downloadable agent. This agent may be written in Java or ActiveX. The language chosen affects browsers that the SSL VPN can support
VPN Client Information: Information that is specific to only the client-side software component of a VPN solution
Client Name: The name of the client that supports remote access VPN connectivity
Client Status: This field indicates whether the software is in-house developed or OEM/co-branded
OS Support: A list of the operating systems that the VPN Client software operates on.
Authentication Methods: Authentication on VPNs deals with the issue of how you determine who to open a tunnel to (and who not to). Because users or other sites are remote and not connected to your LAN, this is typically more problematic than a simple password prompt. There are many types of authentication available for VPNs.
Split Tunnel Support: Split-tunneling is a client ability that allows internet traffic to pass through a local gateway such as a cable-modem or DSL router, while simultaneously sending LAN traffic across the VPN network. Split-tunnels significantly reduce the load put on corporate internet connections, because remote users utilize local (ISP-provided) bandwidth rather than central office bandwidth to surf the net. Split-tunnels are only available on IPSec connections.
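The routing decision a split-tunnel client makes, as an added example that is not part of the original page or any vendor's client: destinations inside the corporate prefixes are sent through the VPN, everything else leaves via the local gateway, and a full-tunnel client sends everything through the VPN. The corporate prefixes and the sample flows are constructed for the illustration; the summary shows why split tunnelling reduces load on the central office link, and also why traffic that takes the local path never sees the corporate firewall.

```python
import ipaddress
from collections import Counter
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed example: prefixes that must always be reached through the tunnel.
CORPORATE_PREFIXES: list = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.100.0/24"),
]


def route_for(dst: str,
              corporate: Iterable[Network] = CORPORATE_PREFIXES,
              split_tunnel: bool = True) -> str:
    """Return 'vpn' or 'local' for a single destination address.

    split_tunnel=True : only corporate prefixes go through the tunnel.
    split_tunnel=False: full tunnel, every packet goes through the VPN
                        (and therefore through the corporate firewall).
    """
    addr = ipaddress.ip_address(dst)
    if not split_tunnel:
        return "vpn"
    for net in corporate:
        # 'in' returns False for a mismatched address family, so mixing
        # IPv4 prefixes and IPv6 destinations is safe.
        if addr in net:
            return "vpn"
    return "local"


def summarize(destinations: Iterable[str], split_tunnel: bool = True) -> dict:
    """Count how many flows take each path; the 'local' count is the traffic
    the central office link no longer carries, and also the traffic the
    corporate firewall no longer inspects."""
    counts = Counter(route_for(d, split_tunnel=split_tunnel) for d in destinations)
    return {"vpn": counts["vpn"], "local": counts["local"]}


# Constructed sample of a remote user's destinations: two internal servers,
# three public web sites.
SAMPLE_FLOWS = ["10.1.2.3", "192.168.100.20", "198.51.100.7",
                "203.0.113.40", "2001:db8::1"]

if __name__ == "__main__":
    print("split tunnel :", summarize(SAMPLE_FLOWS, split_tunnel=True))
    print("full tunnel  :", summarize(SAMPLE_FLOWS, split_tunnel=False))
```

With the split tunnel the three public destinations never traverse the VPN, which is the bandwidth saving the field describes; with the full tunnel the same five flows all go through the concentrator and whatever perimeter controls sit behind it.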
Client Lock-Out: The ability for the administrator to deny (intentional or accidental) changes to the desktop VPN software.
Personal Firewall: Broadband users pose a serious threat to corporate VPNs, because the broadband internet connection leaves a machine vulnerable to attack at all times, and opens the corporate network to attack when the VPN is operational. A personal firewall is desktop software which prevents these attacks. Personal Firewalls may be integrated or add-on software.
Personal Firewall Configuration: If a vendor supports a personal firewall, is that software manageable by a central site management console?
Remote Management: VPN Client software may need periodic software, configuration, or policy updates. Remote management makes some or all of this possible, reducing the cost of owning the VPN and administering remote VPN users.
Client Config Check: Does the VPN client allow the administrator to 'check' that certain applications, policies, authentication information, or security precautions (such as antivirus software) are running before the VPN connection is established?
Client Failover: Does the client have the ability to store and automatically dial backup VPN concentrators should the primary VPN concentrator fail?
Firewall Features: Information that only pertains to products that support firewalling.
Firewall Type: Firewalls are security devices whose primary function is to protect an enterprise's internal network from unintended access by users on the Internet. Firewalls prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. Some firewalls block all traffic based on a specific TCP or UDP port (packet filter), while others inspect flows, seeking out unusual patterns and filtering the non-normal traffic (stateful inspection), or act as a man-in-the-middle, authenticating each type of application (application proxy).
Address Translation: Address translation allows a network to be hidden from the internet by converting IP addresses from one range to another. Address translation is often called NAT, or Network Address Translation. NAT can be used to expand the usable IP addresses of a network by using private addresses behind the firewall or VPN. NAT can map one IP address to many, or do a one-to-one translation. NAPT (Network Address Port Translation) can be used to translate layer-4 TCP/UDP addresses for security or obscurity reasons, or to route specific TCP/UDP requests to certain servers (for example, voice over IP traffic).
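A minimal NAPT translation table, added here as an illustration and not code from the original page or from any vendor's firewall: many private hosts share one public address, each outbound flow is allocated a distinct public port, replies are mapped back through the table, inbound packets with no mapping are dropped (the "hidden from the internet" property), and a static port forward routes one public port to an internal server, which is the "route specific requests to certain servers" use the text mentions. Addresses, ports and the port range are constructed for the example.

```python
import itertools
from typing import Optional, Tuple

Addr = Tuple[str, int]  # (ip, port)


class Napt:
    """Port-overloading NAT for one public address (constructed example)."""

    def __init__(self, public_ip: str, port_start: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(port_start)   # next free public port
        # outbound key: (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.out_map: dict = {}
        # inbound key: (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.in_map: dict = {}
        # static forwards: public port -> (server_ip, server_port)
        self.forwards: dict = {}

    def add_port_forward(self, public_port: int, server_ip: str, server_port: int) -> None:
        """Expose one internal service on a public port (e.g. a VoIP server)."""
        self.forwards[public_port] = (server_ip, server_port)

    def translate_outbound(self, src_ip: str, src_port: int,
                           dst_ip: str, dst_port: int) -> Tuple[str, int, str, int]:
        """Rewrite a private source to the public address; reuse an existing
        mapping so a flow keeps the same public port for its lifetime."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            pub_port = next(self._ports)
            self.out_map[key] = pub_port
            self.in_map[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip: str, src_port: int,
                          dst_port: int) -> Optional[Tuple[str, int, str, int]]:
        """A packet arrived at public_ip:dst_port from src_ip:src_port.
        Returns the rewritten packet, or None when nothing inside asked for it."""
        if dst_port in self.forwards:
            server_ip, server_port = self.forwards[dst_port]
            return (src_ip, src_port, server_ip, server_port)
        mapping = self.in_map.get((dst_port, src_ip, src_port))
        if mapping is None:
            return None  # unsolicited inbound traffic: dropped
        priv_ip, priv_port = mapping
        return (src_ip, src_port, priv_ip, priv_port)


if __name__ == "__main__":
    nat = Napt("203.0.113.5")
    # Two inside hosts happen to pick the same source port for the same server.
    print(nat.translate_outbound("192.168.1.10", 12345, "198.51.100.7", 443))
    print(nat.translate_outbound("192.168.1.11", 12345, "198.51.100.7", 443))
    # The server's reply to the second flow is routed back to host .11 only.
    print(nat.translate_inbound("198.51.100.7", 443, 40001))
    # Nobody inside opened this flow, so it is dropped.
    print(nat.translate_inbound("192.0.2.9", 31337, 40002))
```

The inbound lookup is keyed on the remote endpoint as well as the public port, so a third party that guesses an in-use public port still gets no mapping; only the static forward is reachable without an outbound flow first, which is exactly the exposure an administrator accepts when publishing a server.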
High Availability Sessions: Firewalls that provide stateful inspection or application proxy will drop connections if the device fails. High Availability Sessions allow for a backup firewall to assume the identity of the primary firewall in the event of a device failure without dropping connections.
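The difference between a packet filter and stateful inspection (Firewall Type above), and why stateful inspection needs session replication to survive a failover (High Availability Sessions), as one added example that is not part of the original page or any vendor's product. The packet filter has to leave a range of return ports open to let replies in, which also admits unsolicited packets to those ports; the stateful firewall admits only replies to flows it saw leave. The failover function shows that a standby without the replicated session table drops the very same reply. Hosts, ports and the port range are constructed for the example.

```python
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class PacketFilter:
    """Stateless filter: judges every packet on its own header fields.
    To let replies to client connections back in, an administrator has to
    open the whole ephemeral port range (constructed: 1024-65535)."""

    def __init__(self, return_ports: Tuple[int, int] = (1024, 65535)):
        self.lo, self.hi = return_ports

    def allow(self, pkt: Packet, direction: str) -> bool:
        if direction == "out":
            return True
        return self.lo <= pkt.dport <= self.hi


class StatefulFirewall:
    """Stateful inspection: remembers outbound flows and admits inbound
    packets only when they are the reverse of a known flow."""

    def __init__(self):
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def allow(self, pkt: Packet, direction: str) -> bool:
        if direction == "out":
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.sessions

    def sync_to(self, standby: "StatefulFirewall") -> None:
        """Replicate the session table, as a high-availability sessions
        feature does over the HA port or the network."""
        standby.sessions = set(self.sessions)


# Constructed traffic: an internal client talks to a web server, the server
# replies, and an outsider sends a packet nobody asked for.
OUTBOUND = Packet("10.0.0.5", 40000, "198.51.100.7", 443)
REPLY = Packet("198.51.100.7", 443, "10.0.0.5", 40000)
UNSOLICITED = Packet("192.0.2.9", 31337, "10.0.0.5", 40001)


def compare_inbound() -> dict:
    """Verdict of each firewall type on the reply and on the unsolicited packet."""
    pf, sf = PacketFilter(), StatefulFirewall()
    pf.allow(OUTBOUND, "out")
    sf.allow(OUTBOUND, "out")
    return {
        "packet_filter": {"reply": pf.allow(REPLY, "in"), "unsolicited": pf.allow(UNSOLICITED, "in")},
        "stateful": {"reply": sf.allow(REPLY, "in"), "unsolicited": sf.allow(UNSOLICITED, "in")},
    }


def failover_keeps_session(stateful_sync: bool) -> bool:
    """Primary sees the flow leave, then fails; does the standby accept the reply?"""
    primary, standby = StatefulFirewall(), StatefulFirewall()
    primary.allow(OUTBOUND, "out")
    if stateful_sync:
        primary.sync_to(standby)
    # primary fails here; the reply now arrives at the standby
    return standby.allow(REPLY, "in")


if __name__ == "__main__":
    print(compare_inbound())
    print("failover with session sync   :", failover_keeps_session(True))
    print("failover without session sync:", failover_keeps_session(False))
```

Without replication the standby has no record of the flow, so a stateful firewall that fails over this way drops every established connection, which is the behaviour the High Availability Sessions field is meant to rule out.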
Load Balancing: To achieve higher performance/throughput, some firewalls can automatically load balance sessions amongst multiple devices, eliminating the need for a separate firewall load balancer
Protocol Support: A firewall can typically pass any type of traffic, however some firewalls implement specific protocol support to help handle special types of traffic, resulting in higher security or easier administration, or better logging facilities
Firewall Architecture: Firewalls can be built using software techniques (slower, more configurable/expandable), or in hardware (faster, less configurable, less adaptable to new protocols), or using a hardware-assist method (moderate speed, more flexible than hardware alone)
Virtual Firewalling: The ability for the firewall to appear and operate as more than one firewall. Typically, this feature is used in ISP or large enterprise environments, where a single (large) firewall can provide firewall service in place of several smaller firewalls, particularly in a data-center environment
Management Features: Features that affect the simplicity/functionality of managing a VPN or Firewall device.
Management Station: The name of the software that provides centralized configuration of remote VPN/Firewall devices
Management OS Support: The operating systems that the remote management software will operate under.
Management Devices Supported: The number of devices that the management station can simultaneously manage
Management Client Support
Logging Options: The protocols and/or methods by which the VPN concentrator, firewall, and/or management console can log data for later analysis/troubleshooting
NMS Integration: A list of platforms or standards-based facilities that the network management software can integrate with
Policy Based Configuration: A scalable VPN or firewall solution will include a management station with the ability to automatically configure multiple devices for specific connectivity needs, without the administrator individually going to each node and configuring VPN policy. For example: An administrator has a central office with 10 remote sites and wishes to set up a fully meshed VPN between all sites. A policy-enabled solution can configure the necessary security and VPN policies to deploy the network without the user individually configuring each device
Management Security: A list of protocols that are used to communicate between the client and the management station. Configuration data is sensitive, because shared passwords or other secret data may be passed, thus customers should be concerned with peer-to-peer security mechanisms
Value Added Features: Features not typically found on a VPN/Firewall device that may be added to the solution at a later time.
Denial of Service Protection: Some platforms offer the ability to detect various malicious attacks from the internet, and take appropriate action to stop those attacks from happening, or at least stop them from bringing down the internal network.
IDS Intelligence: Some platforms offer the ability to log and alert the administrator when suspicious activity that might be a hacker is present. This functionality can be very simple, or very robust, going so far as to integrate and report with leading IDS solutions from companies like ISS, Dragon, etc.
Anti-Virus Scanning: Some platforms can automatically scan certain types of traffic for viruses as they pass through the organization perimeter. This functionality provides enterprise-wide antivirus capabilities, significantly reducing the dependency of AV solutions on individual desktops.
Content Filtering: Some platforms offer the ability to automatically screen, log, and even filter outgoing HTTP URL requests. This can be done by specifying an administrative list of URLs, accessing a database of URLs, or integrating with a content filtering solution such as WebSense.
Pricing: Pricing, Licensing, and Support Information
Solution Hardware Pricing: The price of the hardware that operates the firewall/vpn/combo solution
Add-on Hardware: Price of an optional hardware accelerator, if not already included in product
Software Licenses: Any special licenses that must be purchased to support features
VPN Client Pricing: Price of the client software necessary to remotely connect to the VPN (if applicable). Price specified as individual unit price and 1000 unit price
Solution Description & Restrictions: Any special terms or conditions the vendor puts on the usage/licensing of the firewall or VPN, such as per-node licensing, tunneling restrictions due to license, etc.
Support/Maintenance: Costs associated with the end user maintaining the hardware and software
Hardware Maintenance Costs: The cost of maintaining a 24x7 next-business day warranty/service contract on the equipment.
Maintenance include S/W updates: This field indicates whether the "Hardware Maintenance Costs" figure includes the ability to update the software on the device as part of the contract
Software ONLY Maintenance Cost: The cost of a maintenance contract that only covers software, but not support or hardware.