A single centralized network firewall system offers management benefits by employing a single security policy for all networks and focusing the administrator's attention on a single location. Distributed firewalls are less expensive per unit and affect smaller portions of the network in the event of a failure.
There are three factors to consider when recommending a centralized or distributed approach to your customer:
- Performance -- Performance of a centralized network firewall must be able to meet the needs of many networks and multi-gigabit traffic, while distributed firewalls need only meet the requirements for the individual network segment they protect.
- Redundancy -- Failure of a centralized network firewall can cause outages of every network that the firewall protects, leading to an organization-wide business disruption. Because of this, redundancy of a centralized firewall is critical and requires a customer to purchase backup systems to take over in the event of a failure. Distributed firewalls control smaller portions of the organization's computer network, and as such may not need the immediate backup systems centralized firewalls require.
- Cost -- As a result of their needs for performance and redundancy, centralized firewalls have a much higher cost per unit than smaller distributed firewalls, and this must be paid all at once. Smaller distributed firewalls cost less per unit, but the combined cost of all firewalls to cover an enterprise can be larger than the cost of the single distributed system.