NGFWs are key to an enterprise network security strategy. Here's what to consider when shopping for one.
If there is one network security device that has changed significantly in the past decade, it would have to be the firewall. What once was a simple access control gate between trusted and untrusted networks has now morphed into a multi-faceted and multi-layered threat management system.
Today's next-generation firewalls are the linchpin of any modern network security strategy. Yet not all NGFWs are the same. While some features and benefits obviously overlap from one vendor's NGFW to the next, there are distinct differences you need to understand and evaluate based on your network's security needs.
In this slideshow, we'll look at seven factors you need to consider when evaluating and ultimately choosing your next-gen firewall platform. Security research firm NSS Labs evaluated 13 of the top NGFWs and concluded that seven of the products met its criteria to receive a "recommended status." But even having the field narrowed down to seven vendors isn't enough. You need to apply your own criteria and find the firewall that best fits your needs -- and your budget.
For most of us, an NGFW will likely replace a traditional firewall or an aging NGFW in an established network environment. If that's the case, the final decision may be influenced by what hardware is being replaced, what other network components the new firewall will need to work with, and who will implement and manage the NGFW.
Another major influence on your final decision will revolve around critical applications in use on your network and what kinds of security policies and tactics are needed. NGFW vendors have strengths and weaknesses based on what type of features you require. For instance, one NGFW vendor may have an industry-leading IPS feature set. But that same firewall may not have the most robust malware protection capabilities to protect against zero-day exploits. Because of this, it's up to the technical decision maker to prioritize what features are most important in order to choose the right product.
Finally, one must look at the NGFW investment in terms of long-term scalability and investment protection. Enterprise-class NGFWs aren't cheap. It's important to understand how the vendor's roadmap aligns with yours in terms of scaling out your current investment.
Performance
When it comes to next-gen firewalls, there’s a balance that must be struck between threat protection and raw performance. Getting the features you want along with the performance you need to avoid bottlenecks can be tricky. Note that Gartner Research analysts have observed that vendors and their solution provider partners often undersize firewalls to keep costs down and that "undersizing was a clear reason for performance issues." Undersized hardware appliances can't handle the processing required to run all the security features without getting bogged down. Therefore, it’s critical that you know a product's calculated throughput, with the features you intend to enable, both today and several years into the future.
Interoperability
NGFWs don’t operate on an island. Instead, they often interact with many other network and security tools such as network monitoring tools, logging servers, authentication servers, network access control (NAC) products and external web/email security solutions. Depending on the vendor and NGFW product line, interoperability will vary. Make sure you understand and verify interoperability with the external components and applications your NGFW must get along with.
Visibility and control
One area that NGFWs vary widely from one vendor to the next is network and application visibility. Not only are we talking about visibility down to the application and user level, but also visibility that provides network behavior intelligence. Be sure to understand each vendor's security intelligence visibility functions to make sure it meets or exceeds your expectations.
Advanced security features
Next-generation firewalls have become the veritable multi-tool of IT security. And as they do with most multi-tools, companies will rely on some of the individual tools daily while rarely, if ever, using others. With NGFWs, customers will almost certainly use standard stateful access control rules. Other commonly used features include VPN, secure remote access, and intrusion prevention. But for the remaining security features, it’s up to you whether you want to implement -- and pay for licensing for -- capabilities like sandboxing, advanced emerging-threat protection, and global threat intelligence. To some companies, all three may be an absolute necessity to implement. But to others, they might be overkill.
Scalability
Network hardware refresh timelines vary from one organization to the next. But for the most part, three to six years is where the majority fall. When choosing your NGFW, you want to make sure it can grow to meet your company's projected data expectations. This might mean purchasing hardware oversized for what is needed today, or planning for growth through active-active load balancing or clustering capabilities.
Management and reporting
If your security administrators are responsible for managing dozens or more firewalls, having the right management platform is crucial to lowering the number of human resources needed. Most enterprise NGFWs have built-in or optional centralized management capabilities to provide a single pane of glass for configuration, monitoring and reporting of all NGFWs on your network. Alternatively, a growing number of vendors are beginning to offer cloud-managed NGFWs that effectively do the same thing as a centralized server without the hassle of having to manage yet another server on-premises.
Cost of ownership
The last, but certainly not least, factor is your total cost of ownership throughout an NGFW's lifecycle. Once you start shopping around, you’re quickly going to realize that hardware, licensing, and ongoing support costs vary widely from one vendor to the next. You will need to perform a cost/benefit analysis to determine which product is going to give your organization the proper level of security for the lowest lifecycle cost.