Six selection criteria for next-generation firewalls (NGFWs)

10/08/2021

Next-generation firewalls (NGFWs) are hardware- or software-based network security products that can detect and block sophisticated attacks beyond traditional firewall technologies.

There are many options for NGFWs, and while they all provide a variety of protection features that are commonly available in point products, there are significant differences between what is available in specific NGFW offerings.

Beyond the features that differentiate them, next-generation firewalls also include capabilities such as intrusion detection systems (IDS), intrusion prevention systems (IPS), wireless management, quality of service (QoS) and application control, which are among the main characteristics of traditional firewalls.

For example, some vendors offer unified threat management products separately from NGFWs for small and medium-sized businesses, while others incorporate UTM features into their basic next-generation firewall offerings.

Consequently, it is clear that, regardless of what vendors call their next-generation firewall products, it is mandatory for buyers to understand the precise features that each NGFW product under consideration includes.

To help readers begin this process and guide them in making the best NGFW purchasing decisions for their specific environments, we've outlined six firewall selection criteria to consider, as well as questions to ask when comparing these IT security products during the acquisition process.

1. Type of platform

Most next-generation firewalls are delivered as hardware (an appliance), software (downloadable) or a cloud service (SaaS).

Hardware-based NGFWs are most attractive for large and medium-sized companies; software-based next-generation firewalls suit small companies with simple network infrastructures; and cloud-based NGFWs suit highly decentralized, multi-site organizations, or organizations where the skill sets needed to manage the firewall are lacking or located elsewhere.

2. Set of resources

Not all NGFW providers offer similar features.

The features of next-generation firewalls typically include in-line deep packet inspection, IDS/IPS, application inspection and control, SSL/SSH inspection, website filtering and QoS/bandwidth management, aimed at protecting networks against the latest sophisticated network attacks and intrusions.

In addition, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows customers to customize application control and even some firewall rule definitions.

The key is for the organization to know what it is buying and whether or not it provides the level of protection needed for each specific area of security desired.

3. Performance

Since NGFWs integrate many features into a single device, they may seem attractive to some organizations. However, enabling all the available features at once can result in a serious degradation of performance.

It's true that the performance metrics of next-generation firewalls have improved over the years, but buyers need to seriously consider performance in relation to the security features they want to enable when determining the vendors and NGFW models they choose.

4. Manageability

This criterion covers system configuration requirements and the usability of the management console. Both system configuration changes and the management console's user interface should have three main qualities.

They should be comprehensive, covering a range of features broad enough to remove the need for additional point platforms; selective, making it possible to disable features that are not needed in the corporate environment; and accessible, so that the management console, individual feature dashboards and reports are intuitive and informative.

5. Price

Prices for the NGFW device, software and cloud service vary considerably by vendor and model. Some have separate prices for service contracts.

Companies should look closely at individual product offerings to determine which features would work best for the company, taking into account what the organization may or may not have.

If possible, don't pay retail prices. Most suppliers offer volume discounts (the more users a product supports, the less it costs per user, for example) or discounts to promising prospects making new purchases.

Generally, price should be one of several factors in determining total cost of ownership (TCO): the cost of acquiring an NGFW plus the cost of operating it. The TCO of a next-generation firewall is not just the purchase price, but also the expenses incurred in its use, maintenance, support and operation.

A next-generation firewall that seems like a great bargain may actually have a higher TCO than another NGFW, or even a combination of point platforms.

6. Support

Support was among the criteria ranked in Gartner's 2018 "Magic Quadrant for Enterprise Network Firewalls", alongside characteristics such as the quality, breadth and value of NGFW offerings as seen from the point of view of business needs.

Given the critical nature of next-generation firewalls, timely and accurate support is essential. Companies should obtain references and ask to speak to the vendor's customers, without the vendor being present.

Support criteria for NGFWs should address responsiveness, classified by type of service request; the quality and accuracy of service responses; the timeliness of product updates; and customer education and awareness of current threats and developments.

The level of protection (controls) provided by an NGFW must be proportional to the value of the assets (risks) it protects.

It is important for organizations to familiarize themselves with the NGFW vendors and products that best suit their IT environments and business models.

To do this, consider these six criteria: platform type, feature set, performance, manageability, price and support. Then determine which of the remaining NGFW products best meet the organization's TCO requirements.

In addition, carry out proof-of-concept evaluations to ensure that the selected NGFWs work well in the organization's IT infrastructure.

Some NGFW vendors present installation as being as easy as "pick up and move", for example. For some next-generation firewalls this is true, but prudent planning and testing before deployment are essential in every case.

About Conversys

Conversys IT Solutions is a provider of Information and Communication Technology services and solutions operating throughout Brazil.

With a highly qualified technical and commercial team and a network of partners that includes the main global technology manufacturers, Conversys IT Solutions is able to deliver customized IT and Telecom Infrastructure solutions to clients.

We invest in our employees and partners and strive for a long-lasting relationship with our clients, because we believe that in this way we gain the skills and knowledge necessary to innovate and generate value for the businesses in which we operate.
