NGFWs for Today’s IT Environment and Security Needs
Expert Mike O. Villegas compares the leading next-generation firewalls (NGFWs) to help network users find the option that best fits their IT environment and security needs.
Next-generation firewalls (NGFWs) ably protect enterprise networks from intrusions and attacks with integrated network security platforms that include in-line deep packet inspection firewalls, intrusion prevention systems (IPSes), application inspection and control, SSL/SSH inspection, website filtering and quality of service/bandwidth management. Once an organization has decided to go this route, choosing the best next-generation firewall for its IT environment can be a challenging process, however.
Choosing the best NGFW for a particular enterprise requires research. Organizations need to investigate and compare NFGW products and come up with a short list. They do not have to choose the top-rated NGFW product in the industry, however. What they need to do is choose the best NGFW that fits and meets their specific enterprise requirements, as best doesn't always mean "best" for you.
All NGFWs are designed to protect mid to large enterprises. Cisco, Check Point, Fortinet, Barracuda and Juniper, however, also offer NGFW products for small to medium-sized businesses (SMBs). All the NGFWs covered here support both virtual and physical deployments, as well as deployments in cloud environments such as Azure and AWS.
Common features available in all NGFW products include unified threat management (UTM), nondisruptive in bump-in-the-wire configuration, NAT, stateful packet inspection, virtual private network (VPN), integrated signature-based IPS engine and application awareness. They also tend to include the ability to incorporate information from outside the firewall (e.g., directory-based policy, blacklists, whitelists, among others), provide an upgrade path to include future information feeds and security threats, and offer SSL decryption to enable the identification of undesirable encrypted applications.
Noncommon NGFW features vary by vendor, so this is where organizations can start to differentiate between products and choose the best NGFW for them.
provides security services such as gateway antimalware, content filtering and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
provides application visibility and control as part of the base configuration at no cost, but separate licenses are required for next-generation intrusion prevention systems (NGIPS), advanced malware protection and URL filtering.
provides clustering and multilink as standard features with McAfee Next Generation Firewall license.
requires an optional subscription for malware protection (AV engine by Avira), threat intelligence and for advanced client network access control VPN/SSL VPN features.
offers advanced software security services (NGFW/UTM/IPS/threat intelligence service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
provides a full NGFW solution package with all of its software blades included under a single license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Check Point product.
When an organization purchases a product, it receives a copy of the software or appliance and a license to use it. It doesn't actually own the software--ownership rights belong to the software company, and customers are limited by the terms and conditions (T&C) of the license. All NGFW products are licensed per physical device. Additional licenses are required for the noncommon features stated above. Closely read the T&Cs to determine what services are available in the base NGFW products and what services require an additional license.
While Check Point and Fortinet are sold through channel organizations, the remaining NGFW vendors sell direct and channel partners. All NGFW products, meanwhile, are priced by scale based on the type of hardware utilized and the service contract. Of particular importance are the wide price range differences not just between vendors, but between the various offerings by individual vendors themselves.
Cisco, for example, is priced by user. The cost structure is $1,100 (1 to 99 users), $6,500 (100 to 999 users), $25,000 (1,000 to 4,999) and $100,000 (5,000+ users). Palo Alto, by contrast (based on data sheets reviewed), has 2,707 different pricing options ranging from $1,300 to $38,640,000 for its enterprise three-year contracts (PAN-ENT-SUB-4W-3YR).
While pricing structure appears disparate, similarities do exist in the lower-end product lines--the smaller the NGFW need, the simpler the pricing. The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.
Licenses typically come in one-, two- and three-year subscriptions. As the number of users increase, volume discounts often apply. We generally recommend not paying MSRP on security products; however, keep in mind that vendors tend to be less flexible with single purchases. One approach is to time purchases for month- or quarter-end, as vendor personnel at these times are often under pressure to meet and exceed sales quotas.
The only NGFW vendor that does not provide a free trial version at this time is HP TippingPoint. All others provide a free 30-day downloadable full virtual appliance or virtual machine (VM) version to test. Juniper does a bit better than the others, providing potential customers with a 30- to 90-day free trial version run through its paces on their network.
The key differentiators between NGFW products
What makes the best NGFW standout among its peers is clearly of great interest. Below are some highlights of the noted differentiators.
is the inventor of stateful firewalls. It has the highest block rate of IPS among its competitors, largest application library (over 5,000) than any other, DLP with over 600 file types, change management (i.e. configuration and rule changes) that no one else has, and agent or agentless Active Directory integration.
has patented Reassembly-Free Deep Packet Inspection, a technology that allows for centralized management for users to deploy, manage and monitor many thousands of firewalls through a single-pane of glass.
provides an integrated defense solution with greater firewall features detection and protection threat services than other vendors.
lauds its 11-year-old in-house dedicated security research team, FortiGuard Labs. It is one of the few NGFW vendors that has its own, as most others OEM this activity. Fortinet also purports to have NGFW FortiGate, which can deliver five times better performance of comparatively priced competitor products.
is known for its NGFW's simple, effective and reliable implementation. The security effectiveness coverage is high with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.
provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design.
purports the lowest total cost of ownership (TCO) in the industry due to advanced troubleshooting capabilities and smart lifecycle management features built into large scaling central management server. The NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
is the first NGFW to offer customers validated (Telcordia) 99.9999% availability (in its SRX 5000 line). The SRX Series is also the first NGFW to deliver automation of firewall functions via JunoScript and open API to programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored for their network.
Although we will dive deeper in individual NGFW products in the product profiles, it is clear each NGFW vendor has established a foothold in unique areas that sets them apart from the rest. The key for customers is to identify the deciding differentiators that meet and/or exceed their needs.
The stratagem to thwart attacks on enterprise network environments will always be based on risk. The level of protection (controls) should be commensurate with the value of the asset (risks). If protection requires a NGFW, familiarization of NGFW vendor products and models to fit your organization and business model is critical.
For example, if an organization is a small to medium-sized business, it may not consider the McAfee NGFW since its SMB appliance requires the Firewall License only, with its somewhat limited feature set. Barracuda similarly has a NGFW for large enterprises and a firewall offering for SMB, each with separate appliances and licenses.
All vendors considered here offer NGFW products for large enterprises. Check Point, Palo Alto, Fortinet and Cisco --in particular--stood out in the April 2015 Gartner Magic Quadrant for Enterprise Network Firewalls. The remaining NGFW products fall in the lower left-hand quadrant of the report, where they identify as "niche players." Niche players, for example, include those NGFWs offered primarily to SMBs. Clients that this author has encountered in assessment work, meanwhile, have commented on features available in their NGFW of choice but have not activated due to either time constraints or sufficient knowledge on how make use of features.
Consider the following criteria in selecting the NGFW vendor and model for your enterprise: identify the players; develop a short list; perform a proof of concept; make reference calls; consider cost; obtain management buy-in; and work out contract negotiations. TCO is also critical.
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise--these are all important factors in making your decision.