Next-generation firewalls rose to prominence several years ago as vendors promised that they could deliver a variety of security features -- namely intrusion prevention system capabilities and application control -- in one appliance.
In examining today's next-generation firewalls (NGFW) market, experts say that not every NGFW offers features that are desirable to every organization, and that in some cases, having too many features may do more harm than good.
Stamford, Connecticut-based IT analysis firm Gartner Inc. released its Magic Quadrant report for enterprise network firewalls (registration required) in April and found NGFW products from Check Point Software Technologies Ltd. and Palo Alto Networks Inc. to be the clear market leaders. NGFW appliances from Fortinet Inc., Cisco Systems Inc. and Juniper Networks Inc. were all considered challengers by Gartner, while nearly a dozen more vendors were deemed niche players.
Greg Young, research vice president with Gartner and one of the authors of the firewall Magic Quadrant report, said that Check Point and Palo Alto Networks distinguish themselves from competitors with a wide array of product features and by scaling effectively in large-scale enterprise environments, a problem for many of the niche vendors.
Despite those competitive advantages, Young said, even the leading NGFWs are far from perfect. He noted that Check Point's and Palo Alto's NGFWs come with premium price tags that may be hard to stomach, especially if an organization doesn't take advantage of all the security features offered.
For instance, in its Magic Quadrant report, Gartner claimed that most Check Point customers only take advantage of the vendor's Software Blade subscription services to activate typical NGFW features, including IPS, application control and user identity capabilities, but that options like email security and data loss prevention aren't selected nearly as much.
Young said that in many instances lesser-known NGFW vendors beyond the top two can provide a more cost-effective product that delivers only the features an enterprise needs, though that puts the onus on organizations to identify their requirements in order to make the best selection.
"One size does not fit all. There are very different products for different use cases," said Young. "Don't only look at the leaders. It's almost like looking at which manufacturer makes the fastest car."
More features, more problems
While an NGFW that crams many features into a single appliance may seem like an attractive option for some organizations, Young warned that enabling all of those features may result in an unpleasant surprise: performance degradation.
Young noted several next-generation firewall vendors have recently added Web anti-malware as a selling point to clients. However, turning on that feature "just kills the performance" of NGFW appliances, he said, adding that antivirus is better suited to secure Web gateways or other security products besides NGFWs.
"A single console view is good, but not everything should be in the same box," said Young. "Many next-gen firewalls will have the antivirus option, but we find that most enterprises have a bad experience."
Robert Smithers, CEO of independent IT testing firm Miercom Inc., agreed that many NGFW products suffer from performance degradation issues when additional features are turned on. Smithers said his firm has tested a dozen next-gen firewalls and found that products from Sophos Ltd. tend to have the best performance when all relevant features are enabled, with products from Intel Corp.'s McAfee unit also performing well.
Smithers advised organizations currently conducting an NGFW comparison to consider what features are actually going to be used in their environments, and to research just how well those products perform when all needed features are switched on.
"If you enable all these features, everything slows down. A 10 Gbps product becomes a 3 Gbps product," said Smithers, who noted that unified threat management appliances may provide "better bang for the buck" to small and mid-sized organizations when compared to NGFWs, though he rarely sees UTMs deployed in large enterprise environments.
"I see next-gen firewall vendors trying to own everything. They're saying, 'Wait a minute, you don't need antivirus,'" Smithers continued. "I'm not sure that's the right answer, to tell you the truth."
Is NGFW right for you?
Young said that while price, features and performance tend to receive the most attention from enterprises shopping for an NGFW appliance, many organizations don't take enough time to consider whether they are actually capable of effectively deploying a next-gen firewall.
For instance, application control is one of the defining features that give NGFWs a leg up on traditional firewalls, but if an organization fails to put the right policies in place, Young said that feature "won't be very useful."
Some organizations also turn on NGFW features just because they are available, Young said, but to get the most out of such products, an organization needs some in-house expertise to fine-tune the appliance. In some instances, that expertise might even need to be attached to a specific product. For example, Smithers noted that Check Point systems must be deployed by Check Point experts, a factor that may make some enterprises hesitate.
Even the type of network in place at the organization must be considered before deploying an NGFW, according to Young, who noted that such appliances tend to generate a lot of alerts at companies with flat networks.
"We do see people being overwhelmed with alerts," Young said. "So if you're not capable of consuming that many alerts … you're maybe just not ready [to deploy an NGFW appliance] yet."