
Comparing the best NGFWs on the market

Expert Mike O. Villegas compares the leading next-generation firewalls (NGFWs) to help readers find the option that best fits their IT environment and security needs.

Next-generation firewalls (NGFWs) ably protect enterprise networks from intrusions and attacks with integrated network security platforms that include in-line deep packet inspection firewalls, intrusion prevention systems (IPSes), application inspection and control, SSL/SSH inspection, website filtering and quality of service/bandwidth management. Once an organization has decided to go this route, however, choosing the best next-generation firewall for its IT environment can be a challenging process.

Choosing the best NGFW for a particular enterprise requires research. Organizations need to investigate and compare NGFW products and come up with a short list. They do not have to choose the top-rated NGFW product in the industry, however. What they need to do is choose the NGFW that fits and meets their specific enterprise requirements, because the industry's "best" is not always the best fit for them.

So who are the players? The nine NGFW vendors covered in this article are Check Point, Dell Sonicwall, Palo Alto, Cisco, Fortinet, HP TippingPoint, McAfee, Barracuda and Juniper.

Questions to consider when looking for the best NGFW vendor product include: What is their product line? Is their NGFW for cloud service providers, large enterprises, or small and medium-sized businesses? What NGFW features come with the base product? Which features need an extra license? How is the firewall sold and priced? What differentiates their product from other vendors' products?

As one might anticipate, there are many similarities between NGFWs. However, the differences are worth mentioning and comparing. So while individual write-ups on each of the vendors are forthcoming, here we delve into the similarities and (more importantly) the differences between these nine vendors' NGFW products.

Who is the NGFW for?

All NGFWs are designed to protect mid to large enterprises. Cisco, Check Point, Fortinet, Barracuda and Juniper, however, also offer NGFW products for small to medium-sized businesses (SMBs). All the NGFWs covered in this article, meanwhile, support both virtual and physical deployments, as well as deployments in cloud environments such as Azure and AWS.

What features are available?

Common features available in all NGFW products include unified threat management (UTM), nondisruptive bump-in-the-wire deployment, NAT, stateful packet inspection, virtual private network (VPN), an integrated signature-based IPS engine and application awareness. They also tend to include the ability to incorporate information from outside the firewall (e.g., directory-based policy, blacklists, whitelists, among others), provide an upgrade path to include future information feeds and security threats, and offer SSL decryption to enable the identification of undesirable encrypted applications.
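To make the difference between a port-based stateful firewall and an application- and identity-aware NGFW policy concrete, here is an added example in Python; it is not code from the article or from any of the vendors discussed. It models a first-match rule set that can key on destination port, identified application, directory group and a threat-feed blacklist, plus a stateful connection table that only admits reply traffic for flows the policy already allowed. All hosts, users, group names, application labels and the blacklist entry are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """A new connection as the firewall sees it after inspection."""
    src: str
    dst: str
    dport: int
    app: str   # application identified by payload inspection, not by port
    user: str  # identity mapped from the directory; "" when unknown


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    dport: Optional[int] = None         # None = any port
    apps: frozenset = frozenset()       # empty = any application
    groups: frozenset = frozenset()     # empty = any user
    dst_feed: frozenset = frozenset()   # empty = any destination; else only listed ones


# Constructed directory lookup (stands in for an Active Directory group query).
DIRECTORY = {
    "alice": frozenset({"employees", "engineering"}),
    "bob": frozenset({"employees", "finance"}),
    "guest": frozenset(),
}

# Constructed threat-intelligence blacklist (a single documentation address).
BLACKLIST = frozenset({"203.0.113.7"})

# Traditional firewall: decisions rest on the destination port alone.
PORT_BASED = (
    Rule("allow-https", "allow", dport=443),
    Rule("allow-dns", "allow", dport=53),
)

# NGFW: feed, application and identity are all part of the match.
NGFW = (
    Rule("block-blacklisted", "deny", dst_feed=BLACKLIST),
    Rule("block-p2p", "deny", apps=frozenset({"bittorrent"})),
    Rule("employee-web", "allow", dport=443,
         apps=frozenset({"ssl", "web-browsing"}), groups=frozenset({"employees"})),
    Rule("allow-dns", "allow", dport=53, apps=frozenset({"dns"})),
)


def matches(rule: Rule, flow: Flow, directory: dict) -> bool:
    """A rule matches only if every populated criterion matches the flow."""
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    if rule.apps and flow.app not in rule.apps:
        return False
    if rule.groups and not (directory.get(flow.user, frozenset()) & rule.groups):
        return False
    if rule.dst_feed and flow.dst not in rule.dst_feed:
        return False
    return True


def evaluate(rules: Tuple[Rule, ...], flow: Flow, directory: dict = DIRECTORY) -> Tuple[str, str]:
    """First-match evaluation with an implicit deny at the end of the list."""
    for rule in rules:
        if matches(rule, flow, directory):
            return rule.action, rule.name
    return "deny", "implicit-deny"


class StatefulFirewall:
    """Stateful inspection: allowed flows get a state entry, and reply packets
    are admitted only when they belong to an established flow."""

    def __init__(self, rules: Tuple[Rule, ...], directory: dict = DIRECTORY):
        self.rules, self.directory, self.table = rules, directory, set()

    def initiate(self, flow: Flow) -> Tuple[str, str]:
        action, rule = evaluate(self.rules, flow, self.directory)
        if action == "allow":
            self.table.add((flow.src, flow.dst, flow.dport))
        return action, rule

    def reply(self, src: str, dst: str, sport: str) -> str:
        # A reply's (dst, src, sport) mirrors the original (src, dst, dport).
        return "allow" if (dst, src, sport) in self.table else "deny"


if __name__ == "__main__":
    # BitTorrent tunneled over TCP/443: the port-based policy cannot tell it from HTTPS.
    tunneled = Flow("10.1.1.10", "198.51.100.20", 443, "bittorrent", "alice")
    print("port-based:", evaluate(PORT_BASED, tunneled))   # allowed as 'https'
    print("ngfw      :", evaluate(NGFW, tunneled))         # denied by block-p2p
    fw = StatefulFirewall(NGFW)
    print(fw.initiate(Flow("10.1.1.10", "198.51.100.20", 443, "ssl", "alice")))
    print("reply to established flow :", fw.reply("198.51.100.20", "10.1.1.10", 443))
    print("unsolicited inbound packet:", fw.reply("198.51.100.20", "10.1.1.50", 443))
```

The two rule sets see the same three flows, and the contrast is the point of the article's "application awareness" and "directory-based policy" features: the port-based policy allows anything on 443, while the NGFW policy denies the tunneled peer-to-peer flow and an unknown guest user, and blocks a blacklisted destination before any other rule is consulted.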

Noncommon NGFW features vary by vendor, so this is where organizations can start to differentiate between products and choose the best NGFW for them.

For example:

  • Dell SonicWall provides security services such as gateway antimalware, content filtering and client antivirus and antispyware that are licensed on an annual subscription contract. Dell SecureWorks premium Global Threat Intelligence service is an additional subscription.
  • Cisco provides application visibility and control as part of the base configuration at no cost, but separate licenses are required for next-generation intrusion prevention systems (NGIPS), advanced malware protection and URL filtering.
  • McAfee provides clustering and multilink as standard features with McAfee Next Generation Firewall license.
  • Barracuda requires an optional subscription for malware protection (AV engine by Avira), threat intelligence and for advanced client network access control VPN/SSL VPN features.
  • Juniper offers advanced software security services (NGFW/UTM/IPS/threat intelligence service) shipped with its SRX Series Services Gateways that can be turned on with the purchase of an additional license, which can be subscription-based or perpetual. No additional components are required to turn services on/off.
  • Check Point provides a full NGFW solution package with all of its software blades included under a single license. However, it does not provide mobile device controls or Wi-Fi network control without purchasing a different Check Point product.

The key message in this comparison is that, in addition to the common features, organizations need to carefully review the features that require additional licenses and decide whether those features are significant enough to steer procurement toward specific products. For example, if a company requires data loss prevention (DLP), it might consider an NGFW that offers DLP, such as Check Point. Or, should it determine that the DLP components of NGFWs aren't sufficiently powerful for its purposes, it may decide to go with a standalone DLP product rather than an integrated one. The same applies to Web application firewall (WAF) technology in, say, the Dell SonicWall NGFW: WAF features are there, but it is -- again -- not a full-featured WAF. Another example is Cisco. Although malware protection is available, additional licenses are required for its Advanced Malware Protection, NGIPS and URL filtering. Barracuda NG Firewall likewise requires an additional license for malware protection (antivirus engine by Avira).

In addition, there are some vendors that provide threat intelligence services as part of their NGFW offerings, such as Fortinet, McAfee and HP TippingPoint. Juniper's Threat Intelligence Service, however, is shipped with its SRX NGFW model, but needs to be activated with the purchase of an additional license.

How is the NGFW sold, licensed and priced?

When an organization purchases a product, it receives a copy of the software or appliance and a license to use it. It doesn't actually own the software -- ownership rights belong to the software company, and customers are bound by the terms and conditions (T&Cs) of the license. All NGFW products are licensed per physical device. Additional licenses are required for the noncommon features stated above. Closely read the T&Cs to determine which services are included in the base NGFW product and which require an additional license.

While Check Point and Fortinet are sold through channel organizations, the remaining NGFW vendors sell both direct and through channel partners. All NGFW products, meanwhile, are priced by scale based on the type of hardware utilized and the service contract. Of particular importance are the wide price differences not just between vendors, but between the various offerings of individual vendors themselves.

Cisco, for example, is priced by user. The cost structure is $1,100 (1 to 99 users), $6,500 (100 to 999 users), $25,000 (1,000 to 4,999) and $100,000 (5,000+ users). Palo Alto, by contrast (based on data sheets reviewed), has 2,707 different pricing options ranging from $1,300 to $38,640,000 for its enterprise three-year contracts (PAN-ENT-SUB-4W-3YR).

While pricing structure appears disparate, similarities do exist in the lower-end product lines -- the smaller the NGFW need, the simpler the pricing. The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.

Licenses typically come in one-, two- and three-year subscriptions. As the number of users increases, volume discounts often apply. We generally recommend not paying MSRP on security products; however, keep in mind that vendors tend to be less flexible with single purchases. One approach is to time purchases for month- or quarter-end, as vendor personnel at these times are often under pressure to meet and exceed sales quotas.

Is there a free trial version of the NGFW available?

The only NGFW vendor that does not provide a free trial version at this time is HP TippingPoint. All others provide a free 30-day downloadable full virtual appliance or virtual machine (VM) version to test. Juniper does a bit better than the others, providing potential customers with a 30- to 90-day free trial version that they can run through its paces on their own network.

The key differentiators between NGFW products

What makes the best NGFW stand out among its peers is clearly of great interest. Below are some highlights of the noted differentiators.

  • Check Point is the inventor of stateful firewalls. It claims the highest IPS block rate among its competitors, the largest application library (over 5,000 applications) of any vendor, DLP covering over 600 file types, change management (i.e., configuration and rule changes) that no one else offers, and agent or agentless Active Directory integration.
  • Dell SonicWall has patented Reassembly-Free Deep Packet Inspection, and its centralized management allows users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.
  • Cisco ASA with FirePOWER Services provides an integrated defense solution with a broader set of firewall, threat detection and protection services than other vendors.
  • Fortinet lauds its 11-year-old in-house dedicated security research team, FortiGuard Labs. It is one of the few NGFW vendors that has its own, as most others OEM this activity. Fortinet also purports that its FortiGate NGFW delivers five times better performance than comparatively priced competitor products.
  • HP TippingPoint is known for its NGFW's simple, effective and reliable implementation. Its security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.
  • McAfee NGFW provides "intelligence aware" security controls, advanced evasion prevention and a unified software core design.
  • Barracuda purports to have the lowest total cost of ownership (TCO) in the industry, due to advanced troubleshooting capabilities and smart lifecycle management features built into its large-scale central management server. Its NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
  • Juniper SRX is the first NGFW to offer customers validated (Telcordia) 99.9999% availability (in its SRX 5000 line). The SRX Series is also the first NGFW to deliver automation of firewall functions via JunoScript and an open API for programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored to their network.

Although we will dive deeper into individual NGFW products in the product profiles, it is clear each NGFW vendor has established a foothold in unique areas that set it apart from the rest. The key for customers is to identify the deciding differentiators that meet and/or exceed their needs.

Which is the best NGFW product for you?

The stratagem to thwart attacks on enterprise network environments will always be based on risk. The level of protection (controls) should be commensurate with the value of the asset (risks). If protection requires an NGFW, familiarity with the NGFW vendors' products and models, and how they fit your organization and business model, is critical.

For example, if an organization is a small to medium-sized business, it may not consider the McAfee NGFW, since its SMB appliance requires only the Firewall License and comes with a somewhat limited feature set. Barracuda similarly has an NGFW for large enterprises and a separate firewall offering for SMBs, each with its own appliances and licenses.

All vendors considered here offer NGFW products for large enterprises. Check Point, Palo Alto, Fortinet and Cisco -- in particular -- stood out in the April 2015 Gartner Magic Quadrant for Enterprise Network Firewalls. The remaining NGFW products fall in the lower left-hand quadrant of the report, which identifies them as "niche players." Niche players include, for example, those NGFWs offered primarily to SMBs. Clients that this author has encountered in assessment work, meanwhile, have commented on features available in their NGFW of choice that they have not activated, due to either time constraints or insufficient knowledge of how to make use of them.

Consider the following criteria in selecting the NGFW vendor and model for your enterprise: identify the players; develop a short list; perform a proof of concept; make reference calls; consider cost; obtain management buy-in; and work out contract negotiations. TCO is also critical. Lastly, but no less important, consider the skill set of your staff and the business model and growth expectation for your enterprise -- these are all important factors in making your decision.

Next Steps

In part one of this series, learn about the basics of next generation firewalls in the enterprise

In part two of this series, find out about the three things to consider before deploying NGFWs

In part three of this series, discover the six criteria for buying next-generation firewalls

This was last published in October 2015

