Get started Bring yourself up to speed with our introductory content.

Six criteria for buying next-gen firewalls

Next-generation firewalls have become a key security component for enterprises. Expert Mike O. Villegas offers advice on how to purchase the right NGFW.

Next-generation firewalls (NGFWs) are hardware- or software-based network security products that can detect and block sophisticated attacks beyond traditional firewall technologies. There are more than a dozen different next-gen firewalls available, and while they all provide a variety of protection features that are commonly available in point products (such as traditional firewalls, intrusion detection systems (IDS)/intrusion prevention systems (IPS), wireless management systems, quality of service (QoS) and application control systems), there are often significant differences between what's enabled in specific NGFW offerings. So, for example, some vendors provide UTM products separately from NGFWs for SMBs, while others embed UTM features in their NGFW base offering.

Consequently, it is clear that regardless of what vendors call their next-gen firewall products, it is incumbent that buyers understand the precise features each NGFW product under consideration includes. To help get readers started on this process and guide them in making the best NGFW purchase decision for their particular environment, this article presents the evaluation criteria to consider and questions to ask when comparing and contrasting these IT security products during the procurement process.

Platform type

How is the NFGW provided? Most next-gen firewalls are hardware- (appliance), software- (downloadable) or cloud-based (SaaS). Hardware-based NGFWs appeal best to large and midsize enterprises; software-based NGFWs to small companies with simple network infrastructures; and cloud-based NGFWs to highly decentralized, multilocation sites or enterprises where the required skill set to manage them is wanting or reallocated.

Feature set

Not all NGFW features are similarly available by vendor. NGFW features typically consist of inline deep packet inspection firewalls, IDS/IPS, application inspection and control, SSL/SSH inspection, website filtering and QoS/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion. Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions.

An important caveat is that the bevy of features available in NGFWs outside of traditional firewall blocking and tackling is not full complements of each. For example, NGFW DLP is not at the level of the full-feature DLP typically provided by a dedicated DLP point product. Also, NGFW application control provides identification and authorization of defined applications, user access and additional time-of-day and upload/download permissions, but does not provide deep packet or content filtering of the application.

The key is to know what the organization is buying and whether or not it provides the level of protection required for each specific area of desired security.


Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations. However, enabling all available features at once could result in serious performance degradation. Admittedly, NGFW performance metrics have improved over the years, but the buyer needs to seriously consider performance in relationship to the security features they want to enable when determining the vendors they approach and the model of NGFW they choose.

For example, in October 2014, NSS Labs published the results of a comparative study of twelve NGFWs covering three major areas -- security, performance and total cost of ownership (TCO). The key findings stated that seven of the nine devices achieved a "recommended" overall value rating for TCO per protected megabits per second (Mbps). In addition, the NSS tested performance on all twelve NGFWs, finding throughput ranging from 719 Mbps to 18,771 Mbps (a significant range) with rates on two of the nine products significantly lower than their vendor's stated claims.


This criterion involves system configuration requirements and usability of the management console. The 2015 Gartner Magic Quadrant for Enterprise Network Firewalls evaluation criteria includes operations and manageability as important factors. It considers how the NGFW manages complex environments with many firewalls and users and very narrow firewall change windows.

System configuration changes and the user interface of the management console should be comprehensive, flexible and easy to use. It should (1) be comprehensive, such that it covers an array of features that preclude the need for augmentation by other point solutions; (2) be possible to exclude features that are not needed in the enterprise environment; and (3) be easy to use, such that the management console, individual feature dashboards and reporting are intuitive and incisive.


NGFW appliance, software and cloud service pricing varies considerably by vendor and model, with prices ranging from $599 to $80,000+ per device. Some are even priced by number of users (e.g., $1,100 for 1-99 users to $100,000 for 5,000 users+). All, meanwhile, have separate pricing for service contracts.

Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations. However, enabling all available features at once could result in serious performance degradation.

Closely review individual product offerings to determine what features are needed for your enterprise, factoring in what the organization can afford and what it cannot afford to have. If possible, do not pay retail prices. Most vendors will provide volume discounts (the more users supported the less it costs per user, for example) or discounts with viable prospects of further purchases.

Overall, pricing should be one of several factors in determining the TCO, the cost of a NGFW and the cost of its operation. For example, the TCO of a NGFW is not just the purchase price, but also the expenses incurred through its use, maintenance, support and operation. A NGFW that appears to be a great bargain might actually have a TCO that is higher than that of another NGFW, or even a combination of point solutions.


The 2015 Gartner Magic Quadrant on NGFW also rated support -- with quality, breadth and value of NGFW offerings viewed from the vantage point of enterprise needs. Given the critical nature of NGFWs, timely and accurate support is essential. Obtain references and ask to speak with vendor clients without the vendor present.

Support criteria for NGFWs should address responsiveness ranked by type of service request, quality and accuracy of the service response, currency of product updates, and customer education and awareness of current events.


The stratagem to thwart attacks on enterprise network environments will always be based on risk. The level of protection (controls) should be commensurate with the value of the asset (risks).

It is important that organizations familiarize themselves with the NGFW vendors and products that best fit their IT environments and business models.

To do so, consider these six criteria: platform base, feature set, performance, manageability, price and support. Then determine which of the remaining NGFW products best meet the organization's TCO requirements.

In addition, perform proof of concept evaluations to ensure that selected next-gen firewalls work well in the organization's IT infrastructure. Some NGFW vendors profess installation as easy as pickup-and-move, for example. For some NGFWs, that is a true statement, but prudent planning and testing prior to deployment is critical.

Hiring the right people or building the skill sets required to manage and maintain this new IT security environment with current staff is also important. Lastly, purchase at month and quarter's end to leverage vendor sales quota requirements to the organization's benefit.

Next Steps

Learn about the basics of next-gen firewalls in the enterprise

Find out what questions to ask before deploying a next-generation firewall

This was last published in July 2015

Dig Deeper on Network device security: Appliances, firewalls and switches

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

What purchasing criteria are most important for selecting a next-gen firewalls?