Once an organization has concluded that it needs to add a next-gen firewall to its security plan, it is faced with the process of evaluating next-gen firewall vendors.
While an arduous task, it is a necessary one. Those making the corporate purchase suggestion can make the process easier by asking themselves, and potential vendors, several key questions.
Below are 11 queries that your company may wish to consider including when drawing up the request for proposal to evaluate next-gen firewall (NGFW) products.
1. What capabilities does the NGFW have that your existing security products don't?
Specifically, what can the business and risk teams do with an NGFW that they cannot do with the existing firewall? What are the benefits of upgrading to a next-gen firewall? Can the NGFW scan for malware in inbound traffic? Can it perform basic data loss prevention on inbound/outbound traffic? Is it able to prevent attacks using intrusion prevention system (IPS) techniques?
2. How application-aware is the NGFW?
All NGFW vendors make the claim for granular application capabilities, but what that means in practice can vary by vendor. Define the applications and blocks and checks that your company wants and confirm with the vendor that it can handle them. For example, do you need to alert or block credit card numbers in VoIP? What about IP tunneling or command-and-control over port 53 (DNS)? Can the NGFW allow Gmail traffic but be savvy enough to block Gmail attachments?
3. Does the NGFW support remote and mobile users?
And if so, how? Does all remote traffic get sent back through a VPN or other tunnel to the NGFW? Is there a host agent on the remote device that enforces policies? Does the NGFW vendor provide policy enforcement for remote users in a distributed cloud model?
4. How are rules configured and managed?
NGFWs perform deep packet inspection and can enforce granular, application-level rules that are more complex than standard port-based stateful inspection rules. For full value, next-gen firewalls require configuration, time and effort. Does the vendor supply templates or wizards to help the organization set rules? Will the vendor have on-site support staff who can configure the firewalls before deployment?
5. What is the default model?
Is it "default deny" like a traditional firewall, or "default allow" like a traditional IPS? Default allow in a firewall is risky and may allow attack traffic through. This means that the default model has significant impact on overall security. But default deny can raise issues in a port-based model when legitimate application traffic travels over non-standard ports.
6. What systems, if any, can the NGFW integrate with?
As NGFW functionality increases, the ability to integrate with other systems becomes increasingly important. Can the NGFW integrate with a Web application scanner so a virtual patch rule can be implemented to protect vulnerable applications? Will the NGFW play well with the security information and event management system or log aggregation system in use in the security operations center?
7. What about identity awareness?
In addition to application awareness, many NGFWs are identity-aware. Can the NGFW support ID-based rules? If so, what kind of rules? Can the NGFW integrate with ID repositories like Active Directory to leverage ID-aware policies?
8. To block or not to block?
Next-gen firewalls can act as IPSes and perform active blocking on inbound and outbound traffic. However, blocking legitimate traffic can result in business disruption. This means that blocking needs to be implemented carefully. Does the NGFW support active blocking? Are there mechanisms available that customers can use to test and validate blocking rules before they are made active on the NGFW?
9. What are the performance metrics?
While today's NGFWs are a lot faster than old-school proxy firewalls, complex rule sets and data inspection take processing time. Perimeter firewalls often require very high throughput metrics. Has the vendor sized throughput for the NGFW with complex application and identification rules? Does the vendor have reference customers that can detail the kind of real-world throughput they are getting from the NGFW?
10. What about encrypted traffic?
Many NGFWs can terminate and decrypt SSL traffic, but if users are leveraging other point-to-point encryption technologies or encrypting files before sending them out of the company, the firewall can't inspect them. Can the NGFW inspect outbound SSL/HTTPS traffic? What is required to do that? Can it block unsupported encrypted tunnels and attachments?
11. What kind of reporting is supported?
If the NGFW will be used to control access based on application and identity, the reporting from the firewall may become increasingly important for compliance mandates and audit purposes. What report templates does the vendor supply? Are they in audit-ready format? Can they be imported into other reporting systems? Can customers tweak existing reports or create new ones as needed?
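To make questions 5 and 8 concrete, the following Python example (added here, not part of the original article and not any vendor's rule syntax) replays a handful of constructed flows against three rule sets without enforcing anything, and reports which legitimate flows would be blocked and which unwanted flows would pass. The `Flow` and `Rule` shapes, the application labels and the sample flows are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:                 # constructed sample record, not a vendor log format
    app: str                # application identified by inspection
    port: int               # destination port
    legit: bool             # ground truth known to the tester

@dataclass(frozen=True)
class Rule:                 # hypothetical rule shape, for illustration only
    action: str             # "allow" or "deny"
    app: Optional[str] = None    # None matches any application
    port: Optional[int] = None   # None matches any port

    def matches(self, flow: Flow) -> bool:
        return self.app in (None, flow.app) and self.port in (None, flow.port)

def decide(rules, default, flow):
    """First matching rule wins; otherwise the default model applies."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default

def dry_run(rules, default, flows):
    """Replay flows without enforcing anything; return both kinds of mistake."""
    blocked_legit = [f for f in flows if f.legit and decide(rules, default, f) == "deny"]
    passed_bad = [f for f in flows if not f.legit and decide(rules, default, f) == "allow"]
    return blocked_legit, passed_bad

FLOWS = [                                   # constructed test traffic
    Flow("https", 443, True),
    Flow("https", 8443, True),              # legitimate app on a non-standard port
    Flow("dns", 53, True),
    Flow("dns-tunnel", 53, False),          # command-and-control over port 53
    Flow("unknown", 4444, False),
]
PORT_RULES = [Rule("allow", port=443), Rule("allow", port=53)]    # port-based
APP_RULES = [Rule("allow", app="https"), Rule("allow", app="dns")]  # app-aware
IPS_RULES = [Rule("deny", app="dns-tunnel")]                      # deny list only

if __name__ == "__main__":
    for name, rules, default in [("port-based, default deny", PORT_RULES, "deny"),
                                 ("app-aware, default deny", APP_RULES, "deny"),
                                 ("deny list, default allow", IPS_RULES, "allow")]:
        blocked, passed = dry_run(rules, default, FLOWS)
        print(f"{name}: blocks legit={blocked} passes unwanted={passed}")
```
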
Below is a representative list of next-generation firewall vendors.
- Barracuda Networks, Inc.
- Check Point Software Technologies Ltd.
- Cisco Systems, Inc.
- Fortinet, Inc.
- Hewlett-Packard Co.
- Juniper Networks, Inc.
- McAfee, Inc.
- Palo Alto Networks, Inc.
- Dell SonicWall
- WatchGuard Technologies
These lists of must-ask questions and next-gen firewall vendors are great starting points for any enterprise embarking on the NGFW vendor evaluation process. While there are other questions to ask and vendors to consider, the lists provided should help get your organization started off on the right foot.
About the author:
Diana Kelley is the executive security advisor at IBM Security Systems and a co-founder of New Hampshire-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has 25 years of IT experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.