This content is part of the Essential Guide: How to conduct a next-generation firewall evaluation

Final considerations before a next-gen firewall purchase

View expert advice on seven final factors to take into account before making a next-gen firewall purchase, from vendor support options and ongoing costs to integration capabilities and community support.

Purchasing a next-generation firewall -- or any large technology investment for that matter -- is never a decision an enterprise should make lightly.

Especially in the case of a next-generation firewall (NGFW), organizations must take into account factors about both the vendor and the product that will impact the long-term costs of owning and managing the device.

Below are seven categories and considerations that your enterprise should keep in mind when evaluating a NGFW purchase.

1. Best-in-class or one-stop shop? Start-up or established vendor?

Looking at Gartner's Magic Quadrant for NGFWs, Check Point Software Technologies Ltd. and Palo Alto Networks, Inc., are the only companies in the upper-right section, which means that Gartner deems these two companies to be ahead of their competitors and positioned as leaders and visionaries in the NGFW market. However, neither of these vendors has a full-blown network and security portfolio offering like Cisco Systems Inc., which Gartner describes as a "challenger." In this market, best-in-class vendors are also both established companies, but if your organization is looking for a vendor that can supply more of your network needs (like routers, switches and wireless access points) along with your NGFW, that may override the best-in-breed requirement.

2. Real cost of deployment?

There's more to the cost of a firewall purchase than just the list price. Make sure the vendor quote takes into account any professional service time it provides, and factor in your own team's time to implement the product. NGFWs support more complex rules than other firewalls, and this often translates into needing more admin time to set up and test those rules. Also, does the vendor have package pricing for getting their product up and running in a company like yours?

3. Integration with other products?

Integration with identity services, global intelligence services and policy management consoles may be a deal-breaker for your organization. It is also critical to consider whether the NGFW can integrate with other systems. For example, how will the NGFW integrate with the security information and event management (SIEM) system or log-management tools in use at the security operations center or the network operations center? Is IT governance, risk and compliance (IT-GRC) tooling being used for policy validation and, if so, can reporting information from the NGFW be accessed by the IT-GRC tool? What else does the NGFW need to integrate with to protect your organization?

4. Support options?

Do you need multi-lingual, last-tier (most advanced technically) 24/7 technical support? If so, can the vendor supply it? What is the cost? Don't forget to ask how high the support calls can go: 24/7 access to a low-level support rep is not the same as being able to get to the last tier during a time of crisis.

5. User groups and community support?

Does the vendor have a community website where users can help each other? Is there an annual conference? The ability to network with peers and hear how they're using the product can greatly increase the value your organization gets from your NGFW.

6. Ongoing costs and licensing?

Do the ongoing costs and licensing account for a global environment? Does the vendor understand tax issues and in-country fees in non-U.S. locations? What is the licensing structure? Standard 18% or more complicated? Will that go up or down over the life of the product?

7. Upgrades and refresh cycles?

How often does your company go through hardware and software refreshes? Be sure to confirm with the vendor what its patch program is, when it goes through major software refreshes and how often a forklift (new hardware) upgrade is required. Security issues can arise from slow patch cycles, and industry-laggard issues can result from slow software refreshes. On the other hand, rapid software or hardware refreshes can raise TCO significantly, so the right balance needs to be struck.

Choosing a NGFW is a big commitment for an enterprise. After deciding that your organization wants and needs such a security tool, it is critical to use these seven considerations to make sure that your business not only gets the most bang for its buck but also understands the commitment involved in acquiring a next-gen firewall, which will span its entire lifecycle.

About the author:
Diana Kelley is the executive security advisor at IBM Security Systems and a co-founder of N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has 25 years of IT experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.


This was last published in September 2014
