This content is part of the Essential Guide: How to conduct a next-generation firewall evaluation

Next-generation firewall benefits: Is an NGFW best for your company?

A next-generation firewall won't meet the security needs of every single organization. Before making the move to next generation, be sure your enterprise understands these key decision criteria.

It's important to remember not all companies will want or need a next-generation firewall (NGFW).

If your organization doesn't need intrusion prevention system (IPS) functionality or additional application and identity awareness on a firewall, an NGFW might not be the best fit. Is your enterprise in the middle of a major refresh cycle? Or have you just finished a new deployment of non-NGFWs? If your organization isn't due for a "forklift" firewall upgrade -- and there are no pressing drivers like a compliance requirement not met by the current infrastructure -- the cost to transition to an NGFW likely isn't justified.

If, however, you are beginning an active firewall refresh cycle, think carefully about going with a next-generation firewall. Most major firewall players are now offering NGFW technology. If your vendor isn't, ask why. You need to make sure it's a company you feel confident can grow with your organization and offer the firewall benefits your business needs.

Below are a few more considerations to keep in mind before choosing an NGFW.

If you work at a small organization, a next-generation firewall may be overkill, and a unified threat management (UTM) system that has more security functions but less throughput might be more appropriate. UTMs and NGFWs often get blurred together, and the definition of one versus the other varies by vendor and analyst firm. At a high level, an NGFW combines firewall/VPN and IPS functionality with an emphasis on very high throughput. UTM, on the other hand, combines firewall, IPS, antimalware and content filtering. The trade-off for the UTM doing more is reduced speed and throughput, making UTMs a better fit for smaller companies with lower bandwidth needs than organizations with large-scale, high-volume deployments.

NGFW or else?

Remember: Just because NGFWs are "next-generation" doesn't mean they are the only viable option for your firewall needs over the next two to five years. Perhaps most importantly, don't forget that paying for functionality your company won't use doesn't make a lot of financial sense. If your organization is not ready to implement and manage more application- and identity-aware rules on a firewall, think twice before investing in those features. Has your organization spent the time to create complex identity-based rules that will be best implemented on an NGFW? Are those rules implemented today? If so, on what systems? Will putting them on the next-generation firewall be an improvement? Note: These questions may have layered answers.

For example, access to a healthcare information repository may be implemented using a custom application with granular identity and policy control requirements. Moving these rules to a next-generation firewall probably won't make sense because the identity requirements are so closely bound to (not to mention, proprietary to) the application in use. However, the ability to allow all of one user class (like all full-time employees, for example) to use Facebook or Twitter while blocking another class, such as temps and interns, may be a perfect use case for implementing identity- and application-aware rules on an NGFW.
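The social-media use case above, as an added example that is not from the article: a toy policy evaluator showing why a port-based firewall cannot express the rule while an identity- and application-aware NGFW can. Group names, application labels and the rule format are constructed for illustration, not any vendor's syntax.

```python
"""Toy first-match policy engine contrasting a port-only firewall rule with an
identity- and application-aware NGFW rule. Constructed example."""
from dataclasses import dataclass, field


@dataclass
class Flow:
    user_group: str   # identity learned from directory integration, e.g. "employees"
    app: str          # application identified by the NGFW, e.g. "facebook"
    dst_port: int     # transport port; both social apps here ride HTTPS on 443


@dataclass
class Rule:
    action: str                                 # "allow" or "deny"
    groups: set = field(default_factory=set)    # empty set = any user group
    apps: set = field(default_factory=set)      # empty set = any application
    ports: set = field(default_factory=set)     # empty set = any port

    def matches(self, f: Flow) -> bool:
        return ((not self.groups or f.user_group in self.groups)
                and (not self.apps or f.app in self.apps)
                and (not self.ports or f.dst_port in self.ports))


def evaluate(rules, flow):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return "deny"


SOCIAL = {"facebook", "twitter"}

# Port-based firewall: it only sees TCP/443, so it must allow or block all of HTTPS.
LEGACY = [Rule("allow", ports={443})]

# NGFW: the narrower deny for temps and interns is ordered before the allow.
NGFW = [
    Rule("deny", groups={"temps", "interns"}, apps=SOCIAL),
    Rule("allow", groups={"employees"}, apps=SOCIAL),
    Rule("allow", apps={"ssl"}),   # other HTTPS traffic stays open to everyone
]

if __name__ == "__main__":
    for f in (Flow("employees", "facebook", 443), Flow("interns", "twitter", 443)):
        print(f, "legacy:", evaluate(LEGACY, f), "ngfw:", evaluate(NGFW, f))
```

The legacy rule allows the intern's Twitter flow because both flows are indistinguishable at the port level; the NGFW rule set denies it while still allowing ordinary HTTPS.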

To integrate or not to integrate

Integration considerations might help drive a purchasing decision. For example, your enterprise may desire the ability to consume information from external sources like a global intelligence network for early identification and blocking of malicious websites or message-based attacks, such as wide-net phishing campaigns. Or for companies with heterogeneous firewall populations, the ability to integrate with a firewall policy management tool could be a deciding factor. Note that firewall vendors don't sell firewall policy management tools; they're sold by third parties and work with most major firewalls and NGFWs. These tools are especially useful for companies with different firewall brands and models that need to be managed for audit and policy purposes from a central console.

No matter what features and functions your company needs, don't forget to think through what matters most and has the most value to your specific organization before going out and talking to the vendors. It's easy to get sold on advanced features, but if you don't need them, won't use them or don't have the resources to manage them, these firewall benefits will not be of value to your organization right now, and, therefore, are not worth the extra money.

About the author:
Diana Kelley is the executive security advisor at IBM Security Systems and a co-founder of N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has 25 years of IT experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.

This was last published in August 2014
