First of all, do you know what NGFW stands for?
Yes, it is short for Next-Generation Firewall.
As a very popular kind of firewall, the NGFW provides reliable protection. Next-generation firewalls (NGFWs) ably protect enterprise networks from intrusions and attacks with integrated network security platforms that include in-line deep packet inspection firewalls, intrusion prevention systems (IPSes), application inspection and control, SSL/SSH inspection, website filtering and quality of service/bandwidth management. Once an organization has decided to go this route, however, choosing the best next-generation firewall for its IT environment can be a challenging process.
There are also many brands of firewall on the market. If you want to buy an NGFW, how do you select one?
Here are 3 tips for selecting an NGFW.
- How is the NGFW sold, licensed and priced?
When an organization purchases a product, it receives a copy of the software or appliance and a license to use it. It does not actually own the software: ownership rights belong to the software company, and customers are limited by the terms and conditions (T&C) of the license. All NGFW products are licensed per physical device. Additional licenses are required for the less common features stated above. Closely read the T&Cs to determine which services are available in the base NGFW product and which services require an additional license.
While Check Point and Fortinet are sold through channel organizations, the remaining NGFW vendors sell both direct and through channel partners. All NGFW products, meanwhile, are priced by scale based on the type of hardware utilized and the service contract. Of particular importance are the wide price differences, not just between vendors, but between the various offerings of an individual vendor.
Cisco, for example, is priced by user. The cost structure is $1,100 (1 to 99 users), $6,500 (100 to 999 users), $25,000 (1,000 to 4,999) and $100,000 (5,000+ users). Palo Alto, by contrast (based on data sheets reviewed), has 2,707 different pricing options ranging from $1,300 to $38,640,000 for its enterprise three-year contracts (PAN-ENT-SUB-4W-3YR).
While pricing structures appear disparate, similarities do exist in the lower-end product lines: the smaller the NGFW need, the simpler the pricing. The larger the enterprise and the volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.
Licenses typically come in one-, two- and three-year subscriptions. As the number of users increases, volume discounts often apply. We generally recommend not paying MSRP on security products; however, keep in mind that vendors tend to be less flexible with single purchases. One approach is to time purchases for month- or quarter-end, as vendor personnel at these times are often under pressure to meet and exceed sales quotas.
- Is there a free trial version of the NGFW available?
The only NGFW vendor that does not provide a free trial version at this time is HP TippingPoint. All others provide a free 30-day downloadable full virtual appliance or virtual machine (VM) version to test. Juniper does a bit better than the others, providing potential customers with a 30- to 90-day free trial version that they can run through its paces on their own network.
The key differentiators between NGFW products
What makes the best NGFW stand out among its peers is clearly of great interest. Below are some highlights of the noted differentiators.
(1) Check Point
Check Point is the inventor of the stateful firewall. It has the highest IPS block rate among its competitors, the largest application library (over 5,000) of any vendor, DLP covering over 600 file types, change management (i.e. configuration and rule changes) that no one else has, and agent-based or agentless Active Directory integration.
(2) Dell SonicWall
Dell SonicWall has patented Reassembly-Free Deep Packet Inspection, and its centralized management allows users to deploy, manage and monitor many thousands of firewalls through a single pane of glass.
(3) Cisco ASA with FirePOWER Services
This Cisco firewall series provides an integrated defense solution with broader firewall features and threat detection and protection services than other vendors.
(4) Fortinet
Fortinet lauds its 11-year-old in-house dedicated security research team, FortiGuard Labs. It is one of the few NGFW vendors that has its own, as most others OEM this activity. Fortinet also purports that its FortiGate NGFW can deliver five times better performance than comparably priced competitor products.
(5) HPE TippingPoint
HPE TippingPoint is known for its NGFW's simple, effective and reliable implementation. Its security effectiveness coverage is high, with over 8,200 filters that block known and unknown threats and over 383 zero-day filters in 2014 alone.
(6) McAfee NGFW
McAfee NGFW provides “intelligence aware” security controls, advanced evasion prevention and a unified software core design.
(7) Barracuda
Barracuda purports to have the lowest total cost of ownership (TCO) in the industry, due to advanced troubleshooting capabilities and smart lifecycle management features built into its large-scale central management server. Its NGFW is also the only one that provides NGFW application control and user identity functions for SMBs.
(8) Juniper SRX
The Juniper SRX series is the first NGFW to offer customers validated (Telcordia) 99.9999% availability (in its SRX 5000 line). The SRX Series is also the first NGFW to deliver automation of firewall functions via JunoScript and an open API for programming tools. Open attack signatures in the IPS also allow customers to add or customize signatures tailored to their network.
Although we will dive deeper into individual NGFW products in the product profiles, it is clear that each NGFW vendor has established a foothold in unique areas that set it apart from the rest. The key for customers is to identify the deciding differentiators that meet and/or exceed their needs.
- Which is the best NGFW product for you?
The strategy for thwarting attacks on enterprise network environments will always be based on risk. The level of protection (controls) should be commensurate with the value of the asset (risk). If protection requires an NGFW, familiarity with the NGFW vendors' products and models that fit your organization and business model is critical.
For example, if an organization is a small to medium-sized business, it may not consider the McAfee NGFW since its SMB appliance requires the Firewall License only, with its somewhat limited feature set. Barracuda similarly has a NGFW for large enterprises and a firewall offering for SMB, each with separate appliances and licenses.
All vendors considered here offer NGFW products for large enterprises. Check Point, Palo Alto, Fortinet and Cisco, in particular, stood out in the April 2015 Gartner Magic Quadrant for Enterprise Network Firewalls. The remaining NGFW products fall in the lower left-hand quadrant of the report, where they are identified as "niche players." Niche players, for example, include those NGFWs offered primarily to SMBs. Clients that this author has encountered in assessment work, meanwhile, have commented on features available in their NGFW of choice that they have not activated, due either to time constraints or to insufficient knowledge of how to make use of those features.
Consider the following criteria in selecting the NGFW vendor and model for your enterprise: identify the players; develop a short list; perform a proof of concept; make reference calls; consider cost; obtain management buy-in; and work out contract negotiations. TCO is also critical.
When you select a brand, you also need to compare the benefits among series of the same brand, such as a comparison of the Cisco ASA5500-X NGFW models.
Lastly, but no less important, consider the skill set of your staff and the business model and growth expectations for your enterprise; these are all important factors in making your decision.