BUYERS GUIDE

What to Look for

in Next-Generation
Firewalls
An NGFW is a major technology purchase.
Understanding product features and capabilities,
and having a clear sense of your real security
requirements, is critical to choosing the
best product.
BY MIGUEL O. VILLEGAS
 BUYERS GUIDE
What to Look for
in Next-Generation
Firewalls
What to Look for in Next-Generation Firewalls
Choosing the best next-
generation firewall for your
particular enterprise requires a
thorough understanding of the
varieties of NGFW technology
available so that product-to-
product comparisons can be
correctly and efficiently made.
NGFWs are available in a vari-
ety of configurations and price
ranges.
This Buyers Guide explains
the essence of next-gen firewall
technology and which features
provide what type of protection
for company networks.
STAY CONNECTED!
Follow @SearchSecurity today.
2 EXPLAINED
NGFWs EXPLAINED
Next-generation firewalls are
integrated, hardware- or soft-
ware-based, network security
platforms. They were developed
as a means to detect and block
sophisticated attacks beyond the
abilities of traditional firewall
technologies.
The next-gen firewalls avail-
able on the market today can
vary significantly from one
another in many ways, includ-
ing both price and the specific
features provided. Choosing the
best next-generation firewall
requires careful study of the
technology in general, and an
understanding of your systems
particular needs.
HOW IT WORKS FEATURES
HOW AN NGFW WORKS
The best next-generation fire-
wall is one that is comprehen-
sive, flexible and easy to use.
To be comprehensive, an
NGFW should include intru-
sion prevention, antivirus/mal-
ware prevention, application
control, deep packet inspection
(DPI) andstateful inspection,
encryption, compression, qual-
ity of service (QoS) and other
capabilities.
Second, NFGWs must be flex-
ible, which also means scalable,
so that features can be modu-
larized and activated based on
need.
Finally, NFGWs must be easy
to use, with a fairly intuitive
THE BOTTOM LINE
 BUYERS GUIDE
management interface that pro-
What to Look for
in Next-Generation vides a clean and easy-to-read
Firewalls
dashboard, feature activations,
rule-set definitions, configu-
ration analysis, vulnerability
assessments, activity reports
and alerts.
Some NGFW features are
more robust and advanced than
others. So it is incumbent upon
customers to carefully vet the
features of individual products
to determine the best next-
generation firewall for them. For
example, not all NGFWs pro-
videtwo-factor authenticationor
mobile device security. But then
again, not every customer needs
those features. And while there
are those NGFW vendors that
say their product supports such
features, some of these might
require additional modules or
products in order to make them
work.
3 EXPLAINED
FEATURES TO LOOK FOR
Most NFGWs are appliance-
based, but some are available as
virtual products (software) so
that enterprises can install them
on their own servers. Some
NGFWs are delivered over the
cloud as asoftware as a service.
Most are modular, such that an
enterprise can choose to pur-
chase and activate features com-
mensurate with their specific
needs and risks.
It is important that organiza-
tions familiarize themselves
with the vendors and products
that best fit their IT environ-
ments and business models.
There are six criteria to con-
sider: platform base, feature set,
performance, manageability,
price and support.
Platform type: How is the NFGW
product provided? Next-gen
HOW IT WORKS FEATURES
firewalls are hardware, software,
or cloud-based. Hardware-based
NGFWs appeal to large and mid-
size enterprises; software-based
NGFWs suit small companies
with simple network infrastruc-
tures; and cloud-based NGFWs
to highly decentralized, multilo-
cation sites or enterprises where
the required skill set to manage
them is wanting or reallocated.
Feature set: Not all vendors
offer all NGFW features. Typi-
cal NGFW features include
inline DPI, IDS/IPS, application
inspection and control,SSL/
SSHinspection,website filter-
ingand QoS/bandwidth man-
agement to protect networks
against the latest in sophis-
ticated network attacks and
intrusion.
Other common NGFW fea-
tures include DLP, threat
THE BOTTOM LINE
 BUYERS GUIDE
intelligence,mobile device secu-
What to Look for
in Next-Generation rity,data loss prevention(DLP),
Firewalls
Active Directory integration and
an open architecture that allows
clients to tailor application con-
trol and even some firewall rule
definitions.
An important caveat is that
the bevy of features available in
NGFWsoutside of traditional
firewall blocking and tackling
are not full complements. In
other words, an NGFWs DLP is
not at the level of the full-fea-
ture DLP typically provided by
a dedicated DLP product. Simi-
larly, NGFW application con-
trol provides identification and
authorization of defined applica-
tions, user access and additional
time-of-day and upload/down-
load permissions, but does not
provide deep packet or content
filtering of the application.
The key is to know what
4 EXPLAINED
the organization is buying and
whether or not it provides the
level of protection required for
each specific area of desired
security.
Performance: Because they inte-
grate many features into a single
appliance, a next-generation
firewall may seem attractive to
some organizations. However,
enabling all available features at
once could result in serious per-
formance degradation.
It is true that NGFW perfor-
mance metrics have improved
over the years. But nevertheless,
the buyer still needs to seri-
ously consider performance in
relationship to the security fea-
tures they want to enable when
determining which vendors to
approach and what model is the
best next-generation firewall for
their company.
HOW IT WORKS
Manageability: Manageability
refers to system configuration
requirements and usability of
the management console. The
2015 GartnerMagic Quadrantfor
Enterprise Network Firewalls
evaluation criteria includes
operations and manageability as
important factors. It considers
how the NGFW manages com-
plex environments with many
firewalls and users and very nar-
row firewall change windows.
System configuration changes
and the user interface of the
management console should be
comprehensive, flexible and easy
to use.
Specifically, the best NGFW
would (1) be comprehensive,
such that it covers an array of
features that preclude the need
for augmentation by other point
solutions; (2) allow the exclusion
of features that are not needed
FEATURES THE BOTTOM LINE
 BUYERS GUIDE
in the enterprise environment;
What to Look for
in Next-Generation and (3) be easy to use, such
Firewalls
that the management console,
individual feature dashboards
and reporting are intuitive and
incisive.
Price: NGFW appliance, soft-
ware and cloud service pricing
varies considerably by vendor
and model, with prices ranging
from several hundred dollars to
many tens of thousands of dol-
lars. Some are even priced by
the number of users (e.g., $1,100
for 1-99 users to $100,000 for
5,000 users+). All, meanwhile,
have separate pricing for service
contracts.
Closely review individual
product offerings to determine
what features are best for your
enterprise, factoring in what
the organization can afford and
what it cannot afford to have.
5 EXPLAINED
If possible, do not immediately
agree to the retail price named.
Most vendors will provide vol-
ume discounts (the more users
supported the less it costs per
user, for example) or discounts
with viable prospects of further
purchases.
Overall, pricing should be one
of several factors in determining
the total cost of ownership. For
example, the TCO of a NGFW
is not just the purchase price,
but also the expenses incurred
through its use, maintenance,
support and operation. A NGFW
that appears to be a great bargain
might actually have a TCO that
is higher than that of another
NGFW, or even a combination of
point solutions.
Support: Given the critical nature
of NGFWs, timely and accu-
rate support is essential when
HOW IT WORKS FEATURES
choosing the best NGFW for
your company. Obtain refer-
ences and ask to speak with ven-
dor clients without the vendor
present.
Support criteria for NGFWs
should address responsive-
ness ranked by type of service
request, quality and accuracy of
the service response, currency of
product updates, and customer
education and awareness of cur-
rent events.
THE BOTTOM LINE
Next-generation firewalls offer
a good complement of security
point products that, although
not yet the silver bullet, address
many network security con-
cerns. NGFWs are not for every-
one, however. When deciding
whether or not to deploy the
technology (or when making a
THE BOTTOM LINE
 BUYERS GUIDE
business case to management),
What to Look for
in Next-Generation first determine if the investment
Firewalls
in an integrated NGFW security
product is justifiable, is aligned
with existing IT strategies and
has a well-defined TCO.
In order to determine the best
next-generation firewall for
their enterprises, potential pur-
chasers also need to look at their
network architecture, threat
vectors and risk appetite to
determine if point products or
NGFWs are the best approach.
That said, NGFWs do provide a
single vendor, architecture and
management interface for more
flexibility in providing differing
levels of protection, common
reporting and, typically, a cost
reduction by negating the need
to purchase separate security
appliances and services.
6 EXPLAINED
Migrating to a NGFW often
requires a considerable expendi-
ture and architectural remedia-
tion effort in the short run. For
some organizations, that may
exceed the benefits of convert-
ing, especially if their initial
investment for their existing
point products deployment has
been significant.
Nonetheless, converting to a
NGFW realizes substantial sav-
ings (not just in money, but in
time and effort in support and
management) over time. And
because they are integrated, an
NGFW tends to be more effec-
tive because of the combination
of security services it provides
that have been designed, tested
and vetted to work together.
Much of the integration, that
is, has already been done and
HOW IT WORKS FEATURES
provided in a box.
While savings over the long
haul could be considerable
with a NGFW, and the efficacy
of integrated security is well
known, the decision to take the
plunge now or wait until later
comes down to the level of com-
mitment and resources available
to an organization. n
MIGUEL O. MIKE VILLEGAS is vice presi-
dent for K3DES LLC, a payment and tech-
nology consulting firm. Over a span of 30
years, Villegas has been a CISO for a large
online retailer, partner for two Big Four
consulting firms over a span of nine years,
vice president of IT risk management, an IT
audit director for several large commercial
banks, and owner of an information security
professionals firm. He is past president of
the Los Angeles and San Francisco ISACA
chapters and holds many certifications, in-
cluding CISA, CISSP, GSEC, CEH, QSA and
PA-QSA.
THE BOTTOM LINE
 This Buyers Guide, What to Look for in Next-Generation Firewalls, is a SearchSecurity e-publication.

Robert Richardson | Editorial Director

Kara Gattine | Executive Managing Editor

Brenda L. Horrigan | Managing Editor

Robert Wright | Site Editor

Peter Loshin | Site Editor

Linda Koury | Director of Online Design

Jacquelyn Howard | Senior Director, Editorial Production

Joe Hebert | Managing Editor, E-Products

Doug Olender | Senior Vice President/Group Publisher | dolender@techtarget.com

TechTarget 275 Grove Street, Newton, MA 02466

www.techtarget.com

2016 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written
permission from the publisher. TechTarget reprints are available through The YGS Group.
About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store
of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent
expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.