What to consider when deploying a next-generation firewall
- 09 November, 2017 05:51
Firewalls have become ubiquitous across enterprises over the past decade, but the combination of new and varied access methods combined with increasingly sophisticated attacks has forced network operators and security professionals to constantly evaluate their defenses.
Typically, firewalls are on a five-year refresh cycle, according to Gartner researcher Adam Hils, and that gives organizations the opportunity to evaluate fairly regularly what type of firewall and what features best suit their needs.
So, when deploying a next-generation firewall what are the major factors to consider? Choices such as throughput capacity, deployment criteria all the way to configuration implementations are all important.
Next-gen vs traditional firewalls
Perhaps the first question is, why do you need a next-generation firewall (NGFW) as opposed to a potentially less expensive previous generation version. Traditional, port-based, stateful firewalls are regarded as being “far-sighted,” according to a Palo Alto Networks whitepaper. “They can see the general shape of things, but not the finer details of what’s actually happening.” NGFWs are packed with a multitude of new features and functionality allowing them to inspect traffic at a much finer level. Some features include:
-Intrusion prevention systems (IPS): These systems inspect network packet signatures and use advanced anomaly detection features to not only identify but also to block threats.
-Deep packet inspection (DPI): This technology goes beyond just the inspection of packet headers to search for and block known threats within traffic packets as they pass through an “inspection point” within the NGFW.
-SSL inspection: This technology inspects encrypted traffic to stop known threats, even if they’re encrypted.
Many of the features in a NGFW can be purchased as standalones, such as IPS, DPI and SSL inspections. A NGFW integrates these capabilities into a single system.
Create a security strategy
When consulting with vendors on a NGFW deployment, one of the first conversations will be around the organization’s security posture. No amount of technology can replace the critical work of evaluating an environment and prioritizing the most important business-critical assets that need to be protected. This is a conversation that may include multiple departments, from IT to network and security services, to HR and executive leadership.
“Basically, organizations need to figure out, if they don’t already know, where the pearls of their data are and make a plan around protecting that,” says Gartner researcher Hils. Organizations typically gather these requirements and approach multiple vendors for a quote.
Most firewalls are still deployed at the perimeter of the data center, but depending on if customers have adopted microsegmentation and network virtualization there could be firewalls deployed within the data center as well.
In recent years, firewall vendors have allowed customers to opt into sharing what threats are being blocked, in essence crowd-sourcing security protections. Firewall software can be updated from the vendor at regular intervals to ensure it has up to date protections against all the latest threats and vulnerabilities.
Once you’re sold on the idea of a NGFW and have an idea of security requirements, a next-step is evaluating the saturated market of vendors offering NGFWs. Gartner’s latest Magic Quadrant lists Palo Alto Networks, Fortinet and Check Point Software Technologies as leaders in the next-generation firewall market. Gartner names Cisco, with its Firepower NGFW product line, and Huawei as challengers in the market.
Rounding out the market are companies like Forcepoint, which is a mid-sized pure-play security vendor that offers not just a NGFW, but also web and email security platforms. Sophos, Juniper Networks, Barracuda Networks, WatchGuard, Sangfor, Hillstone, SonicWall, AhnLab, Stormshield and the new H3C Group all compete in the NGFW market too.
Firewall cost analysis
When purchasing a firewall, the initial capital expense of firewall hardware isn’t the only expense to consider. Firewalls run complex software systems that are bundled with the hardware. Most enterprise firewall installations require multiple hardware pieces and a central management system for controlling them, which can be software only or a combination of hardware and software.Other expenses include installation, ongoing maintenance, support and updates.
NSS Labs, which runs tests on infrastructure equipment, says it can be difficult to compare firewall products apples-to-apples because vendors offer different levels of network throughput. The initial purchase price of a system that includes five firewalls and a central management system ranged from $30,000 to $715,000, with the average being about $200,000.
NSS also warns that there can be a difference between vendors’ advertised maximum throughput and the throughput in tested and real-world scenarios. NSS found that tested throughput of firewalls could be up to 80% less than the advertised for some vendors, so it recommends testing the systems in your environment before purchasing.
One of the chief decisions to make when deploying a firewall is how big of a hardware box is needed. The throughput of the network connection is the primary factor influencing this decision. How the network is setup influences how much throughput the firewall must be able to handle. Ryan Choate, with the Alameda County Education office, recently upgraded from a 5050 version of Palo Alto’s firewall – which has throughput speeds of up to 20 Gbps – to a 7080, which supports up to 200 Gbps of throughput.
Why such an increase? Before the new system, each of the more than a dozen school districts in the county managed its own network connections and firewalls. After a redesign, the education office became a central pooled resource for the entire county. Now, all incoming and outbound traffic travels through the central education office’s firewall. The firewall controller – a piece of software that centrally manages the deployment of firewall hardware – allows for granular policy enforcement depending on specific users or sites within the network. Not only does the firewall learn what threats have been blocked, it also gets constant updates on the latest vulnerabilities.
“There are a large number of threats and risks, and one the values of not just a content filtration system, but a full firewall is that we see all of those threats by the day, hour, even minute,” Choate says. “We’re not hiding ourselves, we’re a public entity and we’re a pretty big target. With good conscience, I couldn’t not run a firewall in the environment.”