How to shop for enterprise firewalls
30 April, 2019 14:00
Firewalls have been around for years, but the technology keeps evolving as the threat landscape changes. Here are some tips about what to look for in a next-generation firewall (NGFW) that will satisfy business needs today and into the future.
Don't trust firewall performance stats
Understanding how an NGFW performs requires more than looking at a vendor’s specification or running a bit of traffic through it. Most firewalls will perform well when traffic loads are light. It’s important to see how a firewall responds at scale, particularly when encryption is turned on. Roughly 80% of traffic is encrypted today, and the ability to maintain performance levels with high volumes of encrypted traffic is critical.
Also, be sure to turn on all major functions – including application and user identification, IPS, anti-malware, URL filtering and logging – during testing to see how a firewall will hold up in a production setting. Firewall vendors often tout a single performance number that's achieved with core features turned off. Data from ZK Research shows many IT pros learn this lesson the hard way: 58% of security professionals polled said they were forced to turn off features to maintain performance.
Before committing to a vendor, be sure to run tests with as many different types of traffic as possible and with various types of applications. Important metrics to look at include application throughput, connections per second, maximum sessions for both IPv4 and IPv6, and SSL performance.
NGFW needs to fit into broader security platform
Is it better to have a best-of-breed strategy or go with a single vendor for security? The issue has been debated for years, but the fact is, neither approach works flawlessly. It’s important to understand that best-of-breed everywhere doesn’t ensure best-in-class security. In fact, the opposite is typically true; having too many vendors can lead to complexity that can't be managed, which puts a business at risk. A better approach is a security platform, which can be thought of as an open architecture that third-party products can be plugged into.
Any NGFW must be able to plug into a platform so it can "see" everything from IoT endpoints to cloud traffic to end-user devices. Also, once the NGFW has aggregated the data, it should be able to perform analytics to provide insights. This will enable the NGFW to take action and enforce policies across the network.
Multiple form factors, consistent security features
Firewalls used to be relegated to corporate data centers. Today, networks have opened up, and customers need a consistent feature set at every point in the network. NGFW vendors should have the following form factors available to optimize price/performance:
- Data center
- Internet edge
- Midsize branch office
- Small branch office
- Ruggedized for IoT environments
- Cloud delivered
- Virtual machines that can run in private and public clouds
Also, NGFW vendors should have a roadmap for a containerized form factor. This certainly isn’t a trivial task. Most vendors won’t have a container-ready product yet, but they should be able to explain how they plan to address the problem.
Single-pane-of-glass firewall management
Having a broad product line doesn’t matter if products need to be managed individually. This makes it hard to keep policies and rules up to date and leads to inconsistencies in features and functions. A firewall vendor must have a single management tool that provides end-to-end visibility and enables the administrator to make a change and push it out across the network at once. Visibility must extend everywhere, including the cloud, IoT edge, operational technology (OT) environments, and branch offices. A single dashboard is also the right place to implement and maintain software-based segmentation instead of having to configure each device.
Firewall automation capabilities
The goal of automation is to help remove many of the manual steps that create "human latency" in the security process. Almost all vendors tout some automation capabilities as a way of saving on headcount, but automation goes well beyond that. Automation can also be used to better protect the organization by predicting behaviors and executing protection faster. If used correctly, automation can reduce the human burden and prevent cyber-attacks. Below are three use cases for automation with NGFWs:
- Workflow automation simplifies the job of the security engineer by offloading many of the mundane, day-to-day tasks. Managing multiple devices across multiple environments can increase complexity and introduce risk from configuration errors. Workflow automation can be thought of as rule lifecycle management to automate every stage of the change management process. The workflows should be customizable to adapt to the security goals and standards. Also, automation can lift the burden of some tedious tasks, such as identifying applications and devices. If the NGFW has a large enough database, almost all apps and endpoints will be identified. Without it, the administrator needs to go through a long list of unknowns and identify them manually.
- Policy automation makes security much more agile. Change is the norm in businesses today as companies are becoming increasingly dynamic and distributed. This makes it almost impossible to keep policies up to date using manual methods. Policy automation ensures that the policies are being adhered to continually, even when things change. For example, if all IoT devices are to remain in a secure segment and a device moves, the policy needs to automatically follow the device instead of having to reconfigure the network.
- Security identification and enforcement automation can help find threats faster and react to them in near real time. Threats often linger in companies for days, weeks or even months before they are identified, which causes significant damage. The power of a platform is that it sees all and is able to identify even the most minuscule anomaly, such as an IoT device periodically trying to access a point-of-sale system. Automation can be used to find the anomaly and quarantine the endpoint in a secure segment. Ideally, the automation capabilities would extend to enforcement and remediation, so the threat can be removed and the device placed back in the network.
Lastly, automation needs an interface that’s easy to understand. A general rule of thumb for all IT projects is that the solution needs to be simpler than the original problem. Many automation tools have steep learning curves, which limits their usefulness. Businesses should be able to grow the use of automation without having to add more people.
NGFW advanced features
In addition to the basic blocking and tackling for the NGFW, the feature set should include advanced capabilities to optimize performance and deliver new features. The list of advanced features that are available is extremely long; here are a few that can address some of the biggest enterprise pain points.
- Optimization services, which enable customers to maximize their ROI from security investments. This would be done from a set of vendor-provided tools and resources to help customers adopt best practices to ensure things are configured and deployed correctly.
- Policy optimization, which enables rules to be analyzed and then determines which rules to keep, get rid of, or clean up. Traditional firewalls used port-based rules, and NGFWs operate on application-based whitelist rules. One of the challenges companies have with migrating from port-based to app-based is the rule set can become massive and unruly. Many companies have millions of firewall rules and no way to clean them up before migrating. Policy optimization can help remove unused rules, which keeps the rule set clean and reduces the overall attack surface.
- DNS security, which uses machine learning capabilities to block attacks that use DNS. The use of DNS as an attack vector continues to grow as it is easy to direct users to bad domains through phishing. There are DNS security tools, but they are separate from the firewall. Integration with the NGFW enables protection to be automated and obviates the need for stand-alone tools. This leads to faster identification of malicious domains combined with the ability to neutralize the threat hidden in the DNS tunnel.
- Credential theft protection protects the company from stolen passwords. This is the oldest and easiest way to gain access to a network. Once a threat actor has access to stolen credentials, they can bypass all security tools by pretending to be that trusted user. The adversary can then freely move within the company, picking and choosing which data to steal or what harm to cause. An NGFW that is part of a platform can identify and prevent attempts to steal credentials by stopping valid credentials from being entered into an illegitimate website. The NGFW can then automate rules to prevent lateral movement to different systems, giving the company time to inform the user and change passwords. In addition, businesses need to be protected against misuse of credentials that have already been stolen. To protect against this, the NGFW vendor should partner with leading multi-factor authentication (MFA) vendors.
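To make the policy optimization item above concrete, here is an added example (not from the article or any vendor's tooling) that reviews a port-based rule set before migration. It goes beyond the unused-rule case the article mentions by also flagging rules shadowed by an earlier, broader rule; the `Rule` fields, first-match-wins evaluation and per-rule hit counters are assumptions, and the rule set is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # source CIDR
    dst: str       # destination CIDR
    port: int      # destination port, 0 = any
    action: str    # "allow" or "deny"
    hits: int      # hit counter over the review window (assumed available)

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.port in (0, b.port))

def review(rules):
    """Classify each rule (first match wins) as keep, remove or clean up."""
    findings = {}
    for i, rule in enumerate(rules):
        earlier = next((r for r in rules[:i] if covers(r, rule)), None)
        if earlier is not None:
            # Same action: dead weight. Different action: the rule's intent
            # (e.g. a deny) is silently never enforced.
            kind = "redundant" if earlier.action == rule.action else "conflict"
            findings[rule.name] = f"{kind}: shadowed by {earlier.name}"
        elif rule.hits == 0:
            findings[rule.name] = "unused: no hits in review window"
        else:
            findings[rule.name] = "keep"
    return findings

# Constructed sample rule set, not taken from any real device.
RULES = [
    Rule("web-in", "0.0.0.0/0", "10.0.1.0/24", 443, "allow", 91234),
    Rule("web-one-host", "0.0.0.0/0", "10.0.1.10/32", 443, "allow", 0),
    Rule("block-partner", "198.51.100.0/24", "10.0.1.0/24", 443, "deny", 0),
    Rule("legacy-ftp", "10.0.0.0/8", "10.0.9.5/32", 21, "allow", 0),
    Rule("db-admin", "10.0.2.0/24", "10.0.3.0/24", 5432, "allow", 17),
]

if __name__ == "__main__":
    for name, verdict in review(RULES).items():
        print(f"{name:14} {verdict}")
```

The `conflict` finding is the one to act on first: a zero-hit deny that sits below a broader allow looks harmless in a hit-count report but means traffic the rule was written to block is being permitted.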
Despite how long NGFWs have been available, they are far from becoming a commodity. They should be considered the foundation of a security platform strategy that enables better security everywhere in the network. Don’t be fooled by slick marketing and glossy spec sheets. Instead, do your own testing and ensure the needs of your company are being met in all scenarios. Because with NGFWs, small variances in performance can have a big impact on threat protection.