Identifying the best fit NGFW (Next Generation Firewall)

Next generation firewall solutions are here to stay. And for good reason. They offer a much more comprehensive and integrated security solution.

No network environment is safe.

Even the largest corporations and their networks aren’t safe against security breaches.

This leads us to the following question:

Can conventional protection mechanisms like firewalls and antivirus software programs withstand and guard against hackers gaining unauthorized access to vital network assets?

Many security experts believe that antivirus applications, firewalls and other intrusion prevention systems are no longer effective.

In other words, they consider them useless, even redundant.

But of course, this is not the truth.

The truth is that the majority of online users and corporate networks rely on these technologies for their security.

These security products still dominate the market, and their users arguably still need them in order to stay operational.

Of course, security firms have to come up with more effective, robust and integrated security products.

Organizations need these security products; they do not merely want them.

Threats that target network infrastructures are advancing every day.

That is the reason why security products have to evolve at a much faster rate as well.

Next Generation Firewalls (NGFWs)

What are these?

As the name suggests, these are advanced firewalls.

They are firewalls that can carry out deep packet inspection.

They don’t just protect the network by inspecting and/or blocking on protocol or port.

These firewalls move beyond that to advanced capabilities such as:

  • Intrusion prevention
  • Application-level control
  • Bringing intelligence from outside the firewall into its decisions

Traditional firewalls are basically packet filters.

They aren’t like Next Generation Firewalls.

In other words, conventional firewalls with no advanced features only protect users at layer 4 (transport) and layer 3 (network) of the OSI model.

These firewalls consist of rules that allow or deny packets.

They do that by discriminating on the source IP address of each incoming packet along with:

  • The destination IP address
  • The type of protocol the packet carries, for example:
    IP packets that carry normal data
    Internet Control Message Protocol (ICMP)
    Address Resolution Protocol (ARP)
    Reverse Address Resolution Protocol (RARP)
    Bootstrap Protocol (BOOTP)
    Dynamic Host Configuration Protocol (DHCP)
  • Other lesser-known routing features
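To make the distinction concrete, here is an added example (not code from the article or from any vendor named in it) of a stateless layer 3/4 packet filter in Python. The addresses, rules and packets are constructed for the example. The last packet in the demo shows the limitation the article is pointing at: a filter that only sees addresses, protocol and port cannot tell two applications apart when they share a port, which is the gap deep packet inspection closes.

```python
"""Toy stateless (layer 3/4) packet filter, added as an illustration.

Each packet is judged on its own against an ordered rule list keyed on
source/destination IP, IP protocol and destination port, the only fields a
traditional packet-filtering firewall looks at.  The policy, addresses and
packets below are constructed for the example, not taken from any deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    dport: Optional[int]       # None for protocols without ports (ICMP)
    payload: bytes = b""       # present on the wire, but a L3/L4 filter never reads it


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str = "0.0.0.0/0"     # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None = any protocol
    dport: Optional[int] = None      # None = any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed policy: the inside network 10.0.0.0/8 may browse the web on
# 443/80 and ping out; one internal host is shielded; everything else is denied.
POLICY = [
    Rule("deny", src="10.0.0.0/8", dst="10.0.0.5/32"),
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=80),
    Rule("allow", src="10.0.0.0/8", proto="icmp"),
]


def demo() -> dict:
    https = Packet("10.1.2.3", "203.0.113.10", "tcp", 443)
    ssh = Packet("10.1.2.3", "203.0.113.10", "tcp", 22)
    ping = Packet("10.1.2.3", "203.0.113.10", "icmp", None)
    # Same 5-tuple as the HTTPS packet but carrying a different application:
    # indistinguishable to a layer 3/4 filter, so it is allowed just the same.
    other_app_on_443 = Packet("10.1.2.3", "203.0.113.10", "tcp", 443,
                              b"SSH-2.0-constructed-sample\r\n")
    return {
        "https": filter_packet(POLICY, https),
        "ssh": filter_packet(POLICY, ssh),
        "ping": filter_packet(POLICY, ping),
        "other_app_on_443": filter_packet(POLICY, other_app_on_443),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>18}: {verdict}")
```

The `payload` field is deliberately carried but never consulted: that is exactly the blind spot that port-based filtering has and that application-aware inspection removes.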

Where Are These Firewalls?

Most of the time, these firewalls sit right between an internal network and the internet itself, with all of these entities inside the related DMZ.

Hackers, though, know all of this and have found new methods of circumventing these security controls.

Because of that, hackers can cause a massive amount of damage before these security products detect them.

Moreover, traditional firewalls require separate installation of other packages such as web application firewalls (WAFs) and:

  • IPS
  • OWASP (Open Web Application Security Project) and other secure coding standards that address these technologies and their vulnerabilities
  • Strong enough encryption at the relevant web layer (TLS/SSL)
  • Malware prevention
  • Antivirus

Hackers go to great lengths in order to ensure that their attacks are successful.

Security teams have to deploy, manage and then monitor a great number of security products to protect their networks and mitigate the many heterogeneous attacks they face.

All of this is pretty challenging.

And that is an understatement if you know what we mean.

Moreover, when companies use a wide array of these security products, the products can sometimes interfere with each other.

Sometimes, one product can even compromise another product’s effectiveness and functionality.

That happens because each product is trying to claim its share of bandwidth.

They also compete on response times, and every security product has its own maintenance and monitoring requirements.

All of this can hurt the overall effectiveness of multiple security products.

Next Generation Firewalls address all of the issues mentioned above.

They give users a single product from a single security vendor.

This product has a common management process and includes ways to manage multiple security products and services.

Overall, Next Generation Firewalls are a more pragmatic and cost-effective solution to all types of network security challenges.

Most Next Generation Firewalls can deliver application control and intelligence.

They can also provide:

  • Malware protection
  • Intrusion prevention
  • Scalability to support even the highest-performance networks
  • SSL inspection at much greater speeds; usually, these speeds can approach gigabits

All of this ensures that companies and organizations don’t suffer degradation in performance or security.

Next Generation Firewalls: More Benefits

You have Next Generation Firewalls.

And then you have high-end Next Generation Firewalls.

High-end Next Generation Firewalls have no limits when it comes to protecting network streams and a large number of files, even simultaneously.

So if a file is infected, there is very little chance that it will slip under the radar undetected.

Even when a next generation firewall is under heavy load, it still would not let an infected file slip through the cracks.

Next Generation Firewalls are able to apply any and all application and security control technologies to different types of traffic, such as SSL-encrypted traffic.

This ensures that encrypted traffic cannot introduce a new malware attack vector into the company’s or organization’s network.

Do We Need Next Generation Firewall (s)?

Organizations of all shapes and sizes require better security products.

We’ll admit:

Next Generation Firewalls are an advanced security solution.

In other words, not everyone requires a solution based on Next Generation Firewalls.

So how do you decide whether your company should deploy Next Generation Firewalls or not?

Of course, you first have to make an appropriate business proposal in order to convince management to purchase such a technology.

Before doing that, the related parties must determine whether the initial investment in a new and integrated Next Generation Firewall system is feasible and justifiable.

The relevant staff must also figure out whether the new Next Generation Firewalls can align and co-exist with current IT security strategies.

Moreover, organizations must have a clearly defined study of the total cost of ownership.

A lot of organizations would do rather well with a security system that includes:

  • An intrusion prevention system
  • Conventional network firewalls
  • Supporting switches and routers

If all of these are networked properly, they can protect certain environments sufficiently.

Basic firewall products and services can also regulate network connections between computer systems that have different trust levels.

How to Understand Dependencies and Features

All Next Generation Firewalls have some common features.

They include:

  • UTM (unified threat management)
  • NAT
  • Stateful packet inspection
  • VPN (Virtual Private Network)
  • An integrated, signature-based IPS engine
  • Enhanced application awareness
  • Non-disruptive, bump-in-the-wire deployment

Next Generation Firewalls also come with other features that aren’t so well known or common, such as:

  • The ability to understand and then make good use of information that comes from outside the installed firewall.
    Examples include whitelists, directory-based policy and, of course, blacklists.
  • Some Next Generation Firewalls also include support for future upgrades.
    This allows them to manage security threats and information feeds in a more comprehensive manner.
  • SSL decryption, which allows Next Generation Firewalls to identify unwanted encrypted applications more easily.
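Added example, not code from the article or from any vendor it names: a toy Python inspector that combines two of the features listed above, stateful packet inspection (a connection table that only admits reply traffic for flows an inside host opened) and enhanced application awareness (classifying a flow from its first payload bytes instead of its port, including reading the server name from the SNI extension of a TLS ClientHello). The ClientHello builder, host names, addresses and the blocked-application list are all constructed for the example. Reading SNI identifies an encrypted application without decrypting anything; the SSL decryption the article describes goes further and inspects the decrypted content itself.

```python
"""Toy stateful, application-aware inspection, added as an illustration.

Two things a plain packet filter lacks:
  * a connection table, so only replies to flows the inside opened get back in
    (stateful inspection);
  * identification of the application from payload content, not port number
    (application awareness).  For TLS the server name is read from the
    ClientHello SNI extension, with no decryption involved.
All addresses, host names and bytes below are constructed for the example.
"""
import struct
from typing import Dict, Optional, Tuple


def build_client_hello(host: str) -> bytes:
    """Build a minimal TLS ClientHello carrying one SNI entry (test data only)."""
    name = host.encode("ascii")
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack("!HH", 0, len(sni_body)) + sni_body      # type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                 # version, client random (zeros: test data)
            + b"\x00"                                  # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00"                              # null compression only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(payload: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello, or None if absent/malformed."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        pos = 43                                                   # past version + random
        pos += 1 + payload[pos]                                    # session id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]    # cipher suites
        pos += 1 + payload[pos]                                    # compression methods
        end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if etype == 0:                                         # server_name extension
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (struct.error, IndexError, UnicodeDecodeError):
        return None
    return None


def identify_app(payload: bytes) -> str:
    """Label a flow from its first payload bytes; the port is never consulted."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"host:"):
                return "http:" + line[5:].strip().decode("ascii", "replace")
        return "http:?"
    sni = parse_sni(payload)
    return f"tls:{sni}" if sni else "unknown"


class StatefulInspector:
    """Connection table plus a per-application policy for outbound flows."""

    def __init__(self, blocked):
        self.blocked = set(blocked)          # labels such as "ssh" or "tls:some.host"
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def outbound(self, src: str, sport: int, dst: str, dport: int, payload: bytes):
        app = identify_app(payload)
        if app in self.blocked or app.split(":", 1)[0] in self.blocked:
            return "deny", app               # blocked by application, not by port
        self.table[(src, sport, dst, dport)] = app
        return "allow", app

    def inbound(self, src: str, sport: int, dst: str, dport: int) -> str:
        # Reply traffic is accepted only for a flow an inside host opened.
        return "allow" if (dst, dport, src, sport) in self.table else "deny"


def demo():
    fw = StatefulInspector({"ssh", "tls:p2p.example.test"})
    out = [
        fw.outbound("10.1.2.3", 51000, "203.0.113.10", 443, build_client_hello("www.example.test")),
        fw.outbound("10.1.2.3", 51001, "203.0.113.10", 443, build_client_hello("p2p.example.test")),
        fw.outbound("10.1.2.3", 51002, "203.0.113.10", 443, b"SSH-2.0-constructed-sample\r\n"),
    ]
    back = [
        fw.inbound("203.0.113.10", 443, "10.1.2.3", 51000),   # reply to the allowed flow
        fw.inbound("203.0.113.10", 443, "10.1.2.3", 51001),   # that flow was never opened
        fw.inbound("198.51.100.9", 443, "10.1.2.3", 51000),   # unsolicited, wrong peer
    ]
    return out, back


if __name__ == "__main__":
    print(demo())
```

All three outbound flows go to port 443, which a layer 3/4 rule would treat identically; here two of them are denied because of what they carry, and the connection table then decides which inbound packets are legitimate replies.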

Moreover, Next Generation Firewall (s) have different features depending on their vendors.

Organizations can use this information to differentiate between different security products.

Then they can select the best possible Next Generation Firewall (s) solution for themselves.

Time for Some Examples

Dell has the SonicWall product, which provides essential security functions in the form of gateway anti-malware.

It also performs other functions such as content filtering.

Moreover, it can also handle functions such as anti-spyware along with antivirus.

All of these services come with a license that lasts a year.

After a year has passed, the client has to renew the subscription.

Dell’s other security product is SecureWorks.

It has a premium package called Global Threat Intelligence.

This is also a service that requires a further subscription to function.


Cisco has a security product of its own which provides application control and visibility.

These functions come right off the bat with the base configuration, and the company does not charge customers extra for them.

But it, too, has separate licenses that customers have to purchase in order to make use of the Next Generation Firewall and intrusion prevention features.

Cisco also has advanced malware protection and malicious URL filtering.



McAfee comes into its own with standard features such as multi-link and clustering.

The company’s product is called the McAfee next generation firewall subscription license.


Barracuda offers its services with an optional subscription if the client wants malware protection.

It uses an antivirus (AV) engine, the same engine that Avira offers.

Moreover, Barracuda also offers threat intelligence measures along with enhanced VPN and SSL features.

It also has services that give clients advanced network access control.



Juniper has a set of advanced features in its security products.

All of them are software-based.

They include,

  • Next Generation Firewall (s)
  • IPS
  • UTM
  • And other cyber threat intelligence services

It ships these services with its SRX Series Services Gateways.

Users can turn the services on, but they must have an additional license, which Juniper sells separately.

Juniper offers both perpetual and subscription-based packages.

Clients don’t have to install additional security components in order to turn services on or off.

Check Point

Check Point offers Next Generation Firewall security solution packages at its own rates.

All of the company’s software solutions come with a single license purchase.

Check Point’s main package doesn’t include any mobile device controls or any Wi-Fi network controls.

Users who want these features will have to buy another Check Point product.


Current Situation

Organizations must first understand why they need to have advanced security solutions.

As you can probably imagine, most of the security solutions described above are not complete.

Even where they are, they require separate purchases and have complex license structures.

This level of online security is insufficient.

Companies and clients require more than these security features.

Of course, all of this depends on the enterprise itself.

It may only require a traditional firewall.

Or it may need a combination of discrete security products for its network at different points.

It may also need a system of Next Generation Firewall (s).

We think that Next Generation Firewall (s) are easily the better choice when it comes to large-scale network security.

Key Point About Comparisons

The key point that all involved parties should note in these comparisons is that all security products have some common features.

Organizations must make sure that they review those common features.

Then figure out if they need a supplementary license for those features.

They should also study whether they need those additional features.

And then, based on their security problems, they should figure out whether those problems are significant enough to require the procurement of advanced security solutions.


A company may require a security solution for data loss prevention or DLP.

In that case, it may only study those Next Generation Firewall (s) that offer the DLP feature.

Check Point is one of the companies that offers such Next Generation Firewall (s).

A company can take its research to another level as well.

In addition to identifying the features themselves, it can also study the strength of those features and whether they are powerful enough to address its security issues.

Depending on the company’s findings, it may decide to buy a standalone data loss prevention program rather than a system of Next Generation Firewall (s) with the DLP feature.

Integrated products usually aren’t as comprehensive or strong as standalone ones.

This also applies to other security solutions such as Web application firewalls.

Dell’s SonicWall Next Generation Firewall (s) offer this Web application firewall feature as well.

But again, it is an integrated feature and not a fully featured one.

Cisco offers such features too.

It has built-in malware protection in its products.

But users must purchase additional licenses before they can use the company’s Advanced Malware Protection feature.

More licenses are required to use URL filtering, NGIPS and other features.

Barracuda is the same.

Its Next Generation Firewall system requires a separate license if the user wants malware protection as well.

As mentioned before, Barracuda’s malware protection uses the same antivirus engine as Avira.

What Do Enterprises Need?

Our research tells us that most modern enterprises need at least firewalls along with:

  • Malware protection
  • Antivirus software
  • IPS
  • Wireless security
  • Threat intelligence

Luckily for them, Next Generation Firewalls are able to cover all these categories.

They also offer more features.

And often they do so with much composure.

Point products are a different beast altogether if an enterprise wants to select them over Next Generation Firewall (s).

The main problem with point products is that each area requires a separate security technology.

And let’s not forget that each type of security product requires time and effort in:

  • Reporting
  • Monitoring
  • Integrating
  • Training

We might as well add quality of service to that list as well.

All of these functions are required in order to make sure that the enterprise or organization has appropriate levels of network security.

Each point product must work effectively both individually and in the overall arrangement.

Enterprise Structure

Enterprises must also observe their own network architecture.

They should also look at,

  • Risk appetite
  • Threat vectors

Only then can these enterprises ensure that they make the correct decision with regard to their security solutions.

After that, they should decide whether the best approach is to go with Next Generation Firewalls or point products.

As mentioned before, Next Generation Firewalls have significant advantages over point products.

The first is that Next Generation Firewalls come from a single vendor.

They share the same architecture and the same interface for management activities.

Hence, they offer more flexibility if a client requires varying levels of network security and protection.

Next Generation Firewalls also have common reporting, which helps as well.

This leads to cost reduction.

With Next Generation Firewalls, clients can do away with the requirement to purchase individual network security services and appliances.

Enterprises Must Exercise Care With Next Generation Firewalls

If organizations want to keep hackers at bay, they will have to invest more in lots of security areas.

Some enterprises don’t really know how to deploy next generation firewalls.

What they don’t understand is that using next generation firewalls is a big commitment.

And they should expect that an integrated security product for their large network would require a lot of effort to get right.

That is especially true for the initial process.

Most enterprises will have to spend a lot of money in order to migrate from point security products to next generation firewalls.

It also requires a fair amount of architectural remediation.

It is also true that some organizations don’t need next generation firewalls.

Some organizations may need next generation firewalls, but the cost and effort required to shift to them may not be feasible.

If an enterprise has spent a significant amount of money on its current point products (and the whole implementation phase), then it may not want to move to next generation firewalls.

With that said, it is also true that next generation firewalls can generate substantial savings.

And we’re not just talking about money here.

Next generation firewalls can reduce the effort and the time required to manage and support the network security system.

This can lead to significant advantages in the long term.

The fact that next generation firewalls have integrated services also brings a lot of benefits.

Next generation firewalls are better because their security services are more effective.

Next generation firewalls provide:

  • IPS
  • Application controls
  • Deep packet inspection
  • SSL inspection
  • Wireless security
  • VPN
  • Mobile security
  • Other features

And the vendor offering these as part of a next generation firewall system has designed, tested and vetted each individual service to work with the others in perfect harmony.

Moreover, we should also remember that all of these services come under a single box and the whole package is integrated from the start.

In the long haul, this can result in significant savings.

Of course, the organization will have to implement next generation firewalls in the correct manner.

As far as the efficacy of these integrated security solutions goes, most security experts probably know a lot about it.

The final decision rests with the organization itself.

It has to decide whether it wants to take that plunge.

And of course, it can always wait until it has the resources and the level of commitment that any next generation firewall system requires.

Meaningful Differentiators

As mentioned before, next generation firewalls usually provide an integrated network platform.

This platform is actually a part of a 3rd generation of the firewall technology.

Next generation firewall systems combine the traditional firewall with innovative technologies in order to detect cyber attacks at each security layer.

Let’s take a look at some examples (again).

Check Point

Check Point is rightly the inventor of technologies such as stateful firewalls.

In terms of IPS block rate, Check Point is the best amongst its peers.

It has perhaps the biggest application library, with over 5000 applications.

That is more than any other company.

As far as data loss protection goes, Check Point supports more than 600 file types.

It also offers change management features such as rule changes and configuration changes.

We don’t know of too many companies that offer such a feature.

Check Point also has integration with Active Directory, with and without an agent.


Dell’s SonicWall is a unique piece of technology with patented features such as Reassembly-Free Deep Packet Inspection.

This feature enables users to monitor, deploy and manage several firewalls, and it allows them to do so within a single-pane view.

This feature is ideal for centralized management systems.


Cisco’s ASA with FirePOWER Services is a great security solution that has many integrated functions.

It also comes with a fantastic firewall that has its own protection and detection features and services.

Most other vendors don’t have such a comprehensive firewall solution.



Fortinet has a dedicated team of security researchers.

It has over eleven years of in-house experience.

That has resulted in the company’s premium FortiGuard Labs security product.

There are very few, if any, other next generation firewall providers that have their own research team.

Most other next generation firewall providers prefer to outsource their research activities.

Not Fortinet, though.

Fortinet also has FortiGate.

The company says that it can provide 5X the performance of other similarly priced security products.


HP’s TippingPoint is another of those next generation firewalls which are reliable, effective and simple to implement.

It has great coverage as far as security effectiveness is concerned.

In other words, it makes use of more than 8200 filters that can stop both known and unknown cyber threats.

Moreover, the company came up with more than 380 zero-day filters in the year 2014 alone.


McAfee’s next generation firewall products have security controls which are “intelligence aware”.

They also have enhanced evasion prevention tools.

Most importantly, all of these features are unified in a single software application core design.



Barracuda’s strength is its cost of ownership.

It is cheap.

That’s because it has enhanced troubleshooting capabilities.

Couple that with a smart lifecycle management feature and you have a reliable mass-scale central management server (CMS).

Barracuda’s next generation firewall system is perhaps the only one that offers user identity functions for small and midsize businesses together with next generation firewall application controls.



Our research shows that Juniper’s SRX is among the first next generation firewall systems to offer clients validated 99.99 percent uptime.

That only holds true for its SRX5000 line, though.

Moreover, the Juniper SRX series has a special place in the industry because it offered next generation firewall features such as automated firewalls (enabled by JunoScript) and an Open API.

With an Open API, developers can use various programming tools with it.

Juniper’s IPS feature has open attack signatures.

This enables clients to customize and even add tailor-made signatures that are best suited to their own network.
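To show what tailor-made signatures look like in practice, here is an added Python example (not Juniper’s signature format or engine, and not code from the article): a minimal signature-based IPS that starts from a vendor rule set and lets the operator add a signature for one of its own internal applications. Signature ids, patterns, severities and the sample requests are all constructed for the example.

```python
"""Toy signature-based IPS with operator-defined signatures, added as an
illustration of the 'open attack signatures' idea: a vendor-supplied rule set
plus signatures the operator writes for the site's own applications.
Every signature, action and sample payload below is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: "re.Pattern[bytes]"     # compiled bytes regex run over the payload
    action: str = "alert"            # "alert" logs only; "drop" also blocks the packet
    severity: str = "medium"


class SignatureIps:
    """Checks every payload against all loaded signatures and records events."""

    def __init__(self, vendor_rules):
        self.rules: List[Signature] = list(vendor_rules)
        self.events: List[dict] = []

    def add_custom(self, sig: Signature) -> None:
        """Operator-written signature; ids must not collide with vendor ones."""
        if any(r.sid == sig.sid for r in self.rules):
            raise ValueError(f"duplicate sid {sig.sid}")
        self.rules.append(sig)

    def inspect(self, src: str, payload: bytes) -> Tuple[str, List[int]]:
        """Return (verdict, matched sids); a single 'drop' signature blocks the packet."""
        hits = [r for r in self.rules if r.pattern.search(payload)]
        for r in hits:
            self.events.append({"src": src, "sid": r.sid, "name": r.name,
                                "severity": r.severity, "action": r.action})
        verdict = "drop" if any(r.action == "drop" for r in hits) else "pass"
        return verdict, [r.sid for r in hits]


# Constructed stand-in for a vendor-supplied rule set.
VENDOR_RULES = [
    Signature(1001, "HTTP request line contains directory traversal",
              re.compile(rb"^(?:GET|POST|HEAD)\s+\S*\.\./"), "drop", "high"),
    Signature(1002, "Cleartext FTP login",
              re.compile(rb"^USER\s+\S+\r\n"), "alert", "low"),
]


def demo():
    ips = SignatureIps(VENDOR_RULES)
    # Custom signature for an internal app that must never be sent its debug switch
    # from the network; the header name and app are constructed for the example.
    ips.add_custom(Signature(900001, "Debug header sent to internal billing app",
                             re.compile(rb"^x-debug:\s*on\b", re.I | re.M), "drop", "high"))
    traffic = [
        ("10.1.2.3", b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
        ("10.1.2.4", b"GET /static/../../app.ini HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
        ("10.1.2.5", b"POST /api/pay HTTP/1.1\r\nHost: billing.internal.test\r\nX-Debug: on\r\n\r\n"),
        ("10.1.2.6", b"USER alice\r\n"),
    ]
    return [ips.inspect(src, payload) for src, payload in traffic], ips.events


if __name__ == "__main__":
    verdicts, events = demo()
    for v in verdicts:
        print(v)
    for e in events:
        print(e)
```

Keeping custom signatures in a separate id range (900001 here) is what lets a vendor rule-set update land without overwriting the operator’s own rules; the duplicate-id check in `add_custom` enforces that.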

IT and Its Strategy With Next Generation Firewalls

We have to warn organizations that they may or may not need all the features that are available in next generation firewalls.

Moreover, their appliances may not support all security features.

Enterprises should know which features they are going to need, and determine them, before they buy next generation firewalls.

Next generation firewalls have a lot of security features.

Only organizations themselves can determine whether they should enable all those security features.

There are next generation firewalls that incorporate all their security features right into their appliances, and they charge their clients nothing extra.

Researchers say that enterprises normally tend not to use all security features.

The reason for that is that organizations deem those features extra and/or redundant.

There is also the possibility that organizations see a security feature as a bad fit for their network security or business model.

Some next generation firewalls come with the same number of features but offer the option to enable and/or disable some of those features.

These vendors charge clients extra money to do that.

There is no doubt that some next generation firewall services may count as excessive for some enterprises.

Such enterprises can then use next generation firewalls as an addition to their existing system security, and only use certain features at certain times.

Some of the features that organizations may not need include,

  • Data loss prevention
  • QoS
  • Integrations related to Active Directory
  • Application control
  • Multifactor authentication
  • VPN
  • SSL inspection
  • Security for mobile devices
  • Threat intelligence

What About Pricing?

Any organization that purchases a next generation firewall system gets a copy of the actual software application and/or an appliance.

With that, the organization also receives a license that allows the company to use that security product.

In other words, the organization doesn’t own the security product.

The software company retains ownership of that security product, not the purchaser (the organization).

Moreover, software companies limit client access to their products with various terms and conditions documents that come along with the license.

To put it another way, next generation firewalls come with licenses tied to single physical devices.

If the client wants to use some of the uncommon features mentioned above, then they have to buy additional licenses.

Organizations should read the terms and conditions documents carefully to know the type and number of services that are available to them in the base version of the Next Generation Firewall system products.

Moreover, they should also have a clear idea of which services would require a supplementary license.

Fortinet and Check Point Next Generation Firewalls are not sold directly to ordinary customers.

They sell via channel organizations.

Other Next Generation Firewall vendors sell both directly and through channel partners.

All Next Generation Firewall (s) security products vary in their price.

The price varies according to the scale and type of hardware that clients will utilize.

It also varies with the length of the service contract.

Hence, we can observe a vast difference between the prices offered by different Next Generation Firewall (s) vendors.

Moreover, vendors themselves vary their prices between their different products.


A deeper study of Next Generation Firewall products reveals that each vendor has come to dominate a certain area of the market.

In other words, each vendor has made use of a product profile.

And each has used that profile to leverage the unique features that set the vendor apart from other vendors.

For customers, the key is to study and then identify which Next Generation Firewall vendor meets or exceeds the customer’s needs and requirements.

