The shift to a hybrid workforce and cloud services has broadened the attack surface, making organizations more susceptible to new threats. Next-generation firewalls (NGFWs) offer comprehensive threat protection. However, in some NGFWs, the combination of processes can reduce network throughput. NGFWs must deliver best-of-breed threat protection without sacrificing performance and be part of a broad, integrated, and automated security architecture.
Requirements for Evaluating NGFWs
- Threat protection performance. Threat protection performance measures how well an NGFW performs with full threat protection, including firewalling, intrusion prevention, antivirus, and application control. The NGFW must maintain high performance levels when threat protection is enabled. Be aware that NGFW vendors may not provide clear information about their performance claims. Verify that documented performance claims reflect testing under load, with threat protection fully engaged.
- Single-pane-of-glass management. The management interface is critical to security architects, but it's often limited to the NGFW. This results in the need to toggle between multiple dashboards, reducing effectiveness and increasing administrative time. Instead, an integrated security architecture is needed, allowing for end-to-end visibility and control. This approach reduces training costs and is operationally more efficient.
- SSL/TLS 1.3 inspection across the entire enterprise. An enterprise NGFW must effectively inspect SSL/TLS traffic, because cybercriminals exploit the inherent trust placed in encrypted traffic and the low inspection priority some organizations give it, inserting malware into encrypted packets. A good NGFW should maintain predictable performance even with all security services enabled. When comparing vendors, look for transparency in SSL/TLS performance specifications, which should cite testing with industry-mandated ciphers, such as AES256-SHA256, validated by objective third parties.
- Secure SD-WAN. Organizations need affordable and resilient SD-WAN solutions for their distributed offices, but SD-WAN brings new security challenges. Bolting extra security onto a widely distributed network isn't enough to protect enterprise workloads. Some NGFW vendors offer SD-WAN features, but they're not ideal. It's better to choose a vendor that provides fully integrated secure SD-WAN capabilities in its NGFWs. That way, centralized control is enforced, investment costs are reduced, and security gaps are eliminated.
- Price/performance and other operational considerations. Choose a compact NGFW that delivers the required performance in order to reduce TCO and save space and energy. Select an NGFW with mature technology, offered by a vendor with deep investments in research and design, to ensure smoother deployments and fewer support calls. Opt for NGFW hardware that supports power redundancy and 40 GbE/100 GbE network interfaces for improved resiliency and migration to higher-capacity networks.
- Independent third-party validation. Network security is an ever-evolving industry, and untested innovations pose too great a risk. Architects should seek third-party evaluation from recognized testing houses instead of relying solely on vendor claims.
An NGFW is critical for protecting corporate and customer data. Security architects should evaluate options carefully with the trade-offs between security and performance in mind. The NGFW should provide consistent and consolidated security protection with minimal performance impact. Compact NGFW solutions that minimize space requirements and integrate into the overall security architecture are preferable. The NGFW should provide end-to-end visibility and automatically share threat intelligence between devices.
#nextgenfirewall #cisco #paloalto #fortinet #checkpoint #security #networksecurity #endpointsecurity #dlp #networking #cybersecurity
Amit Kumar - Consultant Networking and Cybersecurity - 9873397251