All firewalls are not created equal. To understand that, you need to know what the idea behind a basic firewall is. A firewall, from the IT perspective, is a hardware or software implementation that is meant to restrict incoming or outgoing network traffic. Most desktop operating systems as well as servers have some sort of firewall protection already built into the operating system. While these types of firewalls protect the machines they are running on, hardware firewalls/appliances protect those machines as well as the rest of the hardware that exists on the network. Most home routers have built-in firewalls that protect your home network from unwanted incoming connections. They also provide NAT (network address translation) to allow all your internal devices to communicate out to the Internet and to let the replies to those connections come back in. This would be a hardware firewall in its simplest form. Next Gen firewalls provide this and so much more.
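To make the "simplest form" concrete, here is an added example (not code from the original post or from any vendor) that models the home-router behaviour just described: connections initiated from the LAN are allowed out and get a NAT mapping, packets arriving from the Internet are accepted only when they match a mapping created by the LAN, and everything else from the outside is dropped. The LAN range, public address and starting port are assumed values, and the packets are constructed for the demo; the addresses come from the RFC 5737 documentation ranges.

```python
"""Toy stateful NAT firewall modelling a basic home router (added example).

Policy:
  * A packet leaving the LAN must carry a LAN source address (anti-spoofing),
    is allowed out, and gets a NAT entry: private ip:port -> public ip:port.
  * A packet arriving from the WAN is accepted only if it is addressed to our
    public IP and matches an existing NAT entry for that remote host/port,
    i.e. it is a reply to a connection the LAN opened.
  * Any other inbound packet is an unsolicited connection and is dropped.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatFirewall:
    def __init__(self, lan_cidr: str, public_ip: str, first_port: int = 40000):
        self.lan = ipaddress.ip_network(lan_cidr)      # assumed LAN range
        self.public_ip = public_ip                     # assumed WAN address
        self.next_port = first_port                    # next free public port
        # (lan_ip, lan_port, remote_ip, remote_port, proto) -> public_port
        self.outbound = {}
        # (public_port, remote_ip, remote_port, proto) -> (lan_ip, lan_port)
        self.inbound = {}
        self.log = []  # simple audit trail of ALLOW/DROP decisions

    def _is_lan(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.lan

    def handle(self, pkt: Packet, direction: str):
        """direction is 'out' (LAN -> WAN) or 'in' (WAN -> LAN).
        Returns the translated packet, or None if the packet was dropped."""
        if direction == "out":
            return self._handle_outbound(pkt)
        return self._handle_inbound(pkt)

    def _handle_outbound(self, pkt: Packet):
        if not self._is_lan(pkt.src_ip):
            # A packet on the LAN side with a non-LAN source is spoofed.
            self.log.append(f"DROP out spoofed {pkt.src_ip}:{pkt.src_port}")
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        port = self.outbound.get(key)
        if port is None:
            # New flow: allocate a public port and remember both directions.
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        self.log.append(
            f"ALLOW out {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
            f"as {self.public_ip}:{port}"
        )
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def _handle_inbound(self, pkt: Packet):
        # For an inbound packet, dst is our public ip:port and src is the remote.
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        mapping = self.inbound.get(key)
        if pkt.dst_ip != self.public_ip or mapping is None:
            # Not a reply to anything the LAN started: unsolicited, drop it.
            self.log.append(
                f"DROP in unsolicited {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"
            )
            return None
        lan_ip, lan_port = mapping
        self.log.append(
            f"ALLOW in {pkt.src_ip}:{pkt.src_port} -> {lan_ip}:{lan_port} (reply)"
        )
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


def run_demo() -> NatFirewall:
    """Constructed traffic: one LAN client browses out, the reply comes back,
    and two unsolicited inbound packets are refused."""
    fw = NatFirewall("192.168.1.0/24", "203.0.113.5")
    fw.handle(Packet("192.168.1.10", 51000, "198.51.100.20", 443), "out")
    fw.handle(Packet("198.51.100.20", 443, "203.0.113.5", 40000), "in")   # legit reply
    fw.handle(Packet("198.51.100.99", 12345, "203.0.113.5", 22), "in")    # port scan / SSH probe
    fw.handle(Packet("198.51.100.20", 80, "203.0.113.5", 40000), "in")    # right host, wrong port
    return fw


if __name__ == "__main__":
    for line in run_demo().log:
        print(line)
```

The inbound lookup keys on the remote host and port as well as the public port, so this behaves like a symmetric (address- and port-dependent) NAT: even a packet from the correct remote host is dropped if it does not match the exact flow the LAN opened. A real appliance would also expire mappings after an idle timeout and track TCP state; those are left out to keep the policy readable.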
Next Gen Firewalls
Next Gen Firewalls (NGFW) are third-generation firewalls. They provide the same functionality as traditional firewalls, but add features like deep-packet inspection and malware protection. These devices are usually deployed at critical points in your network. Companies like Cisco, Fortinet, Forcepoint and Palo Alto all have Next Gen Firewalls in their catalogs. They do not necessarily offer the same features, though.
Defining the Need
When shopping for a next gen firewall, make sure you find something that fits your needs. For example, some solutions may provide CASB protection while others may just have the ability to leverage SD-WAN technology. They should all, though, be able to provide IPS (Intrusion Prevention System) as well as some anti-malware capabilities. Some of the services on an NGFW may be subscription based, like on-premise antivirus products, so this needs to be taken into account when budgeting. Others may actually interact with your on-premise AV product to provide up-to-date detection and prevention as well as remediation. This could conceivably work in two different directions. In one, if the NGFW learns that a threat was identified and blocked by other NGFWs, it can notify all of the endpoints on the network to quarantine this threat immediately. It can also happen the other way around: if the endpoints pick up an infected file, they can notify the firewall(s) not to let this threat traverse the network. Many vendors actually partner with other vendors to provide a well-rounded solution, so this should be taken into account. Vendors may also have other products in their portfolio that may be of interest and work directly with their NGFW offerings. Email/web security, DLP, switching and DDoS protection are some of the other products most likely available.
In addition to defining the need, sizing these firewalls is an important process. This is conceivably a long-term investment, so you need to make sure that the firewall you purchase today can handle the traffic it will need to process now as well as in the future. If you plan on using these for VPN/SD-WAN, some may also need to be licensed by the number of connections in use, so this should be accounted for.
Management of these firewalls can also be a huge undertaking, so you want to make sure that you are comfortable with the interface and with the method of updating policies and behaviors. If you have many firewalls in place, you do not want to have to manually update each firewall when a change needs to be made. You want to be able to centrally manage all of them if necessary and to view and configure them with ease. Some products can be managed from the cloud, which may or may not be an issue for you.
There are quite a few vendors with different options available. Take the time and do the research. There are many resources out there to help with the decision, contact CCSI if you have further questions or concerns.
These were some of the areas that need to be addressed when updating to a Next Gen Firewall. What were your considerations?
Author Bio: Steven Rainess is a Solutions Architect for CCSI. He has 25-plus years of experience in the IT industry. For most of these years he has been a consultant, acting as a Subject Matter Expert in the Systems and Networking areas, as well as doing some Project Management and Development work. His work has covered many verticals including Financial, Education, Broadcasting, and Software Development.
This is a Security Bloggers Network syndicated blog post authored by Steven Rainess. Read the original post at: CCSI