Choosing a firewall – top tips for businesses


Next-generation firewalls are a fundamental building block of network data security. Yet there is no one-size-fits-all solution, as each organization has differing needs, risks, and data flows.

Overall, the choice and configuration of a firewall solution is determined by the need to protect against today’s advanced attacks while preserving the performance and uptime critical to fostering innovation and growth. So what are the main considerations?

To ensure proper “apples to apples” comparisons, size each candidate against your organisation’s real-world requirements, with capabilities such as IPS, application control, and advanced malware detection running against your own traffic mix. Capacity planning is essential for sizing, so take time to correctly evaluate your requirements for the most pressing challenges, as well as future growth.

Always test before you buy and size correctly

You should never blindly buy a next-generation firewall. Your chosen firewall will need to suit your computing environment and the organisation’s unique needs. When testing, make sure that you test real traffic patterns and evaluate the end-user application experience. It’s important to layer all tests together to reflect real-world challenges, as testing one feature at a time can lead to misleading results.

With that in mind, never rely solely on datasheets and other “performance on paper” summaries, because there are fundamental differences in how firewall vendors measure. One might state performance impact with consolidated threat prevention features (e.g. intrusion prevention systems [IPS], antivirus, command and control, URL filtering), while another might highlight performance impact based solely on best-in-class IPS capabilities in a standalone box.

Simon Crocker

Simon Crocker is Senior Director of Systems Engineering at Palo Alto Networks.

Pay attention to the past whilst thinking about future business requirements

Typically, a firewall vendor works directly with the networking team to evaluate and implement a firewall. However, considering only the needs of the networking team is a mistake, given that the most important needs of today’s organization include security efficacy, automation, agility and user application experience.

So when considering your firewall, make sure you involve stakeholders across all these business units as well as wider business stakeholders, i.e. the application users. It’s also important to engage them as early as possible so they can provide input on the level of threat prevention and other security capabilities required. For example, datacenter teams need automated features and capabilities, segmentation/micro-segmentation of hybrid cloud environments, scalability to meet evolving needs, and single-pane management. By contrast, the application teams want simple, fast, and secure application development and deployment, whether the application is SaaS or in the datacenter.

Accounting for integration and scalability

A new firewall should enhance your IT infrastructure without complex integration. It should easily integrate with your current ecosystem without forcing you to replace systems. API integration, automation capabilities and cloud management should all be important components of the evaluation, since these are all mission critical for an organization's strategy going forward.

Often, even if you successfully consolidate to a single vendor, management issues and complexities can persist between individual networking and security devices. Avoid the age-old vendor lock-in hook by choosing a firewall vendor with a strong community of technology partners to ensure seamless integration with your ecosystem from both networking and security perspectives. You should also not be forced to manage the integration efforts of a new security platform; that should be the vendor’s responsibility.

As your business requirements change, scalability becomes a key factor. A vendor that uses cloud architecture for innovation and design can scale much more quickly without the need to frequently update hardware on the network edge, which will help you significantly in the long term. Thinking about the journey to SASE or hybrid SaaS and on-prem environments is therefore essential.

Taken together, these tips require an organisation to trial a new firewall in a real-life setting. Proofs of concept (PoCs) are a prerequisite for avoiding the mistakes that can creep in when evaluating a firewall offering. A PoC delivers an accurate test of next-generation firewall performance in your real-world operational environment. It also returns you to what matters: how successfully a firewall will balance network performance and security to support your business in the future and allow for scale and agility for digital transformation.
