What to Consider When Choosing a Next-Generation Firewall (NGFW)



What makes for a good NGFW solution? Many factors affect the suitability of an NGFW for a given organization. NGFWs play an important role in threat protection and preserving business continuity. Security teams use NGFWs to monitor their IT environment, everywhere from the network edge to the data center, and gain visibility into users, endpoint devices, and applications, and security threats across networks. 


At a high level, NGFWs must advance the cause of robust security, but it shouldn’t sacrifice your budget, speed, or the ability to scale. So where do you begin? When evaluating NGFW performance, we suggest keeping the following seven considerations in mind:


1. IPsec VPN performance

Teleworking employees have access to sensitive company data. Protecting this against compromises requires the ability to ensure that a remote employee connection to the company network is secure. This is provided through an encrypted session to not only ensure the confidentiality and integrity of sensitive company data in transit but also ensure that all traffic between the employee and the public internet is monitored and protected by the organization’s existing cybersecurity infrastructure. Bringing a very large remote workforce online to maintain productivity levels and maintain business continuity requires the support for a very large number of secure connections called IPsec or secure sockets layer (SSL) VPN tunnels. Equally important is the aggregated performance of the system. The NGFW should be able to sustain the user connections and the encrypted traffic load irrespective of the location of the users. 


2. Threat protection performance 

How well does your NGFW perform when running full threat protection? Ideally, an NGFW can sustain performance with full threat protection—meaning firewalling, intrusion prevention, antivirus, and application control—turned on. In three or so decades of firewall technology, at least one thing has remained constant: vendors that speak ambiguously about threat protection performance. Insist on real numbers and a close reading of documented performance claims.


3. SSL inspection capacity 

A majority of enterprise network traffic is now encrypted, and bad actors are continuing to take advantage by inserting malware into encrypted packets. SSL decryption and inspection can offset these security risks by intercepting malware, but SSL inspection comes at a downside: reduced throughput. And too much reduction puts the traditionally tense relationship between security and business productivity once again in conflict. All NGFWs receive some impact in throughput with SSL turned on, but the best have predictable performance with minimal degradation in speed.


4. Price vs. performance

Many NGFW vendors increase the size of their firewalls to boost performance and increase the price to match that size. The best NGFW solutions, however, combine price and performance with an eye toward a smaller technology footprint. Years ago, teams were often forced to choose price or performance when it came to total cost of ownership (TCO). But big leaps in disruptive firewall technology, underpinned by world-class network processors that can achieve unprecedented levels of performance, have made the TCO conversation a happy one. 


5. Credible third-party validation 

No organization making an investment as important as an NGFW should rely on vendor documentation or word of mouth alone. Recognized third-party evaluators such as Gartner and NSS Labs provide detailed validation of NGFW solutions, and their consultation is highly recommended.


6. Easy, single-pane-of-glass management 

It’s a frequent productivity killer: security teams that have to toggle between multiple dashboards to assess vulnerabilities, respond to threats, and ensure system resiliency. But gone now is the era when teams couldn’t include their NGFW in management consoles for other parts of the infrastructure. Teams should insist on single-pane-of-glass management combining NGFW as part of a broad, integrated security architecture that enables sharing of threat information across network devices and receiving of threat intelligence automatically. 


7. Future-proofing

As IT continues to evolve from cost center to business enabler, all organizations are embracing digital innovation in some form. Digital innovation initiatives drag, however, when organizations add complexity and introduce performance challenges because they haven’t integrated their solutions, right-sized their investment, or planned for future state activities. This includes NGFW integration. Ensuring an NGFW that not only provides performance at agreeable cost and scale but can also anticipate future demands will ensure organizations maximize their investments in network security for superior return on investment—today and tomorrow.


Fortinet’s Next-Generation Firewalls include the necessary qualities you are looking for in an NGFW, like reliability, flexibility, and scalability, coupled with threat management and edge security capabilities. To learn more, watch the following video, or visit www.vlcm.com/fortigate