Over the past several years, next generation firewalls (NGFW) have been the cornerstone of perimeter security. They establish a fundamental barrier between secure and controlled internal networks that can be trusted and non-secure, external networks that cannot be trusted. As the enterprise attack surface has become more and more sophisticated over the years, NGFW products have had to evolve to protect against dynamic threats across diverse attack vectors.
Additionally, the lines between business and personal traffic on corporate networks have blurred, with most companies now adopting BYOD (bring your own device) policies. This means that as well as having to support a multitude of users, an NGFW must also support dynamic and multi-faceted applications, which increases the risk of an organization being exposed to threats. Because of this, organizations are struggling to choose NGFW products that are the best fit for their environments. Purchasing an NGFW is typically a significant investment, and it is a constant challenge for organizations to optimize their NGFWs in order to achieve a balance between productivity and security.
Most enterprises are familiar with the common feature sets of NGFW products, but what is key is understanding which capabilities to focus on when selecting an NGFW. These include firewall capabilities with stateful inspection, greater integration on deep packet inspection modules (also known as intrusion prevention), and user- and application-centric awareness and control. Recently, there has been a push in the industry for the NGFW’s security policies and controls to provide additional context through advanced heuristics and cloud-based machine-learning integration capabilities. This would enhance the NGFWs ability to analyze suspicious code, identify communication with malicious hosts, and provide enhanced detection and prevention of malware, exploits and other targeted attacks. Some of these capabilities might not be native to the NGFW platforms, but through integration with existing endpoint offerings or breach detection systems (BDS), NGFW platforms can act as highly effective breach Prevention Systems (BPS).
The goal is for these products not only to detect but also to block sophisticated attacks at the application level and to have them integrate with an enterprise’s overall security architecture.
Key quantifiable metrics that enterprises should look for in an NGFW include:
- Security efficacy: NGFWs should be evaluated for security effectiveness against known and unknown threats entering from both north-south and east-west (lateral movement) entry points in an enterprise network. This is important for enterprise, and particularly now when traditional network perimeter boundaries are disappearing.
- Scalability, flexibility, and performance: An enterprise-class NGFW is a significant investment that is expected to provide value for a minimum of three years. For this reason, enterprises require NGFWs that not only deliver high performance and throughput but that are also scalable, so that security functions can be consolidated without causing disruption to applications and services. High-computing, distributed environments are becoming ubiquitous in medium-to-large enterprises that now demand highly flexible NGFW architectures with the capability to inspect content for threats at high speed while also performing basic firewall tasks at an accelerated pace.
- Security ecosystem integration and breach prevention: A defense-in-depth security architecture requires that products work together. Enterprises must be able to closely integrate their NGFW products with existing security functions and controls to better manage and mitigate risk. NGFW products must also be capable of merging with endpoint, sandbox, and breach detection tools that focus on detecting, investigating, and mitigating suspicious activities, known threats, and other issues on an enterprise’s hosts and endpoints. They should also be able to provide security information and event-based incident response-based workflows that are reliable and scalable and that can integrate with threat analytics platforms and take preventative action in real time.
- Threat visibility: The NGFW should provide end-to-end visibility into and context for threats. It should do this through a unified management console, and it should be capable of coordinating with various threat management tools and other security solutions. This will not only decrease the attack surface and increase detection of cyberattacks, but it will also accelerate the incident response time, which in turn will reduce the enterprise’s time to mitigate breaches.
- Central management capabilities: Many organizations understand the importance of a multi-pronged approach for configuring and monitoring security solutions. Often however, complexity is inadvertently introduced through the deployment of these various security controls (for example, intrusion prevention systems, sandbox solutions, endpoint solutions, and other solutions. Since the NGFW is a core component of an enterprise security architecture, its central management capabilities are critical (including, for example, the ability to view, manage and configure these different security controls from one central location).
- Support for SSL interception: Encryption protects sensitive information, but it also provides a way for threats to bypass defenses. The recent explosion in SSL/TLS-based traffic makes it imperative that NGFW appliances have the capability to intercept, decrypt, and inspect SSL/TLS-based traffic so that they are not oblivious to threats.
- Ability to withstand evasion techniques: Attackers know that defenses are looking to stop them. An NGFW platform should be to prevent threats from attackers who can modify basic attacks to evade NGFW threat detection modules. Even unable to withstand a singular evasion technique against a threat could prove extremely costly for enterprises.
This list of key metrics is not exhaustive and should be seen only as a starting point. Other key criteria, including cost, time to block threats, and administrative efficiency should also be considered during product selection.
Ultimately, the goal is to shorten the list of vendors your enterprise needs to consider so it can perform a proof of concept (POC) using only the selection criteria that it considers important. List your key requirements and then determine common denominators that products can be evaluated on. Focus on quantitative facts that are objective and measurable.
To learn more about what to look for when evaluating NGFW products, review NSS’ latest Next Generation Firewall Test Methodology v7.0. You can also access our NGFW group test reports to see how various products performed with regard to performance, stability and reliability, security effectiveness, and most importantly, how they performed against various evasion techniques.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.