Often, during my meetings with clients, network engineers and security specialists, the following question gets asked: “Which firewall product best suits my environment, and which one is the best solution currently available on the market?” And usually my answer starts with “Well, it depends…”. When someone answers directly without asking additional questions to narrow down the requirements, the answer may be motivated, for example, by a willingness to sell a particular product rather than to give correct advice. To show how much effort it takes to choose the right platform for a particular environment, we took it upon ourselves to publish our Guidepaper “Overview of Next Generation Firewall Security Products”. It covers the first stage, where one considers a high-level overview of the model types for a particular scale, the licensing models, and key parameters such as interface types and counts, stateful processing performance, IPS performance, the ability to deploy the NGFW in a public or private cloud environment, etc., for the different products available on the market. The next stage is then to carry out a comparison of those products.
Next Generation Firewalls are designed to provide context and better visibility into the traffic flowing through the network, in comparison to legacy stateful firewalls, where only OSI Layer 3 and Layer 4 information was used for classification. Based on different processing engines responsible for the “next generation” functions, NG Firewalls are able to mitigate security risks more precisely and from more angles than legacy security devices. By performing many operations, such as application-layer inspection, user identity recognition, intrusion prevention, antivirus and malware code detection, and category-based web filtering in conjunction with cloud-based security feeds, Next Generation Firewall products provide a modern line of defense.
After this quick overview of what a Next Generation Firewall is, it is time to take a short look at the vendors that offer NGFW products on the market. In our report you can find the list of products from the following vendors:
Why these? Simply because they have a long history, specialize in making firewalls, and are known and tested by most enterprises around the world. We compared 9 NGFW products and carried out research in the areas of functionality, scalability, performance and licensing. The important thing at this stage of the comparison is that all of the above parameters are declared by the vendors and have not yet been measured in our testing center. Based on data sheets, white papers and marketing materials, we compiled a collation of appliances positioned for medium-scale enterprise networks.
The first point that might seem confusing is why some appliances scaled for the mid-size enterprise have better stateful inspection performance, whereas others support a significantly higher number of users. So the questions to ask here are: do you need more stateful firewall performance, or more VPN users, more SSL VPN tunnels, more IPsec site-to-site tunnels, etc., and which parameters suit your environment better? An example is a firewall sitting on the DC/LAN demarcation line versus a firewall on the Internet edge concentrating many remote-access VPN users. If you need the first, choose higher stateful performance; if the second, choose the one that supports more tunnels.
The next thing to consider is not strictly technology-related but very important for managers and CxOs: licensing. In our paper you can read about the license types, the licensing models, and what is included without any extra fees. This can also be a decision about what you really need versus what you get with no license. Many vendors license NGFW functions such as application control, IPS, web or URL filtering, anti-malware and antivirus as subscriptions. Some of them offer an a la carte model where you choose from a list, and some of them offer bundles.
After making the initial decision, many clients would like to have an objective comparison on the table, meaning whether the vendor actually delivers what it claims. This point really opens up a discussion about the real performance of networking products. Especially in the Next Generation Firewall market, there is a chance that facts are overstated. NGFWs have many features and factors that can be interpreted differently and measured under different conditions. An example is regular (stateful) firewalling performance: measured with large 1500-byte packet traffic, it can be several times higher than the figure measured with small 60-byte packets. The truth is that every vendor has its own testing method and publishes its own result in the data sheet. When we add application control performance across many different inspection algorithms, or IPS or malware analysis performance, the results can differ as well. That is why an objective answer should be preceded by a series of comparable tests under identical testing conditions. Objective environmental testing is not the subject of our first report but will be part of our successive research work.
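As an added illustration (not part of the Grandmetric report), the following Python snippet normalises two constructed datasheet claims to packets per second and re-expresses them at a common packet size, which is what makes a 1500-byte figure and a 60-byte figure comparable; the vendor labels and numbers are made up, and Ethernet framing overhead is ignored.

```python
"""Normalise datasheet stateful-throughput claims to a common packet size.

A forwarding engine is bound by the number of packets it can process per
second (pps), so a headline Gbps figure depends heavily on the packet size
the vendor chose for the test. Converting every claim to pps and then back
to Gbps at one agreed packet size gives a like-for-like number.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThroughputClaim:
    vendor: str        # hypothetical label, not a real datasheet
    gbps: float        # declared stateful throughput
    packet_bytes: int  # packet size used for the measurement


def packets_per_second(claim: ThroughputClaim) -> float:
    """Packets/s implied by the claim (Ethernet framing overhead ignored)."""
    return claim.gbps * 1e9 / (claim.packet_bytes * 8)


def throughput_at(claim: ThroughputClaim, packet_bytes: int) -> float:
    """Gbps the same pps rate yields at another packet size.

    Assumes the device is pps-bound, i.e. per-packet lookup cost dominates,
    which is the usual case for stateful inspection of small packets.
    """
    return packets_per_second(claim) * packet_bytes * 8 / 1e9


def compare_at(claims, packet_bytes: int) -> dict:
    """Return {vendor: Gbps} with every claim re-expressed at packet_bytes."""
    return {c.vendor: round(throughput_at(c, packet_bytes), 3) for c in claims}


# Constructed sample claims: a 10x higher headline measured with large packets
# versus a modest headline measured with small packets.
CLAIMS = [
    ThroughputClaim("Vendor A", gbps=20.0, packet_bytes=1500),
    ThroughputClaim("Vendor B", gbps=2.0, packet_bytes=60),
]

if __name__ == "__main__":
    for size in (60, 1500):
        # At 60 bytes Vendor A drops to 0.8 Gbps; at 1500 bytes Vendor B reaches 50 Gbps.
        print(f"{size}-byte packets: {compare_at(CLAIMS, size)}")
```

The 25x ratio between the two packet sizes is exactly why a claim quoted without its test packet size tells you little.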
Another angle of comparison should be the effectiveness of threat detection and stability under a high volume of infected traffic that has to be analysed, mitigated, logged and reported. Today it is very common to compete on the speed of zero-day recognition and mitigation: how fast the vendor sends a zero-day threat to the sandbox, on premises or in the cloud, and mitigates it in turn. There are also some vendors introducing a bunch of new functionalities that the competition does not offer yet. One needs to be careful here, because having a wide range of functions does not necessarily mean they are better. Often, when introducing MacGyver's jack-knife, many bugs are introduced as well, making the solution less stable than the competition. This often happens with new software, apps and so on, and it is natural. Threat recognition and stability testing is also not the subject of our first report but will be part of our successive research work.
From our overview we can see that most NGFW products have very similar functionalities; some are declared faster and some more scalable. But the right solution needs to be chosen based on your specific requirements and objective testing results. Going deeper into traffic-processing specifics, feature behaviour and real measured performance will be the subject of consecutive reports. Stay connected for our upcoming Grandmetric Guidepapers.
In my opinion Sangfor NGAF is the best firewall on the market. http://www.sangfor.com/product/sxf-network-security-ngaf.html