Choosing the right network security tool for the job

Selecting a network security product can be simplified once you understand your business goals and match them to the features offered by the leading network security vendors.

With this roundup, we've tried to simplify the purchasing process by providing a quick review of the leading network security tools on the market. These products are broken into five groups: next-generation firewalls, or NGFW; secure web gateways, or SWG; network access control, or NAC, systems; malware sandboxes; and cloud access security brokers, or CASB.

Most enterprise-class security products can work in almost any environment, and all of the vendors offer strong products. If you've done your homework by assessing which type of network security tool you need and have matched those requirements to your business goals, the best options quickly become apparent, helping you simplify the purchasing decision.

Editor's note: The pricing listed for each network security tool is approximate. Contact the vendor or reseller for detailed pricing and licensing information.

Next-generation firewalls

Check Point Software Technologies Ltd.
Deployment options: Physical and virtual machine (VM)
Connections per second: 18,000 to 9 million
Cost and licensing: Less than $1,000 and can exceed $1 million

Check Point Software offers multiple appliance-based and virtualized products to meet the needs of most enterprises. Check Point NGFW products include identity-awareness features that track and restrict access to sensitive information that's accessed by users, groups of users and even specific devices. The company also operates an application identity database that intelligently identifies more than 6,600 web 2.0 applications and 260,000 social networking widgets. This allows administrators to create granular controls around web tools to implement better data loss prevention.

Cisco
Deployment options: Physical and virtual
Number of users: 5,000 to 800,000
Cost and licensing: $1,000 to $225,000

Cisco is well-known for purchasing smaller network technology companies and using them to fill a void in its portfolio. Such is the case with Cisco's NGFW technology. With its acquisition of security company Sourcefire in 2013, Cisco has integrated Sourcefire's threat protection software into its latest line of Adaptive Security Appliances (ASAs) with FirePower firewalls. Cisco recently released a FirePower model that operates using a unified operating system, as opposed to integrating FirePower features onto ASA software.

FirePower features include FirePower NGIPS, a real-time, next-generation intrusion prevention system with contextual awareness. This network security tool also includes advanced malware protection that uses global threat intelligence to protect against zero-day threats. In the event a threat is identified, a rapid threat containment tool automatically applies special security policies on other security and network devices to mitigate the threat.

Palo Alto Networks Inc.
Deployment options: Physical and virtual
Number of users: 1,000 to 1.2 million
Cost and licensing: Starts at $2,000 and can exceed $1 million

The Palo Alto firewall line includes enterprise NGFWs on both hardware and virtualized platforms. These firewalls inspect and analyze all traffic in several deployment scenarios, including the network perimeter, data centers and branch offices. Palo Alto firewalls also offer GlobalProtect, an integrated mobile security application that protects mobile devices when accessing corporate resources. Traps advanced endpoint protection secures Windows systems that can no longer be patched.

Editor's note

Based on extensive research into network security tools, TechTarget editors focused on the vendors with leading market share in these five categories -- next-generation firewalls, secure web gateways, network access control systems, malware sandboxes and cloud access security brokers. Our research included data from TechTarget surveys, as well as reports from other respected research firms, including Gartner.

Secure web gateways

Forcepoint
Deployment options: Physical, virtual and cloud
Number of users: Dozens to tens of thousands
Cost and licensing: Contact vendor or reseller

Formerly known as Websense AP-Web, the product was rebranded as Forcepoint Web Security after Websense was acquired by IT security firm Raytheon. Forcepoint Web Security software protects enterprise networks from web-based threats. The product includes features such as real-time analysis of web traffic, zero-day exploit protection using a global advanced persistent threat network, data loss prevention and the ability to secure remote devices from accessing internal resources.

Forcepoint Web Security is tightly integrated with other Forcepoint security products designed for email security, data security, endpoint security and malware sandboxing. The software is available in various deployment options, including physical appliances, VMs and a cloud-based SaaS.

Symantec Corp.
Deployment options: Physical, virtual and cloud
Number of users: Dozens to hundreds of thousands
Cost and licensing: Starts at $1,200 for a virtual appliance and 25 user licenses. Cloud licenses range from $25 to $60 per user.

Like its competitors, Symantec ProxySG is equipped with user authentication, web filtering, data loss prevention and inspection. But Symantec has engineered additional features into its SWG, most notably the WebPulse Collaborative Defense, which provides real-time defense through the vendor's global threat network. The company also boasts of being the only SWG vendor to offer what it calls "negative-day threat defense." This uses a combination of monitoring and the correlation of global malware network movements to prevent zero-day exploits by blocking attacks before they occur.

Symantec also offers a product called Advanced Secure Gateway. This combines all of the features of ProxySG with additional content analysis features to help identify and stop advanced persistent threats.

Zscaler Inc.
Deployment options: Cloud
Number of users: One to hundreds of thousands
Cost and licensing: Starts around $6,500 for a one-year license for 500 users

A relatively new security company, Zscaler Inc., based in San Jose, Calif., includes several security products in its portfolio. Among them is Zscaler Web Security, an SWG product regarded by independent research firms as one of the leading SWGs in the market. Zscaler built its SWG from the ground up, incorporating recent advances in cloud design methodologies and architectures. To that end, Zscaler web gateways offer security features, such as cloud intelligence, botnet detection and even some sandboxing protection for advanced persistent threats.

Network access control products

Bradford Networks
Deployment options: Physical, virtual and cloud
Number of users: 500 to 20,000 per appliance
Cost and licensing: Approximately $15,000 for a 500-device network

Perhaps not as well-known as other network infrastructure vendors, Boston-based Bradford Networks focuses on endpoint security. Its Network Sentry product provides comprehensive network access control for a wide range of devices. In addition to the obvious security features, including device profiling, endpoint fingerprinting, compliance assessments and guest management, Network Sentry is engineered with EasyConnect, a function that enables users to connect their BYOD gear to the corporate network. EasyConnect automates much of this setup process, including setting configurations, access controls and encryption types. Bradford NAC products also work in multivendor environments.

Cisco
Deployment options: Physical and virtual
Number of users: 100 to 20,000 per appliance
Cost and licensing: List price of $50,000 for a 1,000-device network appliance

Cisco's Identity Services Engine is suitable for networks composed primarily of other Cisco infrastructure gear. The tool integrates well with other Cisco products, including routers, switches, wireless LANs and NGFWs. The technology used to simplify provisioning, management and communication between network components is called TrustSec. TrustSec is a network segmentation approach that can help reduce much of the hassle of providing an end-to-end security framework.

There are different licensing options for the Cisco Identity Services Engine. The base license includes basic network access functions, guest management and encryption. The plus license includes compatibility for BYOD, profiling, endpoint protection and TrustSec features. The apex license adds features such as mobile device management, posture, compliance and incident remediation. There also is a mobility license to oversee wireless devices and Cisco AnyConnect virtual private network users.

ForeScout Technologies Inc.
Deployment options: Physical and virtual
Number of users: 10 to 10,000 per physical or virtual appliance
Cost and licensing: List pricing starts at $4,000

ForeScout is a well-known name in the world of NAC. The company's CounterACT NAC platform is flexible and easy to deploy; it supports multiple authentication methods, including a built-in RADIUS server for 802.1x authentication, or direct authentication with the Lightweight Directory Access Protocol, Active Directory, Oracle and Sun platforms.

Once authenticated, administrators have a wide range of control options to categorize, permit or deny access and remediate any end-device issues. CounterACT is based on an open architecture called ControlFabric, which allows for easy interoperability with other third-party security and network hardware and software. For large enterprise deployments, multiple CounterACT physical and virtual appliances can be administrated through a single management platform called CounterACT Enterprise Manager.

Malware sandboxes

FireEye Inc.
Deployment options: Physical, virtual and cloud
Number of users: 50 to 80,000
Cost and licensing: Starts at around $25,000 for a 500-user network with a hardware appliance

The key benefit of the FireEye NX series is its Multi-Vector Virtual Execution (MVX) engine. The signature-less engine can identify and flag suspicious behavior, including zero-day exploits that other security tools may let slip through. Once unknown, yet suspicious, content is flagged, MVX uses multiple VMs to safely execute web objects, attachments and files and monitor the results to verify whether or not the content is malicious. The malware forensics is performed in real time to significantly decrease the amount of time it takes to complete an analysis.

The NX series can be deployed as an all-in-one hardware appliance, as a distributed model fully located on premises, or as a hybrid on-premises and public cloud model. This level of flexibility allows for companies of all sizes and varying levels of cloud implementation to deploy the malware sandbox.

Forcepoint
Deployment options: Physical, virtual and cloud
Number of users: Dozens to tens of thousands
Cost and licensing: Contact vendor or reseller

Cybersecurity firm Raytheon recently acquired Websense and Stonesoft. The combination of the three companies makes up its new line of security products using the Forcepoint brand name. While Websense at one time had sandboxing tools within its Triton platform, it has since moved on to focus on acquired products to better fit this role. Currently, Forcepoint is focusing on integrating sandboxing technologies within the Forcepoint NGFW, a technology gained through the Stonesoft purchase.

The Forcepoint Triton AP malware sandbox is a supplemental part of its NGFW product. The sandbox is part of a product known as Forcepoint Advanced Malware Detection. The feature uses a simulated environment for code execution, and ultimately detection and remediation of malicious software. This network security tool also offers dynamic and dormant code analysis to help root out difficult-to-detect malware coming from web and email sources.

Palo Alto Networks
Deployment options: Physical and cloud
Number of users: Dozens to tens of thousands
Cost and licensing: Starts at $4,500 for a license on a PA-3050 NGFW

Palo Alto WildFire is a cloud-based service that provides malware sandboxing and fully integrates with the vendor's on-premises or cloud-deployed NGFW line. The firewall detects anomalies and then sends data to the cloud service for analysis. Through the use of the cloud architecture, Palo Alto claims its approach simplifies management, increases scalability and automates many of the steps other vendors require human intervention to accomplish.

WildFire uses a threat intelligence prioritization feature called AutoFocus to highlight the threats needing the most attention. The WildFire sandbox also uses bare-metal analysis, which Palo Alto contends eliminates malware sandbox VM avoidance techniques.

Cloud access security brokers

Cisco
Deployment options: Cloud
Number of users: Virtually unlimited
Cost and licensing: Contact vendor or reseller 

Cisco acquired CloudLock in mid-2016, a move that propelled the networking and security giant into the CASB market. The CloudLock platform can be used if your organization uses SaaS, platform as a service, infrastructure as a service, hybrid cloud or any combination of cloud architectures. CloudLock uses an API-only approach that focuses security on three key areas: users, data and applications. CloudLock uses artificial intelligence to focus on user behavior and triggers alerts if an anomaly is detected. This approach can protect enterprise users from compromised user accounts or nefarious internal acts, such as data theft.

Data protection identifies and protects data using uniform security policies. Application protection provides visibility into application usage on the network. This is useful in tracking down shadow IT or the inappropriate use and storage of sensitive data on unapproved cloud apps. CloudLock also tightly integrates with other Cisco security platforms, including its NGFW product. Pricing varies depending on which applications you want to protect. For example, adding CloudLock services to Google Drive starts at $1.25 per user, per month.

Netskope Inc.
Deployment options: Virtual and cloud
Number of users: Unlimited
Cost and licensing: Approximately $15 per user, per month for the base subscription

Netskope is considered one of the original trailblazers of the CASB market. The company has deployment options for on-premises private clouds, public clouds or within a hybrid architecture. Netskope Active Platform relies on a combination of in-band proxy analysis and out-of-band API integrations with many of the leading cloud services available today.

One of Netskope's strengths is its user behavior analysis that can help protect against network breaches and data leaks from internal threats. The company boasts solid integration with several industry-leading security tools, including several products from FireEye. Netskope can audit cloud environments at a granular level and notify administrators when services and workflows are out of bounds based on predefined compliance policies.

Skyhigh Networks
Deployment options: Virtual and cloud
Number of users: Unlimited
Cost and licensing: Approximately $5 to $15 per month, depending on added services

Formed in late 2011, Skyhigh Networks is one of the earliest entrants into the CASB market. Having originally focused on securing SaaS cloud providers, the company has expanded its support to platform as a service and infrastructure as a service. The Skyhigh platform uses a combination of an inline proxy with API hooks into cloud applications for user-to-cloud interactions. It also collects logging information from a variety of security vendor products, including NGFWs, SWGs and data loss prevention.

The product also offers its own built-in data loss prevention policies packaged into different templates and organized by business vertical. That eliminates a significant amount of manual work for many companies that must deal with compliance regulations. Skyhigh and Cisco CloudLock are the only two CASB products that are FedRAMP-approved.

Symantec
Deployment options: Virtual and cloud
Number of users: Unlimited
Cost and licensing: Contact vendor or reseller

With its acquisition of Blue Coat Systems in 2016, Symantec became one of the leaders of the red-hot CASB market. Rebranded as CloudSOC, this CASB platform uses a combination of machine learning techniques and SaaS API integrations. The platform is well-suited for customers heavily invested in the Amazon Web Services or Microsoft Azure public clouds, and the product also integrates well with other Symantec security products, including its data loss prevention and SWG lines.

CloudSOC operates best in large public cloud, multi-cloud or hybrid cloud deployments. Its granular policy control makes it a suitable CASB platform for organizations requiring a great deal of control over security settings. This network security tool also offers several encryption mechanisms adhering to specific compliance and regulation laws.

This was last published in November 2017