This content is part of the Buyer's Guide: Network security basics: A Buyer's Guide

Criteria for vetting tools from network security vendors

Before purchasing a network security system, consider where your data is located, who has access, where security tools will be deployed and if they're part of a unified strategy.

Having the right network security measures in place for your infrastructure is crucial, as the protection of sensitive data and the elimination of security threats are of utmost importance. When you start looking around, you'll find there are plenty of network security vendors from which to choose -- and each will tell you that its product is best. But some security measures are better than others in meeting your network architecture and specific data security requirements.

Before you begin vetting products from the various network security vendors, it may be helpful to establish a set of criteria using the following considerations.

Where is your mission-critical data stored?

Understanding where your company data is stored today -- and where it may be in the future -- is a great indicator of the types of network security systems needed and their importance in your overall security architecture. Whether data is stored in-house, in the cloud or both affects the network security system's effectiveness and criticality.

If the majority of data will be stored in private data centers, then perimeter security using next-generation firewalls (NGFWs) and network access control (NAC) will be crucial to ensure data is protected. The firewalls will safeguard data from users outside of the corporate network, while NAC will assist in making sure users and devices have proper authorization to access data.

On the other hand, if data is, or will soon be, stored in the cloud, your overall security posture should emphasize network security systems compatible with the cloud. For instance, many NGFWs offer cloud compatibility through virtualized firewalls. Similarly, your network security measures should emphasize secure web gateways (SWGs) and malware sandboxes to prevent data loss between networks. These tools also restrict potentially malware-infested data from moving between the corporate network and various cloud service providers and the internet.

Many SWGs and malware sandboxes offer cloud services, making them better suited for enterprises with data stored in the cloud. A cloud access security broker (CASB) platform is ideal if your enterprise is dispersed throughout multiple public and private data centers. CASB technology can be used to better manage authentication, access control and encryption policies on disparate infrastructure architectures.

Which internal users and devices will be accessing your data?

Protecting a corporate organization from untrusted external connections, such as the internet and WAN edges, is a no-brainer. But what if specific data should only be accessed by specific users? And what about external consultants, guests and other users who have access to the internal network, yet should not be considered trusted? This is where NAC, CASB and possibly NGFWs come into play.

Using a NAC or CASB platform, you can verify the identity of every user who attempts to access network resources. Users not permitted on the network will be completely blocked from accessing it. Others with limited access rights will be allowed on the network, but will only be able to access the applications, networks and data that the security administrator permits. NAC rules can either be integrated into network switching and routing devices, or enforced through internal NGFWs that segment the various internal networks. A CASB platform can be deployed as a proxy, through direct application integration using software APIs or a combination of the two.

Trust in end devices is becoming a more critical element of network security measures, especially when the company allows devices it does not control to connect to the internal network. The BYOD movement adds significant risk to a network, because devices brought in may not have an adequately secured operating system, applications or antivirus software. In a worst-case scenario, a user could connect a malware-infested device, which would then infect any devices and servers it accesses.

To prevent this, NAC, CASB or a combination of the two can be set up to assess the posture of the device to identify the hardware, OS and antivirus software running on it and determine if it meets predefined standards. If it does not, the user is either denied access or placed onto a quarantined network segment until problems are rectified.
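The posture assessment described above, as an added example that is not part of the original article: a NAC-style policy that reads the attributes an agent might report, then returns allow, quarantine or deny. The minimum OS versions, the signature-age limit, the field names and the sample fleet are all assumed values.

```python
# Added example (not from the article): a NAC-style device posture check.
# A NAC agent reports a few attributes; the policy returns the decision the
# article describes: allow, quarantine or deny. Standards and fleet are assumed.
from dataclasses import dataclass
from datetime import date, timedelta

MIN_OS_VERSION = {"windows": (10, 0), "macos": (13, 0), "ubuntu": (22, 4)}
MAX_AV_SIGNATURE_AGE = timedelta(days=7)

@dataclass
class DevicePosture:
    hostname: str
    os_name: str
    os_version: tuple       # e.g. (10, 0)
    av_installed: bool
    av_signature_date: date
    disk_encrypted: bool
    managed: bool           # False for BYOD and guest devices

def assess_posture(d: DevicePosture, today: date) -> tuple:
    """Return (decision, reasons): hard failures deny, soft ones quarantine."""
    hard, soft = [], []
    min_ver = MIN_OS_VERSION.get(d.os_name.lower())
    if min_ver is None:
        hard.append("unsupported operating system")
    elif d.os_version < min_ver:
        soft.append("os below minimum version")
    if not d.av_installed:
        hard.append("antivirus not installed")
    elif today - d.av_signature_date > MAX_AV_SIGNATURE_AGE:
        soft.append("antivirus signatures stale")
    if not d.disk_encrypted:
        soft.append("disk not encrypted")
    if hard:
        return "deny", hard + soft
    if soft:  # IT cannot remediate an unmanaged (BYOD) device, so deny it instead
        return ("quarantine" if d.managed else "deny"), soft
    return "allow", []

# Constructed sample fleet, evaluated as of a fixed date so results are stable.
SAMPLE_DEVICES = [
    DevicePosture("lt-01", "Windows", (10, 0), True, date(2017, 8, 1), True, True),
    DevicePosture("lt-02", "Windows", (10, 0), True, date(2017, 7, 1), True, True),
    DevicePosture("byod-1", "macOS", (13, 0), True, date(2017, 8, 1), False, False),
    DevicePosture("lt-03", "Windows", (8, 1), False, date(2017, 1, 1), True, True),
]

def run_samples(today: date = date(2017, 8, 3)) -> dict:
    """Map each sample hostname to its posture decision."""
    return {d.hostname: assess_posture(d, today)[0] for d in SAMPLE_DEVICES}
```

The quarantine decision is where a real NAC would move the device to a remediation VLAN and re-evaluate once the reported attributes change.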

Where will your network security tools be deployed?

Many security tools can be deployed either in-house or as a cloud service. Cloud-deployed security tools are becoming popular for two reasons. First, cloud-based security eliminates the need for in-house security administrators to manage the tool at a lower level. The service provider becomes responsible for maintaining network connectivity, patches, updates and any other lower-level infrastructure tasks. It allows your security administrators to focus on configuring and managing the security tool itself.

The second benefit of deploying network security measures through the cloud is they can be more easily leveraged if your network is highly distributed. For example, it used to be that a remote site would be designed to direct all web traffic back to the corporate office, so it could be filtered through an SWG. The cost of deploying an SWG at each location was often too high, so routing traffic back to headquarters was the most cost-effective option.

Unfortunately, this design often led to single points of failure and increased network latency if the remote site didn't have redundant WAN connections and was a great distance from the corporate office. Moving SWGs to the cloud potentially removes those single points of failure and significantly reduces latency. Cloud providers are often geographically dispersed, and your SWGs can be virtually deployed around the globe, effectively placing the SWG closer to each remote site. This tactic can significantly reduce the latency inherent in older designs that backhauled all internet traffic to a single location.

Are your network security systems part of a defense-in-depth strategy?

It's vital that a security architecture be viewed as a unified, defense-in-depth strategy. To that end, many network security measures must work together to optimize performance and increase effectiveness. When you begin vetting products from the different network security vendors, make sure you understand and confirm what dependencies the application may have on other security tools. This will ensure you have the right security tool for this specific task, as well as other components that integrate with it.

Case in point: Some malware sandboxes work completely independently. All data flows through the sandbox, and the malware sandbox tool filters out the legitimate traffic, while flagging data that looks suspicious -- and thus needs additional testing. But other malware sandboxes rely on NGFWs and SWGs to flag data as suspicious. Because of this, you must make sure your NGFWs and SWGs can perform the functions that the malware sandbox demands.

Additionally, all your network security measures must dovetail with your security information and event management (SIEM) platform. The role of a SIEM is to pull event and log data from the various security systems into a single repository. The SIEM can then analyze the data to correlate events that indicate potential malicious activity or compliance issues. While most data collection techniques use standards-based logging and Simple Network Management Protocol, it's important to verify with the network security vendors that their security systems will mesh with the SIEM you already have, or plan to implement.
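The SIEM role described above, as an added example that is not code from the article or from any product: two tools' syslog-style lines are normalised into one record shape and then correlated per host, raising an alert only when a malicious sandbox verdict and an NGFW deny for the same source fall within a short window. The two log formats, the hosts, the hashes and the five-minute window are constructed for illustration.

```python
# Added example (not from the article): normalising two tools' syslog-style
# output into one record shape and correlating across them, the job the
# article assigns to a SIEM. Log formats, hosts and hashes are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Two constructed formats: the NGFW logs key=value pairs, the sandbox logs
# positional fields. Real products each have their own schema.
NGFW_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) ngfw\S+ action=(?P<action>\w+) "
                     r"src=(?P<src>[\d.]+) dst=[\d.]+")
SANDBOX_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) sandbox\S+ (?P<verdict>\w+) "
                        r"(?P<sha>\w+) submitted_by=(?P<src>[\d.]+)")

SAMPLE_LOGS = [
    "Aug  3 10:01:12 ngfw01 action=allow src=10.1.5.23 dst=203.0.113.7",
    "Aug  3 10:01:40 sandbox01 malicious 0123abcd submitted_by=10.1.5.23",
    "Aug  3 10:03:05 ngfw01 action=deny src=10.1.5.23 dst=198.51.100.9",
    "Aug  3 10:04:00 ngfw01 action=deny src=10.1.7.8 dst=198.51.100.9",
    "Aug  3 10:05:00 sandbox01 clean 4567ef01 submitted_by=10.1.9.2",
    "Aug  3 11:30:00 sandbox01 malicious 9999ffff submitted_by=10.1.7.8",
    "heartbeat from a tool the SIEM has no parser for",
]

def parse_ts(s: str) -> datetime:
    """Classic syslog timestamps carry no year; pin one so the sample is stable."""
    return datetime.strptime("2017 " + re.sub(r" +", " ", s), "%Y %b %d %H:%M:%S")

def normalize(line: str):
    """Map one raw line to the common record shape, or None if unrecognised."""
    m = NGFW_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "src": m["src"], "tool": "ngfw", "event": m["action"]}
    m = SANDBOX_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "src": m["src"], "tool": "sandbox", "event": m["verdict"]}
    return None

def correlate(lines, window=timedelta(minutes=5)) -> list:
    """Hosts with a malicious sandbox verdict and an NGFW deny within `window`."""
    by_host = defaultdict(list)
    for rec in filter(None, map(normalize, lines)):
        by_host[rec["src"]].append(rec)
    alerts = []
    for host, recs in by_host.items():
        verdicts = [r["ts"] for r in recs if r["tool"] == "sandbox" and r["event"] == "malicious"]
        denies = [r["ts"] for r in recs if r["tool"] == "ngfw" and r["event"] == "deny"]
        if any(abs(v - d) <= window for v in verdicts for d in denies):
            alerts.append(host)
    return sorted(alerts)
```

Only 10.1.5.23 is reported: 10.1.7.8 has both indicators but more than an hour apart, and the unparsed heartbeat line is dropped rather than breaking the run, which is the integration question the article tells you to put to each vendor.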

Thanks to network security vendors, tools that were once deployed as individual components are now becoming integrated as a unified system. A great example of this is the merging of firewalls and intrusion prevention systems. CASB platforms also combine many of the features commonly found in NAC, malware sandboxes, encryption and SIEM tools.

This was last published in August 2017