This content is part of the Buyer's Guide: Network security basics: A Buyer's Guide

Buying the right network security tool for your organization

The key to selecting the network security product that will work best for your organization is choosing tools that will work together as a unified security strategy.

Plenty of options exist when choosing the right network security tool, but narrowing your selections to a single choice can become a real headache. That's why we recommend looking at tools from a network-wide perspective.

Instead of haphazardly choosing individual security tools based on marketing rhetoric or generic research reports, look at your overall network architecture to determine where data resides and how end users access that data. You can use this information to gauge which specific features or implementation methods might be the best overall fit.

Additionally, make sure you compare how your network security tool will interoperate with existing or future security tools. A defense-in-depth strategy and choosing security products that accentuate the benefits and capabilities of other security applications are both critical to the overall success of your network security architecture.

Here, we will present two different company scenarios that detail real-world criteria for distinctly different network postures. In doing so, we will use each scenario to map business security needs to specific security products. The goal will be to present how a specific network security tool would be the best choice, depending on where company data resides, how users and devices access company data, where security tools are deployed, and the need for a defense-in-depth architecture. The security tools and top vendors we will be evaluating are the following:

  • Next-generation firewalls (NGFW): Check Point Software Technologies Ltd., Cisco and Palo Alto Networks.
  • Secure web gateways (SWG): Symantec, Forcepoint and Zscaler Inc.
  • Network access control (NAC): Bradford Networks, Cisco and ForeScout Technologies Inc.
  • Malware sandboxing: FireEye Inc., Palo Alto Networks and Forcepoint.
  • Cloud access security broker (CASB): Cisco, Netskope, Skyhigh and Symantec.

Cloud versus in-house control

Suppose we have two different companies: Company X and Company Y. Company X hasn't yet adopted cloud computing, while Company Y is fully embracing the cloud and various as-a-service offerings. In Company X, all critical applications and data reside within private data centers. Company Y, on the other hand, has opted to store its data in the cloud. Both companies maintain highly sensitive data, and so require that users and devices have strict access-control policies applied.

Given the traditional architecture of Company X, deploying security tools in the private data center is ideal. A cloud-based network security tool is out of the question, since the organization has made the decision to maintain critical data and network components on premises. But for Company Y, cloud-deployed and managed tools are preferred, because they offer increased flexibility in terms of tool placement and manageability.

Any of the leading NGFWs you choose in the scenario for Company X will work just fine. Each of the three vendors offers highly capable Layer 7 firewalls with advanced threat protection. Whichever firewall you select, the firewall appliance or virtual machine can be easily deployed between the internal network and internet or WAN edges.

When you look at the cloud deployment architecture of Company Y, Check Point and Palo Alto have the edge over Cisco, because they led the way in offering virtualized NGFWs that act identically to their hardware appliance counterparts. Additionally, both offer NGFW as a service in larger cloud providers, including the Amazon Web Services Marketplace.

In terms of the ideal secure web gateway, there are some things to consider. Both Symantec and Forcepoint offer their SWGs as appliances and as cloud services. Zscaler offers its SWG only as a cloud service. So, in this situation, Zscaler is ideal for Company Y, but not for Company X. Symantec and Forcepoint would be better options for Company X, because each offers appliance-based SWG platforms that could easily be deployed into private data centers.

The next choice is determining the best NAC vendor for each type of network. The necessary NAC features depend heavily on the importance of protecting company data and how the company approaches BYOD and the internet of things (IoT). So, not only are deployment options important, but so are the feature sets that each NAC product provides. Company X, for example, has strict BYOD policies; its primary focus is on data loss prevention. It's very likely the company is also cautious when it comes to the concept of IoT.

As a result, Company X is interested in leveraging user and device identification and resource accessibility. For in-house deployments -- as would be the case for Company X -- Cisco and ForeScout offer robust systems that are perfect for private data center architectures. Both Cisco and ForeScout are commonly heralded as among the best NAC products in the industry today. They also tend to shine for their companywide authentication and authorization policy enforcement features.

Company Y might find Bradford Networks' NAC product a better fit. While Bradford does offer flexible and robust hardware appliances that can be deployed in private data centers, it also sells its NAC as a virtual appliance that can be deployed in the cloud. Each product has easy-to-manage features that work well with BYOD-friendly environments. So, if the goal of Company Y is to manage network security tools from the cloud, and with BYOD security in mind, then Bradford should be considered.

Next, let's consider the malware sandbox. FireEye is the most logical network security tool in a traditional on-premises setting, such as the one described for Company X. FireEye's NX platform is a stand-alone system and can be easily deployed in a private data center, positioned where it can analyze traffic inline. Products from Palo Alto and Forcepoint are better deployed in cloud architectures, like the scenario described for Company Y, because both vendors offer sandboxing as a cloud service.

Finally, for companies that operate in increasingly complex, multicloud environments, one way to simplify the management of access control, data protection and data encryption across multiple network infrastructures is to choose a CASB platform. A CASB also significantly increases end-to-end visibility of data flows. While deployment is more complex than implementing individual tools, CASB platforms are unrivaled in their ability to create and enforce uniform policy from the end user all the way to the application.

A CASB platform for Company X probably wouldn't be the right fit, unless that company had plans to rapidly move to a hybrid or multicloud architecture. For those organizations that are heavily SaaS-oriented, look for CASB products that are more proxy-oriented, such as platforms from Netskope, Skyhigh Networks and Symantec. The proxy allows for SaaS data to be funneled through a security product where policy can be attached. This is true for both sanctioned and unsanctioned SaaS providers.

It's true that API-based CASBs offer a far greater amount of control and depth when protecting SaaS architectures, but not all SaaS APIs are supported or even available. Therefore, you may lose some visibility when using a CASB that doesn't support a forward-proxy architecture. This is likely to change in the future, however, as more cloud providers add APIs.

For organizations that rely on hybrid or multicloud environments, an API-driven CASB might be a better choice. Because proxies require all data to pass through security gateways, a proxy architecture is less appealing when applications and data are distributed throughout multiple providers and private clouds. This is where an API-driven approach is preferred. Security analysis can be centralized and thus streamlined. And while all the top CASB platforms have some form of API capabilities, Cisco offers one of the few products that's solely focused on APIs as a foundation for CASB intelligence gathering.

Further defense-in-depth architecture considerations

Making network security tool decisions based on data architectures and data flows is a great start, but it doesn't fully complete the picture. Today's security products can no longer simply work as independent systems. They must also cooperate with one another to provide optimal security, greater efficiencies and ease of management.

In many situations, your decision might boil down to a case of using security tools from a single vendor, as opposed to choosing a top vendor for each network security product. Integrating the tools so they work together becomes easier when everything is from the same vendor. The same goes for troubleshooting and support. So, even if you don't have the absolute best tool available in each security category, you can be more confident the products will provide a more seamless, end-to-end blanket of security coverage. Most of the major network vendors, such as Check Point, Cisco, Palo Alto and Forcepoint, have solid security tools in most of the categories discussed here.

If you do choose to select top-of-the-line individual security tools, make sure the products you choose work well together in a shared network environment. We'd recommend categorizing the priority of each security tool in your defense-in-depth strategy. Then, choose each tool in order of importance, making sure each successive tool works smoothly with the one selected before it. How a company may prioritize its security tools will depend on its specific security needs. In most cases, however, the most important security tool your enterprise deploys will almost certainly be the NGFW. The firewall was -- and is -- the linchpin for most defense-in-depth strategies. So, make sure you choose your NGFW first.

Suppose you've determined the second most important network security tool is a malware sandbox. You should choose what you feel is the best, but only if it works well with the NGFW selection you've made. This is critical, as NGFWs often have to cooperate with a malware gateway by flagging suspicious data as it flows through the firewall. That flagged data is then sent to the malware sandbox for analysis. If the two technologies don't work well together, you'll likely have to make a different choice -- whichever malware sandbox works the best with your firewall to create a unified security approach.

Each of the security tools mentioned here will assist in providing an overall defense-in-depth strategy for your enterprise network. Keep in mind there are plenty of other security tools that aren't mentioned in this series, but should be considered as part of your overall security architecture. We simply presented five categories of tools that are making the biggest impact on security architectures today.

Choosing the right network security tool largely boils down to data flow and architecture, and how the products work together as a unified security strategy. Most enterprise-class security products can work in almost any environment. We presented scenarios that pointed to differences in deployment methods and compatibility that make one or two products stand out for a particular network architecture.


This was last published in August 2017
