James Thew - Fotolia
Next-generation firewalls protect enterprise networks from intrusions and attacks with integrated network security platforms that include inline deep packet inspection firewalls, intrusion prevention systems, application inspection and control, SSL/SSH inspection, website filtering and quality of service and bandwidth management.
Choosing the best NGFW can be challenging, but organizations can simplify the buying process by completing a next-generation firewall comparison and creating a shortlist of products. They do not have to choose the top-rated NGFW product in the industry, but rather the NGFW that best fits and meets their specific enterprise requirements.
So who are the players? This article examines these eight NGFW vendors: Barracuda Networks Inc., Check Point Software Technologies Ltd., Cisco, Fortinet Inc., Forcepoint, Juniper Networks, Palo Alto Networks Inc., and SonicWall.
Questions to consider when looking for the best NGFW vendor product include: What is the company's product line? Are its next-generation firewalls for cloud service providers, large enterprises, or SMBs? What NGFW features come with the base product? What features need an extra license? How is the firewall sold and priced? What differentiates one product from another?
As one might anticipate, there are many similarities between NGFWs. However, the differences are worth mentioning and comparing.
Who is the NGFW for?
All NGFWs are designed to protect midsize to large enterprises. Cisco, Check Point, Fortinet, Barracuda and Juniper, however, also offer NGFW products for SMBs. All the NGFWs examined in this article, meanwhile, support both virtual and physical deployments, as well as deployments in cloud environments, such as Azure, AWS and Google Cloud Platform.
What features are available?
Common features available in all NGFW products include unified threat management (UTM), non-disruptive inline bump-in-the-wire configuration, network address translation, stateful packet inspection, VPN, integrated signature-based intrusion protection systems (IPS) engine and application awareness. They also tend to include the ability to incorporate information from outside the firewall -- including directory-based policy, blacklists and whitelists. In addition, they provide an upgrade path to include future information feeds and security threats and offer SSL decryption to enable the identification of undesirable encrypted applications.
Uncommon NGFW features vary by vendor, so this is where organizations can start to differentiate between products:
- SonicWall prevents advanced threats with cloud-based and on-box threat prevention that includes multi-engine sandboxing, antimalware, intrusion prevention and web filtering.
- Cisco provides application visibility and control as well as next-generation intrusion prevention, advanced malware protection and URL filtering.
- Forcepoint offers whitelisting and blacklisting by client application and version, antimalware sandboxing and high availability clustering of devices and networks.
- Barracuda CloudGen Firewall offers Layer 7 application profiling, intrusion prevention, web filtering, malware and advanced threat protection, antispam protection and network access control.
- Juniper's SRX series integrates UTM, IPS and application visibility and control capabilities for a comprehensive threat management framework.
- Check Point's NGFW includes the Check Point IPS Software Blade, an IPS that provides geo-protections as well as frequent, automated threat definition updates.
In a next-generation firewall comparison, it's important for the organization to understand which features require additional licenses, so they can decide if these add-ons are worth the cost.
For example, if a company requires data loss prevention, it might consider a NGFW that offers DLP. Or, should it determine that the DLP components of NGFWs aren't sufficiently powerful enough for its purposes, it may decide to go with a stand-alone DLP rather than an integrated product. The same would apply for web application firewall technology and threat intelligence services. For example, in addition to Cisco's base license, threat and malware detection and URL filtering features require additional, optional licenses.
How is the NGFW sold, licensed and priced?
When an organization purchases a product, it receives a copy of the software or appliance and a license to use it. The company doesn't actually own the software -- ownership rights belong to the software company, and customers are limited by the terms and conditions of the license. All NGFW products are licensed per physical device. Additional licenses are required for uncommon features. Organizations should closely read the terms and conditions to determine what services are available in the base NGFW products and what services require additional licenses.
While Check Point and Fortinet sell through channel organizations, the other NGFW vendors profiled here sell direct and through channel partners. All NGFW products, meanwhile, are priced by scale based on the type of hardware used and the service contract. The wide price range differences not just between vendors, but between the various offerings from individual vendors are of particular importance. Companies should do a comprehensive next-generation firewall cost comparison when looking into purchasing a NGFW.
For example, Fortinet's Fortigate 200E for midsize companies offers 15 pricing configurations from $2,700 for just the hardware to $14,850 for the hardware plus a five-year subscription to FortiGate-200E Hardware plus 24/7 FortiCare and FortiGuard Enterprise Bundle.
And there are 11 pricing options for the SonicWall NSA 2650 for SMBs, ranging from $1,996 for just the appliance, to $8,880 for a five-year subscription to SonicWall NSA 2650 Secure Upgrade Plus Advanced Capture Security Center Edition.
While the pricing structure appears disparate, similarities do exist in the lower-end product lines. The smaller the NGFW needed, the simpler the pricing. The larger the enterprise and volume purchase potential, the greater the disparity, but also the greater the bargaining power on the part of the customer.
Licenses typically come in one-, two- and three-year subscriptions. Some vendors also offer five-year subscriptions. As the number of users increase, volume discounts often apply. K3DES generally recommends not paying retail price on security products; however, keep in mind that vendors tend to be less flexible with single purchases. One approach is to time purchases for month or quarter end, as vendors are often under pressure to meet and exceed sales quotas.
Is there a free trial version of the NGFW available?
Fortinet doesn't offer a free trial for its FortiGate NGFW, but it does offer a full working demo so users can try out its features. Cisco offers a free two-week trial, while the other vendors provide free 30-day downloadable full virtual appliance or virtual machine versions to test. Juniper provides potential customers with a 60-day free trial, including a 30-day evaluation of advanced security services, including IPS, AppSecure and UTM.
The key differentiators between NGFW products
Below are some highlights of the noted differences between the top NGFWs:
- Check Point offers centralized management and role-based administration. The firewalls combine perimeter, endpoint, cloud and mobile security and also offer application control, advanced URL filtering and data loss prevention.
- SonicWall has patented Reassembly-Free Deep Packet Inspection, a technology that allows for centralized management for users to deploy, manage and monitor thousands of firewalls through a single pane of glass dashboard.
- Fortinet's FortiGate NGFW adds intrusion prevention, application control and antimalware to the traditional firewall-VPN combination.
- Barracuda claims to have advanced troubleshooting capabilities and smart lifecycle management features built into its large scaling central management server. Its CloudGen Firewall F-Series, which includes physical and virtual appliances, is available for AWS, Microsoft Azure and Google Cloud.
- Juniper SRX has updated its advanced threat prevention appliances to simplify security data integration. As a result, the on-premises devices now ingest and analyze data from any third-party firewall or security data source. The product also offers application visibility and control, IPS, user-based application policies and UTM.
Each NGFW vendor has established a foothold in unique areas that set them apart from the rest. The key for customers is to identify the differentiators that meet and exceed their needs in their next-generation firewall comparisons.
Consider the following criteria in selecting the NGFW vendor and model for an enterprise: Identify the players, develop a shortlist, perform a proof of concept, make reference calls, consider cost, obtain management buy-in and work out contract negotiations. Total cost of ownership is also critical. Last, but no less important, consider the skill set of company staff and the business model and growth expectation for the enterprise. These are all important factors in making a final decision.
Which is the best NGFW product for your organization?
The plan to thwart attacks on enterprise network environments will always be based on risk. The level of protection should be commensurate with the value of the asset. If protection requires a next-generation firewall, familiarization with NGFW vendor products and models to fit the organization and business model is critical.
Linda Rosencrance contributed to this report
In part one of this series, learn about the basics of next generation firewalls in the enterprise
In part two of this series, find out about the three things to consider before deploying NGFWs
In part three of this series, discover the six criteria for buying next-generation firewalls