Buyer's Handbook: How to select and implement a next-gen firewall Article 5 of 5

twobee - Fotolia

Explore this NGFW comparison of leading vendors on the market

Explore some of the top NGFWs currently on the market -- based on features and user reviews -- to help you make a buying decision

As hacking techniques and cyberattacks become increasingly sophisticated, enterprises are deploying next-generation firewalls for better security. NGFWs detect and block network attacks by enforcing security policies at the application, port and protocol levels.

Discover some of the top next-generation firewalls on the market below.

Barracuda CloudGen Firewall

Barracuda Networks Inc.'s CloudGen Firewall is a family of physical, virtual and cloud-based appliances that protect and enhance an organization's network infrastructure. It offers Layer 7 application profiling, intrusion prevention, web filtering, malware and advanced threat protection, antispam protection and network access control. Implementation is easy, even for someone new to this aspect of IT, and support is excellent, according to users on the Gartner review site.

Features include the following:

  • Advanced threat protection, an optional subscription, provides deep visibility into malware behavior and checks files against a cryptographic hash database regularly updated in real time.  
  • Intrusion detection and protection improve network security by providing complete and comprehensive real-time network protection against a number of network threats, vulnerabilities, exploits and exposures in operating systems, applications and databases.
  • Botnet and spyware protection defend organizations against botnet infections by blocking access to malicious sites and servers, as well as detect potentially infected clients based on domain name system sink holing technology.
  • Malware protection secures networks against viruses, worms, Trojans, malicious Java applets, as well as programs using known exploits on PDF, picture and office documents, macro viruses and more.
  • Custom application definitions, in addition to the thousands of applications preloaded in application control, can be created and tailored to an individual organization's needs.

Check Point Next-Generation Firewall

Check Point Software Technologies Ltd. Next-Generation Firewall offers centralized management and role-based administration. The firewall combines perimeter, endpoint, cloud and mobile security, as well as application control, advanced URL filtering and data loss prevention (DLP). Although most users on the Gartner review website say Check Point offers the best firewall product on the market in terms of preventing attacks, some add it is also the most expensive.

Features include the following:

  • Identity awareness gives administrators detailed visibility into the users, groups, applications, machines and connection types on their networks, enabling them to assign permissions to the right users and devices.
  • Application control enables organizations to create granular security policies based on users or groups to identify, block or limit the use of web applications and widgets, including social networking, instant messaging, video streaming, voice over IP and games.
  • Logging and status includes Smart Log, an advanced log analyzer that provides real-time visibility into billions of log records over numerous domains and timeframes.
  • Intrusion prevention system includes the Check Point IPS Software Blade that secures a network by inspecting packets traveling through a gateway. The IPS also provides geo-protections and automated updates to threat definitions.
  • Ease of expansion allows enterprises to add other features and blades, including DLP, threat emulation and threat extraction software blades.

Cisco Firepower Next-Generation Firewall

Firepower Next-Generation Firewall, the foundation of Cisco's integrated security architecture, prevents breaches and can quickly detect and mitigate stealthy attacks using deep visibility and advanced security capabilities, Cisco offers a range of options to address the needs of small and midsize businesses, enterprises, government organizations and service providers. According to users, Cisco's Adaptive Security Appliance (ASA) 500-X series of firewalls are good, easy to use and reliable. Implementation may be complicated, however.

Features of the Cisco ASA 5500-X series with FirePower Services for small to midsize business and branch offices include the following:

  • Next-generation firewall, a threat-focused NGFW, provides ASA firewall functionality, advanced threat protection, as well as combined advanced breach detection and remediation in one device.
  • ASA firewall offers rich routing and a stateful firewall with dynamic clustering for high-performance. It also includes highly secure and reliable access with Cisco AnyConnect VPN.
  • NGIPS (next-generation intrusion prevention system) provides advanced threat prevention and mitigation for known and unknown threats.
  • Advanced malware protection offers detection, blocking, tracking, analysis and remediation to protect organizations against targeted and persistent malware attacks.
  • Full contextual awareness provides policy enforcement based on complete visibility of users, client-side applications, mobile devices, vulnerabilities, communication between virtual machines, threats and URLs.

Forcepoint Next-Generation Firewall

Forcepoint NGFW offers consistent security, performance and operations across physical, virtual and cloud systems. It's designed from the ground up for high availability and scalability, as well as centralized management with full, 360-degree visibility. On the Gartner review site, users like that it can decrypt traffic while safeguarding data, but some users would like Forcepoint to provide more product documentation.

Features include the following:

  • Multilink connectivity for SD-WAN enables admins to centrally deploy and manage broadband, wireless and dedicated lines at each location. This provides full control over what traffic goes over each link with automated failover.
  • Automated, zero-downtime updates enables policy changes and software updates to deploy to hundreds of firewalls and IPS devices around the world in minutes rather than hours, without the need for service windows.
  • Human-centric endpoint context provides access policies that can whitelist or blacklist specific endpoint applications, patch levels or antivirus status as well as consolidate users' behaviors into actionable dashboards.
  • Antimalware sandboxing in the form of Forcepoint Advanced Malware Detection blocks previously undetected zero-day threats, ransomware and other attacks before they steal sensitive corporate data or damage systems.
  • Top-ranked anti-evasion defense provides multilayer stream inspection to defeat advanced attacks that traditional packet inspection can't detect.

Fortinet FortiGate Next-Generation Firewall

Fortinet Inc.'s FortiGate enterprise firewalls use security processors and threat intelligence security services from FortiGuard labs to provide high-performance threat protection. FortiGate offers automated visibility into applications, users and networks and also provides security ratings to adopt security best practices.

FortiGate is easy to use and offers a fast and highly intuitive configuration, according to users on the Gartner review website. Users also say IT support could be better.

Features include the following:

  • High-performance threat protection and SSL inspection performance protect enterprise from malware attacks hiding in encrypted traffic.
  • Continuous risk assessment via automated workflow and auditing features help companies protect their networks with fewer security staff members. They also ensure organizations meet security and regulatory compliance requirements.
  • The management console provides comprehensive network automation and visibility.
  • Enterprise-class security management allows companies to manage all security assets with a single pane of glass.
  • Protection of mission-critical applications provides highly scalable segmentation and ultra-low latency to protect network segments.

Huawei USG6300 Series Next-Generation Firewall

Huawei Technologies Co. Ltd.'s Unified Security Gateway (USG) Next-Generation Firewalls provide comprehensive protection for small to midsize companies and enterprise branch locations. They offer an integrated firewall, intrusion prevention, antivirus and data leak prevention. Huawei identifies more than 6,300 applications, analyzes service traffic in six dimensions and automatically generates security policy suggestions to combat threats. Huawei has been banned from doing business with the U.S., effective mid-August 2018, following a three-month reprieve granted by the U.S. President Donald Trump. Gartner users like the performance of the USG firewalls, but some say they're too expensive.

Features include the following:

  • Integrated protection combines application-layer defense and application identification.
  • Application-specific controls identify more than 6,000 applications -- including mobile and web applications -- and their functions, then implement access control and service acceleration. For example, this feature identifies the voice and data services of an instant message and applies different control policies for the services.
  • User-specific authentication supports eight user authentication methods, including Remote Authentication Dial-In User Service, Lightweight Directory Access Protocol and Active Directory authentication, and synchronizes user information from the existing user authentication system.
  • Location-specific access control identifies the locations from which application traffic and attack traffic originate and detects network exceptions. Then implements differentiated access control for locations, user-defined for IP addresses.
  • IPS detects and defends against more than 5,000 vulnerabilities. It also identifies and defends against web application attacks, such as cross-site scripting and SQL injection attacks.
  • Antivirus defends against more than 5 million viruses and Trojans, according to the company. The virus signature database updates daily.
  • Advanced persistent threat (APT) defense identifies and extracts suspicious traffic from the network and sends it to the sandbox for threat analysis. The sandbox runs the file to analyze and identify its behaviors to determine if the traffic is malicious. The firewall then processes the traffic according to the detection results the sandbox provides.

Juniper SRX Series

Juniper Networks' SRX Series firewalls are high-performance products for enterprises and service providers that deliver security, routing and networking capabilities. Specifically for security, the SRX Series offers a next-generation firewall, application visibility and control, IPS and other security services. SRX Series devices enable organizations to protect and control their business assets. Gartner users say the SRX firewall is reliable, with potential room for improvement on some features.

Features include the following:

  • Firewall user authentication provides another layer of protection in the network by restricting or permitting users individually or in groups and controls who and what can access the network.
  • Intrusion detection and prevention allow enterprises to selectively enforce various attack detection and prevention techniques on network traffic passing through IDP-enabled devices. This protects against network-based exploit attacks aimed at app vulnerabilities.
  • AppSecure, a suite of application security capabilities, detects application behaviors and weaknesses. It prevents application-borne security threats that are difficult to detect and stop and uses application identification and classification to provide visibility, enforcement, control and protection over the network.
  • Unified threat management enables businesses to protect themselves from spam, viruses, worms, spyware, Trojans and malware. It allows companies to implement a comprehensive set of security features, including antispam and web filtering.

Palo Alto next-generation firewalls

Palo Alto Networks Inc.'s next-generation firewalls give organizations complete visibility into and precise control over their network traffic and protect them from unknown threats. Palo Alto's NGFW models range from the low-end PA-200 to the high-end PA-7000. The firewalls combine policy enforcement and cyberthreat prevention through the company's Content-ID and WildFire sandboxing features. On the TrustRadius review site, users say the PA-800 series is easy to set up and the firewall manages traffic effectively.

Features of the PA-800 for enterprise branch offices and midsize companies include the following:

  • Application classification identifies the application, regardless of port, SSL/SSH encryption, or evasive technique in use. It categorizes unidentified applications for policy control and threat forensics.
  • Security policy enforcement deploys consistent policies to local and remote users running on Windows, macOS, Linux, Android or Apple iOS. It integrates firewall policies with 802.1X wireless, proxies, network access control and any other user identity information source.
  • Threat prevention blocks known threats, including exploits, malware and spyware, across all ports. It limits unauthorized transfer of files and sensitive data and enables web surfing that's not related to work tasks and also identifies and analyzes unknown malware, then automatically creates and delivers protection.

Editor's note: Using extensive research into the next-generation firewalls market, TechTarget editors focused on the vendors that lead in market share, plus those that offer traditional and advanced functionality. Our research included data from TechTarget surveys, as well as reports from other respected research firms, including Gartner and TrustRadius.

SonicWall next-generation firewalls

SonicWall provides next-generation firewalls for businesses of all sizes. The company offers five models in its TZ Entry-Level Firewall Series for SMBs and distributed enterprises. These firewalls all include deep packet inspection, multi-engine sandboxing, antimalware, intrusion prevention, web filtering and secure remote access.

SonicWall's midrange firewall also includes application intelligence and control, real-time visualization and wireless LAN management. Its firewall for large enterprises offers sandboxing, SSL inspection, intrusion prevention, antimalware, application identification, content filtering, real-time threat handling, centralized management, analytics and reporting. Users have high praise for the company's TZ series on the TrustRadius website, saying it is well-suited for small and midsize companies and is flexible, as well as easy to configure and manage.

Features of the TZ series include the following:

  • Advanced threat protection includes a cloud-based multi-engine sandbox that extends firewall threat protection to detect and prevent zero-day threats.
  • Centralized management and reporting enables organizations to centrally manage security policies, providing real-time monitoring and delivering compliance and usage reports.
  • Capture Cloud Platform delivers cloud-based threat prevention and network management as well as reporting and analytics.
  • Distributed network protection provides each site, such as distributed networks found in retail organizations, its own TZ firewall that connects to the internet often through a local provider.
  • Capture Security Center centralizes deployment, ongoing management and real-time analytics of the TZ firewalls.

Sophos XG Firewall

Sophos Ltd.'s XG Firewall provides visibility into an organization's network, users and applications directly from the control center. Businesses also get rich on-box reporting and the option to add Sophos iView for centralized reporting across multiple firewalls. The XG Firewall offers protection against the latest advanced threats, including ransomware, cryptomining, bots, worms, hacks, breaches and APTs. Most users on Gartner say Sophos XG Firewall is one of best on the market, as it protects the network from external and internal threats. Some say support is lacking, however.

Features include the following:

  • Hidden risk exposure offers visibility into top-risk users, unknown applications, advanced threats, suspicious payloads and more. It offers on-box reporting at no extra charge as well as the option to add Sophos iView for centralized reporting across multiple firewalls.
  • Automatic incident response identifies sources of infections on the network and automatically limits access to other network resources.
  • Next-gen intrusion prevention system provides advanced protection from all types of modern attacks and protects users and apps on the network in addition to protecting server and network resources.
  • Live antispam offers protection against the latest spam campaigns, phishing attacks and malicious attachments.
  • Policy-based DLP automatically triggers encryption or blocks or notifications based on the presence of sensitive data in emails leaving an enterprise.

Dig Deeper on Compliance

Enterprise Desktop
Cloud Computing