Buyer's Handbook: How to select and implement a next-gen firewall Article 3 of 5


6 firewall selection criteria to purchase NGFWs

These six key factors will help your company determine the best NGFW product for your organization's needs.

Next-generation firewalls are hardware- or software-based network security products that can detect and block sophisticated attacks beyond traditional firewall technologies.

There are many options for NGFWs, and while they all provide a variety of protection features that are commonly available in point products -- such as traditional firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), wireless management systems, quality of service (QoS) and application control systems -- there are often significant differences between what is available from specific NGFW offerings.

For example, some vendors provide unified threat management products separately from NGFWs for small to midsize businesses, while others embed UTM features in their NGFW base offerings.

Consequently, regardless of what vendors call their NGFW products, it is incumbent on buyers to understand precisely which features each NGFW product under consideration includes. To get readers started on this process and guide them toward the best NGFW purchase decisions for their particular environments, this article presents six firewall selection criteria to consider, as well as questions to ask when comparing and contrasting these IT security products during the procurement process.

1. Platform type

Most next-generation firewalls are hardware-based (appliance), software-based (downloadable) or cloud-based (SaaS). Hardware-based NGFWs appeal most to large and midsize enterprises; software-based NGFWs to small companies with simple network infrastructures; and cloud-based NGFWs to highly decentralized, multi-location sites or to enterprises where the skill sets required to manage them are lacking or have been reallocated.

2. Feature set

Not all NGFW vendors offer the same features. NGFW features typically consist of inline deep packet inspection firewalls, IDS/IPS, application inspection and control, SSL/SSH inspection, website filtering and QoS/bandwidth management, intended to protect networks against the latest sophisticated network attacks and intrusions.

Additionally, most NGFWs offer threat intelligence, mobile device security, data loss prevention (DLP), Active Directory integration and an open architecture that allows clients to tailor application control and even some firewall rule definitions.

An important caveat is that the features an NGFW provides beyond traditional firewall blocking and tackling are not offered at the full depth of a dedicated point product. For example, NGFW DLP is not at the level typically provided by a dedicated DLP point product. Similarly, NGFW application control provides identification and authorization of defined applications and user access, along with additional time-of-day and upload/download permissions. Some NGFWs are also able to filter packets based on the application and provide content filtering within the application.

The key is for the organization to know what it is buying and whether it provides the level of protection required for each specific area of desired security.

3. Performance

Because NGFWs integrate many features into a single appliance, they may seem attractive to some organizations. However, enabling all available features at once can result in serious performance degradation. Admittedly, NGFW performance metrics have improved over the years, but buyers need to consider performance in relation to the security features they intend to enable when choosing NGFW vendors and models.

For example, in July 2018, NSS Labs Inc. published the results of a comparative study of 10 NGFWs covering three major areas -- security effectiveness, performance and total cost of ownership (TCO).

The key findings stated that seven of the tested products achieved an above-average overall value rating for TCO per protected megabits per second, while three achieved a below-average rating.

In addition, NSS tested performance on all 10 NGFWs, finding throughput ranging from 1,028 Mbps to 7,888 Mbps, with rates on three of the products significantly lower than their vendors' stated claims.

4. Manageability

This criterion involves system configuration requirements and the usability of the management console. System configuration changes and the management console's user interface should have three key qualities. They should be comprehensive, covering an array of features that preclude the need for augmentation by other point platforms; selective, so that features not needed in the enterprise environment can be excluded; and accessible, so that the management console, individual feature dashboards and reporting are intuitive and incisive.

5. Price

NGFW appliance, software and cloud service pricing varies considerably by vendor and model, with prices ranging from around $300 to as high as $350,000 per device. Some have separate pricing for service contracts.

Companies should closely review individual product offerings to determine which features would work best in the enterprise, factoring in what the organization can and cannot afford to have. If possible, do not pay retail prices. Most vendors will provide volume discounts -- the more users supported, the less it costs per user, for example -- or discounts where there is a viable prospect of further purchases.

Overall, pricing should be only one of several factors in determining the TCO: the cost of an NGFW plus the cost of operating it. The TCO of an NGFW is not just the purchase price, but also the expenses incurred through its use, maintenance, support and operation. An NGFW that appears to be a great bargain might actually have a TCO higher than that of another NGFW, or even of a combination of point platforms.
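The performance and price criteria above come together in one number: TCO per protected Mbps, where the throughput used is the figure measured with the intended features enabled rather than the vendor's datasheet claim. The following is an added example, not code from the article or from any NGFW vendor; it ranks a set of constructed candidates by that metric over a multi-year horizon and flags any product whose measured throughput falls well short of its claim. All prices and throughput values are constructed placeholders, and the 25% shortfall threshold is an assumed evaluation policy, not a figure from the article.

```python
"""Rank NGFW candidates by total cost of ownership per protected Mbps.

Added example for this buyer's guide; not the article's or any vendor's
code. Every number below is a constructed placeholder for illustration.
"""
from dataclasses import dataclass


@dataclass
class Candidate:
    name: str
    purchase_price: float      # one-time cost per device
    annual_support: float      # service contract, per year
    annual_operations: float   # staff time, updates, training, per year
    claimed_mbps: float        # vendor datasheet throughput
    measured_mbps: float       # throughput measured in your own PoC with the
                               # feature set you actually intend to run


def total_cost_of_ownership(c: Candidate, years: int = 3) -> float:
    """Purchase price plus recurring support and operations over the horizon."""
    return c.purchase_price + years * (c.annual_support + c.annual_operations)


def tco_per_protected_mbps(c: Candidate, years: int = 3) -> float:
    """Normalise TCO by *measured* throughput, the metric NSS-style tests use."""
    return total_cost_of_ownership(c, years) / c.measured_mbps


def throughput_shortfall(c: Candidate) -> float:
    """Fraction by which measured throughput falls short of the vendor claim."""
    return 1.0 - c.measured_mbps / c.claimed_mbps


def rank_candidates(candidates, years: int = 3, shortfall_threshold: float = 0.25):
    """Return rows sorted cheapest-first by TCO per Mbps, each carrying a flag
    when the PoC measurement missed the vendor claim by more than the threshold
    (assumed policy; tune to your own risk appetite)."""
    rows = []
    for c in candidates:
        rows.append({
            "name": c.name,
            "tco": total_cost_of_ownership(c, years),
            "tco_per_mbps": tco_per_protected_mbps(c, years),
            "shortfall": throughput_shortfall(c),
            "flag_claim_gap": throughput_shortfall(c) > shortfall_threshold,
        })
    rows.sort(key=lambda r: r["tco_per_mbps"])
    return rows


# Constructed candidates. Vendor B is the cheapest box on the price list but,
# with the desired inspection features enabled, delivers half its claimed
# throughput, so its cost per protected Mbps ends up worse than Vendor A's.
CONSTRUCTED_CANDIDATES = [
    Candidate("Vendor A (constructed)", 45_000, 9_000, 6_000, 8_000, 7_500),
    Candidate("Vendor B (constructed)", 20_000, 5_000, 6_000, 6_000, 3_000),
    Candidate("Vendor C (constructed)", 60_000, 12_000, 4_000, 5_000, 4_800),
]

if __name__ == "__main__":
    for r in rank_candidates(CONSTRUCTED_CANDIDATES):
        gap = " (measured throughput well below claim)" if r["flag_claim_gap"] else ""
        print(f'{r["name"]:<24} TCO ${r["tco"]:>9,.0f}  '
              f'${r["tco_per_mbps"]:>6.2f}/Mbps  '
              f'shortfall {r["shortfall"]:.0%}{gap}')
```

Replace the constructed rows with your own purchase quotes, support contract figures and, most importantly, throughput numbers from a proof-of-concept run with SSL inspection, IPS and application control enabled as you intend to deploy them; a datasheet figure in the `measured_mbps` column defeats the purpose of the comparison.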

6. Support

The 2018 Gartner "Magic Quadrant for Enterprise Network Firewalls" rated support, considering the quality, breadth and value of NGFW offerings from the vantage point of enterprise needs. Given the critical nature of NGFWs, timely and accurate support is essential. Companies should obtain references and ask to speak with vendor clients, without the vendor present.

Support criteria for NGFWs should address responsiveness ranked by type of service request, the quality and accuracy of the service response, the currency of product updates, and customer education and awareness of current events.


The level of protection (controls) provided by an NGFW should be commensurate with the value of the assets (risks).

It is important that organizations familiarize themselves with the NGFW vendors and products that best fit their IT environments and business models.

To do so, consider these six criteria: platform base, feature set, performance, manageability, price and support. Then determine which of the remaining NGFW products best meet the organization's TCO requirements.

In addition, perform proof-of-concept evaluations to ensure that the selected NGFWs work well in the organization's IT infrastructure. Some NGFW vendors profess, for example, that installation is as easy as "pick up and move." For some NGFWs, that is a true statement, but prudent planning and testing prior to deployment are critical.

Hiring the right people, or building the skill sets required to manage and maintain this IT security environment with current staff, is also important. Last, purchase at month's and quarter's end to take advantage of vendor sales quota requirements for the organization's benefit.

Linda Rosencrance contributed to this report.
