Three things to consider before deploying a next-generation firewall

Expert contributor Mike Villegas outlines the three factors to consider when making the decision to purchase and deploy a next-generation firewall.

In a world of recurring breaches where threats grow more sophisticated every day, enterprises are increasingly looking for a single security architecture that combines high performance with effective, proactive protection products. The indifference engendered by the (once common) attitude of "We've never had a breach" or "We're not a big target" is quickly dissipating.

Enterprises today see a large proliferation of IT security point products and services that, although effective, appear to be architecturally desultory, reactive and tactical in nature.

Architecturally, disparate point product integrations are often forced to work together. They are also reactive and tactical rather than proactive and strategic. IT infrastructures and networks, meanwhile, have become more complex, where the perimeters and location of corporate data, especially in cloud technologies, are no longer distinctly marked.

Next-generation firewalls (NGFWs) offer a good complement of security point products that, although not yet the silver bullet, seem to address all these issues.

NGFWs are not for everyone, however. When deciding whether or not to deploy the technology (or making the business case for purchasing to management), first determine if the investment in an integrated NGFW security product is justifiable, is aligned with existing IT strategies, and has a well-defined total cost of ownership (TCO).

Is the investment justifiable?

For some companies, traditional network firewalls, intrusion prevention systems (IPS) and supporting routers/switches that are networked to protect environments are sufficient. These basic firewall services regulate the network connections between computer systems of differing trust levels.

This level of security is not enough for everyone today, however. Enterprises need to assess whether a traditional firewall is sufficient or whether a combination of discrete network security point products, or a NGFW, is a better option.

Experience has shown that most enterprises, at a minimum, need firewalls, IPS, antivirus, malware protection, threat intelligence and some sort of wireless security capability. NGFWs cover all these bases and more, often with aplomb. By contrast, if an enterprise chooses to deploy point products for each type of security technology, then the individual cost, maintenance and protection mechanisms would have to be added up, considered and weighed against the challenge of separately supporting each type of security technology. This also includes, among other things, the effort involved in integration, training, monitoring and reporting (as well as quality of service (QoS)) to ensure the proper level of security by every point product individually and in total.

Enterprises also need to look at their network architecture, threat vectors and risk appetite to determine if point products or NGFWs are the best approach. Unlike point products, NGFWs provide a single vendor, architecture and management interface for more flexibility in providing differing levels of protection, common reporting and, typically, a cost reduction by negating the need to purchase separate security appliances and services.

One reality that some fail to consider when deploying a NGFW, however, is the large commitment an integrated network security product entails, at least at first. Migrating to a NGFW often requires a considerable expenditure and architectural remediation effort in the short run. For some organizations, that may exceed the benefits of converting, especially if their initial investment for their existing point products deployment has been significant.

Nonetheless, converting to a NGFW realizes substantial savings (not just in money, but in time and effort in support and management) over time. And, because they are integrated, NGFWs tend to be more effective because security services provided -- such as IPS, deep packet inspection, application controls, VPN, SSL, wireless, mobile security and others -- have been designed, tested and vetted to work together. The integration has already been done and provided in a box.

While savings over the long haul could be considerable with a NGFW, and the efficacy of integrated security is well known, the decision to take the plunge now or wait until later comes down to the level of commitment and resources available to an organization.

Does it align with existing IT strategies?

Organizations that deploy NGFWs may discover they do not require all the security features these appliances support. What features are required by an enterprise should be determined in advance, as this will influence what NGFW product is bought and which security services to enable.

Some NGFWs have all these security features built into the appliance at no additional cost. Experience shows that enterprises often don't activate all of them, however, either because they have not found every security feature to be necessary or because some do not fit the organization's business model. Other NGFWs, although the security services are built into the appliance, charge to enable each feature in an a la carte fashion.

NGFW services that might not apply to all enterprises, but could be added to the mix when needed, include -- but are not necessarily limited to -- Active Directory integration, data loss prevention (DLP), multifactor authentication, application control, QoS, mobile device security, SSL, VPN and threat intelligence.

Ready to buy a NGFW?

In addition, when looking to purchase a NGFW, ensure IT security strategies are aligned with the organization's business model. For example:

  • Large retail companies might opt for a NGFW product at the corporate headquarters, but go with point products in each retail store -- whether from the same vendor or not.
  • Online retail businesses that do not have brick and mortar locations typically require robust, and therefore, increasingly integrated network security products that focus on QoS, load balancing, IPS, Web application security, SSL, VPN and strong firewalls with deep packet inspection.
  • Enterprises that are heavily regulated via standards (e.g., PCI, HIPAA, HITECH Act, Sarbanes-Oxley, FISMA, PERC, etc.) would also need to address remote access controls, two-factor authentication, Active Directory integration and, possibly, DLP.

Whatever course is taken, information security decisions need to be integrated with the IT department's strategic goals. IT, in turn, exists to support the business. IT does not drive the business. The business drives the business. IT's purpose is to ensure the IT infrastructure (perimeter and core deployments) exists to allow the business to achieve its strategic goals. So, however IT goes about protecting the enterprise -- be it via a NGFW or a combination of point products -- it must do so while balancing the need for people in business operations to get their job done.

What is the total cost of ownership?

According to the 2014 State of the Network Study, conducted by Network World, the top business objective of enterprises (54%) was to decrease operations costs, and the top technology objective (55%) was to decrease IT operations costs through consolidation/simplification. The remaining top technology objectives were to improve security and risk management (50%), boost end-user workforce productivity (43%), adopt technologies that allow for sharing of resources (40%), and increase/enable mobility -- e.g., BYOD programs, consumer technologies (40%).

What has not changed for several years in this study has been the first business objective. Enterprises are clearly looking to lower IT operations costs through consolidation and simplification. That is why we are seeing a major trend towards integrating services, such as using colocation and managed services. We see this as well in the deployment of integrated security technologies such as NGFWs.

For NGFWs, the TCO accounts for the upfront cost of purchase and deployment, and the cost of operation. The TCO of a NGFW is not just the purchase price, but also the expenses incurred through its use, maintenance, support and operation. A NGFW that appears to be a great bargain might actually have a TCO that is higher than that of another NGFW product, or even a combination of point products.

Security products (including NGFWs) that are rich with features, flexible and easy to use generally allow for favorable results at a reasonable price. However, this sometimes comes at the expense of a considerable amount of time spent by security and network engineers -- not so much learning how to use the NGFW, but refining and tweaking it. This takes away from what otherwise would be time spent doing their normal job duties.

Another consideration to factor into the TCO of a NGFW purchase and deployment is the amount of time required to address false positives, which are the bane of security. False positives typically result from blanket policies set during initial implementation. These tend to dissipate over time, however, as administrators learn proper NGFW policy optimization.

Before deciding to purchase a NGFW, assess the organization's risk posture, threat vectors and business model. Then, should it be determined that NGFWs are the right option for securing the enterprise, ensure the operation and deployment plan (1) justifies an integrated product rather than point products, (2) aligns with business strategies, and (3) shows that the TCO is worth the time, effort and expense.

How does one measure success? An optimal implementation of a NGFW should be comprehensive, flexible and easy to use. This means, among other things, that the enterprise needs the NGFW to help (1) reduce mission-critical server downtime to maximize revenue and sustain high user satisfaction, (2) reduce operating costs incurred in maintaining security, (3) ensure ease of use when enabling services and maintaining security requirements, and (4) provide proper levels of security commensurate with risks and regulatory requirements.

This was last published in February 2015