Next-generation firewall buyer's guide for CISOs

Deployment architecture

Most NGFW products are available in multiple deployment models: hardware appliances, software to install on an organization's hardware, cloud-based software and cloud-based SaaS. In most cases, an organization can use these models within a single deployment architecture. For example, this might include a SaaS NGFW to monitor cloud-based network traffic, an NGFW hardware appliance to monitor traffic in on-premises data centers, and a single interface to manage all NGFWs.

Designing the deployment architecture necessitates choosing which deployment model to use at logical network ingress and egress points, including boundaries between two organizational networks. Factors to consider include the following:

• Scalability. CISOs must consider the organization's future scaling needs. For example, choose a software-based NGFW deployment model if the network's throughput is expected to increase in the next few years.
• Monitoring. Consider teams' ability to efficiently monitor network traffic in existing locations versus rerouting traffic to pass through NGFWs in other locations.
• Reliability. Teams should understand the reliability requirements for any deployment and how to achieve them -- for example, load-balancing across multiple hardware firewalls or cloud instances.
• Control. Assess the degree of control required over NGFW deployments -- from monitoring and managing all NGFWs on-premises to enlisting a service provider to monitor and manage all NGFWs.
• Features. Consider the ability to add NGFW features and capabilities over time, such as advanced AI technologies, without degrading the tool's performance or reliability.

Budgeting

Every vendor's NGFW offerings involve a unique combination of purchases, licensing, subscriptions and features. Reviewing NGFW products can be time-intensive, requiring apples-to-apples comparisons to fully understand the budgetary implications of a deployment model for each network point.

The following are some common NGFW acquisition and implementation costs, although some only apply to certain deployment models:

• Hardware appliances or commodity hardware to run NGFW software.
• One-time and recurring licenses and subscriptions, including technical support fees.
• Deploying tool or service components, such as individual NGFWs and management consoles.
• NGFW integration with enterprise technologies, including log management systems and identity and access management tools.
• Training for NGFW implementers, administrators and stakeholders, as well as recurring training fees.
• Securing the NGFW tool or service and its individual components.
• Piloting and deployment.
• Transitioning and retiring legacy technologies.
• Upgrade costs.
• Labor costs for managing, monitoring and maintaining NGFWs.

Operational costs vary based on the deployment model. For example, estimating operational costs for cloud-based NGFW deployments is particularly complex. Some NGFW vendors offer sophisticated pricing estimators that take into account the number of NGFWs, optional security services, the volume of network traffic passing through each NGFW, tool architecture, management options and technical support.

On-premises deployment models are easier to estimate, as they are based on known investments in similar cybersecurity technologies.

ROI

Capturing the true ROI for NGFWs and other cybersecurity technologies is challenging for CISOs. The risk/reward of not having the NGFW versus the cost of the hypothetical cyberattack it would prevent is difficult to define.

The value of NGFW technologies can be generally demonstrated by evaluating the reduction in data breaches and thwarted attacks, more efficient incident response times, labor reduction, prevention of reputational damage and more system uptime.

Remember, when determining the true ROI for an NGFW, consider whether other cybersecurity technologies would have stopped the incident. If so, it doesn't mean the NGFW didn't provide value, as it's always advisable to have multiple control layers in place as a failsafe. It just means the NGFW's ROI isn't as high as it would have been had it been the only tool used.

Karen Kent is the co-founder of Trusted Cyber Annex. She provides cybersecurity research and publication services to organizations and was formerly a senior computer scientist for NIST.