10-Step Checklist to Buy Next-Generation Firewall


This article touches upon the crucial factors that need to be paid attention to before buying the next-generation firewall. This checklist will help you avoid unforeseen expenses.

A next-generation firewall or an NGFW is a third-generation firewall technology that is implemented in hardware or software. It blocks sophisticated attacks by enforcing security policies at the application, port, as well as protocol levels. There are several next-gen firewall options available in the market today.

Although they all aim to address the same critical pain points, there are some significant differences between what’s enabled in specific NGFW offerings. When purchasing a next-generation firewall, businesses need to consider the vendor as well as the product that will impact the overall cost of purchasing and managing the device.

1. Evaluate the Cost of Annual Ownership

This is the very first thing you should check. You need to understand that absolutely any NGFW needs an annual renewal of subscriptions, contracts, or updates (vendors use different names for this). For many, it comes as a surprise that a one-time purchase is not enough and that you have to “pay again” every year. Most importantly, without renewing these subscriptions, some crucial features stop working.

These important features may include IPS, URL filtering, application control, antivirus, antispam, sandbox, etc. The full list depends on the specific vendor. Without renewing your subscriptions, your NGFW turns into a regular firewall. The cost of annual ownership varies, but as a rule it amounts to around 30% – 40% of the original purchase price.

2. Set Priorities

Many perceive NGFWs as a panacea that can solve all information security problems. This is not the case. NGFWs protect only against a few vectors of possible attacks on your network. There is no single solution that would guarantee 100% protection. If someone promises you something like that, they are either trying to deceive you or do not fully understand what they are talking about.

The task of an NGFW solution is to reduce the attack surface as much as possible. Do not forget about other means of protection. If you do not have enough funds to purchase an NGFW, you should not spend your last money on it at the expense of other tools. Set priorities and evaluate your financial capabilities. A company’s IT security does not start with the purchase of an NGFW; it is only one additional element of a multi-layered protection approach.

3. Fine-Tune the NGFW

Do not even expect that NGFW will adequately protect your company with default settings and a couple of clicks. Any NGFW will have to be fine-tuned, and it should be constantly adjusted to changing threats. Do not forget that information security is not a result, it is a process.

4. Be Ready to Solve Problems and Plan Your Time

Before buying an NGFW, it is worth preparing for technical difficulties. Even if deployment services are included, your solution provider will not do all the necessary work for you. Since information security is a process, you will have to solve new problems that arise. And this is not because NGFWs are bad, it is because they have many features.

To adjust everything to your needs, you will need to spend a decent amount of time. Otherwise, you risk remaining with default settings that use only 20% of the NGFW’s features. Configuring SSL inspection alone takes a tremendous effort. (Yes, you will have to turn it on if you are really concerned about security.)

You will have to manually go through sites and applications that stop working after the SSL inspection is turned on. No one will do it for you. Difficulties may appear at different stages of the deployment and during the operation of your new NGFW.
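The walkthrough of sites and applications that break after SSL inspection is turned on can be partly scripted. The following added example (not code from the article or from any vendor) probes each host from behind the gateway and sorts it into one of three buckets: intercepted (the leaf certificate was issued by the inspection CA), bypassed (the original issuer is still visible, so the host is exempted on the gateway), or handshake-failed (the candidates for manual attention, typically pinned apps or non-browser clients). The inspection CA name and the host list are constructed assumptions.

```python
"""Triage helper for an SSL-inspection rollout (added example, not from the article).

Behind an inspecting NGFW, every intercepted TLS session presents a leaf
certificate issued by the gateway's inspection CA instead of the site's own
chain. The classification below uses only the Python standard library; the
inspection CA name and the probe hosts are constructed for illustration.
"""
import socket
import ssl

INSPECTION_CA_CN = "Corp NGFW Inspection CA"   # assumed CN of the gateway's signing CA


def classify_issuer(issuer_cn, inspection_ca_cn=INSPECTION_CA_CN):
    """Map the issuer CN of the presented leaf certificate to a triage bucket."""
    if issuer_cn is None:
        return "handshake-failed"
    return "intercepted" if issuer_cn == inspection_ca_cn else "bypassed"


def issuer_cn_from_cert(cert):
    """Extract the issuer CN from the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def probe_host(host, port=443, timeout=5.0):
    """Open a TLS session through the gateway and classify what was presented.
    Verification uses the OS trust store, so the inspection CA must already be
    installed there for intercepted sessions to validate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify_issuer(issuer_cn_from_cert(tls.getpeercert()))
    except (ssl.SSLError, OSError):
        return classify_issuer(None)


def triage(results):
    """Group a {host: status} mapping into the three buckets to walk through."""
    buckets = {"intercepted": [], "bypassed": [], "handshake-failed": []}
    for host, status in sorted(results.items()):
        buckets[status].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed host list: replace with your own application inventory.
    hosts = ["example.com", "update.example.net", "pinned-app.example.org"]
    for bucket, members in triage({h: probe_host(h) for h in hosts}).items():
        print(f"{bucket:17} {', '.join(members) or '-'}")
```

Hosts in the handshake-failed bucket are the ones to test manually and, where the failure is expected (pinning, client certificates), to add to the gateway’s bypass list.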

5. Plan a Budget for Training Employees

An NGFW is a rather complex product, no matter how hard vendors try to simplify it. It contains a lot of functions and pitfalls. You should not assume that you will master a new product immediately.

Therefore, when planning a purchase, be sure to budget for training the employees who will administer it. Sometimes training is included free of charge; it all depends on the size of the deal and the loyalty of your partner.

6. Evaluate the Technical Support

You will definitely have to contact technical support. Pay close attention to this issue. Otherwise, you risk being left alone with your problems. Try to find reviews or consult with other clients yourself and ask them to evaluate the technical support. Sometimes the question of technical support is the decisive factor when choosing a vendor.

7. Prepare for Additional Licensing and Features

It often happens that during presentations you are shown how beautiful and functional everything is. However, after making a purchase, you find that not all functionality is available to you. There are no reports (that were shown to you initially), the sandbox does not work, remote users cannot connect, there is no centralized management, etc.

Of course, it is the task of your vendor to understand your needs and provide a tailor-made solution, explaining from the start all possible limitations or add-ons. A good partner should lead you through the checklist. They have to identify all the important points, warn about all possible problems, and naturally provide options for solving them.

But it is also a matter of your professionalism to check everything beforehand. I think it will be very unpleasant to ask your management for additional money immediately after the purchase.

8. Carry Out Tests Before Making a Purchase

After buying something without a pilot project, you can only blame yourself (and swear at the vendor who “set you up”.) You should never trust marketing booklets. You should not trust datasheets where they provide fantastic performance indicators.

Unfortunately, absolutely all vendors do this. It is highly desirable to conduct at least a few tests before making a purchase. And the most important test is the real work of NGFW on your real traffic.

9. Inspect the HTTPS Traffic

This is another point that many people forget about when choosing NGFW solutions. SSL inspection is an important additional factor. In an attempt to save on costs, many organizations choose a model closely matching their general traffic load and forget about the HTTPS traffic.

Then, when they enable SSL inspection, they discover that their gateway simply cannot cope with it. Your NGFW is absolutely useless without inspecting SSL, VPN, and other encrypted traffic. So, be sure to consider the additional load imposed by SSL inspection. Otherwise, you will just end up throwing your money away.

10. Be Careful When Choosing Your Vendor

Surely, every company has a partner that has long been supplying it with IT products. Working with such partners is convenient. However, an NGFW is neither a server, nor a switch, and certainly not a stapler that can be bought from anyone around the corner. It is not always the case that your current supplier has the necessary skills and competencies.

Successful deployment, and as a result the security of your company, depends on the qualifications of the partner. When choosing a supplier, first look at their experience and technical knowledge. Again, a pilot project will help you here. This way, you will be able to test the NGFW within your infrastructure, determine the necessary configuration, assess the partner’s skills, and find out whether they can provide adequate technical support.