Considerations for building next-generation firewalls
Firewalls have been deployed in enterprises for more than a decade, but network operators and security experts must constantly re-evaluate their defenses as attacks grow more sophisticated and new, diverse attack approaches appear.
According to Gartner researcher Adam Hills, the firewall typically goes through a five-year renewal cycle, allowing organizations to periodically assess what kind of firewall and function is best suited to their needs.
So, what are the main factors to consider when building a next-generation firewall deployment? Processing capacity, deployment criteria, and architecture all matter.
Next-generation vs. traditional firewalls
The first question is, why would you need a next-generation firewall (NGFW) instead of a potentially less expensive previous-generation product? According to a PAN (Palo Alto Networks) white paper, a traditional stateful firewall, which tracks the state of port-based network connections, is limited in what it can see. "They can see things in their normal form, but they do not know in detail what actually happens," the paper said. An NGFW adds features that inspect traffic at a much finer level. The main functions are as follows.
Intrusion Prevention System (IPS): inspects network packets against signatures and uses anomaly detection to identify and block threats.
Deep Packet Inspection (DPI): goes beyond simple packet header inspection and examines the payload of packets passing through the NGFW's inspection points to find known threats inside them.
SSL inspection: decrypts and scans encrypted traffic so that known threats can be blocked even when they are carried inside encrypted sessions.
IPS, DPI, and SSL inspection can all be obtained by purchasing a single NGFW.
Establish a security strategy
When talking to a vendor about an NGFW deployment, the first topic is your organization's security posture. No technology can replace an assessment of your environment and a prioritization of your assets, which is essential for deciding what most needs protecting. This conversation can involve multiple departments, from IT, networking, and security services to HR and executives.
"Basically, organizations need to figure out if they already know where their data is, and plan to protect it," Gartner researcher Hills said. Companies typically collect these requirements and get estimates from several vendors.
Selecting a vendor
Once you have settled on an NGFW and worked out your security requirements, you have to evaluate a crowded market of NGFW vendors. Gartner's latest Magic Quadrant identified PAN, Fortinet, and Check Point Software Technologies (CPST) as leaders in the next-generation firewall market. Gartner named Cisco, with its Firepower NGFW, and Huawei as challengers in this market.
Beyond these, there are companies like Forcepoint, a mid-sized pure-play security provider that also offers a web and email security platform. Sophos, Juniper Networks, Barracuda Networks, WatchGuard, Sangfor, Hillstone, SonicWall, Anap, Stormshield, and the new H3C Group are all competing in the NGFW market as well.
Firewall cost analysis
Beyond the initial capital cost of the firewall hardware, there are other costs to consider when deploying a firewall. Firewalls run complex software systems that work together with the hardware. Most enterprise firewall deployments require multiple hardware appliances plus a centralized management system to control them, which may be software-only or a combination of hardware and software. Other costs include installation, ongoing maintenance, support, and updates.
NSS Labs, which runs tests on infrastructure equipment, says it can be difficult to compare firewall products one to one because vendors offer varying levels of network throughput. The initial purchase price for a system with five firewalls and a central management system ranges from $30,000 to $715,000, with an average of about $200,000.
Throughput Measurement
NSS also draws attention to the gap between a firewall's advertised maximum throughput and the throughput measured in testing: when NSS tests in conditions that reproduce an organization's environment and systems, it has seen differences of up to 80%.
Large deployments need correspondingly large hardware. The throughput of your network connections is a direct factor, and the way the network is configured determines how much throughput the firewall has to handle. The Alameda County Education Office in the United States, for example, runs a firewall with a maximum throughput of 20 Gbps, and its 5050 Gigabit Ethernet equipment supports up to 200 Gbps of throughput.
Why is so much throughput needed? Before the new system, dozens of schools in the county managed their own network connections and firewalls. After the redesign, the education office became a central shared resource for the entire county, and all new incoming and outgoing traffic passes through this central office's firewall. Firewall controllers, software that centrally manages a fleet of firewall hardware, allow fine-grained policy enforcement for specific users or sites within the network. The firewalls not only report on the threats they block but also receive ongoing updates covering the latest vulnerabilities.
"There are a lot of threats and dangers, and not just the content filter system, but a complete firewall, so you can see all these threats in days, hours and minutes," said Ryan Chowert. "Do not hide. We are a public institution and a fairly big target for attackers. Conscience, we could not have operated a firewall in the environment."