A Guide to Choosing a Next-Generation Firewall

Now that we have examined the differences between traditional firewalls and the next generation firewalls (NGFW), let's look at five of the top NGFW solutions from Cisco, CheckPoint, Fortinet, WatchGuard and Dell (SonicWALL).

It is important to note that these five vendors were selected as they were highlighted in the most recent industry reports; they're not the only NGFW vendors on the market today and enterprises have other options. We simply highlight five of the highest rated devices according to NSS Labs' testing and our own evaluation of the products.

Comparing Next Generation Firewalls

There are a number of solutions that exist in the information security marketplace that are framed around the concept of a NGFW solution. To distinguish the differences, there are a number of metrics that need to be reviewed and compared including:

  1. Does the NGFW solution provide protection against server application attacks and client application attacks? What is the percentage of time that it does not?
  2. Can the NGFW solution be evaded?
  3. Is the device stable and reliable?
  4. Does the NGFW solution enforce inbound and outbound application polices?
  5. Does the NGFW solution enforce inbound and outbound identity policies?
  6. What is the performance of the solution?

These questions along with a brief review of the solutions provided by these vendors are covered below.

  • Cisco FirePOWER 8350

Cisco's FirePOWER 8350 is part of the acquisition of Sourcefire. The 8350 unit (like all of the 8300 series) can be deployed to be a NGFW, a Next Generation Intrusion Protection System (NGIPS), or an Advanced Malware Protection (AMP) solution separately or independently. The 8350 is the lowest model in the FirePOWER 8300 series of appliances with the 8360, 8370, and 8390 being positioned above it; there are also lower level 8100 and 8200 series appliances available as well as Cisco's native Adaptive Security Appliance (ASA) line of devices. How exactly the FirePOWER line of devices will be integrated is unknown but for now Cisco is offering both the FirePOWER and ASA lines independently.

Cisco FirePOWER 8350

Server Application Attacks (Blocked %)

99.5%

Client Application Attacks (Blocked %)

99%

Evasion Results

Unable to be Evaded

Stable and Reliable

Yes

Successful Enforcement of Application Policies?

Yes

Successful Enforcement of Identify Policies?

Yes

IPS Throughput (Specification)

15 Gbps

IPS Throughput (Tested)

18.7 Gbps

Total Throughput

30 Gbps

Cost per Protected Mbps

$20.03

Dual Power Supplies

Yes

Max Power Consumption

635-1000 Watts (Not clear in datasheet)

Stackable

Yes (Up to 4)

Rack Space Used per unit

2U

  • CheckPoint 13500

CheckPoint's 13500 device is part of the 13000 series of appliances. CheckPoint has a long history of being a respected security solutions provider and the company's devices are one of the most deployed firewalls in use today.

The 13000 series can be deployed to be a NGFW, Next Generation Threat Prevention (NGTP), Next Generation Secure Web Gateway (NGSWG) and/or a Next Generation Data Protection (NGDP) solution separately or independently depending on the blade package used. The 13000 series of appliances includes the 13500 and the 13800 units. There is also a larger series of platforms (41000 and 61000 series) that are available which are focused on large scale data center and service provider networks.

CheckPoint 13500

Server Application Attacks (Blocked %)

97.1%

Client Application Attacks (Blocked %)

95.9%

Evasion Results

Unable to be Evaded

Stable and Reliable

Yes

Successful Enforcement of Application Policies?

Yes

Successful Enforcement of Identify Policies?

Yes

IPS Throughput (Specification)

5.7 Gbps

IPS Throughput (Tested)

6.7 Gbps

Total Throughput

23.6 Gbps

Cost per Protected Mbps

$21.45

Dual Power Supplies

Yes

Max Power Consumption

431 Watts

Stackable

No

Rack Space Used per unit

2U

  • Fortinet FortiGate-3600C

Fortinet's FortiGate-3600C is part of the 3000 series of appliances. The FortiGate-3600C can be deployed to be a NGFW, a traditional firewall, a Virtual Private Network (VPN) Terminator, and/or a Next Generation Intrusion Protection System (NGIPS). There are a number of devices that exist within the 3000 series including the FortiGate-3040B, FortiGate-3140B, FortiGate-3240C, FortiGate-3600C, FortiGate-3700D, FortiGate-3810A and the FortiGate-3950B.

FortiGate-3600C

Server Application Attacks (Blocked %)

97%

Client Application Attacks (Blocked %)

91.8%

Evasion Results

Unable to be Evaded

Stable and Reliable

Yes

Successful Enforcement of Application Policies?

Yes

Successful Enforcement of Identify Policies?

Yes

IPS Throughput (Specification)

15 Gbps

IPS Throughput (Tested)

9.6 Gbps

Total Throughput

60 Gbps

Cost per Protected Mbps

$8.30

Dual Power Supplies

Yes

Max Power Consumption

615 Watts

Stackable

No

Rack Space Used per unit

3U

  • WatchGuard XTM1525

The WatchGuard XTM1525 is part of the 1500 series of devices that include the 1520, 1525 and 2520 appliances. The XTM1525 can be deployed to be a NGFW, a Virtual Private Network (VPN) Terminator, a Next Generation Intrusion Protection System (NGIPS), or a Unified Threat Management (UTM) appliance.

WatchGuard XTM1525

Server Application Attacks (Blocked %)

96.7%

Client Application Attacks (Blocked %)

98.7%

Evasion Results

Unable to be Evaded

Stable and Reliable

Yes

Successful Enforcement of Application Policies?

Yes

Successful Enforcement of Identify Policies?

Yes

IPS Throughput (Specification)

13 Gbps

IPS Throughput (Tested)

3.4 Gbps

Total Throughput

25 Gbps

Cost per Protected Mbps

$11.87

Dual Power Supplies

Yes

Max Power Consumption

130 Watts

Stackable

No

Rack Space Used per unit

1U

  • Dell SonicWALL SuperMassive E10800

Dell SonicWALL SuperMassive E10800 is part of the acquisition of SonicWALL. The E10800 is part of a series of devices that includes the SuperMassive 9000 and 10000 appliances, models 9200, 9400, 9600, 9800, E10400 and E10800. The SuperMassive E10800 can be deployed to be a NGFW, a Virtual Private Network (VPN) Terminator, a Next Generation Intrusion Protection System (NGIPS), or a Unified Threat Management (UTM) appliance.

SonicWALL SuperMassive E10800

Server Application Attacks (Blocked %)

96.4%

Client Application Attacks (Blocked %)

99.1%

Evasion Results

Unable to be Evaded

Stable and Reliable

Yes

Successful Enforcement of Application Policies?

Yes

Successful Enforcement of Identify Policies?

Yes

IPS Throughput (Specification)

28 Gbps

IPS Throughput (Tested)

16.4 Gbps

Total Throughput

40 Gbps

Cost per Protected Mbps

$15.46

Dual Power Supplies

Yes

Max Power Consumption

750 Watts

Stackable

No

Rack Space Used per unit

4U

NGFW Solutions Comparison

The selection of which one of the NGFW devices to deploy really comes down to a number of smaller factors. This is because overall each of these devices fits firmly inside the realm of a Next Generation Firewall and can perform the same tasks. So why select one over the other? Like anything there is going to be an initial gut selection that is based on the personal preference of the person performing the selection, sometimes this is based on facts and sometimes it is based on anecdotal evidence; but it does end up being a part of the selection criteria.

Things that should be considered in this decision include the efficacy of the device, which is covered in the first two rows in each table; mainly, the percentage of the server and client application attacks being blocked. While the variations in these percentages may look minimal, they could mean the difference between a security breech and an unsuccessful attack.

Another thing that should be considered is the overall throughput that is available through the device. Since these devices are not all directly comparable to each other in terms of capacity, this metric is better referenced by the cost of each device per Protected Mbps (an NSS Labs metric); this offers a better apples to apples comparison between these devices. If a specific vender is preferred, odds are that there is a smaller or larger version (lower or higher model) that may be able to fit the specifications of your environment.

A final thing to consider is the amount of power and space that a solution utilizes. Again, since the devices are not directly comparable, a way of roughly determining a way to compare them is to divide the amount of consumption that a device uses against the size of the device (against the amount of total throughput provided).

Here's a side by side comparison of these five NGFW solutions (Please note that this table only includes metrics that differ between the products; for example, since all of the products have the same evasion results, that row is not included in the table below):

 

Cisco FirePOWER 8350

CheckPoint 13500

Fortinet FortiGate-3600C

WatchGuard XTM1525

Dell SonicWALL SuperMassive E10800

Server Application Attacks (Blocked %)

99.50%

97.10%

97.00%

96.70%

96.40%

Client Application Attacks (Blocked %)

99%

95.90%

91.80%

98.70%

99.10%

IPS Throughput (Specification)

15 Gbps

5.7 Gbps

15 Gbps

13 Gbps

28 Gbps

IPS Throughput (Tested)

18.7 Gbps

6.7 Gbps

9.6 Gbps

3.4 Gbps

16.4 Gbps

Total Throughput

30 Gbps

23.6 Gbps

60 Gbps

25 Gbps

40 Gbps

Cost per Protected Mbps

$20.03

$21.45

$8.30

$11.87

$15.46

Max Power Consumption

635-1000 Watts

431 Watts

615 Watts

130 Watts

750 Watts

Stackable

Yes (Up to 4)

No

No

No

No

Rack Space Used per unit

2U

2U

3U

1U

4U

Summary

With the threat landscape becoming more treacherous, it is vital for every enterprise to keep on top of new attacks as they are formulated and organized. The implementation of a NGFW (or multiple NGFWs) should be an essential step in every enterprise's security deployment schedule. 

This article is intended to identify the main differences between a traditional firewall and a next-gen firewall as well as discuss five NGFS solutions from the market leaders, providing a review of the features they offer and how they compare. 

The bottom line is that all of the products discussed here are from well-respected vendors and each provides a complete NGFW solution. Because of this, it will come down to the individual specs and features that will sway each buyer to one product over another. Since the need for these types of products will continue to grow at an ever increasing pace, the competition for the firewall space will most likely increase as well, lowering the cost of the solutions overall.

As of this writing, available options exist for all types of businesses, from SMBs to large-scale enterprises. The true leaders in this space will be determined in the near future as all of these business types inevitably switch from the traditional firewall solutions to these next generation firewall offerings.

Post Authour: Masoud Ostad,IT Securitry Analyst & Service Consultant, ADC International

This post was initially posted here & has been reproduced with permission.

5nt9j5.png?profile=RESIZE_710x

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform