SonicWall Next-Generation Firewall Buyer’s Guide


How to choose the right next-generation firewall to secure your network

Table of Contents

Executive Summary
Evolution of the Firewall
Essential NGFW Capabilities
Selecting Advanced NGFW Features
Networking Requirements
Management
Technology Integration
NGFW Deployments
Price-Performance Ratio and Support
NGFW Feature Comparison of Top Five Vendors
Conclusion and Next Steps
About SonicWall

Executive Summary

Ransomware is up. IoT attacks are up. Encrypted threats are up. In a rapidly changing IT landscape — one characterized by companies rushing headlong into the cloud, network traffic percent increases in the double digits, and BYOD and remote work policies — cybercriminals are enjoying unprecedented opportunities. And protecting against these attacks is becoming increasingly challenging, as businesses need to protect multiple attack surfaces and implement the latest security controls just to keep up.

The enterprise perimeter now extends to anywhere work gets done. And regardless of whether your entry points are on-premises, in the cloud, in the data center or at the branch office, each one needs to be protected. The good news is that security defenses have evolved, too — particularly firewalls, the most important security defense to protect any enterprise perimeter, including those of distributed and diffuse enterprises.

The firewalls of today are more agile, more capable and more powerful than when the technology debuted 20 years ago. As enterprises consider these next-generation firewalls (NGFW), there are several criteria that should be considered, including features, platform capabilities, performance and management.

Evolution of the Firewall

Cybercrime looks nothing like it did two decades ago. Fortunately, neither do firewalls: Today’s next-generation firewalls feature a host of new security controls, significantly higher performance and a great variety of form factors. How do these firewalls compare to their early ancestors? Let’s take a look:

Access Control Lists (ACLs) or Stateless Firewall

Network ACLs have existed for a long time. They are used to filter network traffic. With ACLs, traffic can be allowed or denied in both inbound and outbound directions. Network ACLs are typically configured in routers, switches or servers using layer 2 to layer 4 rules based on IP address, MAC address and ports.

A typical ACL rule in a network device looks as follows:

Rule Number | ACL Name | Source IP / Port | Destination IP / Port | Allow / Deny

ACLs inspect individual packets but do not inspect flows or maintain state of the flow.

Stateful Firewall

Stateful firewalls differ from ACLs or stateless firewalls mainly because they can inspect network connections all the way from layer 2 to layer 7. Stateful firewalls maintain the context of a given connection. This means packets are matched to the connections they belong to, offering additional security to prevent hacking techniques like spoofing. Some stateful firewalls can also perform deep packet inspection and can be installed on dedicated hardware.

Zone-Based Firewall (ZBF)

A zone-based firewall is like a stateful firewall, except that it is configured using more advanced networking concepts. Instead of assigning rules based on connection and interfaces, an administrator would create zones and assign multiple interfaces to those zones. Some of the common zones used are LAN (private or trusted), WAN (public or untrusted) and DMZ (demilitarized zone). Multiple zones can have rules to fully inspect, allow or deny connections.

Unified Threat Management (UTM)

UTM firewalls were originally designed to consolidate multiple stand-alone security controls into a single appliance. Security controls (such as firewall, intrusion prevention, URL filtering and antivirus) are combined into a single operating system and management console. This solution is ideal for small and medium-sized businesses that do not have a big security budget, or do not have high performance and scalability requirements.

Next-Generation Firewall (NGFW)

The concept of NGFW was first defined by Gartner, publisher of the Magic Quadrant for Network Firewalls. NGFWs have the option to add all the security controls that are available in UTMs, as well as advanced controls such as VPN, user control, application control and sandboxing. Apart from advanced security controls, NGFWs are designed to support the high performance and scalability needs of large enterprises. The rest of this document will focus on NGFWs and different factors that enterprises should consider in their buying decision.

[Figure: firewall evolution by OSI layer and decade (1990’s, 2000’s, 2010’s): ACLs, stateful firewalls, intrusion detection and prevention system, zone-based firewall with VPN, application control and URL filtering, next-generation firewall]
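
The difference between per-packet ACL evaluation and connection tracking described in this section, as an added example that is not part of the SonicWall guide. The rule names, addresses and packets are constructed for illustration; the rule fields follow the ACL layout quoted in the text.

```python
# Added illustration: stateless ACL vs. stateful filtering. All values constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the packet that opens a connection

@dataclass(frozen=True)
class AclRule:  # fields mirror the rule layout quoted in the guide
    number: int
    name: str
    src_net: str
    src_port: Optional[int]  # None means "any port"
    dst_net: str
    dst_port: Optional[int]
    action: str  # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.src_port in (None, p.sport)
                and self.dst_port in (None, p.dport))

# Hypothetical rule set: the LAN may reach HTTPS servers, and "return traffic"
# is admitted purely because its source port is 443.
ACL = [
    AclRule(10, "LAN-OUT-HTTPS", "10.0.0.0/24", None, "0.0.0.0/0", 443, "allow"),
    AclRule(20, "HTTPS-RETURN", "0.0.0.0/0", 443, "10.0.0.0/24", None, "allow"),
    AclRule(99, "DEFAULT-DENY", "0.0.0.0/0", None, "0.0.0.0/0", None, "deny"),
]

def stateless_verdict(p: Packet) -> str:
    """First matching rule wins; every packet is judged in isolation."""
    return next(r.action for r in ACL if r.matches(p))

class StatefulFirewall:
    """Tracks connections opened from the LAN; other packets must belong to one."""
    def __init__(self):
        self.connections = set()

    def verdict(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if flow in self.connections or reverse in self.connections:
            return "allow"
        if p.syn and ACL[0].matches(p):  # new outbound connection permitted by rule 10
            self.connections.add(flow)
            return "allow"
        return "deny"

def demo():
    fw = StatefulFirewall()
    packets = {
        "outbound": Packet("10.0.0.5", 50000, "203.0.113.10", 443, syn=True),
        "reply": Packet("203.0.113.10", 443, "10.0.0.5", 50000),
        "unsolicited": Packet("198.51.100.7", 443, "10.0.0.9", 8080),
    }
    return {k: (stateless_verdict(p), fw.verdict(p)) for k, p in packets.items()}
```

`demo()` returns a (stateless, stateful) verdict pair per packet: both models admit the outbound request and its reply, but only the stateless ACL admits the unsolicited packet that merely claims source port 443.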

Essential NGFW Capabilities

Zone-Based Firewall (ZBF)

ZBFs offer stateful inspection with advanced network security features for large enterprise network infrastructure. A ZBF or stateful firewall is the foundation for any NGFW, and a basic requirement to support other features. Choose ZBFs over stateful firewalls for enterprises with large networks, as it is easier to configure and define policies with ZBFs.

Virtual Private Network (VPN)

Distributed enterprises typically have remote branch offices that need secure access to the corporate network. The recent expansion in Work-From-Home (WFH) policies has also resulted in many employees working remotely. VPNs provide robust, secure access to corporate networks and resources, so it is essential to consider VPN as part of your NGFW.

It is important to make sure the NGFW provides a comprehensive VPN solution with site-to-site and remote-access encryption. It should include advanced features such as route-based VPN and easy VPN with dynamic routing. A VPN is also important in case you are considering an SD-WAN solution.

VPN configuration should be simple. It needs to be managed from within the NGFW user interface, with configuration wizards that provide step-by-step guidance in setting up the VPN tunnels. Enterprises should consider a VPN concentrator at the edge to manage both IPsec and SSL VPN connections.

Intrusion Prevention System

Intrusion Detection and (or) Prevention System (IDS/IPS) was originally developed as a stand-alone solution, which later became part of the NGFW stack. IPS within the NGFW provides an additional layer of needed security by stopping attacks that exploit vulnerabilities. The intrusion detection is done using signatures for known exploits, and is based on anomaly detection.

IPS within the NGFW can be deployed in detection mode (alert only) or in prevention mode (alert and block). There is no performance penalty for detection mode compared to prevention mode. Initially configure IPS in detection mode before moving to prevention mode to understand exploits, explore false positives and perform incident responses. An important aspect to look for in an IPS is the threat intelligence feed that keeps the signature database up to date in the NGFW.

Application Control

NGFWs came to fruition with the addition of application control, IPS and URL filtering, forming a single enterprise-class platform. Application control allows enterprises to define firewall policies based on applications (e.g., Facebook, YouTube, Salesforce) and micro-applications (e.g., chat and IMs). Application Control gives granular control over network traffic based on user identity and email addresses while providing application-layer access control to regulate web browsing, file transfer, email exchange and email attachments.

Look at the type of applications that are included in an NGFW database to make sure all the applications that are in use within the enterprise are supported.

Web Control (URL Filtering)

Web control compares requested websites against a massive database containing millions of rated URLs, IP addresses and domains. It enables administrators to create and apply policies that allow or deny access to websites based on individual or group identity, or by time of day, using pre-defined categories. It also dynamically caches website ratings locally onto the NGFW for instantaneous response times. An NGFW should be able to do URL filtering from a business point of view (block based on category – business) as well as based on security (block based on reputation – security).

Consider NGFWs with threat intelligence feeds that are supported by a world-class research team for IPS, application control and web control to make sure the NGFW stops the latest threats.

This year, we have also seen VPNs as one of the top security features being used by customers.
2019 MAGIC QUADRANT FOR ENTERPRISE FIREWALLS

Selecting Advanced NGFW Features

Network and Cloud Sandboxing

For effective zero-day threat protection, enterprises need NGFWs that include malware-analysis technologies and can detect evasive advanced threats. Sandboxing technology scans traffic and extracts suspicious code for analysis, but unlike other NGFW security controls, it also analyzes a broad range of file types and sizes. This enables enterprises to stop zero-day and evasive threats that can slip through other security controls within NGFW.

Enterprises need to consider solutions that offer both on-premises and cloud-delivered sandboxing based on their performance and privacy needs. This technology should be augmented with global threat intelligence infrastructure that rapidly deploys remediation signatures for newly identified threats to all NGFWs in the enterprise, thus preventing further infiltration.

Enterprises should consider sandboxing technology that examines every byte until the last byte before delivering a final verdict to allow or block. This avoids any false positives or negatives and ensures that highly elusive zero-day threats are blocked.

Multi-instance firewall

Multi-instance is a modern next-generation approach to legacy multi-tenancy that supports multiple firewalls with separate configuration on a single appliance. With this approach, each firewall instance is isolated with dedicated compute resources to avoid resource starvation.

This allows enterprises to use containerized architecture. Enterprises can run multiple independent firewall instances, software versions and configurations on the same hardware without managing different physical appliances.

Dedicated Threat Intelligence

As mentioned earlier, most of the security controls in an NGFW should be augmented by threat intelligence to keep them up-to-date on the latest threats and signatures, among other things. Threat intelligence feeds should be supported by a research team that gathers, analyzes and vets information round the clock and across the globe. Look for vendors with a dedicated team of cybersecurity professionals, advanced machine learning algorithms and security sensors that are spread around the globe to deliver up-to-date threat feeds that automatically block threats in nanoseconds. While looking into threat intelligence in NGFWs, it is important to consider DNS security that protects enterprises against malicious domains.

Look for dedicated threat intelligence when evaluating NGFWs.

Networking Requirements

An enterprise-grade platform and operating system are at the core of any physical or virtual NGFW. There are many networking features within the operating system that make a big difference in evaluating and choosing your next NGFW. The following are a few that should be considered in enterprise deployments:

SD-WAN Security

SD-WAN technology allows organizations and enterprises with branch locations to build highly available and higher-performance WANs. By using low-cost internet access (broadband, 3G/4G/LTE, fiber), organizations can cost-effectively replace expensive WAN connection technologies such as MPLS with SD-WAN. SD-WAN Security enables distributed enterprises to build and protect high-performing networks across remote sites against cyberattacks.

High Availability/Clustering

NGFWs should support Active/Passive with state synchronization in high availability mode and Active/Active in clustering mode. They should also support the ability to offload the deep packet inspection load to the passive appliance and to boost throughput.

Encrypted Traffic Inspection

This decrypts and inspects TLS/SSL encrypted traffic on the fly, without proxying. It also applies control policies to protect against threats hidden inside encrypted traffic. Enterprises should make sure that the NGFW supports the latest version of encryption protocols, such as TLS 1.3.

Top five capabilities needed in an NGFW platform:

Secure SD-WAN
High Availability/Clustering
Encrypted Traffic Inspection
Multi-instance Firewall
Dedicated Threat Intelligence

Management

Enterprise-wide management of NGFWs is one of the most important considerations. This involves configuration of NGFWs and usability for day-to-day operations from a single-pane-of-glass console. This console needs to be able to manage most, if not all, security controls across multiple NGFWs deployed on-premises and in the cloud from a central location. Some of the important features that need to be considered are:

Unified Policy: This should provision layer 3 to layer 7 controls in a single rule base on every NGFW, providing admins with a centralized location for configuring policies.

Monitoring: Look for real-time monitoring, reporting and analytics to help troubleshoot, investigate risks, and guide smart security policy decisions and actions.

Cloud and on-prem: Configuration and management of NGFW should be available via the cloud or through an on-premises management system.

Scalability: It should scale to any size organization, managing networks with up to thousands of firewall devices deployed across many locations.

Console: Enterprises should look for an NGFW that uses a single pane of glass to manage all security functions, such as IPS, URL filtering and others, from a single location.

Technology Integration

It is important to consider the type of technology integrations that the NGFW supports. This allows enterprises to protect their existing investments. Some of the technology integrations to consider are:

SIEM: Integration with security incident and event management enables rigorous investigation of cybersecurity threats and examination of anomalous data.

IaaS: It should integrate with all major IaaS providers to support multi-cloud deployments across AWS, Azure or GCP.

Automation: It should enable business process automation through synchronized catalogs, inventories, agreements and tickets.

Zero Trust Network Access (ZTNA): This augments the VPN to provide access to only sanctioned assets and networks while VPN provides layer 3 access.

NGFW Deployments

The three main deployments of NGFW are based on the environment: physical, virtual and cloud.

Physical: Enterprises should consider physical appliances for on-premises deployments that require high performance and connectivity. Physical appliances can offer more than 100 Gbps throughput and 100 GbE connectivity. Appliances come in various form factors and performance levels for different deployment needs from data centers to remote offices.

Virtual: NGFWs can be deployed in virtual environments. They can be managed using the same system that is used to manage physical appliances. There are a variety of virtual environments when choosing a virtual appliance. It is important to make sure that your environment is supported.

Cloud: Many companies are moving their data centers and applications to the cloud. NGFWs have evolved to support a variety of private and public clouds, including AWS, Azure, GCP and VMware. Even if your organization has not yet embraced the cloud, it is important to select a vendor that supports all the major public clouds.

Price-Performance Ratio and Support

Price-Performance Ratio

Apart from security features, price and performance should also be considered. Every vendor has different models that vary widely in performance, and each one has different price points and pricing models. For example, physical appliances may have a one-time big purchase price with a few minor yearly subscriptions, while most cloud firewalls are priced based on yearly subscription.

Before getting into price/performance analysis, it is important to know the projected three-year or five-year total cost of ownership (TCO). Most vendors do not have an all-inclusive price; they will charge separately for appliance, licenses for different security controls and support. It is important to consider the cost of high availability pairs and clustering in calculating TCO.

After determining the total cost of ownership, you can perform price/performance analysis across different vendors. Let us say the three-year TCO came to 250,000 and the NGFW throughput is 100 Gbps. In that instance, the price/performance ratio would be 250,000/100, or 2,500 per Gbps.

Support

Buying an NGFW is a significant and technically complex investment. Not only should you get support, but also choose a vendor that has excellent support ratings. Vendors provide many different support options, including simple phone support, on-site support and professional services. Enterprises can use professional services to help deploy, configure, tune and maintain their NGFWs to simplify operations. Support options also include availability by the number of days in a week and hours in a day, such as the examples shown below:

Monday to Friday – 8 a.m. to 5 p.m. local time
24 hours and seven days a week (24/7)
24/7 with on-site support from a security professional
24/7 with continuous professional services support

Consider the cost of high availability pairs and clustering in calculating total cost of ownership.

NGFW Feature Comparison of Top Five Vendors

[Table: feature comparison of SonicWall, Cisco, Palo Alto, Fortinet and Check Point. Rows: Standard Security (Zone-based FW, IPSec VPN, Route-based VPN, IPS, App Control, URL Filter); Advanced Security (Sandboxing, True Multi-tenancy, Inspect Encrypted, Threat Intel); Remote Access (VPN Client, Mobile Client, ZTNA); Cloud and E-Mail (Cloud App Security, E-Mail s…); Wireless; Single pane of glass; SD-WAN; Switch management]

Conclusion and Next Steps

To recap, there are many factors to consider and options to choose from before selecting your next-generation firewall. Some of those factors and choices include:

Security Controls: IPS, Application Control, URL Filtering and others
Advanced Security: Sandboxing, Zero Trust Network Access and others
Network Size: This determines the number of NGFWs needed
Virtual or Cloud: Enterprises with virtual and cloud environments need Virtual and Cloud NGFWs
Performance: Choose an NGFW with enough capacity so it will not be a bottleneck in the network
Support options: There are many options: online, on-site and professional service. Choose the option that’s right for your team based on your team’s expertise and workload.

When it comes to solving business challenges, enterprises are generally eager to adopt new technologies, such as cloud computing, workforce mobility and automation. But now, many enterprises are finding their digital transformation journey laden with new challenges, including a surge in the number of connected devices, million
