5 mistakes to avoid in choosing an NGFW

Incorrectly Sizing the Firewall.

Avoid relying solely on datasheets and other “performance on paper” summaries; they are not a sound basis for comparing firewalls. Vendors differ fundamentally in what their published numbers measure. One vendor might quote throughput with a consolidated set of threat prevention features enabled (intrusion prevention (IPS), antivirus, command-and-control detection, URL filtering), while another quotes a figure for best-of-breed IPS alone on a standalone appliance. For a genuine “apples to apples” comparison, size each candidate against the capabilities your environment actually requires (e.g., IPS, application control, advanced malware detection) and against your real traffic mix, and budget for the performance cost of the features you expect to enable later.

In addition, advanced capabilities such as SSL decryption vary in performance impact depending on where the work is done: some vendors decrypt in dedicated hardware, others in software on the general-purpose CPU, with very different effects on throughput. Threat prevention performance should only be compared with every required signature set activated. Read the documentation for the out-of-the-box signature collections carefully to determine what they actually cover, and expect performance to keep degrading as additional signatures are enabled.

  • Avoid trade-offs between security and performance. You should never have to choose between enabling a feature or signature and crippling performance.
  • Accurately map to your requirements for throughput and traffic composition. It is hard to argue against testing with the actual traffic to be secured: simulators cannot represent custom applications, real-world usage patterns or shadow IT.
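The sizing rule above can be turned into a simple check that refuses to draw a conclusion from the wrong evidence. The following Python is an added example for this article, not vendor material or a vendor tool: the feature names, the traffic figures, the datasheet number and the proof-of-concept (PoC) results are all constructed to show the method, and the thresholds are assumptions to replace with numbers measured on your own traffic.

```python
"""Sizing check for an NGFW candidate against its full future feature set.

Added example for this article, not vendor material or a vendor tool. All
figures below are constructed; replace them with your own PoC measurements.
"""
from dataclasses import dataclass

# Feature sets the box must handle. Names are illustrative placeholders.
REQUIRED_NOW = frozenset({"app-id", "ips", "antivirus", "url-filtering"})
REQUIRED_LATER = REQUIRED_NOW | {"ssl-decryption", "c2-detection"}


@dataclass(frozen=True)
class PocRun:
    """One throughput measurement taken during a proof of concept."""
    features: frozenset        # features enabled during the run
    full_signatures: bool      # every required signature set on, not the default subset
    traffic: str               # "production" (mirrored/replayed real traffic) or "simulator"
    measured_gbps: float       # sustained throughput observed in that configuration


def eligible_runs(runs, future_features):
    """Keep only runs that represent what the firewall will actually do.

    A run is disqualified if it lacks any feature on the roadmap, ran with a
    partial signature set, or used synthetic traffic, which cannot contain
    custom applications or shadow IT.
    """
    return [
        r for r in runs
        if future_features <= r.features and r.full_signatures and r.traffic == "production"
    ]


def size_firewall(runs, peak_gbps, growth_headroom, future_features=REQUIRED_LATER):
    """Return (fits, capacity_gbps, required_gbps).

    fits is None when no run qualifies: the box was never tested in the
    configuration it will run, so no sizing conclusion can be drawn from it.
    """
    required = peak_gbps * (1.0 + growth_headroom)
    runs_ok = eligible_runs(runs, future_features)
    if not runs_ok:
        return None, 0.0, required
    # Size on the worst qualifying run: the box must hold in its heaviest configuration.
    capacity = min(r.measured_gbps for r in runs_ok)
    return capacity >= required, capacity, required


# Constructed PoC data (assumptions, not measurements from any real product).
DATASHEET_GBPS = 20.0      # "threat prevention throughput" as printed on the datasheet
POC_RUNS = [
    PocRun(REQUIRED_NOW, full_signatures=False, traffic="simulator", measured_gbps=18.5),
    PocRun(REQUIRED_NOW, full_signatures=True, traffic="production", measured_gbps=12.0),
    PocRun(REQUIRED_LATER, full_signatures=True, traffic="production", measured_gbps=5.8),
]
PEAK_GBPS = 5.0            # measured peak of the real traffic, not the average
GROWTH = 0.30              # headroom for growth over the refresh cycle (assumed)


if __name__ == "__main__":
    fits, cap, req = size_firewall(POC_RUNS, PEAK_GBPS, GROWTH)
    print(f"datasheet: {DATASHEET_GBPS} Gbps; tested capacity in target config: {cap} Gbps")
    print(f"required with headroom: {req:.1f} Gbps -> fits: {fits}")
    # A PoC that only ran the simulator/default-signature case proves nothing.
    print(size_firewall(POC_RUNS[:1], PEAK_GBPS, GROWTH))
```

With these constructed numbers the datasheet figure (20 Gbps) would pass the box comfortably, while the only run that reflects the future configuration (all features, full signatures, production traffic) falls short of the 6.5 Gbps needed with headroom. Feeding the check nothing but the simulator run returns no verdict at all, which is the honest answer when the configuration you will deploy was never measured.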
Without risk there is rarely a reward, but not every risk is necessary. Take an important purchase like a new firewall: how can you know you are making the right choice for your organization's unique needs when so many vendors are saying essentially the same thing?

Actually, it’s simple and risk-free.

Try before you buy. Test the technology in your environment.

Traditional port- and protocol-based approaches simply can't keep up with today's more sophisticated and evasive attacks. Clearly, the time is right to move to, or upgrade to, the most advanced next-generation firewall. As you prepare for this change, we'll provide information on the technology itself, perspectives from peers who have made the transition, and ways to shorten the learning curve for your teams. We'll also show you how to test our next-generation firewall in your own environment and prove that it is the right fit for your organization's needs today and into the future.