Teach you to choose a qualified next-generation firewall

Source: Internet
Author: User

As network activity steadily grows, the threats an enterprise faces grow exponentially. How, then, should an enterprise IT manager choose a next-generation firewall? Nearly two-thirds of network traffic is web-based applications, and both new security threats and network bandwidth usage keep increasing. Today's network traffic requires proper control by a next-generation firewall (NGFW).

According to Gartner, an NGFW "is a wire-speed integrated network platform for in-depth inspection of traffic and to prevent attacks." "A qualified NGFW includes all the standard features of a first-generation firewall (for example, network address translation, packet filtering, stateful packet inspection and other common network functions)."

When your firewall and/or intrusion prevention devices are approaching their refresh cycle, Gartner recommends gaining a thorough understanding of NGFW capabilities, because you will find that some network security vendors claim their products overlap in function with an NGFW when in fact they are not truly next-generation firewalls. So you should look for a genuinely qualified enterprise-class NGFW. Here are the criteria we suggest:

1. Scanning and detection capability

2. Application intelligence

3. Performance

4. Manageability

Scanning

Like first-generation firewalls, NGFWs include stateful inspection. In addition to the traditional firewall functions, however, they also need deep packet inspection (DPI). Many NGFW vendors advertise their own DPI features, but on close examination of their products you will find that they restrict it and so reduce protection. Many NGFW vendors use proxies to pass traffic through a malware-scanning gateway. This can severely degrade network performance, by up to 95% on some firewalls.

With some large files, or a moderate number of smaller file transfers, a proxy-based firewall's limited memory is soon exhausted. Once all memory is consumed, these firewalls block all file transfers. Many vendors instead let files through unscanned, which means they cannot check every file: that is, to avoid stalling the network, they choose not to scan and simply let the packets pass.

Some so-called next-generation firewall vendors cannot scan large files or certain protocols. Their ability to scan files is limited by file size, and they scan only a small subset of protocols for malware. When evaluating an NGFW, you should look for one that scans a wide range of protocols on all ports, not just raw TCP traffic; scans files of every size for viruses, malware, botnets and other threats; and decrypts, scans and re-encrypts SSL traffic.

Application Intelligence

One of the fundamental capabilities of an NGFW is the ability to control applications and optimize network operation. Different NGFWs differ, to varying degrees, in how well they solve these problems. A reliable NGFW should:

Scan applications against a growing application signature database and provide real-time visualization of what is running. Enterprises can also consider custom application definitions that extend application intelligence and control to wireless endpoints on the network.

The effectiveness of an NGFW's control is just as important as the number of applications it can detect and control. An NGFW with a strong signature database should include thousands of unique applications and application components, with new signatures updated every day. Beyond simply letting administrators "allow", "block" or "log" applications, an NGFW should provide a comprehensive set of application management features, such as application bandwidth management.

You cannot control or optimize what you cannot see. When you evaluate an NGFW, consider whether the product integrates real-time visibility into application and user traffic, visual forensic analysis tools and dashboards. As the number of applications grows you will need custom application controls, which most NGFWs may not make easy to implement. A viable NGFW should be able to identify and optimize the company's own custom applications. It should also let you define custom signatures for specific applications, so that those applications can be identified by their underlying traffic attributes or control protocols.

More and more enterprises face a proliferation of wireless endpoints scattered at the edge of the network. Companies should therefore consider an NGFW that provides strong, intelligent control of wireless applications, with enough intelligence, control and visibility to operate. Many security devices today control only the traffic of wired users, ignoring the large number of laptops, smartphones and tablets that rely on the wireless network.

Companies should look for an NGFW that integrates wireless switches and controllers, allowing configuration and management of distributed wireless deployments while providing application intelligence and control at the WiFi edge. Ideally, the NGFW should be able to apply application intelligence policies to all wireless communication to keep wireless bandwidth use efficient.

Performance

Gartner points out that an NGFW "supports online management with non-disruptive operational configuration over the network." In other words, it should add as little latency as possible. Tight integration of IPS with the other features is key to achieving this: a single-pass mechanism applies and enforces policy seamlessly without adding latency or reducing performance to unacceptable levels. This matters because enabling NGFW services should not paralyse the network.

Performing stateful DPI on every file and every network connection through a proxy-based firewall significantly reduces performance. A qualified NGFW, by contrast, can deliver DPI in real time.

Manageability

A scalable and reliable distributed management solution that guarantees security and a strong ROI is important, as is the security of an enterprise deployed across multiple sites.

For example, some next-generation firewall vendors' management platforms lack a large-scale distributed management solution, so wide deployments are often anything but easy to manage. Other next-generation firewall vendors lack a cohesive distributed management platform. Such complex management processes and solutions affect the enterprise's total cost of ownership (TCO).

Other

The selected NGFW should provide NetFlow/IPFIX support; NetFlow and IPFIX are two industry standards. Traditionally, NetFlow export data is deployed on switches and routers and covers fields such as source and destination IP addresses, source and destination ports, Layer 3 protocol types and class of service. However, both IPFIX and NetFlow can be extended, including for mobile devices on the network, to export additional data such as application data, user data and URL data.
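To check what a firewall actually exports, a defender can decode the flow datagrams it sends. The parser below is an added example, not code from the article or any vendor: it decodes the fixed-format NetFlow v5 datagram (the version most switches and routers export) into the fields named above, and runs on a constructed two-record datagram rather than captured traffic.

```python
"""NetFlow v5 export parser (added example, not from the article)."""
import socket
import struct
from dataclasses import dataclass

# 24-byte header: version, count, sys uptime, unix secs, unix nsecs,
# flow sequence, engine type, engine id, sampling interval.
HEADER_FMT = "!HHIIIIBBH"
# 48-byte record: src, dst, nexthop, in/out ifindex, packets, octets,
# first, last, sport, dport, pad, tcp flags, proto, tos, src/dst AS,
# src/dst mask, pad.
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int   # Layer 3 protocol number (6 = TCP, 17 = UDP)
    tos: int     # type/class of service
    packets: int
    octets: int


def parse_netflow_v5(data: bytes) -> list:
    """Decode one NetFlow v5 datagram; raise ValueError if malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count, *_ = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # Never trust the header count beyond what the datagram really holds.
    if len(data) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count exceeds datagram length")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        flows.append(Flow(socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]),
                          f[9], f[10], f[13], f[14], f[5], f[6]))
    return flows


def build_record(src, dst, sport, dport, proto, tos, packets, octets):
    """Constructed sample record (not captured traffic)."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       b"\0" * 4, 1, 2, packets, octets, 1000, 2000, sport, dport,
                       0, 0x18, proto, tos, 0, 0, 24, 24, 0)


# Constructed datagram: one HTTPS flow and one DNS flow.
SAMPLE = (struct.pack(HEADER_FMT, 5, 2, 123456, 1700000000, 0, 42, 0, 0, 0)
          + build_record("10.0.0.5", "203.0.113.10", 51000, 443, 6, 0, 12, 4096)
          + build_record("10.0.0.5", "10.0.0.53", 53001, 53, 17, 0, 1, 80))

if __name__ == "__main__":
    for flow in parse_netflow_v5(SAMPLE):
        print(flow)
```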

Editorial review:

NGFWs promise to help companies regain control of their networks through integrated intrusion prevention, stateful inspection and deep packet inspection. But vendors' products differ greatly: each uses its own method of scanning network traffic, so you will get different performance and functionality, with a different impact on the network. Take the time to make sure the NGFW can provide what you need.
