Presented by Duxbury Networking

Components of next-gen firewalls

Sophos’ firewall buyer’s guide is an invaluable document that helps end users make wise choices when considering the deployment of a firewall.

Areas to consider are the four must-have critical capabilities (TLS 1.3 inspection, zero-day threat protection, FastPath application acceleration, and integration with other security products), core firewall capabilities, complementary firewall products, management capabilities, and deployment options.

Core firewall capabilities

“The following technologies are also essential components of any firewall solution.”

“Most of these capabilities are mature, well-established staples in any firewall, so vendors are often differentiated based on ease of management and the level of actionable visibility they provide,” says Andre Kannemeyer – CTO at Duxbury Networking, local distributors of Sophos technology.

Be sure that your next firewall not only includes these features, but provides easy management – and more importantly, greater visibility into risks and issues in each of these areas.

Core capabilities – Questions to ask your vendor
Deep packet inspection and intrusion prevention
Provides decryption and inspection for threats and exploits
  • Does your TLS inspection support the latest 1.3 standard?
  • Does it work across all ports and protocols?
  • Is it streaming-based or proxy-based?
  • What is the performance impact?
  • Does it provide dashboard visibility into encrypted traffic flows?
  • Does it provide dashboard visibility into sites that don’t support decryption?
  • Does it provide simple tools to add exceptions for problematic sites?
  • Does it come with a comprehensive exclusion list?
  • Who maintains the list and is it updated periodically?
Advanced threat protection
Identifies bots and other advanced threats and malware attempting to call home or communicate with command-and-control servers
  • Does your firewall include technology to detect previously unseen threats?
  • Does it use machine learning to analyse files?
  • How many machine learning models are applied?
  • Does your solution include sandboxing?
  • Does the sandboxing allow the file through while it’s being analysed?
  • Does the sandboxing solution run on-premises or in the cloud?
  • Does the sandboxing solution include leading endpoint protection technology to identify threats like ransomware in the sandbox environment?
  • What endpoint technology is used to assist in sandboxing?
  • What kind of reporting is provided on-box (versus a separate reporting product)?
  • What kind of dashboard visibility is provided?
Web protection and URL filtering
Provides protection from web-based malware, compromised websites, and web downloads
  • Does your firewall support FastPath acceleration of trusted traffic and elephant flows?
  • Is it done in software or hardware?
  • How are applications identified for FastPath acceleration?
  • What policy tools are provided to admins to control which applications are offloaded?
  • Are any signatures provided out of the box to accelerate and FastPath some applications?
  • Are your FastPath packet flow processors programmable, upgradable, and futureproof?
Application control
Visibility and control over application traffic to shape or block unwanted traffic and accelerate and prioritise essential application traffic
  • What sources of information are used to identify applications?
  • Can the application engine use information obtained from the endpoint to greatly enhance application identification, or is it limited to only what the firewall can glean from the packet?
  • Can applications be assigned to the FastPath and routed out preferred WAN links using policy rules?
  • Does the system provide dashboard insights into cloud apps and shadow IT?
VPN and SD-WAN
Site-to-site and remote access VPN capabilities, SD-WAN overlays, and managing multiple WAN connections
  • Does your firewall integrate with an endpoint technology?
  • What information is shared between the two products?
  • Is a threat identified by one product shared with the other?
  • What is the response when a threat is detected? Can it automatically isolate threats? How does it do this?
  • Does the endpoint provide any information on users or application usage to the firewall?
  • Can the firewall and endpoint be managed from the same console? Is it cloud-based?
  • Can you do cross-product threat hunting (XDR)?
  • Does the vendor offer a fully-managed network monitoring and threat response service?
  • Does the firewall integrate with any other products such as Wi-Fi, ZTNA, edge devices, or network switches?

Complementary firewall products

The following complementary products may be important to extend your network and protection where it’s needed.

Make sure your vendor of choice offers these additional products and makes them easy to integrate with your firewall, either managed directly from the firewall and/or through the same central management console as the firewall.

Complementary products – Questions to ask your vendor
Branch office SD-WAN edge devices
Affordable, easy-to-deploy devices for connecting small remote branch offices
  • Do you offer a device for connecting remote locations via a dedicated VPN back to the main firewall?
  • Is it zero-touch to deploy?
  • How much does it cost?
  • Does it support both a dedicated and split-tunnel?
  • What modular connectivity options does it support such as Wi-Fi or LTE?
Wireless access points
Extend the network to include wireless
  • Does the firewall include a built-in wireless controller?
  • How much does it cost?
  • Are your wireless access points plug and play?
  • Do they support multiple radios and SSIDs?
  • Do they support mesh networking?
ZTNA
Zero-trust network access for connecting remote users securely to applications and data
  • Do you offer a ZTNA solution?
  • Is it integrated in any way with your firewall and/or endpoint?
  • Is it managed from the same central management console as the firewall?
  • Does the ZTNA agent deploy alongside your endpoint agent?
  • How is device health integrated into your ZTNA solution?
Email protection
Protection for email from spam, phishing, and unwanted email
  • Do you offer an integrated on-box email protection solution?
  • Do you offer cloud-managed email protection?
  • Does it include sandboxing of suspicious attachments?
  • Does it support email encryption and DLP?
  • Does it provide domain-based routing and a full MTA mode?
  • Does it offer a user portal for quarantine management?
WAF
Web Application Firewall for reverse proxy protection of on-premises servers exposed to the internet
  • Do you offer an integrated on-box WAF capability?
  • Does it make setup easy with pre-defined templates for common server hosted applications?
  • Does it provide hardening, CSS, and cookie tamper protection?
  • Does it provide reverse proxy authentication offloading?

Management capabilities

“Firewall products are often differentiated by how easy they are to manage.”

“Many firewalls that have been on the market for decades suffer from having new capabilities bolted onto the product over time using different user interface concepts that make every section of the product seem like a completely different product,” says Kannemeyer.

The following capabilities can make a huge difference in the deployment and day-to-day management.

Management capabilities – Questions to ask your vendor
Central management
Managing multiple firewalls or IT security products
  • Do you offer a cloud management solution?
  • How are multiple firewalls managed through this solution?
  • What other products are managed from the same cloud console?
  • Is threat intelligence shared across products and is cross-product threat hunting possible?
Reporting
What reporting capabilities are offered
  • Does the firewall include on-box storage for log data? How much?
  • Is on-box reporting included? How much does it cost?
  • Is cloud reporting supported? How much does it cost?
  • Can custom reports be created, saved, exported, scheduled?
  • Is syslog export supported?
  • Is cross-product reporting and threat hunting supported?
Management experience
How well does the firewall simplify day-to-day management and highlight what’s important
  • Does your product offer a rich dashboard with drill-down capabilities?
  • Are policies for web, app control, IPS, and traffic shaping all together in one place, or do I need to set these components up in different areas of the product?
  • Is the user experience consistent from one part of the product to the next?
  • Is there extensive built-in context sensitive help, documentation, videos, and other content for a new firewall owner?
User portal
Portal for users to help themselves
  • Does your firewall offer a user portal for users to download VPN clients or settings and manage quarantined emails?

Deployment options

Another important consideration for your next firewall is how easily it will integrate into your network both today and down the road.

You want a firewall that fits your network, not one that demands your network fit the firewall.

“Ensure your vendor offers a variety of deployment options including public cloud platform support such as AWS and Azure, as well as popular virtualisation platforms, and flexible, modular hardware appliance options,” says Kannemeyer.

Deployment options – Questions to ask your vendor
Hardware appliances
Ensure your next firewall is as futureproof as possible
  • How many models of appliances do you offer that suit my needs?
  • What connectivity options are included?
  • What modular connectivity options are included?
  • Are redundant power supplies available?
  • What high-availability options are available?
  • Are firmware upgrades included in the licensing?
  • What is the hardware warranty?
Cloud, virtual, software
Public cloud and virtual support for hybrid networks that may be important today or in the future
  • Is your firewall available in the marketplace for public cloud platforms such as AWS and Azure?
  • Do you support all popular virtualisation platforms?
  • Is your appliance available as a software solution to run on X86 hardware?

For more information contact Duxbury Networking, +27 (0) 11 351 9800, [email protected], www.duxbury.co.za