What to look for in a Next Generation Firewall (NGFW)
Your legacy Cisco ASA firewalls are nearing the end of life (EOL) and so now your boss has tasked you with selecting a new firewall solution. You’ve heard that the Next Generation Firewall (NGFW) is the next big thing when it comes to protecting network perimeters, but you really don’t know a lot about it. Where do you start? What do you look for? What questions do you ask?
In this blog entry, I will provide some quick pointers on how to create a list of requirements against which you would evaluate potential NGFW candidates.
If you are starting your requirements development from scratch, an easy place to start is the Payment Card Industry Data Security Standards (PCI DSS) organization. The PCI DSS publication, “Requirements and Security Assessment Procedures,” can be used as a foundation for developing NGFW requirements for your agency. The latest version of the PCI DSS publication is version 3.1 from April 2015. You can download it here.
You can create the language your boss wants to see by copying, pasting, and editing the PCI DSS document. Once that’s done, you will have a bunch of vendors hitting you up for meetings. What questions do you ask these guys to make sure you are getting the right product for your requirements?
At a minimum, your questions should focus on application identification, application policy control, threat prevention, management, networking, and hardware. Here is the list of questions you should ask. Feel free to copy and modify to fit your own procurement needs.
Application Identification (App-ID)
- Describe how the gateway will accurately identify applications and the mechanisms used to classify applications.
- Is identification based on an intrusion prevention system (IPS) or deep packet inspection (DPI) technology? You want DPI.
- If it’s DPI, how is its classification accuracy and completeness? And are there performance issues when App-ID features are turned on?
- How is the traffic classification mechanism different from other NGFW vendors?
- How are unknown applications handled?
- Are custom application signatures supported?
- How is SSL-encrypted traffic identified, inspected, and controlled?
- How do the SSL controls delineate between personal protected (e.g., banking, shopping, health) and non-personal protected traffic (e.g., Gmail, Facebook, Dropbox)?
- How many applications are identified (provide a list) and what is the process for updating the application database (for example, software upgrade or dynamic update)?
- If a new application is needed, what is the process for adding it to the device?
- Can an end-user submit an application for identification and analysis and/or define custom applications?
- Does the product support URL filtering? Describe the URL filtering database. Is the database located on the device or on another device?
- Describe/list any other security functions that can leverage the application information collected, including drilldown details and user visibility features.
Application Policy Control
- Describe the process for implementing policy-based application controls.
- What are the available application policy control parameters (e.g., user, IP address, date and time) and how they can be used for policy enforcement?
- Can policy controls be implemented for all applications identified?
- Can policy controls be implemented for specific users or groups?
- How are remote access environments supported (for example, Citrix and Terminal Services)?
- Can port-based controls be implemented for all applications in the application database?
- Can the solution perform traditional firewall-based access controls?
- Can policy controls be implemented from a single management interface? For example, Cisco is notorious for having to use ASDM to manage the legacy ASA chassis and FireSIGHT console to manage NGFW features. You don’t want that.
- Are users warned when they attempt to access a URL or application that violates policy?
- Describe the intrusion prevention features and antivirus engine.
- List the types of threats that can be blocked. List the file types that can be blocked.
- Is data filtering supported?
- Can the threat prevention engine scan inside SSL-encrypted traffic? What about compressed traffic?
- Describe the management capabilities and visibility tools of your NGFW solution.
- Does device management require a separate server or device?
- Are application policy controls, firewall policy controls, and threat prevention features all enabled from the same policy editor?
- What tools provide a summary view of the applications, threats, and URLs on the network?
- Describe any log visualization tools.
- Are reporting tools available to understand how the network is being used and to highlight changes in network usage?
- Describe the logging and reporting capabilities of the solution.
- Describe how management access is ensured when the device is under heavy traffic load.
- Are there any central management tools available?
- Describe Layer 2 and Layer 3 capabilities of your NGFW solution.
- Are 802.1q VLANs supported? What is the VLAN capacity?
- Is dynamic routing supported (for example, OSPF, BGP, and RIP)?
- Describe any QoS or traffic shaping features.
- Is IPv6 supported?
- Are IPSec VPNs supported? SSL VPNs?
- What deployment options are available (e.g., L2 in-line, L3 in-line, tap, passive)?
- Describe any high availability (HA) capabilities.
- Is the solution software-based, an OEM server, or a purpose-built appliance?
- Describe solution architecture. Is it single-pass, multi-pass? How is data plane and control plane separated?
Phew … what a list! Hopefully this comes in handy. For more help, don’t hesitate to reach out to SwishData. We have a team of engineers available to help you navigate through the NGFW procurement process.