How to choose NGFW or what manufacturers are not talking about?
Consideration No. 1. Everything is specifically
underlined. Over the past few years, I have been very closely involved in the topic of NGFW, and the most frequent request from clients choosing a solution to protect the network is a comparison and questions of the difference between the leaders of different quadrants Gartner, NSS Lab and so on. And that could be a simple task. But, as one hero of the famous series said ...

Unfortunately, there is not a single vendor with completely reliable information in marketing brochures and DataSheet-ahs. Each of them either understands something, or uses the obviously useless characteristics that are obtained using artificial tests. They have millions of tricks. In most cases, only personal experience and a large (huge) practice of working with all the solutions on the market can help you thoroughly choose a solution for a specific task for the budget that you have.
Without experience, you are doomed to endlessly look at comparisons like this:
In general, it’s obvious that this will not bring you any closer to balanced objective and reasoned criteria for choosing a solution for protection.
Consideration No. 2. Each blacksmith of his own happiness (misfortune)
The problem of choice appears primarily due to the lack of source data. If someone expects to see further a comparison of all vendors by a trillion criteria, then you can safely skip this article. I do not set such a task for myself, and I see it more harmful than useful. Firstly, everyone has different tasks, and secondly, the situation on the market is changing rapidly, today someone does not have an actual certificate of this or that supervisory authority or some feature, and tomorrow, bang, and everything appeared. The value of such a comparison was multiplied by 0. But this does not mean that such comparisons should not be. In my opinion, everyone can compile a matrix of criteria by answering for themselves and their organization what is critical, important and desirable when choosing an NGFW solution, and then put “+” and “-” on your personal matrix. So you get the most effective comparison, tailored exactly to your task. To draw up such an objective matrix, to draw your attention to places where there are a lot of lies and shortcomings on the part of respected leaders, I set as the goal for this article.
Consideration No. 3. Comparison Criteria
Let's move on to the criteria. Determine which ones are important to you and which ones you can discard because of their irrelevance. For each criterion, I will try to give explanations and warnings from personal experience.
1. Certification in the Russian Federation
This is an excellent watershed when choosing an NGFW solution. There are companies that do not allow solutions without a FSTEC certificate before comparison in principle. But there are many nuances. Firstly, you can immediately divide the manufacturers into:
- “Ours” - domestic manufacturers mostly have certificates and this is often their only strength;
- “American” - it is more difficult for them to get certificates, often this is a certificate for an old version of software, which can be “end of support”, or with old bugs, updating or patching a holey solution can be a problem;
- “Israel” is a fortunate combination of circumstances; you cannot say otherwise. Functional superiority over domestic developments and the absence of political contradictions receive certificates and quite quickly (“of course, everything is relative”) for current versions.
Secondly, what else should I pay attention to:
- Does the solution have FSTEC and FSB certificates?
- What version of software and which models of equipment are certified? How current and current is the model and model? Is it supported? Does it contain security holes that are closed in newer versions.
- Certification class? Let me remind you that from December 1, 2016, the FSTEC changed everything.
- What is specifically certified by ITU / IPS / IDS / VPN?
- Current certificates, expiration dates and prospects for renewal?
It happens that the vendor claims to have certificates, but the version is old and technical support is no longer available or is about to be gone. Some extend support for certified versions in the Russian Federation. You can find out only from experienced partners or honest vendors, with the right question.
2. What is the licensing scheme for the solution as a whole?
Everything is simple here. Someone sells a piece of iron, and load it with traffic, how many will sustain, so many will sustain. There are solutions with pricing per user + features. Count and choose. As for the first option with the sale of hardware (or virtual machine), do not believe datasheets. Only real testing will show actual load and performance. You all have different traffic, tasks, and networking. All possible tests for each cannot be done in advance. Only a pilot project will give an honest result.
3. Notification and import
This is a pitfall, which you yourself will guess the last. Almost all NGFW solutions have cryptography. To bring such a device in a suitcase is dangerous from a criminal point of view. So, for each model you need to get a notification on import. The vendor himself usually does this. The right guys do quickly and almost immediately, as soon as these latest models appear. But not everyone does this, there are players on the NGFW market who have not been notified for years, and you cannot import and sell their devices. But to a large extent, this is not about them. Just remember that if a new model appeared on the site, you really need at least a month or two to receive documents for import. Remember this when at the end of the year you urgently need to "master" the budget.
Questions for comparison:
- Is it possible to import into the Russian Federation, are there notifications for these models?
- Is there a possibility of "gray" supplies and how to check? I recommend not to get involved with gray schemes.
4. Technical support
You will remember about it already having spent money, and sometimes you can be very disappointed. Sometimes so much that you have to spend another budget to change the decision. Again, the pilot project helps put everything in its place. As part of the testing, you can evaluate the competencies and qualifications of the integrator partner, and often the support work of the vendor itself. Recommendation, if the vendor does not have support in the Russian Federation (or the number of engineers is less than 10 people), you will be guaranteed to solve your problems yourself and in isolation. Decide for yourself how critical this is for you. Some vendors allow partners to provide their first line, specify before the purchase, who and under what conditions will help you with troubles in the work of the solution.
Add. Questions:
- Who provides and on what terms?
- How much is and the conditions for extending those. support?
- What is included in the technical support?
- Does the vendor have Russian-speaking local support, how many engineers?
- How is the technical support and replacement in case of breakdown?
- Has the company been sold or bought by someone in the past 2 years? How many times? Often after such perturbations, extending support even for existing equipment results in a problem.
5. Country of origin
As in the first criterion with certification, for many under sanctions this is an important criterion. The lists of companies under sanctions are expanding, and no one can reliably say who will be there in a year. Again, this is far from all.
Add. questions:
- What is the vendor's attitude towards sanctions?
- Are there any sanctioned customers and their relationship with the vendor?
6. Are there additional licenses and hidden charges?
Ask and listen carefully who will start talking and what.
7. Market share and company history.
This can be important if you strategically choose a partner to protect your company and do not intend to change the decision in a year. Plus NGFW is a fairly competitive market, some of the eminent players have already left it, although they started very cheerfully. And the history of the company can tell a lot about successes, stages of development and the focus of work. There are players imprisoned only for the security theme, and there are those who, even before the heap, also do ngfw gateways, but there are fewer of them.
- How old is the market?
- Industry achievements (gartner / nss lab), bonuses and awards?
- Product portfolio. What else is the company doing?
- What is the company's focus and breadth of development?
8. URL filtering and categorization of Internet traffic
Here we come to more or less technical criteria. Categorizing the Internet works differently for everyone. What is important to pay attention to? I will give an example. If you just want to block social. network, then you have enough of the simplest solution, the main sites are blocked at all. But sometimes you may have more difficult tasks: let's say the HR department is allowed to chat in social services. networks, PR department - post posts and pictures, and watching videos and listening to music in social networks. networks must be closed to everyone. Here, many vendors will shrug their hands and there will be units who detail traffic and can implement such a scheme.
- Own bases or subscription to third-party bases?
- What is the licensing scheme (by users or not)?
- The number of categories and detail Runet. How many categories?
- Does the solution have HTTPS traffic inspection technology and how is it implemented?
Almost all HTTPSs have traffic parsing with certificate spoofing; if not, this is no longer an NGFW solution. But there are enough subtleties in work, problems with the performance of the gateway with the analysis of https traffic. Here I have one piece of advice: only a pilot project will show you everything and clearly explain what I'm talking about now.
9. Proxy
Many NGFW gateways can operate as a proxy server. If you decide to use this option, answer the following questions for yourself:
- Does it cache or not? Do you need to?
- Is explicit / transparent mode supported?
- Does X-forward IP work?
- Is Reverse proxy functionality supported?
- Are bandwidth limits used?
- Are limits on the volume of downloaded traffic used?
- Is there policy integration across AD users and groups?
- Are there any performance drops in this mode of operation of the gateway?
10. Protection against malicious traffic (antivirus)
- Are you using your own databases or partners?
- What is the antivirus licensing scheme?
- Do I need to buy any licenses from third-party manufacturers?
- What is the performance of a system with antivirus protection enabled?
11. Integration with MS AD and other services
IP policies have long passed. All self-respecting solutions can be friends with MS AD and apply traffic policies for users and groups. But everything integrates differently. Someone asks to put the agent on domain controllers, someone does without agents. Someone wants an agent for the desktop, someone asks you to enter the login password in the browser, someone just a little bit and in different configurations. Tip: pilot and field case solving. There are no universal solutions. Each NGFW solution has its own problems and workaround.
- What is the scheme of work (agents, access rights to AD)?
- What integrates AD / Radius / Tacacs + and others? Maybe you have not only AD.
- What integration methods are used? How are they implemented? (agents / access rights, domain controllers, web portal / terminal servers)
12. IPS / IDS
This is my favorite. How many cases, bought IPS, installed, set up three checkmarks and live with a full sense of security and security. Bullshit, bullshit, is no good. IPS requires careful, thoughtful configuration and updates every day, or even more often. The first criterion for choosing is the convenience of the interface. Ask to show the interface for customization. You will have to deal with hundreds and thousands of signatures, if you do not understand them, there will be no sense from IPS. If it will be difficult for you to track new signatures and it is not clear what they are protecting from, then the effectiveness of such protection will be minimal. You will HAVE to deal with signatures and their settings, of course, if you do not want to parse hundreds of logs when IPS blocked an attack on apache, flying towards your IIS server. And this is very close. Apart from you, no one knows your infrastructure better. About DETECT I can only say that there should be a minimal amount of it. Firstly, it will save gateway resources, and secondly, it will keep your network safe. Threshing traffic on all signatures, writing a log about detection, and ultimately skipping the attack to the server is the most stupid of possible deployment scenarios. Be smarter and regularly check perimeter security.
- How much signature database?
- What is the frequency of updates? Update rate and response to incidents by the IS vendor. There are examples when a vendor writes signatures for months and years on the most critical vulnerabilities ...
- Ease of administration. How are IPS filtering rules configured?
- Detection and blocking visibility. Is there a notification and reporting system?
13. Defining and filtering applications
With applications, this is the thing; almost all respected players in the NGFW market have them. The question is rather, how many applications do you personally need, this time. Two - how well the gateway detects these applications and quickly blocks them. Workarounds at work? The same viruses and bots can pretend to be Skype, for example. How does the proposed solution work out such a scenario? Again, the best comparison is a pilot project. You will feel all the ins and outs of yourself on yourself right away or not, everything depends on the decision.
- How many applications are in the database? Base increase speed?
- What is the details of Runet?
- What is the licensing scheme for web filter and applications?
- Is there a download block by file type? What formats are supported and recognized?
- Databases own or partner by subscription?
14. Blocking botnet traffic
To be honest, more and more viruses are turning into bots. In our work, we have not seen reports for a long time after network audits in which bot activity was not recorded. This means that the network has a bunch of already infected PCs, but no one knows about this. These are ransomware, surveillance software, banking trojans, and a bunch of other things ... What does this lead to? To sadness in the eyes of administrators and security engineers, management and business owners. How to fight and what to do in order not to get depressed? Detect and block bot traffic on the network at all levels and immediately treat infected machines. Spend a pilot and check all of the above.
- What methods of detecting and blocking bot-infected machines are used?
- What is the licensing scheme for bot protection?
- Performance when enabling bot traffic inspection?
15.
DLP Information Leak Detection . Some NGFW solutions offer this functionality. The thing is useful, although it often lags behind a full-fledged DLP solution in terms of functionality and capabilities. But as an additional system or module with integration to the main DLP solution can be very useful. The idea is simple, if you already have DLP, specify whether NGFW can be integrated with your DLP system, if DLP is not, then it is better to take NGFW with DLP functionality, it will come in handy.
- What protocols does it analyze?
- What methods of detecting sensitive data are used?
- How does the system determine data encryption?
16. Remote access (VPN / SSL)
Ask yourself and the vendor questions about possible options for connecting remote users. What technologists are there, what are the implementation scenarios, nuances in the work? Ask for a demo, look at all this through the eyes of the user? Will it be convenient for them to use the chosen solution. Better yet, bring the focus group to the testing phase of the pilot project.
- SSL VPN
- GOST SSL VPN
- IPSec VPN
- Support for 2-factor authentication (SMS, Certificate, Token)
17. Support for mobile devices.
If you want to provide access for mobile employees, decide from which devices they will connect. Not all OSs may be in the list of supported ones; not all devices may have applications.
- iOS
- Android
- Windows
- Other
18. GOST VPN
If you need GOST VPN, most likely you will buy a Russian solution, but there are import suppliers of certified GOST VPN. The main problem with GOST encryption is performance. And there are problems with centralized management, reporting and troubleshoot of such solutions. Key generation at least 1 time in 6 months and much more. Only the pilot will show all the beauty and versatility of this task. Test it out. And ask for the test at least one cluster in the center and two remote devices for offices. Point-to-point you will be collected in 5 minutes, no doubt. But a more complicated scheme will already be difficult to show beautifully. Some manufacturers can buy OS certificates and images and make a certified solution purchased many years ago certified. This is often convenient.
- Ease of administration. Centralized or distributed?
- Guest encryption performance? What is the maximum bandwidth of the guest VPN channel?
- Cost of a certified software version? How is it purchased?
- What are the possible implementation and procurement scenarios?
19. Protection against spam and checking SMTP traffic.
Mail is number 1 among the channels of infection and transmission of malware. But nobody can turn it off completely, so you need to defend yourself and deal with what and from whom it flies to our mail server. Here only testing will show you an objective picture. Many NGFW solutions have mail protection in a separate product, someone combines everything on one device. Functionality is also different. So only a test will give you the big picture.
- What spam checking mechanisms are used?
- Own base or integration with partners?
- Is there an SMTP Relay \ MTA function?
- Are attachments and archives checked?
20. Sandbox - blocking 0-day attacks.
Almost all modern NGFW solutions have got sandboxes. Someone bought them, someone developed it themselves. In fact, here comes the most interesting fight. I will not ship the details, test and test again. On the fingers, explaining CPU-level ROP detection will be difficult, but many do not even need it. So we take a gateway with a sandbox from different manufacturers and test it by comparing the results, you will quickly understand everything yourself, without the buzzwords and marketing names of the technologies. Remember, hackers are smart guys, how long ago they came up with sandboxes ...
- Is the Cloud used as a service?
- Is it possible to use hardware modules?
- What emulation and detection methods are used?
- How is protection against detection and bypass of the sandbox implemented?
21. Cluster / Failover
Again, test better. Every self-respecting manufacturer has a cluster. But the implementation of all is different, each may have its own quirks. As if a scythe on a stone would not find. Of the bonuses, some vendors "off the wheels" on the cluster give a good discount.
- What are the cluster modes? (Active / Standby and / or Active / Passive and / or Active / Active)
- Failover mode. What will happen to the traffic?
- How to change the cluster operating mode during operation?
- Is VRRP supported?
22. Support for dynamic routing.
Last purely technical criterion. Look at your infrastructure and evaluate all the features of routing implementation inside the perimeter. Try to understand what you need from the NGFW gateway, but do not turn it into a kernel router. Traffic protection and routing are still different tasks and it is better not to mix them.
- BGP
- OSPF
- Rip
- ISIS
- IPv6 support
23. What technologies are used for VPN, NAT, Dynamic Routing, ISP redundancy?
This is about the architectural features, the transparency of technology, and their troubleshoot. Separately, it is worth clarifying the logic of the work of policies and the processing of rules when passing traffic. Sometimes amazing things can appear here.
24. Centralized management
Without this, nowhere is now. Remember, you choose the solution with which you live and work every day. If it is uncomfortable, incomprehensible, slow, poorly maintained, you will curse the day you chose it. Security is out of the question. The solution should be clear, with good logs for the troubleshoot, with centralized management of all gateways and a good reporting system.
- Are there any restrictions on the number of gateways and which ones?
- What is the procedure for adding new gateways to the control center?
- Is there a distributed management model?
- Is a multi-domain management model supported?
- What is the management interface?
25. Availability of a reporting and logging system.
If you do not read the logs of your security systems, this means they do not work. Safety is a process; it requires the attention and reaction of people on the ground. If the logs are inconvenient to read, there are no correlations, there is no mail notification system - this is a bad system. There will be little sense from her. And this is the weakness of all vendors in NGFW. The situation is different for everyone, someone is better, someone is worse, someone has no reporting at all. But even those who are considered the leader in this aspect have gaps and not all reports you can build easily and without compulsion.
- Own system or third-party products?
- Integration with SIEM. Which ones and how?
- If an external reporting system (3d-party) is used, how much does it cost and how is it licensed?
26. Real performance of equipment and VM gateways
Once again - everyone lies. Alas, it’s true. Do not believe the datasheets and those mega-gig-tera bits that are in them. It is almost always synthetic, not related to real life. Only testing in your environment will show the correctness of your choice and model. Remember, avaricious pays twice (multiple times). If there is not enough budget for the desired model, either bargain with the vendor, or buy another vendor with functionality in a simpler way, but with greater iron performance. Buying a system and disabling all protection features is the worst of all options. Why do you need another router for the money?
- Testing methods and results?
- The difference between marketing data and real ones in life?
27. What is the underlying operating system of the solution?
Sometimes it is important in architectural terms. It’s better if the vendor has its own OS, worse if Linux, bsd, and so on are altered in every way on the knee.
28. The cost of annual ownership
Now everyone is moving to a system of annual payments. Almost all functional modules from all manufacturers are renewed by subscription. Antivirus, URL filtering, application control, IPS, etc. everything requires updating signatures, this is the daily work of more people and artificial intelligence, this work must be paid for, everything is fair here. Here the cost is different for everyone. In order not to round your eyes in a year, ask the cost of annual payments at the selection stage and before the purchase. Protect your eyesight.
- What will happen if you do not receive an extension?
- Are there annual payments and subscriptions?
- What is included in the extension?
29. Availability of engineers and a partner network of the Russian Federation
This, as with support, will be of great help at the implementation stage (if you do not order it separately) and at the operation stage. Everyone has bugs. The question is how quickly you will find a solution to emerging problems and will you do it alone or with a team of professionals. Plus, decide who within your organization will administer the NGFW gateways. Estimate the prevalence of certified engineers in the market for how much they cost. And it will turn out, as with OpenSource. Everything seems to be free, but employees cost space money, and there is no one to replace them.
- The presence of a large number of certified engineers in the Russian Federation.
- What is the equipment demo-fund of partners?
- How many partners in the Russian Federation?
Conclusion
First, thank you for reading. I hope the article is useful and drew your attention to topics that you might not have been obvious. Truth is born in a dispute, so if you disagree with something, then leave comments. We are primarily for objectivity.
Secondly, I carefully avoided mentioning the vendors, since the main thing is that you decide for yourself what your task is and find a solution specifically for it, a solution that most fully meets your specific needs and goals. Then everyone will be happy.
And if you already have security and traffic inspection systems, check their operation and effectiveness, as described in our previous article .