What you need to remember when buying NGFW? Check list
We have already published a short article “ NGFW selection criteria ”. It also assumes that you have already chosen your NGFW and are going to buy it. What you need to remember? How not to stumble at the last stage - the purchase. In our opinion, this is a very important question, because NGFW of any vendor is not cheap. And if things don’t go according to plan or work differently than you expected, then you may have problems like the person who made the purchasing decision. In this article we will try to reflect the main points that need to be paid attention to BEFORE buying, and not AFTER . Perhaps this small checklist will help you avoid unforeseen expenses and preserve already worn nerves.
1. The cost of annual ownership
The very first item you should check. You need to understand that absolutely any NGFW needs annual renewal of subscriptions, contracts, updates (different vendors call it differently). For many, it turns out to be a surprise that a one-time purchase is not enough and you have to “pay again” every year. And most importantly, without renewing subscriptions, the most important functionality (for the sake of which NGFW is usually bought) stops working. These features include IPS, URL filtering (site categories and reputation), Application Control, Anti-Virus, Antispam, Sandbox, etc. The full list depends on the specific vendor. Without renewing your subscriptions, your NGFW turns into a regular firewall. Although not, unusual, in a wildly expensive firewall. The cost of annual ownership by different vendors is different, but as a rule it varies around 30-40% of the original purchase. Remember this. Will this draw your annual IB / IT budget? Be sure to request information from your partner about the cost of annual ownership. In general, it is strange if the partner did not provide you with these numbers by default.
2. NGFW will not solve all problems of IB
Many perceive NGFW as a panacea for all ills with information security. But this is not the case. NGFW closes only a few vectors of a possible attack on your network. There is no single solution that would guarantee 100% protection. And if someone promises you something like that, then he simply deceives you, or he doesn’t fully understand what he is talking about. The task of NGFW is to narrow the attack area as much as possible. Why all this? In addition, do not forget about the other means of protection. If you suddenly do not have enough funds to purchase NGFW, then you should not spend the last money and “rake out” the budget by refusing other means of protection.eg desktop antiviruses or backup systems. Set priorities and evaluate your financial capabilities. IB of the company begins far from the purchase of NGFW. This is only an additional element of comprehensive protection. Do not expect magical results from just one “box”.
3. Out of the box, any NGFW works extremely poorly.
We recently published a “ Check Point to Maximum ” course , where we showed how to properly configure it for maximum protection. Along the way, we showed how easy it is to bypass NGFW with default settings. And this concerns not only Check Point. The same picture is observed with Fortinet, Palo Alto Networks, Cisco Firepower, etc. (I conducted parallel tests). Do not even expect that NGFW will adequately protect your company with default settings in a couple of clicks. NGFW will have to adjust, and repeatedly, but constantly, adjusting to changing threats. Do not forget that information security is not a result, it is a process .
4. Prepare for problems and plan time.
Buying NGFW is worth preparing for technical difficulties. Even if you buy it with the introduction services. No integrator will do absolutely all the work for you. Since IS is a process, you will have to adjust and you will have to solve problems that arise. And this is not because NGFW is bad, it is because it has so many functions. To bring everything “to the mind”, you will need to spend a decent amount of time. Otherwise, you risk remaining with default settings that do not use and 20% of NGFW features. That only is setting SSL-inspection. You will have to turn it on if you are really confused about security. And you have to manually go through sites and applications.that stop working after the inspection is turned on. No one will do it for you (unless of course you have a non-service technical support model). Similar problems may arise at many stages of the implementation and operation of NGFW. This implies the following two points.
5. Build a budget for training
NGFW itself is a rather complex product. As though vendors did not try to simplify it. It has a lot of functions, there are a lot of subtleties and pitfalls. You should not assume that you will master a new product for you at the moment. Therefore , when planning a purchase, be sure to plan a budget for training employees who will administer it. Sometimes it can be arranged in a single transaction, or receive training as a gift (it all depends on the amount of the transaction and the loyalty of your partner).
6. Technical support
You will definitely have to contact technical support and better if it is productive. There must be an employee who speaks good English. Or consider the option of technical support from Russian partners. Pay close attention to this issue. Otherwise you risk being left alone with your problems . Sometimes the question of technical support is the decisive factor when choosing a partner or even a vendor.
7. Study the issue of licensing in detail.
A very common situation. A pilot project is being conducted, you are shown how beautiful and functional everything is. However, making a purchase, you find that not all of the functionality is available to you. There are no reports that were shown to you initially, the sandbox does not work, remote users cannot connect, there is no centralized management, etc. Of course, this is the task of your partner - to understand your tasks, to form the correct specification and tell about possible limitations or additions. This is a matter of trust. But there is a good saying: “ Trust, but verify .” I think it will be very unpleasant to go to the management for another budget immediately after the purchase.
8. Purchase without tests
Without a pilot project, then you can only blame yourself (well, and swear at the partner who “set you up”). You should not be serious about marketing booklets. It is very desirable to conduct at least a few tests before purchasing. And the most important test is the real performance of the device on your real traffic. It is very important. You can not believe datasheets on devices where they write fantastic performance indicators. Unfortunately, absolutely all vendors sin with this. If you do not have time for such tests, then it remains to hope only on the experience of your partner, who will offer options.
9. Choose a model based on HTTPS inspection.
Another point that many people forget about when choosing a model. SSL inspection is a serious additional burden on your NGFW. Many in an attempt to save money choose a model whose performance is enough butt, while completely forgetting traffic over HTTPS. And by enabling the SSL inspection, they discover that their gateway is “choking”. I repeat once again: “ Without an HTTPS inspection, your NGFW is absolutely useless .” I have already demonstrated this in one of my lessons. So be sure to consider the additional load on the device in the form of SSL inspection. Otherwise, you just throw money away.
10. Buying from a “familiar” partner
A typical mistake when buying NGFW is to buy from a “familiar” supplier. I am sure that almost every company has a partner who “has long been” supplying some IT products. It is convenient and understandable to work with him. Only here NGFW is neither a server, nor a switch, and certainly not a stapler that can be bought from anyone around the corner. It’s not at all true that your current supplier has the necessary skills and competencies. The result of the implementation and security of your company depends on the qualifications of the partner . When choosing a supplier, you must first look at his experience and technical knowledge. This is best determined through a pilot project. So you will immediately kill two birds with one stone:
- Test the NGFW in your infrastructure and determine the model;
- Assess the adequacy of the partner. Can he help you with the implementation and can he then provide technical support.
In fact, this item is the most important. A good partner should lead you through this checklist. He should designate all the important points, warn about all possible problems and naturally give solutions to them.
I hope this note is really useful to someone. This is certainly not a universal recipe, but it will help to avoid the most typical problems. If you have any questions or have comments / suggestions, please write in the comments, or email me .
PS You may be interested in our previous article " Typical NGFW Implementation Scenarios "
PSS Get a trial license and test the solution you are interested in here