by Jeff Rochlin

NGFW buyer’s guide: Top 7 next-generation firewall vendors

How-To
Feb 21, 2022 | 8 mins
Enterprise Buyer’s Guides, Firewalls

Pros and cons of next-generation firewalls from Check Point, Cisco, Fortinet, Juniper, Palo Alto Networks, SonicWall, and Sophos


With more employees accessing network resources remotely, more companies deploying hybrid cloud architectures, and the overall escalation of security threats, firewall technology is critical to the integrity, security and very lifeblood of any enterprise.

Traditional firewalls are security devices which inspect traffic at the point of network ingress/egress, as well as provide Virtual Private Network (VPN) and encryption capabilities. Firewalls watch traffic by state, port and protocol, and control the flow of the traffic passing through. In a traditional firewall, advanced security features are typically provided by external appliances and services that live outside the firewall platform.


What are next-generation firewalls

Next-generation firewalls (NGFWs) offer the same capabilities as a traditional firewall, with added features such as deep packet inspection (DPI), integrated intrusion protection (IIP), web filtering, antivirus, antispam, antimalware, and SSL and SSH traffic inspection, all with an eye towards the detection and isolation of threats in real time.

These added features are integrated into the NGFW platform and are typically managed from a single console. Since all of these features are provided by the same vendor, next-gen firewalls are easier to maintain and are more convenient when vendor support is needed.

While basic firewall functionality is foundational to all products in the NGFW market, the firewall is no longer just an appliance that sits in your data center. The adoption of cloud has required firewalls to provide features beyond the physical device, such as virtualized appliances, firewall as a service (FWaaS) and containerized versions.

Next-generation firewall vendors have SASE on their roadmaps

Secure Access Service Edge (SASE) is an emerging service model that incorporates WAN optimization and other security services such as Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) through a cloud-based implementation that provides uninterrupted access for users anywhere and anytime. 

Forward-looking NGFW vendors have begun to incorporate these feature sets in their product lines. While widespread SASE implementation is considered a ways off, NGFW vendors have it on their product roadmap.

The top four vendors in this multibillion-dollar market are (in no particular order): Palo Alto Networks, Fortinet, Cisco, and Check Point Software Technologies. They represent roughly 64% of implementations according to IDC. Juniper Networks, SonicWall and Sophos fill out a good portion of the remaining market.

Here is an analysis of the top NGFW vendors, including their strong points and weaknesses, based on reports from industry analyst groups such as Gartner and IDC.

1. Palo Alto Networks: Pro: Broad product line, consolidated management. Con: Pricey

Palo Alto Networks provides a wide selection of NGFW features packaged as hardware based (PA-Series), Virtual (VM-Series), FWaaS (Prisma Access) and containerized (CN-Series) options.

All of their products are managed through the same Panorama software, and they offer additional subscription-based features to manage Internet of Things (IoT) security, enterprise Data Loss Prevention (DLP), Software as a Service (SaaS) security, advanced URL filtering, threat prevention and DNS security. The company’s WildFire Malware Analysis Engine can sandbox detected threats.

Palo Alto Networks provides a consolidated, single-vendor solution for multiple security needs through a “single pane of glass”.

These products do come at a cost, making them one of the highest-priced offerings in the marketplace. In addition, their SD-WAN product requires a separate license, while others include this in their basic offerings. Also of note, Palo Alto Networks doesn’t offer a cloud-based firewall manager in Panorama, and instead requires a plug-in to be installed on the clients.

2. Fortinet: Pro: Strong homegrown product line, integrated management. Con: Global PoPs lacking

Fortinet’s NGFW product line, FortiGate, is available in hardware, as a virtual appliance and as a FWaaS (FortiSASE) option. They offer centralized management platforms in their FortiManager and FortiGate Cloud products. Their products offer capabilities such as a Secure Email Gateway (SEG), Web Application and API Protection (WAAP), Network Access Control (NAC), Identity and Access Management (IAM), a Security Operations Center (SOC) as a service, SASE and Zero Trust Network Access (ZTNA) products.

Fortinet offers integration between your network operations center (NOC) and SOC operations in their Fabric Management Center. Like the Palo Alto WildFire system, Fortinet offers Endpoint Detection and Response (EDR), which detects threats that exist in your environment and sandboxes them for analysis, while keeping them from spreading.

Fortinet is also pushing the FortiGate product line to be used in place of branch office routers. This would enable the management of Fortinet switches and wireless access points in remote office networks through the same FortiManager management interface.

Fortinet lacks a dedicated container firewall and requires basic management features through a distributed plug-in. They also tend to lag behind other vendors in rolling out cloud Points of Presence (PoPs) and the geographic diversity of their PoPs.

3. Cisco: Pro: Extensive product offerings. Con: Maybe too extensive

Cisco offers intrusion prevention, advanced malware protection, cloud-based sandboxing, URL filtering, endpoint protection, web gateway protection, SEG security, network traffic analysis, network access control and a cloud access security broker (CASB) which helps protect other companies’ cloud-hosted services through their Cisco Secure Firewall, Cisco Secure Workload, and the Meraki MX series products.

They offer centralized management through the Umbrella Secure Internet Gateway for FWaaS, the Cisco Firewall Management Center for on premises appliances and Cisco Defense Orchestrator for cloud-based solutions, in addition to a multi-cloud management and control product.

Their SecureX extended detection and response (XDR) platform provides XDR at no additional cost to detect, hunt and remediate threats. Additionally, Cisco supports the Snort open-source intrusion detection system/intrusion prevention system (IDS/IPS) which provides an enhanced signature set.

Cisco provides multiple firewall product lines for different use cases instead of taking a single platform approach. Also, their Umbrella product does not offer an integrated SASE and requires multiple different subscriptions to additional products such as Cloudlock (Cisco’s stand-alone CASB) and an SD-WAN through their Meraki products.

4. Check Point Software Technologies: Pro: Focused security solutions. Con: No integrated SD-WAN

Check Point focuses on preventing and blocking attacks. They offer hardware appliances (Quantum), as well as virtual appliances and cloud security products under the CloudGuard brand. They also have a FWaaS product (Harmony) as part of their Secure Access Service Edge (SASE) solution.

Check Point offers on-premises (Quantum Security Management) and cloud-hosted (Infinity Portal) centralized management and monitoring portals, as well as their Infinity SOC product, which comprises their security orchestration, automation, and response (SOAR) offering, and CloudGuard, their cloud security counterpart.

Check Point doesn’t offer an SD-WAN solution, but instead works with partners to provide solutions to this rapidly growing market. Their container product also lacks application control.

5. Juniper: Pro: Advanced threat detection. Con: Slow to adopt FWaaS and SASE

Juniper offers its SRX Series Services Gateways in hardware appliances, virtual appliances (vSRX) and containers (cSRX). vSRX can be hosted on the customer’s own hypervisor, AWS, Azure, Google Cloud, IBM Cloud and Oracle Cloud. Juniper also offers Security Information and Event Management (SIEM), Distributed Denial of Service (DDoS) mitigation and threat intelligence, advanced threat detection capabilities, and IoT security.

It also has partnerships for industrial control systems (ICS) and supervisory control and data acquisition (SCADA) environments that pull information from the company’s threat prevention service and a third-party source to adapt their firewalls to new threats as they emerge.

Juniper has been late to the party when it comes to FWaaS or SASE. Their business focus is more on networks and their security products reflect it, leading Gartner to consider them a challenger player in the NGFW space. Earlier this month, however, Juniper launched a new cloud-delivered security package, Juniper Secure Edge, as part of its SASE architecture. Secure Edge adds firewall-as-a-service capabilities and extends Juniper’s Security Director Cloud management platform.

6. SonicWall: Pro: Quality products. Con: Lacks FWaaS, containers

SonicWall has three hardware appliance lines (TZ, NSa and NSsp series) along with a virtual appliance firewall (NSv series). The NSv products can be hosted on the customer’s own hypervisor or can be found in the Amazon and Azure marketplaces. SonicWall also provides integrated EDR, SEG, ZTNA, CASB capabilities and SD-WAN workflow to simplify branch onboarding in their SonicWall Cloud Edge product.

The SonicWall Cloud App Security product handles CASB functionality for SaaS applications, focusing on Microsoft 365 and Google Workspace, Box and Dropbox. They provide centralized management for their SonicWall Switch, SonicWall Access Point and SonicWall Next-Gen Endpoints through their Network Security Manager.

SonicWall lacks a containerized firewall, FWaaS and identity-based product offerings in their lineup.

7. Sophos: Pro: Managed threat response. Con: No FWaaS or container

Sophos offers their Sophos Firewall hardware (XGS Series and SD-RED), a cloud security posture management (CSPM) product (Cloud Optix), endpoint and server protection (Intercept X) and products for EDR and ZTNA. Through their Managed Threat Response product, Sophos provides the capabilities of a SOC as a managed service, all through a centralized management portal (Sophos Central).

Sophos doesn’t offer FWaaS or a containerized firewall. The CSPM product doesn’t take full advantage of Infrastructure as a Service (IaaS) tags, making implementation of firewall policy rules more difficult.

Next-generation firewall purchases require thorough product evaluations

Network security is critical in today’s world of bad actor and ransomware attacks, so it is vital for network executives to do a thorough evaluation of any NGFW product before bringing it into their infrastructure. The work you do upfront will pay off in a good night’s sleep going forward.