In this post we'll try to identify the main features that need to be analyzed before buying an enterprise firewall.

Very often I hear things like "What's the best firewall on the market?" or "Which firewall should I buy for my company?"

The answer is: "It depends on the type of network you need to protect."

A network with 100 users is not the same as a critical, redundant network with 50,000 users and 300 servers...



In my opinion, these are the essential questions you need to think about.

Features

  • How many concurrent firewall sessions do you need at peak?
  • How many new sessions per second (connections per second) does your network generate?
  • How much firewall throughput do you need?
  • How many VPN tunnels, and how much VPN throughput, do you need?
  • Which VPN protocols do you want to use (IPsec, L2TP, PPTP)? Keep in mind that PPTP is cryptographically broken; only keep it on the list if you must support legacy clients.
  • Do you require high availability (load balancing, failover)?
  • Do you need copper or fiber interfaces, at 10/100/1000/10000 Mbps?
  • Are you currently using IPv6, or will it be implemented in the future?
  • How many concurrent sessions and how much throughput will you need in the future?

Be careful when calculating throughput. Throughput is the rate at which traffic actually crosses the firewall, summed over all of its interfaces (LAN-to-LAN, DMZ, VPN), not only the Internet connections.
Manufacturers commonly measure throughput in a lab with a fixed, large packet size (for example 1518-byte frames or large UDP datagrams), not with real-world traffic. A firewall is usually limited by packets per second, so with the small-packet mix of a production network the same box delivers considerably less than the datasheet figure.
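The sizing questions above and the throughput caveat both come down to measuring your own network before reading a datasheet. The worksheet below is an added example, not code from the original post: it derives peak concurrent sessions, new sessions per second and throughput from session records, projects them with a growth factor, and derates a datasheet throughput figure (measured with large frames) to a mixed-size traffic profile. The session records are constructed; the 7:4:1 "simple IMIX" of 64-, 594- and 1518-byte frames and the 30% yearly growth are assumed values you should replace with your own.

```python
"""Firewall sizing worksheet (added example, not from the original post).

Feed it from your current firewall's session log, a NetFlow/IPFIX export or a
pcap conversation summary, taken on the busiest day you can find.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    start: float       # seconds from any common origin (e.g. epoch)
    end: float         # time the session closed (>= start)
    total_bytes: int   # bytes in both directions


# Constructed sample: a burst of short sessions plus two long bulk transfers.
SAMPLE_SESSIONS = [
    Session(0.0, 0.5, 20_000),
    Session(0.2, 1.2, 50_000),
    Session(0.4, 0.9, 10_000),
    Session(0.9, 2.5, 1_000_000),
    Session(1.0, 1.1, 5_000),
    Session(1.0, 1.3, 8_000),
    Session(1.05, 1.5, 12_000),
    Session(2.0, 2.0, 3_000),      # single request/response, zero duration
    Session(2.4, 4.0, 4_000_000),
]


def peak_concurrent_sessions(sessions):
    """Sweep line over start/end events. At equal timestamps a start sorts
    before an end, so a session ending exactly when another starts counts
    both: conservative, which is what you want for a sizing figure."""
    events = []
    for s in sessions:
        events.append((s.start, 0, +1))   # 0 sorts before 1: starts first
        events.append((s.end, 1, -1))
    events.sort()
    current = peak = 0
    for _, _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def peak_new_sessions_per_second(sessions):
    """Connections per second: session starts per 1-second bucket."""
    per_second = defaultdict(int)
    for s in sessions:
        per_second[math.floor(s.start)] += 1
    return max(per_second.values()) if per_second else 0


def bytes_per_second(sessions):
    """Spread each session's bytes evenly over its lifetime into 1-second
    buckets. A session log only gives totals, so this approximates the
    instantaneous rate, but it is good enough for a datasheet comparison."""
    buckets = defaultdict(float)
    for s in sessions:
        duration = s.end - s.start
        if duration <= 0:                 # zero-duration: all bytes in one bucket
            buckets[math.floor(s.start)] += s.total_bytes
            continue
        rate = s.total_bytes / duration
        for b in range(math.floor(s.start), math.floor(s.end) + 1):
            overlap = min(s.end, b + 1) - max(s.start, b)
            if overlap > 0:
                buckets[b] += rate * overlap
    return dict(buckets)


def peak_throughput_bps(sessions):
    rates = bytes_per_second(sessions)
    return max(rates.values()) * 8 if rates else 0.0


def with_headroom(value, yearly_growth, years):
    """Grow a measured figure by a compound yearly rate, rounded up."""
    return math.ceil(value * (1 + yearly_growth) ** years)


# Assumed traffic profile: 7:4:1 of 64-, 594- and 1518-byte Ethernet frames.
SIMPLE_IMIX = [(64, 7), (594, 4), (1518, 1)]


def imix_derated_throughput(datasheet_bps, datasheet_frame_bytes, imix=SIMPLE_IMIX):
    """Convert a datasheet figure measured at one frame size to the expected
    throughput at a smaller average frame, assuming the firewall is bound by
    packets per second (the usual case)."""
    packets_per_second = datasheet_bps / (datasheet_frame_bytes * 8)
    total_weight = sum(w for _, w in imix)
    avg_frame = sum(size * w for size, w in imix) / total_weight
    return packets_per_second * avg_frame * 8


def sizing_report(sessions, yearly_growth=0.30, years=3):
    """The figures to put next to a datasheet, today and after growth."""
    measured = {
        "concurrent_sessions": peak_concurrent_sessions(sessions),
        "new_sessions_per_second": peak_new_sessions_per_second(sessions),
        "throughput_bps": peak_throughput_bps(sessions),
    }
    projected = {k: with_headroom(v, yearly_growth, years) for k, v in measured.items()}
    return {"measured": measured, "projected": projected}


if __name__ == "__main__":
    report = sizing_report(SAMPLE_SESSIONS)
    for k, v in report["measured"].items():
        print(f"{k:26s} now {v:>14,.0f}   in 3 years {report['projected'][k]:>14,}")
    print(f"10 Gbps at 1518-byte frames is about "
          f"{imix_derated_throughput(10e9, 1518) / 1e9:.2f} Gbps at IMIX")
```

Run it against a full day of session records rather than the sample, and compare the projected column, not the measured one, with the datasheet. The derating step shows why the lab figure is optimistic: a 10 Gbps rating obtained with 1518-byte frames corresponds to roughly 2.4 Gbps at the assumed IMIX, because the packet rate, not the bit rate, is what the box is actually limited by.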

Today's firewalls have extra features to keep in mind:
  • Application control
  • Antivirus
  • IDS/IPS
  • AntiSpam
  • URL filtering
  • SSL decryption
  • Data loss prevention
  • DHCP
  • Bandwidth management
  • WAN optimization
  • Web cache
  • Proxy
  • ...

When you are dimensioning your future firewall, take care with the extra features, because they have a direct impact on the performance of the firewall.
 
Throughput decreases when you enable policy rules with:
  • Antivirus
  • IPS/IDS
  • SSL decryption (usually the most expensive of all, since every flow has to be decrypted and re-encrypted)

CPU and memory use increase when you enable policy rules with any of these extra features. Ask each vendor for the throughput figure measured with the features you will actually turn on (often published as "threat prevention" throughput), not the plain firewall figure.

Vendors

There are a lot of firewall manufacturers: Palo Alto Networks, Fortinet, Check Point, SonicWall, WatchGuard, Cisco, Juniper, Stonesoft... How do we choose?

I think this is the most difficult decision.


One manufacturer has a strong network firewall but its antivirus is really bad. Another has 10 Gbps firewall interfaces and great throughput but no application control.
Maybe two of them have (more or less) the same features, but one is a visionary that works with better technology and the other has a large installed base and better technical support...

In our opinion, the best option is to shortlist 2 or 3 and request a demo unit to test in your production environment.

There are companies that compare these products, like Gartner (who release their "Magic Quadrant" every year), NSS Labs... But take care: there are separate reports for Enterprise Firewalls, Next Generation Firewalls (NGFW), Unified Threat Management (UTM) firewalls... The same manufacturer may be evaluated in different reports with different results...

For example:

Magic Quadrant for Unified Threat Management

Magic Quadrant for Enterprise Network Firewalls

What's the difference between a Next Generation Firewall and a Unified Threat Management firewall? We will talk about it in the next posts...

Costs

Another thing to keep in mind is cost. You need to bear in mind the price of:
  • Appliance
  • Licences*: AV, AntiSpam, IDS/IPS...
  • Hardware support: 4 hours, next business day...
  • Technical support: 8x5, 24x7, 4-hour response...

* If you are working in a critical, redundant environment and you need an active-passive (failover) cluster, you need to pay the licences for the passive node as well as the active node. Check how each vendor licenses clusters before comparing quotes, because the models differ.

Summary

It is hard to get it 100% right when you are choosing a hardware-based firewall, but if you follow these steps you should make a good choice:
  1. Study the requirements of your network and select the firewall features.
  2. Choose the extra features you need: antivirus, IPS, AntiSpam...
  3. Select 2 or 3 vendors and test them in a lab. Then test in your production environment.
  4. If you know people who work with your selected vendors, talk to them, ask for recommendations and ask about their experience.