Very often I hear things like "What's the best firewall on the market?" or "What firewall should I buy for my company?"
The answer is: "It depends on what type of network you need to protect."
A network with 100 users is not the same as a critical, redundant network with 50,000 users and 300 servers...
In my opinion, these are the essential questions you need to think about:
- How many concurrent firewall sessions do you need at peak?
- How many new firewall sessions per second does your network generate?
- How much firewall throughput do you need?
- How many VPN tunnels and how much VPN throughput do you need?
- Which VPN protocols do you want to use (IPsec, L2TP, PPTP)?
- Do you require high availability (load balancing, failover)?
- Do you need copper or fiber interfaces, and at which speeds (10/100/1000/10000 Mbps)?
- Are you currently using IPv6, or will it be implemented in the future?
- How many concurrent sessions and how much throughput will you need in the future?
Manufacturers commonly measure throughput in a lab with certain packet sizes, not in the real world.
Throughput decreases when you enable policy rules with:
- Application Control
- URL Filtering
- SSL Decryption
- Data Loss Prevention
- Bandwidth Management
- WAN Optimization
- Web Cache
There are a lot of firewall manufacturers: Palo Alto Networks, Fortinet, Check Point, SonicWall, WatchGuard, Cisco, Juniper, Stonesoft... How do we choose?
I think this is the most difficult decision.
One manufacturer has a strong network firewall but its antivirus is really bad. Another has 10 Gbps firewall interfaces and great throughput but no Application Control.
Maybe two of them have more or less the same features, but one is a visionary working with better technology while the other has a large installed base and better technical support...
In our opinion, the best option is to select 2 or 3 and request a demo in a production environment.
There are companies that compare these products, like Gartner (which releases its "Magic Quadrant" every year) and NSS Labs... But be careful, because there are separate reports for Enterprise Firewalls, Next Generation Firewalls (NGFW), Unified Threat Management Firewalls (UTM)... Some manufacturers are evaluated in different reports with different results:
Magic Quadrant for Unified Threat Management
Magic Quadrant for Enterprise Network Firewalls
What's the difference between a Next Generation Firewall and a Unified Threat Management firewall? We will talk about it in the next posts...
Another thing to keep in mind is cost. You need to bear in mind the price of:
- Licenses*: AV, AntiSpam, IDS/IPS...
- Hardware support: 4 hours, next day...
- Technical support: 8x5, 24x7, 4 hours...
It is hard to get it 100% right when choosing a hardware-based firewall, but if you follow these steps you will probably make a good choice:
- Study the requirements of your network and select the firewall features you need.
- Choose the extra features you need: antivirus, IPS, AntiSpam...
- Select 2 or 3 vendors and test them in a lab. Then test them in a production environment.
- If you know people who work with your selected vendors, talk with them, ask for recommendations and ask about their experience.