
How to properly choose a firewall

The task of selecting a next-generation network firewall (NGFW) may seem simple at first glance, but it is not. In this article, we will explore the nuances and pitfalls based on our own years of experience in the network equipment market.

First, let's list the criteria for selecting a device. The questionnaire below consists of a series of questions; the answers to them allow the most accurate selection of a solution.

  1. Required throughput, Mbps.
  2. Hardware or virtual implementation?
  3. Is a fault-tolerant solution (cluster) required?
  4. The type and number of interfaces for connecting to the existing network equipment.
  5. Availability, warranty period, and technical support.
  6. Composition and duration of subscriptions for the firewall's extended functionality.
  7. Availability of accompanying systems, such as an event logging server or a centralized management system.
  8. The required number of remote access VPN connections and site-to-site connections.
  9. Placement of the firewall: on the perimeter, in the local network, or protecting dedicated segments?
  10. Requirements for implementation and administrator training.

Now let's examine each point in detail, with a thorough description of the features.

Throughput

At this stage, it is necessary to select a solution from the manufacturer's model range and compare its specifications with those required to solve the set tasks.

If you rely on the manufacturer's throughput data from information leaflets, you should always be aware that these figures are obtained on “synthetic traffic” in ideal laboratory conditions. In real life, the throughput will be significantly lower. Reach out to us, as we have extensive experience in selecting devices from various manufacturers for specific tasks.


Keep in mind that not all of the Internet channel bandwidth provided by the communication operator passes through the firewall. Routers, dedicated servers, etc., may be installed in parallel to it. To choose the correct firewall model, you need to know the throughput actually required between local network resources and the Internet. This can be measured with the NetFlow/sFlow protocol families. Potential growth should also be considered.

Also, when planning throughput, take into account that resource-intensive tasks such as SSL inspection or VPN can heavily load the central processor (CPU), thereby reducing throughput. Some firewalls have onboard special-purpose processors (ASICs) that offload part of this work from the CPU.

The most accurate way to size for throughput is to evaluate the device in a pilot project on the organization's real traffic.
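To make the sizing step concrete, here is an added example (not code from the article or from LWCOM) that turns collected flow records into a required figure, adds growth headroom, and derates vendor datasheet numbers for the features that will be enabled; the flow records, model names, datasheet figures and derating factors are all constructed assumptions.

```python
"""Throughput sizing from NetFlow/sFlow data (added example, not from the article).
Assumptions, not from the article: flows are (epoch seconds, bytes) tuples already
filtered to traffic that will cross the firewall; model names, datasheet figures
and derating factors are constructed, illustrative values."""
from collections import defaultdict

# Constructed sample flows covering four minutes of Internet-edge traffic.
SAMPLE_FLOWS = [
    (5, 30_000_000), (20, 45_000_000),        # minute 0: 75 MB
    (70, 150_000_000), (100, 75_000_000),     # minute 1: 225 MB
    (130, 600_000_000), (150, 300_000_000),   # minute 2: 900 MB, the busy minute
    (200, 150_000_000),                       # minute 3: 150 MB
]
# Constructed vendor range: (model, datasheet "synthetic traffic" Mbit/s).
SAMPLE_MODELS = [("NGFW-100", 500), ("NGFW-300", 1500), ("NGFW-600", 4000)]
# Illustrative share of the datasheet figure that survives with a feature enabled.
DERATE = {"ips": 0.5, "ssl_inspection": 0.35, "vpn": 0.6}


def peak_mbps(flows, bucket_seconds=60):
    """Sum bytes per interval and return the busiest interval in Mbit/s."""
    buckets = defaultdict(int)
    for start, nbytes in flows:
        buckets[start // bucket_seconds] += nbytes
    if not buckets:
        return 0.0
    return max(buckets.values()) * 8 / bucket_seconds / 1_000_000

def required_mbps(measured, growth_factor=1.5):
    """Add headroom for expected growth over the device's service life."""
    return measured * growth_factor

def realistic_mbps(datasheet, features):
    """Derate the datasheet figure for each enabled resource-intensive feature."""
    rate = float(datasheet)
    for feature in features:
        rate *= DERATE.get(feature, 1.0)
    return rate

def choose_model(models, needed, features):
    """Smallest model whose derated throughput still meets the requirement."""
    for name, datasheet in sorted(models, key=lambda m: m[1]):
        if realistic_mbps(datasheet, features) >= needed:
            return name
    return None  # nothing fits: look at the next tier or an Active-Active pair

if __name__ == "__main__":
    need = required_mbps(peak_mbps(SAMPLE_FLOWS))
    print(f"required {need:.0f} Mbit/s; plain: {choose_model(SAMPLE_MODELS, need, [])}; "
          f"with IPS+SSL: {choose_model(SAMPLE_MODELS, need, ['ips', 'ssl_inspection'])}")
```

With the sample data the leaflet figure of the smallest model looks sufficient, but once IPS and SSL inspection are enabled the next model up is needed, which is exactly the gap between datasheet and real-life throughput described above.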

Implementation Options

Selecting a hardware solution involves answering questions such as:

  • Placement in a rack or on a desk?
  • How many rack units (U) does it occupy?
  • Is power redundancy required?

When placing the firewall as a virtual machine, it should be kept in mind that the virtualization server is also susceptible to attacks from untrusted segments and requires a specialized approach to its protection.

The performance of virtual solutions largely depends on the server hosting the virtual machine and can be accurately assessed only during a pilot (test) implementation.

Virtual machine deployments are typically placed in rented virtual capacity.

Virtual solutions are usually licensed based on the number of processor cores allowed for use in the virtual machine.

Clustering

Devices in a fault-tolerant pair can operate in different modes: Active-Active and Active-Passive. Let's look at these in more detail.


Active-Active

  • Advantages: Increased throughput by balancing traffic between devices
  • Disadvantages: Complexity in diagnostics and fault detection

Active-Passive

  • Advantages: Simplicity of implementation
  • Disadvantages: The backup device sits idle in standby while the primary one is operating.

Important addition: Different manufacturers take different approaches to licensing additional functionality for fault-tolerant systems. With some, a single set of subscriptions covers all devices in the fault-tolerant system.

It's important not to forget about the requirements for dedicated interfaces to create a cluster.

Interfaces and Ports

10Gbit/sec interfaces are not always necessary to increase the throughput of the firewall's connections to the existing network equipment. Aggregating 1Gbit/sec interfaces with protocols from the EtherChannel family, such as LACP, is an option.

If a connection through SFP+ interfaces is still required, direct-attach copper (DAC) cables are recommended.


Warranty and Support

There are three options:

  • Manufacturer support
  • From the distributor
  • From a partner involved in commissioning

Each option varies in cost, response time, and engineer qualification. Generally, the longer the term, the lower the cost.


When choosing the level of support, also consider the following:

  • Response time: business hours or 24x7?
  • Is an engineer's presence at the customer's site required?
  • Is failed equipment replaced, and how quickly?

Subscriptions for Extended Functionality

Typically, the following functionalities are licensed and renewed every year:

  • Antivirus (AV)
  • Intrusion Prevention System (IPS)
  • Email protection / anti-spam (AS)
  • URL Filtering (WEB Filter)
  • Application Control (APP Control)


It's important to note that devices from some manufacturers can operate without subscriptions, but access to the update servers will not be available. This is worth bearing in mind if there may be difficulties purchasing renewals on time.

Event Logging Systems and Centralized Management Systems

These are available in both hardware and virtual implementations.

Dedicated event logging systems are purchased if long-term storage or rapid searching by specific criteria is required.

Centralized management from one system is common if there are more than 10 devices.


Remote Access VPN

Most manufacturers adhere to a licensing model for remote access based on the number of simultaneous connections. However, some manufacturers offer the ability to connect the maximum number of users with basic functionality.

The basic functionality always requires careful analysis, as not every model can solve the task at hand. For example, the ability to save the password in the client software may be absent.

For some entry-level models, there are limitations on the number of VPN connections between sites.


Placement of Network Firewall Devices

Possible options:

  1. Perimeter protection. Controlling the interaction between local network resources and the Internet. For this placement, maximum functionality is required, including SSL inspection. It is possible to combine the roles of perimeter firewall and remote access server. Devices are typically hardware-based.
  2. Traffic control within the local network. Here, devices of maximum performance are required, as data transmission speeds within the local network are multiples of 10Gbit/sec. Implementation as virtual machines is possible. Extended functionality includes an intrusion prevention system.
  3. Protection of dedicated local network segments. Organization of demilitarized zones. In this case, the device is selected precisely for a specific task.

Training, Implementation

  • With large volumes of equipment purchases, training can be a bonus. Check with the vendor.
  • All LWCOM specialists are certified and have been trained on equipment from all major suppliers. Trust the professionals.
  • Before the final choice of solution, an important factor is the availability of extensive documentation and a publicly accessible community of engineers.

In conclusion

In this article, we have examined the main issues that arise when selecting network firewall devices. In real situations, there will be significantly more of them. LWCOM solves such issues every day and has tremendous experience in implementing such tasks.

We will help select the network firewall (NGFW) necessary for solving the tasks of your organization. We will deliver the equipment on time, integrate it into the existing IT infrastructure of the company, and train the staff in the nuances of administration and management.

Eugene
expert on network solutions