Industry Trends

How to Select a Network Firewall—A Guide for SMBs

By Joel Boyd | April 08, 2022

While it's impossible to foresee exactly how growth and expansion will affect your network and security requirements, making a wise investment is still possible. Regardless of your configuration, the firewall remains the critical inspection point for all network traffic. The right firewall helps prepare your business for growth by consolidating the number of products you must manage, reducing costs and operational cycles, and making the management of your network infrastructure simpler and more cost-efficient.

The challenge is sifting through the vast array of firewall options to find the best one for your organization now and that can grow with you as your organization and network expand. So, what questions do you need to consider when choosing a firewall for your business? Here are some critical considerations:

Does the throughput match your business needs?

As anyone can tell you, throughput demands are a moving target. Yesterday's ultra-performance is today's baseline requirement. As the volume and maturity of users, devices, and applications increase, bandwidth demands naturally intensify. Your firewall must be able to identify applications quickly and scale to process and secure growing traffic volumes, especially now that most traffic is encrypted, an estimated 95% according to Google's latest Transparency Report. Decrypting TLS, including the latest TLS 1.3, is the key to identifying bad actors hiding in those encrypted paths. Keep in mind what that entails: the firewall terminates the TLS session and re-signs server certificates with a CA that every managed endpoint must trust, and applications that pin certificates (common among mobile and software-update clients) will need explicit exemptions.
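As an added illustration of what a firewall can read from an encrypted flow before it decrypts anything (example code written for this page, not Fortinet's or any product's code), the Python below builds a constructed TLS 1.3 ClientHello and parses the fields that are sent in the clear: offered protocol versions, cipher suites, the server name (SNI) and ALPN. Application identification and decrypt-or-bypass decisions can key off those fields; everything after the handshake, which in TLS 1.3 includes the server certificate, is visible only with full decryption. The bypass list and the `inspection_decision` policy hook are hypothetical.

```python
import struct


def _u8(n):
    return struct.pack("!B", n)


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]


def build_client_hello(server_name, alpn=("h2", "http/1.1"), versions=(0x0304, 0x0303)):
    """Build one TLS record carrying a minimal ClientHello (constructed test input,
    not a capture). The random is all zeros and a single cipher suite is offered."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + _u16(len(host)) + host                  # name_type host_name(0)
    sni_list = _u16(len(sni_entry)) + sni_entry
    ext_sni = _u16(0) + _u16(len(sni_list)) + sni_list            # extension server_name(0)
    protos = b"".join(_u8(len(p)) + p.encode("ascii") for p in alpn)
    alpn_list = _u16(len(protos)) + protos
    ext_alpn = _u16(16) + _u16(len(alpn_list)) + alpn_list        # extension ALPN(16)
    vers = b"".join(_u16(v) for v in versions)
    sv = _u8(len(vers)) + vers
    ext_sv = _u16(43) + _u16(len(sv)) + sv                        # extension supported_versions(43)
    exts = ext_sni + ext_alpn + ext_sv
    body = (_u16(0x0303) + bytes(32)        # legacy_version TLS 1.2 + 32-byte random
            + _u8(0)                        # empty legacy_session_id
            + _u16(2) + _u16(0x1301)        # cipher_suites: TLS_AES_128_GCM_SHA256
            + _u8(1) + _u8(0)               # compression_methods: null only
            + _u16(len(exts)) + exts)
    handshake = _u8(1) + _u24(len(body)) + body                   # HandshakeType client_hello(1)
    return _u8(22) + _u16(0x0301) + _u16(len(handshake)) + handshake  # ContentType handshake(22)


def parse_client_hello(data):
    """Return what an inline firewall can read from a ClientHello without any
    decryption: offered versions, cipher suites, SNI and ALPN."""
    if len(data) < 5 or data[0] != 22:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(data[3:5], "big")
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = int.from_bytes(body[0:2], "big")
    q = 2 + 32                                                     # past legacy_version and random
    q += 1 + body[q]                                               # skip legacy_session_id
    cs_len = int.from_bytes(body[q:q + 2], "big")
    q += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(q, q + cs_len, 2)]
    q += cs_len
    q += 1 + body[q]                                               # skip compression_methods
    out = {"legacy_version": legacy_version, "cipher_suites": ciphers,
           "sni": None, "alpn": [], "supported_versions": []}
    if q >= len(body):
        return out                                                 # no extensions at all
    end = q + 2 + int.from_bytes(body[q:q + 2], "big")
    q += 2
    while q + 4 <= end:
        etype = int.from_bytes(body[q:q + 2], "big")
        elen = int.from_bytes(body[q + 2:q + 4], "big")
        edata = body[q + 4:q + 4 + elen]
        q += 4 + elen
        if etype == 0:                                             # server_name (RFC 6066)
            i = 2                                                  # skip server_name_list length
            while i + 3 <= len(edata):
                ntype, nlen = edata[i], int.from_bytes(edata[i + 1:i + 3], "big")
                if ntype == 0:
                    out["sni"] = edata[i + 3:i + 3 + nlen].decode("ascii")
                i += 3 + nlen
        elif etype == 16:                                          # ALPN (RFC 7301)
            i = 2
            while i < len(edata):
                plen = edata[i]
                out["alpn"].append(edata[i + 1:i + 1 + plen].decode("ascii"))
                i += 1 + plen
        elif etype == 43:                                          # supported_versions (RFC 8446)
            n = edata[0]
            out["supported_versions"] = [int.from_bytes(edata[i:i + 2], "big")
                                         for i in range(1, 1 + n, 2)]
    return out


def inspection_decision(fields, bypass_suffixes):
    """Hypothetical policy hook: decide per flow, before any interception, whether
    to decrypt. Domains on the bypass list (for example, sites whose apps pin
    certificates) are passed through; a flow with no readable SNI is decrypted."""
    sni = fields["sni"]
    if sni is None:
        return "decrypt"
    if any(sni == s or sni.endswith("." + s) for s in bypass_suffixes):
        return "bypass"
    return "decrypt"
```

Note that the bypass match is done on SNI, which the client sends unauthenticated; a determined user can set any SNI, so bypass lists should be short and the decision should be revisited once the server certificate has been validated on the firewall side.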

What type of inspection do you require from your firewall?

Generic CPUs were never developed to perform specialized inspection, analysis, correlation, and response tasks modern firewalls need to deliver—including things like performing deep inspection of encrypted traffic that can quickly overwhelm generic CPUs. Just as advanced graphics demand specialized GPUs to render rich video streams, the increasingly sophisticated technologies and tactics used by today's cybercriminals demand more processing power. Effectively analyzing streaming traffic in real-time requires a much more specialized and intensive process that most firewalls cannot deliver.

The second issue is longevity. Selecting a firewall should be a long-term investment. But even though most businesses expect their technology to last two to four years, research suggests that over half end up purchasing additional tools and workarounds every one to two years, either to fill gaps in their existing solution or to compensate for creeping performance issues. The best rule of thumb is to make an educated guess about your bandwidth requirements in three years, double it, and then select a firewall that is very comfortable securing that volume of traffic. Compare that figure against the vendor's throughput for the inspection features you will actually enable (IPS, antivirus, SSL/TLS inspection), not against the headline "firewall throughput" number, which is measured with those features turned off.
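The rule of thumb above, carried into a small sizing check (added example, not from the article or any vendor; the traffic samples and datasheet figures are constructed): project the 95th-percentile daily peak three years out, double it, and compare the result with the datasheet figure for the slowest inspection path you intend to enable.

```python
import math


def percentile(samples, pct):
    """Nearest-rank percentile (no numpy needed); pct is 0..100."""
    if not samples:
        raise ValueError("no samples")
    s = sorted(samples)
    k = max(1, math.ceil(pct * len(s) / 100))
    return s[k - 1]


def required_throughput_mbps(daily_peaks_mbps, annual_growth, years=3, headroom=2.0, pct=95):
    """The article's rule: take today's p95 peak, compound it `years` out at
    `annual_growth` (0.25 means 25%/yr), then double it (`headroom`)."""
    baseline = percentile(daily_peaks_mbps, pct)
    return baseline * (1 + annual_growth) ** years * headroom


def effective_throughput_mbps(datasheet, enabled_features):
    """A box is only as fast as its slowest enabled inspection path."""
    missing = [f for f in enabled_features if f not in datasheet]
    if missing:
        # No published number for a feature is a red flag, not a pass.
        raise KeyError(f"datasheet has no figure for: {missing}")
    return min(datasheet[f] for f in enabled_features)


def qualifies(datasheet, enabled_features, needed_mbps):
    return effective_throughput_mbps(datasheet, enabled_features) >= needed_mbps


# Constructed sample: 20 days of observed peak utilisation on the WAN link, in Mbps.
DAILY_PEAKS = [180, 195, 210, 200, 190, 240, 230, 220, 205, 250,
               215, 260, 225, 235, 245, 185, 200, 210, 255, 228]

# Constructed datasheet figures (Mbps) for a hypothetical SMB appliance. Real
# datasheets list separate numbers per feature in exactly this way.
DATASHEET = {"firewall": 10000, "ips": 2500, "threat_protection": 1200, "ssl_inspection": 900}

if __name__ == "__main__":
    need = required_throughput_mbps(DAILY_PEAKS, annual_growth=0.25)
    print(f"required: {need:.0f} Mbps")
    for feats in (("firewall",), ("ips", "ssl_inspection")):
        have = effective_throughput_mbps(DATASHEET, feats)
        print(feats, "->", have, "Mbps", "OK" if qualifies(DATASHEET, feats, need) else "too slow")
```

With these inputs the appliance passes on its 10 Gbps headline number and fails once IPS and TLS inspection are both enabled, which is the comparison that matters.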

How quickly and effectively can it analyze traffic for threats?

Your firewall serves as the critical inspection point for all network traffic. And in today's application-centric business environment, performance is vital. Unfortunately, few firewalls were designed to meet the digital performance needs of today's small businesses. Getting one fast enough is almost always cost-prohibitive. Performance is determined by the device's central processing unit (CPU) and its alignment with its underlying operating system. Therefore, a key consideration is whether its CPU can support the specialized functions of high-performance security inspection or if it's built around generic processors being asked to do something they weren't designed to do.

Do you want a multivendor solution or one from a single vendor?

Multivendor: A multivendor, best-of-breed strategy is not wrong. But it is more complex. Look for solutions built using common standards and open APIs to reduce the time and effort required to develop and maintain workarounds to help discrete solutions operate more like a system. And if not managed correctly, vendor sprawl can render your entire security environment less effective by fragmenting visibility and control, especially when security devices deployed at different network edges struggle to share threat intelligence. Cybercriminals are experts at finding and exploiting security gaps and areas of weakness. Such gaps are most commonly due to misconfigurations and a lack of interoperability and deep integration between security products.

Single vendor: Solutions provided by a single vendor, especially when supported by a common OS, can significantly reduce deployment time, simplify management, and improve operational efficiency. Centralized orchestration also helps eliminate configuration errors and reduce the potential for human error. But perhaps the most significant advantage is that a deeply integrated system is the only way to implement the automation needed for instant threat detection and remediation. The challenge is that many single-vendor platforms often include sub-par components that diminish the effectiveness of the entire system. Look for vendors who regularly put each security element through rigorous, public testing and that publish specs based on real-world conditions so you can make fair comparisons between solutions.

Non-Negotiables for NGFWs

While most firewalls include nice-to-have features vendors promote to differentiate their solution, you need to focus on the fundamentals. If those don't meet your requirements, none of the bells and whistles are worth your time or money. At a minimum, your firewall must provide:

  1. Decryption: To inspect traffic, a firewall must be able to read it, which means the traffic must first be decrypted. Given the need to maintain a good user experience, decryption, inspection, and re-encryption need to happen as close to real time as possible. Look carefully at this: many firewall vendors do not even publish performance numbers for inspecting encrypted traffic because those numbers are so poor. Ask for the SSL/TLS inspection throughput figure explicitly and confirm it was measured with TLS 1.3 rather than an older protocol version.
  2. Advanced Threat Protection: Because the threat landscape is evolving so rapidly and attackers are moving to smaller targets, your firewall must combine traditional signature matching with AI and machine-learning capabilities to identify both known and previously unseen threats, and protect the organization from known, zero-day, and unknown attacks.
  3. Content Filtering: The most effective way to keep users from being infected by malicious websites and downloading ransomware is to prevent them from going there in the first place. This requires AI/ML-powered web and content filtering. With video becoming a predominant tool for human communication, inspecting video traffic becomes a core pillar of any security policy.
  4. Endpoint Integration: Employees with unpatched applications give attackers a backdoor to install malware. Built-in network access control and endpoint visibility can enforce access policy based on endpoint risk and hygiene assessments, requiring the end user to update and patch their system before being allowed on the network. Once on board, endpoints can share threat intelligence within the ecosystem so that malware seen on one device is blocked for the others.
  5. Sandboxing: Sandboxing opens and "detonates" files and attachments unknown to AV inspection to determine whether they are malicious. The challenge is that most sandbox solutions deliver the file while analysis is still running, leaving IT teams to track it down and remove it if the verdict comes back malicious. Inline sandboxing holds a potentially malicious file until a final verdict is received, so previously unknown threats are blocked proactively.
  6. IoT visibility and control: The future is increasingly connected, and IoT must be factored in. Your firewall should be able to perform automated discovery, real-time segmentation, and policy enforcement for IoT devices. This includes IoT device and OS detection and tracking, vulnerability correlation, and virtual patching.
  7. Remote Access: Providing secure access to remote workers is a fundamental requirement of any firewall. An effective VPN solution needs not only to be fast but also to scale as users move between on-premises and remote work. But VPN is just the start. It does not provide the advanced protections, such as access control and application monitoring, that today's hybrid networks require. Built-in ZTNA extends VPN functionality by checking user identity and device posture on every session before granting access to a specific application or resource. This protects against threats that exploit less-inspected VPN tunnels or newly deployed application protocols to avoid detection. Additional integration with a security client and coordination with cloud-based services further ensures that every user, anywhere, is held to the same access policy.
  8. Secure SD-WAN: Few standalone SD-WAN solutions include security. Look for a firewall that not only natively supports SD-WAN but that can seamlessly apply security to connections. Converging connectivity with security opens up new possibilities for advanced routing and functionality that enables and optimizes user experience without ever compromising on protection.

Your Firewall Must Support a Larger Security Framework

A security framework, where every component is designed to work together as an integrated fabric from the beginning, enhances the sharing of threat intelligence and indicators of compromise to better detect and automatically respond to threats quickly and accurately. The right firewall solution should operate seamlessly within a comprehensive security framework that can span and adapt to your evolving needs.

Choosing the right firewall provides the peace of mind that comes from knowing that your security works now and will continue to protect and sustain your business in the future—even as technologies and business strategies continue to evolve. Additionally, working with a vendor who understands your needs now and tomorrow ensures longevity, prevents unnecessary workarounds, and avoids the rip and replace conversations down the road that can derail a business.

Find out how the Fortinet Security Fabric is the industry’s highest-performing cybersecurity platform, powered by FortiOS, with a rich open ecosystem delivering broad, integrated, and automated protection across an organization’s entire digital attack surface.


Curious to learn more? Check out our Firewall Buyer’s Guide now.