Adsbanger

Saturday, September 19, 2009

Info about Firewall security Markets

Firewalls are crucial for companies with information on-line. However, because the security market is mature and well-established, decision makers need to know more than whether to pick an appliance or software firewall. They need to know how to pick the right firewall based on their companies' needs. This can be a daunting experience, given the thousands of criteria each solution has. To help you navigate through the market, the Information Security Firewalls Market Report looks at four of the leaders in the information security firewall market: Cisco, Check Point, Juniper Networks, and Symantec. Earlier, we evaluated their solutions based on a set of priorities using TEC's decision engine (see Part One). To view all the criteria used and the subsequent results, visit TEC's security evaluation knowledge base at www.securityevaluation.com.

In Part Two, we will continue to explore the firewall market, discuss current market trends, and make user recommendations on how to select an appropriate solution.

This is Part Two of a two-part note.

Part One provided the market overview, technology background, and product analysis.

Current Market Trends

While more and more companies are migrating to appliance firewalls, many appliance firewalls do not offer the flexibility of software firewalls. The advantage of appliance firewalls is that you can install and configure them more quickly, and often they offer performance gains that cannot be matched by software firewalls. However, the disadvantage of appliance firewalls is that they typically cannot respond to new security exploits as quickly as software firewalls. Software firewall vendors can respond to new exploits by releasing new code that organizations can download and install "on the fly". Additionally, updating an appliance firewall is more cumbersome and for that reason, appliance firewall vendors do not typically release updates as often.

While firewall and virtual private network (VPN) products were originally separate and distinct, the two product types have converged, and now most firewalls offer built-in VPN capabilities. Similarly, VPN products today come bundled with built-in firewalls. Check Point has in fact dropped the well-established Firewall-1 branding and now sells its firewall and VPN together in one package known as VPN-1. This could be confusing to prospective buyers who are looking for a firewall, and who may end up thinking that VPN-1 only offers VPN capabilities.

While traditionally most VPN products were either based on Internet protocol security (IPSec) or secure sockets layer (SSL), more and more vendors are starting to offer both. IPSec is a collection of standards and works at the network layer. SSL works at the application layer. IPSec traffic can be routed, and SSL traffic cannot.

More vendors are starting to offer deep packet inspection (DPI). DPI is an exciting new technology that could cut into the intrusion detection and prevention market. Some IT decision makers may opt to purchase a DPI firewall in lieu of a stateful packet inspection (SPI) firewall and an additional intrusion detection system. Intrusion detection vendors should rightly be worried about losing market share and start innovating other technologies to remain competitive.

Recommendations to Enterprise Firewall Customers

There is significant value to be gained from one-stop-shopping. You can leverage better pricing and decrease administrative complexities. For these reasons, organizations that already have a significant investment in any of these vendors' products, and are, for the most part, satisfied with the products and service, should consider sticking with their trusted vendor. Switching vendors and products is extremely expensive, and there should be lengthy requirements and justification for an IT decision maker to recommend switching a significant number of firewalls from one vendor to another.

In many large enterprises, firewalls made by different vendors exist as part of the same architecture plan using a screened-subnet model. If you use two different vendors to set up a perimeter choke point, it is possible that an exploit gets through the second firewall if it has gotten through the first.

Check Point, Cisco, Juniper, and Symantec are all reputable vendors with good products. However, for networks that are laden with performance bottlenecks, Juniper or Cisco firewalls may be a better choice. Symantec makes an all-around solid firewall based on the firewall code from its acquisition of AXENT.

Probably the biggest mistake IT decision makers make when purchasing firewalls is buying firewalls with features that they have no need for. Relevant Technologies recommends keeping your firewall requirements basic, and buying only those features you plan on using. For this reason, we recommend doing a full-scale product evaluation that takes into consideration how you prioritize the particular features offered on the market. While one type of firewall may be best for one organization, it may not necessarily be best for another organization because each organization has its own unique requirements. For example, if your organization does not use SSL VPNs, you don't necessarily need to purchase a firewall with SSL options.

Large enterprises that are prone to network performance problems may want to take a close look at both Juniper and Cisco firewalls, which are optimized for performance. Organizations that have had past security incidents related to application exploits may want to consider a DPI firewall. If your organization does not have a senior firewall engineer with a strong understanding of how firewalls work, you are probably better off using appliance firewalls. Savvy firewall engineers who are well-versed in security may prefer software firewalls due to their robust customizability.
