Top 10 Firewall Shopping Checklist


Transcript of Top 10 Firewall Shopping Checklist


1 Fast and Furious – Performance

As with sports cars, performance is a top buying criterion for firewalls. If the firewall can't keep up with the traffic (real traffic, not lab traffic), your apps will be unhappy, and your users even more so. As when test driving a performance vehicle, performance is not a single measure; it is a combination of factors:

Total throughput: How much traffic can you push through the firewall, and what percentage of it is encrypted? (Oh yes, that can slow you down, sports fan!) Decrypting and inspecting TLS traffic costs far more per byte than forwarding it, so a throughput figure measured on clear-text traffic with no security services enabled will overstate what you get in production. Ask for numbers with the services you intend to run switched on.

Port speed: Start thinking 100GbE ports. You can buy this technology today, and it'll be worth every penny. It's like buying shoes for your kids a size bigger than they need: a month later, when their feet have grown a full inch, you are not sorry. Be prepared.

Connections per second (CPS) and the number of concurrent sessions are part of the mix. Size both for your peak, not your average, so that the connection rate, rather than raw throughput, doesn't become the thing that holds your network back.

2 Unstoppable – Availability

Availability is not for the faint of heart. If you falter for even a minute, you could lose a lot: revenue from your web site, reputation for your service levels, and, in particular, your job if your SVP personally experiences an outage.

Availability is conveniently measured by our friends, the "nines." Five nines (99.999 percent) equates to roughly 5.26 minutes of unplanned downtime per year. That may not sound like a lot of downtime, but for organizations that count their page views or shopping cart completions in increments of seconds, things could turn ugly very quickly.

For best availability, look for six nines for your firewall protection (roughly 31.5 seconds of downtime per year) to minimize the window in which you are unprotected.

Oh yes, don't forget that a little high availability can go a long way. Cluster multiple firewalls together, so that if one goes down, another takes over; and make sure the cluster synchronizes session state between members, so that established connections survive the failover instead of being dropped and re-established. Be unstoppable!

3 Up and Out — Scalability

Both scaling up and scaling out are important to think about, if you want to stay in business.

But up and out are two different things. If scaling up is in the cards, shop for a firewall that lets you add a card (a processing or I/O module) while the system is up and running, boosting performance without suffering downtime. If you need a major software upgrade, look for in-service software upgrade support, so that it can be done without interruption.

When scaling out, virtual firewalls might be the way to go. They can be spun up in minutes (not hours, days, or weeks), and when you no longer need them, press a button and POOF, they are gone. Just one thing: make sure your virtual firewalls can be managed, and their policies kept aligned, consistently with your physical firewalls; otherwise you end up with two policy sets that drift apart.

4 Look Closer – Next Generation Security Services

How much can you see? Depending on where your firewall is deployed, you must think about the right depth of inspection at the right place for the right reason.

Look for the ability to add security services to a firewall where it makes sense, with enough choice that you can see as much as you need. Services should give you awareness of applications, users, and content.

Application awareness lets the firewall block, allow, or apply deeper packet inspection to any application running on your network, identified by what the traffic is rather than by port number alone. Ensure you can write your own custom application signatures, in case you run homegrown apps now or in the future. Lastly, ensure that you can cap the bandwidth each application may use. Video can be useful, but can consume too much bandwidth if left unchecked.

User awareness should integrate with Active Directory, so that you can build and manage policy based on users or groups rather than by IP address. This simplifies life, and a rule keyed to a group keeps working when a user moves desks or gets a new DHCP lease.

Look for your firewall to do content security: filtering for viruses, spam, and web threats at the network level. Don't leave content security solely to the endpoints, which may not get threat updates as frequently.

5 Red or Blue Pill – Choice in Deployment Options

Because choice of form factor matters. In some cases, you need the more powerful red pill, with all the might of a carrier-class ASIC-based firewall. In other cases you need the blue pill, a next-generation firewall with unified threat management (UTM), or perhaps 5,000 of them for your worldwide branch office deployment.

Or you might even consider a virtual pill, since virtual security is coming on strong—for the data center, the cloud, and for branch deployments.

Choose a vendor that can right-size your firewall for every deployment based on the specific situation. Can it be chassis, appliance, or virtual? Can the vendor support the enterprise edge as well as the data center?

6 Keep Calm and Manage Centrally – Centralized Management

If you only need one firewall, consider yourself lucky. Most enterprise organizations need a bunch: some for the data center, some for the office environments, some for those pesky branch offices thousands of miles away.

That's why we say "keep calm and manage centrally." It's the only way to keep your sanity, and frankly a single point of administrative control makes everything much more efficient. Keep in mind that you will want several levels of access, depending on who the administrators are, so be sure to get role-based access control (for example, a help-desk role that can view policy but not change it).

Look for policy control that’s consistent across physical and virtual devices, across data centers, office environments, and the cloud.

7 Spy vs. Spy – Up-to-the-Second Threat Intelligence

PSSST. I have some intel. You can gain an information advantage over the bad guys through threat intelligence services covering command and control (C&C) servers, GeoIP-based information, known bad actors (like the bad spies), and much more.

But we know that the black hats are super smart. They know how to spoof IPs, anonymize behind Tor, and generally run circles around technology, so an indicator that is accurate today may be stale tomorrow. This is why up-to-date threat intelligence is so important.

Make sure you have a firewall solution that can consume and act on real-time threat intel. Start by using a variety of threat data sources to ensure the intelligence is current and actionable. Feeds should be delivered to a central management point as soon as they are published, and then distributed from there to your enforcement points. Create policies that decide what to do with each class of intelligence entry: for example, block all C&C IP addresses, or deep-packet inspect all traffic whose GeoIP lookup places it in a questionable country.

8 Open for Business – Open Data Feed Model

Even though it may seem counterintuitive to rely on more than one source, an open threat intelligence platform that accepts threat feeds and services from multiple vendors can strengthen your enforcement points and shut down threats and attacks faster.

Threat intelligence feeds keep a business up to date on the latest threats and security information, and the business then turns that information into policy to secure the network. For example, if a new command and control server (the place where cybercriminals love to lurk) is discovered, its address can be pushed to the firewalls, which are immediately instructed to block traffic to and from it.

These threat feeds can come from multiple sources. Don't be locked into one security vendor's sources; they may not have the best intelligence for your business, and you may have some of your own. When shopping for a firewall, make sure it supports open feeds, so that you can accept whatever information makes most sense to your business, including your own custom feeds.

9 Boldly Go – High Capacity

Capacity is a subset of performance, but it's not the same thing, and it relates to better security as well. Capacity here refers to the number of intelligence entries a given firewall can hold and act upon. For instance, there can be nearly half a million command and control entries alone (IPs and URLs where cybercriminals sit while extracting data from compromised systems in your network). But that's not all. There are GeoIP lists, as well as custom IPs and URLs that you add yourself. You could end up with a million entries for a firewall to check on every new session. If the firewall cannot hold that volume, entries get dropped or truncated, and you miss some very important security information simply because the firewall does not have the capacity.

Look for high-capacity firewalls that can handle big intelligence, and check the vendor's stated entry limits against the size of the feeds you actually plan to load.
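To make the three threat-intelligence points (consume feeds from several sources, turn categories into policy actions, and hold a large entry count without slowing lookups) concrete, here is an added Python example. It is not Juniper's code and not part of the original checklist; the feed line format, the source names, the country codes and every address in it are constructed for illustration. It normalizes a vendor C&C feed, an in-house list and a GeoIP feed into one table, buckets entries by prefix length so a lookup costs one hash probe per distinct prefix length rather than a scan of every entry, and applies a policy where the most restrictive matching action wins:

```python
"""Threat-intel ingest and enforcement model (added example; feed format is hypothetical)."""
import ipaddress
from collections import defaultdict

# Constructed sample feeds. The line format "<category>,<ip-or-cidr>[,<attribute>]"
# is hypothetical, standing in for whatever a vendor or in-house feed delivers.
VENDOR_CC_FEED = """\
# vendor C&C feed (constructed)
cc,198.51.100.23
cc,203.0.113.0/24
"""
CUSTOM_FEED = """\
# in-house block list (constructed)
custom-block,192.0.2.77
"""
GEOIP_FEED = """\
# GeoIP feed (constructed): prefix -> country code
geoip,198.51.100.0/24,XA
geoip,203.0.113.0/24,XB
geoip,192.0.2.0/24,XB
"""

# Policy layered on top of the intel: category (plus attribute) -> action.
POLICY = {
    "cc": "block",            # block every C&C address
    "custom-block": "block",  # block our own list too
    "geoip:XA": "inspect",    # deep-packet inspect traffic placed in country XA
}
DEFAULT_ACTION = "allow"
SEVERITY = {"allow": 0, "inspect": 1, "block": 2}


class IntelTable:
    """IPv4 intel entries bucketed by prefix length.

    A lookup probes one dict per distinct prefix length present (at most 33),
    so its cost is independent of the number of entries; that is what lets a
    table of a million entries be consulted on every new session.
    """

    def __init__(self):
        # prefix_len -> {network_int: [(category, attribute, source), ...]}
        self._buckets = defaultdict(lambda: defaultdict(list))
        self.size = 0

    def insert_int(self, prefix_len, network_int, category, attribute, source):
        self._buckets[prefix_len][network_int].append((category, attribute, source))
        self.size += 1

    def add(self, cidr, category, attribute, source):
        net = ipaddress.ip_network(cidr, strict=False)  # a bare IP becomes a /32
        self.insert_int(net.prefixlen, int(net.network_address), category, attribute, source)

    def load_feed(self, text, source):
        """Normalize one feed into the shared table, tagging each entry with its source."""
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(",")
            attribute = parts[2] if len(parts) > 2 else None
            self.add(parts[1], parts[0], attribute, source)

    def probes_per_lookup(self):
        return len(self._buckets)

    def lookup(self, ip):
        """Return every (category, attribute, source) entry whose prefix covers ip."""
        addr = int(ipaddress.ip_address(ip))
        hits = []
        for prefix_len, bucket in self._buckets.items():
            mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
            hits.extend(bucket.get(addr & mask, ()))
        return hits


def build_table():
    table = IntelTable()
    table.load_feed(VENDOR_CC_FEED, "vendor")
    table.load_feed(CUSTOM_FEED, "in-house")
    table.load_feed(GEOIP_FEED, "geoip")
    return table


def decide(table, ip):
    """Apply POLICY to the matched entries; the most restrictive action wins."""
    action, reason = DEFAULT_ACTION, None
    for category, attribute, source in table.lookup(ip):
        key = f"{category}:{attribute}" if attribute else category
        candidate = POLICY.get(key, DEFAULT_ACTION)
        if SEVERITY[candidate] > SEVERITY[action]:
            action, reason = candidate, f"{key} via {source}"
    return action, reason


def fill_synthetic(table, count):
    """Add `count` constructed /32 C&C entries under 10.0.0.0/8 to show that
    lookup cost tracks the number of prefix lengths, not the number of entries."""
    base = int(ipaddress.ip_address("10.0.0.0"))
    for i in range(count):
        table.insert_int(32, base + i, "cc", None, "synthetic")


if __name__ == "__main__":
    t = build_table()
    for ip in ("198.51.100.23", "198.51.100.7", "203.0.113.9", "192.0.2.77", "192.0.2.1"):
        print(ip, decide(t, ip))
    fill_synthetic(t, 100_000)
    print(t.size, "entries,", t.probes_per_lookup(), "probes per lookup")
```

Two things to notice when running it: 198.51.100.23 is both a C&C address and inside the "inspect" country, and block wins because the policy is evaluated across every source that matched, not just the first; and after a hundred thousand synthetic entries are loaded the number of probes per lookup is still two, because the table only grew in one prefix length. A real appliance does this in hardware or with a radix tree, but the capacity question is the same: entries that do not fit are entries that never match.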

10 Right This Way – Does it Route?

Secure routers are all the rage. Integrating firewall capability with a router is another use case that fits many customers' architectures. An enterprise that wants to own and manage a device residing in a branch office can get wide-area network (WAN) connectivity, secure tunnels to headquarters, and protection for local users from a single box. Many companies want to manage these secure routers remotely as well.

This consolidated approach makes a lot of sense, since traffic must go through a router to get to its destination.

Make sure that your firewall can route, just in case you need it someday.

11 Turn it up to 11 – Choose a security vendor that pumps up the volume

Juniper SRX Series Services Gateways turn up the volume to 11 by meeting all of the requirements in this firewall shopping list:

1. Performance
2. Availability
3. Scalability
4. NGFW services
5. Choice of deployment options
6. Centralized management
7. Up-to-the-second threat intelligence
8. Open data feed model
9. High capacity
10. Support for secure routing

For more information: www.juniper.net/security
