In this article, I would like to discuss the question: “How do you choose an NGFW solution from the variety of products, solutions and vendors on offer?” To that end, we will go through a few considerations on this issue and form a checklist that is worth running through before choosing a solution.
Consideration number 1. Everyone deliberately holds something back
For the past few years I have been working very closely on the topic of NGFW, and the most frequent request from clients choosing a network protection solution is a comparison, along with questions about the differences between the leaders of the various Gartner quadrants, NSS Labs reports and so on. This could be a simple task. But, as one hero of a famous series said ...

Unfortunately, there is not a single vendor whose marketing brochures and datasheets contain fully reliable information. Each of them either holds something back or uses obviously useless characteristics obtained with the help of artificial tests. They have millions of tricks. In most cases, only personal experience and a great (huge) amount of practice with all the solutions on the market can help you select, in detail, the solution for a specific task within the budget that you have.
Without that experience, you are doomed to endlessly browse comparisons like this one:

In general, it is obvious that this will in no way bring you closer to weighted, objective and reasoned selection criteria for protection.
Consideration number 2. Everyone is the smith of their own happiness (or misfortune)
The problem of choice arises primarily from the lack of source data. If someone expects to see below a comparison of all vendors by a trillion criteria, you can safely skip this article. I do not set myself such a task, and I consider it more harmful than useful. Firstly, everyone has different tasks; secondly, the market situation is changing rapidly: today someone lacks a current certificate from this or that supervisory authority, or some feature, and tomorrow, bang, everything appears. The value of such a comparison gets multiplied by zero. But this does not mean that there should be no such comparisons. In my opinion, everyone can create their own matrix of criteria, deciding for themselves and their organization what is critical, important and desirable when choosing an NGFW solution, and then put "+" and "-" marks in that personal matrix. That way you get the most effective comparison, one that matches exactly your problem. Helping you build such an objective matrix, and drawing your attention to the places where the respected leaders lie a lot and leave a lot unsaid, is the goal I set for this article.
Consideration number 3. Comparison criteria
Let's move on to the criteria. Determine which ones are important to you and which ones can be discarded as irrelevant. For each criterion, I will try to give explanations and warnings from personal experience.
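As an added example (not from the original article), here is the personal criteria matrix the author suggests, written out as a small script: a "-" on a critical criterion eliminates a vendor outright, while "+" marks on important and desirable criteria add weighted points. The criterion names follow this article's checklist; the priorities, weights and vendor marks are constructed assumptions for one hypothetical organization.

```python
"""Added example, not part of the original article: a personal NGFW criteria
matrix of the kind the article recommends. Criterion names follow the article's
checklist; the priorities ("critical", "important", "desirable"), the weights
and the vendor marks below are constructed assumptions for one organisation.
"""
from dataclasses import dataclass

# Points for a "+" on a non-critical criterion; a "-" on a critical criterion
# eliminates the vendor regardless of its score (assumed weighting).
WEIGHTS = {"important": 3, "desirable": 1}


@dataclass(frozen=True)
class Criterion:
    name: str
    priority: str  # "critical" | "important" | "desirable"


CRITERIA = [
    Criterion("FSTEC certificate for the current software version", "critical"),
    Criterion("Import notification for the chosen models", "critical"),
    Criterion("Local support with 10 or more engineers", "important"),
    Criterion("HTTPS inspection with granular social-network control", "important"),
    Criterion("Pilot throughput matches real traffic, all features on", "important"),
    Criterion("Integrated DLP module", "desirable"),
    Criterion("GOST VPN", "desirable"),
]


def score_vendor(marks: dict) -> tuple:
    """Return (eligible, points, failed_critical) for one vendor's "+"/"-" marks.

    A criterion the vendor did not confirm is treated as "-": the article's
    point is that anything left unsaid should count against a vendor.
    """
    points = 0
    failed = []
    for crit in CRITERIA:
        mark = marks.get(crit.name, "-")
        if mark not in ("+", "-"):
            raise ValueError(f"mark for {crit.name!r} must be '+' or '-'")
        if crit.priority == "critical":
            if mark == "-":
                failed.append(crit.name)
        elif mark == "+":
            points += WEIGHTS[crit.priority]
    return (not failed, points, failed)


def rank_vendors(matrix: dict) -> list:
    """Rank vendors: eligible ones first by points, then the eliminated ones.

    Each entry is (vendor, eligible, points, failed_critical).
    """
    rows = [(name, *score_vendor(marks)) for name, marks in matrix.items()]
    return sorted(rows, key=lambda r: (not r[1], -r[2], r[0]))


# Constructed sample matrix: three hypothetical vendors.
SAMPLE_MATRIX = {
    "Vendor A": {c.name: "+" for c in CRITERIA if c.name != "GOST VPN"},
    "Vendor B": {c.name: "+" for c in CRITERIA
                 if c.name != "FSTEC certificate for the current software version"},
    "Vendor C": {
        "FSTEC certificate for the current software version": "+",
        "Import notification for the chosen models": "+",
        "HTTPS inspection with granular social-network control": "+",
        "Integrated DLP module": "+",
    },
}

if __name__ == "__main__":
    for vendor, ok, pts, failed in rank_vendors(SAMPLE_MATRIX):
        status = "eligible" if ok else "eliminated on: " + ", ".join(failed)
        print(f"{vendor}: {pts} points, {status}")
```

Note that Vendor B scores the most points yet lands last, which is exactly the effect a critical criterion should have.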
1. Certification in the Russian Federation
This is an excellent watershed when choosing NGFW solutions. There are companies that, as a matter of principle, do not even admit solutions without an FSTEC certificate to the comparison. But there are a lot of nuances here. First, you can immediately divide the manufacturers into:
- “Ours”: domestic producers generally have certificates, and this is often their only forte;
- “American”: it is harder for them to get certificates; often the certificate is for an old software version that may already be end of support, or that still has old bugs, and updating or patching a leaky solution can be a problem;
- “Israeli”: a lucky coincidence, you cannot call it anything else. Thanks to functional superiority over domestic developments and the absence of political contradictions, they receive certificates for current versions, and rather quickly (“of course, everything is relative”).
Secondly, what else should you pay attention to:
- Does the solution have FSTEC and FSB certificates?
- Which software version and hardware models are certified? How relevant are that version and model today? Are they supported? Do they have security flaws that were closed in newer versions?
- Certification class? Let me remind you that from December 1, 2016, FSTEC changed everything.
- What exactly is certified: firewall / IPS / IDS / VPN?
- Current certificates, their expiration dates and renewal prospects?
It happens that the vendor declares the presence of certificates, but the version is old and technical support for it has ended or is about to. Some vendors extend support for certified versions on the territory of the Russian Federation. You can only find this out from experienced partners or honest vendors, by asking the right question.
2. What is the licensing scheme for the solution as a whole?
It's simple. Some sell a piece of iron: load it with traffic, and however much it withstands, that is how much it withstands. There are solutions priced per user plus features. Count and choose. As for the first option, the sale of a piece of iron (or a virtual machine), do not believe the datasheets. Only real testing will show the actual load and performance. You all have different traffic, tasks and networks. All possible tests for everyone cannot be done in advance. Only a pilot project will give an honest result.
3. Notification and import
This is an underwater rock that you yourself will be the last to guess about. Virtually all NGFW solutions contain cryptography. Carrying such a device across the border in a suitcase is dangerous from a criminal law point of view. So for each model you need to obtain an import notification. This is usually done by the vendor itself. The right guys do it quickly and almost immediately, as soon as new models appear. But not everyone does this; there are players on the NGFW market who have not received the notification for years, so it is impossible to import and sell their devices. But this is largely not about them. Just remember that if a new model appeared on the site, you really need at least a month or two to receive the documents for import. Keep this in mind when, at the end of the year, the budget urgently needs to be “spent”.
Questions for comparison:
- Is it possible to import into the Russian Federation? Are there notifications for these models?
- Is there a possibility of "gray" deliveries and how to check? I recommend not getting involved with "gray" schemes.
4. Technical support
You will remember about it only after having spent the money, and sometimes you can be very disappointed. Sometimes so much so that you have to spend another budget to change the solution. Again, the pilot project helps to put everything in its place. As part of testing, you can assess the competencies and qualifications of the integrating partner, and often the work of the vendor's own support. Recommendation: if the vendor does not have support in the Russian Federation (or has fewer than 10 engineers), you will be solving your problems alone, and that is guaranteed. Decide for yourself how critical this is for you. Some vendors allow partners to provide the first line of support; specify before the purchase who will help you with trouble in the operation of the solution, and under what conditions.
Additional questions:
- Who provides support and under what conditions?
- What are the terms and cost of extending technical support?
- What is included in technical support?
- Does the vendor have Russian-speaking local support, and how many engineers?
- How are technical support and replacement handled in case of hardware failure?
- Has the company been sold or bought by someone in the past 2 years? How many times? Often, after such perturbations, even extending support for existing equipment turns into a problem.
5. Country of origin
As with the first criterion, certification, for many this is an important criterion in the context of sanctions. The lists of companies under sanctions are growing, and no one can reliably say who will be on them in a year. Again, this is not all.
Additional questions:
- What is the vendor's attitude to the sanctions?
- Are there customers on the sanctions list, and what is their relationship with the vendor?
6. Are there additional licenses and hidden fees?
Ask, and listen carefully to who says what.
7. Market share and company history
This may be important if you are strategically choosing a partner to protect your company and do not intend to change the solution in a year. Plus, NGFW is a fairly competitive market; some of the famous players have already left it, although they started very cheerfully. And the history of a company can tell a lot about its successes, stages of development and focus of work. There are players sharpened purely for the topic of security, and there are those who make NGFW gateways as one product among many, though they are fewer.
- How many years on the market?
- Industry achievements (Gartner / NSS Labs), awards and prizes?
- Product portfolio. What else does the company do?
- What is the focus of the company and the breadth of its development?
8. URL filtering and categorization of Internet traffic
Here we come to more or less technical criteria. Categorization of the Internet works differently for everyone. What is important to pay attention to? I will give an example. If you just want to block social networks, the simplest solution is enough for you: the main sites get blocked and that is that. But sometimes you may have more difficult tasks: let the HR department chat in social networks, let the PR department post updates and pictures, and close off watching videos and listening to music in social networks for everyone. Here, many vendors will throw up their hands, and only a few will remain who break traffic down in enough detail to implement such a scheme of work.
- Own database or a subscription to a third-party database?
- What is the licensing scheme (by users or not)?
- Number of categories and detail of coverage of the Runet. How many categories?
- Does the solution have HTTPS traffic inspection technology, and how is it implemented?
Almost all solutions have HTTPS traffic analysis with certificate substitution; if not, this is no longer an NGFW solution. But there are plenty of subtleties in how it works, and plenty of gateway performance problems when analyzing HTTPS traffic. One piece of advice from me: only a pilot project will show you everything and clearly explain what I am talking about now.
9. Proxy
Many NGFW gateways can function as a proxy server. If you decide to use this option, answer the following questions for yourself:
- Does it cache or not? Do you want it to?
- Is explicit / transparent mode supported?
- Does the X-Forwarded-For header work?
- Is the reverse proxy functionality supported?
- Are bandwidth limits applied?
- Are limits on the volume of downloaded traffic applied?
- Is there policy integration across users and AD groups?
- Is there a drop in performance in this mode of operation of the gateway?
10. Protection against malicious traffic (antivirus)
- Does it use its own databases or partners' databases?
- What is the antivirus licensing scheme?
- Do you need to buy any licenses from third-party manufacturers?
- What is the performance of the system with anti-virus protection enabled?
11. Integration with MS AD and other services
The days of IP-based policies are long gone. All self-respecting solutions are able to make friends with MS AD and apply traffic policies to users and groups. But everyone integrates differently. Some ask you to put an agent on the domain controllers, some do without agents. Some want an agent on the desktop, some ask the user to enter the login and password in the browser, some do a little of everything in different configurations. Tip: pilot it and work through your cases in the field. There are no universal solutions. Every NGFW solution has its own problems and workarounds.
- What is the scheme of work (agents, access rights to AD)?
- Which services are integrated: AD / RADIUS / TACACS+ and others? Maybe you have more than just AD.
- What integration methods are used, and how are they implemented? (agents / access rights, domain controllers, web portal / terminal servers)
12. IPS / IDS
This is my favorite. How many cases there are: they bought an IPS, installed it, set three checkboxes and live with a full sense of safety and security. Nonsense, nonsense, it is no good. IPS requires careful, thoughtful configuration and updates every day, and even more often. The first criterion when choosing is the convenience of the interface. Ask to be shown the configuration interface. You will have to deal with hundreds and thousands of signatures; if you do not understand them, there will be no sense from the IPS. If it is difficult for you to track new signatures and it is unclear what they protect from, then the effectiveness of such protection will be minimal. You MUST deal with the signatures and their configuration, of course, unless you want to pick through hundreds of logs when the IPS blocked an attack on Apache flying towards your IIS server. And this is ongoing work. Nobody except you knows your infrastructure better. About DETECT I will only say that it should be the minimum amount. First, it will save gateway resources, and second, it will keep your network safer. Threshing traffic through all the signatures, writing a log entry about the detection, and as a result letting the attack through to the server is the stupidest possible implementation scenario. Be smarter and regularly check the perimeter security.
- What is the volume of the signature database?
- What is the frequency of updates? The update rate and the vendor's response to information security incidents. There are examples where a vendor takes months and years to write signatures for the most critical vulnerabilities ...
- Ease of administration. How are IPS filtering rules configured?
- Visibility of detections and blocks. Is there a notification system and reporting?
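The IPS point above, that signatures must be matched to your own infrastructure and that the detect-only set should be as small as possible, as an added example that is not part of the original article: a script that reconciles a signature feed with an asset inventory and audits the current "three checkboxes" configuration against the result. The signatures, hosts, severity tags and current configuration are all constructed sample data, not any vendor's real feed or format.

```python
"""Added example, not part of the original article: reconciling an IPS
signature feed with your own asset inventory, as the article's IPS criterion
recommends. The signatures, hosts and current configuration below are
constructed sample data, not any vendor's real feed or format.
"""
from collections import Counter

UNKNOWN = "unknown"  # software tag for hosts not yet audited (assumed convention)

# Constructed feed: signature id -> (description, affected software, severity)
SIGNATURES = {
    "SIG-1001": ("Apache path traversal", {"apache"}, "critical"),
    "SIG-1002": ("IIS WebDAV request overflow", {"iis"}, "critical"),
    "SIG-1003": ("SQL injection pattern in URI", {"apache", "iis", "nginx"}, "medium"),
    "SIG-1004": ("Tomcat manager default credentials", {"tomcat"}, "high"),
    "SIG-1005": ("Exchange OWA request anomaly", {"exchange"}, "high"),
}

# Constructed inventory of protected hosts: host -> software it runs.
INVENTORY = {
    "web-01": {"iis"},
    "web-02": {"iis"},
    "legacy-03": {UNKNOWN},
    "mail-01": {"exchange"},
}

# Constructed snapshot of how the IPS is configured today ("three checkboxes").
CURRENT_CONFIG = {
    "SIG-1001": "detect",
    "SIG-1002": "detect",
    "SIG-1003": "prevent",
    "SIG-1004": "prevent",
    "SIG-1005": "disable",
}


def plan_signature_actions(signatures, inventory):
    """Decide prevent / detect / disable for each signature.

    prevent: the signature covers software you actually run;
    detect:  it covers nothing known, but is critical and some hosts are
             still unaudited, so keep it detect-only until the audit is done;
    disable: it protects nothing you run (e.g. Apache rules in front of IIS).
    This keeps the detect-only set as small as the article asks.
    """
    known = set().union(*inventory.values()) - {UNKNOWN}
    has_unaudited = any(UNKNOWN in sw for sw in inventory.values())
    plan = {}
    for sid, (_desc, affected, severity) in signatures.items():
        if affected & known:
            plan[sid] = "prevent"
        elif severity == "critical" and has_unaudited:
            plan[sid] = "detect"
        else:
            plan[sid] = "disable"
    return plan


def audit_config(current, plan):
    """Return {signature: (current_action, planned_action)} where they differ.

    A signature missing from the current configuration counts as disabled.
    """
    return {sid: (current.get(sid, "disable"), action)
            for sid, action in plan.items()
            if current.get(sid, "disable") != action}


if __name__ == "__main__":
    plan = plan_signature_actions(SIGNATURES, INVENTORY)
    print("planned actions:", dict(Counter(plan.values())))
    for sid, (now, wanted) in audit_config(CURRENT_CONFIG, plan).items():
        print(f"{sid} ({SIGNATURES[sid][0]}): {now} -> {wanted}")
```

On the sample data the audit shows the IIS overflow signature sitting in detect-only in front of two IIS servers, which is the "log it and let it through" scenario the article warns about.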
13. Detecting and filtering applications
Application control is the thing that almost all respected NGFW players have. The question is rather how many applications you personally need; that is one. Two: how well the gateway detects these applications and how quickly it blocks them. Are there workarounds? Viruses and bots can pretend to be Skype, for example. How does the proposed solution handle this scenario? Again, the best comparison is a pilot project. You will either immediately feel the whole story, or you will not; everything depends on the solution.
- What is the number of applications in the database? How fast does the database grow?
- How detailed is the coverage of the Runet?
- What is the licensing scheme of the web filter and application control?
- Can downloads be blocked by file type? What formats are supported and recognized?
- Own database or partner subscription?
14. Blocking botnet traffic
To be honest, more and more viruses are turning into bots. For a long time now we have not seen a report after a network audit in which no bot activity was registered. This means there are a lot of already infected PCs on the network, and nobody knows about it. These are ransomware, and surveillance software, and banking trojans, and a whole lot more ... What does this mean? Sadness in the eyes of administrators and information security engineers, management and business owners. How to fight, and what to do so as not to become sad? Detect and block bot traffic on the network at all levels and immediately disinfect infected machines. Run the pilot and check all of the above.
- What methods of detecting and blocking bot-infected machines are used?
- What is the bot protection licensing scheme?
- What is the performance when inspection of bot traffic is turned on?
15. Leak detection (DLP)
Some NGFW solutions offer this functionality. It is useful, although DLP in an NGFW often lags behind a full-fledged solution in terms of functionality and capabilities. But as an additional system or module integrated with the main DLP solution it can be very useful. The idea is simple: if you already have DLP, specify whether the NGFW can integrate with your DLP system; if you have no DLP, then it is better to take an NGFW with DLP functionality, it will be useful.
- Which protocols does it analyze?
- What methods of detecting sensitive data are used?
- How does the system detect encrypted data?
16. Remote access (VPN / SSL)
Ask yourself and the vendor questions about the options for connecting remote users. What technologies are there, what implementation scenarios, what nuances in operation? Ask for a demonstration and look at all this through the eyes of the user: will the chosen solution be convenient to use? Better yet, bring a focus group into the testing at the pilot project stage.
- SSL VPN
- GOST SSL VPN
- IPSec VPN
- Support for 2-factor authentication (SMS, certificate, token)
17. Mobile device support
If you want to provide access to mobile employees, decide which devices they will connect from. Not every operating system may be on the supported list, and not every device may have a client application.
18. GOST VPN
If you need GOST VPN, most likely you will buy a Russian solution, but there are import suppliers with certified GOST VPN. The main problem with GOST encryption is performance. There are also problems with centralized management, reporting and troubleshooting of such solutions. Key generation at least once every 6 months, and a lot more besides. Only the pilot will show all the beauty and versatility of this task. Test it. And ask for at least one cluster in the center and two remote devices for branch offices in the test. Point-to-point you will assemble in 5 minutes, no doubt. But a more complex scheme will be harder to show off nicely. For some manufacturers, you can purchase additional certificates and OS images and turn a solution bought many years ago into a certified one. Often this is convenient.
- Ease of administration. Centralized or distributed?
- GOST encryption performance? What is the maximum bandwidth of a GOST VPN link?
- Cost of the certified software version? How is it acquired?
- What are the possible implementation and procurement scenarios?
19. Spam protection and SMTP traffic checking
Mail is number 1 among the channels of infection and malware delivery. But nobody can turn it off altogether, so you need to defend yourself and deal with what flies at us through the mail server. Here only testing will show you an objective picture. Many NGFW vendors put mail protection in a separate product; some combine everything on one device. The functionality also differs. So only a test will give you the complete picture.
- What spam checking mechanisms are used?
- Own database or integration with partners?
- Is there an SMTP relay / MTA feature?
- Are attachments and archives checked?
20. Sandbox: blocking 0-day attacks
Almost all modern NGFW solutions have acquired sandboxes. Some bought them, some developed their own. In fact, this is where the most interesting struggle takes place. I will not go into details: test, and test again. Explaining CPU-level detection of ROP on your fingers will be difficult, and for many it is not even necessary. So take a gateway with a sandbox from different manufacturers and test; comparing the results, you will quickly understand everything yourself, without clever words and marketing names of technologies. Remember, hackers are smart guys, and they figured out sandboxes long ago ...
- Is the cloud used as a service?
- Is it possible to use hardware modules?
- What methods of emulation and detection are used?
- How does it protect against sandbox detection and evasion?
21. Cluster / failover
Again, it is better to test it. Every self-respecting manufacturer has a cluster. But everyone's implementation is different, and everyone can have their own quirks. Make sure you do not hit a snag. As a bonus, some vendors give a good discount on the cluster right away.
- What are the cluster modes? (Active / Standby and / or Active / Passive and / or Active / Active)
- Failover mode. What will happen to the traffic?
- How do you change the cluster mode in operation?
- Is VRRP supported?
22. Support for dynamic routing
The last purely technical criterion. Look at your infrastructure and assess all the features of the routing implementation inside the perimeter. Try to understand what you need from the NGFW gateway, but do not turn it into a core router. Protecting traffic and routing are different tasks, and it is better not to mix them.
- BGP
- OSPF
- RIP
- IS-IS
- IPv6 support
23. What technologies are used for VPN, NAT, dynamic routing, ISP redundancy?
This concerns architectural features, the transparency of how the technologies work, and their troubleshooting. Separately, you need to clarify the policy logic and how rules are processed for traffic. Sometimes amazing things show up here.
24. Centralized management
Without this, you get nowhere. Remember, you are choosing a solution you will live and work with every day. If it is inconvenient, incomprehensible, slow and poorly supported, you will curse the day you chose it. There is not even any talk of security in that case. The solution should be clear, with good logs for troubleshooting, with centralized management of all gateways and a good reporting system.
- Are there restrictions on the number of gateways, and what are they?
- What is the procedure for adding new gateways to the control center?
- Is there a distributed management model?
- Is a multi-domain management model supported?
- What is the management interface?
25. Availability of a reporting and logging system
If you do not read the logs of your security systems, it means they do not work. Security is a process; it requires attention and the reaction of people on the ground. If the logs are inconvenient to read, there are no correlations, there is no mail notification system, this is a bad system. There will be little sense from it. And this is the weak side of all NGFW vendors. The situation differs for everyone: for some better, for some worse, for some there is no reporting at all. But even those considered leaders in this aspect have gaps, and not all reports can be built easily and without coercion.
- Own system or third-party products?
- Integration with SIEM. What and how?
- If an external (third-party) reporting system is used, how much does it cost and how is it licensed?
26. Real hardware and VM gateway performance
Once again: everyone lies. Alas, but it is true. Do not believe the datasheets and the mega-giga-terabits in them. It is almost always synthetic and unrelated to real life. Only testing in your environment will show the correctness of your choice and model. Remember, the miser pays twice (repeatedly). If you do not have enough budget for the desired model, either bargain with the vendor, or buy another vendor with simpler functionality but more hardware performance. Buying a system and disabling all the protection features is the worst of all options. Why do you need another router for that kind of money?
- Test methods and results?
- What is the difference between the marketing data and real life?
27. What is the base operating system of the solution?
Sometimes this is important in architectural terms. It is better if the vendor has its own OS, worse if it is Linux, BSD, etc., modified entirely on the knee.
28. Cost of annual ownership
Now everyone is switching to a system of annual payments. Almost all functional modules from all manufacturers are extended by subscription. Antivirus, URL filtering, application control, IPS, etc.: everything requires updated signatures, this is the daily work of a large number of people and artificial intelligence, and this work should be paid for; everything is fair here. It is just that the cost differs for everyone. So that your eyes do not go round a year later, ask the cost of the annual payments at the selection stage, before the purchase. Take care of your eyesight.
- What happens if you do not renew?
- Are there annual payments and subscriptions?
- What is included in the renewal?
29. Availability of engineers and a partner network in the Russian Federation
This, as with support, will be a great help during the implementation phase (if you do not order it separately) and during the operation phase. Everybody has bugs. The question is how quickly you will find a solution to the problems that arise, and whether you will do it alone or with a team of professionals. Plus, decide who within your organization will administer the NGFW gateways. Estimate how common certified engineers are on the market and how much they cost. Otherwise it turns out as with open source: everything seems to be free, but the employees cost astronomical money, and there is no one to replace them.
- Are there a large number of certified engineers in the Russian Federation?
- What demo fund of equipment do partners have?
- What is the number of partners in the Russian Federation?
Conclusion
First, thanks for reading. I hope the article is useful and turned your attention to topics that may not have been obvious to you. Truth is born in dispute, so if you disagree with something, leave comments. We are primarily for objectivity.
Secondly, I diligently avoided mentioning vendors, since the main thing is for you to decide for yourself what your task is and find the solution for it, the one that most fully meets your specific needs and goals. Then everyone will be happy.
And if you already have a system for security and traffic inspection, check its operation and effectiveness as described in our previous article.