We have already published a short article, “NGFW selection criteria”. Here it is assumed that you have already chosen your NGFW and are about to buy it.
What do you need to remember? How do you avoid stumbling at the last stage, the purchase? In our opinion this is a very important question, because no vendor's NGFW is cheap. And if things do not go according to plan, or the device works differently from what you expected, then you, as the person who made the purchasing decision, may well have problems. In this article we will try to set out the main points that need attention BEFORE buying, not AFTER. Perhaps this small checklist will help you avoid unforeseen expenses and save your already frayed nerves.
1. Cost of annual ownership
This is the very first thing to check. You need to understand that absolutely any NGFW needs an annual renewal of subscriptions, contracts or updates (different vendors call it different things). For many it comes as a surprise that a one-time purchase is not enough and that you have to “pay again” every year. Most importantly, without renewed subscriptions the key functionality (the reason an NGFW is usually bought in the first place) stops working: IPS, URL filtering (site categories and reputation), Application Control, Anti-Virus, Antispam, Sandbox and so on. The exact list depends on the vendor. Without renewing your subscriptions, your NGFW turns into a regular firewall. Well, not quite a regular one: a wildly expensive firewall. The annual cost of ownership differs from vendor to vendor, but as a rule it is around 30-40% of the original purchase price. Remember this. Can your annual information security / IT budget absorb that? Be sure to request the annual cost of ownership from your partner. Frankly, it is strange if the partner has not given you these numbers by default.
2. NGFW will not solve all information security problems
Many perceive NGFW as a panacea for every information security ill. It is not. An NGFW closes only some of the possible attack vectors against your network. There is no single solution that guarantees 100% protection, and anyone who promises you something like that is either deceiving you or does not fully understand what he is talking about. The task of an NGFW is to narrow the attack surface as much as possible. Why am I saying this? Because you must not forget about the other means of protection. If you suddenly find you do not have enough funds to buy an NGFW, do not spend your last money and “scrape together” the budget by giving up other protective measures, for example desktop antivirus or a backup system. Set priorities and evaluate your financial capabilities. A company's information security does not begin with the purchase of an NGFW; it is only one additional element of comprehensive protection. Do not expect magical results from a single “box”.
3. Out of the box, any NGFW works extremely poorly.
We recently published the “Check Point to Maximum” course, where we showed how to configure it properly for maximum protection. Along the way we showed how easy it is to bypass an NGFW with default settings. And this does not concern only Check Point: the same picture is seen with Fortinet, Palo Alto Networks, Cisco Firepower and others (I ran parallel tests). Do not expect an NGFW to adequately protect your company with default settings after a couple of clicks. The NGFW will have to be tuned, and not once but constantly, adapting to changing threats. Do not forget that information security is not a result, it is a process.
4. Prepare for problems and plan time.
When buying an NGFW, be prepared for technical difficulties, even if you buy it together with implementation services. No integrator will do absolutely all the work for you. Since information security is a process, the device will have to be adjusted and problems will have to be solved. And this is not because the NGFW is bad; it is because it has so many functions. To bring everything “up to scratch” you will need to spend a decent amount of time. Otherwise you risk being left with default settings that do not use even 20% of the NGFW's features. Take SSL inspection alone. You will have to turn it on if you are seriously concerned about security, and then you will have to manually go through the sites and applications that stop working once inspection is enabled. Nobody will do this for you (unless, of course, you have a service-based technical support arrangement). Similar problems can arise at many stages of implementing and operating an NGFW. Hence the following two points.
5. Build a budget for training
NGFW is in itself a rather complex product, however hard vendors try to simplify it. It contains a lot of functions, and there are many subtleties and pitfalls. Do not assume that you will master a product that is new to you straight away. Therefore, when planning a purchase, be sure to plan a budget for training the employees who will administer it. Sometimes this can be arranged within the same deal, or you can receive training as a gift (it all depends on the size of the deal and the loyalty of your partner).
6. Technical support
You will definitely have to contact technical support, and it had better be effective. You must have an employee who speaks good English, or consider technical support from Russian partners. Pay close attention to this issue; otherwise you risk being left alone with your problems. Sometimes the question of technical support is the decisive factor when choosing a partner, or even a vendor.
7. Study the licensing question in detail.
A very common situation: a pilot project is run and you are shown how beautiful and functional everything is. Then, after making the purchase, you find that not all of that functionality is available to you. The reports you were shown initially are missing, the sandbox does not work, remote users cannot connect, there is no centralized management, and so on. Of course, it is your partner's job to understand your tasks, draw up the correct specification and tell you about possible limitations or add-ons. This is a matter of trust. But there is a good saying: “Trust, but verify.” I think it will be very unpleasant to go to management for another budget immediately after the purchase.
8. Buying without testing
Without a pilot project you will then have only yourself to blame (well, and the partner who “set you up” to swear at). Do not take marketing brochures too seriously. It is highly desirable to run at least a few tests before purchasing, and the most important test is the real performance of the device on your real traffic. This is very important.
Do not believe the datasheets, where fantastic performance figures are written; unfortunately, absolutely all vendors are guilty of this. If you have no time for such tests, all that remains is to rely on the experience of your partner, who will offer options.
9. Choose a model based on HTTPS inspection.
Another point that many forget when choosing a model. SSL inspection is a serious additional load on your NGFW. Many people, trying to save money, choose a model whose performance is just barely enough, completely forgetting about HTTPS traffic. Then, after enabling SSL inspection, they discover that their gateway is “choking”. I repeat once again: “Without HTTPS inspection your NGFW is absolutely useless.” I have already demonstrated this in one of my lessons. So be sure to account for the additional load on the device from SSL inspection. Otherwise you are simply throwing money away.
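A back-of-the-envelope sizing check for points 8 and 9, added here as an example and not taken from the article: it combines your own measured traffic profile with a candidate model's datasheet figures and shows how the verdict flips once HTTPS traffic and SSL inspection are accounted for. All numbers (the 800 Mbps profile, the "placeholder-model-X" datasheet, the 50% trust factor and 30% headroom) are constructed placeholders, not any vendor's real data; replace them with what you measure in your pilot.

```python
from dataclasses import dataclass


@dataclass
class TrafficProfile:
    """What you actually measured on your own perimeter (see point 8)."""
    peak_mbps: float         # measured peak throughput today
    https_share: float       # fraction of bytes that are HTTPS (0.0 to 1.0)
    growth_per_year: float   # expected annual growth, e.g. 0.15 for 15%
    horizon_years: int       # how many years the device must keep up


@dataclass
class ModelDatasheet:
    """Vendor figures for one candidate model (constructed placeholder numbers)."""
    name: str
    threat_prevention_mbps: float  # IPS/AV/App Control on, TLS inspection off
    tls_inspection_mbps: float     # same features plus TLS/SSL inspection
    trust_factor: float = 0.5      # fraction of the datasheet figure you accept untested


def required_capacity(profile: TrafficProfile) -> float:
    """Peak throughput the device must handle at the end of the planning horizon."""
    return profile.peak_mbps * (1.0 + profile.growth_per_year) ** profile.horizon_years


def naive_capacity(model: ModelDatasheet) -> float:
    """The figure people size against when they forget HTTPS entirely."""
    return model.threat_prevention_mbps * model.trust_factor


def effective_capacity(model: ModelDatasheet, profile: TrafficProfile) -> float:
    """Mixed-traffic throughput once TLS inspection is enabled.

    A share f of the bytes is processed at the slower TLS-inspection rate and
    the rest at the threat-prevention rate, so the time per megabit is
    f / r_tls + (1 - f) / r_tp and the effective rate is its reciprocal
    (a weighted harmonic mean, not a weighted average of the two figures).
    """
    r_tp = model.threat_prevention_mbps * model.trust_factor
    r_tls = model.tls_inspection_mbps * model.trust_factor
    f = profile.https_share
    return 1.0 / (f / r_tls + (1.0 - f) / r_tp)


def check_model(model: ModelDatasheet, profile: TrafficProfile,
                headroom: float = 0.3) -> dict:
    """Compare required vs usable capacity, with and without TLS inspection."""
    need = required_capacity(profile)
    usable_naive = naive_capacity(model) * (1.0 - headroom)
    usable_real = effective_capacity(model, profile) * (1.0 - headroom)
    return {
        "model": model.name,
        "required_mbps": round(need, 1),
        "usable_without_tls_mbps": round(usable_naive, 1),
        "usable_with_tls_mbps": round(usable_real, 1),
        "fits_ignoring_https": usable_naive >= need,
        "fits_with_tls_inspection": usable_real >= need,
    }


# Constructed sample input: 800 Mbps peak, 70% HTTPS, 15% growth over 3 years.
SAMPLE_PROFILE = TrafficProfile(peak_mbps=800, https_share=0.7,
                                growth_per_year=0.15, horizon_years=3)
# Constructed placeholder datasheet; not any real vendor's numbers.
SAMPLE_MODEL = ModelDatasheet(name="placeholder-model-X",
                              threat_prevention_mbps=4000,
                              tls_inspection_mbps=1200)

if __name__ == "__main__":
    for key, value in check_model(SAMPLE_MODEL, SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```

With the sample numbers the model looks fine when HTTPS is ignored (about 1400 Mbps usable against roughly 1217 Mbps required) and fails badly once 70% of the bytes go through TLS inspection (about 532 Mbps usable). The harmonic-mean step is the part worth keeping: averaging the two datasheet figures by traffic share would overstate capacity, because the slow path dominates the time budget.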
10. Buying from a “familiar” partner
A typical mistake when buying an NGFW is to buy it from a “familiar” supplier. I am sure almost every company has a partner who has “long been” supplying it with IT products. Working with him is convenient and familiar. Only an NGFW is neither a server nor a switch, and certainly not a stapler that can be bought from anyone around the corner. It is by no means guaranteed that your current supplier has the necessary skills and competencies.
The outcome of the implementation, and the security of your company, depends on the qualifications of the partner. When choosing a supplier you must first look at his experience and technical knowledge, and this is best determined through a pilot project. That way you kill two birds with one stone:
- Test the NGFW in your infrastructure and determine the model;
- Assess the adequacy of the partner: is he able to help you with the implementation, and can he then provide technical support?
In fact, this item is the most important. A good partner should walk you through this entire checklist himself: point out all the important items, warn about all possible problems and, naturally, offer options for solving them.
Conclusion
I hope this note is really useful to someone. It is certainly not a universal recipe, but it will help you avoid the most typical problems. If you have questions, comments or suggestions, please write in the comments or email me.
PS You may be interested in our previous article, “Typical NGFW Implementation Scenarios”.