Technical and administrative considerations on acquiring a NGFW-based network security solution

A Gebrehiwot;Irene Sannicandro
2021

Abstract

The network security solution in use at the Pisa Research Area since 2008 is based on two on-premises Next Generation Firewalls (NGFWs) capable of protecting the network infrastructure using typical NGFW features such as application awareness, threat prevention, anti-virus, anti-spyware, URL filtering, file blocking, DDoS protection, etc. Unlike traditional packet-filtering firewalls, NGFWs enforce security policies based not only on network traffic attributes (e.g. IP addresses, protocol numbers and port numbers) but also on other types of attributes, such as the username of an authenticated user, the name of the application in use, the type of data transported, etc. Furthermore, NGFWs support the concept of zone-based firewalling and allow the configuration of individual protection rules regardless of the network layer protocol in use, thus implementing a dual-stack (IPv4/IPv6) firewall. There are various NGFW manufacturers on the market. Therefore, a public organization that needs to acquire an NGFW-based network security solution should compare various products in order to select the one with the best quality-price ratio. Unfortunately, at the time of writing, there are no standard methods, i.e. benchmarks, for objectively evaluating and comparing performance indicators of NGFW devices from different manufacturers. For this reason, organizations are forced to make a choice by following a logical process that takes into account a series of different evaluation criteria (technical, practical, economic, administrative, etc.). This document tries to address the various issues that an organization might face during the selection and acquisition of a security solution based on NGFW technologies, considering mainly the technical and administrative aspects.
Istituto di informatica e telematica - IIT
firewall
NGFW
next generation firewall
network security
Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/433192