Next-Generation Firewall Comparison



Cisco ASA

No shortage of people who can help you configure it. A lot of people learn firewalls on this platform. Performance-wise it’s pretty poor for the money: commodity hardware running Linux can match or exceed the performance of their heavy hitters (5585-X). The NGFW functionality isn’t really there (the only NGFW part of it is the Firepower add-on, which will further degrade performance). It’s a decent firewall if what you want is a SPI firewall. AnyConnect is the best client VPN solution out there. If you’re a Cisco shop soup-to-nuts and don’t have a lot of bandwidth, this can be a solid choice. Cisco is excellent at detailed disclosure for security vulnerabilities and release notes, which helps promote confidence. If your major concern is something like PCI compliance, Cisco is a great checkbox pick. The ASA OS is based on Linux.

Juniper SRX

Great CLI. If you’re a fan of Juniper you’ll like this box. Pretty much a Cisco ASA with a better CLI and more reasonable pricing. Like the ASA, it isn’t really an NGFW player, but it’s a solid pick for a traditional firewall. The larger units look like they have some level of hardware acceleration based on Cavium network CPUs, but it seems fairly limited. JunOS is based on FreeBSD.

Fortinet FortiGate

The founder started NetScreen to develop ASIC-based, hardware-accelerated firewalls. A few years before Juniper bought NetScreen (now discontinued) he went off to start Fortinet with the same goal, expanding on it into more of an NGFW vision. FortiGate has the best raw performance for the money of any of these offerings. It’s popular when you have high bandwidth needs. FortiOS is based on Linux. Both ScreenOS (NetScreen) and FortiOS were caught having backdoors, which might keep you up at night.

Palo Alto Networks

Founded by Nir Zuk in 2005 (who worked at Check Point, then NetScreen), Palo Alto is the new hotness right now. Palo Alto has the best GUI hands-down and is focused on application awareness. The combination of ease of use and the ability to see (almost) everything has made it very popular. It’s also one of the highest priced. If you’re looking for an all-in-one solution and price is no object, PAN might be the way to go. That said, when I did an extended demo I ran into more than a few service-affecting bugs across multiple versions and even had them enter weird states that were only resolved with a reboot. I was impressed for the first day and less impressed after a few weeks. PANOS is based on Linux.

Check Point Technologies

Based in Israel. The claim to fame for Check Point is basically the invention of Stateful Packet Inspection (SPI) filtering (i.e. what everyone takes for granted today). They’ve been around a long time and their former employees make up a disproportionate number of security company CEOs and entrepreneurs. They’re basically the IBM of firewall companies. High level of confidence in security and stability, and good management tools for large deployments. Can be expensive, but the pricing is negotiated so it can vary greatly between customers. Like the ASA and SRX, there isn’t really the mature NGFW feature set here that you’ll see in PAN or FortiGate. At the end of the day it’s obscure enough that you’re stuck going specifically to Check Point for support. As a result the ASA can pretty much deliver the same experience for a lower TCO (IMHO).

These are the major players in the commercial space.

If you don’t have high bandwidth requirements and are looking for something that’s primarily a SPI firewall, then the Cisco ASA can be a pretty solid choice. The Juniper SRX is in a similar category (think of it as a discount ASA with a nicer CLI). If you’re doing client VPN, then it might be worth going with a dedicated ASA for that just to get AnyConnect (which is the best client experience available right now).

If you need high bandwidth (> 1G) then you’re really looking at FortiGate. Their ASIC-based filtering is really hard to match. I still don’t feel good about recommending them when the same CEO is linked to two firewall companies that were found to have backdoors.

If you want full web filtering with SSL inspection then you’re looking at FortiGate or Palo Alto Networks. Note that using this functionality will significantly decrease performance and break some applications and websites. You might ultimately decide to just disable it. Consider that before making it a deal breaker for the others. Personally I prefer DNS-based filtering to proxy-based filtering and SSL inspection (OpenDNS can be a good choice here; they’ve been bought up by Cisco).

In terms of IDS and IPS, I honestly think it’s a disservice to perform these tasks on the firewall. You’re better off (IMHO) doing so out-of-band, using a tap or SPAN into dedicated sensors. This keeps IDS performance out of the critical path (increasingly important with denial of service attacks), and a company focused on IDS will usually do a better job than the IDS bundled with a firewall. The dedicated Sourcefire appliances (Sourcefire being the company founded by the creators of Snort and now owned by Cisco) are a good example.

A lot of this comes down to your security architecture and whether you want an all-in-one magic box or are willing to combine discrete components in an overall architecture. NGFW by definition is all-in-one, but once people run into performance concerns or incompatibilities introduced by application filtering they often resort to disabling a lot of functionality, leaving only the basic firewall in place.

In this respect the ecosystem of Cisco ASA plus OpenDNS plus Sourcefire (and even plus AMP) can be very competitive with things like Palo Alto. The difference is that you’re assembling multiple components.

The reason I mention all this is because (1) if you need to scale then you’ll almost certainly be forced to take this path, and (2) if you don’t need an all-in-one NGFW solution you can look at a wider range of solutions.

If you don’t need to worry about being fired for not having someone to blame in the event of a breach, and going the Open Source route is an option for you, then there are some options there too. There is a pretty good argument to be made for Open Source as a requirement for security infrastructure at a time when we’re seeing state actors pressure even the most reputable technology companies to insert backdoors or methods to bypass controls and encryption.


VyOS is a Linux-based network operating system. Linux netfilter (iptables) is the most peer-reviewed packet filter implementation in the world and has rock solid performance. VyOS ties everything together to provide a consistent CLI and unified configuration file, much like traditional network devices, and as a recent development commercial support is available through some of the developers directly. If you need a good SPI firewall, VyOS can be a solid choice. Using an 8-core CPU and 10GbE interfaces you can build a VyOS system that will handle over 10 Gbps for 512-byte packets and 20 Gbps for packets > 1024 bytes (placing it in ASA 5585 territory) for under $1000 per unit. I’ve been running production VyOS units at multi-gigabit traffic levels (4-5 Gb avg) without incident since release 1.0.1 (~ October 2011 for the first unit IIRC). The stability has been rock solid. The upgrades have been painless. I was forced to go this path because the budget vanished, but it’s worked out remarkably well. Today I have 40+ units in production (but I have the background in Linux and development to do so with confidence).
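To show what the "consistent CLI and unified configuration file" looks like in practice, here is a minimal stateful (SPI) edge ruleset in VyOS 1.x `set` syntax. This is an added illustration, not configuration from the author or the VyOS project; it assumes eth0 is the untrusted uplink, eth1 is the LAN, and 192.0.2.10 is a placeholder address for one published HTTPS server.

```vyos
# --- Traffic passing THROUGH the box from the untrusted side (eth0 -> eth1) ---
set firewall name OUTSIDE-IN default-action drop
set firewall name OUTSIDE-IN enable-default-log
# Rule 10: let replies to connections the LAN opened come back (the SPI part).
set firewall name OUTSIDE-IN rule 10 action accept
set firewall name OUTSIDE-IN rule 10 state established enable
set firewall name OUTSIDE-IN rule 10 state related enable
# Rule 20: drop packets conntrack cannot associate with any flow.
set firewall name OUTSIDE-IN rule 20 action drop
set firewall name OUTSIDE-IN rule 20 state invalid enable
# Rule 30: the only inbound service explicitly published (placeholder host).
set firewall name OUTSIDE-IN rule 30 action accept
set firewall name OUTSIDE-IN rule 30 protocol tcp
set firewall name OUTSIDE-IN rule 30 destination address 192.0.2.10
set firewall name OUTSIDE-IN rule 30 destination port 443
set firewall name OUTSIDE-IN rule 30 state new enable
set firewall name OUTSIDE-IN rule 30 log enable

# --- Traffic addressed TO the firewall itself from the untrusted side ---
set firewall name OUTSIDE-LOCAL default-action drop
set firewall name OUTSIDE-LOCAL enable-default-log
set firewall name OUTSIDE-LOCAL rule 10 action accept
set firewall name OUTSIDE-LOCAL rule 10 state established enable
set firewall name OUTSIDE-LOCAL rule 10 state related enable
# Allow ICMP so path MTU discovery and basic reachability keep working.
set firewall name OUTSIDE-LOCAL rule 20 action accept
set firewall name OUTSIDE-LOCAL rule 20 protocol icmp

# --- Bind the rulesets to the untrusted interface ---
set interfaces ethernet eth0 description 'UNTRUSTED'
set interfaces ethernet eth0 firewall in name OUTSIDE-IN
set interfaces ethernet eth0 firewall local name OUTSIDE-LOCAL
set interfaces ethernet eth1 description 'LAN'

commit
save
```

Management access (SSH) is deliberately not opened on eth0 here; reach the box from the LAN side or add a narrowly scoped OUTSIDE-LOCAL rule with a source address restriction.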

You can also look into things like OpenVPN for client VPN and Snort or Bro for IDS. Depending on your scale that savings can go toward hiring more staff to focus on security (which is often the best use of limited funds).

One thing to watch out for is that a lot of vendors want you to believe that there is a Silver Bullet for security. My experience says there isn’t. Because everyone is so concerned about security right now there seems to be infinite dollars available and a new company popping up every day to accept your money in exchange for the promise of security. I honestly think it’s a bubble and that in a few years there will be a reckoning when people ask if they’re really more secure after dumping millions into Silver Bullet security solutions.

IMHO you should focus on sound design practices. Defense in Depth. Lay out an architecture that takes more than the network into account and use risk management to identify where the biggest gains can be made for the least cost. A lot of organizations focus so much on throwing money at a vendor, and then think they’re secure, while neglecting the basics like training people how to use a password manager or how to spot a phishing scam. If I had a choice between a top-of-the-line Palo Alto Networks firewall and a dedicated staff member to focus on education and outreach, I’d pick the staff member without hesitation.

As a disclaimer my background is as a network engineer first and security engineer second … so my focus is more often on avoiding the introduction of performance bottlenecks and additional points of failure unless there is a good reason to do so. This may make me come off a bit harsh towards things like SSL inspection and all-in-one firewalls.

Author: soucy