Network security basics: A Buyer's Guide
A collection of articles that takes you from defining technology needs to purchasing options
Plenty of options exist when choosing the right network security product. But narrowing these down to a single choice can become a real headache. That's why we recommend looking at security tools from a network-wide perspective. Instead of haphazardly choosing individual security tools based on marketing rhetoric or generic research reports, look at your overall network architecture to determine where data resides and how end users access that data. You can use this information to gauge which specific features or implementation methods might be the best overall fit.
Additionally, make sure you compare how your network security product will interoperate with existing or future security tools. A defense-in-depth strategy is critical to the overall success of a network security architecture. Choosing security tools that accentuate the benefits and capabilities of other security tools goes a long way in creating an overall security architecture.
In this article, we will present two different company scenarios that detail real-world criteria for distinctly different network postures. In doing so, we will use each scenario to map business security needs to specific security products. The goal will be to present how a specific network security product would be the best choice, depending on where company data resides, how users and devices access company data, where security tools are deployed, and the need for a defense-in-depth architecture. The security tools and top vendors we will be evaluating are:
Next-generation firewalls (NGFW)
- Check Point Software Technologies Inc.
- Cisco
- Palo Alto Networks
Secure Web gateways (SWG)
- Blue Coat Systems Inc.
- Websense
- Zscaler Inc.
Network access control (NAC)
- Bradford Networks
- Cisco
- ForeScout Technologies Inc.
Malware sandboxes
- FireEye Inc.
- Palo Alto Networks
- Websense
Cloud versus in-house control
Suppose we have two different companies: Company X and Company Y. Company X has not yet adopted cloud computing, while Company Y is fully embracing the cloud and various as-a-service offerings. In Company X, all critical applications and data reside within private data centers. Company Y, on the other hand, has opted to store its data in the cloud. Both companies maintain highly sensitive data, and so require that users and devices have strict access control policies applied.
Given the traditional architecture scenario for Company X, hardware appliances deployed and managed inside the private data center are ideal. A cloud-based network security product is out of the question, since the organization has made the decision to maintain critical data and network components on premises. But for Company Y, cloud-deployed and managed tools are preferred because they offer increased flexibility in terms of tool placement and manageability.
Any of the top NGFWs you choose in the scenario for Company X will work just fine. Each of the three vendors offers highly capable Layer 7 firewalls with advanced threat protection. Whichever firewall you select, the firewall appliance or virtual machine can be easily deployed between the internal network and the Internet or WAN edge.
When you look at the cloud deployment architecture of Company Y, Check Point and Palo Alto have the edge over Cisco, because they offer virtualized NGFWs that act identically to their hardware appliance counterparts. Additionally, both offer NGFW as a service in larger cloud providers, including Amazon Web Services.
In terms of the ideal secure Web gateway, there are some things to consider. Both Blue Coat and Websense offer their SWGs as appliances and as cloud services. Zscaler only offers its SWG as a cloud service. So, in this situation, Zscaler is ideal for Company Y, but not for Company X. Blue Coat and Websense would be better options for Company X, because each offers appliance-based SWG platforms that could easily be deployed into private data centers.
The next choice to make is determining the best NAC vendor for each type of network. The NAC features needed depend heavily on the importance of protecting company data, and on how the company approaches BYOD and the Internet of Things (IoT). So not only are deployment options important, but so are the feature sets that each NAC product provides. Company X, for example, has strict BYOD policies; its primary focus is on data loss prevention. It's very likely that the company is also cautious when it comes to the concept of IoT. As a result, Company X is interested in leveraging user/device identification and resource accessibility. For in-house deployments -- as would be the case for Company X -- Cisco and ForeScout offer robust systems that are perfect for private data center architectures. Both Cisco and ForeScout are commonly heralded as two of the best in the industry today. They also tend to shine when it comes to company-wide authentication and authorization policy enforcement.
Company Y might find Bradford's NAC a better fit. While Bradford does offer flexible and robust hardware appliances that can be deployed in private data centers, it also sells its NAC as a virtual appliance that can be deployed in the cloud. Both form factors have easy-to-manage BYOD features that suit BYOD-friendly environments. So, if the goal of Company Y is to manage security tools from the cloud, with BYOD security in mind, then Bradford is the way to go.
Finally, let's consider the malware sandbox. FireEye is the most logical network security product in a traditional on-premises setting like the one described for Company X. FireEye's AX platform is a standalone system and can be easily deployed in a private data center, positioned where it can analyze traffic in-line. Products from Palo Alto and Websense are better deployed in cloud architectures, like the scenario described for Company Y, because both vendors offer sandboxing as a cloud service.
Further defense-in-depth considerations
While making security tool decisions based on data architectures and data flows is a great start, it doesn't fully complete the picture. Today's security tools can no longer simply work as independent systems. They must also cooperate with one another to provide optimal security, greater efficiencies and ease of management.
In many situations, your decision might boil down to a case of using security tools from a single vendor, as opposed to choosing a top vendor for each network security product. Integrating the tools so they work together becomes easier when everything is from the same vendor. The same goes for troubleshooting and support. So while you may not have the absolute best tool available in each security category, you can be more confident that the tools will provide a more seamless, end-to-end blanket of security coverage. Most of the major network vendors, such as Check Point, Cisco, Palo Alto and Websense, have solid security tools in most of the categories we've been discussing.
If you do choose to go with the top-of-the-line approach when selecting individual security tools, make sure the products you choose have been proven to work well together in a shared network environment. We'd recommend categorizing the priority of each security tool in your defense-in-depth strategy. Then, choose each tool in order of importance, making sure each successive tool works smoothly with the one selected before it. In terms of prioritization of security tools, the order may differ from company to company, depending on specific security needs. In most cases, however, the most important security tool your enterprise deploys will almost certainly be the NGFW. The firewall was -- and is -- the linchpin for most defense-in-depth strategies. So make sure you choose your NGFW first.
Suppose you've determined that the second most important network security product for your company is a malware sandbox. You should choose what you feel is the best, but only if it works well with the NGFW selection you've made. This is critical, as NGFWs often have to cooperate with a malware gateway by flagging suspicious data as it flows through the firewall. That flagged data is then sent to the malware sandbox for analysis. If the two technologies don't work well together, you'll likely have to choose the second or third best malware sandbox -- whichever one works the best with your firewall to create a unified security approach.
Each of the security tools mentioned in this article will assist in providing an overall defense-in-depth strategy for your enterprise network. Keep in mind that there are plenty of other security tools that aren't mentioned in this series, but should be considered as part of your overall security architecture. We simply presented four tools that are making the biggest impact on security architectures today.
As you can see, choosing the right network security products largely boils down to data flow and architecture, and how the tools work together as a unified security strategy. While most enterprise-class security products can work in most any environment, we presented scenarios that pointed to differences in deployment methods and compatibility that make one or two stand out for a particular network architecture.