Firewalls have long played a critical role in cybersecurity. Their level of functionality has grown in sophistication over the years in answer to the growing complexity of evolving threats. Their job has been made even more challenging by the rise of the cloud, the Internet of Things (IoT), and the beginning of the work-from-home (WFH) era. Firewalls must now extend much further than the four walls of one building.
Firewall Software Overview
- Key Firewall Features
- Firewall Buying Tips
- Best Firewall Software
Key Firewall Features
Firewall features vary considerably from vendor to vendor. Some focus on providing protection to all endpoints; others protect the enterprise as a whole. Some are focused on the cloud, others on on-prem, and many take care of both. They also vary in the market they target — ranging from individual device firewalls to carrier-class firewalls. For this guide, we feature mainly models that serve the mid-sized to large enterprise market.
Here are some of the features available in modern firewalls:
- Network Segmentation to define boundaries between network segments, keeping potential threats outside the network and protecting sensitive data.
- Access Control to define the people or groups and devices that can access network applications and systems. This is often provided via integration with Identity and Access Management (IAM) and Role-based Access Control (RBAC) tools.
- Remote Access VPN to give remote users secure access to the network via multi-factor authentication, endpoint compliance scanning, and encryption.
- Zero Trust Networks to allow only the access and permissions pertinent to specific roles by enforcing least-privilege access policies at the network level.
- Email Security to protect email accounts and content from external threats.
- Data Loss Prevention (DLP) to prevent exposure of sensitive information.
- Intrusion Prevention Systems (IPS) to detect or prevent network security attacks such as brute force attacks, Denial of Service (DoS) attacks and exploits of known vulnerabilities.
- Sandboxing to run code or open files in a safe, isolated environment on a host machine that mimics end-user operating environments.
- Hyperscale Network Security to scale as demand increases.
- Cloud Network Security via Software-defined Networking (SDN) and Software-defined Wide Area Network (SD-WAN) solutions.
Firewall Buying Tips
- Firewall vendors are constantly adding features. Many cover most of the above functions, but they also offer many other features, often at higher rates. Therefore, it is important to specify requirements upfront and not become distracted by the latest bells and whistles.
- Carefully evaluate how a proposed firewall platform integrates with existing security tools and operating systems.
- Review the centralized management capabilities of proposed products.
- Favor vendors that have a proven track record of firewall protection for any cloud platforms currently in use.
- Consider Firewall as a service (FWaaS), which Gartner predicts will rise from fewer than 5% market penetration today to 25% within 4 years.
Best Firewall Software
Enterprise Networking Planet considered a wide range of firewall products and suites. Here are our top picks, in no particular order.
Check Point
Check Point Quantum Security Gateways go beyond the standard next-generation firewall by combining SandBlast Zero Day autonomous threat prevention, hyper-scale networking, and unified management. They protect enterprises against cyber-attacks across the data center, network, cloud, mobile, endpoint and IoT.
- Delivers threat prevention with SandBlast Zero Day protection out of the box
- Up to 1.5 Tbps of threat prevention security performance on demand with cloud-level expansion and scalability on-premises
- Unified security policy across data center, network, cloud, endpoint, mobile and IoT increasing threat visibility
- Said to cut security operations by up to 80%
- Eliminates labor-intensive manual threat classification and updates
- Gateways updated automatically by AI-based threat prevention for protection against even zero-day threats
- Up to 52 gateways capable of 1.5 Tbps of threat prevention performance
- Spin up new security gateways on demand
- Full active-active redundancy.
Cisco
Cisco Secure Firewall is offered by a company known for its breadth of networking, security, and storage offerings. Therefore, you can expect tight integration across a wide range of IT sectors. For example, Cisco Secure Firewall provides a deep set of integrations between core networking functions and network security. Further features include zero trust, micro-segmentation, and SD-WAN capabilities. These appliances are said to offer a 3x performance boost over the previous generation.
- Hardware-based capabilities for inspecting encrypted traffic at scale
- Dynamic application visibility and control through a Cisco Secure Workload integration
- Management options include Firewall Device Manager (FDM), Cisco Secure Firewall Management Center (FMC), Cisco Defense Orchestrator (CDO), and Cisco Security Analytics and Logging.
- Cisco Secure Workload integration enables visibility and policy enforcement for distributed and dynamic applications across the network and workload
- Advanced threat intelligence via Talos underpins the Cisco security ecosystem by defending infrastructure from malicious and unknown threats.
Palo Alto Networks
Palo Alto Networks’ PA-7000 Series machine learning (ML)-powered next-generation firewalls enable enterprise-scale organizations and service providers to deploy security in high-performance environments, such as large data centers and high-bandwidth network perimeters. It offers prevention capabilities to stop advanced cyberattacks, and high-throughput decryption to stop threats hiding under the veil of encryption. It is built to maximize security-processing resource utilization and automatically scale as new computing power becomes available.
- Machine learning-enabled firewall
- Highest Security Effectiveness score in the 2019 NSS Labs firewall test report with 100% of evasions blocked
- 5G-native security built to safeguard service provider and enterprise 5G transformation
- Extends visibility and security to all devices, including unmanaged IoT devices, without the need to deploy additional sensors
- Supports high availability with active/active and active/passive modes
Fortinet
Fortinet offers a great many firewalls to fit needs from the home office to the enterprise. The FortiGate 7121F, for example, is an enterprise-class model. It is powered by purpose-built security processing units (SPUs), including the latest NP7 (Network Processor 7), to enable security-driven networking. These firewalls are recommended for hybrid and hyperscale data centers. They seek to eliminate many other point products by consolidating capabilities such as secure sockets layer (SSL) inspection, web filtering, and intrusion prevention systems (IPS).
- Traffic is inspected at hyperscale as it enters and leaves the network. Only legitimate traffic is allowed, without degrading the user experience
- FortiGate firewalls can communicate within the Fortinet security portfolio as well as third-party security solutions in a multivendor environment
- Integration with artificial intelligence (AI)-driven FortiGuard and FortiSandbox services to protect against known and zero-day threats and improve operational efficiency through integration with Fabric Management Center
- Identifies thousands of applications inside network traffic for deep inspection and granular policy enforcement
- Protects against malware, exploits, and malicious websites in both encrypted and unencrypted traffic
- Ultra-low latency via SPU technology
- Integrates with layer 7 security and virtual domains (VDOMs)
- Zero Touch Integration with Fortinet’s Security Fabric Single Pane of Glass Management.
Forcepoint
Forcepoint scored high in both security effectiveness and TCO in NSS Labs tests of the Forcepoint Next Generation Firewall. It aims to cut the complexity and time needed to get a network running smoothly and securely. Its unified software core provides consistent capabilities, acceleration, and centralized management. The Forcepoint NGFW Security Management Center (SMC) can configure, monitor, and update up to 2000 Forcepoint appliances — physical, virtual, and cloud — from one pane of glass.
- Centrally managed, whether physical, virtual or in the cloud
- Administrators can deploy, monitor, and update thousands of firewalls, VPNs and IPSs in minutes, all from a single console
- Advanced clustering for firewalls and networks eliminates downtime, and administrators can rapidly map business processes into controls to block advanced attacks, prevent data theft, and properly manage encrypted traffic
- Deploy Forcepoint NGFW to remote offices and branch locations without an on-site technician
- Forcepoint’s Smart Policies express business processes in familiar terms such as: users, applications, and locations
- Easy grouping replaces hardcoded values, enabling policies to be dynamically reused throughout your network
- Administrators can quickly update and publish policies to all affected firewalls
- Forcepoint SMC makes it easy to visualize and analyze what’s happening throughout the network.
WatchGuard
WatchGuard combines good security with high performance. It has a range of firewalls spanning from the home office to mid-sized enterprises. It also has firewalls designed for rugged environments such as industrial facilities or high-temperature regions. The Firebox M470, M570 and M670 firewalls are specifically engineered for midsize and distributed enterprises that are struggling to effectively and affordably secure networks in the face of explosive growth in bandwidth rates, encrypted traffic, video use, and connection speeds. With an operating system built on the latest generation of processors from Intel, they have plenty of power to run security scanning engines in parallel, without causing a bottleneck in performance.
- Two M470s, M570s, or M670s form an active/passive high availability pair
- Performance of up to 34 Gbps throughput
- 5.4 Gbps throughput with full Total Security Services running
- Drag-and-drop VPN creation
- RapidDeploy technology to make fast work of extending the network
- Optional 8×1 Gb fiber, 4×10 Gb fiber, and 8×1 Gb copper expansion modules.
Juniper Networks
Juniper Networks offers physical, virtual, and container firewalls. Its SRX firewalls scale all the way from small business deployments to massive data center and service provider environments. SRX 5000 series units are powered by the Junos OS and provide six nines reliability and availability, scalability, and services integration. They are aimed at service provider, large enterprise, and public sector networks.
- The SRX5400, SRX5600, and SRX5800 are part of the Juniper Connected Security framework, which is built to protect users, applications, and infrastructure from advanced threats
- Carrier-grade next-generation firewall and advanced security services such as application security, content security, and intrusion prevention system (IPS)
- Integrated threat intelligence services via Juniper Networks Advanced Threat Prevention (ATP), Juniper’s open threat intelligence platform in the cloud
- Supported by Juniper Networks Junos Space Security Director, which enables distributed security policy management through a centralized interface that enables enforcement across emerging and traditional risk vectors
- Each services gateway can support near linear scalability with the addition of Services Processing Cards (SPCs) and I/O cards (IOCs), enabling a fully equipped SRX5800 to support up to 1 Tbps throughput
- Connectivity options include 1GbE, 10GbE, 40GbE, and 100GbE interfaces
- Supporting up to 960 Gbps of data transfer.
CrowdStrike
CrowdStrike Falcon Firewall Management simplifies management of host firewalls native to the operating system, making it easy to manage and enforce host firewall policies. Delivered via the CrowdStrike Falcon lightweight agent, a single management console and a cloud-delivered architecture, Falcon Firewall Management enhances protection from network threats with minimal impact on the host.
- The Falcon platform is built on the cloud-scale AI-powered CrowdStrike Security Cloud that processes trillions of events per week
- Contextual telemetry provides insight to both automatically protect and inform action – from investigation to firewall policy and rule creation
- A single, lightweight agent and management console for endpoint protection and firewall security management
- Administrators can create, enforce and monitor firewall rules and policies and pivot to investigation with network events and complete process information
- The cloud-native CrowdStrike Falcon platform uniquely combines firewall and network events with other endpoint data to prevent breaches using a single lightweight agent
- Open, extensible platform and APIs enable CrowdStrike partners to expand their solutions, leveraging Falcon data. Firewall-related partner integrations include AWS and Illumio
- With AWS Network Firewall, joint customers are able to leverage CrowdStrike Falcon platform capabilities by extending threat intelligence and detection to streamline incident response (IR) and simplify operations. This includes adding domain indicators of compromise (IOCs) to the AWS Network Firewall for IR and proactive threat hunting to extend to all Amazon virtual private clouds (VPC).
- Illumio consumes CrowdStrike enriched endpoint telemetry to build “allowlist” policies in Illumio Edge.
Barracuda
Barracuda CloudGen Firewalls and Web Application Firewalls are purpose-built for securing cloud-connected networks. They protect users, applications, and data — regardless of what your infrastructure looks like. They ensure secure and reliable connections among multiple sites on premises and the cloud with consumption-based pricing.
- Tight integration with cloud platforms such as AWS and Azure
- Budget-friendly consumption models
- Secure, reliable branch-to-cloud connectivity
- Central management of security at the source
- Firewalling, IPS, URL filtering, dual antivirus, and application control take place in the data path
- Sandboxing and other resource-intensive tasks are offloaded to the cloud
- Secure SD-WAN connectivity
- Up to 24 bonded broadband connections per VPN tunnel for increased application performance and built-in redundancy.