Businesses are always looking for the best way to protect themselves against cyber-attacks, and Next-Generation Firewalls (NGFWs) have become a popular solution in recent years. NGFWs offer many features that traditional firewalls do not, such as the ability to inspect encrypted traffic and identify malicious activity.
There’s no doubt that a Next-Generation Firewall (NGFW) is an important piece of your business technology infrastructure. However, with all the different options available, how do you know which one is right for you? That’s where a few MSP experts come in. Today, we’ll share their insights into some of the best NGFW providers on the market. Whether you’re looking at SonicWall, Cisco, or another provider, these MSP experts have got you covered!
Let’s get into the benefits of NGFWs and helpful insights from these MSP experts about some of the best providers on the market.
Anthony Buonaspina, BSEE, BSCS, CPACC, CEO and Founder, LI Tech Advisors
“Next-Generation Firewalls (NGFW) are part of the third generation of firewall technology, combining a traditional firewall with other network device filtering functions. NGFWs are able to block malware from entering a network, something that traditional firewalls would never be able to achieve. NGFWs can be a low-cost option for companies looking to improve their basic security because they can incorporate the work of antiviruses, firewalls, and other security applications into one solution.
We are a Cisco house and highly recommend their products to all our clients. Cisco may be more expensive than other manufacturers of security products. However, their integrated products and premier support, along with their ease-of-use integrated dashboards, are well worth their extra cost. According to Cisco, ‘a next-generation firewall (NGFW) is a network security device that provides capabilities beyond a traditional, stateful firewall. While a traditional firewall typically provides stateful inspection of incoming and outgoing network traffic, a next-generation firewall includes additional features like application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.’
I have always had the philosophy of offering the best solutions to a client. I always lead with the best solution provider for my clients and give them the choice of the best and most popular solutions offered by the most stable companies, along with alternative lower-cost solutions. My recommendation is to always go with the top NGFW solution provider. For LI Tech Advisors, we always lead with Cisco NGFW security products. Threats to personal devices and larger networks are changing every day. With the flexibility of an NGFW, it protects devices and companies from a much broader spectrum of intrusions.”
Ashu Bhoot, CEO, Orion Networks
“We highly recommend switching to NGFW. As the cyber threat landscape gets more and more complex, it becomes harder for pattern recognition across multiple platforms and also is challenging operationally to ensure each of your security solutions is keeping up. NGFW provides the “single pane of glass” functionality that helps to monitor these threats and manage them much more effectively. Besides that, NGFW also helps ensure much less impact on overall system resources and provides a considerably higher throughput across your network.”
Bryan Badger, CEO, Integral Networks
“I tell everyone that if you are not paying for some form of an annual subscription for services, then that firewall is essentially pointless and you have a false sense of security. NGFW with active and more advanced security subscriptions is what is required at a minimum these days. Then those services need to be managed to ensure proper black and whitelisting and then a review of that log data to make changes as necessary to keep things protected.
In addition to that, if you have a remote workforce, how do you keep them secure when they connect to various WiFi networks to gain internet access? More of these types of WiFi networks often block traditional VPNs, which are old school and should be phased out.
For remote workforces, depending on the needs and level of access, we ensure Palo Alto Networks’ GlobalProtect is always on, so no matter where they are, their internet is coming from behind our managed Palo network device in our datacenter. Citrix Secure Internet is another product that is fully cloud-based that we work with and are actually moving clients over to, away from Palo, simply because it is cloud-managed. Then the last piece we do is to provide our clients with a Secure Workspace in order to keep all data, LOBs and to do all work from within a secure workspace completely agnostic of device or location.”
Eric Schueler, Senior VP of Information Technology, HRCT
“When it comes to security, Sophos is at the top of the list. Sophos is always at the top of the third-party test results with their endpoint and server protection products, and when you combine a firewall with endpoint and server protection, you can write rules that will block access to the most critical parts of your network if the AV agent is in an unhealthy status. Plus, with the Sophos Managed Threat Response service that we bundle with all of our fully managed customers, their 24/7 security operations center pulls in firewall data along with endpoint data to catch suspicious activity that, if it went unnoticed, would later become a ransomware attack.”
Ilan Sredni, CEO & President, Palindrome Consulting, Inc. – “Delivering Peace of Mind”
“Next-Generation Firewall selections are only a part of what we call next-generation security. Although we have focused on delivering Cisco Meraki solutions for our clients due to their robust security protocols, easy reporting tools, and granular level of security, it’s not the end all be all. Cisco Meraki also delivers a management dashboard for a single pane of glass view into security. We pair our NGFW with a 24/7 SOC, advanced next-generation endpoint protection with AI, and a granular level of management of the architecture.”
Joe Cannata, Owner, Techsperts, LLC
“Next-Gen Firewalls are a part of our standard security stack for all clients. These advanced firewalls provide additional capabilities beyond the standard set of features typically found in traditional firewalls. Some of these advanced features include DNS filtering, virus protection, email security, intrusion prevention, threat detection, VPN, ad blocking, application control, and advanced reporting to name a few. The capabilities of these next-gen firewalls along with the other layers of security implemented at different levels of the network provide a well-rounded solution to help businesses conduct business in a relatively safe manner.”
Kenny Riley, Technical Director, Velocity IT
“Next-Gen firewalls are the new gold standard for the protection of networks from outside internet threats. Where standard firewalls simply allow and block internet traffic based on open and closed ports within the firewall policies, next-gen firewalls add additional layers of security and features such as gateway anti-virus, URL filtering, intrusion detection & prevention, content control, application control, spam filtering, and more.
There are several available choices of Next-Gen Firewall vendors. Some of the top picks are SonicWall, Fortinet, WatchGuard, and Sophos. As an IT service provider that manages several networks containing a mixture of firewalls from different vendors, we prefer WatchGuard’s next-gen firewalls for their intuitive user interface and overall effectiveness in terms of network protection.
One major plus of WatchGuard firewalls vs. other firewalls such as SonicWall, is when you purchase a WatchGuard firewall, you are allocated a set number of SSL VPN users out of the box that your employees can use for remote access, whereas with SonicWall, SSL VPN licenses must be purchased separately.”
Nick Martin, Director of Managed Services, Mainstreet IT Solutions
“Next-Generation Firewalls are a critical point of security for our customers. We do not allow customers to stray from this standard, as it becomes a requirement if they want to work with us. We spent a lot of time evaluating Next-Gen Firewalls a couple of years ago. We arrived at providing Fortinet’s FortiGate solution. It had the best ratio of security, performance, and price to best fit our offering after a bunch of research and testing.
Another thing we look for, besides the product offering, is how the vendor innovates over time. Fortinet has continually innovated its various offerings and has been putting a lot of time and effort into providing new ways of securing environments. For example, Secure Access Service Edge (SASE) and Zero Trust Network Access (ZTNA) are relatively new offerings to the market. Yet we have seen Fortinet integrate these new offerings quickly and efficiently, which gives us a lot of confidence that our customers’ environments are being protected by a vendor that we are confident in.
One additional factor about choosing Fortinet is the ability to provide reporting for customers. Fortinet gives a lot of analytics that are useful for reporting tools, both for ourselves as the IT provider and for our customers to show we are protecting what we say we are.”
Thomas Andersen, Information Security Architect, BACS Consulting Group, Inc.
“We are big proponents of NGFW at BACS. The concept of a UTM firewall has been around for at least a decade, but NGFWs bring it a step further by putting the licensing and management under a single pane of glass in the cloud, which makes our job, as service providers to multiple organizations, that much easier. It is really important to be conscious of data flowing through the main ingress point to a client network, which is why it is tremendously important to have DPI running at that choke point.
One thing a lot of people don’t get right when it comes to standing up an NGFW solution is the proper sizing of these systems. Whenever you turn up a UTM service, the data throughput is going to be impacted (sometimes severely) by the necessary extra processing power. Because of this, it is important to consult the manufacturer’s product data sheet to select the right solution for your organization. An NGFW with a throughput rated X Mbps or Gbps can easily lose 20-40% of its speed at the edge because of this!
As long as the solution is sized right, an NGFW will serve your organization well. As the threat of attack increases exponentially year upon year, not having an NGFW on the edge of your network is doing you a big disservice. The convergence of SASE architecture, SD-WAN, and NGFWs is a big thing and is only becoming more so in the move we have been making over the last two years towards a hybrid decentralized office presence. Practically, most company networks are becoming decentralized, and this means that even though the core of the network is still there, the office may have been shifted into satellite offices, with several employees working from home.
The NGFW-driven movement of management consoles in the cloud, the movement of DPI to the Application Layer of network traffic, and the need to secure all the spokes in the wheel that connect the hybrid office mean that you can command all the ends of the decentralized network from a single console, and not from disparate firewalls that require internal network access to manage. It is a huge benefit to the administrator and to the company to be able to bring all this hardware under a single console and integrate it seamlessly with identity, security, SIEM/SOAR, DNS, MDM, and MDR technologies. For this reason, we are a huge proponent of Cisco. That capability is already here under the Umbrella, while some vendors are still struggling to catch up.”