Do I Need to Upgrade My Firewall? What Are My Options?
When a firewall is working, it’s the last thing on your mind. But, did you know that most firewalls have a lifespan of three to five years?
There are many signs that it’s time for a new firewall. Your current product may lag or be reaching the end of its support life. Maybe your license renewal is coming up, or you need to support more remote staff. You may need to respond to a breach or support business growth. Or you may be looking for a newer feature set that meets recent compliance requirements.
No matter the reason, updating your firewall can feel overwhelming. What protections do you need? Which software is right for your organization? How much will it cost? How quickly can it be implemented?
It may seem like just yesterday that you upgraded your firewall or maybe the firmware running on it.
At Kelser Corporation, we know how you feel. Not only did we upgrade our own firewall recently, we’ve also spent years helping clients evaluate firewall options for their real-world applications. We know the options and can help you figure out what will work best for your business.
I’m here to walk you through some of the indications that you might need a new firewall and some things to consider when evaluating the pros and cons (as well as costs) of different kinds of firewalls. I’ll help you make sense of it all.
What’s the best firewall for me?
Before deciding which firewall will best suit your organization, it’s important to understand what you are using now. How well does it support your existing infrastructure? What features does it have? What features do you wish it had? How many users does it support? How does it integrate with existing infrastructure? Do you have compliance requirements?
You want a system that can handle the amount of traffic (or throughput) your organization needs. How many remote users do you have? How many brick-and-mortar locations need to be supported?
Another factor to consider is projected business growth in the coming few years. Select a firewall size/model that can scale up to accommodate future business needs. If your organization outgrows the firewall you buy today, your entire system will suffer serious lag time.
On the other hand, if you buy a system with a 500MB circuit but don’t use all of it, you are wasting money. Size the system to your specific needs.
Many times, even one piece of information can limit your options, making the decision much easier. For example, if you use dynamic routing today, you likely need at least a mid-level firewall. Or, if integration with identity management is required, a high-end firewall may be the best choice.
It’s important to know what you have in place and determine where the gaps are so that your new firewall choice will eliminate them.
And, if you can buy more storage or a better processor, always buy it now!
What is a Next Generation Firewall?
Like most things, firewalls have evolved. Here’s what you need to know:
Layer 3 Firewalls
Legacy model firewalls operate on the third (or network) layer of the Open Systems Interconnection (OSI) model, where routers operate.
Layer 3 firewalls use the same information as routers to filter communications based on Internet Protocol (IP) address, port number, and other network-layer attributes. They can be configured to block a specific IP address, but they are limited in their scope.
Layer 3 firewalls have evolved to incorporate “statefulness” where the firewall can keep track of sessions and can protect against session hijacking. Layer 3 and stateful firewalls have progressed to what we now know as Next-Generation Firewalls (NGFW).
Next-Generation Firewalls (NGFW)
NGFWs incorporate many advanced features beyond just access control lists and network address translation.
In the last three to five years, the industry has been buzzing about NGFWs that provide higher-level inspection and more intelligence.
Two key elements of NGFWs are:
- Cloud integration provides real-time monitoring of threat updates and pushes immediate resolutions to your system, shutting down threats before they reach your network.
- Internal segmentation is more important as organizations require added remote and wireless capability.
Layer 7 Firewalls
Layer 7 firewalls are a recent evolution. They operate in the seventh layer of the OSI model, also known as the application layer. This allows for more advanced traffic filtering specifications. Known for being “application-aware,” they can scan data packets and reject any that contain malware.
Layer 7 firewalls also can block traffic from a geographic location. They can block an entire country based on the source addresses the firewall knows to be located there and the traffic it sees coming from them.
Many platforms are incorporating layer 7 firewalls as a native feature, eliminating the need for separate physical devices, and providing for a more streamlined infrastructure.
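To make the three tiers above concrete, here is an added toy illustration written for this article (it is not a Kelser product or any vendor's code): a stateless Layer 3 filter, a stateful filter that adds a session table, and a Layer 7 filter that adds payload inspection and country blocking. The addresses, country code and "malware" signature are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class Layer3Firewall:
    """Stateless: each packet is judged on IP and port alone, like a router ACL."""
    def __init__(self, blocked_ips, inbound_ports):
        self.blocked_ips = set(blocked_ips)
        self.inbound_ports = set(inbound_ports)  # services published to the Internet

    def allow(self, pkt, inbound):
        if pkt.src in self.blocked_ips:
            return False
        return pkt.dport in self.inbound_ports if inbound else True


class StatefulFirewall(Layer3Firewall):
    """Adds a session table: replies to connections opened from inside are
    admitted; unsolicited inbound traffic must still pass the Layer 3 rules."""
    def __init__(self, blocked_ips, inbound_ports):
        super().__init__(blocked_ips, inbound_ports)
        self.sessions = set()

    def allow(self, pkt, inbound):
        # An inbound packet is a reply if the reversed 4-tuple is a known session.
        if inbound and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return pkt.src not in self.blocked_ips
        if not super().allow(pkt, inbound):
            return False
        if not inbound:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True


class Layer7Firewall(StatefulFirewall):
    """Application-aware: also inspects payload bytes and blocks by source country."""
    def __init__(self, blocked_ips, inbound_ports, geo, blocked_countries, signatures):
        super().__init__(blocked_ips, inbound_ports)
        self.geo = geo                              # constructed IP -> country map
        self.blocked_countries = set(blocked_countries)
        self.signatures = list(signatures)          # constructed byte patterns

    def allow(self, pkt, inbound):
        if inbound and self.geo.get(pkt.src) in self.blocked_countries:
            return False
        if any(sig in pkt.payload for sig in self.signatures):
            return False
        return super().allow(pkt, inbound)
```

Note that a reply on an unpublished port is dropped by the stateless filter but admitted by the stateful one, which is the difference the text describes.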
What does firewall software cost?
Depending on the size and scope of your business, next-generation firewall protection can cost from $500 to $10,000 or more. A good mid-range firewall that would suit most applications costs between $2,000 and $4,000.
Why such a big price range?
The cost of a firewall ties directly to the features provided and the user support bandwidth. Other factors that affect price are encryption speed, remote access, cloud integration, application sophistication, amount of traffic (or throughput), and compliance requirements.
The bottom line is that if you don’t already have one, you need a next-generation firewall now.
Three Kinds of Firewalls: Cost, Limitations and More
There are three basic types of firewalls available in the market today: entry-level, mid-range and high-end firewalls.
Entry-level firewalls are an affordable way to get next-generation protection.
Entry-level firewalls cost between $500 and $1,000. They are often subscription-based and priced for a given number of users. That cost usually includes the hardware, a license subscription for support, and firmware upgrades for the next one to three years.
Who are they good for?
They are best suited for organizations of 40 or fewer employees who work at a single office location and primarily use computers to browse the Internet.
Their throughput is usually limited to 50-75 Mbps, and that may decrease if you use any Virtual Private Network (VPN) functionality on the device (IPsec, SSL, or remote access).
Entry-level firewalls have limited features. They have limited ability to link to the cloud and integrate with identity management (for multi-factor authentication). They are difficult to scale to changing business needs. Their dynamic routing capability is limited and they can’t do LTE backup (but they can use a redundant internet circuit).
These firewalls are typically “fail-open”: if your subscription lapses, the default is to just let the traffic pass through without any further inspection. Your business keeps operating without firewall protection.
A few examples of entry-level firewalls are the lower-level Cisco Meraki MX series, SonicWall and WatchGuard.
Mid-range firewalls offer higher-end features and more flexibility than entry-level firewalls. While they are more expensive than entry-level, you get what you want for the premium price.
Mid-range firewalls cost between $2,000 and $4,000. They are available by subscription.
Who are they good for?
They are a good choice for businesses with more than 40 employees or multiple sites, in addition to smaller businesses that regularly use complex applications.
If you have compliance requirements (like NIST, PCI, HIPAA, etc.), this may be where you start looking for a suitable product that has the encryption levels (e.g. FIPS 140-2) and advanced logging capabilities for your environment.
Mid-range firewalls provide more robust remote-access capability and are specifically designed for handling SD-WAN comfortably. They offer more multi-factor authentication ability and cloud integration. They have greater throughput capacity and are scalable, providing more room for growth to respond to business needs.
They also offer dynamic routing.
Some mid-range firewalls also offer virtual options for those starting to need firewall functionality in their cloud deployments. Many firewall vendors now offer cloud integrations with AWS, Azure, Google Cloud, Oracle Cloud, and others.
Kelser worked with a healthcare provider that was expanding to 10 locations. They had basic firewall protection, but they needed SD-WAN and wanted to improve their security posture with next-generation features.
They also wanted cloud integration and increased remote access. They invested in a mid-range firewall at their main location and smaller units at the satellite offices, providing reasonable pricing and LTE backup. They now have a consistent security posture across all their locations.
Examples of mid-range firewalls are Fortinet, Cisco ASA, and Palo Alto.
In simplest terms, high-end firewalls can handle a greater workload faster.
High-end firewalls can cost $10,000 and up.
Who are they good for?
They are good for organizations with multiple data centers and distributed workloads.
High-end firewalls use dynamic routing and can handle applications that require major throughput (10GB and up with 5,000 connections). At Kelser, we helped a multi-site hospital system implement a high-end firewall to support wireless access for guests and patients as well as streaming capability, so patients can watch Netflix. High-end firewalls are also a good choice for time-sensitive applications like e-commerce, voice, and day trading.
High-end firewalls offer features like robust remote-access ability and dual-factor authentication capability. They use optic throughput for better voice transmission. They also can handle internal segmentation, applying specific security measures to different parts of the internal network.
It is easy to accommodate business growth in high-end firewalls with modular scaling for additional processing power, memory, and physical port requirements.
High-end firewalls are available as physical appliances and can also be deployed in the most complex cloud computing environments. On-premises units are tightly integrated with real-time, updated cloud services provided by the vendor and included with your subscription.
They constantly monitor for new threats and push updates to your network before threats can get to it.
Cloud integration also makes it possible to keep the firewall and switching on-site while connecting over a virtual private network (VPN) to a licensed virtual instance of the firewall running in the cloud.
A high-end firewall’s ability to be customized can be a double-edged sword. Customization is good for your business long-term but short-term, it can make installation more complex, leading to a longer, more detailed deployment schedule. The customization also can make it more complex to manage.
Cisco, Fortinet, and Palo Alto all have models that can be classified in the high-end firewall category.
Ready To Upgrade Your Firewall?
In the same way that any car can get you from point A to point B, all firewalls provide the same service. But, like a car, it’s what’s under the hood that makes the difference in terms of quality, speed, and longevity. And, you will likely pay more for the features you want and need.
We can help you explore an upgrade that will protect your business with minimal impact on productivity.