August 20, 2018
firewall, APIs, SDN, software defined networking, DN7200, next-generation firewall, IDS, Intrusion Detection System, IPS, Intrusion Prevention System, DLP, Data Loss Prevention, DDOS, Distributed Denial of Service, NAT, Network Address Translation, Layer 3 Firewall, Stateful Firewall, Layer 7 Firewall, WAF, Web Application Firewall, Forward Proxy, Reverse Proxy, Load Balancer, Routing, Router, policy management, public cloud integration, VPN, SSL, IPsec, FIPS 140, Programmability, Identity-based Firewall, NSX
Large data center environments accrete layers of solutions that overlap functionally over time. Assessing the current solution set with an eye to reducing the number of solutions in use can create opportunities for operational improvements and cost reductions.
Nemertes undertook a “paper evaluation” of the network and security solutions used by XYZCo, a large organization with multiple data centers. For a set of six solutions from Check Point, Cisco, F5, Palo Alto Networks, and VMware, we scored each solution on a broad array of specific functions grouped into 16 functional capability areas. The areas reflect roles the solutions might play in the environment, ranging from router or load balancer to Web Application Firewall or Intrusion Prevention System.
Based on the evaluation, we determined that (on paper) XYZCo should be able to dispense with its Check Point and Cisco solutions, with the remaining solutions taking over the functions those two provided.
Should testing at scale in a production-like environment bear out the vendors’ claims regarding all the needed functionality, XYZCo has other work ahead of it: doing a thorough analysis of the impact on staff and staffing; redesigning the network as needed to take advantage of the new systems; designing a new management structure and infrastructure; and assessing the impact on costs of all this change, including training costs, inventory management costs, gain of leverage with some vendors, and loss of leverage with others.
Table of Contents
- Executive Summary
- Too Much of a Good Thing
- Less is More
- A Typical Large Enterprise Case: Meet XYZCo
- The Platforms Under Review
- Review Methodology
- Functional Requirements
- Capability Area 1: Routing
- Capability Area 2: Layer 3 Firewall
- Capability Area 3: Layer 7 Firewall
- Capability Area 4: Intrusion Detection System
- Capability Area 5: Intrusion Prevention System
- Capability Area 6: Load Balancing
- Capability Area 7: VPN Endpoint Support
- Capability Area 8: Data Loss Prevention
- Capability Area 9: Forward Proxy
- Capability Area 10: Reverse Proxy
- Capability Area 11: Network Address Translation (NAT)
- Capability Area 12: Web Application Firewall
- Capability Area 13: Firewall on Authenticated Identity
- Capability Area 14: Software-Defined Networking (SDN) Ready
- Capability Area 15: Public Cloud Integration
- Capability Area 16: Global Policy Management
- An Example Evaluation Matrix: Load Balancing
- Whose Cuisine Reigns Supreme? Who Gets Chopped?
- Challenges and Concerns
- Need for Detailed Cost Analysis
- Potential Staff Training and Certification Requirements
- Revisions in Network Architecture and Topology
- Management and Orchestration Rationalization
- Conclusions and Recommendations