Should one go for a URL Filtering as an add-on to NGFW or just deploy a Web proxy, instead?
I am one who advocates that firewalls with URL Filtering can't serve better than Web security solutions (i.e., a Web proxy).
What's your opinion?
Over 50% of security vulnerabilities are non-Web based traffic, such as DNS, DDOS etc and this is where some Web Proxys fall short as they only inspect the Web traffic that is forwarded to them, NGFW's provide superior protection at the edge to inspect all traffic for on-prem users locally.
This is where a SASE solution can help for remote working by providing best of both worlds capabilities such as SWG, NGFW, ZTNA, CASB etc delivered from a Cloud architecture in a unified (single-pass) manor, protecting 'All Traffic from Any user/device anywhere not just Web.
Use a Web Proxy that will protect your users when they are working at home as well. The FW will provide protection when the user is behind it. The web proxy will protect the user at any place, anytime.
Hi @Oleg Pekar and @Manish Nalawade. Can you share your thoughts?
You are analyzing a central solution (perimeter), correct?
So, NGFW with URL filtering is simple & easy to go live without any issues.
But, what is going on with the endpoints, local URL filtering?
Web Proxy like Cisco Umbrella works very well, you have protection at home and at office, with a lot of employees working some days at home and others at the office is a great solution.
NGFW does streaming based scanning it means it will pass the packet as it received due to which there is high probability of malware getting passed via Firewall. Where as Proxy wait for complete
Hi Edwin
organization size ?I think the NGFW should do all the work for you if configured properly eg deep packet inspection and not just certificate inspection mode on the policies.
With deep packet inspection the Firewall will deconstruct and reconstruct the packet this will give you full visibility into network traffic and network protection.
The NGFW like fortigate will also give you protection when connected to the public network through sslvpn with tunnel mode enabled such that all your traffic goes through the HQ when browsing resulting in the same policies that you use when onsite to be the same when you are offsite.
@PrideChieza NGFW coupled with internal resources, e.g. domain controllers, gives a great breakdown per area and scopes well. A FortiGate integrated with user groups can act as a firewall and per group web filter, and yes, if deep packet inspection is really needed can be tweaked to allow very specific traffic. +1 for it doing the had work for you.
This depends on many factors like size of organization, how organization is geo-spread, type of NGFW and Proxy you are looking at or you have. And where proxy is deployed, onprem or cloud? With cloud you have additional options and companies like Zscaler and Netskope started to eat this part of market.
Hi infosec pros,
When choosing to purchase a firewall for an enterprise, what are the most important features and "must-haves" you'd be looking for?
Thanks for sharing your opinions!