There’s a lot of pressure on CISOs to button up their networks to make them impervious to breaches. That’s a mission impossible, of course. But it can lead to infosec pros looking for the perfect appliance that solves everything — like a next-generation firewall.

But in a blog post, U.S. security consultant Kevin Beaver reminds IT departments that next-generation firewalls (NGFWs) might not be the right solution for every environment, despite the advantage of being application-aware.

In particular, he urges security pros to ask the following questions:

  • Is consolidating multiple security controls into one system going to create a single point of failure? What about network performance?
  • Is each of the individual security controls (e.g., application-layer inspection and malware protection) truly what you need? If so, are they good enough to address the threats and vulnerabilities your business faces, given your environment and its unique circumstances?
  • Are the monitoring and reporting features adequate for your real-time needs? What about for compliance and auditing?
  • How will these features help reduce your known risks?
  • How does your vendor’s support measure up? Do you feel comfortable that they’ll be there when the going gets rough? Are they forthcoming with information and quick to patch their own security flaws?

“The potential for risk investing in next-generation firewalls certainly exists — i.e., spending good money on something you didn’t need, especially when other common security basics haven’t yet been addressed,” he writes. “If you’re going to go down the path of next-generation firewalls, ask yourself — and especially prospective vendors — the hard questions.”