Which is better: a one-vendor firewall strategy, or a two-vendor firewall strategy?  Why?

Anonymous Author
There is no right answer here; well, the right answer is "it depends" :)

From a security standpoint, it's best to have multiple vendors and multiple firewalls in this case. If there is a zero-day vulnerability in a firewall from Vendor 1, then the firewall from Vendor 2 will likely not be affected.

Now, having multi-vendor firewalls is more challenging from a support and employee-training standpoint. It is easier to get your team trained on supporting one firewall vendor and keeping up with all the new features than training on multiple firewall products. I have been on both sides of the fence, and it's way easier from a management/organizational side to deal with one vendor/product, but that doesn't mean it's the best approach.

Cost is likely higher in a multi-vendor strategy. Let's say you need to buy 1000 firewalls. If you buy them from one vendor, your purchasing power is higher, so you can negotiate better pricing versus buying 250 firewalls from each of 4 different vendors. In the case above, if you need to purchase firewall management software to manage all the policies remotely, firmware updates, etc., having one management product to manage 1000 firewalls will very likely be cheaper than four different vendor management products.

If you are an MSP, then it makes sense to have a multi-vendor strategy so you can offer an entry-level firewall, a mid-range firewall, and an enterprise-level firewall depending on the client. They can all be from different vendors, and the differentiators here are price, support, features, etc.

Again, it's hard to tell what is better without knowing more about your use case and environment.
1 upvotes
Anonymous Author
I think had a great answer. The only thing, speaking as someone who is not an MSP, is to also look at what other tools you have in place to mitigate risk if you have a single vendor. As he said, multiple firewalls are likely impractical due to cost, both because of capital outlays/lack of pricing power and because of support. Like anything else in security there is give-and-take, so we try to look at the best way to deploy our capital from a TCO perspective. In this case I might look at putting the savings from using one vendor towards other tools such as NAC.

If I were an MSP, however, a tiered approach with multiple vendors makes sense, as customers will have different price points and you'd want flexibility in terms of being able to integrate with varying tech stacks on the customer side.

While firewalls are an incredibly important tool in any security stack, I think it's imperative that they are considered just that, and we need to consider the marginal return of diversifying risk in one component of the stack as opposed to addressing other potential threat vectors that might not be as well protected.
0 upvotes