Three Things to Consider Before Implementing Next Generation Firewalls

Increased use of applications, mobility, virtualization, and network security consolidation as well as the evolution of sophisticated threats has driven the evolution of the traditional stateful firewall to what is commonly referred to as a next-generation firewall (NGFW).

These next-gen firewalls are chock full of features and functionality that provide newfound levels of policy granularity and control – Application Control, IPS, anti-malware, email security and more – all in one box. However, with this increased control comes more complexity that must be addressed in advance. For example, without properly sizing the NGFW capabilities you plan to use for the environment, firewall performance can drop off significantly. And without careful design and maintenance, a poorly optimized NGFW policy can turn what was a single rule allowing HTTP into a policy of 10,000 new rules, one per application – creating more opportunity for error and risk.
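The rule-explosion problem above is easiest to see with a small policy audit. The following is an added example, not code from the article or from any firewall vendor: it models an NGFW rule base as constructed sample data, flags per-application rules that are already shadowed by a broader port-based rule, and merges runs of adjacent per-application rules into one rule with an application list (merging only adjacent rules keeps evaluation order intact).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source zone
    dst: str      # destination zone
    app: str      # NGFW application id, or "any" for a port-only rule
    service: str  # "tcp/80", "tcp/22", or "any"
    action: str   # "allow" or "deny"

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a ("any" is a wildcard)."""
    wild = lambda x, y: x == "any" or x == y
    return (wild(a.src, b.src) and wild(a.dst, b.dst)
            and wild(a.app, b.app) and wild(a.service, b.service))

def shadowed_rules(rules):
    """Return (later, earlier) name pairs where an earlier rule already covers a later one.
    Shadowed rules never fire; in an NGFW policy they are pure complexity."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found

def consolidate(rules):
    """Merge consecutive per-application rules that differ only in app into one
    (src, dst, service, action) rule carrying an application list."""
    merged = []  # list of (key, [apps]); order preserved
    for r in rules:
        key = (r.src, r.dst, r.service, r.action)
        if r.app != "any" and merged and merged[-1][0] == key and "any" not in merged[-1][1]:
            merged[-1][1].append(r.app)
        else:
            merged.append((key, [r.app]))
    return merged

# Constructed sample policy (hypothetical zones and application ids).
RULES = [
    Rule("web-out",  "inside", "outside",    "any",           "tcp/80", "allow"),
    Rule("facebook", "inside", "outside",    "facebook-base", "tcp/80", "allow"),
    Rule("webex",    "inside", "outside",    "webex-meeting", "tcp/80", "allow"),
    Rule("dropbox",  "inside", "outside",    "dropbox",       "tcp/80", "allow"),
    Rule("dc-ssh",   "inside", "datacenter", "ssh",           "tcp/22", "allow"),
]

if __name__ == "__main__":
    print("shadowed:", shadowed_rules(RULES))
    print("consolidated:", consolidate(RULES))
```

On the sample, the three per-application rules are reported as shadowed by the legacy port-80 rule (the NGFW never evaluates them), and consolidation reduces five rules to three.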

Here are three key things to consider before implementing a next-generation firewall:

1. Define the NGFW features you want to turn on.

Size capabilities such as IPS, Application Control, Identity Awareness, URL Filtering, Advanced Malware Detection, etc. to your environment’s requirements. Make sure you understand the performance impact if you decide to turn on additional features later on.

As part of a firewall refresh, one capability that is typically considered is intrusion prevention. Do you continue with your standalone solution or consolidate and leverage IPS capabilities found in many NGFWs? According to Gartner’s Magic Quadrant for Intrusion Prevention Systems, best-of-breed, next-generation IPS is still found in stand-alone appliances though this gap is closing as NGFWs continue to evolve. If the decision ends up being to use integrated IPS with the firewall, then make sure you properly size this capability and also leverage your current IPS configurations and continue to tune from there.

Another consideration is Identity Awareness. While this is an extremely useful capability, it is dependent on your current Active Directory (AD) setup. If your AD is poorly configured, then it will impact the effectiveness of the firewall’s identity awareness capability. The takeaway here is to make sure your AD is configured well before leveraging the identity awareness functionality.

And finally, make sure you educate users about the policy implications of these newly added security features. For example, if application control is turned on, give your users a heads up on what apps are allowed/not allowed per the implemented policy. While this won’t completely eliminate end-user issues, it should help reduce them.

2. Identify where the NGFW will provide you with the best return.


While NGFWs provide more granular capabilities, there are certain places within the network where deploying them is more appropriate than others. Let’s examine some optimal deployment scenarios we’ve compiled by speaking with customers, integrators and analysts. (NOTE: every environment is different, and your specific environment’s needs should be considered.)

Start at the Edge to Filter Web-based Traffic. The first and primary point in the network to focus on for NGFW deployment is external Internet traffic, because many applications are Internet applications, such as Facebook, P2P, email and web meeting tools. The edge is where NGFWs can significantly improve your security if the right policies are applied. From there, you can add as necessary to branch offices and to the data center, where you should know what applications are running on data center servers and who has been granted access.

Implement in Dedicated Segments of the Network. Anywhere you have separated and dedicated locations for servers and gateways may be an appropriate place for an NGFW. Examples include PCI DSS segmentation, remote/mobile user segmentation as well as segmenting the network to support Bring Your Own Device (BYOD) initiatives.

3. Security Policy Management. Keep in mind that your organization’s network almost certainly has other devices (and in turn other policies) that must be managed as well, including traditional firewalls, routers, Secure Web Gateways and more. How will you manage policy across all of these devices? And what’s the impact? We’ll drill into these policy management questions in our next installment.

Threats today are much more sophisticated and targeted than what we were dealing with when stateful firewalls were first developed. Now next-generation firewalls provide us with more visibility and control, but as with most technology, you can’t just drop them into your network without careful planning and consideration as they can introduce new levels of complexity.
