Firewall Migrations: Five Ways to Maximize Security Resilience & Availability

If you are planning an upgrade or migration to next-generation firewalls (NGFWs), it is not just an opportunity to gain richer functionality and a wider range of protections. It is also an excellent time to review your entire security architecture; to ensure it maximizes the value and efficiency of all your security devices, while minimizing the risk of network downtime. This latter point is particularly compelling, as analyst firm Gartner states that the average cost of downtime across a range of industry sectors is well over $300,000 per hour – supporting Benjamin Franklin’s proverb that ‘an ounce of prevention is worth a pound of cure.’

But what does the right architecture look like, and how should you go about building it into your network? By following the five best practice techniques outlined here, you can ensure that your security architecture maximizes your company’s overall security posture and its efficiency.

1: Reduce risks of downtime

Reducing the risk of downtime begins with examining your overall architecture and identifying the potential points of failure or performance issues. The crucial structural feature to avoid is serial inline deployment, in which traffic is passed from one security appliance to the next. Here, a failure in any single device can stop traffic flow and cause a network outage – which in turn leads to substantial drops in productivity, revenue and even business reputation.

The simple alternative is to use modular bypass switches in front of firewalls and other security appliances. These switches must continually monitor all inline devices, ensuring that they are ready to receive traffic. If a device goes down, the bypass switch should steer traffic around it until it is back online.

One potential problem with this approach, however, is that it creates a trade-off between security and network uptime – bypassed traffic may not be inspected with normal levels of rigor while a device is down. This in turn leads to the second best practice.

2: An efficient load balancing act

Pairing the bypass switch with a network packet broker (NPB) introduces the added ability to see and inspect inside network packets, and route them only to the appliances that are appropriate for that type of traffic. This might mean, for example, routing non-HTTP/HTTPS traffic around a web application firewall, as there is no benefit from it passing through.

This intelligence-based traffic balancing reduces the unnecessary processing burden on individual appliances, making them less likely to become overwhelmed and fail. Once again, network efficiency and security strength are maximized – with the added peace of mind from knowing that all traffic is being inspected by the most relevant tools.

3: Clever configuration for high availability

With modular bypass switches and NPBs in place, the next step is to configure them for optimum availability. Many NPBs, for example, can be deployed in what is called Active-Active mode. This provides automatic and instantaneous recovery from the failure of any device in the security architecture, while keeping the remaining healthy security devices in use. Clever configuration is about delivering high availability during normal operations, while fully protecting traffic if and when a device does go down. Done right, users detect no downtime, and security monitoring is unaffected.
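As an added illustration (not code from the article or from Keysight), the steering behaviour of best practices 1 to 3 modelled in Python: a constructed fleet of inline appliances, a constructed port-based traffic classifier and the NPB policy table are all assumptions, and `serial_inline` is included only to contrast the chained deployment the article warns against.

```python
from dataclasses import dataclass


@dataclass
class Appliance:
    name: str
    function: str          # inline role this box performs: "ngfw", "waf", ...
    healthy: bool = True   # maintained by the bypass switch's heartbeat checks


# Constructed NPB steering policy: inline functions each traffic class must traverse.
POLICY = {"http": ["ngfw", "waf"], "other": ["ngfw"]}


def classify(dport):
    """Constructed classifier: only web traffic gains anything from the WAF."""
    return "http" if dport in (80, 443) else "other"


def steer(dport, appliances, load=None):
    """Bypass switch + NPB in Active-Active mode.

    Returns (path, bypassed): the appliances the flow traverses, and the
    functions it skipped because no healthy instance was left. A non-empty
    `bypassed` list is the trade-off from best practice 1: the link stays up,
    but that flow was not inspected by the bypassed function.
    """
    load = {} if load is None else load          # per-appliance flow counts
    path, bypassed = [], []
    for function in POLICY[classify(dport)]:
        candidates = [a for a in appliances if a.function == function and a.healthy]
        if not candidates:
            bypassed.append(function)            # steer around the failed function
            continue
        chosen = min(candidates, key=lambda a: load.get(a.name, 0))  # least loaded
        load[chosen.name] = load.get(chosen.name, 0) + 1
        path.append(chosen.name)
    return path, bypassed


def serial_inline(dport, appliances):
    """Contrast: a serial inline chain with no bypass switch.

    Every flow crosses every device, so one unhealthy device stops traffic
    entirely (None) instead of merely degrading inspection.
    """
    if any(not a.healthy for a in appliances):
        return None
    return [a.name for a in appliances]
```

Running `steer` with a shared `load` dict across flows shows the balancing of best practice 2; marking an appliance unhealthy shows the failover of best practice 3 and, once a whole function is down, the uninspected bypass of best practice 1.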

4: Better visibility with NPBs

It is important not to assume that increasing the number of security devices in your architecture automatically minimizes risk. The larger and more complex your network gets, the greater the probability of network blind spots. Visibility is an equally crucial principle. An advantage of NPBs is that they provide a comprehensive view of your network environment. They capture and aggregate traffic, eliminate data duplication, and strip away unnecessary detail. They can even pre-filter known bad traffic, based on either the originating address or geographic location, allowing you to make intelligent decisions about what traffic to block from reaching your network in the first place.

Out-of-band monitoring tools are best-suited for analyzing network performance, identifying trends and responding to compliance requests. That is, they support the comprehensive and intelligent network visibility that is vital in today’s enterprises. The best tools can be managed remotely and produce customized reports for compliance purposes, supporting the state of continuous compliance that is increasingly demanded.

5: Future-proofing your architecture

In a world in which dynamic agility is king and social media can spread frustration related to a company’s downtime faster than ever before, customer experience and application availability are vitally important. Future-proofing your security architecture with high-speed bypass switches and powerful NPBs eliminates network downtime caused by unplanned device failure, deployments, maintenance or upgrades. You can also maximize uptime for your security infrastructure, reduce the load on security appliances, and therefore extend their useful lifespans, while generating efficient traffic analysis. In addition, you can support growth in network traffic with minimal new investment. Collectively, these benefits help to protect your business against the need for expensive and disruptive future network adjustments.

Bypass switches and network packet brokers create a network security architecture that simultaneously delivers robust protection and operational efficiency – an architecture that works harder for your company, and is able to heal itself in the event of an outage. In terms of security, prevention truly is better – and cheaper – than a cure.

Written By

Marie Hattar is chief marketing officer (CMO) at Keysight Technologies. She has more than 20 years of marketing leadership experience spanning the security, routing, switching, telecom and mobility markets. Before becoming Keysight’s CMO, Marie was CMO at Ixia and at Check Point Software Technologies. Prior to that, she was Vice President at Cisco where she led the company’s enterprise networking and security portfolio and helped drive the company’s leadership in networking. Marie also worked at Nortel Networks, Alteon WebSystems, and Shasta Networks in senior marketing and CTO positions. Marie received a master’s degree in Business Administration in Marketing from York University and a Bachelor’s degree in Electrical Engineering from the University of Toronto.
