Increased use of applications, mobility, virtualization, and network security consolidation as well as the evolution of sophisticated threats has driven the evolution of the traditional stateful firewall to what is commonly referred to as a next-generation firewall (NGFW).
These next-gen firewalls are chock full of features and functionality that provide newfound levels of policy granularity and controls – Application Control, IPS, anti-malware, email security and more – all in one box. However, with this increased control comes more complexity that must be addressed in advance. For example, without properly sizing the NGFW capabilities you plan to use for the environment, firewall performance can drop off significantly. And without careful design and maintenance, a poorly optimized NGFW policy could take what was a single rule allowing http, and become a policy that includes 10,000 new rules, one per application – creating more opportunity for error and risk.
Here are three key things to consider before implementing a next-generation firewall:
1. Define the NGFW features you want to turn on.
Size capabilities such as IPS, Application Control, Identity Awareness, URL Filtering, Advanced Malware Detection, etc. to your environment’s requirements. Make sure you understand the performance impact if you decide to turn on additional features later on.
As part of a firewall refresh, one capability that is typically considered is intrusion prevention. Do you continue with your standalone solution or consolidate and leverage IPS capabilities found in many NGFWs? According to Gartner’s Magic Quadrant for Intrusion Prevention Systems, best-of-breed, next-generation IPS is still found in stand-alone appliances though this gap is closing as NGFWs continue to evolve. If the decision ends up being to use integrated IPS with the firewall, then make sure you properly size this capability and also leverage your current IPS configurations and continue to tune from there.
Another consideration is Identity Awareness. While this is an extremely useful capability, it is dependent on your current Active Directory (AD) setup. If your AD is poorly configured, then it will impact the effectiveness of the firewall’s identity awareness capability. The takeaway here is to make sure your AD is configured well before leveraging the identity awareness functionality.
And finally, make sure you educate users about the policy implications of these newly added security features. For example, if application control is turned on, give your users a heads up on what apps are allowed/not allowed per the implemented policy. While this won’t completely eliminate end-user issues, it should help reduce them.
2. Identify where the NGFW will provide you with the best return.
While NGFWs provide more granular capabilities, there may be certain places within the network where it may be more appropriate to have them deployed. Let’s examine some optimal deployment scenarios we’ve compiled by speaking with customers, integrators and analysts.(NOTE: every environment is different and your specific environment needs should be considered):
• Start at the Edge to Filter Web-based Traffic. The first and primary point to focus on in the network for NGFW deployment is for external Internet traffic because many applications are Internet applications, such as Facebook, P2P, email, web meeting tools. Deploying at the edge is where NGFWs can significantly improve your security if the right policies are applied. From there, you can add as necessary to branch offices and to the data center, where you should know what applications are running on data center servers and who has been granted access.
• Implement in Dedicated Segments of the Network. Anywhere you have separated and dedicated locations for servers and gateways may be an appropriate place for a NGFW. Examples include PCI DSS segmentation, remote/mobile user segmentation as well as segmenting the network to support Bring Your Own Device (BYOD) initiatives.
3. Security Policy Management. Keep in mind that your organization’s network almost certainly has other devices (and in turn other policies) that must be managed as well, including traditional firewalls, routers, Secure Web Gateways and more. How will you manage policy across all of these devices? And what’s the impact? We’ll drill into these policy management questions in our next installment.
Threats today are much more sophisticated and targeted than what we were dealing with when stateful firewalls were first developed. Now next-generation firewalls provide us with more visibility and control, but as with most technology, you can’t just drop them into your network without careful planning and consideration as they can introduce new levels of complexity.