Next-gen firewalls: Key considerations to make the most of your investment

You’ve purchased a next generation firewall. You understand the WHY, but HOW do you make the most of your investment? What’s NEXT?

When it comes to next-generation firewall technology, determining the best implementation methodology can be a bit daunting, from trying to determine which features to enable first or how to enable new capabilities without impacting users or critical business functions.

It can be a risky proposition to try to enable all the advanced functionality and capabilities in a next-generation firewall at the initial deployment. So risky, in fact, that organizations attempting to do so fail in some way nearly every time. It’s like the good old days of routers, before firewalls were put in place. How do you put a firewall in place to control traffic without complete knowledge of all the required traffic flows so you don’t break something in the process?

Many organizations chose to put the firewall in place with an “allow all” rule and turned on logging so that they gained visibility into the traffic traversing the firewall. After some time passed, organizations then scrutinized the firewall logs, developed appropriate rules to allow the required traffic, removed the “allow all” rule, and put into effect the default deny rule. Similarly, when organizations decided to implement Intrusion (News - Alert) Detection, the normal methodology was to first deploy the sensors in IDS mode, develop appropriate rules and configurations based on the observed logs, then place the sensor in IPS mode, effectively implementing the prevention technology.

This is the exact approach to use when deploying next-generation firewall technology, including the following steps:

• If the existing legacy firewall is being replaced, migrate the existing security policy to the next-generation firewall; otherwise, deploy the NGFW behind the legacy firewall inline.
• Apply all the security features that enable visibility, including user identification, application identification, URL filtering, IPS, antivirus, antispyware, and file inspection.
• Once the NGFW is in place for some time, analyze log output to determine the appropriate enforcement actions to take.
• Enable enforcement rules and blocking actions on the NGFW.
• Fully enable application and user-based policies and security rules.
• Remove and decommission legacy firewall.

The process can take weeks or months to complete, meaning this should not be a “set it and forget it” deployment. Care should be taken so you don’t enable too many new features at one time. With careful planning and a clear way forward, it’s possible to deploy NGFW technology with little to no impact on end users and critical business processes, while drastically improving the security posture of your network, providing increased visibility and enforcement capability.

About the Author: Chris Yates is a Senior Security Architect for Critical Start. Chris has more than 25 years of IT experience, including a decade focused on Information Security. As a Department of Defense employee, he spent 14 years in the public sector. In the private sector, his experience spans the transportation, electric utility, and healthcare industries. A recognized speaker at regional and national security conferences, Yates has delivered insights on security architecture, the security impacts of converged infrastructure, and next generation security tools. He also teaches networking and network security at Southern Nazarene as an adjunct professor.