Putting the NEXT in Next Generation Firewall: Tales From the Field

You’ve purchased a next-generation firewall. You understand the why, but how do you make the most of your investment? What’s next?

When it comes to next-generation firewall technology, determining the best implementation methodology can be a bit daunting. You may ask yourself:

• What features should I enable first?
• How do I enable these new capabilities without impacting users or critical business functions?

It’s a risky proposition to try to enable all the advanced functionality and capabilities in a next-generation firewall at the initial deployment. So risky, in fact, that organizations that attempt to do so fail in some way 100% of the time. (Okay – I kind of made that statistic up, but with the order of magnitude of capability increase, it should be apparent that this is a risky thing to do.) It’s much like the good old days before we put firewalls in place and only had routers. How do we put a firewall in place to control traffic without complete knowledge of all the required traffic flows so that we don’t break something in the process?

What many organizations chose to do was to put the firewall in place with an ‘allow all’ rule, and turned on logging so that they gained visibility into the traffic traversing the firewall. After some time then, the firewall logs were scrutinized, and appropriate rules were developed to allow the required traffic, and the “allow all” rule was removed, and the default deny rule was put in effect. Similarly, when organizations decided to implement Intrusion Detection, the normal methodology was to first deploy the sensors in IDS mode, develop appropriate rules and configurations based on the observed logs, then place the sensor in IPS mode, effectively implementing the prevention technology.

It turns out that this is the exact approach to use when deploying next-generation firewall technology.

• If the existing legacy firewall is being replaced, migrate the existing security policy to the next-generation firewall, otherwise, deploy the NGFW behind the legacy firewall inline.
• Apply ALL of the security features that enable visibility. (user identification, application identification, URL filtering, IPS, antivirus, antispyware, file inspection)
• Once the NGFW is in place for some time, analyze log output to determine the appropriate enforcement actions to take.
• Enable enforcement rules and blocking actions on the NGFW.
• Fully enable application and user-based policies and security rules.
• Remove and decommission legacy firewalls.

This process can take weeks or months to complete, so you shouldn’t consider this a ‘set it and forget it’ deployment, and care should be taken to not try to enable too many new features at one time. With careful planning and a clear way forward, it’s really possible to deploy NGFW technology with little to no impact on end users and critical business processes, while drastically improving the security posture of your network, by providing increased visibility and enforcement capability.

by Chris Yates | Senior Security Architect, CRITICALSTART
March 1, 2018