Next Gen Firewalls: Maximizing Security and Resilience
Next-generation firewalls (NGFWs) are fast becoming the ‘now generation’ of firewalls: a recent survey found that NGFWs represent half of the current firewall infrastructures in nearly 300 of the 600 organizations polled, and that just 7% of respondents said they had not yet deployed NGFWs in their networks.
NGFWs deliver a lot of advantages over conventional appliances - such as application awareness and more granular control over traffic and access - but they are not a silver bullet that can defeat any network threat. Simply replacing existing firewalls with NGFWs does not automatically improve an organization’s security posture. To get the full benefit of their capabilities, it’s important to match them with a network architecture designed to support their functions. Of course you also want to make sure you minimize the risk of downtime due to outages or failures in the process.
Information Security Buzz recently published our article looking at how companies can ensure their networks are structured for maximum security and resilience when they are planning a migration from conventional firewalls to NGFWs, and here’s a recap of the five key principles we outlined.
1. Inventory your potential points of failure
Minimizing downtime begins with the actual structure of your architecture. The classic mistake is to depend too heavily on serial inline deployment, passing traffic in a linear way from one security device to another. If one device fails, the entire pathway fails – which is something to be avoided at all costs. Instead, deploy modular bypass switches in front of firewalls to continually monitor all inline devices, and steer traffic around one should it fail.
2. Load balance your traffic
In the event of a failure, or traffic bursts that go over capacity, bypassed traffic might not be inspected at all. This is where network packet brokers (NPBs) come in. The simple ones can load balance across multiple tools and offer options for decryption. The more advanced ones can be programmed to monitor the status of each tool, to fail over in specific ways, and even to identify traffic from trusted sources so it can pass through with only minimal inspection. This intelligence-based traffic routing reduces the unnecessary processing burden on individual security appliances, making them far less likely to fail or become bottlenecks.
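As an added illustration (not code from the original article), here is a toy model of the two deployment styles above: a serial inline chain that goes down with any single device, and a broker that steers each flow to the least-loaded healthy tool and, when no tool can take it, either bypasses it (fail-open) or drops it (fail-closed). Tool names, capacities and flow labels are constructed, and the point to notice is that fail-open bypass must be recorded, since that traffic was never inspected.

```python
from dataclasses import dataclass, field

@dataclass
class Tool:
    name: str
    capacity: int        # flows this tool can inspect at once (constructed figure)
    healthy: bool = True
    load: int = 0        # simplified: flows never terminate, so load only grows

def serial_path_up(chain):
    """Serial inline deployment: every device is in the path,
    so one failed device takes the whole pathway down."""
    return all(t.healthy for t in chain)

@dataclass
class Broker:
    """Minimal packet-broker model: load balancing, health-aware failover."""
    tools: list
    fail_open: bool = True                            # bypass switch behaviour
    uninspected: list = field(default_factory=list)   # audit trail of bypassed flows
    dropped: list = field(default_factory=list)       # flows refused under fail-closed

    def route(self, flow):
        """Send a flow to the least-loaded healthy tool with spare capacity;
        with none left, bypass (fail-open) or drop (fail-closed)."""
        candidates = [t for t in self.tools if t.healthy and t.load < t.capacity]
        if not candidates:
            if self.fail_open:
                self.uninspected.append(flow)   # passed uninspected: must be logged
                return "bypass"
            self.dropped.append(flow)
            return "drop"
        tool = min(candidates, key=lambda t: t.load)   # ties go to the first tool
        tool.load += 1
        return tool.name

def run(broker, flows, fail_at=None):
    """Route flows in order; fail_at=(index, tool_name) marks a tool
    unhealthy just before that flow arrives, simulating a mid-run outage."""
    assignments = {}
    for i, flow in enumerate(flows):
        if fail_at and i == fail_at[0]:
            next(t for t in broker.tools if t.name == fail_at[1]).healthy = False
        assignments[flow] = broker.route(flow)
    return assignments

if __name__ == "__main__":
    broker = Broker([Tool("fw-A", 2), Tool("fw-B", 2)])
    print(run(broker, ["f1", "f2", "f3", "f4", "f5", "f6"], fail_at=(3, "fw-A")))
    print("uninspected:", broker.uninspected)
```

Running it shows flows spread across both tools until fw-A fails, fw-B absorbing traffic up to its capacity, and the remaining flows landing in the uninspected list, which is exactly the gap the text warns about.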
3. Configure with care
If your security tools are inline, you had better have a bypass switch. If you have multiple security tools - and who doesn't these days - you are employing a bypass plus an NPB that you want to program with specific failover instructions. Now it is all about programming simplicity. You may be a master at command line interface programming and can draft hundreds of instructions without fail, but how many like you are in your org? And would you trust that programming to anyone else? I didn't think so. An intuitive drag-and-drop GUI that allows you to create rules and makes sure each connection is valid before allowing it would make everyone sleep better.
4. Visibility, visibility, visibility
More security devices don’t automatically equal minimized risk. As your network grows and becomes more complicated, visibility into that network becomes ever more important, as it allows rapid identification of vulnerabilities and infections, and any anomalies in traffic flow and device behavior. You need visibility into your traffic that can scale as your business scales. You need advanced features like a Security Fabric that provide visibility with security in mind.
5. Think about the future
A truly robust and efficient network architecture doesn’t just support outstanding security and performance today – it also supports you into the future. High-speed bypass switches and powerful NPBs eliminate network downtime caused by unplanned device failure, deployments, maintenance or upgrades, and in turn help protect your company’s reputation. They also reduce the load on security appliances, extending their useful lifespans, and generate intelligence that can feed into business and IT growth strategies.
So when planning or deploying NGFWs, it’s an excellent time to consider a next-generation network infrastructure to match.