As more organizations consider implementing next-generation firewalls (NGFWs), network teams have to consider a...
number of possible changes in design and firewall architecture within their data center environments. To determine the proper placement for NGFW platforms, it's key to determine the most appropriate use cases for your deployment. The most common NGFW deployment scenarios are as follows:
- NGFW as firewall replacement: Many organizations are considering a NGFW purchase as current firewall infrastructure approaches end of life (EOL) or licenses come up for renewal. In these scenarios, the NGFW platform will likely sit inline where the previous firewall was located. As with a traditional firewall, redundancy and load balancing for traffic (clustering capability) is essential.
- NGFW as IPS replacement: Enterprises are also considering NGFW devices to replace existing intrusion prevention system sensors and infrastructure. Depending on the models chosen, this may be a more costly purchase, but it's a reasonable consideration for organizations that need another layer of application inspection in addition to a base set of IPS functions at limited numbers of locations within their networks. Unfortunately, NGFW platforms may not scale as well as a more traditional IPS infrastructure, and the cost of deployment may go up significantly by taking this approach, as IPS platforms are usually deployed inline at locations such as major ingress points, DMZ zones and behind VPN platforms. Ensure NGFW platforms have fail-open or bypass mechanisms to allow traffic in a failure scenario; active-active or active-passive pairing is also recommended if possible.
- NGFW as firewall and IPS replacement: For organizations looking to condense security infrastructure specifically, and have EOL and license renewal scenarios coming up, the purchase of an NGFW may make a lot of sense operationally. If a single platform can meet the organization's needs, and additional layers of defense in depth are in place, then this is a sound option for reducing costs and operational overhead for management and maintenance. In this scenario, network consolidation may be possible because the NGFW can replace multiple devices. The key considerations for this scenario are: a) port density; b) redundancy and availability options; and c) aggregate throughput.
- NGFW as additional control: For organizations looking to add another layer of defense, particularly those that are swapping out a secondary firewall layer or just adding a new layer, NGFW platforms can provide a range of new security features. Placement in your architecture will depend on what functionality you are using. For user identification and passive monitoring, devices can be placed "out of band" using taps or mirroring if necessary. For any blocking actions, though, inline placement will be required where the traffic passes through.
A key attribute of any next-generation firewall architecture being evaluated should be speed. Given the intense processing and analysis of packets coming through any NGFW device, traffic latency must be a major concern. Many products boast sustained speeds of 10 gigabit and more, but these should be tested thoroughly with real production traffic if possible before making a purchase, especially if the product will be placed inline. For organizations looking to inspect Secure Sockets Layer (SSL) traffic with the NGFW platforms, all SSL traffic you want to inspect must be routed to the system, either through normal traffic flow or by using intelligent taps or SSL traffic brokers. Many NGFS platforms experience significant latency with SSL decryption and inspection enabled, however, so you should carefully test it prior to deployment. And regardless of the deployment scenario, test it for throughput under load and have clustering and redundancy options available.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security, lead faculty at IANS and a SANS analyst, senior instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance and network architecture and engineering.