
Shifting to next-gen firewalls changes security dynamics

Next-generation firewalls offer a lot of capabilities. But how do you add them into your security portfolio?

Next-generation firewalls (NGFWs) are all the rage in the information security community. Vendors are clamoring to gain a foothold in enterprises with new and enhanced products that promise to bring contextual awareness to network security. Network professionals considering their first NGFW deployment project should make sure they address some key questions before getting started. These include the rationale for deploying the technology, identifying the location(s) that would most benefit from deploying next-gen firewalls, and selecting the capabilities that are suited for a particular environment.

Moving from niche products to NGFWs

The current security environment in many organizations involves the use of disparate technologies that focus on one particular component of the organization's security strategy. For example, network security services often come in the form of firewalls, intrusion detection and prevention systems, network access control and data loss prevention services. While using this approach allows the enterprise to select the most suitable product in each category, it presents the added challenge of managing and monitoring these standalone systems.

The next-gen firewall brings many different security technologies together on a single device. Network security features fit alongside desktop security, content filtering and other components of the security infrastructure. This provides network administrators with a single management interface for multiple systems and, even more important, allows those features to share threat and asset information. The true value of NGFWs is the consolidated monitoring they offer, providing administrators with a clearer view into enterprise security than they achieved with niche products.

Placing NGFWs on the network

The benefits of NGFWs come with a price, of course. In this case, that cost comes in the form of a premium price tag when compared with other technologies. Network professionals considering an NGFW deployment should carefully consider the locations on the network that would most benefit from its enhanced security services. For example, it may not be cost-effective to deploy an NGFW at the organization's border. Instead, consider deploying NGFWs at selected chokepoints on the internal network where they have the most value.

The first priority for placing NGFW technology in most organizations is protecting services that are exposed to the Internet. Web servers, mail servers and other devices that must allow public access are at the greatest risk for attack and, therefore, stand to benefit the most from NGFW protection. For this reason, any DMZ networks are good candidates for NGFWs.

Once you've protected your DMZs, consider turning to other high-value network segments. Are there particular classes of users that are at greater risk -- either because of the types of data they handle or the activities they undertake? For example, a network segment containing credit card point-of-sale terminals would be an excellent location for NGFW technology, providing rapid response when threats such as the BackOff point-of-sale malware hit.

Selecting NGFW capabilities

Networking and security teams should collaborate when selecting the specific NGFW capabilities they will deploy. There are two reasons that a conservative approach to capability selection is appropriate. First, the administrators responsible for network security must be prepared to operate and monitor the new capabilities. Second, many capabilities are separately licensed and require an upfront and ongoing investment to maintain.

The most straightforward approach is to choose an NGFW platform that offers all of the services you expect to deploy in the long term, but to license only those that you plan to use immediately. Roll out a set of services that closely matches the services you currently offer on disparate niche products and then take some time to properly transition the team to the NGFW. Once things are under control, consider deploying new capabilities one at a time until you reach your desired end state.

Next-gen firewalls have great promise for improving the efficiency and effectiveness of both networking and security teams. Organizations should take care to select an NGFW strategy that places devices in locations where they will achieve the most value and carefully deploy a set of services that balances security needs with operational requirements.

About the author:
Mike Chapple, Ph.D., CISA, CISSP, is a senior director of IT with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He is a technical editor for and Information Security magazine and the author of several information security books, including the CISSP Prep Guide and Information Security Illuminated.

This was last published in December 2014