3 Tips for Next-Generation Firewalls: Sizing and Deployment
By Sam Erdheim
Increased use of applications, mobility, virtualization, and network security consolidation as well as the growth of sophisticated threats has driven the evolution of the traditional stateful firewall to what is referred to as a next-generation firewall. One of the highlights from Gartner's IT Market Clock for Infrastructure Protection 2011 is that next-generation firewalls will increase the commoditization of stateful firewalls within the next couple of years.
These next-generation firewalls (NGFWs) are chock full of features and functionality that provide newfound levels of policy granularity and controls -- application control, IPS, anti-malware, e-mail security and more -- all in one box. However, with this increased control also comes more complexity that -- if not planned for and managed well -- can cause more harm than good. If you do not properly size the NGFW capabilities you plan to use in your environment, firewall performance can drop off significantly. Without careful design and maintenance, a poorly optimized NGFW policy could take what was a single rule allowing HTTP and turn it into a policy that includes 10,000 new rules, one per application, creating more opportunity for error and risk.
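To illustrate the rule-sprawl risk described above, the following Python example (added here, not from the original article or from any firewall vendor) merges adjacent per-application rules that share source, destination and action, then checks that the consolidated policy makes the same first-match decision for every flow. The Rule model, the zone names and the application names are assumptions made for the example.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Rule:
    src: str          # source zone (hypothetical names)
    dst: str          # destination zone
    apps: frozenset   # application names this rule matches
    action: str       # "allow" or "deny"

def first_match(rules, src, dst, app, default="deny"):
    """Return the action of the first rule matching the flow, top-down."""
    for r in rules:
        if (r.src, r.dst) == (src, dst) and app in r.apps:
            return r.action
    return default

def consolidate(rules):
    """Merge runs of adjacent rules that differ only in application."""
    # Only neighbours merge, so no rule moves past one with a different action.
    merged = []
    for r in rules:
        last = merged[-1] if merged else None
        if last and (last.src, last.dst, last.action) == (r.src, r.dst, r.action):
            merged[-1] = Rule(r.src, r.dst, last.apps | r.apps, r.action)
        else:
            merged.append(r)
    return merged

def equivalent(a, b):
    """Check that both policies decide every zone/application combination alike."""
    zones = {z for r in a for z in (r.src, r.dst)}
    apps = set().union(*(r.apps for r in a))
    return all(first_match(a, s, d, app) == first_match(b, s, d, app)
               for s, d, app in product(zones, zones, apps))

def rule(src, dst, app, action):
    return Rule(src, dst, frozenset({app}), action)

# Constructed sample policy: one rule per application, as in the sprawl case.
POLICY = [
    rule("users", "internet", "web-browsing", "allow"),
    rule("users", "internet", "webmail", "allow"),
    rule("users", "internet", "web-meeting", "allow"),
    rule("users", "internet", "p2p", "deny"),
    rule("users", "internet", "facebook", "deny"),
    rule("users", "internet", "facebook", "allow"),  # shadowed by the deny above
    rule("admins", "datacenter", "ssh", "allow"),
]
```

Calling consolidate(POLICY) reduces the seven sample rules to four, and equivalent(POLICY, consolidate(POLICY)) confirms the decisions are unchanged, including the shadowed facebook rule that still never matches.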
There are three key things to consider before you implement a next-generation firewall.
1. Determine and plan for the NGFW features you plan to use for your environment.
Size the capabilities (such as IPS, application control, identity awareness, URL filtering, and e-mail security) as necessary, and understand the performance impact if you decide to turn on additional features later.
As part of a firewall refresh, one capability that is typically considered is intrusion prevention. Do you continue with your standalone solution or consolidate and leverage IPS capabilities found in many next-generation firewalls? According to Gartner's Magic Quadrant for Intrusion Prevention Systems, best-of-breed, next-generation IPS is still found in standalone appliances, though this gap is closing as NGFWs continue to evolve. Before making this decision, consider the following:
- Does your incumbent firewall offer a viable NGFW option?
- Do you need to separate the firewall and IPS for organizational or operational reasons?
- Is it most important to have best-of-breed IPS?
- Are there places in the network where you need IPS but don't need a firewall?
If you decide to use integrated IPS with the firewall, make sure you size this capability properly, leverage your current IPS configurations, and continue to tune from there.
Consider the identity awareness capability that NGFWs provide. Although this is an extremely useful capability, it is dependent on your current Active Directory (AD) setup. A poorly configured AD will impact the effectiveness of the firewall's identity awareness capability, so make sure your AD is properly configured before leveraging the identity awareness functionality.
Finally, make sure you educate users about the policy implications of these newly added security features. For example, if application control is turned on, explain to your users what apps are allowed/not allowed per the implemented policy. This won't completely eliminate end-user issues, but it should reduce them.
2. Identify the optimal places in your network where the next-generation capabilities will provide you with the best return.
Although NGFWs provide more granular capabilities, there are certain places within the network where it may be more appropriate to deploy them. Let's examine some optimal deployment scenarios we've compiled by speaking with customers, integrators, and analysts. Every environment is different, and the specific needs of your environment should be considered:
-- Start at the edge to filter Web-based traffic: The first and primary point to focus on for NGFW deployment is external Internet traffic, because many applications are Internet applications, such as Facebook, P2P, e-mail, and Web meeting tools. The edge is where NGFWs can significantly improve your security if the right policies are applied. Then you can add NGFWs as necessary to branch offices and to the data center, where you should know what applications are running on data center servers and who has been granted access.
-- Implement in dedicated segments of the network: Anywhere you have separated and dedicated locations for servers and gateways may be an appropriate place for an NGFW. Examples include PCI DSS segmentation, remote/mobile user segmentation, and security policy management.
PCI DSS segmentation: For organizations that must comply with PCI DSS, you may want to segment your PCI environment from the rest of your network and then run PCI risk queries against this environment and report on compliance status. NGFWs can help here because of deeper policy granularity at an application and user level.
Remote/mobile user segmentation: With increased user mobility (i.e., the same person appearing in different places with different IP addresses, so that policy applies to a device tied to a person as opposed to an IP address), routing this traffic through an NGFW may make sense; for example, to conduct user-based filtering where mobile users connect through VPN, or for WiFi traffic.
Security policy management: Your organization's network almost certainly has other devices (and, in turn, other policies) that must be managed as well, including traditional firewalls, routers, and secure Web gateways. How will you manage policy across all of these devices, and what's the impact? We'll drill into these policy management questions in the second part of our discussion.
A Final Word
Threats today are much more sophisticated and targeted than what we were dealing with when stateful firewalls were first developed. Now, next-generation firewalls provide more visibility and control, but as with most technology, you can't just drop them into your network without careful planning and consideration because they also introduce new levels of complexity.
Next week we'll examine policy considerations and how to manage security policy in a mixed environment.
Sam Erdheim is the director of security strategy at AlgoSec, a specialist in network security policy management. You can contact the author at firstname.lastname@example.org.