More Tips for Next-Generation Firewalls: Security Policy Management

By Sam Erdheim

In the first part of our discussion we examined what to consider and what steps to take before implementing a next-generation firewall. This week we will examine policy considerations and how best to manage security policy when you have a mixed environment.

In a recent survey, The State of Network Security 2012, 84 percent of respondents asked if NGFWs help them feel more secure answered yes, confirming the value of NGFWs for most organizations. Nearly half (47 percent) cited better control as the reason for a greater feeling of security, and more than a third (37 percent) cited increased visibility.

However, 76 percent of respondents noted the administrative burden of managing next-generation firewalls. When specifying the reasons NGFWs have added to the workload, 41 percent stated that their NGFW policies were managed separately from traditional firewall policies, and 23 percent said additional policies must be managed.

Organizations considering adopting NGFWs would be well advised to centralize and automate their firewall policy-management processes across their entire enterprise. Automating these processes can help organizations reap the full benefits that next-generation firewalls provide without increasing the operational workload, decreasing firewall performance, introducing risk, and/or slowing down the business.

Typically, a next-generation firewall is implemented into a defense-in-depth architecture (i.e., an environment that also has traditional firewalls, Secure Web Gateways, an IPS, etc.) and the policy enforcement capabilities within each device type are not equal. The most common approach to replacing a traditional firewall with a NGFW is to migrate the policy. Although different vendors have their own homegrown tools for conversion, you want to also leverage a firewall policy management solution that can compare the policies between the two different firewalls to ensure that the NGFW is properly configured.

Once this is done, you can remove the original, stateful firewall from the network and rely upon the NGFW which will be working as if it were a stateful firewall (at this point the NGFW isn't leveraging application or identity awareness). Alternatively, you can leave the original firewall in place; many organizations prefer a defense-in-depth approach where the next-generation firewall runs behind the traditional firewall to provide an additional layer of security.

The NGFW will pull in application, user, and group information that can be used to slowly build out more granular policies. For example, if the old rule number 14 is the most used rule in the report, you can dig into this more with a filter to show that the rule is only supporting Flash and SharePoint. With this information, you can then fine-tune the rule to allow only these two applications so there is no impact to the business but also no unnecessary exposure.

With either approach, it makes sense to gradually extend your policies to improve security without impacting business productivity. If after 30, 60, 90, or 120 days (use an interval that works for your business, but make sure you aren't forgetting anything that is only used annually and may not be picked up in this shorter "learning mode" session) you are using only 10 of 100 applications, you have some decisions to make. Continue to monitor usage (more on this shortly). Leverage the application categories delivered with next-generation firewalls (categories and information vary by vendor) and which are also updated by the firewall vendor to ease policy management. If one category contains 273 applications but you only want to provide access to five specific applications of this type, you can block the category and add exceptions for those five in use.

Once your policies are properly migrated over to the NGFW, how you optimize and manage these policies over time is of great importance, especially within the context of your entire network. Remember that it's not just the next-generation firewall policy that you have to analyze and manage, you most likely have other devices as well (i.e., traditional firewalls, routers, etc.). Managing your security policy across all of these devices (which, in addition to being different device types, can also be from multiple vendors and different models) is a major challenge. Otherwise you're managing policy in multiple silos which is one of the major pain points identified in The State of Network Security 2012.

Here are six additional tips:

Tip #1: Tune your policies

Run regular reports to spot new applications on the network and to understand any trends and impacts from a security and performance perspective. Such actionable intelligence regarding application usage is extremely helpful in optimizing policies and removing unused applications from policies. Identify rules that can be tightened based on application and user/user group needs. For example, if an application is only required by one group of users (i.e., the marketing team needs access to Facebook), that application can be opened to that specific group and others are restricted.

Tip #2: Reorder rules to improve performance

Because firewalls sequentially sift through endless rule sets to identify the rule that matches every packet, another way to optimize your next-generation firewall policy is to reorder rules based on throughput (rules where there is heavier application usage should be on top). This can help address any potential performance issues and delay what otherwise would be necessary hardware purchases.

Tip #3: Identify rules to remove from the rule base

Oftentimes firewall rules are forgotten and even duplicated through change requests. Being able to identify these types of rules can significantly help you reduce the overhead on your admin team and on the firewall.

Tip #4: Run regular risk queries

Whether running a query from your DMZ to Internal or against specific applications, there are many known risks and configuration best practices you can leverage (i.e., NIST, PCI, etc.) to identify vulnerable rules and understand the remedies. You should also define acceptable applications for your organization and create exceptions or segment by users/user groups as needed.

Tip #5: Ensure continuous compliance

Run reports to ensure that your policies are in compliance with regulatory requirements (such as PCI DSS and SOX) and your own internally defined standards.

Tip #6: Automate the firewall change request process

Maintain your optimized and risk-free policy over time by automating the firewall change-request process. With traditional firewalls, the primary fields for change management consist of source, destination and port, but with NGFWs it expands to source, destination, port, and users and applications, creating more opportunities for change requests to pile up very quickly.

A Final Word

NGFWs deliver more granular control than traditional firewalls by being application and user aware, which is a boon for IT security professionals and business users to ensure better security without impacting user productivity. However, that is not to say that next-generation firewalls don't come with their own set of challenges. Just as standard firewalls need to be managed due to the complexity of having thousands of rule sets and the potential for errors, the need increases greatly with NGFWs and their application control/whitelisting capabilities which introduce new layers of policy and new security tools that must be managed in the context of the broader network.

Sam Erdheim is the director of security strategy at AlgoSec, a specialist in network security policy management. You can contact the author at