As the threats against our systems and networks evolve, so too should the defensive technology that we rely on.
Next-generation firewalls promise to provide us with better, faster and more intelligent solutions than previous generations of firewalls have. Deeper packet analysis, built-in intrusion detection, application-aware capabilities and integrated anti-virus technologies are just some of the features that these next-generation firewalls promise will better secure our networks.
While it is a welcome step forward that these features will now be integrated into firewalls rather than bolted on as additional options, or indeed in separate systems, we should remember that technology by itself is not a silver bullet in protecting our systems.
Time and again, the problems we see in securing networked systems lie not in the firewall technology itself but in how that technology is managed and supported. Next-generation firewalls, for all their features, will likely suffer the same fate unless those problems are addressed. The old information security axiom of people, process and technology still holds true when choosing a next-generation firewall.
- As with all platforms, different suppliers offer different solutions with varying features. When reviewing a next-generation firewall for your environment, ensure the features offered are both suitable and actually required. Unnecessary services running on your firewall can degrade performance, while unused services add to the attack surface available to anyone trying to break into the firewall itself.
- Make sure you identify the correct specifications for the expected network load the next-generation firewall will manage. Remember, next-generation firewalls have to do a lot more processing on each network packet than traditional firewalls. This extra processing will have an impact on throughput, so don't simply replace your existing firewall with a similarly sized next-generation firewall. Size it against the vendor's figures for the inspection features you intend to enable, not the headline throughput quoted with those features switched off.
- Determine whether you will be able to integrate next-generation firewalls with existing management platforms, or whether you will have to upgrade or replace these systems. Having multiple management systems not only adds to the cost of managing your security infrastructure, but also to the skill sets required of staff.
- Make sure the log format employed by the selected next-generation firewall can be ingested by your log management or security information and event management (SIEM) solution, and that the new event types it produces (application identification, intrusion detection, anti-malware) carry enough context to give you a usable view of the threats facing your network.
- New technologies bring with them new features, which in turn require new skill sets. It is critical to ensure that those responsible for managing the next-generation firewalls, whether they are internal or outsourced staff, receive the proper training to manage and secure them. Remember, those skills will now extend beyond the traditional firewall management techniques understood by firewall administrators and into the area of deep packet analysis, intrusion detection systems, securing application traffic and anti-malware.
- Firewalls, next-generation or otherwise, still only control traffic that crosses the boundaries they sit on, whether at the network perimeter or between internal segments. Security threats can come from many other sources, so security awareness training for all staff is still critical: a user who clicks a link or opens an attachment in an e-mail or message can bring a threat in over a channel the firewall has been configured to permit.
- The biggest challenge when deploying a next-generation firewall is determining what it is going to do. Therefore it is essential that a comprehensive policy is developed outlining what services, applications, protocols and networks should be allowed through the firewall. Agreeing with the business beforehand what can and cannot be accessed through the firewall will ensure only those services and applications required are available. Any changes to the policy should be risk assessed and agreed with the business before implementing.
- No business remains static, and as the corresponding IT requirements change over time, alterations to your firewall will be required. However, unmanaged and/or unauthorised changes can weaken your firewall's defences by opening unnecessary ports or undermining firewall rules. Therefore it is critical that you ensure you have a formal and robust change management process in place to manage all those changes effectively and ensure they do not undermine the security of the firewall.
- Regular reviews of the firewall rules should be conducted to ensure they are optimised from a performance point of view, that rules do not shadow or contradict one another (a later rule that an earlier rule already matches can never fire, so its intent is silently lost), and to remove rules that are no longer required, for example those that have recorded no matches over the review period.
- All systems have bugs and next-generation firewalls are no exception. Keep abreast of software patches and upgrades for your firewall, and ensure they are tested and applied promptly and properly.
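The rule review described above can be partly automated. The following is an added example, not code from the article: a small offline checker over a constructed rule base that reports rules shadowed by an earlier rule (flagging a differing action as a conflict and the same action as redundancy), rules with a zero hit count, and whether the rule base ends in an explicit catch-all deny. It assumes a simplified first-match model (action, protocol, source CIDR, destination CIDR, destination port range) and a per-rule hit counter of the kind most firewalls export; the rule names and addresses are invented.

```python
"""Review a firewall rule base for shadowed, redundant and unused rules.

Added example with a constructed rule set; not code from the article.
Assumes a first-match rule model and a per-rule hit counter exported
from the firewall's own statistics.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # source CIDR
    dst: str         # destination CIDR
    ports: tuple     # (low, high) destination port range, inclusive
    hits: int = 0    # matches seen since the last counter reset


ANY = "0.0.0.0/0"
ALL_PORTS = (0, 65535)


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer, inner):
    """True if every packet that matches `inner` also matches `outer`."""
    if outer.proto not in ("any", inner.proto):
        return False
    o_src, o_dst, i_src, i_dst = map(_net, (outer.src, outer.dst, inner.src, inner.dst))
    if o_src.version != i_src.version or o_dst.version != i_dst.version:
        return False
    return (i_src.subnet_of(o_src) and i_dst.subnet_of(o_dst)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def find_shadowed(rules):
    """Rules that can never fire because an earlier rule already matches
    everything they would. A different action is a conflict (the later
    rule's intent is silently overridden); the same action is redundancy.
    Only single-rule shadowing is detected: a rule hidden by the union of
    several earlier rules is not reported."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.name, earlier.name, kind))
                break
    return findings


def find_unused(rules):
    """Rules with a zero hit count: removal candidates once the business
    owner confirms the traffic is genuinely no longer needed."""
    return [r.name for r in rules if r.hits == 0]


def has_default_deny(rules):
    """The rule base should end in an explicit catch-all deny."""
    probe = Rule("probe", "deny", "any", ANY, ANY, ALL_PORTS)
    return rules[-1].action == "deny" and covers(rules[-1], probe)


# Constructed sample rule base, in first-match order, with hit counters
# as a firewall would export them.
SAMPLE_RULES = [
    Rule("allow-web", "allow", "tcp", ANY, "10.0.1.0/24", (443, 443), hits=120_000),
    Rule("allow-dns", "allow", "udp", "10.0.0.0/8", "10.0.2.53/32", (53, 53), hits=88_000),
    # Meant to block one partner range from a single host, but allow-web
    # above already permits that traffic: this rule never fires.
    Rule("deny-web-legacy", "deny", "tcp", "203.0.113.0/24", "10.0.1.10/32", (443, 443), hits=0),
    # Fully contained in allow-web: adds evaluation cost and nothing else.
    Rule("allow-web-dup", "allow", "tcp", "198.51.100.0/24", "10.0.1.0/24", (443, 443), hits=0),
    # Reachable but unused: the FTP server was decommissioned.
    Rule("allow-ftp", "allow", "tcp", ANY, "10.0.3.0/24", (20, 21), hits=0),
    Rule("deny-all", "deny", "any", ANY, ANY, ALL_PORTS, hits=5_000),
]

if __name__ == "__main__":
    for later, earlier, kind in find_shadowed(SAMPLE_RULES):
        print(f"{kind}: {later} is shadowed by {earlier}")
    print("unused:", ", ".join(find_unused(SAMPLE_RULES)))
    print("default deny present:", has_default_deny(SAMPLE_RULES))
```

Running it on the sample reports `deny-web-legacy` as a conflict with `allow-web` (the block was never effective), `allow-web-dup` as redundant, and `allow-ftp` as unused but reachable. Note that the hit counts corroborate the structural findings: the two shadowed rules show zero hits because they can never match, which is why the checker reports both, and why a zero hit count alone should not be read as "safe to delete" without also checking whether the rule is simply being shadowed by one you intended to keep.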
Next-generation firewalls provide us with tools and features to better protect our networks, but as with all tools they are only as good as those using them. So, when selecting your preferred next-generation firewall, make sure you consider the people and process elements of the overall solution, as well as the technical elements.
Brian Honan is recognised internationally as an expert in the field of information security.
This was first published in July 2012