Dos and don’ts for next-gen firewalls

Plug it in and turn it on? Next-generation firewalls just aren’t that simple. Here’s advice from the experts on choosing the right device and getting the most it.

DO understand the new management paradigm. Policies and rules are built around applications and users, not just ports and protocols, and will be tightly tied to business practices—authorized and ad hoc—that are very different. However, once the admins get the knack, rule sets will be more streamlined and specific.

“There’s a learning curve; you come to deal with terms that are much more human-understandable, using user names and groups instead of IP addresses,” says Oded Gonda, vice president of network security at Check Point. “It requires some patience for people used to working in a very network-centric role.”

DO have policies controlling application use. Have at least basic application policies that can be translated into rules that take advantage of next-gen capabilities, rather than simply transferring old rules without regard to what you are now able to do. This enables users to productively use applications that may have been banned or severely restricted.

“Organizations that already have a policy, or goals, or a culture of what they can do, will be much more successful,” says Young. “I see a lot of dissatisfaction when organizations don’t have those policies, [and they] bring in application control and don’t have anything to enforce.”

DO consider the incumbent vendor. Retraining and re-creating your rule base can be a major disruption. While next-gen requires some rule changing, there’s generally more headaches associated with changing vendors. If you have a major investment in a firewall vendor across a large, distributed enterprise, account for the level of change you’re talking about. Young recommends planning for two- and five-year windows with the aim of reducing or eliminating multiple firewall vendors.

DO service branch offices as well as central locations. Next-gen firewalls from the same vendor should be deployed in branch offices. If you have UTM appliances in branch offices, plan on replacing them with appropriately sized appliances as you bring in the next-gen technology. This will allow central management, one-source service and uniform policy administration.

DON’T ignore the value of application visibility. There is considerable value in simply monitoring application and user activity through the next-gen firewall, even if you already have Web application acceptable-use policies in place. You will see activities and application usage that you may have been unaware of, that will help you tweak existing rules or create new rules and policies, and avoid restricting or blocking productive business activity.

“There’s an element of discovery in terms of what was going over the wire that helped me visualize potential threats or hot spots I didn’t necessarily anticipate,” says Rahbany.

DON’T forget proprietary applications. These are not the apps you’re going to be watching for unauthorized activity—at least not through your firewall—but you want to make sure you do no harm.

“It’s a bit of a weak link for a lot of vendors,” says Phifer, “Most have some methodology for identifying them.” She recommends taking a sampling of proprietary applications, crafting rules and policies, and finding out whether there is a risk of blocking legitimate apps or generating false positives.