This post was contributed by James Tolosa
Greg Young, research vice president for Gartner, predicts that 30 percent of enterprises will deploy a next-generation firewall by 2017. In this never-ending fight to secure your business against Internet threats, hackers, and malware, a next-generation firewall is a strong addition to any network security strategy. A next-generation firewall packs features such as application control, user visibility, content filtering, and intrusion prevention into a single platform that secures growing cloud and mobile applications. Most next-generation firewalls allow you to manage all of these capabilities from a single pane of glass.
If you are upgrading to a next-generation firewall, there are several things to consider:
Replacing your current firewall with a new next-generation firewall without proper testing can lead to disastrous results. Build a lab that resembles the production environment and run simulated traffic if possible. Here’s a short list of items to review while testing:
- Firewall rule set: This determines what traffic is allowed into and out of the network and what is denied. Perform as much research as possible to determine what rules need to be created.
- Performance: Yes, you sized your new firewall hardware according to your old firewall specs. When you add new features such as application control and malware scanning, the old specs may not be enough. You may need to scale up in order to get the proper performance.
- Configuration: The new interface and reporting look VERY cool! But have you taken the time to gather input from other team members on their thoughts regarding administration of the firewall? How about creating VPNs and firewall rules? What seems cool and simple for one person isn't always the same for the next!
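As an added example (not from the original post), a small Python harness for the rule-set review above: it replays a constructed traffic matrix through the old and the new rule set using first-match-with-implicit-deny semantics and flags every flow whose verdict changed, so a forgotten rule shows up in the lab rather than on cutover night. The normalized rule format, the addresses and the flows are all constructed for illustration.

```python
import ipaddress
from collections import namedtuple
# A rule: name, source CIDR, destination CIDR, protocol ("tcp"/"udp"/"any"),
# destination port (None = any), action ("allow"/"deny"). Constructed format.
Rule = namedtuple("Rule", "name src dst proto port action")

def matches(rule, flow):
    """flow = (src_ip, dst_ip, proto, dst_port)"""
    src, dst, proto, port = flow
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.port in (None, port))

def evaluate(rules, flow):
    """First-match evaluation with an implicit final deny, as firewalls do."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"

def compare_policies(old, new, flows):
    """Flows whose verdict changes: 'regression' = old allowed, new denies
    (an outage waiting to happen); 'exposure' = old denied, new allows."""
    diffs = []
    for flow in flows:
        old_action, old_rule = evaluate(old, flow)
        new_action, new_rule = evaluate(new, flow)
        if old_action != new_action:
            kind = "regression" if old_action == "allow" else "exposure"
            diffs.append({"flow": flow, "kind": kind,
                          "old": f"{old_action}:{old_rule}", "new": f"{new_action}:{new_rule}"})
    return diffs

# Constructed sample policies (RFC 5737 documentation addresses, not real hosts).
OLD_RULES = [
    Rule("web-out", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443, "allow"),
    Rule("admin-ssh", "10.0.5.0/24", "203.0.113.10/32", "tcp", 22, "allow"),
]
NEW_RULES = [  # re-keyed by hand on the new box: admin-ssh was missed, dns-out added
    Rule("web-out", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443, "allow"),
    Rule("dns-out", "10.0.0.0/8", "0.0.0.0/0", "udp", 53, "allow"),
]
TEST_FLOWS = [  # constructed traffic matrix: flows the business relies on, plus a control
    ("10.0.5.20", "203.0.113.10", "tcp", 22),   # admin SSH to the jump host
    ("10.0.1.4", "198.51.100.7", "tcp", 443),   # normal web browsing
    ("10.0.1.4", "198.51.100.7", "udp", 53),    # DNS to an external resolver
    ("192.0.2.9", "198.51.100.7", "tcp", 443),  # non-LAN source, must stay denied
]
```

Run `compare_policies(OLD_RULES, NEW_RULES, TEST_FLOWS)` and every "regression" entry is a rule to add before cutover, while every "exposure" entry is a new opening to justify or close.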
Build a deployment and back-out plan
Things to remember when building a firewall deployment plan:
- Inform business stakeholders of the impending firewall upgrade. All application traffic traverses the appliance to access the Internet. You will want to make sure that all parties are aware when their applications may be offline. Administrators should schedule maintenance during off-peak hours, preferably on weekends, to minimize the impact to the business.
- Have a back-out plan: So your firewall upgrade didn't go as planned. Network traffic wasn't flowing as usual. Maybe the appliance wasn't powering up once it was installed. A few tips on how you can avoid such catastrophic events:
- Have your previous firewall ready to re-insert into the network. The unit was previously working and should suffice until the issue can be resolved.
- If you have the luxury of multiple firewall appliances, configure a secondary unit in case the first one fails. You’ll be happy the second unit was configured and the maintenance was successful on the first try!
Adopting a next-generation firewall provides several benefits: stronger security against Internet hackers and stealthy malware, and better performance than traditional stateful firewalls. Take time to plan your deployment strategy carefully. The goal is to minimize network outage scenarios that may impact core business hours and productivity.