Nov 04 2013

Beef Up Security With a Next-Generation Firewall

These best practices will help protect your network.

The deployment of a next-generation firewall (NGFW) requires a well-planned and well-executed implementation strategy. Attention to detail is essential for the deployment of one of the most critical pieces of security infrastructure within a network. Frequently, downtime or latency issues within a network will start at the firewall. Effective deployment of an NGFW can prevent these problems.

In terms of access, control and segmentation, many similarities exist between standard and next-generation firewalls. The NGFW contains the base feature set of a firewall, along with additional functionality that can be found in complete product classes such as secure web gateways (for example, URL filtering) and intrusion prevention systems.

The primary function of an NGFW is to protect users rather than servers: the features that set it apart (application identification, URL filtering, user-based policy) apply to client traffic leaving the network, so a next-generation firewall is better suited to deployment at the network perimeter than in a data center environment. Additionally, application-level control can consolidate and streamline the current firewall rule set, because one application-based rule can replace many port- and address-based ones.

Infrastructures, policies and regulatory compliance efforts vary from agency to agency, so an IT shop can’t rely on a “cookie cutter” NGFW implementation. However, any organization deploying an NGFW should consider several standard best practices.

Performance Considerations

Successful implementation of an NGFW requires a solid, fact-based foundation. IT administrators must make sure they have a detailed understanding of a network’s performance numbers. This knowledge will help to ensure that an optimal NGFW solution is deployed, which will save the enterprise time and money.

Agencies must review network performance metrics and their year-over-year changes. As network speeds increase from year to year, so does the richness of the content. When making future calculations, IT teams should include the performance overhead to ensure that an NGFW does not become a bottleneck for network traffic.

Performance Metrics

An agency’s network performance averages will fluctuate daily depending on various functions, and these performance averages may be cyclical (for example, many regulatory deadlines create greater traffic for compliance reporting). Considering such metrics will help an agency avoid deployment of an unsuitable device. IT administrators should produce performance reports at least monthly and specifically track:

  • Transactions per second
  • Connections per second
  • Peak performance bandwidth
  • Off-peak performance bandwidth
  • Average mix of Secure Sockets Layer/Transport Layer Security (SSL/TLS) encrypted versus cleartext client traffic. This number is critical if SSL/TLS decryption is enabled, because decryption cost on the appliance scales with the encrypted share of traffic. An off-box SSL/TLS decryption solution is recommended; if an agency decrypts on the NGFW itself, it should make sure the solution can cluster and scale.
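The report the list above asks for can be produced from the existing firewall's connection logs. The following script is an added example, not code from the original article or from any vendor: it assumes a simple per-connection log line of "timestamp protocol destination-port bytes" (a constructed sample is embedded), classifies TLS by destination port, and treats 08:00 to 17:59 as peak hours. Both of those classification rules are assumptions to adjust for a real environment.

```python
"""Derive NGFW sizing metrics from per-connection firewall logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log. Assumed line shape: "<ISO timestamp> <proto> <dst_port> <bytes>".
# Not any vendor's real log format.
SAMPLE_LOG = """\
2013-10-01T09:00:00 tcp 443 52000
2013-10-01T09:00:00 tcp 80 12000
2013-10-01T09:00:00 tcp 443 8000
2013-10-01T09:00:01 udp 53 300
2013-10-01T09:00:01 tcp 443 91000
2013-10-01T22:00:00 tcp 80 4000
2013-10-01T22:00:01 tcp 443 6000
"""

TLS_PORTS = {443, 993, 995, 8443}   # assumption: classify TLS by destination port only
PEAK_HOURS = range(8, 18)           # assumption: business hours count as peak


def parse(log_text):
    """Return a list of (timestamp, proto, dst_port, bytes) tuples."""
    conns = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, port, nbytes = line.split()
        conns.append((datetime.fromisoformat(ts), proto, int(port), int(nbytes)))
    return conns


def connections_per_second(conns):
    """Return (peak cps, average cps) over the seconds that saw any traffic."""
    per_sec = Counter(ts.replace(microsecond=0) for ts, _, _, _ in conns)
    return max(per_sec.values()), sum(per_sec.values()) / len(per_sec)


def bandwidth_by_period(conns):
    """Average bytes per active second, separately for peak and off-peak hours."""
    totals = defaultdict(int)
    seconds = defaultdict(set)
    for ts, _, _, nbytes in conns:
        period = "peak" if ts.hour in PEAK_HOURS else "off-peak"
        totals[period] += nbytes
        seconds[period].add(ts.replace(microsecond=0))
    return {p: totals[p] / len(seconds[p]) for p in totals}


def tls_mix(conns):
    """Fraction of connections and of bytes that are TLS, judged by destination port."""
    tls = [(port, b) for _, proto, port, b in conns if proto == "tcp" and port in TLS_PORTS]
    total_bytes = sum(b for _, _, _, b in conns)
    return len(tls) / len(conns), sum(b for _, b in tls) / total_bytes


def sizing_report(log_text):
    """Collect the metrics the article lists into one dictionary."""
    conns = parse(log_text)
    peak_cps, avg_cps = connections_per_second(conns)
    tls_conn_frac, tls_byte_frac = tls_mix(conns)
    return {
        "peak_cps": peak_cps,
        "avg_cps": avg_cps,
        "bandwidth_bytes_per_sec": bandwidth_by_period(conns),
        "tls_connection_fraction": tls_conn_frac,
        "tls_byte_fraction": tls_byte_frac,
    }


if __name__ == "__main__":
    for key, value in sizing_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run this monthly over the full log retention window rather than a single day, and keep the per-period output so year-over-year growth can be compared as the article recommends. Note that the byte-weighted TLS fraction, not the connection count, is the number that drives decryption sizing.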

Configuration Advice

Many products are capable of converting firewall rules to an NGFW. Some agencies may have 5,000 rules, while others have as many as 60,000. Converting this many rules to a new nomenclature is no small task, whether the conversion is done by hand or through a rule conversion tool.

The ability to configure application-centric policies will greatly reduce the current firewall's rule set, and it may even negate the need for a rule conversion tool. However, IT administrators should still perform an in-depth audit of the current firewall's rules before migrating any of them, since artifacts of previously allowed IP addresses and protocols often remain and would otherwise be carried into the new policy.

In some cases, audits have discovered that an agency unknowingly continued to allow connections to a third party with which it was no longer partnered. If documentation for questionable rules cannot be found, their IP addresses should be traced and monitored for activity.
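The audit described in the two paragraphs above can be partly automated against a rule export. The script below is an added example, not from the original article or any vendor tool: it assumes the rule base has been exported to a CSV with the columns id, src, dst, service, action, description and last_hit (a constructed sample is embedded), that documented rules carry a change-ticket reference of the form TKT-nnnn, and that a rule with no hit in 90 days is stale. It flags undocumented rules, rules with no or stale hits, and unrestricted any/any allows, which are the artifacts the text warns about.

```python
"""Audit a legacy firewall rule base before converting it to an NGFW (added example)."""
import csv
import io
from datetime import date, timedelta

# Constructed sample rule export. Assumed CSV shape, not any vendor's format.
SAMPLE_RULES = """\
id,src,dst,service,action,description,last_hit
10,10.1.0.0/16,any,tcp/80,allow,Web egress TKT-1021,2013-10-30
11,203.0.113.25,10.2.5.10,tcp/1433,allow,,2013-02-14
12,198.51.100.0/24,10.2.0.0/16,any,allow,Partner VPN TKT-0440,
13,any,any,any,allow,Temporary for migration TKT-0911,2013-10-31
14,any,10.2.5.20,tcp/443,allow,Public portal TKT-0712,2013-10-30
"""

AS_OF = date(2013, 11, 4)          # assumption: audit date (the article's publication date)
STALE_AFTER = timedelta(days=90)   # assumption: no hits in 90 days means the flow is gone
TICKET_MARKER = "TKT-"             # assumption: documented rules reference a change ticket


def load_rules(csv_text):
    """Parse the exported rule base into a list of dicts, one per rule."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_rules(rules, as_of=AS_OF):
    """Return (rule id, finding type, explanation) for every rule needing follow-up."""
    findings = []
    for r in rules:
        rid = r["id"]
        desc = r["description"].strip()
        if not desc or TICKET_MARKER not in desc:
            findings.append((rid, "undocumented",
                             "no change ticket; trace the endpoints and monitor before migrating"))
        last = r["last_hit"].strip()
        if not last:
            findings.append((rid, "never-hit",
                             "no recorded hits; likely an artifact of a retired flow"))
        elif as_of - date.fromisoformat(last) > STALE_AFTER:
            findings.append((rid, "stale",
                             f"last hit {last}, older than {STALE_AFTER.days} days"))
        if r["src"] == "any" and r["dst"] == "any" and r["action"] == "allow":
            findings.append((rid, "any-any-allow",
                             "unrestricted allow; must not be carried into the NGFW policy"))
    return findings


def rules_to_migrate(rules, as_of=AS_OF):
    """Ids of rules with no findings, i.e. candidates for direct conversion."""
    flagged = {rid for rid, _, _ in audit_rules(rules, as_of)}
    return [r["id"] for r in rules if r["id"] not in flagged]


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    for rid, kind, why in audit_rules(rules):
        print(f"rule {rid}: {kind}: {why}")
    print("clean:", rules_to_migrate(rules))
```

Rules flagged as undocumented or stale should not simply be deleted; as the text says, their addresses should be traced and monitored for activity first, since a zero hit count in the export may only mean the counter was reset.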

Deployment Considerations

The deployment of an NGFW depends on an agency's current needs and its existing network security infrastructure. The NGFW's function at the highest level is to protect users while also providing the base functionality of the current firewall, and its ability to write policy per application extends that base. While the goal is to replace the perimeter firewall with an NGFW, consider the following deployment points:

  • Dual-Firewall Deployment: Some agencies will deploy an NGFW in addition to an existing firewall. In this case, the NGFW should be deployed in Layer-2 monitoring mode. As the least invasive deployment method, this also allows for the collection of performance statistics, offers contextual network traffic visibility of applications and is ideal for tuning policy. Deploying dual firewalls is a simple way to avoid potential misconfigurations and to let the IT staff safely test the NGFW waters.
  • Consolidation Deployment: This deployment leverages additional NGFW functionality such as URL filtering and threat mitigation in order to replace a current stand-alone secure web gateway or intrusion prevention system. It is critical to perform a thorough analysis of the organization's performance metrics and to communicate with security teams to determine whether the network has the capacity to enable these features, since each one adds inspection load to the same appliance. Advanced NGFW features that were once part of stand-alone products should be enabled via a tiered approach: to ensure performance stability, IT staff should test a new feature for at least 30 days before another feature is implemented.

Deployment considerations will vary between agencies. IT administrators should proceed with caution when implementing any critical piece of network technology such as an NGFW.
