"Advanced persistent threat" are three words that keep IT security professionals up at night. APTs are highly sophisticated, well-funded attacks that use advanced hacking tools and creative strategies to overcome even high-level security measures. Federal agencies are among the most popular targets for APTs, which often are supported by foreign governments or organized crime.
Agencies need a comprehensive strategy to defend themselves against APTs, and many security professionals are incorporating next-generation firewalls (NGFWs) as an important element of such a strategy. Security experts are excited about the new features of these devices and the promise that they hold for bolstering perimeter defenses against increasingly sophisticated cyberattackers.
NGFWs take a comprehensive approach to information security management by combining different security technologies within a single device. They perform the basic firewall protection expected of a perimeter security device but supplement this stateful inspection with intrusion prevention, content filtering and application control features. Security administrators benefit from a single management interface, and agencies benefit by having these diverse security technologies operate in a coordinated fashion. IT professionals should consider several strategies to maximize the effectiveness of their NGFW deployments.
Deploy Application-Specific Rules Carefully
The power of the NGFW rests in its ability to make decisions based on contextual information. Unlike stateful inspection firewalls, the NGFW is aware of each specific application and user that is generating web traffic and can make judgments based on that information. Is an accounting user accessing the budget information system from the office in the middle of the day? That sounds right. What about a database administrator accessing a physical security system from offsite in the middle of the night? Time for an alarm!
While this contextual information offers great promise, security professionals must implement it cautiously. Adding application-specific rules can dramatically increase the complexity of a firewall rule set and lead to the disruption of production applications. Prudent NGFW deployment strategies take a phased approach, slowly introducing application-specific rules after they have been carefully tested.
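As an added illustration (not code from the original article or from any vendor's policy language), the following Python models the two contextual decisions above together with the phased introduction of an application-specific rule: a new rule starts in a monitor mode that only raises alerts, and is promoted to enforcement once it has been tested. The rule names, roles, application labels and session fields are constructed for the example.

```python
from dataclasses import dataclass, replace
@dataclass(frozen=True)
class Session:
    """Context an NGFW attaches to a flow (constructed fields, not a vendor schema)."""
    user_role: str
    application: str
    location: str   # "office" or "remote"
    hour: int       # local hour of day, 0-23

@dataclass(frozen=True)
class AppRule:
    """An application-specific allow rule plus the rollout phase it is in."""
    name: str
    roles: frozenset
    applications: frozenset
    locations: frozenset
    hours: range
    mode: str = "monitor"   # "monitor": alert on violations only; "enforce": block them

    def matches(self, s):
        return (s.user_role in self.roles and s.application in self.applications
                and s.location in self.locations and s.hour in self.hours)

def evaluate(rules, s):
    """Return (verdict, reason). A violation of a governed application is blocked only
    once every governing rule is in enforce mode; in monitor mode it is alerted and the
    traffic passes, so a mis-written rule cannot break production during phase-in."""
    governing = [r for r in rules if s.application in r.applications]
    if not governing:
        return "passthrough", "no app-specific rule; legacy stateful policy applies"
    for r in governing:
        if r.matches(s):
            return "allow", f"matched rule {r.name}"
    if all(r.mode == "enforce" for r in governing):
        return "block", f"context violation for {s.application} (enforced)"
    return "alert", f"context violation for {s.application} (monitor mode, passed)"

def promote(rules, name):
    """Move one tested rule from monitor to enforce, leaving the others untouched."""
    return [replace(r, mode="enforce") if r.name == name else r for r in rules]

# Constructed rules: budget access already enforced; physsec console rule still in monitor.
RULES = [
    AppRule("budget-accounting", frozenset({"accounting"}), frozenset({"budget-system"}),
            frozenset({"office"}), range(8, 18), mode="enforce"),
    AppRule("physsec-operators", frozenset({"physical-security"}),
            frozenset({"physsec-console"}), frozenset({"office"}), range(0, 24)),
]
MIDDAY_ACCOUNTANT = Session("accounting", "budget-system", "office", 13)  # constructed
MIDNIGHT_DBA = Session("dba", "physsec-console", "remote", 2)              # constructed
```

Running `evaluate(RULES, MIDNIGHT_DBA)` yields an alert while the rule is in monitor mode; after `promote(RULES, "physsec-operators")` the same session is blocked.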
Develop Partnerships Throughout the Agency's IT Group
Deploying an NGFW must be a coordinated effort across the IT organization. While security administrators may drive the NGFW initiative, other stakeholders must have their views represented. For example, networking professionals should participate in the design of the new environment to ensure compatibility with the existing network infrastructure. The NGFW will, by nature, be a network bottleneck. It must be sized to handle the agency's peak network utilization and still perform its security functions. Similarly, application engineers should play a critical role in designing the NGFW's app-specific rules.
Agencies that successfully deploy NGFW technology do so by developing cooperative partnerships involving diverse subject matter experts. It's far easier to build these relationships in the beginning of a deployment than to bring these groups together only when crisis strikes.
Build a Test Environment
The IT staff responsible for operating an NGFW will need to work with the device in a safe environment. Building a test lab prior to the deployment allows staff to work with the device without affecting production systems. As actual deployment approaches, the device can transition to a more fully functioning test environment that includes many of the services found in the production environment. This approach will allow IT staff to model changes and proceed to production only when confident that those changes will succeed.
Creating a test environment involves added cost, but it is often possible to obtain test gear at a lower cost than for a production environment. Some vendors offer special licensing options for nonproduction equipment. Additionally, a test environment does not need the throughput capacity of a production system.
Deploy NGFWs Tactically
Switching to an NGFW is not an all-or-nothing decision. Agencies don't need to replace every firewall in operation with NGFW technology, nor do they necessarily need to replace their high-bandwidth border firewalls. It's possible to deploy NGFWs strategically, targeting areas that would benefit most from the technology, including:
- Data center network segments that house systems offering publicly exposed services, such as those contained within a demilitarized zone.
- Network segments that house systems containing highly sensitive data, such as health information or financial records.
- Network segments that house systems known to pose specific security risks or known to be high-value targets for APT attackers.
By targeting these high-value areas, agencies can invest wisely, using limited financial resources to provide advanced protection to the most sensitive areas of their networks, while relying on currently deployed stateful inspection firewalls for other areas.
Agencies can reap great benefits from the deployment of next-generation firewall technology. NGFWs promise to enhance security controls at a time when agencies face increasingly sophisticated threats from both foreign and domestic sources. By leveraging NGFW technology, agencies can increase their insight into network activity and prevent malicious actors from gaining a foothold on their networks.