Social Network For CISO (Chief Information Security Officers)
Businesses and organizations are fielding more & more next-generation Information Security technologies to reduce their risks as businesses leverage cloud capabilities and from advanced persistent threats. Unfortunately, we see our customers falling into a common Information Technology and general acquisition trap: Significantly underestimating the complexity, cost, and time to complete the Next Generation Firewall (NGFW) fielding.
Purchasing a NGFW is the easy part.
In our experience dealing with Department of Defense programs, we saw this all the time with all types of new technologies being fielded.
At the heart of the problem are two root causes:
Digging deeper into the first problem is actually simple: 1st generation firewalls are unaware of the actual traffic being processing by their rules. 1st generation firewalls basically ask “Can Packet A from Server X be allowed to go to Server Y using this Port?” This simple paradigm doesn’t require much to implement and even less to maintain.
NGFWs are aware of the traffic being processed at a far higher level. NGFWs ask “Is the traffic from Server X allowed to communicate to Server Y if Server X is using an approved application signature, from an approved Source, to an approved Destination, from the set of authorized users, and doesn’t contain malware?”
More complex? Yes. More secure? Definitely.
Because the vast majority of organizations do not know their authorized communications down to the details a NGFW needs, they listen to the sales guy… “Hey, we have a learning mode that will solve it for you…” The learning mode will help—up to about 60% and only for the obvious big things…
These are the challenges that many firms don’t realize when they commit to implementing a NGFW. All the unknowns equal increased time to research, design, and implement.
Failure to do this work will result in having an ineffective firewall or worse yet, your organization unknowingly approves unauthorized traffic (e.g., malware/hackers) to be in your network.
The point of this article is let everyone know implementing a NGFW will take committed resources in addition to the NGFW admin. To be successful before and after the NGFW is in-place, the resources should:
To give an example, for our Large-enterprise class customer with a very large complex footprint, we identified millions of unique communication traffic patterns. These patterns were then grouped into hundreds of thousands of rules with common policy names. Once loaded into the firewall, the separate rules aggregated into 1-2 thousand distinct policies.
Waaaaaaaaaay on the other end of the spectrum is Peak InfoSec. Our footprint is minuscule in comparison, which led to a couple thousand distinct patterns, and six policies.
At Peak InfoSec we strongly encourage all of our clients to pursue NGFW solutions and to:
Once committed, follow the process above and commit time/resources. The last catch is while the workload significantly drops once your organization has the rules built and approved, applications and their signatures change as vendors release new versions. Make sure you plan for ongoing lifecycle revisions to your policies.
 Technically, 1st generation firewalls process rules up Layer 4 in the OSI model. NGFWs process up to Layer 7
Post Author: Matthew Titcombe, CEO and Senior Information Security Consultant, Peak InfoSec
This post was initially posted here & has been reproduced with permission.