A Cautionary Tale about Next Generation Firewalls…

Businesses and organizations are fielding more and more next-generation Information Security technologies to reduce the risks that come with leveraging cloud capabilities and from advanced persistent threats. Unfortunately, we see our customers falling into a common Information Technology and general acquisition trap: significantly underestimating the complexity, cost, and time to complete the Next Generation Firewall (NGFW) fielding.

Purchasing a NGFW is the easy part.

In our experience dealing with Department of Defense programs, we saw this all the time with all types of new technologies being fielded.

At the heart of the problem are two root causes:

  • The customer thinks putting in a NGFW is as easy as a 1st generation firewall
  • The customer doesn’t know, and hasn’t approved using a risk-based methodology, the communications between their servers, users, and the Internet

NGFW vs 1st Gen Differences

Digging deeper into the first problem is actually simple: 1st generation firewalls are unaware of the actual traffic being processed by their rules. 1st generation firewalls basically ask “Can Packet A from Server X be allowed to go to Server Y using this Port?” This simple paradigm doesn’t require much to implement and even less to maintain.

NGFWs are aware of the traffic being processed at a far higher level.[1] NGFWs ask “Is the traffic from Server X allowed to communicate to Server Y if Server X is using an approved application signature, from an approved Source, to an approved Destination, from the set of authorized users, and doesn’t contain malware?”

More complex? Yes. More secure? Definitely.
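To make the two questions above concrete, here is an added example (not code from the original post) that evaluates the same connection under a 1st generation, Layer 4 rule and under an NGFW-style, Layer 7 rule. The addresses, application names, user names and the rule semantics are all constructed for illustration and simplified from any real product; the point is that a connection the 5-tuple rule allows can still be denied once application, user and content are visible.

```python
"""Added example (not code from the original post): the same connection
evaluated by a 1st-generation, Layer 4 rule and by an NGFW-style, Layer 7 rule.
Addresses, application names and user names are constructed for illustration,
and the rule semantics are simplified from any real product."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    # The next three fields exist only for an NGFW: they come from payload
    # inspection (app signature, content scan) and an identity source (user).
    app: Optional[str] = None
    user: Optional[str] = None
    malware_hit: bool = False


@dataclass(frozen=True)
class L4Rule:
    """1st-gen rule: 'Can a packet from X reach Y on this port?'"""
    src_net: str
    dst_net: str
    dport: int
    proto: str = "tcp"

    def matches(self, c: Connection) -> bool:
        return (ip_address(c.src) in ip_network(self.src_net)
                and ip_address(c.dst) in ip_network(self.dst_net)
                and c.dport == self.dport and c.proto == self.proto)


@dataclass(frozen=True)
class NgfwRule:
    """NGFW rule: the L4 match plus approved apps, authorized users, clean content."""
    l4: L4Rule
    apps: FrozenSet[str]
    users: FrozenSet[str]

    def deny_reason(self, c: Connection) -> Optional[str]:
        """Return why the connection fails this rule, or None if it passes."""
        if not self.l4.matches(c):
            return "no 5-tuple match"
        if c.app is None:
            return "unknown application: no signature matched (learning mode cannot help here)"
        if c.app not in self.apps:
            return f"application {c.app!r} not in the approved set"
        if c.user not in self.users:
            return f"user {c.user!r} not in the authorized set"
        if c.malware_hit:
            return "content inspection flagged malware"
        return None


def evaluate_l4(rules: List[L4Rule], c: Connection) -> Tuple[str, str]:
    for r in rules:
        if r.matches(c):
            return "allow", "5-tuple matched"
    return "deny", "no rule matched (implicit deny)"


def evaluate_ngfw(rules: List[NgfwRule], c: Connection) -> Tuple[str, str]:
    # Simplified first-match: the first rule whose 5-tuple matches decides.
    for r in rules:
        if r.l4.matches(c):
            why = r.deny_reason(c)
            return ("deny", why) if why else ("allow", "all Layer 7 conditions met")
    return "deny", "no rule matched (implicit deny)"


# Constructed policy: one allow rule, users subnet -> DMZ subnet on 443.
L4_POLICY = [L4Rule("10.1.0.0/16", "10.2.0.0/16", 443)]
NGFW_POLICY = [NgfwRule(L4_POLICY[0], frozenset({"web-browsing"}), frozenset({"alice"}))]


def compare(c: Connection) -> dict:
    """Evaluate one connection under both rule sets."""
    return {"l4": evaluate_l4(L4_POLICY, c), "ngfw": evaluate_ngfw(NGFW_POLICY, c)}


# Constructed scenarios: identical 5-tuple, different Layer 7 facts.
SCENARIOS = {
    "approved app and user": Connection("10.1.1.10", "10.2.2.20", 443, app="web-browsing", user="alice"),
    "other app on port 443": Connection("10.1.1.10", "10.2.2.20", 443, app="p2p-file-sharing", user="alice"),
    "unrecognized custom app": Connection("10.1.1.10", "10.2.2.20", 443, app=None, user="alice"),
    "unauthorized user": Connection("10.1.1.10", "10.2.2.20", 443, app="web-browsing", user="mallory"),
}

if __name__ == "__main__":
    for name, conn in SCENARIOS.items():
        verdicts = compare(conn)
        print(f"{name:26s} L4={verdicts['l4'][0]:5s} NGFW={verdicts['ngfw'][0]:5s} ({verdicts['ngfw'][1]})")
```

Running it shows all four scenarios allowed by the Layer 4 rule and only the first allowed by the NGFW rule. The "unrecognized custom app" case is the one the rest of the article is about: the NGFW can only deny it or be told explicitly what it is.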

Knowing your Communications

Because the vast majority of organizations do not know their authorized communications down to the details a NGFW needs, they listen to the sales guy… “Hey, we have a learning mode that will solve it for you…” The learning mode will help, but only up to about 60% and only for the obvious big things…

  • If you are only using Office 365 and very commonly used applications, you are done because the NGFW knows these apps and their signatures.
  • That specialty application your users use may or may not be known by the NGFW company. The smaller the company, the greater the probability the NGFW will not recognize it.
  • Custom coded application…nope.
  • You changed the standard config of a known application for some reason. Unknown now.

These are the challenges that many firms don’t realize when they commit to implementing a NGFW. All the unknowns equal increased time to research, design, and implement.

Failure to do this work will result in having an ineffective firewall or worse yet, your organization unknowingly approves unauthorized traffic (e.g., malware/hackers) to be in your network.

Our Point

The point of this article is to let everyone know that implementing a NGFW will take committed resources in addition to the NGFW admin. To be successful before and after the NGFW is in place, the resources should:

  • Be qualified with NGFW experience and Information Security architecture work. We cannot overstate the part about this being Architecture work. The resources must be able to look at the whole of the organization from business processes down to NGFW signatures. Few IT admins have this ability let alone the time to do this work. Trying to train someone with no experience as an architect and on NGFWs will lead to failure;
  • Go through the NGFW logs, hopefully with a Security Information and Event Management (SIEM) system, to analyze the traffic patterns;
  • Assess the riskiness of each pattern and develop a NGFW policy recommendation;
  • And, obtain acceptance of risk for every NGFW policy. We recommend delegating negligible to low risk policies to be approved by the NGFW administrator. Once it moves from Low to Medium, the risk acceptance decision authority should move up the organization’s line of authority.

To give an example, for our large-enterprise-class customer with a very large, complex footprint, we identified millions of unique communication traffic patterns. These patterns were then grouped into hundreds of thousands of rules with common policy names. Once loaded into the firewall, the separate rules aggregated into 1-2 thousand distinct policies.
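The log analysis, risk assessment and risk-acceptance steps listed above, together with the pattern/rule/policy aggregation just described, can be scripted. The following is an added example, not the author's or Peak InfoSec's tooling: it takes constructed NGFW log lines in a generic key=value shape (not any vendor's format), collapses them into unique traffic patterns, groups those into rules and then policies, scores each policy with an illustrative risk rubric, flags patterns whose application the firewall could not identify, and routes each policy to an approver. The zone names, application names, the rubric, and the approver roles above "NGFW administrator" are assumptions.

```python
"""Added example, not code from the original post: turning NGFW log lines into
unique traffic patterns, grouping them into rules and policies, scoring risk,
and routing each policy to an approver. The log format, zones, apps, risk
rubric and approver roles are all constructed for illustration."""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed log lines in a generic key=value shape (not any vendor's format).
SAMPLE_LOGS = """\
src_zone=users src=10.10.1.15 dst_zone=dmz dst=10.20.0.5 dport=443 app=web-browsing user=alice
src_zone=users src=10.10.1.16 dst_zone=dmz dst=10.20.0.5 dport=443 app=web-browsing user=bob
src_zone=users src=10.10.1.16 dst_zone=dmz dst=10.20.0.6 dport=80 app=web-browsing user=bob
src_zone=users src=10.10.1.15 dst_zone=internet dst=203.0.113.9 dport=443 app=ms-office365 user=alice
src_zone=users src=10.10.1.17 dst_zone=internet dst=203.0.113.9 dport=443 app=ms-office365 user=carol
src_zone=dmz src=10.20.0.5 dst_zone=servers dst=10.30.0.8 dport=1433 app=mssql-db user=-
src_zone=users src=10.10.1.22 dst_zone=servers dst=10.30.0.9 dport=8443 app=unknown-tcp user=dave
src_zone=internet src=198.51.100.7 dst_zone=dmz dst=10.20.0.5 dport=443 app=web-browsing user=-
src_zone=users src=10.10.1.15 dst_zone=dmz dst=10.20.0.5 dport=443 app=web-browsing user=alice
"""

Pattern = Tuple[str, str, str, str, int, str, str]   # src_zone, src, dst_zone, dst, dport, app, user
RuleKey = Tuple[str, str, str, int]                   # src_zone, dst_zone, app, dport
PolicyKey = Tuple[str, str, str]                      # src_zone, dst_zone, app

# Illustrative delegation: negligible/low stays with the admin, higher tiers
# move up the line of authority (the role names are assumptions).
APPROVER = {
    "negligible": "NGFW administrator",
    "low": "NGFW administrator",
    "medium": "security manager (assumed role)",
    "high": "CISO (assumed role)",
}


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one constructed key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def extract_patterns(log_text: str) -> Counter:
    """Collapse raw events into unique traffic patterns with hit counts."""
    patterns: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_log_line(line)
        key: Pattern = (e["src_zone"], e["src"], e["dst_zone"], e["dst"],
                        int(e["dport"]), e["app"], e["user"])
        patterns[key] += 1
    return patterns


def group_into_rules(patterns: Counter) -> Dict[RuleKey, Set[Pattern]]:
    """Rule = all patterns sharing zones, application and destination port."""
    rules: Dict[RuleKey, Set[Pattern]] = defaultdict(set)
    for p in patterns:
        src_zone, _src, dst_zone, _dst, dport, app, _user = p
        rules[(src_zone, dst_zone, app, dport)].add(p)
    return rules


def aggregate_into_policies(rules: Dict[RuleKey, Set[Pattern]]) -> Dict[PolicyKey, Set[RuleKey]]:
    """Policy = all rules sharing zones and application (ports collapse here)."""
    policies: Dict[PolicyKey, Set[RuleKey]] = defaultdict(set)
    for r in rules:
        src_zone, dst_zone, app, _dport = r
        policies[(src_zone, dst_zone, app)].add(r)
    return policies


def assess_risk(policy: PolicyKey) -> str:
    """Constructed rubric: unknown apps and inbound-from-Internet rank highest."""
    src_zone, dst_zone, app = policy
    if app.startswith("unknown"):
        return "high"            # no signature: the NGFW cannot say what this is
    if src_zone == "internet":
        return "medium" if dst_zone == "dmz" else "high"
    if dst_zone == "servers":
        return "medium"          # reaches the internal server zone
    if dst_zone == "internet":
        return "low"             # outbound, recognised application
    return "negligible"


def build_recommendations(log_text: str) -> dict:
    """Run the whole pipeline and return counts plus one recommendation per policy."""
    patterns = extract_patterns(log_text)
    rules = group_into_rules(patterns)
    policies = aggregate_into_policies(rules)
    recs: List[dict] = []
    for key in sorted(policies):
        src_zone, dst_zone, app = key
        risk = assess_risk(key)
        rule_keys = policies[key]
        pattern_keys = set().union(*(rules[r] for r in rule_keys))
        recs.append({
            "name": f"{src_zone}-to-{dst_zone}-{app}",
            "risk": risk,
            "approver": APPROVER[risk],
            "rules": len(rule_keys),
            "patterns": len(pattern_keys),
            "users": sorted({p[6] for p in pattern_keys if p[6] != "-"}),
        })
    return {
        "events": sum(patterns.values()),
        "unique_patterns": len(patterns),
        "rules": len(rules),
        "unknown_app_patterns": [p for p in patterns if p[5].startswith("unknown")],
        "policies": recs,
    }


if __name__ == "__main__":
    result = build_recommendations(SAMPLE_LOGS)
    print(f"{result['events']} events -> {result['unique_patterns']} patterns -> "
          f"{result['rules']} rules -> {len(result['policies'])} policies")
    for rec in result["policies"]:
        print(f"  {rec['name']:34s} {rec['risk']:10s} -> {rec['approver']}")
```

On the constructed input, nine events collapse to eight patterns, six rules and five policies, the same narrowing the article describes at enterprise scale. The `unknown-tcp` pattern is the kind of traffic learning mode cannot resolve: it still needs a human to research the application before any policy can be written for it.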

Waaaaaaaaaay on the other end of the spectrum is Peak InfoSec. Our footprint is minuscule in comparison, which led to a couple thousand distinct patterns, and six policies.

Our Recommendation

At Peak InfoSec we strongly encourage all of our clients to pursue NGFW solutions and to:

  • Recognize their classic 1st generation firewalls are obsolete and offer limited to no protection for their businesses. Aside from the high availability options, 1st generation firewalls are no different from what you use at home;
  • Implement NGFWs at their boundary and, more importantly, for internal Network Segmentation if they have internal servers or zones that need different security levels;
  • And, where possible, extend NGFWs to a complete security fabric like Fortinet’s solution.

Once committed, follow the process above and commit time and resources. The last catch is that while the workload drops significantly once your organization has the rules built and approved, applications and their signatures change as vendors release new versions. Make sure you plan for ongoing lifecycle revisions to your policies.

[1] Technically, 1st generation firewalls process rules up to Layer 4 in the OSI model. NGFWs process up to Layer 7.

Post Author: Matthew Titcombe, CEO and Senior Information Security Consultant, Peak InfoSec

This post was initially posted here & has been reproduced with permission.
