If you haven’t yet upgraded to a next-generation firewall (NGFW), it’s time to consider doing so. Next-generation firewalls offer much more advanced protection against security breaches and cyber attacks than do traditional firewalls, which provide only basic filtering of network traffic. Next-gen firewalls have a variety of cybersecurity technologies—including malware scanning and blocking, protection against distributed denial of service attacks, network intrusion detection and prevention, and granular control over the network activities of applications and users—all under a single, unified architecture and interface.
A next-gen firewall can be an all-in-one security solution for organizations without the need or budget for more complex products, or a valuable front-line component of a large organization’s cybersecurity solution.
Making the move to a next-generation firewall
If you’re considering a next-gen firewall implementation, read ahead for the seven key steps in an firewall migration, according to IT security experts.
- Start with an estimate of the organization’s future network traffic and cybersecurity needs. Too often, IT managers buy firewalls based on current requirements, but those can change rapidly. Experts recommend buying based on estimates of traffic and security requirements three years in the future.
- Develop a sustainable roadmap with stakeholders. Talk to line-of-business and department managers to ensure regulatory and compliance mandates are met. Some business leaders may have concerns about protecting sensitive data, while others may worry that a new firewall will interfere with certain work activities. Their feedback can help guide the selection and implementation process.
- Develop a checklist of features. Firewall vendors and services providers are not all the same. Consider whether you want a hardware device, an application, or a firewall service, and what specific security capabilities you’ll need. (For more on the features of next-generation firewalls, read Next Generation Firewalls Provide Broad Cybersecurity Protection.) For example, having granular control over the network access of different applications and end users is a critical capability, but firewall vendors each do it differently.
- Consider using a managed cybersecurity services provider rather than an in-house firewall application or device. With so much of today’s computing taking place in the cloud, it often makes sense to use a cloud-based security service provider. Managed security services providers not only have up-to-date technologies—a critical benefit given the rapid rise of cybersecurity threats—but also have the management and security expertise to identify and resolve problems quickly... faster than most IT departments.
- Do a phased implementation. Unless you need all the firewall’s functionality at once, it’s usually best to start by just monitoring traffic to identify areas of concern. What web sites are being visited? What cyber threats are most common? What applications access the internet, and how? A next-generation firewall can be used initially to identify problem spots and assess vulnerabilities.
- Don’t stop with monitoring. IT departments sometimes turn on monitoring features and then fail to configure and activate the rest of the firewall. That’s a major mistake, say experts. An organization isn’t secure unless it has defensive capabilities and monitoring alone is not defensive. Bob Pruett, field security solutions executive for consulting company, SHI, estimates that more than 60% of next generation firewalls aren’t being used to their full potential, which is a waste of the firewall and leaves the organization open to attack. “It’s disheartening to see a very large percentage being used as traditional stateful firewalls,” he commented.
- Learn to say “yes, but” to end-users. While IT managers often must say “no” to end users who clamor for fewer security restrictions, they can say “no” in way that end-users will respect and appreciate. Pruett calls it the “yes, but” approach: “I say, ‘Yes, you can do this, but we have to put in limitations because it could be dangerous to the organization and this is how.’”
For more insight and advice on implementing next-generation firewalls, watch the webcast Best Practices when Deploying Next Generation Firewalls, with SHI’s Pruett, Fortinet’s Vincent Delbar, technical partner manager, and Darren Carroll, our own director of security products.