We have entered the application age and while there are plenty of productivity benefits for most organizations, there are also risks. In addition to the increased use of applications, a more mobile workforce and more sophisticated threats have driven an evolution in the way we must secure the gateway.

Enter next-generation firewalls, which Gartner predicted in its IT Market Clock for Infrastructure Protection 2011 will increase the commoditization of stateful firewalls within the next couple of years.

However, while NGFWs provide you with more granular control, they also in turn can increase the complexity of your policies and require some additional planning and considerations. In a recent survey, The State of Network Security 2012, 84% of respondents stated that NGFWs help them feel more secure, but 76.1% noted a cost of managing next-generation firewalls in terms of administrative burden.

For example, without careful design and maintenance, a poorly optimized NGFW policy could take what was a single rule allowing HTTP and turn it into a policy that includes 10,000 new rules, one per application – creating more opportunity for error and risk.

Next-Generation Firewalls: Their Place in the Network

Next-generation firewalls go beyond filtering traffic from port 80 or 443 and deliver more control by providing the ability to filter by application type and user identity. With this added granularity you can define what groups of users can do with a particular application, which allows for better security and ultimately a business advantage (e.g. the marketing team needs to be able to post to Facebook, but a developer does not).

The first and primary point to focus on in the network for NGFW deployment is external Internet traffic, because many applications are Internet applications, such as Facebook, P2P, email and Web meeting tools.

Deploying at the edge is where NGFWs can significantly improve your security if the right policies are applied. From there, you can add as necessary to branch offices and to the data center, where you should know what applications are running on data center servers and who has been granted access.

Firewall Policy Considerations

With more granular control comes more complexity. The more complex your network policies are, the greater opportunity there is for misconfigured firewalls. And according to Gartner, 95% of firewall breaches are due to misconfigurations – as opposed to flaws with the firewalls. If policies are set at an application level, you must understand each application, its business value to different users and any potential risks that come with it.

Firewall policy decisions are no longer black or white. As the rule sets and features increase, so does the complexity. Some questions you must ask yourself (and answer!) before leveraging the application and user-aware policies available to you in a next-gen firewall are:

  • How many more change requests per week should you expect to process?
  • Can your existing team handle the extra load without degradation to turnaround time?
  • Will you require additional headcount?
  • What is the impact if you define policy via rules like “block social networks, file sharing and video streaming, and allow all other Web traffic”?

IT must understand what applications are needed by what users and provide access – without slowing down business productivity and without opening security gaps for data leakage or malware.

Here are six tips for managing next-generation firewall policies:

  1. Tune your policies. Run regular reports to spot new applications in use on the network and understand any trends and impact from a security and performance perspective. Actionable intelligence regarding application usage is extremely helpful in optimizing policies and removing unused applications from policies. Identify rules that can be tightened based on application and user/user group needs. For example, if an application is only required by one group of users (e.g. the marketing team needs access to Facebook) then that application can be opened up to that specific group and restricted from others.
  2. Reorder rules to improve performance. Since firewalls sequentially sift through endless rule sets to identify the rule that matches every packet, another way to optimize your next-generation firewall policy is to reorder rules based on throughput (rules where there is heavier application usage should be on top). This can help address any potential performance issues and delay what otherwise would be necessary hardware purchases.
  3. Identify rules to remove from the rule base. Oftentimes firewall rules are forgotten about and even duplicated through change requests. Being able to identify these types of rules can significantly help you reduce the overhead on your admin team and on the firewall.
  4. Run regular risk queries. Whether running a query from your DMZ to Internal or against specific applications, there are a lot of known risks and configuration best practices you can leverage (NIST, PCI, etc.) to identify vulnerable rules and understand the remedies. You should also define acceptable applications for your organization and then create exceptions or segment by users/user groups as needed. Additionally, recent research has shown that common risks in firewall policies are lax outbound policies.
  5. Ensure continuous compliance. Run reports to ensure that your policies are in compliance with regulatory requirements such as PCI DSS, SOX, etc., and also your own internally defined standards.
  6. Automate the firewall change request process. Maintain your optimized and risk-free policy over time by automating the firewall change request process. With traditional firewalls, the primary fields for change management consist of source, destination and port, but with NGFWs it expands to source, destination, port AND users and applications, creating more opportunities for change requests to pile up very quickly.
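A worked version of tips 2 through 4, added here as an example; it is not code from the article or from AlgoSec. It models a rule as source, destination, application, user group and action (the fields the article says NGFW change management now covers), and every rule name, zone, application, group and hit count below is constructed. Three checks are shown: dead rules that an earlier rule already covers, duplicates included (tip 3); outbound allow rules with no application restriction, the lax outbound policy tip 4 warns about; and a hit-count reordering (tip 2) that only swaps two adjacent rules when doing so cannot change which rule a packet hits. That last check is the one a reorder must make, because a busy allow rule moved above a narrower deny would silently open the policy while the throughput numbers still looked like an improvement.

```python
"""Rule-base checks for an application- and user-aware firewall policy.

Added example, not code from the article or from AlgoSec.  The Rule model,
the sample rule base and its hit counts are constructed for illustration;
a real NGFW exports its policy in a vendor-specific format that a loader
would have to translate into this shape.
"""
from dataclasses import dataclass

FIELDS = ("src", "dst", "app", "users")


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # source zone or network group; "any" matches everything
    dst: str     # destination zone or network group
    app: str     # application identity (layer-7 match); "any" = all apps
    users: str   # user group from the directory; "any" = all users
    action: str  # "allow" or "deny"
    hits: int    # sessions matched in the last usage report (constructed)


def _covers(broad: str, narrow: str) -> bool:
    """True if a rule value `broad` matches every packet that `narrow` matches."""
    return broad == "any" or broad == narrow


def matches(rule: Rule, pkt: dict) -> bool:
    """A rule matches a packet only if every field covers the packet's value."""
    return all(_covers(getattr(rule, f), pkt[f]) for f in FIELDS)


def first_match(rules, pkt: dict):
    """First-match semantics: name of the first matching rule, or None (implicit deny)."""
    for r in rules:
        if matches(r, pkt):
            return r.name
    return None


def _shadows(earlier: Rule, later: Rule) -> bool:
    """`later` can never fire if `earlier` already covers all of its traffic."""
    return all(_covers(getattr(earlier, f), getattr(later, f)) for f in FIELDS)


def _overlap(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules."""
    return all(_covers(getattr(a, f), getattr(b, f)) or _covers(getattr(b, f), getattr(a, f))
               for f in FIELDS)


def find_shadowed(rules):
    """Tip 3: dead rules (duplicates, or rules fully covered by an earlier rule).
    Returns (earlier_rule, shadowed_rule) name pairs."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _shadows(earlier, later):
                found.append((earlier.name, later.name))
                break
    return found


def find_lax_outbound(rules, inside="internal", outside="internet"):
    """Tip 4: outbound allow rules that do not restrict the application at all."""
    return [r.name for r in rules
            if r.action == "allow" and r.src == inside and r.dst == outside
            and r.app == "any"]


def reorder_by_hits(rules):
    """Tip 2: move busy rules up without changing the decision for any packet.
    Two adjacent rules may swap only if they cannot both match the same packet
    or they have the same action, so first-match results stay identical."""
    order = list(rules)
    changed = True
    while changed:
        changed = False
        for i in range(len(order) - 1):
            a, b = order[i], order[i + 1]
            if b.hits > a.hits and (a.action == b.action or not _overlap(a, b)):
                order[i], order[i + 1] = b, a
                changed = True
    return order


# Constructed sample rule base (zone, application and group names are made up).
SAMPLE_RULES = [
    Rule("r1-web-any", "internal", "internet", "web-browsing", "any", "allow", 900),
    Rule("r2-facebook-marketing", "internal", "internet", "facebook", "marketing", "allow", 120),
    Rule("r3-facebook-dev", "internal", "internet", "facebook", "developers", "deny", 40),
    Rule("r4-facebook-marketing-dup", "internal", "internet", "facebook", "marketing", "allow", 0),
    Rule("r5-dmz-db", "dmz", "internal", "mysql", "any", "allow", 5000),
    Rule("r6-outbound-any", "internal", "internet", "any", "any", "allow", 300),
    Rule("r7-p2p", "internal", "internet", "bittorrent", "any", "deny", 10),
]

if __name__ == "__main__":
    print("shadowed:", find_shadowed(SAMPLE_RULES))
    print("lax outbound:", find_lax_outbound(SAMPLE_RULES))
    print("reordered:", [r.name for r in reorder_by_hits(SAMPLE_RULES)])
```

On the sample policy the shadow check reports the duplicate marketing rule and, more usefully, that the P2P deny rule is dead because the "allow any application" outbound rule above it already matches everything; the lax-outbound check flags that same rule. The reorder moves the busy DMZ database rule to the top but leaves the 300-hit outbound allow below the 40-hit developer deny, since the two overlap with different actions. Real policies use address ranges and application groups rather than single names, so `_covers` would need range and group containment there; the any-or-exact model is kept simple on purpose.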

Next-generation firewalls certainly provide some additional benefits over traditional firewalls, but in order to truly reap the benefits without adding complexity and in turn risk, you must map out a plan in advance of your implementation and have a process to manage these policies over time in the context of your broader network environment.

Sam Erdheim is director of marketing at AlgoSec in Boston.
