Article featured in the industry-leading Network Computing
Written by Samuel Furnica, Cisilion’s Enterprise Presales Consultant
Firewalls, unless they fail, work in the background and receive little attention. Cisilion’s Enterprise Presales Consultant, Samuel Furnica, explains why replacing the legacy firewall estate should be a priority.
Threats have evolved, but legacy firewalls were designed to prevent attacks at the port/protocol level. They had no ability to deal with threats at the upper layers of the OSI model, so is it time to refresh your firewall estate?
According to Gartner, a Next-Generation Firewall (NGFW) is: “A deep-packet inspection firewall that moves beyond port/protocol inspection and blocking, to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.”
Overall, the Next-Generation Firewall market is:
- Expected to grow from $2.39 billion in 2017 to $4.27 billion by 2023
- Expected to grow at a Compound Annual Growth Rate (CAGR) of 12.3% from 2017 to 2022
When discussing infrastructure, I always highlight that Next-Generation Firewalls can provide application visibility and control by using in-line deep packet inspection, an intrusion prevention system (IPS) and other preventative security capabilities. These include TLS / SSL encrypted traffic inspection, URL filtering, bandwidth management, anti-virus (AV) and third-party identity management integration.
A Next-Generation Firewall integrates all of this functionality into one platform, so it is more than a firewall and an IPS that have simply been packaged together in a single appliance.
Benefits of a Next-Generation Firewall
Legacy firewall environments will have multiple dedicated appliances, thus making them complex to manage and costly to maintain. Ageing equipment may be prone to hardware problems or code-based vulnerabilities because manufacturers have ended support, meaning that there will be no software updates or security patches, leaving the network vulnerable to attack.
With a legacy firewall, there is limited visibility and impeded event correlation, because multiple, disparate services run in isolation and cannot piece together the full picture, diminishing the ability to react and defend. Without a Next-Generation Firewall, 191 days is the average length of time it takes for organisations to identify a data breach – and this is just too long.
Adding security appliances piecemeal, for example, to deal with IDS / IPS, web security, SSL decryption gateways and network proxies, will only increase complexity and reduce security. This network complexity and isolated-services overhead can be replaced by a single, tightly integrated Next-Generation Firewall. This approach will reduce incident response time from months to hours, as all services communicate, share information and then deal with the big picture together.
Next-Generation Firewalls give organisations an integrated ecosystem of security tools that work together to uncover threats and resolve security problems fast.
PLANNING AND MIGRATION
Before any migration can take place, the right hardware appliances need to be scoped for the environment. A proof of concept (POC) is recommended to allow the organisation to understand the types of traffic traversing their firewalls. Adequate planning will ensure that everything is in place for migration day, that nothing is done in a rush, and that contingency plans are in place should anything untoward happen.
To minimise user disruption, one of many possible migration approaches would be to install the new firewalls in parallel with the old equipment. Services would be migrated manually to the new platform, after which the old firewalls are disabled and the new firewalls brought online. This approach minimises the need for routing changes and provides a simple rollback plan: the old firewalls remain in place and can be re-enabled if the cutover fails.
CONSIDERATIONS – What’s Next?
While Next-Generation Firewalls will help to prevent security attacks from the outside, they must not be your only line of defence, regardless of how powerful they are. Even with the best-managed rule configurations, the most advanced anti-spoofing capabilities, and defence-in-depth measures, firewalls cannot stop every attack on their own. To be really certain, you still need:
- Advanced malware protection
- Data backup / disaster recovery
- Strong passwords
- Network access control
- Multifactor authentication
- Periodic penetration testing
Even with all of the above technologies, it’s vital to ensure that your employees understand the basics of cybersecurity best practice and that a strong set of cybersecurity policies is in place for them to work with.