Skybox Security Best Practices Migrating Next-Gen Firewalls EN PDF
Next-generation firewalls provide granular access control based on the user, application, and content layers. These
firewalls can distinguish between different types of application traffic, eliminating the all-or-nothing traffic approach of
traditional firewalls. Next-generation firewalls also provide capabilities such as intrusion prevention signatures (IPS)
and deep packet inspection for additional attack protection. Next-generation firewalls enable organizations to balance
protection with the needs of the business.
But migrating from traditional to next-generation firewalls can be tedious. The process starts by looking at your existing
firewall infrastructure. Then rules need to be configured based on the granular controls offered by next-generation
firewalls. Once the rule sets are in place, organizations can start to use the more advanced security options, like IPS.
Here are six steps to ensure a smooth migration from traditional firewalls to next-generation firewalls.
Normalizing data removes vendor-specific language and provides a consolidated view across multiple vendor rule
sets based on a common language. This allows you to compare results and act on the data in a consistent manner.
Using a firewall management solution that normalizes data is a good starting place for migration, better enabling you
to consolidate management and transition rule sets.
Organizations should first look at how their current traditional firewalls impact their overall network, and then begin
folding in next-generation firewalls in a way that delivers protection and flexibility that meets and exceeds that of their
traditional firewalls.
With a holistic network view, you can analyze access paths, troubleshoot connectivity issues in seconds, and
remediate misconfigurations where needed.
Network visibility is essential to make use of the more granular capabilities of next-generation firewalls. For example,
next-generation firewall policies provide the flexibility to define the network in different network segment zones, such
as external, DMZ, etc. Each zone represents a different trust level in the network. With topology visibility and
intelligence, firewall rules can be analyzed across different zones to ensure the right level of protection is being deployed.
3 Clean Up Your Rule Sets for Improved Performance and Security
Odds are that your traditional firewall rule sets have grown over time, likely becoming unruly. Rule sets frequently
include redundant rules or shadow rules, which are blocked by another rule or never used. Due to the granularity of
next-generation firewalls, it is critical that you clean up your rule sets prior to migrating to next-generation firewalls.
Optimizing your rule sets will improve performance and security.
An effective firewall management solution should clearly explain the recommendations for removing redundant and
shadow rules, providing the detail behind the recommendation and giving administrators the confidence to remove these
unnecessary rules. Rule usage analysis is also helpful. Firewall rule log data can be imported to create rule and object
usage metrics and determine which rules are used, not used, or contain unused objects. With this review, administrators
may find that some rules can be narrowed, which tightens access and security.
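The two checks described above (finding redundant and shadowed rules, and deriving rule usage from log data) as an added example; this is illustration code, not Skybox's own, and it assumes rules have already been normalized into a vendor-neutral tuple form evaluated top-down with first match winning. The rule set, log lines and field names are constructed for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

RULES = [  # constructed, normalized rule set: (id, src, dst, proto, dport, action)
    ("R1", "10.0.0.0/8",  "192.168.1.10/32", "tcp", 443, "allow"),
    ("R2", "10.1.0.0/16", "192.168.1.10/32", "tcp", 443, "allow"),  # redundant with R1
    ("R3", "0.0.0.0/0",   "192.168.1.0/24",  "tcp", 22,  "deny"),
    ("R4", "10.2.0.0/16", "192.168.1.20/32", "tcp", 22,  "allow"),  # shadowed by R3
    ("R5", "10.0.0.0/8",  "192.168.2.0/24",  "udp", 53,  "allow"),  # never hit in LOGS
]

LOGS = [  # constructed firewall log lines, one flow per line (hypothetical format)
    "src=10.1.5.5 dst=192.168.1.10 proto=tcp dport=443",
    "src=10.9.0.1 dst=192.168.1.10 proto=tcp dport=443",
    "src=10.2.0.7 dst=192.168.1.20 proto=tcp dport=22",
]

def covers(outer, inner):
    """True if every flow matched by `inner` is also matched by `outer`."""
    return (ip_network(inner[1]).subnet_of(ip_network(outer[1]))
            and ip_network(inner[2]).subnet_of(ip_network(outer[2]))
            and outer[3:5] == inner[3:5])  # same protocol and port

def find_dead_rules(rules):
    """Map rule id -> (kind, covering rule id) for rules that can never take effect.
    'redundant': an earlier rule matches the same flows with the same action.
    'shadowed': an earlier rule matches the same flows with a different action."""
    findings = {}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:  # only rules above can hide this one
            if covers(earlier, rule):
                kind = "redundant" if earlier[5] == rule[5] else "shadowed"
                findings[rule[0]] = (kind, earlier[0])
                break
    return findings

def matching_rule(rules, line):
    """Return the id of the first rule matching a 'key=value' log line, or None."""
    f = dict(kv.split("=") for kv in line.split())
    src, dst = ip_address(f["src"]), ip_address(f["dst"])
    for rid, rsrc, rdst, proto, port, _ in rules:
        if (src in ip_network(rsrc) and dst in ip_network(rdst)
                and proto == f["proto"] and port == int(f["dport"])):
            return rid
    return None

def rule_usage(rules, logs):
    """Hit count per rule plus the set of rules that no logged flow ever reached."""
    hits = Counter(matching_rule(rules, line) for line in logs)
    hits.pop(None, None)  # flows that matched no rule are not attributed to any
    return hits, {r[0] for r in rules} - set(hits)
```

Note that the shadowed rule R4 also shows up as unused: a rule that is never reached cannot accumulate hits, which is why usage metrics alone do not explain why a rule is dead and the coverage check is still needed.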
Just because a vulnerability exists in your network doesn’t mean that it poses a risk to your business. An effective
vulnerability management program will be context aware and consider elements specific to your network to determine
the true risk exposure. The vulnerability management program will look at the current threat landscape to determine
likely exploits. It also looks at the full network topology and considers all pathways that a vulnerability exploit might
leverage. It evaluates what assets the exploit might impact and the level of asset criticality to the business. And it
assesses the available security controls, to determine if protection is already in place or what would be the best
security control option to initiate. With this information, the vulnerability management program can provide meaningful
prioritization and remediation recommendations for vulnerabilities.
7 Next Steps
When planning your next-generation firewall migration, these best practices can help you with a smooth transition.
Of course, you will want to consider your ongoing firewall management needs as well. One of the most important
requirements is the ability to analyze your firewalls within the context of your entire network using interrelated
analysis—firewall, network, change, and vulnerability management. Firewalls cannot be viewed in a silo. And
comprehensive visibility and intelligence improves effectiveness, performance and security, overall reducing the
attack surface.
With next-generation firewalls organizations can improve network security and performance while providing more
flexibility to their business. But an effective approach to migration is important. Skybox Security research shows that
companies are taking an average of 6 ½ months to migrate from traditional to next-generation firewalls. Speeding up
this process can save on costs and improve security faster. The key is to use an effective firewall management
program that facilitates the migration process and helps ensure you don’t introduce a problem or increase the level of
risk during the migration.
Skybox Security provides the most powerful risk analytics for cyber security, giving security management and
operations the tools they need to eliminate attack vectors and safeguard business data and services. Skybox solutions
provide a context-aware view of the network and risks that drives effective vulnerability and threat management, firewall
management, and continuous compliance monitoring.
Contact your local Skybox Security representative at www.skyboxsecurity.com/contactus or download the free trial at
www.skyboxsecurity.com/trial.