Q

Audit concerns when migrating from traditional firewall to NGFW

Learn about a potential audit concern when transitioning from a traditional firewall to a next-generation firewall.

My organization is looking to transition from a traditional firewall to a next-generation firewall (NGFW), but I'm concerned about the overlap when both will be in use. Are there any inherent dangers involved with running them side-by-side during the transition? Or could there even be advantages depending on how we write our firewall policies?


I would argue that there is no harm in utilizing a traditional firewall inline with an NGFW. However, if by "side-by-side," you mean the traditional firewall protects one portion of the network and the NGFW protects another, then I would say while it doesn't necessarily harm your network, this configuration can obfuscate audit results.

In firewall-speak, the term "5-tuple" has become a major part of the lexicon. A play on words making reference to a database term for row, 5-tuple refers to the five database columns referenced in traditional firewalls: source IP, destination IP, source port, destination port and protocol. When someone uses the term "next-generation firewall," they are referring to a firewall that from an audit and logging perspective takes the 5-tuple concept to a more granular level. For example, an NGFW not only takes into account the 5-tuple, but also adds dimensions to each column such as user, application, reputation, etc.

Keeping this background information in mind, you can see why I don't necessarily admonish the use of hybrid firewall products; however, given the differences in granularity, I would argue that using them may cause difficulty when attempting to figure out why certain packets are allowed into the network while others are dropped at the enclave.

That said, NGFWs are quickly becoming the norm in many enterprises, and while there's certainly no problem with having both an NGFW and traditional firewall as inline devices on the network perimeter, I'm confident you'll quickly find that the NGFW is far more capable than your legacy firewall. Once you see it in action, you'll be itching to retire the traditional firewall as quickly as possible.

This was first published in April 2014
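The granularity gap the answer describes, as an added example that is not part of the original article or any vendor's tooling: a script that normalizes a legacy 5-tuple log and an NGFW log into one schema, then reports the 5-tuples the two devices decided differently together with the NGFW-only dimensions (user, application) that explain the difference. The log syntax, device names, addresses and users are all constructed for the example.

```python
# Added example (not from the article): normalize a legacy 5-tuple log and an
# NGFW log into one schema, then show where their decisions differ.
import re

# Constructed sample lines in a hypothetical syntax, not any vendor's format.
LEGACY_LOG = """\
fw1 ALLOW tcp 10.1.1.5:51000 -> 203.0.113.9:443
fw1 ALLOW tcp 10.1.1.5:51001 -> 203.0.113.9:443
fw1 DROP udp 10.1.1.7:5353 -> 203.0.113.9:53
"""
NGFW_LOG = """\
ngfw1 ALLOW tcp 10.1.1.5:51000 -> 203.0.113.9:443 user=alice app=web-browsing
ngfw1 DENY tcp 10.1.1.5:51001 -> 203.0.113.9:443 user=alice app=ssl-tunnel
"""

FLOW_RE = re.compile(
    r"(?P<dev>\S+) (?P<action>ALLOW|DENY|DROP) (?P<proto>\w+) "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)"
    r"(?P<extra>.*)$")

def parse(log):
    """Map each 5-tuple to the device's decision; dimensions the device
    does not log (user and app on the legacy box) stay None."""
    records = {}
    for line in log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        extra = dict(kv.split("=", 1) for kv in m["extra"].split())
        key = (m["proto"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))
        records[key] = {
            "device": m["dev"],
            # fold DENY/DROP into one verb so the two devices compare cleanly
            "action": "ALLOW" if m["action"] == "ALLOW" else "DROP",
            "user": extra.get("user"),
            "app": extra.get("app"),
        }
    return records

def reconcile(legacy, ngfw):
    """5-tuples seen by both devices with different verdicts, plus the
    NGFW-only dimensions that explain why the richer device decided differently."""
    out = {}
    for key in legacy.keys() & ngfw.keys():
        if legacy[key]["action"] != ngfw[key]["action"]:
            out[key] = {"legacy": legacy[key]["action"], "ngfw": ngfw[key]["action"],
                        "user": ngfw[key]["user"], "app": ngfw[key]["app"]}
    return out
```

Running `reconcile(parse(LEGACY_LOG), parse(NGFW_LOG))` on the constructed input flags only the second TCP/443 flow: the legacy device allowed it on the 5-tuple alone, while the NGFW dropped it because the application it identified for that user was not permitted.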