
Audit concerns when migrating from traditional firewall to NGFW

My organization is looking to transition from a traditional firewall to a next-generation firewall (NGFW), but I'm concerned about the overlap when both will be in use. Are there any inherent dangers involved with running them side-by-side during the transition? Or could there even be advantages depending on how we write our firewall policies?


I would argue that there is no harm in utilizing a traditional firewall inline with an NGFW. However, if by "side-by-side," you mean the traditional firewall protects one portion of the network and the NGFW protects another, then I would say while it doesn't necessarily harm your network, this configuration can obfuscate audit results.

In firewall-speak, the term "5-tuple" has become a major part of the lexicon. Borrowed from the database term for a row, a 5-tuple refers to the five columns a traditional firewall matches and logs on: source IP, destination IP, source port, destination port and protocol. When someone uses the term "next-generation firewall," they mean a firewall that, from an audit and logging perspective, takes the 5-tuple concept to a more granular level. An NGFW still evaluates the 5-tuple, but it adds dimensions to each decision such as user, application, reputation and so on.

Keeping this background information in mind, you can see why I don't necessarily advise against hybrid firewall deployments; however, given the difference in granularity, I would argue that using both may make it difficult to work out why certain packets are allowed into the network while others are dropped at the enclave, because the two devices record their decisions at different levels of detail.

That said, NGFWs are quickly becoming the norm in many enterprises, and while there's certainly no problem with having both an NGFW and traditional firewall as inline devices on the network perimeter, I'm confident you'll quickly find that the NGFW is far more capable than your legacy firewall. Once you see it in action, you'll be itching to retire the traditional firewall as quickly as possible.
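As an added illustration of the audit problem the answer describes (example code, not the author's), this script joins a traditional firewall's 5-tuple log with an NGFW log and lists every flow that a single log cannot explain: verdicts that differ because the NGFW used user or application context, and flows seen by only one device in a side-by-side deployment. The key=value log format and the sample lines are constructed assumptions, not any vendor's format.

```python
# Added audit helper, not code from the original answer: join a traditional
# firewall's 5-tuple log with an NGFW log to find flows one log cannot explain.
from collections import namedtuple

# The classic firewall "row": the five columns every firewall logs.
FiveTuple = namedtuple("FiveTuple", "src dst sport dport proto")

def parse_line(line: str):
    """Parse one key=value log line (an assumed format, not any vendor's).
    Returns the 5-tuple key, the action, and any NGFW-only dimensions."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    key = FiveTuple(fields["src"], fields["dst"], int(fields["sport"]),
                    int(fields["dport"]), fields["proto"])
    extra = {k: v for k, v in fields.items() if k in ("user", "app")}
    return key, fields["action"], extra

def reconcile(legacy_lines, ngfw_lines):
    """Report every flow whose verdict an auditor cannot explain from one log."""
    legacy = {key: act for key, act, _ in map(parse_line, legacy_lines)}
    seen_by_ngfw, findings = set(), []
    for key, action, extra in map(parse_line, ngfw_lines):
        seen_by_ngfw.add(key)
        legacy_action = legacy.get(key)
        if legacy_action is None:
            # Flow crossed only the NGFW segment: no legacy verdict to compare
            findings.append({"flow": key, "kind": "ngfw_only",
                             "detail": action, "context": extra})
        elif legacy_action != action:
            # Same 5-tuple, different verdict: the extra dimension decided it
            findings.append({"flow": key, "kind": "disagree", "context": extra,
                             "detail": f"legacy={legacy_action} ngfw={action}"})
    for key, action in legacy.items():
        if key not in seen_by_ngfw:
            # Flow never reached the NGFW: no user/app context exists for it
            findings.append({"flow": key, "kind": "legacy_only",
                             "detail": action, "context": {}})
    return findings

# Constructed sample logs (private and RFC 5737 documentation addresses).
LEGACY_LOG = [
    "src=10.0.1.5 dst=203.0.113.10 sport=51234 dport=443 proto=tcp action=allow",
    "src=10.0.1.7 dst=203.0.113.20 sport=51235 dport=22 proto=tcp action=deny",
    "src=10.0.1.9 dst=203.0.113.30 sport=51236 dport=80 proto=tcp action=allow",
]
NGFW_LOG = [
    "src=10.0.1.5 dst=203.0.113.10 sport=51234 dport=443 proto=tcp action=deny user=alice app=file-sharing",
    "src=10.0.1.7 dst=203.0.113.20 sport=51235 dport=22 proto=tcp action=deny user=bob app=ssh",
    "src=10.0.1.11 dst=203.0.113.40 sport=51237 dport=443 proto=tcp action=allow user=carol app=web-browsing",
]
```

Running `reconcile(LEGACY_LOG, NGFW_LOG)` on the sample yields one "disagree" finding (the legacy firewall allowed port 443, the NGFW denied it because of the application), one flow seen only by the NGFW and one seen only by the legacy device.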

This was first published in April 2014
