My organization is looking to transition from a traditional firewall to a next-generation firewall (NGFW), but I'm concerned about the overlap when both will be in use. Are there any inherent dangers involved with running them side-by-side during the transition? Or could there even be advantages depending on how we write our firewall policies?
Ask the expert
I would argue that there is no harm in utilizing a traditional firewall inline with an NGFW. However, if by "side-by-side" you mean the traditional firewall protects one portion of the network and the NGFW protects another, then I would say that while it doesn't necessarily harm your network, this configuration can obfuscate audit results.
In firewall-speak, the term "5-tuple" has become a major part of the lexicon. The term is a play on words referencing the database term for a row: 5-tuple refers to the five database columns referenced in traditional firewalls: source IP, destination IP, source port, destination port and protocol. When someone uses the term "next-generation firewall," they are referring to a firewall that, from an audit and logging perspective, takes the 5-tuple concept to a more granular level. For example, an NGFW not only takes into account the 5-tuple, but also adds dimensions to each column such as user, application, reputation, etc.
Keeping this background information in mind, you can see why I don't necessarily admonish the use of hybrid firewall products; however, given the differences in granularity, I would argue that using them may cause difficulty when attempting to figure out why certain packets are allowed into the network while others are dropped at the enclave.
That said, NGFWs are quickly becoming the norm in many enterprises, and while there's certainly no problem with having both an NGFW and traditional firewall as inline devices on the network perimeter, I'm confident you'll quickly find that the NGFW is far more capable than your legacy firewall. Once you see it in action, you'll be itching to retire the traditional firewall as quickly as possible.
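The granularity gap the answer describes can be made concrete with a small model. The following is an added example, not code from the original Q&A or from any firewall vendor: it evaluates the same flows against a constructed traditional 5-tuple policy and a constructed NGFW policy that adds user, application and reputation dimensions, then reports where the two verdicts disagree. All rule names, addresses, users and application labels are constructed for illustration.

```python
"""Added example: why a 5-tuple policy and an NGFW policy give different
verdicts for the same traffic, and how to surface the disagreements for audit.
All rules, flows and labels below are constructed, not taken from a real policy."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Dimensions that only an NGFW evaluates; a traditional firewall ignores them.
NGFW_FIELDS = ("user", "application", "reputation")


@dataclass(frozen=True)
class Flow:
    """One connection as seen by the firewall. The last three fields are the
    extra NGFW dimensions layered on top of the classic 5-tuple."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str                    # "tcp" or "udp"
    user: Optional[str] = None
    application: Optional[str] = None
    reputation: Optional[str] = None  # "good" / "bad" / None (unknown)


@dataclass(frozen=True)
class Rule:
    """A policy entry. None means 'any' for that column."""
    name: str
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    user: Optional[str] = None
    application: Optional[str] = None
    reputation: Optional[str] = None

    def matches(self, flow: Flow, ngfw: bool) -> bool:
        # Classic 5-tuple match (source port is left as 'any' here, as most
        # outbound rules do in practice).
        if ip_address(flow.src_ip) not in ip_network(self.src):
            return False
        if ip_address(flow.dst_ip) not in ip_network(self.dst):
            return False
        if self.dst_port is not None and flow.dst_port != self.dst_port:
            return False
        if self.protocol is not None and flow.protocol != self.protocol:
            return False
        if not ngfw:
            # A traditional firewall cannot see these columns at all, so a rule
            # constrained only by them degrades to a 5-tuple match on the rest.
            return True
        return all(
            getattr(self, field) is None or getattr(self, field) == getattr(flow, field)
            for field in NGFW_FIELDS
        )


def evaluate(rules: List[Rule], flow: Flow, ngfw: bool) -> Tuple[str, str]:
    """First-match evaluation with an implicit deny; returns (action, rule name)."""
    for rule in rules:
        if rule.matches(flow, ngfw):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed policies. The legacy device can only say "443/tcp out is fine";
# the NGFW can say "443/tcp out is fine only if it is actually web browsing
# and the destination has no bad reputation".
TRADITIONAL_POLICY = [
    Rule("allow-web", "allow", src="10.0.0.0/8", dst_port=443, protocol="tcp"),
    Rule("allow-dns", "allow", src="10.0.0.0/8", dst_port=53, protocol="udp"),
]
NGFW_POLICY = [
    Rule("block-bad-reputation", "deny", src="10.0.0.0/8", reputation="bad"),
    Rule("allow-browsing", "allow", src="10.0.0.0/8", dst_port=443,
         protocol="tcp", application="web-browsing"),
    Rule("allow-dns", "allow", src="10.0.0.0/8", dst_port=53,
         protocol="udp", application="dns"),
]

# Constructed sample flows (RFC 5737 documentation addresses as destinations).
FLOWS: Dict[str, Flow] = {
    "browsing": Flow("10.1.2.3", "203.0.113.10", 51000, 443, "tcp",
                     user="alice", application="web-browsing", reputation="good"),
    "file-sharing-on-443": Flow("10.1.2.4", "203.0.113.20", 51001, 443, "tcp",
                                user="bob", application="file-sharing", reputation="good"),
    "dns-to-bad-host": Flow("10.1.2.5", "198.51.100.7", 51002, 53, "udp",
                            user="carol", application="dns", reputation="bad"),
    "ssh": Flow("10.1.2.6", "203.0.113.30", 51003, 22, "tcp",
                user="dave", application="ssh", reputation="good"),
}


def audit(flow: Flow) -> Dict[str, object]:
    """Run one flow through both policies and flag verdicts that disagree.
    Disagreements are exactly the cases an auditor has to explain by hand."""
    traditional = evaluate(TRADITIONAL_POLICY, flow, ngfw=False)
    ngfw = evaluate(NGFW_POLICY, flow, ngfw=True)
    return {"traditional": traditional, "ngfw": ngfw,
            "agree": traditional[0] == ngfw[0]}


if __name__ == "__main__":
    for label, flow in FLOWS.items():
        result = audit(flow)
        flag = "" if result["agree"] else "  <-- verdicts differ"
        print(f"{label:22s} traditional={result['traditional']}  ngfw={result['ngfw']}{flag}")
```

Two outcomes are worth noting. Traffic on 443/tcp that is not web browsing, and DNS to a destination with a bad reputation, pass the legacy policy and fail the NGFW policy, so a log review that mixes both devices sees the same 5-tuple allowed in one place and dropped in another. Evaluating the NGFW policy in 5-tuple mode (`evaluate(NGFW_POLICY, flow, ngfw=False)`) shows the opposite hazard: a rule constrained only by reputation collapses into a match on everything from 10.0.0.0/8, so NGFW rules cannot simply be copied onto a device that lacks those columns.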