
Audit concerns when migrating from traditional firewall to NGFW

Learn about a potential audit concern when transitioning from a traditional firewall to a next-generation firewall.

My organization is looking to transition from a traditional firewall to a next-generation firewall (NGFW), but I'm concerned about the overlap when both will be in use. Are there any inherent dangers involved with running them side-by-side during the transition? Or could there even be advantages depending on how we write our firewall policies?


I would argue that there is no harm in utilizing a traditional firewall inline with an NGFW. However, if by "side-by-side," you mean the traditional firewall protects one portion of the network and the NGFW protects another, then I would say while it doesn't necessarily harm your network, this configuration can obfuscate audit results.

In firewall-speak, the term "5-tuple" has become a major part of the lexicon. A play on "tuple," the database term for a row, the 5-tuple refers to the five columns a traditional firewall evaluates: source IP, destination IP, source port, destination port and protocol. When someone uses the term "next-generation firewall," they are referring to a firewall that, from an audit and logging perspective, takes the 5-tuple concept to a more granular level. For example, an NGFW not only takes the 5-tuple into account but also adds dimensions to each column, such as user, application and reputation.

Keeping this background information in mind, you can see why I don't necessarily discourage the use of hybrid firewall deployments; however, given the differences in granularity, I would argue that using them may cause difficulty when attempting to figure out why certain packets are allowed into the network while others are dropped at the enclave.

That said, NGFWs are quickly becoming the norm in many enterprises, and while there's certainly no problem with having both an NGFW and traditional firewall as inline devices on the network perimeter, I'm confident you'll quickly find that the NGFW is far more capable than your legacy firewall. Once you see it in action, you'll be itching to retire the traditional firewall as quickly as possible.
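The audit difficulty the answer describes, as an added example that is not part of the original answer and not any vendor's code: a small normalizer that reads log lines from a traditional 5-tuple firewall and from an NGFW, keys both on the 5-tuple, and reports per flow which device made the final allow/drop decision and on what evidence. The key=value log format, the device names (fw-legacy, ngfw-edge) and the sample log lines are constructed for this example; real products log differently and would need their own parser.

```python
"""Normalize traditional (5-tuple) and NGFW firewall logs into one schema and
explain, per flow, which device allowed or dropped it and on what evidence.

Added example, not the expert's or any vendor's code. The log format
('<timestamp> <device> key=value ...'), the field names and the sample lines
below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (proto, src, dst, sport, dport): the columns a traditional firewall evaluates
FiveTuple = Tuple[str, str, str, int, int]


@dataclass
class FlowRecord:
    ts: str
    device: str
    action: str                     # "ALLOW" or "DENY"
    tup: FiveTuple
    # NGFW-only dimensions; all None when a traditional firewall wrote the line
    user: Optional[str] = None
    app: Optional[str] = None
    reputation: Optional[str] = None

    def is_ngfw(self) -> bool:
        return any(v is not None for v in (self.user, self.app, self.reputation))


def parse_line(line: str) -> FlowRecord:
    """Parse one '<ts> <device> k=v k=v ...' line (assumed format) into a FlowRecord."""
    ts, device, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    tup = (kv["proto"].lower(), kv["src"], kv["dst"], int(kv["sport"]), int(kv["dport"]))
    return FlowRecord(ts=ts, device=device, action=kv["action"].upper(), tup=tup,
                      user=kv.get("user"), app=kv.get("app"),
                      reputation=kv.get("reputation"))


def correlate(lines: List[str]) -> Dict[FiveTuple, List[FlowRecord]]:
    """Group records from every device by 5-tuple, oldest first (stable sort keeps
    same-timestamp lines in file order, i.e. the order the devices sit inline)."""
    flows: Dict[FiveTuple, List[FlowRecord]] = {}
    for line in lines:
        rec = parse_line(line)
        flows.setdefault(rec.tup, []).append(rec)
    for recs in flows.values():
        recs.sort(key=lambda r: r.ts)
    return flows


def explain(recs: List[FlowRecord]) -> dict:
    """Reduce one flow's records to an audit verdict.

    A DENY by any device on the path is final: a legacy firewall that ALLOWs on
    the 5-tuple followed by an inline NGFW that DENYs on user/app/reputation
    means the packet never reached its destination. The first DENY is therefore
    the deciding record; otherwise the last device to see the flow is."""
    denies = [r for r in recs if r.action == "DENY"]
    decider = denies[0] if denies else recs[-1]
    evidence = ["5-tuple"]
    for name in ("user", "app", "reputation"):
        value = getattr(decider, name)
        if value is not None:
            evidence.append(f"{name}={value}")
    return {
        "verdict": decider.action,
        "decided_by": decider.device,
        "evidence": evidence,
        "devices_seen": [r.device for r in recs],
        # True when the flow only crossed a traditional firewall: the auditor
        # has nothing beyond the 5-tuple to explain the decision
        "only_5tuple_evidence": not any(r.is_ngfw() for r in recs),
    }


def audit_report(lines: List[str]) -> Dict[FiveTuple, dict]:
    return {tup: explain(recs) for tup, recs in correlate(lines).items()}


# Constructed sample logs (not real captures). Flow A crosses both inline
# devices; flow B lives on a segment only the legacy firewall protects; flow C
# is seen only by the NGFW.
SAMPLE_LOGS = [
    "2014-04-10T10:01:02Z fw-legacy action=ALLOW proto=tcp src=10.1.1.5 sport=51234 dst=203.0.113.10 dport=443",
    "2014-04-10T10:01:02Z ngfw-edge action=DENY proto=tcp src=10.1.1.5 sport=51234 dst=203.0.113.10 dport=443 user=alice app=ssl reputation=malicious",
    "2014-04-10T10:02:15Z fw-legacy action=ALLOW proto=udp src=10.2.2.9 sport=40000 dst=198.51.100.53 dport=53",
    "2014-04-10T10:03:40Z ngfw-edge action=ALLOW proto=tcp src=10.1.1.7 sport=50001 dst=198.51.100.20 dport=80 user=bob app=web-browsing reputation=benign",
]

if __name__ == "__main__":
    for tup, verdict in audit_report(SAMPLE_LOGS).items():
        print(tup, verdict)
```

Running the block over the constructed lines shows the two situations the answer distinguishes: flow A is dropped by the NGFW after the legacy firewall allowed it, and the report names the reputation dimension that explains the drop, while flow B carries only 5-tuple evidence because it never crossed the NGFW. A real deployment would replace parse_line with per-product parsers and feed both devices' syslog into the same correlation step so an auditor sees one verdict per flow rather than two logs of different granularity.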

This was last published in April 2014
