My organization is looking to transition from a traditional firewall to a next-generation firewall (NGFW), but I'm concerned about the overlap when both will be in use. Are there any inherent dangers involved with running them side-by-side during the transition? Or could there even be advantages depending on how we write our firewall policies?
I would argue that there is no harm in utilizing a traditional firewall inline with an NGFW. However, if by "side-by-side," you mean the traditional firewall protects one portion of the network and the NGFW protects another, then I would say while it doesn't necessarily harm your network, this configuration can obfuscate audit results.
In firewall-speak, the term "5-tuple" has become a major part of the lexicon. A play on words making reference to a database term for row, 5-tuple refers to the five database columns referenced in traditional firewalls: source IP, destination IP, source port, destination port and protocol. When someone uses the term "next-generation firewall," they are referring to a firewall that from an audit and logging perspective takes the 5-tuple concept to a more granular level. For example, an NGFW not only takes into account the 5-tuple, but also adds dimensions to each column such as user, application, reputation, etc.
Keeping this background information in mind, you can see why I don't necessarily admonish the use of hybrid firewall products; however, given the differences in granularity, I would argue that using them may cause difficulty when attempting to figure out why certain packets are allowed into the network while others are dropped at the enclave.
That said, NGFWs are quickly becoming the norm in many enterprises, and while there's certainly no problem with having both an NGFW and traditional firewall as inline devices on the network perimeter, I'm confident you'll quickly find that the NGFW is far more capable than your legacy firewall. Once you see it in action, you'll be itching to retire the traditional firewall as quickly as possible.
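As an added example (not part of the original answer), a small Python model of the inline arrangement described above: a 5-tuple legacy firewall chained with an NGFW whose rules also key on user and application, producing a per-device decision trail so an auditor can see which device dropped a flow and on which rule. The rule names, addresses and application labels are constructed for illustration.

```python
# Added example: a 5-tuple firewall chained inline with an NGFW that adds user and
# application dimensions; the trail shows which device and rule decided a flow's fate.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    user: Optional[str] = None  # NGFW-only dimension
    app: Optional[str] = None   # NGFW-only dimension

@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    match: dict   # flow field -> required value ("any" acts as a wildcard)

    def matches(self, flow: Flow) -> bool:
        return all(v == "any" or getattr(flow, k) == v for k, v in self.match.items())

def evaluate(rules, flow, default="deny"):
    """First-match policy evaluation; returns (action, rule_name)."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return default, "implicit-default"

def trace_inline(devices, flow):
    """Pass a flow through each inline device in order, stopping at the first
    deny; the returned trail tells an auditor which device made the decision."""
    trail = []
    for name, rules in devices:
        action, rule = evaluate(rules, flow)
        trail.append((name, action, rule))
        if action == "deny":
            break
    return trail

# Constructed sample policies (hypothetical rule names and values).
LEGACY = [Rule("allow-web", "allow", {"dst_port": 443, "proto": "tcp"})]
NGFW = [
    Rule("deny-file-sharing", "deny", {"dst_port": 443, "proto": "tcp", "app": "file-sharing"}),
    Rule("allow-browsing", "allow", {"dst_port": 443, "proto": "tcp", "app": "web-browsing"}),
]
DEVICES = [("legacy", LEGACY), ("ngfw", NGFW)]
```

A flow to TCP/443 that the legacy device allows on its 5-tuple can still be dropped by the NGFW on the application dimension, which is exactly the kind of result that is hard to explain when only one device's logs are consulted.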