Do’s and Don’ts of Deploying Next-Gen Firewalls

Application-aware functionality isn’t suitable for every network.

Do's

1. Do use next-gen firewalls to protect organizational users. Because next-generation firewalls build policy around who is using the network and which application they are using, rather than only addresses and ports, network managers get much finer control over which applications can and can't be run, and by whom. On the user side of the network, that is exactly where visibility and control matter most.

2. Do deploy next-gen firewalls to secure wireless guest networks. Most guests will be well behaved, but these appliances can identify and block unwelcome behavior, such as attempts to evade security controls or violations of the acceptable-use policy. Because the products are "user-aware," they can separate guests from staff members carrying mobile devices on the same wireless network, giving less access to the former and more to the latter.

3. Do replace aging secure web gateways with next-gen firewalls. The proxy server market existed because traditional firewalls couldn't do a good job of controlling applications and users, yet proxies were always difficult for IT teams to integrate into the network. Next-gen firewalls now include the most important features of secure web gateways, so most network managers can get by with fewer devices to purchase, configure and support.

Don'ts

1. Don't use next-gen firewalls to protect organizational servers. Server traffic is address- and port-centric: the set of legitimate clients and services is known in advance, so a plain address/port rule base already expresses the policy, and the additional power of application- and user-aware features is wasted there. Worse, the performance impact and the potential for false positives make next-gen features costly in terms of both management and hardware.

2. Don't use next-gen firewalls for virtual private networks, unless the firewall in question was designed as an enterprise-ready VPN. The newer next-gen products and small and medium-sized business firewalls with advanced features tend to have primitive VPN capabilities and management tools. For any but the simplest VPN tasks, network managers will find that keeping next-gen application controls separate from remote-access and site-to-site VPNs is the most manageable solution.

3. Don't use the application control features of next-gen firewalls where no false negatives or false positives can be tolerated. Because next-gen models rely on heuristics and signatures to identify applications, they will never be 100 percent accurate. Some applications, especially crafty ones such as Skype and BitTorrent that change ports or wrap their traffic in encryption, will get through, and some legitimate applications will be misidentified and blocked. When protecting users, an occasional error in blocking an application is to be expected, and early tools in particular did a poor job of identifying applications. But when protecting servers, any false positive interrupts legitimate traffic, so next-generation application control features should not be enabled there.
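The trade-off behind Do #1 and Don'ts #1 and #3 can be seen in a few lines of code. The following is an added example written for this page, not code from the author or from any firewall vendor: it pairs a deliberately simplified application-identification engine (a BitTorrent handshake signature, an HTTP request-line signature, a TLS ClientHello signature and a port-based fallback) with a user policy built on the identified application and a server policy built only on addresses and ports. The flows, the signatures, the policy tables and the user names are all constructed for illustration.

```python
"""Toy application identification, to show why heuristics misfire.

Added example for this page. The signatures are simplified stand-ins for a
real engine's; every flow below is a constructed sample, not captured data.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Flow:
    src: str            # client IP
    dst: str            # server IP
    dport: int          # destination TCP port
    payload: bytes      # first bytes sent by the client
    user: str = ""      # identity from the directory; "" means unknown (guest)


# --- heuristic application identification (the "next-gen" part) ----------

# TLS ClientHello: record type 0x16 (handshake), version 3.x, 2-byte length,
# then handshake type 0x01.
TLS_CLIENT_HELLO = re.compile(rb"\A\x16\x03[\x00-\x03].{2}\x01", re.DOTALL)
# Unencrypted BitTorrent peer handshake starts with a 19-byte protocol name.
BT_HANDSHAKE = re.compile(rb"\A\x13BitTorrent protocol")
# Plain HTTP request line.
HTTP_REQUEST = re.compile(rb"\A(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")
BT_PORTS = range(6881, 6890)   # classic BitTorrent listening ports


def identify_app(flow: Flow) -> str:
    """Best-effort guess at the application carrying this flow."""
    if BT_HANDSHAKE.match(flow.payload):
        return "bittorrent"
    if HTTP_REQUEST.match(flow.payload):
        return "web-browsing"
    if TLS_CLIENT_HELLO.match(flow.payload):
        # The engine cannot see inside TLS; it only knows "some TLS" and
        # leans on the port to name it.
        return "ssl" if flow.dport == 443 else "ssl-nonstandard"
    if flow.dport in BT_PORTS:
        # Port-based fallback: anything unrecognised on a torrent port is
        # assumed to be BitTorrent.
        return "bittorrent"
    return "unknown"


# --- user-facing policy: who may run what ---------------------------------

USER_POLICY = {
    # app            : users allowed (None = everyone, guests included)
    "web-browsing": None,
    "ssl": None,
    "bittorrent": set(),          # nobody
    "unknown": {"netadmin"},      # only admins may run unidentified apps
}


def user_policy_decision(flow: Flow) -> str:
    app = identify_app(flow)
    allowed = USER_POLICY.get(app, set())
    return "allow" if allowed is None or flow.user in allowed else "block"


# --- server-facing policy: plain address/port ACL, no heuristics ----------

SERVER_ACL = [
    # (source network, destination host, destination port)
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_address("10.20.0.5"), 6881),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("10.20.0.6"), 443),
]


def server_acl_decision(flow: Flow) -> str:
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for net, host, port in SERVER_ACL:
        if src in net and dst == host and flow.dport == port:
            return "allow"
    return "block"


# --- constructed sample flows ----------------------------------------------

# Shape of a TLS ClientHello prefix; bytes after the handshake type are filler.
TLS_HELLO = b"\x16\x03\x01\x00\xf5\x01\x00\x00\xf1\x03\x03" + b"\x00" * 32

SAMPLES = {
    # Staff web browsing: identified correctly, allowed.
    "staff_browsing": Flow("10.1.1.10", "93.184.216.34", 80,
                           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", user="alice"),
    # A peer-to-peer client tunnelled inside TLS to port 443: looks like
    # ordinary HTTPS, so it is allowed. False negative.
    "evasive_torrent": Flow("10.1.1.11", "198.51.100.7", 443, TLS_HELLO, user="bob"),
    # Unencrypted torrent peer on a random high port: caught by the signature.
    "plain_torrent": Flow("10.1.1.12", "198.51.100.8", 51413,
                          b"\x13BitTorrent protocol" + b"\x00" * 8, user="bob"),
    # In-house batch service on port 6881 with its own binary framing: the
    # port heuristic calls it BitTorrent and blocks it. False positive. The
    # address/port ACL, which knows nothing about applications, allows it.
    "internal_batch": Flow("10.5.0.2", "10.20.0.5", 6881,
                           b"\x00\x01JOBQ\x00\x00\x00\x10" + b"\xaa" * 16),
}


def evaluate_all() -> dict:
    """Run every sample through both policies: {name: (app, user, server)}."""
    return {name: (identify_app(f), user_policy_decision(f), server_acl_decision(f))
            for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (app, user_dec, srv_dec) in evaluate_all().items():
        print(f"{name:16} app={app:14} user-policy={user_dec:5} server-acl={srv_dec}")
```

The two misfires are the point: the tunnelled client is waved through as "ssl" because the engine has to guess once the payload is encrypted, and the internal service is cut off because an unrecognised protocol on a torrent port is guessed to be BitTorrent. On the user segment that is an acceptable cost for the extra control; on the server segment the address/port rule gives a deterministic answer and the heuristic only adds a way to break legitimate traffic.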

About the Author

Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Dr. Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.
