NFGWs have some great capabilities but many organizations are only benefitting from a limited set of features. Why? Because organizations are worried they will impact business performance by slowing down traffic if they turn on too many capabilities or are simply too over-stretched handling a growing list of daily security tasks.
With organizations taking up to 206 days on average to discover a breach and the average cost of cybercrime globally now at $11.7 million per organization, according to the Ponemon Institute, the proactive use of a NGFW has never been more of a critical issue.
The role of NGFWs
Gartner refers to NFGWs as “deep packet inspection firewalls”. They go beyond port/protocol examination to add application level inspection to include threat emulation, intrusion detection system/intrusion prevention system (IDS/IPS) and the ability to use external intelligence outside the firewall, for example, along with all the capabilities of traditional firewalls.
NFGWs help organizations to protect their networks, endpoints and applications from malicious attacks, including advanced persistent threats (APTs), zero-day attacks, malware, ransomware and unauthorized access. But it is not a case of installing NFGWs and leaving them to do the job. They need to be continually managed, monitored and updated throughout their lifecycle to work effectively.
NGFWs, unlike IT security point solutions, come with a single vendor, architecture and management controls, designed to provide greater flexibility and agility together with faster threat screening and administration processes when it comes to deployment and troubleshooting. Properly deployed and proactively managed, NFGWs can provide comprehensive network visibility, cut complexity and automate management tasks, creating efficiencies and reducing costs.
The challenges of NGFWs
However, a shortage of skilled IT professionals, together with advancing threats and growing data throughputs, are stretching IT departments to the maximum. Vendors such as Fortinet are continually updating features, and it can be difficult for IT teams to keep on top of what they should be implementing.
Setting up micro segmentation, for example, is a significant project. Also referred to as a network segmentation or an internal firewall, it is used to protect key departments, like R&D, or provide an extra layer of protection to databases storing sensitive data. By implementing boundaries, enterprises can stop attacks spreading and compromising the whole network.
Micro segmentation needs to be based on a sound business-focused security strategy. No amount of technology can replace the critical work of evaluating the most important business-critical assets that need to be protected. A third-party consultant can help by carrying out a full risk analysis and map the connections between applications, workloads and environments.
One of the biggest tasks facing IT administrators is keeping on top of which applications should be blocked and which applications employees are allowed to access – a significant task in light of the dizzying array of cloud and Shadow IT services employees routinely access.
Data encryption is also a key topic. If an enterprise doesn’t use its NGFW to decrypt encrypted Secure Socket Layer (SSL), Transport Layer Security (TLS), and Secure Shell (SSH) traffic, it can be a major blind spot. A massive 70 percent of malicious binaries now use some encryption and 50 percent of global traffic is now encrypted according to the Cisco 2018 Cybersecurity Report. TLS inspections within a NGFW provide a lightweight data loss prevention (DLP) tool which decrypts and inspect outbound traffic to ensure that sensitive data is not wrongly sent out.
Of course, the NGGW’s configuration needs to be optimized from the outset, otherwise performance will be impaired. It is worthwhile checking errors have not been introduced from a previous firewall through the use of auto-migration tools. Getting a third party to give all the settings a health check can be really beneficial as there is always the risk of human fallibility.
Periodically, the enterprise will need to access a report on the sizing and usage of its NGFW solution to ensure it is able to deal with the changing volumes of traffic within its business. One key concern is whether you’re getting the advertised throughput of your NGFW.
NSS Labs, an independent validation center for NGFWs, notes that the throughput of firewalls could be up to 80 percent less than the advertised rate for some vendors in real-world environments. It’s something that Orange believes is really important and one of the reasons why we work with Fortinet, which has received its fourth consecutive NFGW NSS recommendation, based on security effectiveness, performance and value.
Tests show our NGFWs achieve their rated throughput and are the only advanced threat protection solution recommended from the edge to the endpoint. But we still double check by running regular tests on the deployed NGFW to ensure it has the spare capacity to deal with an attack.
Looking to the future, NGFWs are an excellent way to secure growing volumes of IoT traffic but customers need to set new policies and validate existing ones to truly make it work effectively. Adversaries are already exploiting security weaknesses in IoT devices to gain access to systems – including industrial control systems that support critical infrastructure.
Assistance in managing an NGFW
Given the somewhat demanding requirements of NFGWs, some organizations are choosing to go down the co-managed NFGW route. Organizations can benefit from teaming with NFGW experts, who benefit from economies of scale, an up-to-date knowledge of regulation and compliance, 24/7 support, faster response to incident and access to highly trained security teams.
Our Flexible Security Platform, for example, uses Fortinet firewall virtualization technology and provides an end-to-end service, covering installation, supervision and operational maintenance. A dedicated intuitive web portal and pay-per-use services enables the user to retain control. Features can be activated and deactivated as required. We have integrated this service in our network, so customers can upgrade and downgrade functionality and even bandwidth literally on the click of a button - maximizing efficiency and effectiveness while minimizing cost.
The next step will be the adoption of universal Customer Premise Equipment (uCPE) – a single box that can run a virtualized NFGW, alongside other application optimization and traffic acceleration functions, on demand, providing an innovative platform for virtualized services.
NFGWs: no-longer an option
Every enterprise today needs an NFGW in one form or another. Traditional security methods don’t have the granularity or segmentation to adequately protect data from current and emerging attacks.
The DIY route to NFGW can be difficult and complex. A co-managed option undoubtedly takes the stress out of protecting your critical business assets, providing access to experts on tap. But, whichever option you decide on a properly configured NGFW will substantially reduce your threat vectors.
Peter Franken has been working in IT security since over 30 years. As security researcher and consultant he worked for the Dutch government, developed the architecture of a NATO military project, participated in European security studies and helped to secure commercial organizations. He has been one of the original authors of product evaluation criteria (the Common Criteria), and provided masterclasses on IT security (post graduate).