
Best Practices

Best Practices for Migrating to Next-Generation Firewalls

Next-generation firewalls provide granular access control based on the user, application, and content layers. These
firewalls can distinguish between different types of application traffic, eliminating the all-or-nothing traffic approach of
traditional firewalls. Next-generation firewalls also provide capabilities such as intrusion prevention system (IPS)
signatures and deep packet inspection for additional attack protection. Next-generation firewalls enable organizations
to provide protection while still enabling the business.

But migrating from traditional to next-generation firewalls can be tedious. The process starts by looking at your existing
firewall infrastructure. Then rules need to be configured based on the granular controls offered by next-generation
firewalls. Once the rule sets are in place, organizations can start to use the more advanced security options, like IPS.

Here are six steps to ensure a smooth migration from traditional firewalls to next-generation firewalls.

1 Normalize Data for Consistent Firewall Migration


Overlapping next-generation firewalls with the existing traditional firewalls is the first step in the migration. During
this time, IT security teams will need to manage across both of these firewall types. Often there are multiple firewall
vendors. To accommodate, you must first normalize data across these different firewall types and vendors, and across
network devices to simplify and enable management.

Normalizing data removes vendor-specific language and provides a consolidated view across multiple vendor rule
sets based on a common language. This allows you to compare results and act on the data in a consistent manner.
Using a firewall management solution that normalizes data is a good starting place for migration, better enabling you
to consolidate management and transition rule sets.

2 Take a Network-Wide View of Your Firewalls for Consistent Control


When implementing next-generation firewalls, administrators need to analyze their firewalls within the context of the
entire network. A firewall management solution should provide a topology view that shows how firewalls would behave
within the network as a whole.

Organizations should first look at how their current traditional firewalls impact their overall network, and then begin
folding in next-generation firewalls in a way that delivers protection and flexibility that meets or exceeds what their
traditional firewalls provided.

With a holistic network view, you can analyze access paths, troubleshoot connectivity issues in seconds, and
remediate misconfigurations where needed.

Network visibility is essential to make use of the more granular capabilities of next-generation firewalls. For example,
next-generation firewall policies provide the flexibility to divide the network into different segment zones, such
as external, DMZ, etc. Each zone represents a different trust level in the network. With topology visibility and
intelligence, firewall rules can be analyzed across different zones to ensure the right level of protection is being deployed.

3 Clean Up Your Rule Sets for Improved Performance and Security

Odds are that your traditional firewall rule sets have grown over time, likely becoming unruly. Rule sets often
include redundant rules or shadow rules, which are blocked by another rule or not used. Due to the granularity of
next-generation firewalls, it is critical that you clean up your rule sets prior to migrating to next-generation firewalls.
Optimizing your rule sets will improve performance and security.

An effective firewall management solution should clearly explain the recommendations for removing redundant and
shadow rules, providing the detail behind the recommendation and giving administrators the confidence to remove these
unnecessary rules. Rule usage analysis is also helpful. Firewall rule log data can be imported to create rule and object
usage metrics and determine which rules are used, not used, or contain unused objects. With this review, administrators
may find that some rules can be narrowed, which tightens access and security.
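As an added illustration of steps 1 and 3 (this is not code from the paper or from any Skybox product), the following Python normalizes rules written in two constructed vendor syntaxes into one common form, then flags rules that can never match under first-match evaluation: a covered rule with the same action is redundant, one with a different action is shadowed. The vendor formats, sample addresses and function names are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

@dataclass(frozen=True)
class Rule:
    action: str          # common vocabulary: "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    port: int
    text: str            # original vendor line, kept for the audit trail

def normalize(vendor: str, line: str) -> Rule:
    """Translate one vendor-specific rule line into the common Rule form."""
    if vendor == "A":                      # hypothetical "permit|deny SRC DST PORT" syntax
        act, src, dst, port = line.split()
        action = {"permit": "allow", "deny": "deny"}[act]
    elif vendor == "B":                    # hypothetical "action=.. src=.. dst=.. svc=tcp/PORT"
        kv = dict(tok.split("=", 1) for tok in line.split())
        action, src, dst = kv["action"], kv["src"], kv["dst"]
        port = kv["svc"].split("/")[1]
    else:
        raise ValueError(f"unknown vendor {vendor!r}")
    return Rule(action, ip_network(src), ip_network(dst), int(port), line)

def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet that matches `later` already matched `earlier`."""
    return (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
            and earlier.port == later.port)

def find_dead_rules(rules):
    """Return (index, 'redundant'|'shadowed', covering_index) for unreachable rules."""
    findings = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if covers(rules[j], rule):
                kind = "redundant" if rules[j].action == rule.action else "shadowed"
                findings.append((i, kind, j))
                break   # first-match: the earliest covering rule is the one that wins
    return findings

# Constructed sample rule sets in two made-up vendor syntaxes (not real products).
VENDOR_A = [
    "permit 10.1.0.0/16 192.168.5.10/32 443",
    "deny 10.1.2.0/24 192.168.5.10/32 443",     # never reached: allowed by the rule above
    "permit 0.0.0.0/0 192.168.9.0/24 22",
]
VENDOR_B = [
    "action=allow src=10.2.0.0/16 dst=192.168.5.0/24 svc=tcp/443",
    "action=allow src=10.2.7.0/24 dst=192.168.5.10/32 svc=tcp/443",  # duplicate of the rule above
]
```

Run `find_dead_rules([normalize("A", l) for l in VENDOR_A])` to get the findings for one firewall; the `text` field carries the original line so each recommendation can be traced back to the vendor rule it came from.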

4 Use Change Management to Migrate with Confidence


Firewall change management what-if modeling allows you to see the impact a change will have before actually
implementing that change. Changes are conducted in a virtual sandbox to determine what effect they will have on the
network. With this approach, you can see if solely relying on your next-generation firewalls will cause security gaps,
limit availability, or take the organization out of compliance. You can then make any needed changes before actual
implementation.

An end-to-end change management system can also help with the workflow needed during the migration process. A
complete change workflow system enables your team to continuously monitor planned changes, assess risks, and
centrally manage all firewall change requests. The workflow system should also provide a complete audit trail with
assessment planning and verification of all change requests. This tracking may be needed for change analysis or for
regulations that require change history.

One organization deployed next-generation firewalls but was hesitant to turn off the traditional firewalls for fear that
the next-generation firewall wouldn't truly provide the same level of protection. They overlapped the two types of
firewalls for more than a year. They implemented a firewall change management program with what-if modeling, which
allowed them to identify and remediate any issues. They were able to confidently turn off their traditional firewalls,
reducing security and compliance cost and maintenance.

5 Target Advanced Features to Prevent Attacks


Almost all organizations plan to use the IPS capabilities of their next-generation firewalls, and almost 2/3 plan to use
it in active protection mode, according to a survey conducted by Skybox Security. However, turning on all of your
IPS signatures can limit network performance and may introduce other network impacts. Instead, if you pair your
next-generation firewall IPS capabilities with a vulnerability management program, you can use targeted IPS
signature deployment that helps to preserve performance and minimize IPS signature management.

Just because a vulnerability exists in your network doesn't mean that it poses a risk to your business. An effective
vulnerability management program will be context aware and consider elements specific to your network to determine
the true risk exposure. The vulnerability management program will look at the current threat landscape to determine
likely exploits. It also looks at the full network topology and considers all pathways that a vulnerability exploit might
leverage. It evaluates what assets the exploit might impact and the level of asset criticality to the business. And it
assesses the available security controls, to determine if protection is already in place or what would be the best
security control option to initiate. With this information, the vulnerability management program can provide meaningful
prioritization and remediation recommendations for vulnerabilities.



When this type of vulnerability management program is paired with a next-generation firewall IPS and firewall
management program, the collective process can recommend targeted IPS signatures for pertinent risks when IPS is the
best security control option. This limits the number of active IPS signatures in use and improves network performance.

6 Automate Firewall Management


Simply put, automation is essential for all of these elements of firewall management. With each firewall there can be
thousands of rules that impact thousands of objects with hundreds of changes made every month. Manual firewall
management is unsustainable. Organizations need to be able to audit firewalls on demand for compliance and
conduct on-going assessments for optimal security.

7 Next Steps

When planning your next-generation firewall migration, these best practices can help you with a smooth transition.
Of course, you will want to consider your ongoing firewall management needs as well. One of the most important
requirements is the ability to analyze your firewalls within the context of your entire network using interrelated
analysis: firewall, network, change, and vulnerability management. Firewalls cannot be viewed in a silo. And
comprehensive visibility and intelligence improve effectiveness, performance, and security, reducing the overall
attack surface.

With next-generation firewalls organizations can improve network security and performance while providing more
flexibility to their business. But an effective approach to migration is important. Skybox Security research shows that
companies are taking an average of 6 months to migrate from traditional to next-generation firewalls. Speeding up
this process can save on costs and improve security faster. The key is to use an effective firewall management
program that facilitates the migration process and helps ensure you don't introduce a problem or increase the level of
risk during the migration.

Skybox Security provides the most powerful risk analytics for cyber security, giving security management and
operations the tools they need to eliminate attack vectors and safeguard business data and services. Skybox solutions
provide a context-aware view of the network and risks that drives effective vulnerability and threat management, firewall
management, and continuous compliance monitoring.

Contact your local Skybox Security representative at www.skyboxsecurity.com/contactus or download the free trial at
www.skyboxsecurity.com/trial.

About Skybox Security


Established in 2002 and headquartered in San Jose, California, Skybox Security is a privately held company with
worldwide sales and support teams that serve an international customer base of Global 2000 enterprises and large
government agencies. Skybox Security customers are some of the most security-conscious organizations in the
world, with mission-critical global networks and pressing regulatory compliance requirements. Today, six of the top
10 global banks and six of the 10 largest NATO members use Skybox Security for automated, integrated security
management solutions that lower risk exposure and optimize security management processes.

www.skyboxsecurity.com | +1 408 441 8060 | www.skyboxsecurity.com/contactus


Copyright 2014 Skybox Security, Inc. All rights reserved. Skybox is a trademark of Skybox Security, Inc. All other registered or unregistered
trademarks are the sole property of their respective owners. BP_NextGenFirewalls_EN_05282014
