This post is part of a blog series where we examine the 10 things to test in your future next-generation firewall. These 10 points will help ensure your next firewall matches the needs of your organization in its current and future states.
Manage Your NGFW Using Simple and Effective Tools
To be responsive to business needs, security teams need flexibility that allows firewall changes both from a centralized tool and on-site in real time. If a firewall manager allows local administrators to make changes only to a limited set of features, the local team must rely heavily on global teams, potentially located in another region, to make changes. This results in delays, security gaps, limited visibility and a lack of granular administrator access.
Why Should You Advocate and Test This Capability?
To minimize the delay in making changes locally and keep your security aligned with your organization's guidelines, your firewall should support complete management of all firewall features and offer role-based access control for multiple administrators. The tools available to your local firewall managers should expose the same full feature set as the centralized tool, allowing local teams to accomplish their respective tasks on time. Your central management tool should augment local data with overarching visibility into the actions of local administrators and, if required, alert on and allow remote override of changes to keep the firewall in line with organizational guidelines.
Move Beyond the Status Quo
Ensure Granular Control While Deploying Configuration Changes
In a multi-firewall environment, it is not unusual for multiple administrators to make configuration changes at the same time. It is very likely that one will want to commit recent changes before another is completely done making his or her own. If your firewall manager doesn't allow for selective change commits, then those incomplete changes will also be deployed. This can have serious security implications, such as users being able to access blocked sites or being blocked from business-critical applications. When selective configuration deployment and rollback isn't possible, administrators have to manually undo half-baked changes, then redo and redeploy them, adding to operational overhead and delaying improvement of the security posture.
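As an added illustration (not code from this post or from any vendor's management product), the following Python models the selective-commit and per-administrator rollback behaviour described above: changes are staged under the administrator who made them, a commit can be limited to named administrators so other people's unfinished work stays staged, and a rollback undoes one administrator's committed changes without clobbering a path someone else has modified since. All administrator names, configuration paths and rule contents are constructed.

```python
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class Change:
    admin: str
    path: str       # constructed config key, e.g. "rules/allow-crm"
    value: object   # None means "delete this path"


class ConfigStore:
    """Constructed model of a firewall manager that records who staged each change."""

    def __init__(self, running=None):
        self.running = dict(running or {})  # configuration currently deployed to firewalls
        self.candidate = []                 # staged, not yet committed changes
        self.committed = []                 # (change, value_before) pairs, for per-admin rollback

    def stage(self, admin, path, value):
        self.candidate.append(Change(admin, path, value))

    def commit(self, admins=None):
        """Deploy only the changes staged by `admins` (every pending change if None).

        Returns the number of changes deployed; other administrators' work stays staged."""
        selected = [c for c in self.candidate if admins is None or c.admin in admins]
        chosen = {id(c) for c in selected}
        for c in selected:
            before = deepcopy(self.running.get(c.path))
            if c.value is None:
                self.running.pop(c.path, None)
            else:
                self.running[c.path] = deepcopy(c.value)
            self.committed.append((c, before))
        self.candidate = [c for c in self.candidate if id(c) not in chosen]
        return len(selected)

    def rollback(self, admin):
        """Undo `admin`'s committed changes, newest first, restoring the prior values.

        A path that another administrator changed afterwards is left alone and reported
        as a conflict, so one person's rollback cannot silently revert someone else's work."""
        undone, conflicts = 0, []
        for c, before in reversed(self.committed):
            if c.admin != admin:
                continue
            if self.running.get(c.path) != c.value:
                conflicts.append(c.path)
                continue
            if before is None:
                self.running.pop(c.path, None)
            else:
                self.running[c.path] = before
            undone += 1
        self.committed = [(c, b) for c, b in self.committed if c.admin != admin]
        return undone, conflicts


def scenario():
    """Two admins work concurrently; only the finished change is deployed first."""
    store = ConfigStore({"rules/deny-all": {"action": "deny", "position": "last"}})
    store.stage("alice", "rules/allow-crm", {"action": "allow", "app": "crm", "position": 10})
    store.stage("bob", "rules/allow-temp", {"action": "allow", "app": "any"})  # half-baked
    store.commit(admins={"alice"})              # selective commit: bob's change stays staged
    after_selective = deepcopy(store.running)
    store.commit()                              # bob finishes later; everything pending goes out
    store.rollback("bob")                       # bob's rule caused trouble; revert only his work
    return after_selective, deepcopy(store.running), list(store.candidate)


if __name__ == "__main__":
    selective, final, pending = scenario()
    print("after selective commit:", sorted(selective))
    print("after bob's rollback:", sorted(final))
    print("still pending:", pending)
```

The conflict check in `rollback` is the part worth copying: a rollback that restores "the value before my change" is only safe if nobody has touched that path since, otherwise it reintroduces a stale configuration on top of someone else's fix.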
Manage Logs Effectively at Scale
The central manager acts as a single pane of glass for the organization’s security and network, providing a holistic view and context for analyzing security events. In many cases, central firewall managers collect and consolidate firewall logs in multi-firewall deployments. An incoming log rate (generally expressed in logs per second, or LPS) that exceeds the manager’s capacity will impact its performance.
Performance impact on the central manager is generally seen through an unresponsive user interface or timed-out database queries. In today’s high-throughput digital world, it is not uncommon for a single high-end firewall to exceed the LPS capacity of the central manager acting as a log manager. The likelihood of running into capacity issues in a multi-firewall deployment is very high.
High-throughput log processing needs are generally addressed through a separate log management appliance. A firewall manager working in conjunction with a log manager is the most appropriate solution for most enterprises. With this setup, the central manager is relieved of log management responsibility and can focus solely on firewall management. When so provisioned, the central manager queries the data held on the log managers to provide centralized visibility and pulls raw logs to itself only when required, reducing the performance impact.
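The capacity question in the two paragraphs above is easy to get wrong by summing averages, so here is an added Python planning helper (not from this post or any vendor tool) that takes each firewall's peak log rate, plans against a fraction of a collector's rated LPS to leave headroom, and packs firewalls onto the fewest dedicated log managers with a first-fit-decreasing pass. The per-collector capacity of 50,000 LPS comes from the RFP questions at the end of the post; the 80% headroom factor and all firewall names and rates are constructed assumptions.

```python
COLLECTOR_CAPACITY_LPS = 50_000   # rated log-manager ingest rate, figure taken from the RFP questions
HEADROOM = 0.8                    # assumption: plan to 80% of rated capacity to absorb bursts

# Constructed sample: peak logs-per-second observed per firewall.
SAMPLE_FIREWALLS = {
    "dc-edge-1": 38_000,
    "dc-edge-2": 22_000,
    "core-1": 45_000,
    "branch-a": 4_000,
    "branch-b": 6_000,
    "branch-c": 9_000,
}


def plan_collectors(firewalls, capacity=COLLECTOR_CAPACITY_LPS, headroom=HEADROOM):
    """Assign firewalls to log collectors without exceeding the usable rate on any of them.

    Returns the collector layout, the aggregate peak rate, and any firewall whose peak
    alone exceeds one collector's usable rate (it needs a larger collector or log splitting)."""
    usable = capacity * headroom
    unplaceable = [name for name, lps in firewalls.items() if lps > usable]
    collectors = []  # each entry: {"members": [...], "load": int}
    # First-fit-decreasing: place the heaviest sources first so small ones fill the gaps.
    for name, lps in sorted(firewalls.items(), key=lambda kv: kv[1], reverse=True):
        if lps > usable:
            continue
        for col in collectors:
            if col["load"] + lps <= usable:
                col["members"].append(name)
                col["load"] += lps
                break
        else:
            collectors.append({"members": [name], "load": lps})
    return {
        "usable_lps_per_collector": usable,
        "collectors": collectors,
        "collectors_needed": len(collectors),
        "unplaceable": unplaceable,
        "total_peak_lps": sum(firewalls.values()),
    }


def central_manager_overloaded(firewalls, manager_capacity_lps):
    """True when the aggregate peak rate alone would saturate a manager that also ingests logs."""
    return sum(firewalls.values()) > manager_capacity_lps


if __name__ == "__main__":
    plan = plan_collectors(SAMPLE_FIREWALLS)
    print(f"aggregate peak: {plan['total_peak_lps']} LPS")
    for i, col in enumerate(plan["collectors"], 1):
        print(f"collector {i}: {col['load']} LPS <- {col['members']}")
    print("cannot be placed on one collector:", plan["unplaceable"])
```

Planning against peak rather than average LPS matters because the symptoms the post names (an unresponsive UI, timed-out queries) appear during bursts, and a single high-end firewall that exceeds one collector's usable rate shows up in `unplaceable` instead of being silently squeezed onto an already busy collector.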
Keep Your Security Posture Up to Date
Each of the many features of a next-generation firewall is purpose-built to address a specific network security need and empower an organization’s growth. In a multi-firewall environment, manual firewall configuration changes are inefficient and often result in security gaps and inconsistent prevention. Automation will provide faster, more accurate responses to ever-changing cybersecurity threats.
The preferred way to act on this is to leverage NGFW APIs to automate changes, reducing network security teams' operational overhead as well as human error. For this to be possible, your NGFW should expose a full set of flexible APIs that allow automated changes to every firewall feature.
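To show what "automate changes through the API" looks like in practice, here is an added Python example (not from this post, and not a real vendor client) of the desired-state pattern teams commonly build on top of a firewall API: compute the difference between the rules the firewall reports and the rules kept under version control, push only that difference, and refuse a run that would wipe most of the ruleset, which is the failure mode a typo in the desired-state file produces. `MockFirewallApi` is a constructed in-memory stand-in for whatever REST client your vendor ships; the rule names and contents are constructed too.

```python
class MockFirewallApi:
    """Constructed in-memory stand-in for a vendor's rule API (assumption, not a real client)."""

    def __init__(self, rules):
        self._rules = {name: dict(rule) for name, rule in rules.items()}

    def list_rules(self):
        return {name: dict(rule) for name, rule in self._rules.items()}

    def put_rule(self, name, rule):   # create or replace by name
        self._rules[name] = dict(rule)

    def delete_rule(self, name):
        del self._rules[name]


def diff_rules(current, desired):
    """Split desired-vs-current into the minimal create, update and delete sets."""
    add = {n: r for n, r in desired.items() if n not in current}
    update = {n: r for n, r in desired.items() if n in current and current[n] != r}
    delete = [n for n in current if n not in desired]
    return add, update, delete


def reconcile(api, desired, dry_run=False, max_delete_fraction=0.5):
    """Push only the difference; abort if the run would remove most of the ruleset.

    A second run against the same desired state is a no-op, which is what makes the
    script safe to schedule or trigger from a pipeline."""
    current = api.list_rules()
    add, update, delete = diff_rules(current, desired)
    if current and len(delete) / len(current) > max_delete_fraction:
        raise RuntimeError(
            f"refusing to delete {len(delete)} of {len(current)} rules; check the desired-state file"
        )
    if not dry_run:
        for name, rule in {**add, **update}.items():
            api.put_rule(name, rule)
        for name in delete:
            api.delete_rule(name)
    return {"add": sorted(add), "update": sorted(update), "delete": sorted(delete)}


# Constructed sample: what the firewall currently has vs. what version control says it should have.
CURRENT_RULES = {
    "allow-dns": {"action": "allow", "app": "dns", "src": "trust"},
    "allow-web": {"action": "allow", "app": "web-browsing", "src": "trust"},
    "allow-ftp": {"action": "allow", "app": "ftp", "src": "trust"},
    "deny-all": {"action": "deny", "app": "any", "src": "any"},
}
DESIRED_RULES = {
    "allow-dns": {"action": "allow", "app": "dns", "src": "trust"},
    "allow-web": {"action": "allow", "app": "web-browsing", "src": "trust", "log": True},
    "allow-crm": {"action": "allow", "app": "crm", "src": "trust"},
    "deny-all": {"action": "deny", "app": "any", "src": "any"},
}


def demo():
    api = MockFirewallApi(CURRENT_RULES)
    first = reconcile(api, DESIRED_RULES)     # one add, one update, one delete
    second = reconcile(api, DESIRED_RULES)    # idempotent: nothing left to change
    return first, second, api.list_rules()


if __name__ == "__main__":
    first, second, final = demo()
    print("first run:", first)
    print("second run:", second)
    print("rules now on the firewall:", sorted(final))
```

Run it with `dry_run=True` from a pull-request check to show reviewers exactly what would change, and keep `max_delete_fraction` conservative; the API will happily delete everything you ask it to, so the guard rail has to live in the automation.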
Recommended RFP Questions
- Can local administrators work directly on the appliance, and make configuration changes as needed, without having to log in to a central manager?
- Can central administrators monitor and view the changes made by local administrators?
- Can you choose which firewall administrator’s configuration changes should be deployed on the firewalls?
- When deployments go wrong, can you quickly roll back changes from specific users and restore working configuration?
- Can the central firewall manager separate log management from core configuration management yet still act as a single pane of glass for unified visibility?
- Can your log managers ingest logs at high throughput (e.g., 50,000 LPS)?
- Does your firewall have APIs for every feature so that you can automate configuration changes?