Putting the NEXT in Next Generation Firewall: Tales From the Field

March 1st, 2018 by Chris Yates

You’ve purchased a next generation firewall. You understand the WHY, but HOW do you make the most of your investment? What’s NEXT?

When it comes to Next-Generation firewall technology, determining the best implementation methodology can be a bit daunting. You may ask yourself:

  • What features should I enable first?
  • How do I enable these new capabilities without impacting users or critical business functions?

It’s a risky proposal to try to enable all the advanced functionality and capabilities in a Next-Generation firewall at the initial deployment. So risky, in fact, that organizations that attempt to do so fail in some way 100% of the time. (Okay – I kind of made that statistic up, but with the order of magnitude of capability increase, it should be apparent that this is a risky thing to do.) It’s much like the good old days before we put firewalls in place and only had routers. How do we put a firewall in place to CONTROL traffic without complete knowledge of all the required traffic flows, so that we don’t break something in the process?

What many organizations chose to do was to put the firewall in place with an “allow all” rule and turn on logging, so that they gained VISIBILITY into the traffic traversing the firewall. After some time, the firewall logs were scrutinized, appropriate rules were developed to allow the required traffic, the “allow all” rule was removed, and the default deny rule was put in effect. Similarly, when organizations decided to implement Intrusion Detection, the normal methodology was to first deploy the sensors in IDS mode, develop appropriate rules and configurations based on the observed logs, then place the sensor in IPS mode, effectively implementing the prevention technology.

It turns out that this is the exact approach to use when deploying Next-Generation firewall technology.

  • If the existing legacy firewall is being replaced, migrate the existing security policy to the Next-Generation firewall; otherwise, deploy the NGFW inline behind the legacy firewall.
  • Apply ALL of the security features that enable visibility (user identification, application identification, URL filtering, IPS, antivirus, antispyware, file inspection), logging what they see rather than blocking at this stage.
  • Once the NGFW is in place for some time, analyze log output to determine the appropriate enforcement actions to take.
  • Enable enforcement rules and blocking actions on the NGFW.
  • Fully enable application and user based policies and security rules.
  • Remove and decommission legacy firewall.
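As an added example (not code from the article or from Critical Start), here is how the “analyze log output to determine enforcement actions” step can be automated against a constructed sample of logs from the visibility phase: repeatedly seen flows become candidate allow rules, rare or policy-violating flows go to an analyst, and threat signatures that fired in alert mode are ranked for switching to block. The log field order, the severity scale and the blocked URL category are assumptions for the example.

```python
from collections import Counter

# Constructed sample of NGFW logs captured while the device ran in
# visibility-only mode. Field order is an assumption; real exports vary:
# type,src_zone,dst_zone,app,user,url_category,threat,severity,action
SAMPLE_LOG = """\
traffic,trust,untrust,web-browsing,alice,business,,,allow
traffic,trust,untrust,web-browsing,bob,business,,,allow
traffic,trust,untrust,ssl,alice,business,,,allow
traffic,trust,untrust,ssl,carol,business,,,allow
traffic,trust,untrust,bittorrent,eve,peer-to-peer,,,allow
traffic,trust,dmz,ms-sql,svc-erp,,,,allow
traffic,trust,dmz,ms-sql,svc-erp,,,,allow
threat,trust,untrust,web-browsing,alice,business,Sample Exploit Sig,high,alert
threat,trust,untrust,web-browsing,bob,business,Sample Exploit Sig,high,alert
threat,trust,dmz,ms-sql,svc-erp,,Sample Scan Sig,low,alert
"""
FIELDS = ["type", "src_zone", "dst_zone", "app", "user",
          "url_category", "threat", "severity", "action"]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
BLOCKED_CATEGORIES = {"peer-to-peer"}  # assumed business decision


def parse_log(text):
    """Turn the CSV-style export into one dict per log entry."""
    return [dict(zip(FIELDS, line.split(","))) for line in text.splitlines() if line]


def propose_allow_rules(records, min_sessions=2):
    """Flows seen at least min_sessions times become candidate allow rules,
    keyed (src_zone, dst_zone, app). Rare flows and flows in a blocked URL
    category are returned separately so an analyst reviews them instead."""
    counts = Counter((r["src_zone"], r["dst_zone"], r["app"])
                     for r in records if r["type"] == "traffic")
    flagged = {(r["src_zone"], r["dst_zone"], r["app"])
               for r in records if r["url_category"] in BLOCKED_CATEGORIES}
    allow = sorted(k for k, n in counts.items()
                   if n >= min_sessions and k not in flagged)
    review = sorted(k for k in counts if k not in allow)
    return allow, review


def signatures_to_block(records, min_severity="medium"):
    """Threat signatures that fired in alert mode at or above min_severity
    are the first candidates to switch from alert to block."""
    floor = SEVERITY_RANK[min_severity]
    return sorted({r["threat"] for r in records
                   if r["type"] == "threat" and r["action"] == "alert"
                   and SEVERITY_RANK.get(r["severity"], 0) >= floor})
```

The thresholds are deliberately conservative: anything below `min_sessions` lands in the review list rather than being silently dropped, which is the point of the visibility phase.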

This process can take weeks or months to complete, so you shouldn’t consider this a “set it and forget it” deployment, and care should be taken not to enable too many new features at one time. With careful planning and a clear way forward, it’s really possible to deploy NGFW technology with little to no impact on end users and critical business processes, while drastically improving the security posture of your network by providing increased visibility and enforcement capability.


About the Author: Chris Yates is a Senior Security Architect for Critical Start. Chris has more than 25 years of IT experience, including a decade focused on Information Security. As a Department of Defense employee, he spent 14 years in the public sector. In the private sector, his experience spans the transportation, electric utility, and healthcare industries. A recognized speaker at regional and national security conferences, Yates has delivered insights on security architecture, the security impacts of converged infrastructure, and next generation security tools. He also teaches networking and network security at Southern Nazarene as an adjunct professor. You can reach him at [email protected]



Critical Start is the fastest-growing cybersecurity integrator in North America. Our mission is simple: protect our customers’ brands and reduce their business risk. We do this for organizations of all sizes through our award-winning portfolio of end-to-end security services – from security-readiness assessments using our proven framework (the Defendable Network) to the delivery of managed detection and response, incident response, professional services, and product fulfillment. Critical Start has been named to the CRN 2018 Tech Elite 250 and top 100 Security MSPs lists.