Jan 22 2013

Do’s and Don’ts of Deploying Next-Gen Firewalls

Application-aware functionality isn’t suitable for every network.

Do's
1. Do use next-gen firewalls to protect organizational users. Because next-generation firewalls focus on who is using the network and what application they're using, network managers have much better control over which applications can and can't be run, and by whom. In this scenario, network managers gain better visibility and better control over the things that matter.

2. Do deploy next-gen firewalls to secure wireless guest networks. Most guests will be well behaved, but these new security appliances can help identify and block unwelcome behavior, such as security evasion or violations of appropriate-use policies. The products are "user-aware," which makes it easier to separate out guests from staff members with mobile devices, giving less access to the former and more to the latter.

3. Do replace aging secure web gateways with next-gen firewalls. The proxy server market existed because firewalls couldn't do a good job of controlling applications and users, but it was difficult for IT teams to integrate these servers into the network. Next-gen firewalls include the most important features of secure web gateways, which means most network managers can get by with fewer devices to purchase, configure and support.

Don'ts
1. Don't use next-gen firewalls to protect organizational servers. The world of servers is very address-centric and IP-centric, and all of the additional power of advanced features is wasted in this area. Worse, the performance impact and the potential for false positives make next-gen features costly in terms of both management and hardware.

2. Don't use next-gen firewalls for virtual private networks, unless the firewall in question was designed as an enterprise-ready VPN. The newer next-gen wares and small and medium-sized business firewalls with advanced features have primitive VPN capabilities and management tools. For any but the simplest of VPN tasks, network managers will find that separating next-gen application controls from remote access and site-to-site VPNs is the best and most manageable solution.

3. Don't use the application control features of next-gen firewalls where no false negatives or false positives can be tolerated. Because next-gen models use heuristics and algorithms to identify applications, they will never be 100 percent accurate. Some applications, especially crafty ones such as Skype and BitTorrent, will be able to get through, and some applications may also be inappropriately blocked. When protecting users, an occasional error in blocking an application is to be expected, especially because early tools did a poor job of identifying and blocking applications. But when protecting servers, any false positive can interrupt legitimate traffic, so next-generation application control features should not be enabled.
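To make the false-positive and false-negative argument concrete, the following is an added Python model (not from the article or from any vendor's product) of a toy heuristic application classifier with application control scoped to a user zone only; the signatures, zone names, port set and sample flows are all constructed for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Flow:
    src_zone: str   # "users" or "servers" (constructed zone names)
    dst_port: int
    payload: bytes  # first bytes of the stream, constructed for this example
    true_app: str   # ground truth, used only to score the classifier

# Ordered heuristics (app, dst_port or None, payload prefix or None); first match wins.
SIGNATURES = [
    ("bittorrent", None, b"\x13BitTorrent protocol"),
    ("web", 80, b"GET "),
    ("web", 443, b"\x16\x03"),   # TLS record header
    ("skype", 443, None),        # anything else on 443: deliberately weak guess
]
BLOCKED_APPS = {"bittorrent", "skype"}
SERVER_PORTS = {443}             # port-centric rule used for the server zone

def classify(flow: Flow) -> str:
    """Heuristic application identification; 'unknown' when nothing matches."""
    for app, port, prefix in SIGNATURES:
        if (port is None or port == flow.dst_port) and \
           (prefix is None or flow.payload.startswith(prefix)):
            return app
    return "unknown"

def decide(flow: Flow, app_control_zones: set) -> str:
    """App-aware verdict in the listed zones, plain port rule everywhere else."""
    if flow.src_zone in app_control_zones:
        return "deny" if classify(flow) in BLOCKED_APPS else "allow"
    return "allow" if flow.dst_port in SERVER_PORTS else "deny"

def score(flows) -> dict:
    """Count false negatives (blocked app missed) and false positives (legit app flagged)."""
    fn = fp = 0
    for f in flows:
        guess = classify(f)
        if f.true_app in BLOCKED_APPS and guess not in BLOCKED_APPS:
            fn += 1
        elif f.true_app not in BLOCKED_APPS and guess in BLOCKED_APPS:
            fp += 1
    return {"false_negatives": fn, "false_positives": fp}

# Constructed sample flows; the last one is a legitimate internal agent on 443.
FLOWS = [
    Flow("users", 80, b"GET / HTTP/1.1\r\n", "web"),
    Flow("users", 80, b"GET /announce?info_hash=", "bittorrent"),  # tracker over HTTP
    Flow("users", 6881, b"\x13BitTorrent protocol", "bittorrent"),
    Flow("users", 443, b"\x16\x03\x01\x02\x00", "web"),
    Flow("servers", 443, b"BKUP\x00\x01", "backup-agent"),
]
```

With application control limited to the user zone, the disguised tracker request slips through (an accepted error for users) while the server-zone backup agent stays reachable; extending application control to the server zone turns the classifier's false positive into a dropped legitimate connection.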