In the old days, the line between network security and business continuity came down to two basic choices: block everything in the interest of security, or enable everything in the interest of the business, with little room for compromise. Today the options have grown considerably, but those new choices have also brought with them an array of more sophisticated threats that evade traditional, port-based security mechanisms.
To enable productivity, businesses need to strike the right balance: give users access to the applications and data they need while protecting the network from newer and more sophisticated threats.
To do this properly, your next-generation firewall needs to be designed for that balance from the ground up. To help you simplify your next firewall design, we've put together a list of the four most critical things your next-generation firewall should do for you.
1. Centralize your management systems
Your next-gen firewall should have a centralized system that allows you to deploy, view and control all firewall activity through a single dashboard. Centralized management also gives you the freedom to automate routine tasks, reuse policy elements and employ shortcuts and drill-downs to get maximum efficiency with minimal effort.
A good next-gen firewall should also be manageable individually, via a command-line interface or through a full-featured browser-based interface. Role-based administration, combined with pre- and post-rules, lets you balance centralized control with the need for local policy editing and device configuration flexibility: centrally defined pre-rules are evaluated before a device's local rules and post-rules after them, so a local administrator can adjust policy without overriding the organization-wide allow and deny rules.
2. Allow user and application control
Most companies are made up of employees at different levels with different tasks and application needs. A network firewall should offer user and application control so that you can write detailed policies based on characteristics such as user identity, user role and specific functions of a web application (for example, allowing a file-sharing service's browsing but not its upload feature).
Modern enterprise firewalls should also offer more advanced user and application controls, such as the ability to expand user groups from the directory and to match on domain names and TLS attributes (for example the server name presented in the handshake), as well as detailed user and application usage information in reports, logs and statistics.
Suggested Reading: "How to Plan for Mobility Without Sacrificing Your WLAN's Security"
3. Positive control model
This model lets you enable specific applications or functions and block everything else, either through an implicit default-deny or an explicit final deny rule. To make that work, the firewall must be able to inspect and classify all types of traffic across all ports, all the time.
Because threats can easily bypass a port-based firewall (for example by running an application on a port that is open for something else), the firewall itself must identify the application, threat or malware in every flow: all traffic is classified regardless of port, encryption (SSL/TLS or SSH), or the evasive techniques employed. Note that classifying the content inside SSL/TLS or SSH sessions requires the firewall to decrypt them, which in turn requires deploying its decryption certificate to clients; without that, it can only classify the session as SSL/TLS or SSH and apply policy at that level.
Once traffic is fully classified, you can reduce the network threat footprint by allowing specific applications and denying all others. This lets you write policies that revolve around applications, users and content rather than ports and protocols.
4. Complete context = more-informed policy control
To make the best policy decisions, you need clear visibility into the application, the context of the application activity, the associated content or threat, who the user is, and what type of device they are on. Your next-gen firewall should provide all of these data points, for wireless and wired traffic alike.
Each data point by itself paints only a partial picture of your network; taken together they provide a full view of any potential security risk and let you make more informed policy decisions.
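To make the positive control model and the "complete context" idea concrete, here is a small policy engine written for this article; it is an added example, not code from any firewall vendor. It classifies each flow by a payload signature rather than by destination port, then walks an ordered allowlist keyed on application, user group and device type, and falls through to an implicit deny. The signatures, the policy, the user and group names and the sample flows are all constructed for illustration; a real NGFW uses far richer application signatures and pulls user and device context from a directory and endpoint agents.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    user: str
    groups: frozenset          # directory groups the user belongs to (assumed)
    device: str                # device posture, e.g. "managed-laptop", "byod-phone"
    dst_port: int
    payload: bytes             # first bytes of client data


@dataclass(frozen=True)
class Rule:
    name: str
    app: str                   # the classified application, never a port
    action: str                # "allow" or "deny"
    groups: Optional[frozenset] = None   # None = any user group
    devices: Optional[frozenset] = None  # None = any device type


# Simplified application signatures (assumed for this example): classify by
# what the bytes are, not by the port they arrive on.
SIGNATURES = [
    ("ssh",  lambda p: p.startswith(b"SSH-2.0-")),
    ("tls",  lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
    ("http", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")),
]


def classify(flow: Flow) -> str:
    """Return the application name, or 'unknown' if no signature matches."""
    for app, matches in SIGNATURES:
        if matches(flow.payload):
            return app
    return "unknown"


def port_based(flow: Flow, open_ports=frozenset({80, 443})) -> str:
    """Legacy decision: trust the destination port alone."""
    return "allow" if flow.dst_port in open_ports else "deny"


def evaluate(flow: Flow, policy) -> Tuple[str, str, str]:
    """Positive-control decision: first matching rule wins, else implicit deny.

    Returns (action, rule name, classified application) so the decision can be
    logged with its full context.
    """
    app = classify(flow)
    for rule in policy:
        if rule.app != app:
            continue
        if rule.groups is not None and not (rule.groups & flow.groups):
            continue
        if rule.devices is not None and flow.device not in rule.devices:
            continue
        return rule.action, rule.name, app
    return "deny", "implicit-deny", app


# Example policy: only network operators on managed laptops may use SSH;
# everyone may browse over TLS; plain HTTP only from managed devices.
POLICY = [
    Rule("netops-ssh", "ssh", "allow",
         groups=frozenset({"netops"}), devices=frozenset({"managed-laptop"})),
    Rule("web-tls", "tls", "allow"),
    Rule("web-plain-managed", "http", "allow", devices=frozenset({"managed-laptop"})),
]

# Constructed sample flows (not captured traffic). Note the SSH session on 443.
SAMPLES = {
    "admin ssh on 22":    Flow("alice", frozenset({"netops"}), "managed-laptop", 22,   b"SSH-2.0-OpenSSH_9.6\r\n"),
    "sales ssh on 443":   Flow("bob",   frozenset({"sales"}),  "managed-laptop", 443,  b"SSH-2.0-OpenSSH_9.6\r\n"),
    "sales tls on 443":   Flow("bob",   frozenset({"sales"}),  "byod-phone",     443,  b"\x16\x03\x01\x02\x00\x01"),
    "sales http on 8080": Flow("bob",   frozenset({"sales"}),  "byod-phone",     8080, b"GET / HTTP/1.1\r\n"),
    "unknown on 443":     Flow("bob",   frozenset({"sales"}),  "byod-phone",     443,  b"\x00\x01binaryblob"),
}


def run_samples():
    """Compare the port-only decision with the application-aware one."""
    return {name: (port_based(f), evaluate(f, POLICY)) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (legacy, (action, rule, app)) in run_samples().items():
        print(f"{name:20s} port-only={legacy:5s} app={app:8s} ngfw={action:5s} via {rule}")
```

The "sales ssh on 443" flow is the point of the exercise: a port-based firewall allows it because 443 is open, while the application-aware policy classifies it as SSH, finds no rule permitting SSH for that user and device, and drops it under the implicit deny. The returned rule name and application are what you would want in the log so that later policy tuning is based on complete context rather than a bare port number.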
Suggested Reading: "11 Features to Look for in Your Next Generation Firewall"
The goal in deploying a next-gen firewall is to align network security with your key business initiatives, so that you can grow the business without having to choose between productivity and security.
You want your next-generation firewall (NGFW) to deliver business resiliency, a reasonable total cost of ownership, continuous uptime, and the scalability and flexibility to handle change. And of course, it must fit your budget and your network's specific needs.