Marie Hattar wrote an interesting post about Firewall Migrations: Five Ways to Maximize Security Resilience & Availability that I would like to share.
“If you are planning an upgrade or migration to next-generation firewalls (NGFWs), it is not just an opportunity to gain richer functionality and a wider range of protections. It is also an excellent time to review your entire security architecture, to ensure it maximizes the value and efficiency of all your security devices, while minimizing the risk of network downtime. This latter point is particularly compelling, as analyst firm Gartner states that the average cost of downtime across a range of industry sectors is well over $300,000 per hour – supporting Benjamin Franklin’s proverb that ‘an ounce of prevention is worth a pound of cure.’
But what does the right architecture look like, and how should you go about building it into your network? By following the five best practice techniques outlined here, you can ensure that your security architecture maximizes your company’s overall security posture and its efficiency.
1: Reduce risks of downtime
Reducing the risk of downtime begins with examining your overall architecture and identifying the potential points for failure or performance issues. The crucial structural feature to avoid is serial inline deployment, in which traffic is passed from one security appliance to the other. Here, a failure in any single device can stop traffic flow and cause a network outage – which in turn leads to substantial drops in productivity, revenue and even business reputation.
The simple alternative is to use modular bypass switches in front of firewalls and other security appliances. These switches must continually monitor all inline devices, ensuring that they are ready to receive traffic. If a device goes down, the bypass switch should steer traffic around it until it is back online.
One potential problem with this approach, however, is that it creates a trade-off between security and network uptime – bypassed traffic may not be inspected with normal levels of rigor while a device is down. This in turn leads to the second best practice.
2: An efficient load balancing act
Pairing the bypass switch with a network packet broker (NPB) introduces the added ability to see and inspect inside network packets, and route them only to the appliances that are appropriate for that type of traffic. This might mean, for example, routing non-HTTP/HTTPS traffic around a web application firewall, as there is no benefit from it passing through.
This intelligence-based traffic balancing reduces the unnecessary processing burden on individual appliances – this makes them less likely to become overwhelmed and fail. Once again, network efficiency and security strength are maximized – with the added peace of mind from knowing that all traffic is being inspected by the most relevant tools.
3: Clever configuration for high availability
With modular bypass switches and NPBs in place, the next step is to configure them for optimum availability. Many NPBs, for example, are capable of being deployed in what is called Active-Active mode. This provides automatic and instantaneous recovery of any device in the security architecture while also using available security devices. Clever configuration is about delivering high availability during normal operations, while fully protecting traffic if and when a device does go down. Done right, users would detect no downtime, and security monitoring is unaffected.
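To make the difference between the three deployment patterns concrete (serial inline, bypass switch plus NPB steering, and an Active-Active pool), here is a small model I added; it is not code from Marie Hattar's post or from any vendor product, and the appliance names, the `RELEVANT` steering policy and the flow-hash placement are all assumptions of mine.

```python
from dataclasses import dataclass

@dataclass
class Appliance:
    name: str
    kind: str            # assumed kinds: "ngfw" or "waf"
    healthy: bool = True # what the bypass switch's heartbeat sees

# Assumed NPB steering policy: which protocols each appliance kind should inspect.
# A WAF gains nothing from non-HTTP/HTTPS traffic, so the NPB routes around it.
RELEVANT = {"ngfw": {"http", "https", "dns", "smtp"}, "waf": {"http", "https"}}

def serial_inline(proto, chain):
    """Serial inline deployment: every packet crosses every device in order,
    so a single failed device is an outage for all traffic."""
    if any(not a.healthy for a in chain):
        return {"delivered": False, "inspected_by": [], "bypassed": []}
    return {"delivered": True, "inspected_by": [a.name for a in chain], "bypassed": []}

def bypass_plus_npb(proto, chain, flow_id=0):
    """Bypass switch + NPB in front of the same devices.
    - NPB steering: skip any pool whose kind is irrelevant to this protocol.
    - Active-Active: devices of one kind form a pool; a flow goes to one healthy
      member (hashed on flow_id), so one failure shifts load, not inspection.
    - Bypass: only when a whole pool is down is traffic forwarded around that
      function uninspected (the security/uptime trade-off noted above)."""
    inspected, bypassed, pools = [], [], {}
    for a in chain:
        pools.setdefault(a.kind, []).append(a)
    for kind, members in pools.items():
        if proto not in RELEVANT[kind]:
            continue                       # steered around: nothing to gain here
        up = [a for a in members if a.healthy]
        if up:
            inspected.append(up[flow_id % len(up)].name)
        else:
            bypassed.append(kind)          # traffic still flows, but uninspected
    return {"delivered": True, "inspected_by": inspected, "bypassed": bypassed}

if __name__ == "__main__":
    # Constructed scenario: two NGFWs in an Active-Active pool, one WAF that is down.
    chain = [Appliance("fw-a", "ngfw"), Appliance("fw-b", "ngfw"),
             Appliance("waf-1", "waf", healthy=False)]
    print(serial_inline("http", chain))          # outage: delivered False
    print(bypass_plus_npb("dns", chain, 0))      # fw-a inspects; WAF skipped by policy
    print(bypass_plus_npb("http", chain, 1))     # fw-b inspects; WAF pool bypassed
```

The `bypassed` list is the signal a defender should alert on: it names the inspection function that is currently being skipped for live traffic.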
4: Better visibility with NPBs
It is important not to assume that increasing the number of security devices in your architecture automatically minimizes risk. The larger and more complex your network gets, the greater the probability of network blind spots. Visibility is as crucial a principle. An advantage of NPBs is that they provide a comprehensive view of your network environment. They capture and aggregate traffic, eliminate data duplication, and strip away unnecessary detail. They can even pre-filter known bad traffic, based on either the originating address or geographic location, allowing you to make intelligent decisions about what traffic to block from reaching your network in the first place.
Out-of-band monitoring tools are best-suited for analyzing network performance, identifying trends and responding to compliance requests. That is, they support the comprehensive and intelligent network visibility that is vital in today’s enterprises. The best tools can be managed remotely and produce customized reports for compliance purposes, supporting the state of continuous compliance that is increasingly demanded.
5: Future-proofing your architecture
In a world in which dynamic agility is king and social media can spread frustration related to a company’s downtime faster than ever before, customer experience and application availability are vitally important. Future-proofing your security architecture with high-speed bypass switches and powerful NPBs eliminates network downtime caused by unplanned device failure, deployments, maintenance or upgrades. You can also maximize uptime for your security infrastructure, reduce the load on security appliances, and therefore extend their useful lifespans, while generating efficient traffic analysis. In addition, you can support growth in network traffic with minimal new investment. Collectively, these benefits help to protect your business against the need for expensive and disruptive future network adjustments.
Bypass switches and network packet brokers create a network security architecture that simultaneously delivers robust protection and operational efficiency – an architecture that works harder for your company, and is able to heal itself in the event of an outage. In terms of security, prevention truly is better – and cheaper – than a cure.”