A business’s network edge or perimeter was once upon a time easily defined. Everything was neatly aligned with Head Office and Branch office egress points and that was defined as the network edge.
Traditionally a Firewall would be deployed at the edge egress points and you’re done, Network Edge or Perimeter protection was in place.
With the advent of Cloud Computing, an increasingly mobile workforce and choice of device and consumerisation of applications, the perimeter of a network now looks very different.
Nowadays the edge is very difficult to define for most businesses and edge protection has changed forever with the proliferation (and consumption) of cloud technologies. It’s no longer a traditional boundary. This however doesn’t mean that the traditional Firewall is dead.
The Traditional Perimeter
Securing the traditional perimeter or edge of the traditional network is still a core security requirement. The deployment of Next Generation Firewalls (NGFW) on these egress points is still considered an essential component of a defence in depth strategy. The Firewall has developed with the times and is now an aggregation point for Cloud and SD-WAN services, in addition to the threat prevention and detection components included.
There are a number of differentiating factors when evaluating NGFW including:
- Intrusion Prevention System (IPS) Effectiveness
- Policy Management (Features and Granularity)
- Application Visibility
- User Visibility
- Integration and Aggregation capability and features for Mobile workforces
Integration and Aggregation capability and features for SaaS, IaaS and other CLOUD Services;
- SSL Decryption options
- SD-WAN features and capabilities
- Security Orchestration and automation capabilities.
- Threat Intelligence ingestion
Multiple Vendors and the “platform” sales pitch
Having multiple firewall vendors in a business can add to the complexity of the overall infrastructure and erode any savings initially delivered by the hardware mix. In most respects Secure-ISS recommends that businesses focus on one or two vendors for ease of management, monitoring and orchestration.
Having said that, we would also caution businesses in relation to the current platform pitch. Many vendors now look to sell an entire security operations platform. From a marketing and operational sense this is a great goal, however, the reality at the present time is that not all components within the platform are best of breed and have been bolted onto the platform.
How many Next Generation Features do you use?
Sales pitches aside, how many features are applicable to your business’s workloads and use cases. When considering a Firewall vendor; be sure to document your use cases and overlay the requirements with the remainder of your security architecture and solution set. In our experience businesses are not using all of the Next Generation features and should ensure that they are not purchasing subscriptions or features that have little or no value to the business or that are not understood by the team deploying, managing and monitoring the solution.
Firewall as a Service
A trending approach to firewalls for branches, small offices and remote/ mobile workers is a “Firewall as a Service” approach. This service provides a similar consumption-based model (with little or no physical hardware) with the goal to provide simple and more flexible architecture, leveraging centralised policy management, multiple enterprise firewall features and traffic tunnelling to partially or fully move security inspections to a cloud infrastructure.
When evaluating these services, organisations should note where the services are delivered from as some vendors still don’t deliver services out of Australia or the greater Asia Pacific region.
Firewall Management Services
Including Firewall management within a “Managed Security Services Framework” provides a number of advantages to businesses of all sizes. These include access to skilled resources (addressing the current Cyber skills shortage); ensuring your infrastructure is protected; the solutions in place are working effectively across the business; all incidents are responded to, monitored and maintained on a timely basis.
Secure-ISS provides a range of managed services for your edge and perimeter protection requirements. To discuss your Edge protection requirements or overall security strategy, reach out to one of our team today.