Background
In the previous article I defined what you need to plan before starting to use an NGFW box. The set of requirements must be clearly defined, documented and approved by the internal team. This process should be mandatory, because the documented requirements become the internal justification and the basis for evaluation later. For example, if an audit focuses on this area, the enterprise can defend its position when the auditor questions its decision. So start documenting your activities!
Back to business: does the enterprise need to enable all features in a single firewall box, or divide them into dedicated security devices?
Main Course
Once you have created the set of requirements, the next step is to invite vendors to demonstrate their solutions. This is called a Proof of Concept (PoC). Distribute your requirements to them so you can check whether their products fit your requirements or not. If they confirm that they do, verify it yourself: ask them to set up a demo environment, or provide one for them.
Keep in mind that the more features you enable, the more resources are consumed, and this affects firewall performance. The feature most likely to consume NGFW resources is IPS (Intrusion Prevention System); it drops NGFW throughput dramatically. When the enterprise needs high throughput and treats it as a mandatory requirement, IPS should not be enabled. But when throughput is not a concern, you can enable it. Packet inspection performed by the firewall consumes NGFW resources because it inspects, one by one, every packet allowed by the firewall rules.
Another consideration is how far the IPS functionality can be customised. A single-box NGFW (Firewall + IPS) has limitations compared to a separate firewall and IPS. Basic functions such as inspecting, allowing and blocking packets are available in a single-box NGFW. But if you want more customisation, such as automatic packet quarantine, correlation of multiple attacks, self-learning and so on, you need a dedicated IPS. Splitting them also gives the enterprise more visibility into its security posture.
Scalability to support future security needs must also be considered. An NGFW has many security features beside Firewall and IPS, such as Data Loss Prevention (DLP), Sandboxing, Antivirus, Web Filtering and so on. When Firewall + IPS are enabled in a single box, throughput drops dramatically. Suddenly there is a security need to enable Web Filtering, DLP and Sandboxing. Can the existing NGFW throughput handle it? Do the hardware resources have enough free capacity to process the packets? This could be forced onto the existing devices, but will the enterprise accept the risk that its business might be affected by this decision? Does it have a contingency plan if something goes wrong? Has it already calculated the business loss? If it has prepared enough, then go ahead.
The advantage of utilising security features in a single box is simplicity. The internal team only needs to manage a single device instead of many boxes, and it also saves physical rack space. Nowadays, functions need to be divided between a management box and an operational box. Imagine that the management device needs 1 RU of space and one operational box needs 2 RU. To mount them in the rack you need a minimum of 3 RU, and that does not yet count the space for another operational box used for the High Availability option.
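As an added example (not code from the original article), a small Python check that scores a vendor's PoC throughput measurements against the documented requirement set, once for the day-one feature set and once for the features the enterprise may enable later; a feature combination the vendor never demonstrated is reported as unverified rather than assumed to fit. The vendor names, the headroom policy and every number are constructed placeholders.

```python
# Added example, not code from the original article: score a vendor's PoC
# throughput figures against the documented requirement set, for the day-one
# feature set and for features the enterprise may enable later.
# Vendor names and every number are constructed placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class Requirements:
    required_gbps: float        # mandatory throughput from the requirement document
    features_now: frozenset     # inspection features enabled on day one
    features_future: frozenset  # features the enterprise may need later
    headroom: float = 0.30      # spare capacity kept for growth (assumed policy)

@dataclass(frozen=True)
class PocMeasurements:
    vendor: str
    measured_gbps: dict  # PoC throughput (Gbps) keyed by frozenset of enabled features

def evaluate(req: Requirements, poc: PocMeasurements) -> dict:
    """Map each phase ('now', 'future') to (status, measured_gbps).

    'fits' covers the requirement plus headroom; 'fails' does not;
    'not_measured' means the vendor never demonstrated that feature
    combination, so its fit is still an unverified claim."""
    target = req.required_gbps * (1 + req.headroom)
    phases = {"now": req.features_now,
              "future": req.features_now | req.features_future}
    verdict = {}
    for phase, feats in phases.items():
        measured = poc.measured_gbps.get(feats)
        if measured is None:
            verdict[phase] = ("not_measured", None)
        else:
            verdict[phase] = ("fits" if measured >= target else "fails", measured)
    return verdict

# Constructed requirement set and PoC results for two fictional vendors.
REQ = Requirements(3.0, frozenset({"firewall", "ips"}),
                   frozenset({"web_filtering", "dlp", "sandboxing"}))
FULL = REQ.features_now | REQ.features_future
VENDOR_A = PocMeasurements("VendorA", {frozenset({"firewall"}): 10.0,
                                       REQ.features_now: 4.0,  # IPS more than halves it
                                       FULL: 2.0})             # below the 3.9 Gbps target
VENDOR_B = PocMeasurements("VendorB", {frozenset({"firewall"}): 12.0,
                                       REQ.features_now: 5.0})  # full stack never demoed
```

Running `evaluate(REQ, VENDOR_B)` flags the future phase as not measured, which is exactly the combination to ask the vendor to demonstrate before signing off.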
Conclusion
To close this article, here are the parameters I define to help you consider them before deciding whether to utilise the full security features of an NGFW in a single box or in divided boxes. They are:
- Physical space.
- Easiness to maintain.
- Performance optimization.
- More security visibility and analysis.
- Fail-open features.
- Layer 2 implementation.
- Layer 3 implementation.
- Log retention period.
- Scalability architecture.
- Security in depth.
- TCO (Total Cost of Ownership) calculation.
Thank you for reading,
- EJ