1 1 Introduction Key Next Generation Firewall Requirements Research from Gartner: Framework for Migrating to a Next-Generation Firewall About Fortinet Planning a Successful NGFW Migration A Guide to Feature Evaluation and Practical Implementation Introduction Organizations face an ever-increasing risk of data breaches in an environment rapidly demanding more connectivity and bandwidth. While improving security is necessary, simultaneously adding greater latency and complexity to the infrastructure is counterproductive. Using a highly effective, high-speed Next Generation Firewall (NGFW) is quickly becoming the standard approach for enterprise security. Key Next Generation Firewall Requirements Performance is a critical requirement for an optimal NGFW it must deliver excellent security and control at throughput speeds that will keep up with the operational demands of the business. Highly Effective Security: It should include highly effective security backed by extensive threat intelligence to reduce your risk of data breach. A fully featured NGFW includes security features such as integrated IPS, Web filtering, IP reputation, antivirus and advanced threat protection to break the kill chain of attacks. Visibility & Control: It should use deep inspection into network traffic to identify applications, users, devices, and threats enabling it to deliver better protection through granular policy controls. It should be based on a single operating system and consolidated user interface for all security and networking capabilities. It should also come with single-pane-of-glass, centralized management and reporting to inform strategic security decisions. Performance & Reliability: It should deliver highly reliable core firewall capabilities and the full range of next-generation options at high-throughput speeds to support business continuity and bandwidth requirements. Next generation capabilities are only useful if the platform s performance can keep up and the platform itself is reliable.
2 2 The Fortinet NGFW Solution Fortinet s FortiGate NGFW solution delivers better security, more control and 5x faster performance compared to other NGFW options easily meeting all the requirements of an organization for more protection, reduced complexity, and high-speed throughput. Better Security Fortinet security consistently blocks more threats than other security solutions in industry tests (NSS Labs, Virus Bulletin, and AV Comparatives). Fortinet threat intelligence and security services are provided by FortiGuard Labs Fortinet s dedicated global threat research team. Over 200 FortiGuard Labs researchers keep close watch on the threat landscape (24x365) to deliver updates to our entire security ecosystem with some of the fastest response times in the industry. More Control The Fortinet NGFW delivers a highly intuitive view of applications, users, devices, threats, and cloud service usage. It leverages deep inspection to offer a better sense of what is happening on the network. This strategic view supports the creation and management of granular policies to optimize security and allocation of network resources. Application Control identifies thousands of different applications to set up effective application-aware policy enforcement. Fortinet s NGFW also uniquely identifies the type and OS of devices being used on the network without requiring agents or additional products to set stronger security policies for riskier types of devices. Industry s Fastest Platform Fortinet delivers the fastest performing NGFW solution in the market. A FortiGate typically delivers 5x the NGFW performance when compared to similar solutions from other providers. Purpose built FortiASIC processors and the Optimum Path Processing architecture drive performance at the heart of the FortiGate platform to deliver industry-leading, high-speed processing. This level of performance is necessary to deliver on the promise of a NGFW. Deep next-generation inspection and the consolidation of multiple security functions onto a single appliance require a high-performance platform to keep up with the speed of business. Single-Pane-of-Glass Management Single-pane-of-glass visibility and highly scalable management options make it is easy to administer and adjust security postures as needed. Users can control device configurations, security policies, firmware installations, and content security updates. For large environments (especially those with compliance requirements), users can stay constantly up-to-date on what s happening in the network through logging, reporting, in-depth visibility, and event management features. Source Fortinet
3 3 Research from Gartner Framework for Migrating to a Next-Generation Firewall Changes in the threat environment, the need to renovate core networks, and existing systems coming to end of life mean that most organizations are due to refresh their perimeter firewalls. Our framework will help you to make the transition from traditional to next-generation firewall platforms. Key Challenges The biggest challenge in upgrading to a nextgeneration firewall (NGFW) is the change in scope because of new features. This involves a steep learning curve in areas such as firewall configuration and console user interface. Staffing turnover on the network and security teams leads to a loss of informal knowledge about network security and firewall configuration settings, which makes the firewall migration process difficult. Many organizations don t do regular firewall audits, which leads to overly complex configuration files with unnecessary, conflicting and unused firewall policies and other services. A communication gap between different IT teams leads to configuration and policy management challenges during the migration of firewall platforms. The labor cost in transitioning to an NGFW is significant and often not accounted for. Recommendations Security leaders should: Work with other IT operations teams to identify the new features to be used and carefully evaluate the performance impact, once they are enabled, together. Have a robust rollback strategy in case migration fails, so that you can continue to deliver business-as-usual services while doing a root cause analysis. Provide a strong foundation for migration by ensuring that RFPs include a complete list of features and steps required for conversion and installation. Request a detailed quote that includes the cost of professional services for firewall migration and training in order to gain visibility on total migration for budget allocation. Strategic Planning Assumption Less than 40% of enterprise Internet connections today are secured using next-generation firewalls (NGFWs). By year-end 2018, this will rise to at least 85% of the installed base, with 90% of new enterprise-edge purchases being NGFWs as more enterprises realize the benefits of application and user control. Introduction Migration to an NGFW is a major challenge and should be a factor in a decision for bringing a new firewall on board. Although challenging, adding new security features, sometimes combined with switching vendors during an NGFW deployment, can be made a smooth experience with minimum disruptions by identifying the technology and process changes upfront. Once the NGFW is installed, security managers should also make sure to optimize it in order to fully utilize its security features. Analysis Perform a Network and Firewall Configuration and Policy Audit Many organizations have old, dysfunctional firewall policies, routes, network objects and services in place. This clutters the network and leads to unnecessarily large firewall configurations. It also makes the behavior of the firewall less predictable and complicates the conversion and testing of policies for the new firewall. Hence, a network and firewall configuration and policy audit must be performed before the migration.
4 4 Network audit: An updated network diagram provides a clear understanding of your current network. Creating it will help you identify and rationalize removing unused elements (nodes, network connections or hosts, for example), which will help in identifying obsolete firewall rules. This helps in a smooth migration of firewalls and firewall audit as it will provide a list of active IP addresses and relevant network objects present in the network. Before the migration, make sure to update your network diagram. Involve all the related departments such as the network, security, and server teams and any other applicable area (such as application support and user administration for NGFW capabilities) to get a full view of the infrastructure. Firewall configuration and policy audit: The firewall audit documents and evaluates current policies and configuration and promotes better management of the new firewall. The audit is especially helpful if the security team is newer or recently got changed without any proper handover. Review and audit your current firewall configurations to make sure only the necessary required configuration settings and policies are migrated to the new firewall. Make sure to review each part of the firewall configuration. For an organization with multiple firewall brands in place because of acquisitions or geographical diversity, firewall policy management tools can provide a consolidated view of the various rule sets and how they will overlap, interact and conflict. Firewall policy management vendors include AlgoSec, FireMon, Tufin and Skybox Security. If a consolidation of IPS functions is part of the NGFW deployment, then create whitelists and exceptions. Identify New Features and Evaluate Their Impact on Performance Many organizations want to replace some existing security functions and implement new functions with new features of the NGFW. This will include any consolidation you are planning, such as an intrusion prevention system (IPS). It could also include new features like application control, user ID control and advanced threat prevention. Enabling additional features often leads to 40% to 80% performance decrease, hence the performance impact should be evaluated and tested. Prepare a list of functions you are currently using in your existing firewall (and possibly IPS) and the features you would like to use in the proposed next-generation firewall. Involve all the related departments such as the server team, network team, systems team and any other applicable area (such as application support and user administration for NGFW capabilities) to get a full view of the infrastructure. This should be done during the initial planning phase, so that it can be included in the RFP process. This will ensure that potential vendors only include licenses for the requested features in the quote. List of applications: If you want to use application control in the NGFW, it is highly recommended that you prepare a whitelist and blacklist of the required applications and make sure that whitelisted applications are allowed. This helps in blocking work-related applications as soon as application control is enabled. User identity control: One of the most used features of a next-generation firewall is useridentity-based control, which also enables user-based logging and reporting. This requires integration of the firewall with the organization s identity directory (often Microsoft Active Directory). This can be a bit of a challenge in cases where there are multiple domain controllers. Hence, it is recommended to first plan for integration of NGFW with the identity directory by involving the internal systems team. IPS configuration: Review your current IPS policies and filters if you have IPS blocking in-line. In case of an absence of IPS policy, configure the IPS features of the firewall in alerting mode and monitor the logs carefully to block the alerts. For a detailed research on enhancing NGFW features, please refer to How to Ensure If a Next- Generation Firewall Will Enhance Your Security. Performance Impact: Because enabling different levels of traffic inspection impacts the performance of the firewall, a performance requirement should be clearly stated at the time of RFP and carefully considered while doing a proof of concept (POC). Testing with realistic traffic will enable an organization to optimize the NGFW and evaluate any performance impact.
5 5 We have observed the following performance impacts by enabling respective traffic inspection: Enabling intrusion prevention in addition to firewall will cause a minimum 50% to 60% performance hit for http traffic. Antivirus analysis might impact the overall performance with an additional 50% hit compared to a firewall and IPS configuration. Secure Sockets Layer (SSL) encryption can impact the performance by up to 90%. Ask for a Detailed Initial Quote Getting the right quote with discounts is a concern for security managers and procurement teams. Sometimes hidden costs attached with the migration process can lead to improper budget allocation. It is very important to evaluate all the aspects of firewall migration, instead of just the equipment and licensing costs. Firewall migration has many other costs attached to it. A normal refresh cycle for a firewall is between four and five years, and full visibility of the maintenance costs through the years should also be considered. The cost of professional services for the migration and fine-tuning should always be included in the initial quote alongside the equipment and licensing cost. Make sure to get the pricing for the software subscriptions that you are planning to use in the NGFW such as IPS or advanced threat detection. Also, make sure to ask for the customized training costs for your number of staff within the same quote. For some large NGFW projects, training is included at no charge. This will give you a real cost estimate for the full migration so the budget can be allocated accordingly. Ask for an annual subscription and support cost, and bulk (three to five years) cost to get total cost of running the firewall. Understand Your Internal Training Requirements and Create a Training Agenda One challenge in moving to a next-generation firewall platform is a steep learning curve for the technical staff to manage and for the business to articulate what the outcome needs to look like. Organizations will have additional training requirements in the following cases: Current firewalls are being managed by using the command line (NGFWs have a very advanced GUI-only approach and discourage the use of a command line interface). The current firewall management is outsourced, and the service provider does not have any expertise in NGFW. The organization is using a single vendor throughout the network with its staff fully trained to manage those devices. For them, moving to a next-generation firewall will involve a steep learning curve with staff training and development. Training plays an important role in changing a firewall platform. Organizations should allow for training costs in the budget and include training and education as a part of the solution package. Prepare a customized training agenda based on the features you are finding difficult to configure during the POC. This leads to a better training program rather than going with the default standard training provided by the vendor. Working closely with vendors during migration also makes the most of your team s existing knowledge and provides better understanding of the functions of the new firewall. Carefully Evaluate New Firewall Features Using a POC Process Differences in firewall design can lead to differences in functions and features, especially as technology moves away from traditional rules based on ports and protocols, and toward rules based on applications and user IDs.
6 6 It is very important to carefully evaluate and test all the features you are planning to use in the new firewall as it is a different platform. Inadequate testing can lead to misconfiguration and interoperability issues, which can cause underperformance and dissatisfaction among users. Performing POC testing of features to be used is recommended before introducing a new firewall into the network. This also helps the team to learn the topics they lack knowledge for and can be made part of the agenda for the product training. Refer to Use Proofs of Concept to Guarantee Successful Network Security Purchases for POC best practices. Test for Interoperability Between Other Network Equipment A different firewall platform can sometimes lead to interoperability issues. Many organizations are using the same vendor for whole of their network infrastructure (including firewalls, switches, routers and proxies). Typical use cases are organizations using Cisco and Juniper network equipment. Check and compare the networking capabilities of the NGFW with your existing firewall, especially for complicated protocols like unified communications. Identify any vendor-proprietary services, check the alternate provided for it with the new NGFW and test the interoperability. Most NGFWs provide advanced networking capabilities such a dynamic routing that tend to fit and work with the other network equipment. If you are using end-of-life network equipment (such as an IPS solution), this is a good opportunity to check if those functions can be handled by the NGFW itself. If you are using security information and event management (SIEM), or any other log management solution, make sure to test the log format from the NGFW, as many firewalls produce proprietary logs and can create some compatibility issues if not tested properly. Security administrators can check the existence of connectors from the NGFW or SIEM vendor to make SIEM easier to integrate. Use Firewall Migration Tools to Replicate Existing Firewall Rules Some next-generation firewalls have a different design from that of the traditional firewalls, making the conversion difficult. A common example is a move from a zone-based firewall to network-based NGFW. This requires additional planning and testing before migration, and testing after migration. Firewall migration tools can be used to speed the translation of an existing firewall configuration file. There are many commercial firewall migration tools on the market. Many firewall vendors also provide these conversion tools. Most of these tools are not publicly available, but can be provided on demand by the vendor or system integrator. The output of these tools will still need a manual review before being applied to your working platform, but they will save considerable amounts of time and reduce the risk of critical business applications being affected during the migration process. It is highly recommended to fully test the tools before using for the actual migration. Create a Rollback Strategy to Restore Critical Services After the migration, the restoration of critical services and applications is very important in the event of a failure. Many organizations cannot afford downtime for their critical applications in some cases. Create a list of critical services that have a potentially high impact on the productivity of your organization. This might include the hosting of Web servers inside your network that are accessed by clients from Internet, site-to-site VPN tunnels, or any other service that needs high uptime. The impact of service disruption should be carefully assessed. This helps in prioritizing the migration steps.
7 7 For organizations that have public-facing websites and critical applications that cannot afford downtime, it is recommended to break the highavailability pair of the existing firewall and divert the traffic to a single firewall temporarily with a separate Internet connection. Once the NGFW is in place, and all of the connections have been tested, the main traffic can be diverted to the new firewall. This also allows for a robust rollback strategy as the old firewall can be inserted quickly back into the path in case it fails. For those sites that do not have secondary Internet access, create a testing scenario that utilizes captured network traffic to replay it on the new NGFW to validate policies. Avoid Bulk Migration in Case of Distributed Networks Migration to a new firewall can be a lot more challenging for distributed networks (for both management and logging). Recommendations: Organizations with a head office and multiple branch offices secured with separate firewall units should give priority to rollout of a single brand of firewalls for all locations for easier administration. This will provide better centralized control to all the firewalls across the network. For distributed networks, it is recommended to avoid a bulk migration, and to begin the firewall migration on a less-sensitive network. This will provide the team with experience and training. After running the new firewall for a while, the team will get a better sense of its performance and usage, and can then gradually migrate other networks. Source: Gartner Research, G , Rajpreet Kaur, 25 June 2015
8 8 About Fortinet Fortinet (NASDAQ: FTNT) protects the most valuable assets of some of the largest enterprise, service provider and government organizations across the globe. The company s fast, secure and global cyber security solutions provide broad, high-performance protection against dynamic security threats while simplifying the IT infrastructure. They are strengthened by the industry s highest level of threat research, intelligence and analytics. Unlike pure-play network security providers, Fortinet can solve organizations most important security challenges, whether in networked, application or mobile environments - be it virtualized/cloud or physical. More than 210,000 customers worldwide, including some of the largest and most complex organizations, trust Fortinet to protect their brands. Learn more at <http://www.fortinet.com>, the Fortinet Blog or FortiGuard Labs. Contact Us Fortinet Headquarters 899 Kifer Road Sunnyvale, CA USA Tel: Web: Copyright 2015 Fortinet, Inc. All rights reserved. The symbols and denote respectively federally registered trademarks and unregistered trademarks of Fortinet, Inc., its subsidiaries and affiliates. Fortinet s trademarks include, but are not limited to, the following: Fortinet, FortiGate, FortiGuard, FortiManager, FortiMail, FortiClient, FortiCare, FortiAnalyzer, FortiReporter, FortiOS, FortiASIC, FortiWiFi, FortiSwitch, FortiVoIP, FortiBIOS, FortiLog, FortiResponse, FortiCarrier, FortiScan, FortiAP, FortiDB, FortiVoice and FortiWeb. Other trademarks belong to their respective owners. Fortinet has not independently verified statements or certifications herein attributed to third parties and Fortinet does not independently endorse such statements. Notwithstanding anything to the contrary herein, nothing herein constitutes a warranty, guarantee, binding specification or other binding commitment by Fortinet, and performance and other specification information herein may be unique to certain environments. This news release contains forward-looking statements that involve uncertainties and assumptions, such as statements regarding product releases. Changes of circumstances, product release delays, or other risks as stated in our filings with the Securities and Exchange Commission, located at <http://www.sec.gov/>, may cause results to differ materially from those expressed or implied in this press release. If the uncertainties materialize or the assumptions prove incorrect, results may differ materially from those expressed or implied by such forwardlooking statements and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements. Fortinet assumes no obligation to update any forward-looking statements, and expressly disclaims any obligation to update these forward-looking statements Planning a Successful NGFW Migration is published by Fortinet. Editorial content supplied by Fortinet is independent of Gartner analysis. All Gartner research is used with Gartner s permission, and was originally published as part of Gartner s syndicated research service available to all entitled Gartner clients Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner s endorsement of Fortinet s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity on its website,