So you’ve been tasked with implementing your company’s next‐gen firewall – now what? Whether you’re considering a Palo Alto or another next-gen firewall, the ability to truly defend your confidential data often comes down to the basics: an optimized network design.
To help get your next‐gen firewall implementation project on the right track from the start, factor the following into your network design plan:
Architectural Requirements
Before you begin whiteboarding a network design, there are a few decisions you have to make upfront. Does the next‐gen firewall need to support High Availability? Are you building redundancy and fault tolerance into the solution? How will you handle failovers? These answers will dictate whether or not there will be primary/secondary appliances and how the network should handle traffic in the event that an individual firewall fails (shut down link v skip over while remaining active).
In‐line or out‐of‐band
Will your next‐gen firewall be deployed to support active traffic inspection and threat blocking capabilities or will it remain in listen only mode? While most companies prefer in‐line configurations, it is important to include a method for handling patching and updates without disrupting traffic flows throughout the organization.
Network Speed vs Appliance Speed
Understanding the speed at which the next‐gen firewall can process data as compared to the speed at which the network sends data is critical to the design process. If the network feed is too fast for the appliance, packets will be lost and it will not function properly. Luckily, most next‐gen firewalls live up to their throughput specifications in the real world. However, your internal network specifications may have changed especially if you are constantly upgrading to support high speed data access, cloud connectivity and more.
When preparing a network design diagram, it is important to fully specify the wiring (copper, fiber, fiber size, etc.) to ensure that the correct connections are available at installation.
Physical Connections
The way in which a firewall is connected to the network has implications for both security and network performance. For most companies, connecting the firewall directly to the network WAN or LAN seems like the most secure approach – after all there is no closer connection. However this approach may actually end up clogging the network, overwhelming other monitoring systems and interfering with policy control.
Consider using a network TAP instead. You still have access to a clear stream of network data – every bit, byte, and packet®. In this network design, next‐gen firewalls do not impact speeds and feeds for the mission critical applications the business supports. More importantly, should the firewall itself be altered remotely (a favorite move of the more sophisticated hacker), datastream from a TAP cannot be breached because the TAP has no IP address. In this design, the diagnosis and containment of issues can happen faster and more easily. Additionally, TAPs allow you to take appliances offline to install patches or troubleshoot issues without interrupting data traffic flows.
* * *
Knowing how to properly optimize design and connect a next gen firewall to the network from the start can mean the difference between a quiet, vigilant defense system and a very public apology to customers.
Are you tasked with deploying your company’s next‐gen firewall? Need help with network design? The designers at Garland are ready to jump in and assist.
Want to learn more about how to maximize your Palo Alto Networks investment by having the right network Access.
