One Firewall Platform is Best Practice. Really?!?

You may have seen the Gartner report, One Brand of Firewall Is a Best Practice for Most Enterprises, where the virtue of a single vendor was extolled. Special attention is given to the greater security risk and complexity from having multiple firewall platforms. This statement, though obvious, has a tone of idealism and fails to appreciate the reality of real-world enterprise environments.

To Gartner’s credit, the research affirms security and network teams are not acting irrationally when deploying multiple firewall platforms. However, what their research does not fully value is how organizations are doing everything possible to stay ahead of business demands, evolving security threats and the hyper-drive of DevOps.

Real-life network security teams are overwhelmed with changes, access requests, audits, compliance mandates and a mutating infrastructure puzzle. These heroes of network security do not have the luxury of ruminating about perfect worlds.

I want to address some key challenges in the analysis and make the case that “should” is a corrosive notion that interferes with progress in Network Security Policy Management. “Should” implies an air of judgment and does not offer tangible solutions for how the world is, and thus cannot meet the needs of a 21st century enterprise. This is the only world we’ve got, so we better make network security more practicable for any situation.

Let’s turn our attention to the key challenges mentioned in the Gartner research and how world-class Network Security Policy Management (NSPM) can address these challenges – without forklifting a single firewall in or out.

Key Challenges

  1. Having two (or more) different firewall platforms greatly increases the chances of configuration and management problems, and will increase training, deployment and problem-solving costs.
  2. The increasingly complex demilitarized zone (DMZ) and the rise of the hybrid cloud are raising the complexity in firewall rule bases.
  3. Two or more firewall vendor relationships can yield potentially lesser discounts and higher contract administration overhead.
  4. The additional procurement cost and management expense that are required for multiple firewalls decreases available budget for other network security technologies.

If all of this seems obvious to you, you are likely to be a realist firmly rooted in the present. You are probably taking time away from your regular hair-pulling to read this. You are likely to be overworked, seemingly out of options, and ready to throw in the towel…maybe, considering going back to dental school.

But if you continue reading, let me urge you to consider how Network Security Policy Management is well-suited to solve these riddles of a contemporary network.

First, let us look at the statement that multiple firewalls “greatly increases the chances of configuration and management problems.” Of course it does! Any time you add any variable to another you increase the probability of failure. These are links in the chain and any single point that fails can leave an enterprise in a tough spot.

Idealism would say: “Move to a single vendor for your firewalls.”

Realism says: “Manage all those heterogeneous firewalls from a single console.”

It’s the result that we’re going for here. The result we want is a streamlined way of managing the litany of rules and policies that keep our networks secure. If the result we want is fewer configuration missteps and network problems, then organizations can solve this with better network security policy management. NSPM allows staff to centrally manage the policies and rules that govern the traffic in our networks, irrespective of the firewall vendor.

Idealism would suggest moving all firewalls to a single vendor platform, but unfortunately this is impractical for most organizations. Too many networks have morphed so much during the last 20 years that they are now unrecognizable to the original designers.

Realism takes note of this situation and pursues solutions to the problem of complexity, rather than the problem of multiple vendors. We are aiming for reduced risk and complexity, not simply removing heterogeneous firewalls. If you are looking to bring down complexity, you need a smarter way to manage the existing environment without changing any of your thoughtfully invested infrastructure.

On to the next…

Related to the first charge, the second key challenge claims that new complexities to the DMZ and cloud environments will force organizations to standardize on a single vendor for policy controls. Please, demonstrate your evidence for this claim.

Organizations the world over are meeting and exceeding the demands of rapidly changing environments, DMZ mutations and cloud adoption, all from the comfort of their single console. The suggestion that the best way forward is to standardize on a single firewall does not take into account the breakneck speed of business. These changes to the network do not politely sit tight while security teams solicit, vet, select and implement a new firewall architecture. The world does this routinely annoying thing…it keeps moving.

Idealism would say: “Move to a single vendor for your DMZ evolution and cloud adoption.”

Realism says: “Choose what you wish, manage the policies regardless.”

NSPM allows organizations to take on new workload types, data warehousing and asset protection that were the stuff of science fiction only a few years ago. With an NSPM, organizations can quickly adopt whatever workload distribution or data storage they choose (think: AWS S3) without having to change a single firewall. I’ve seen it with my own eyes. We call these people “FireMon customers”.

Third time is the charm, right?

The third key challenge informs us of the negotiation and administrative benefits of moving to a single vendor. What does this have to do with security? The opening statement in this research topic is that multiple firewalls create complexity and increase risk. “Using firewalls from multiple vendors increases complexity, not security.”

This idea places administrative management and contracting above the (correct) practice of finding the best-of-breed. Organizations have adopted a method of selecting that which best fits their own needs: Want a good cloud document management system? Try Box or Dropbox. Want a superior HR platform? Try Workday or UltiPro or Paycom. Want a good ITSM? Try ServiceNow or Cherwell or BMC Remedy.

Organizations need choices that address their requirements. Network security teams do not select multiple vendors in a masochistic attempt to create havoc in their lives. They choose the appropriate security enforcement for the given context.

Idealism would say: “Forget what meets your requirements, standardize on one.”

Realism says: “Go for best-of-breed, be a policy hero no matter what is selected.”

NSPM enables businesses to make the right decision for their specific needs. By consolidating policy design, implementation and compliance into a single console, organizations get the versatility to adapt to their security needs without compromising on any requirement.

Okay, surely the last one is applicable…

This key challenge makes the claim that by consolidating to a single vendor, you will have more dollars freed up to pursue other technologies. Now, this may be accurate, but is it a good practice in reality? Besides, isn’t purchasing the single vendor’s firewalls a, you know, technology purchase? The last I checked, each time an enterprise purchases additional firewalls, they are purchasing additional technology. Most organizations cannot free up the budget dollars necessary to consolidate to a single vendor – we are talking about hundreds, if not thousands, of firewalls.

Idealism would say: “Consolidate. It costs you now, but you’ll thank yourself later.”

Realism says: “Yes, consolidate…the policies. That’s the endgame.”

No matter what security products you are looking to purchase, they are beholden to security policy. Think about it, every kernel of security comes down to policy: this is allowed, that is not.

NSPM appreciates this reality and works with network security teams to harness the policies that need consolidating. Of course, consolidation is necessary, but not of the firewalls. It is the policy management that needs a single view.

What is NSPM?

In the diatribe above, I have attempted to show that the idealistic suggestion of having a single vendor for firewalls is not practicable. Organizations cannot swiftly jettison their infrastructure or simply open a bidding war for vendors to compete for a sole-sourced opportunity.

Realism takes all this into account, applies reasonable decisions to the existing world and keeps the goal in mind. The goal is to consolidate our firewall policies into a single view, analyze where they are effective and take appropriate action when policies need to change. This is the stock-in-trade of NSPM.

Network Security Policy Management closes the complexity gap, enhances security and removes the burdensome task of compliance attestation. There are four critical capabilities for any NSPM. Thank you for asking…they are:

  1. Security Policy Controls
  2. Change Management
  3. Risk and Vulnerability Analysis
  4. Application Connectivity Management

FireMon customers get to experience all four. By having a holistic approach with integrations to any security device, we tame the policy management puzzle with automation and orchestration.

This is the realist’s approach. The realist wants to achieve security agility, reduce security risk, maintain compliance and respond rapidly to threats. The realist sees through the veil and understands that consolidating their policies and rules is achievable with existing firewalls. This allows organizations to keep business continuity, adapt to DevOps speed and keep an eye on any and all network devices (e.g. firewalls) irrespective of make or model.