One Firewall Platform is Best Practice. Really?!?

You may have seen the Gartner report, One Brand of Firewall Is a Best Practice for Most Enterprises, where the virtue of a single vendor was extolled. Special attention is given to the greater security risk and complexity from having multiple firewall platforms. This statement, though obvious, has a tone of idealism and fails to appreciate the reality of real-world enterprise environments.

To Gartner’s credit, the research affirms security and network teams are not acting irrationally when deploying multiple firewall platforms. However, what their research does not fully value is how organizations are doing everything possible to stay ahead of business demands, evolving security threats and the hyper-drive of DevOps.

Real-life network security teams are overwhelmed with changes, access requests, audits, compliance mandates and a mutating infrastructure puzzle. These heroes of network security do not have the luxury of ruminating about perfect worlds. 

I want to address some key challenges in the analysis and make the case that “should” is a corrosive notion and interferes with progress in Network Security Policy Management.  “Should” implies an air of judgment and does not offer tangible solutions for how the world is and thus, cannot meet the needs of a 21st century enterprise. This is the only world we’ve got, so we better make network security more practicable for any situation.

Let’s turn our attention to the key challenges mentioned in the Gartner research and how world-class Network Security Policy Management (NSPM) can address these challenges – without forklifting in-or-out a single firewall.

Key Challenges

  1. Having two (or more) different firewall platforms greatly increases the chances of configuration and management problems, and will increase training, deployment and problem-solving costs.
  2. The increasingly complex demilitarized zone (DMZ) and the rise of the hybrid cloud are raising the complexity in firewall rule bases.
  3. Two or more firewall vendor relationships can yield potentially lesser discounts and higher contract administration overhead.
  4. The additional procurement cost and management expense that are required for multiple firewalls decreases available budget for other network security technologies.

If all of this seems obvious to you, you are likely to be a realist firmly rooted in the present. You are probably taking time away from your regular hair-pulling to read this. You are likely to be overworked, seemingly out of options, and ready to throw in the towel…maybe, considering going back to dental school.

But if you continue reading, let me urge you to consider how Network Security Policy Management is well-suited to solve these riddles of a contemporary network.

First, let us look at the statement that multiple firewalls “greatly increases the chances of configuration and management problems.” Of course it does! Any time you add any variable to another you increase the probability of failure. These are links in the chain and any single point that fails can leave an enterprise in a tough spot.

Idealism would say: “Move to a single vendor for your firewalls.”

Realism says: “Manage all those heterogeneous firewalls from a single console.”

It’s the result that we’re going for here. The result we want is a streamlined way of managing the litany of rules and policies that keep our networks secure. If the result we want is fewer configuration missteps and network problems, then organizations can solve this with better network security policy management. NSPM allows staff to centrally manage the policies and rules that govern the traffic in our networks, irrespective of the firewall vendor. 

Idealism would suggest moving all firewalls to a single vendor platform, but unfortunately this is impractical for most organizations. Too many networks have morphed so much during the last 20 years that they are now unrecognizable to the original designers. 

Realism takes note of this situation and pursues solutions to the problem of complexity, rather than the problem of multiple vendors. We are aiming for reduced risk and complexity, not simply removing heterogeneous firewalls. If you are looking to bring down complexity, you need a smarter way to manage the existing environment without changing any of your thoughtfully invested infrastructure.

On to the next…

Related to the first charge, the second key challenge claims that new complexities to the DMZ and cloud environments will force organizations to standardize on a single vendor for policy controls. Please, demonstrate your evidence for this claim.

Organizations the world over are meeting and exceeding the demands of rapidly changing environments, DMZ mutations and cloud adoption, all from the comfort of a single console. The suggestion that the best way forward is to standardize on a single firewall does not take into account the break-neck speed of business. These changes to the network do not politely sit tight while security teams solicit, vet, select and implement a new firewall architecture. The world does this routinely annoying thing…it keeps moving.

Idealism would say: “Move to a single vendor for your DMZ evolution and cloud adoption.”

Realism says: “Choose what you wish, manage the policies regardless.”

NSPM allows organizations to take on new workload types, data warehousing and asset protection that were the stuff of science fiction only a few years ago. With an NSPM, organizations can quickly adopt whatever workload distribution or data storage they need (think: AWS S3) without having to change a single firewall. I’ve seen it with my own eyes. We call these people “FireMon customers”.

Third time is the charm, right?

The third key challenge informs us of the negotiation and administrative benefits of moving to a single vendor. What does this have to do with security? The opening statement in this research topic is that multiple firewalls create complexity and increase risk: “Using firewalls from multiple vendors increases complexity, not security.”

This idea places administrative management and contracting above the (correct) practice of finding the best-of-breed. Organizations have adopted a method of selecting that which best fits their own needs: Want a good cloud document management system? Try Box or Dropbox. Want a superior HR platform? Try Workday or UltiPro or Paycom. Want a good ITSM? Try ServiceNow or Cherwell or BMC Remedy.

Organizations need choices that address their requirements. Network security teams do not select multiple vendors in a masochistic attempt to create havoc in their lives. They choose the appropriate security enforcement for the given context.

Idealism would say: “Forget what meets your requirements, standardize on one.”

Realism says: “Go for best-of-breed, be a policy hero no matter what is selected.”

NSPM is an enabler of businesses to make the right decision for their specific needs. By consolidating policy design, implementation and compliance into a single console, organizations get the versatility to adapt to their security needs without compromising on any requirement.

Okay, surely the last one is applicable…

This key challenge makes the claim that by consolidating to a single vendor, you will have more dollars freed up to pursue other technologies. Now, this may be accurate, but is it a good practice in reality? Besides, isn’t purchasing the single vendor’s firewalls a, you know, technology purchase? The last I checked, each time an enterprise purchases additional firewalls, they are purchasing additional technology. Most organizations cannot free up the budget dollars necessary to consolidate to a single vendor – we are talking about hundreds, if not thousands, of firewalls. 

Idealism would say: “Consolidate. It costs you now, but you’ll thank yourself later.”

Realism says: “Yes, consolidate…the policies. That’s the endgame.”

No matter what security products you are looking to purchase, they are beholden to security policy. Think about it, every kernel of security comes down to policy: this is allowed, that is not.

NSPM appreciates this reality and works with network security teams to harness the policies that need consolidating. Of course, consolidation is necessary, but not the firewalls. It is the policy management that needs a single view.

What is NSPM?

In the diatribe above, I have attempted to show that the idealistic suggestion of a single vendor for firewalls is not practicable. Organizations cannot swiftly jettison their infrastructure or simply open a bidding war for vendors to compete for a sole-sourced opportunity.

Realism takes all this into account, applies reasonable decisions to the existing world and keeps the goal in mind. The goal is to consolidate our firewall policies into a single view, analyze where they are effective and take appropriate action when policies need to change. This is the stock-in-trade of NSPM.

Network Security Policy Management closes the complexity gap, enhances security and removes the burdensome task of compliance attestation. There are four critical capabilities for any NSPM. Thank you for asking…they are:

  1. Security Policy Controls
  2. Change Management
  3. Risk and Vulnerability Analysis
  4. Application Connectivity Management

FireMon customers get to experience all four. By having a holistic approach with integrations to any security device, we tame the policy management puzzle with automation and orchestration. 

This is the realist’s approach. The realist wants to achieve security agility, reduce security risk, maintain compliance and respond rapidly to threats. The realist sees through the veil and understands that consolidating their policies and rules is achievable with existing firewalls. This allows organizations to keep business continuity, adapt to DevOps speed and keep an eye on any and all network devices (e.g. firewalls) irrespective of make or model.
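The "single view" the post keeps returning to is, at bottom, a vendor-neutral rule model that every device's policy is normalized into, so that analysis (shadowed rules, over-permissive rules) runs once across the whole estate. The following is an added example, not FireMon's code and not how any NSPM product is implemented: it parses small, simplified subsets of two rule syntaxes (a Cisco ASA-style extended ACL and iptables-save style lines) into one model, then flags rules that can never match because an earlier rule on the same device already covers them, and permits that allow any-to-any traffic. Device names and rule lines are constructed sample data; the parsers handle only the options shown.

```python
"""Normalize firewall rules from two vendor syntaxes into one vendor-neutral
model, then run two policy checks over the combined view:
  - shadowed rules: a rule entirely covered by an earlier rule on the same
    device (unreachable, regardless of action), a classic cleanup finding;
  - any-to-any permits: overly permissive rules worth recertifying.
The parsers cover only a small subset of each syntax (assumption for this
example) and the sample lines below are constructed, not captured.
"""
import ipaddress
import re
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    device: str
    index: int          # position in the device's policy (match order)
    action: str         # "permit" or "deny"
    proto: str          # "tcp", "udp" or "ip" (ip = any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: tuple        # inclusive (low, high) destination port range


def _net(token):
    return ANY_NET if token == "any" else ipaddress.ip_network(token, strict=False)


# --- Cisco ASA-style extended ACL subset ---------------------------------
# e.g. "access-list OUTSIDE extended permit tcp any host 10.0.0.5 eq 443"
ASA_RE = re.compile(r"access-list \S+ extended (permit|deny) (tcp|udp|ip) (.+)")


def _asa_addr(toks):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if toks[0] == "any":
        return ANY_NET, toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}"), toks[2:]


def parse_asa(device, lines):
    rules = []
    for line in lines:
        m = ASA_RE.match(line.strip())
        if not m:
            continue
        action, proto, rest = m.groups()
        toks = rest.split()
        src, toks = _asa_addr(toks)
        dst, toks = _asa_addr(toks)
        dport = (int(toks[1]), int(toks[1])) if toks[:1] == ["eq"] else ANY_PORT
        rules.append(Rule(device, len(rules), action, proto, src, dst, dport))
    return rules


# --- iptables-save style subset -------------------------------------------
# e.g. "-A FORWARD -s 10.1.0.0/16 -d 10.0.0.5/32 -p tcp --dport 443 -j ACCEPT"
IPT_OPT_RE = re.compile(r"(-s|-d|-p|--dport|-j) (\S+)")


def parse_iptables(device, lines):
    rules = []
    for line in lines:
        line = line.strip()
        if not line.startswith("-A "):
            continue
        opts = dict(IPT_OPT_RE.findall(line))
        target = opts.get("-j")
        if target not in ("ACCEPT", "DROP", "REJECT"):
            continue  # jumps to user chains etc. are out of scope here
        proto = opts.get("-p", "ip")
        proto = "ip" if proto == "all" else proto
        dport = ANY_PORT
        if "--dport" in opts:
            lo, _, hi = opts["--dport"].partition(":")
            dport = (int(lo), int(hi or lo))
        rules.append(Rule(device, len(rules), "permit" if target == "ACCEPT" else "deny",
                          proto, _net(opts.get("-s", "any")), _net(opts.get("-d", "any")), dport))
    return rules


# --- checks over the normalized view ------------------------------------------
def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def find_shadowed(rules):
    """(rule, earlier rule) pairs where the earlier rule makes the later unreachable."""
    found = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.device == r.device and covers(earlier, r):
                found.append((r, earlier))
                break
    return found


def find_any_any_permits(rules):
    return [r for r in rules if r.action == "permit"
            and r.src == ANY_NET and r.dst == ANY_NET and r.dport == ANY_PORT]


# Constructed sample policies (not from any real device).
ASA_SAMPLE = [
    "access-list OUTSIDE extended permit tcp any host 10.0.0.5 eq 443",
    "access-list OUTSIDE extended permit tcp 192.168.1.0 255.255.255.0 host 10.0.0.5 eq 443",
    "access-list OUTSIDE extended permit ip any any",
]
IPTABLES_SAMPLE = [
    "-A FORWARD -s 10.1.0.0/16 -d 10.0.0.5/32 -p tcp --dport 443 -j ACCEPT",
    "-A FORWARD -p tcp --dport 22 -j DROP",
    "-A FORWARD -s 10.1.2.0/24 -d 10.0.0.5/32 -p tcp --dport 443 -j ACCEPT",
]


def audit():
    """Combine both devices into one view and return the findings."""
    combined = parse_asa("asa-edge", ASA_SAMPLE) + parse_iptables("linux-gw", IPTABLES_SAMPLE)
    return combined, find_shadowed(combined), find_any_any_permits(combined)


if __name__ == "__main__":
    rules, shadowed, any_any = audit()
    for r, e in shadowed:
        print(f"{r.device} rule {r.index} is shadowed by rule {e.index}")
    for r in any_any:
        print(f"{r.device} rule {r.index} permits any -> any on all ports")
```

Once rules from every device live in one model, the checks are written once and apply regardless of make or model; a real deployment would replace the toy parsers with full vendor adapters, and the same checks would also need object-group and zone expansion before the coverage test is trustworthy.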

Josh Mayfield serves as FireMon's Director of Product Marketing.
