We regularly work with clients who wish to enhance or replace their current firewall solution and perimeter network security, and who therefore face a firewall migration project.
When we embark on a project like this, we rarely approach the problem from a technical or network standpoint. To implement a solution that protects a customer network and information assets, we first need to understand the business.
What systems do they use? Where are their users located? How many sites? Do they permit remote access? Who and what applications or networks should be able to access the internet?
In these circumstances, we often use the existing policy as a baseline but not the blueprint. Using your current firewall policy is not necessarily the best foundation on which you should move forward. We develop an understanding of the organisation and identify how a network security solution can form part of the overall security and network architecture.
Our project approach
Below you can see an example of a 7-step approach to a firewall migration plan. The plan applies whether it is an external firewall providing perimeter security or an internal firewall solution defending your internal network segments.
1 – Understand
The first step in a project such as this is to understand your business. Our consultants need to develop an understanding of your business, your customers, business processes and systems. Internet-connected devices, the cloud, mobile devices and the emergence of malware and similar threats all pose a risk to your business. Understanding the threats, risks and any regulatory obligations (e.g. PCI) will enable us to determine the level of security that is required.
Your business will need a security solution, and in particular a firewall, due to a combination of financial and reputational risk. MTG recognises that a business case will need to underpin any security solution. You will not gain management or stakeholder support if you cannot articulate the business benefits (which are likely to centre on security).
2 – Assessment and requirements analysis
The assessment phase comprises two stages. First, we evaluate the firewall and network security policy you currently have in place. The second stage is to understand how your current solution maps to the needs uncovered in step 1. These stages are vital to ensure the success of the firewall migration project.
Does the existing solution provide adequate protection? Has the solution or rule-set evolved with the business and changing platforms? The findings of this phase will identify any gaps and provide inputs for the development phase.
3 – Develop
The goal of the development phase is to develop a security policy that offers adequate security for your business. This phase will include the planning, architecture and conversion of an existing security policy. The scope of this process will consist of firewall rules, IPS policies, antivirus and content filtering, web and application control, management and reporting. We pay particular attention to intricacies such as TCP and UDP timers, ALGs, NAT behaviour and platform-specific oddities (of which there are many). This level of detail, coupled with our experience, ensures a smooth migration and switchover.
4 – Review
At this point in the project, MTG will undertake a full joint review of the proposed security solution. This phase will also provide an opportunity for an additional clean-up of the firewall rule policy and configuration.
5 – Test
Before we migrate the new firewall infrastructure into your live environment, MTG will run a series of tests to benchmark and validate the solution. Our testing process would include the use of test plans, scripts and network analysis software. For example, we would check internet access and access to cloud applications, and make sure other critical business systems are available.
We will work with the customer to ensure the test scenarios and scripts apply to their infrastructure and systems, and incorporate any policies that we identified in step 1.
Testing will also be undertaken at Steps 6 and 7, continuing after every change or new business requirement.
6 – Implement
We would arrange the implementation phase or “cut-over” during a maintenance window that is typically outside of regular business hours. MTG will perform sanity checks to ensure traffic is passing through the firewall and the new solution is behaving as expected. If changes are required, we will make configuration adjustments to resolve any particular issues. Once the solution is in production and the configuration is accepted by the customer, MTG will be contactable to resolve any migration- or implementation-related issues.
7 – Manage
Now that the solution has been introduced into the live environment, MTG will manage the solution and its day-to-day configuration. The customer can submit change requests by e-mail or telephone, which will then be actioned by MTG according to an agreed process. The detail of the change control process and the SLA that governs this service is available in a separate document.
Transition to a UTM/NGFW solution today
We work closely with Fortinet, a leading manufacturer of Next Generation and UTM Firewalls. We have been engaged in dozens of projects, migrating clients away from ageing Cisco ASAs, Juniper NetScreen, SonicWall and WatchGuard. ROI is a vital component of any security project, and the technology and rich feature set make it very easy to demonstrate an ROI to key business stakeholders. Firewall migration from one firewall vendor to another may seem like a daunting task, but this is something we have undertaken countless times.
Greater insight and demonstrable ROI
Greater network insight, safeguarding against cyber-threats, integrated wireless controller, secure mobile working and high availability are key selling points. Perhaps more importantly, the reporting and MI garnered from the device can be used to demonstrate its effectiveness. That next generation firewall ceases to be that expensive box we just bought, and it can demonstrate its efficiency (and thus ROI) to the board. Protection against APTs, intrusion prevention, DLP and sandboxing are key security enablers.
Engage the experts
We have experience implementing firewalls in small business, enterprise and service provider environments. Our engagement can be consultancy, firewall migration/replacement, supply only or a fully managed security service. Our IT support and managed services team support, monitor and maintain firewalls on behalf of our clients.
Manx Technology Group design, supply and manage firewall solutions throughout the UK, Europe, US and Asia. Select Request a Quote, e-mail firstname.lastname@example.org or call +44 1624 777837 to learn more. Whether you are looking for supply only, or procurement and management – we would be glad to help.