We more or less abandoned pagers more than 15 years ago. Fax machines have gone from ubiquity to near obsolescence. And floppy disks? Many of the most recent generation of tech users have never even held—let alone inserted—one.

And yet, when it comes to cybersecurity, we still see all too many organizations relying on the same firewall technology they implemented in the 1990s. And while these legacy technologies may still remain functional on the most basic level, they have limitations and weaknesses that restrict their effectiveness—especially in a technology landscape that grows more threatening by the day.

Port and protocol firewalls, for example, can only detect known malware and fail to protect against zero-day vulnerabilities. In addition, many traditional firewalls have reached their end-of-life and are no longer supported by manufacturers.

It makes sense, then, that companies hoping to move past decades-old technology and better protect their IT environments are migrating to next-generation firewalls (NGFWs). NGFWs move beyond port and protocol inspection, adding application-level inspection and intrusion prevention. While traditional firewalls have limited visibility, NGFWs can look at the entire system and all traffic moving through it. Further still, the can analyze applications, detect anomalous behavior and make intelligent decisions based on that traffic.

A common misconception, however, is a next-generation firewall will protect an organization’s network out-of-the-box. In truth, simply implementing this technology is not enough to protect your data. Here are three ways to maximize the potential of your NGFW and stop threats in their tracks.

 

1. Don’t just move your legacy system rules

The biggest mistake IT security pros make with NGFWs is applying the same rules of legacy firewalls to this new technology. This is akin to buying a top-of-the-line 4K ultra HD television and then connecting it to an old-school antenna. Sure, you’ll get a great picture, sometimes. But you get none of the benefits of a $3,000 television—and when the weather’s bad, you may get nothing at all.

Taking advantage of your new NGFW’s capabilities requires making adjustments to your traditional port and protocol rule set. For example, you can add application rule sets that specify how your users can use certain applications—like allowing access to Facebook, for instance, but not Facebook chat.

You can also configure your NGFW to send samples of zero-day exploits to another system for analysis and sandboxing. It will run the file, provide a report, create a signature for the exploit and prevent it from entering your network in the future. NGFWs can complete this process within five to 15 minutes of an exploit finding its way onto your network.

Some NGFW vendors also compile exploit-related data from all of their customers. This data can then be used to inform future upgrades and advancements to the technology, allowing them to automatically prevent that same exploit from penetrating the networks of other organizations—including your own. Moreover, the larger your vendor’s customer base, the more data they can pull from to protect you from exploits.

 

2. Take advantage of your NGFW’s powerful capabilities

NGFWs offer a number of advanced security tools that provide a higher level of protection against attackers. Make sure you’re taking advantage of these key features:

  • The ability to secure applications and force them to use correct ports. For example, Skype will search for an open port until it finds one and can send traffic out. Your NGFW can ensure that applications use only their known ports.
  • Sandboxing to isolate your systems and programs from untrusted code. If a piece of malware enters your network, your NGFW’s sandboxing abilities will prevent it from infiltrating and harming your mission-critical systems and applications.
  • URL-filtering to block website categories, such as gambling sites and other inappropriate or threatening sites. If an employee tries to access a site in a restricted category, your NGFW will add the site to its blocked list.
  • Domain name service (DNS) filtering to prevent users from accessing specific IP addresses. This prevents malware from using DNS to communicate with host servers to gain access to your data.

 

3. Protect yourself before, during and after an attack

Traditional firewalls offer little protection during and after a breach. With a NGFW, however, you can protect your environment across all phases of an attack.

Before an attack, your NGFW will fortify your security using many of the features mentioned above. During an attack, your NGFW will identify what’s happening. Next, it will tell you which machines are affected and the websites with which they’re communicating. Within minutes, your NGFW can also tell you the scope of the breach.

After an attack, your NGFW offers remediation. It will identify patient zero and other affected systems. An NGFW also allows you to set additional rules or signatures to prevent others from using those communication channels.

A firewall is just one measure of protection in a comprehensive cybersecurity program. Even when you take proactive steps to protect your company with a NGFW, you still won’t catch every email that enters your network. Your NGFW should work in tandem with other solutions, such as email security and SSL decryption tools. A layered defense plan gives you the highest level of security.

Do you want to better protect your network against attacks?
Sign up here for a free two-week threat scan trial of Cisco Firepower NGFW.

Related Blog Posts

See All Blogs

4 Security Lessons Federal IT Pros Can Teach the Private Sector

Whether in the private or federal space, there's one thing all IT security teams must deal with: making the most of limited resources to protect sensitive information. And while budgets are slow to increase, threats develop fast. Anyone with an…

Protecting your Agency from Phishing

As we spend an increasingly large percentage of our time online, we’ve become aware of the malicious tactics used to trick us into downloading malware or betraying our credentials. Even as our built-in threat detection improves, we risk letting it…

NextGov: Security Doesn’t Have to Be a Sticking Point in Cloud Migration

Despite the innovations and efficiencies that come with cloud migration, only about 20 percent of federal agencies have migrated their applications and data to the cloud. Why such a low adoption rate? One reason is the challenge of securing data.…

Fifth Domain: How Agencies Can Protect Legacy IT As They Modernize

Cybersecurity threats grow more sophisticated every year. And while the federal government has pushed forward with efforts to modernize IT, some legacy systems pose unique challenges. Often, these systems remain static even as the landscape around them continues to change.…

What You Need to Know about Data Privacy

Data privacy is the crossroads of confidentiality and integrity. When data is shared, either voluntarily or involuntarily, there’s an expectation that the collected information will be kept confidential. In general, data privacy is really about identity—social security numbers, credit card…

Cyberattacks and the DHS Directive – It’s Time for your Agency to Improve Your Authentication Protocols

By now CIOs across the federal government have seen Emergency Directive 19-1 issued by the Department of Homeland Security, which was issued in response to cyberattacks on DNS infrastructure for several executive branch agency domains. In these attacks, outsiders compromised…

NextGov: The Boldest Predictions for Federal Technology in 2019

Everyone is talking about artificial intelligence right now—it’s the buzz of the industry. But not many people fully understand what AI and machine learning can do. Jason Parry, our VP of Client Solutions, shares his prediction on the impact artificial…

Covering Your Blind Spots

Visibility and security are paramount to a network because you can’t have one without the other. As technology develops, and our reliance on internet connectivity grows, new road blocks appear that make visibility harder to achieve. How can CSOs adapt…

Keeping Your Agency Secure in the Cloud

Like it or not, no government is permanently safe from cyberthreats. The agencies that protect their citizen data the longest are the ones that best assess the risks facing them daily. It’s a situation that doesn’t change after organizations adopt…

GCN: Securing Data in the Cloud Requires Planning, Constant Vigilance

Government agencies know -- and have largely accepted the fact -- that moving to the cloud is inevitable. Where many start struggling is with the “how.”  How do they move legacy systems to the cloud? How do they choose the…

NextGov: It’s Time to Tackle the Problem of Unapproved Cloud Apps to Keep your Agency Secure

It’s a problem seen across all federal agencies: Employees are using cloud-based applications that aren’t approved or protected by IT teams. These apps range from sharing tools, such as cloud storage platforms, to social media sites or personal email accounts…

GCN: Why Blockchain Belongs in Government

Anyone with a finger on the pulse of the latest cybersecurity trends has probably noticed an increasing number of contributions to the blockchain conversation. The dialogue around blockchain, while loud, clear and growing, has been largely undirected for the past…

Federal Times: Can Industry Bridge the Government Cyber Skills Gap?

Federal agencies have until April 2019 to identify critical work roles and skill shortages in IT and cybersecurity as part of the Federal Cybersecurity Workforce Assessment Act. While this is a first step in determining a holistic approach to address…

CSO: Getting the Most out of Your Security Budget

There may be no more pressing need in today’s online world than quality cybersecurity, making it a top-line item for just about everyone. But even as the need builds, the salaries rise, and the expectations heighten, resources remain scarce. Security…

NextGov: The Time to Automate Security is Now

Cybersecurity threats are constantly evolving. Unfortunately, federal IT teams often find themselves low on resources, which means being proactive to combat them is a pipe dream. So how can leadership focus on strengthening their agency’s security posture when they spend…

CSO: Ways to Improve Your Security Team’s Response Time

When it comes to incident response, every second counts. The severity of breaches varies, but since damage done directly correlates to the time a malicious actor has access to your systems, it’s paramount that all threats are discovered and remediated…

Cisco Live 2018: Vendor Opens Management Console to Partners

In this article for TechTarget, Force 3's VP of Client Solutions Jason Parry weighs in on the new opportunities arising from Cisco DNA Center. In Cisco's latest nod to software, the company has opened its Cisco DNA Center to developers,…

NextGov: How to Integrate TIC Security with the Federal Cloud-First Mandate

When the Trusted Internet Connections (TIC) initiative was first introduced more than a decade ago, the goal was to improve security in government IT systems by limiting the number of individual external network connections to the internet. Before implementing TIC security…

CSO: Security Metrics You Need for the Board

No one wants to show up to an important meeting empty-handed. But with so many analytics right at their fingertips, how can CSOs pick the right numbers to reflect their work? Here are three imperative security metrics to have in…

Preventing Ransomware Attacks the Right Way

Ransomware attacks continue to be a major threat with no sign of slowing down. Here are some lessons organizations can learn from federal agencies to better prevent them. While ransomware is hardly a new threat, it’s far from being obsolete.…

Anomaly Detection: Stop Threats Before They Hit Your Network

In today’s IT environment, endpoint monitoring is fairly standard procedure. Most organizations have at least some sort of system in place allowing them to collect network monitor firewalls and collect network usage data to for network anomaly detection. But, by…

5 Reasons Why Vulnerability Management Is No Longer Optional

For agencies determined to create the most effective network security strategy possible, vulnerability management is no longer optional—it’s a necessity.  If there’s anything we’ve learned in recent years, it’s that cyber threats just keep coming. Thwart one and a new…

Best Practices for Thwarting Insider Threats

Testing the excerpt override field.

Dark Reading: 3 Tips to Keep Cybersecurity Front & Center

In today’s environment, a focus on cybersecurity isn’t a luxury. It’s a necessity, and making sure that focus is achieved starts with the company’s culture. For IT departments — especially in large organizations — daily operations are complex, multifaceted, and…

IoT & The Intelligent Edge: Defending Outside The Firewall

The Internet of Things, though still evolving, has pushed its way into the workplace. The result? CSOs are working overtime to keep up. What’s the protocol for these connected devices, and how do they fit into the existing security infrastructure?…

GCN: The Hidden Challenges of Federal IT Modernization

In the next three years, an estimated $3 billion worth of federal IT equipment will reach end-of-life status, according to former U.S. Federal CIO Tony Scott. It’s an intimidating number, and one that indicates just how far-reaching the need is…

Stealthwatch vs. Insider Threats

In an evermore threatening cybersecurity landscape, how can organizations protect themselves from one of the greatest security risks of all: The Insider Threat. Did you know? 66% of cyber attacks in 2015 were carried out by insiders. 74% of organizations…

Insider threats: 4 vulnerabilities you’re missing

Here are four insider threat vulnerabilities that are undervalued and what we can do about them.

NextGov: How Endpoint Security Helps Secure Humans

Humans: We’re impulsive, we’re fallible, we make bad decisions, and sometimes we do so on purpose. And yet, when it comes to cybersecurity, we too often focus on securing the network, without fully considering the role of the actual network…

Beyond Prevention: Cisco’s Next-Generation Endpoint Security

When it comes to endpoint security, Advanced Malware Protection is critical. The only way to defeat today’s security threats is to address them holistically across the full attack continuum—before, during and after an attack. The Cisco approach of continuous endpoint…

How can we help your agency achieve its mission?

Maximize your IT investments. Learn more about solutions and services from Force 3.