Upload
pandianmca
View
217
Download
0
Embed Size (px)
Citation preview
8/3/2019 10 Cool Things Your Firewall Should Do E Book
1/16
A frewall that blocks threats is only the beginning
10 Cool Things Your Firewall Should Do
8/3/2019 10 Cool Things Your Firewall Should Do E Book
2/16
Table o Contents
The Firewall Grows Up 1
The Application Firewall 2
1st Cool Thing: Managing Streaming Video 3
2nd Cool Thing: Per Group Bandwidth Management 4
3rd Cool Thing: Web-mail and Data Loss 54th Cool Thing: Application Use Enorcement 6
5th Cool Thing: Deny FTP Upload 7
6th Cool Thing: Keep P2P Apps Under Control 8
7th Cool Thing: Manage Streaming Music 9
8th Cool Thing: Prioritize Application Bandwidth 10
9th Cool Thing: Blocking Confdential Documents 11
10th Cool Thing: Block Forbidden Files and Notiy 12
When You Add It All Up 13
8/3/2019 10 Cool Things Your Firewall Should Do E Book
3/16
Traditional rewalls ocus on blocking simple threats and intrusions.
Business grade Firewalls have added Unied Threat Management
(UTM) services such as anti-virus, anti-spyware, intrusion prevention,
content ltering and even some anti-spam services to enhance to
threat protection.
The Firewall Grows Up
1
...but blocking threats
is just the beginning
Most trac passing through aFirewall is not threat-based, but is
instead applications and data. This
gave rise to the Application Firewall
which can manage and control data
and applications that pass through
the Firewall.
8/3/2019 10 Cool Things Your Firewall Should Do E Book
4/16
What does it do?
An Application Firewall provides bandwidth
management and control, application level access
controls, data leakage control unctionality, restrictions
on the transer o specic les and documents, and
much more.
How does it work?An Application Firewall allows custom access controls
based upon user, application, schedule or IP subnet
level. This allows an administrator the ability to create
polices that address the ull range o applications that
are available or access and or the rst time truly
manage them.
2
The Application Firewall
Allows you to classiy, control and manageapplications and data that pass through your frewall.
Good
n Protectedn Productive
Threats
n
Compromisedn Wasteul
Data and Applications
8/3/2019 10 Cool Things Your Firewall Should Do E Book
5/16
Access to streaming video sites, such as youtube.com is sometimes useul but oten
abused. Blocking the site might work, but the best answer could be to limit the
bandwidth given to streaming video sites.
Create a Policy to limit streaming videon Use the Deep Packet Inspection (DPI) engine to look or HTTP Host =
www.youtube.com in HTTP header
n Apply bandwidth restrictions to trac with that header
1st Cool Thing: Managing Streaming Video
3
You can limit bandwidth or applicationsover specifed times o day say rom 9:00am to 5:00pm
Streaming Video Bandwidth Desired Streaming Video Bandwidth Provided
8/3/2019 10 Cool Things Your Firewall Should Do E Book
6/16
In the 1st Cool Thing, we applied bandwidth restrictions or streaming video sites like
youtube.com. Now your CEO and CFO are complaining that the business news videos
they review each day are too slow. You could ease of on the bandwidth restrictions or
everyone, but now there is a better answergroup-based bandwidth management.
Create a Policy to not limit streaming video or the executivesn Apply this Policy to the executive group imported rom your LDAP server
n Use the Deep Packet Inspection (DPI) engine to look or HTTP Host = www.youtube.comin HTTP header
n Apply bandwidth guarantee to trac with that header
2nd Cool Thing: Per Group Bandwidth Management
4
Streaming Video Bandwidth Desired Executive Streaming Video Bandwidth Provided
Everyone Elses Streaming Video Bandwidth Provided
8/3/2019 10 Cool Things Your Firewall Should Do E Book
7/16
3rd Cool Thing: Web-mail and Data Loss
Lets assume your existing anti-spam protection can detect and block a
normal outbound e-mail that contains Company Condential inormation.
But, what i an employee uses a Web-mail service such as Yahoo or
Gmail to send out a Company Confdential inormation?
Create a Policy to block Company Confdential e-mailn
Deep Packet Inspection (DPI) engine looks or E-mail Body =Company Confdential
n Block message and notiy the sender that the message is
Company Condential
5
From: badguy@your_company.com
Subject: Design road mapHere is the Roadmap
Jan 09 Release 7.0
This document is Company Confdential
STOP
From: goodguy@your_company.com
Subject: Time Card Approval Jim,
I approve your time card hours or this week.
Joe
GO
8/3/2019 10 Cool Things Your Firewall Should Do E Book
8/16
4th Cool Thing: Application Use Enorcement
Your Boss: Wants to use Internet Explorer (IE) 7.0 as the standard browser.
Your Mission: Ensure all company systems are using IE 7.0nothing else!
Your Possible Solutions
1. Physically check everyones system each day or Foreign browsers
2. Set-up some type o script to check everyones system or Foreign browsers
and make sure it checks everyones system everyday3. Set up a policy in the Application Firewall and stop worrying
Create a Ive got better things to do Policyn Deep Packet Inspection (DPI) engine looks or User Agent = MSIE 7.0
in HTTP header
n Allows IE 7.0 trac and blocks other browsers
6
8/3/2019 10 Cool Things Your Firewall Should Do E Book
9/16
5th Cool Thing: Deny FTP Upload
You set up an FTP site or the exchange o large les with one o your business partners
and you want to make sure that only the project manager at the partner and no one else
can upload les.
Create a Policy to allow FTP uploads, but only or certain people
n Deep Packet Inspection (DPI) engine looks or FTP Command = PUT
n DPI engine looks or Authenticated User Name = pm_partner
n I both are True then allow PUT
You can also disallow any FTP commandsyou think are unnecessary or a given FTP server
sales_partner: put fle
mktg_partner: put fle
sales_partner: put fle
pm_partner: put fle
7
8/3/2019 10 Cool Things Your Firewall Should Do E Book
10/16
6th Cool Thing: Keep P2P Apps Under Control
Problem 1: Peer-To-Peer (P2P) applications such as BitTorrent can steal bandwidth
and bring with them all kinds o mischievous les.
Problem 2: The creation o new P2P applications or simple changes to the existing P2P
applications, like a version number changes, happen all the time.
Create a Policy to detect P2P applications
Deep Packet Inspection (DPI) engine looks or a P2P Application signature on theIPS signature list
P2P applications can be blockedor just limitedthrough bandwidth and time-based restrictions
IPS Signature List
BitTorrent-6.1
BitTorrent-6.0.3
BitTorrent-6.0.2
BitTorrent-6.0.1
hundreds more
IPS Signature List
Updates rom
SonicWALL are
received and applied
IPS Signature List
BitTorrent-6.1.1
BitTorrent-6.1
BitTorrent-6.0.3
BitTorrent-6.0.2
hundreds more
+ =The Results
nYou can manage andcontrol P2P applications
nYou dont have to spend timeupdating IPS signature rules
8
8/3/2019 10 Cool Things Your Firewall Should Do E Book
11/16
7th Cool Thing: Manage Streaming Music
Streaming audio sites and streaming radio sites consume precious bandwidth, but
there are legitimate business reasons to access such sites. There are two ways to
manage this challenge.
Control by Web Site
Create a list o streaming audio sites youd like to manage
Create a Policy to detect streaming audio sites
n Use the Deep Packet Inspection (DPI) engine to look for HTTP Host =Streaming Audio Site block list in HTTP header
Control by File Extension
Create a list o audio fle extensions youd like to manage
Create a Policy to detect streaming audio content
n Use the Deep Packet Inspection (DPI) engine to look for File extension =
Streaming Audio Extensions block list in HTTP header
Once detected
you can block or just bandwidthmanagethe streaming audio.
9
8/3/2019 10 Cool Things Your Firewall Should Do E Book
12/16
8th Cool Thing: Prioritize Application Bandwidth
Today many mission-critical applications, such as SAP, Salesorce.com and SharePoint,
are cloud-based or they are running across geographically dispersed networks. Ensuring
these applications have priority to get the network bandwidth they need to operate can
improve business productivity.
Create a Policy to give bandwidth priority to the SAP applicationn Deep Packet Inspection (DPI) engine looks or the application signature or
application namen Assign the SAP application a higher bandwidth priority
Application priority can be date based(think end-o-quarter priority or sales applications)
SAPSalesorce.comSharePoint
Others
10
8/3/2019 10 Cool Things Your Firewall Should Do E Book
13/16
In some companies, outbound e-mail does not pass through their E-mail Security
system or that system does not check the content o e-mail attachments. In either
case Company Confdential attachments can easily leave the organization.
Since outbound network trac goes through your rewall, you can detect
and block this data-in-motion.
Create a Policy to block e-mail attachments which contain theCompany Confdential watermarkn Deep Packet Inspection (DPI) engine looks or
E-mail Content = Company Confdential and also
E-mail Content = Company Proprietary and also
E-mail Content = Private Proprietary and
9th Cool Thing: Blocking Confdential Documents
This can also be done orFTP-based content!
11
8/3/2019 10 Cool Things Your Firewall Should Do E Book
14/16
10th Cool Thing: Block Forbidden Files and Notiy
DOWNLOAD
Security RiskActivity: You are attempting todownload or receive a fle with aorbidden fle extension (.exe,.pi, .src or .vbs).
Action: Per corporate policy,this fle has been blocked.
More ino: Please reer to theSecurity section o the corporateintranet or a complete list o thefles which are orbidden.
FTP
Website
Bad .pi
FTP
Bad .vbs
Bad .exe
SonicWALL NSA with
Application Firewall
Create a Forbidden File Extensions list
Create a Policy to block orbidden fle extensionsn Deep Packet Inspection (DPI) engine looks or File Extension in HTTP,
Email Attachment or FTP = Forbidden File Extensions
I fle blocked, send Notifcation
12
Can your Firewall block any o the ollowing?
n An EXE le rom being downloaded rom a web page
n An EXE le as an e-mail attachment
n An EXE le rom being transerred via FTP
How about PIF, SRC or VBS fles?
8/3/2019 10 Cool Things Your Firewall Should Do E Book
15/16
When You Add it All Up
13
High Perormance Firewall
+ Unifed Threat Management
+ Application Firewall
SonicWALL Network Security Appliance
Perormance, Protection and Pin-Point Control
8/3/2019 10 Cool Things Your Firewall Should Do E Book
16/16
2008 SonicWALL, the SonicWALL logo and Protection at the Speed o Business a re registered trademarks o SonicWALL, Inc. Other product names mentioned herein may betrademarks and/or registered trademarks o their respective companies. Specifcations and descriptions subject to change without notice. 10/08 SW 466
How Can I Learn More?
n For a comparison o the SonicWALL NSA models which include the Application Firewalln To download the datasheetn Practical examples o the Application Firewall with product examplesn Application Firewall user guide
For eedback on this e-book or other SonicWALL e-books or whitepapers, please send an e-mail to
About SonicWALL
SonicWALL is a recognized leader in comprehensive inormation security solutions. SonicWALL
solutions integrate dynamically intelligent services, sotware and hardware that engineer the risk, cost
and complexity out o running a high-perormance business network. For more inormation, visit the
company Web site atwww.sonicwall.com.
http://www.sonicwall.com/http://www.sonicwall.com/http://www.sonicwall.com/http://www.sonicwall.com/