2Alexey 10 Things Your Next Firewall Must Do


  • 8/12/2019 2Alexey 10 Things Your Next Firewall Must Do


10 Things Your Next Firewall Must Do


Stop Thinking: Traditional firewall.
Start Thinking: Next-generation firewall.

An Introduction

In the face of today's complex cybersecurity landscape, choosing your next firewall is more than a simple comparison of technical features. It's about embracing a change in your role as an enabler of business rather than a blocker. It's about balancing the needs of the company with the business and security risks associated with modern applications. It's about acknowledging that the world has changed around you and you can no longer protect yourself with an approach to cybersecurity that worked well when web browsing and email were the only two applications on the Internet. It's about the 10 things we describe in this booklet that we believe your next firewall must do.


Identify and control circumventors

Most organizations have security policies along with controls designed to enforce those policies. External proxies, remote server/desktop management tools, and encrypted tunnel applications are being used to circumvent security controls like firewalls. Without the ability to identify and control these tools, your organization cannot enforce your security policies, exposing the business to the very cyberattacks the security controls were designed to mitigate. Your next firewall must be capable of dealing with these circumvention tools.

Stop Thinking: Bricks.
Start Thinking: Open air, everywhere.

Identify and control applications on any port

Application developers no longer adhere to standard port/protocol/application mapping. More and more of the applications on your network are capable of operating on non-standard ports or can hop ports (e.g., instant messaging applications, peer-to-peer file sharing, or VoIP). Additionally, users are increasingly savvy enough to force applications to run over non-standard ports (e.g., RDP, SSH). In order to enforce application-specific policies where ports are increasingly irrelevant, your next firewall must assume that any application can run on any port.


Decrypt SSL and control SSH usage

The number of commonly used applications on your network that have adopted SSL as a means of encrypting traffic currently hovers at around 25%. The increased use of HTTPS for many high-risk, high-reward applications and users' ability to manually enable SSL on many websites means your network security team has a large and growing blind spot. As SSH is used more commonly by tech-savvy employees, the encryption blind spot may be even larger than you thought. Your next firewall must be capable of decrypting and inspecting SSL traffic on any port; be flexible enough to bypass selected segments of SSL traffic (e.g., web traffic from health care organizations); and enforce the native use of SSH via policy.

Provide application function control

Many applications have significantly different functions, presenting your organization with different risk profiles and value. Many business-focused as well as end-user-focused examples exist: WebEx vs. WebEx Desktop Sharing, and Google Mail vs. Google Talk. If your organization is heavily dependent on intellectual property, then external desktop sharing and file transfer applications may represent security and regulatory risks. Your next firewall must continually evaluate the traffic and watch for changes: if a different function or feature is introduced in the session, the firewall must recognize the shift and perform a policy check.

Stop Thinking: Closed doors.
Start Thinking: Freedom.


Systematically manage unknown traffic

A small amount of unknown traffic exists on every network. It may be a custom application, an unidentified commercial application or a threat. Whatever the unknown traffic is, it represents significant business and security risks. Blocking all unknown traffic will inhibit the business. Allowing it blindly is very high risk. The balanced approach is one of applying classification, analysis and policy control to the traffic in a systematic manner to reduce the risk but enable the business. Your next firewall must classify all traffic, easily characterize custom applications so they are known in your network security policy, analyze traffic to see if it is a threat, and provide predictable visibility and policy control over traffic that remains unknown.
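The three requirements above (identify applications on any port, decrypt SSL selectively, and keep unknown traffic visible and controlled) all come down to one classification step taken on the first payload bytes of a flow rather than on the port number. The example below is added here to show that step in working code; it is not the booklet's code nor any Palo Alto Networks implementation. The SSH banner, HTTP request and TLS ClientHello are constructed inline (not captured traffic), the three-protocol signature set is a deliberately small stand-in for a real application database, and the decryption bypass list and action labels are assumptions chosen for illustration.

```python
import struct

# Constructed sample payloads: the first bytes a client sends on a new
# TCP connection for three common protocols (not captured traffic).
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"


def make_client_hello(server_name: str) -> bytes:
    """Build a minimal, well-formed TLS ClientHello carrying one SNI entry.
    Constructed here only so the parser below has something to run on."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 (host_name)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                # client_version TLS 1.2
        + b"\x11" * 32             # random (fixed filler)
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\x13\x01"      # one cipher suite (id 0x1301)
        + b"\x01\x00"              # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def identify_app(payload: bytes) -> str:
    """Classify a flow from its first payload bytes, ignoring the port entirely."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"                # TLS record type handshake carrying a ClientHello
    first_line = payload.split(b"\r\n", 1)[0]
    if (any(first_line.startswith(m + b" ") for m in (b"GET", b"POST", b"HEAD", b"PUT"))
            and first_line.endswith((b" HTTP/1.0", b" HTTP/1.1"))):
        return "http"
    return "unknown"


def tls_sni(payload: bytes):
    """Return the SNI host from a TLS ClientHello, or None if absent or malformed.
    Every length is bounds-checked: classification code sees attacker-shaped input."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 43                        # record hdr(5) + handshake hdr(4) + version(2) + random(32)
    sid_len = payload[pos]
    pos += 1 + sid_len
    if pos + 2 > len(payload):
        return None
    cs_len = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2 + cs_len
    if pos + 1 > len(payload):
        return None
    cm_len = payload[pos]
    pos += 1 + cm_len
    if pos + 2 > len(payload):
        return None
    ext_total = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(payload))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if ext_type == 0 and ext_len >= 5 and pos + ext_len <= end:
            name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
            name = payload[pos + 5:pos + 5 + name_len]
            if len(name) == name_len:
                return name.decode("ascii", "replace")
        pos += ext_len
    return None


# Assumed policy: hostnames the organization exempts from decryption
# (the booklet's health care example), expressed as a plain set here.
DECRYPT_BYPASS = {"patient-portal.example-hospital.test"}


def policy_decision(port: int, payload: bytes) -> dict:
    """Decide what to do with a flow from its content, and record whether a
    port-based firewall would have classified it differently."""
    app = identify_app(payload)
    port_guess = {22: "ssh", 80: "http", 443: "tls"}.get(port, "unknown")
    decision = {"app": app, "port_guess": port_guess, "port_mismatch": app != port_guess}
    if app == "tls":
        sni = tls_sni(payload)
        decision["sni"] = sni
        decision["action"] = "bypass-decryption" if sni in DECRYPT_BYPASS else "decrypt-and-inspect"
    elif app == "ssh":
        decision["action"] = "allow-if-ssh-policy-permits"
    elif app == "http":
        decision["action"] = "inspect-content"
    else:
        # Unknown traffic stays visible and controlled rather than silently allowed.
        decision["action"] = "log-and-restrict"
    return decision


if __name__ == "__main__":
    print(policy_decision(443, SSH_BANNER))                  # SSH hiding on the HTTPS port
    print(policy_decision(8443, make_client_hello("patient-portal.example-hospital.test")))
    print(policy_decision(443, b"\x00\x01\x02random"))       # unknown: logged and restricted
```

The SSH banner sent to port 443 is the booklet's "any application on any port" case: a port-based rule would label it HTTPS, while the content-based classifier reports `ssh` with `port_mismatch` set. The ClientHello parser is bounds-checked at every length field because a classifier sits directly on untrusted input; truncated or malformed hellos fall through to `None` and the flow is still decrypted and inspected rather than bypassed.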

Block known and unknown threats in allowed applications

Enterprises continue to adopt a wide range of applications to enable the business, either hosted internally or outside of your physical location. Whether it's hosted SharePoint, Box.com, Google Docs, Microsoft Office 365, or even an extranet application hosted by one of your partners, your organization may be using an application that operates on non-standard ports, uses SSL or shares files. These applications enable the business, but represent business and security risks. Your next firewall must be capable of safely enabling applications, which means allowing an application while controlling the transfer of files by type, and scanning the application for threats, both known and unknown, across all ports.
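"Controlling the transfer of files by type" only works if the type is taken from the file's content rather than from the name a user or application attached to it. The example below is added here to show that check in working code; it is not the booklet's code nor a Palo Alto Networks implementation. The magic-byte table is a small illustrative subset, the per-application transfer policy and the action labels are assumptions, and the sample files are constructed byte strings, not real documents.

```python
# Illustrative subset of file signatures (magic bytes), checked in order.
MAGIC = [
    (b"MZ", "windows-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip-container"),      # also docx/xlsx/jar: a container, not a document
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# What a file name's extension claims the content to be.
EXT_TO_TYPE = {
    "pdf": "pdf", "png": "png", "zip": "zip-container",
    "docx": "zip-container", "exe": "windows-executable",
}

# Assumed policy: which content types each allowed application may transfer.
TRANSFER_POLICY = {
    "webmail": {"pdf", "png"},
    "file-share": {"pdf", "png", "zip-container"},
}

# Constructed sample files: just enough bytes to carry a signature.
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60
PDF_SAMPLE = b"%PDF-1.7\n%constructed sample\n"
ZIP_SAMPLE = b"PK\x03\x04" + b"\x00" * 26


def detect_file_type(data: bytes) -> str:
    """Type the file from its leading bytes; anything unrecognized is 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def transfer_verdict(app: str, declared_name: str, data: bytes) -> dict:
    """Apply the per-application file policy to the content, not the file name."""
    actual = detect_file_type(data)
    ext = declared_name.rsplit(".", 1)[-1].lower() if "." in declared_name else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    verdict = {"app": app, "name": declared_name, "actual": actual, "claimed": claimed}
    if actual == "unknown":
        # Unknown content: hold for analysis rather than allow or drop blindly.
        verdict.update(action="hold-for-analysis", reason="unrecognized content type")
    elif actual != claimed:
        # Renamed content (e.g. an executable called invoice.pdf) is blocked outright.
        verdict.update(action="block", reason="content does not match declared extension")
    elif actual not in TRANSFER_POLICY.get(app, set()):
        verdict.update(action="block", reason=f"{actual} not permitted over {app}")
    else:
        # Permitted type: still scanned for known and unknown threats before delivery.
        verdict.update(action="allow-and-scan", reason="type permitted by policy")
    return verdict


if __name__ == "__main__":
    print(transfer_verdict("webmail", "report.pdf", PDF_SAMPLE))
    print(transfer_verdict("webmail", "invoice.pdf", PE_SAMPLE))   # executable renamed as PDF
    print(transfer_verdict("file-share", "archive.zip", ZIP_SAMPLE))
```

The mismatch branch is the one that matters in practice: an extension-based filter passes `invoice.pdf` without looking inside, whereas typing the content first turns the rename into a block with an explicit reason that can be logged and reported on.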

Stop Thinking: What's on the network?
Start Thinking: The network is safe.


Enable consistent security for all users and devices

A significant number of your users are now working remotely, and they expect to connect to their applications via WiFi, wireless broadband, or any means necessary, seamlessly and consistently. Regardless of where the user is or the type of device they are using, the same standard of network application control must apply. If your next firewall enables application visibility and control over traffic inside the four walls of the enterprise, but not outside, it misses the mark on some of the riskiest traffic.

Make network security simpler

Your security team is overloaded with managing multiple information feeds, a range of security policies, and associated device management interfaces. Adding more to an overloaded team will not help. Given that typical firewall installations have thousands of rules, your next firewall must make your security team's life easier with the ability to identify, control, investigate and report on applications, users and content traversing your network.

Stop Thinking: Restricted.
Start Thinking: Free to go, go, go.


Deliver the same throughput and performance with application control fully activated

Many enterprises struggle with the forced compromise between performance and security. All too often, enabling network security features means turning down throughput and performance. If your next firewall is built the right way, this compromise is unnecessary. Given the requirement for computationally intensive tasks (e.g. application identification) performed on high traffic volumes with low latency, your next firewall must have hardware optimized for specific tasks such as networking, security, and content scanning.

Support the same features in both hardware and virtualized form factors

The benefits of virtualization are significant, but so too are the security challenges. Traditional firewalls struggle with the automatic establishment and tear-down of virtual machine instances due to their reliance on ports and protocols. The dynamic nature of the virtualized datacenter dictates that traffic flowing within the virtual environment (east-west traffic) must be secured in the same dynamic and automated manner. Your next firewall must support the same feature set in both hardware and virtual form factors, and it must integrate with the virtualization environment to streamline the creation of application-centric policies as new virtual machines and applications are established and taken down.

Stop Thinking: Complexity.
Start Thinking: Simplicity.


In Conclusion

Applications are how your users get their jobs done in the face of competing personal and professional priorities. As your users continue to adopt new applications and technologies, they inadvertently introduce new cybersecurity risks. Allowing them all is unreasonable, and obstructing their adoption may inhibit your business. Because of this, safe application enablement is increasingly the correct policy stance. Safe application enablement is best implemented using a systematic approach of determining the usage patterns and the business case, then documenting the appropriate use as policy moving forward, and enforcing the use with technology. The 10 Things Your Next Firewall Must Do can help you put the necessary controls in place, especially in the face of a more varied and rich application and threat landscape. Without the network security infrastructure to cope with such variety and depth, you can't safely enable the necessary applications and manage risk. A next-generation firewall that delivers on these 10 capabilities is really all it takes.

Stop Thinking: Them.
Start Thinking: Us.


Ready to Learn More?

View a demonstration: www.paloaltonetworks.com/demo

Request a network security assessment: www.paloaltonetworks.com/avr

Download a Buyer's Guide: www.paloaltonetworks.com/buyersguide

2013 Palo Alto Networks, Inc. All Rights Reserved. Palo Alto Networks and the Palo Alto Networks Logo are trademarks or registered trademarks of Palo Alto Networks, Inc. Other company and product names may be trademarks of their respective owners. Specifications are subject to change without notice. PAN_10TBKLT_072613