8/12/2019 2Alexey 10 Things Your Next Firewall Must Do
1/9
10 Things Your Next Firewall Must Do
Stop Thinking:
Traditional firewall.
Start Thinking:
Next-generation firewall.
An Introduction
In the face of today's complex cybersecurity landscape,
choosing your next firewall is more than a simple comparison
of technical features. It's about embracing a change in your
role: an enabler of business rather than a blocker. It's about
balancing the needs of the company with the business and
security risks associated with modern applications. It's about
acknowledging that the world has changed around you and you
can no longer protect yourself with an approach to cybersecurity
that worked well when web browsing and email were the only
two applications on the Internet. It's about the 10 things we
describe in this booklet that we believe your next firewall must do.
Identify and control circumventors
Most organizations have security policies along with controls
designed to enforce those policies. External proxies, remote
server/desktop management tools, and encrypted tunnel
applications are used to circumvent security controls such as
firewalls. Without the ability to identify and control these
tools, your organization cannot enforce its security policies,
exposing the business to the very cyberattacks the security
controls were designed to mitigate. Your next firewall must
be capable of dealing with these circumvention tools.
Stop Thinking:
Bricks.
Start Thinking:
Open air, everywhere.
Identify and control applications on any port
Application developers no longer adhere to standard port/
protocol/application mapping. More and more of the applications
on your network are capable of operating on non-standard
ports or can hop ports (e.g., instant messaging applications,
peer-to-peer file sharing, or VoIP). Additionally, users are
increasingly savvy enough to force applications to run over
non-standard ports (e.g., RDP, SSH). In order to enforce
application-specific policies where ports are increasingly
irrelevant, your next firewall must assume that any application
can run on any port.
Decrypt SSL and control SSH usage
The share of commonly used applications on your network
that have adopted SSL to encrypt their traffic currently
hovers at around 25%. The increased use of HTTPS for many
high-risk, high-reward applications, and users' ability to
manually enable SSL on many websites, means your network
security team has a large and growing blind spot. As SSH is
used more commonly by tech-savvy employees, the encryption
blind spot may be even larger than you thought. Your next
firewall must be capable of decrypting and inspecting SSL
traffic on any port; be flexible enough to bypass selected
segments of SSL traffic (e.g., web traffic from health care
organizations); and enforce via policy that SSH is used natively,
for remote shell access, rather than as a tunnel for other traffic.
Provide application function control
Many applications have significantly different functions,
presenting your organization with different risk profiles and
value. Many business-focused as well as end-user-focused
examples exist: WebEx vs. WebEx Desktop Sharing, and Google
Mail vs. Google Talk. If your organization is heavily dependent
on intellectual property, then external desktop sharing and
file transfer applications may represent security and regulatory
risks. Your next firewall must continually evaluate the traffic
and watch for changes: if a different function or feature is
introduced in the session, the firewall must recognize the
shift and perform a policy check.
Stop Thinking:
Closed doors.
Start Thinking:
Freedom.
Systematically manage unknown traffic
A small amount of unknown traffic exists on every network.
It may be a custom application, an unidentified commercial
application or a threat. Whatever the unknown traffic is, it
represents significant business and security risks. Blocking
all unknown traffic will inhibit the business. Allowing it blindly
is very high risk. The balanced approach is one of applying
classification, analysis and policy control to the traffic in a
systematic manner to reduce the risk but enable the business.
Your next firewall must classify all traffic, easily characterize
custom applications so they are known in your network
security policy, analyze traffic to see if it is a threat and provide
predictable visibility and policy control over traffic that
remains unknown.
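To make three of the preceding points concrete (applications on any port, decrypting SSL selectively while policing SSH, and handling traffic that stays unknown), here is an added example in Python. It is not code from this booklet or from Palo Alto Networks. It is a toy classifier that identifies SSH, TLS and HTTP from the first client bytes of a session rather than from the destination port, extracts the server name from a TLS ClientHello to decide whether to decrypt or bypass, and gives traffic it cannot identify an "unknown-tcp" label with its own policy action. The admin subnet, the URL-category table, the no-decrypt categories and the sample flows are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical policy inputs (constructed for this example, not from the booklet):
# the one subnet allowed to use SSH, URL categories exempt from decryption, and a
# tiny URL-category lookup standing in for a URL filtering database.
ADMIN_NET = ipaddress.ip_network("10.0.100.0/24")
NO_DECRYPT_CATEGORIES = {"health-and-medicine", "financial-services"}
URL_CATEGORY = {
    "portal.example-health.test": "health-and-medicine",
    "mail.example.test": "web-based-email",
}


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes  # first client-to-server bytes of the TCP session


def identify_app(payload: bytes) -> str:
    """Classify a flow from its first bytes; the destination port is never consulted."""
    if payload.startswith(b"SSH-"):                          # SSH version banner
        return "ssh"
    if (len(payload) >= 6 and payload[0] == 0x16             # TLS handshake record
            and payload[1] == 0x03 and payload[5] == 0x01):  # carrying a ClientHello
        return "ssl"
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line.endswith((b"HTTP/1.0", b"HTTP/1.1")) and first_line.startswith(
            (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")):
        return "web-browsing"
    return "unknown-tcp"


def parse_sni(payload: bytes) -> Optional[str]:
    """Walk a TLS ClientHello and return the server_name extension value, if any."""
    if len(payload) < 5 or payload[0] != 0x16 or payload[1] != 0x03:
        return None
    hs = payload[5:5 + int.from_bytes(payload[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # compression_methods
    if len(body) < pos + 2:
        return None
    end = min(pos + 2 + int.from_bytes(body[pos:pos + 2], "big"), len(body))
    pos += 2
    while pos + 4 <= end:                          # iterate extensions
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0 and len(edata) >= 5 and edata[2] == 0:   # server_name, host_name
            nlen = int.from_bytes(edata[3:5], "big")
            return edata[5:5 + nlen].decode("ascii", errors="replace")
    return None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello carrying an SNI, used as sample input."""
    name = server_name.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni_ext = (b"\x00\x00" + (len(entry) + 2).to_bytes(2, "big")
               + len(entry).to_bytes(2, "big") + entry)
    body = (b"\x03\x03" + b"\x11" * 32        # version + fixed "random" (constructed)
            + b"\x00"                          # empty session id
            + b"\x00\x02" + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                      # null compression only
            + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def decide(flow: Flow) -> Tuple[str, str]:
    """Return (application, action) for a flow under the hypothetical policy."""
    app = identify_app(flow.payload)
    if app == "ssh":   # SSH is SSH on any port; only the admin subnet may use it
        allowed = ipaddress.ip_address(flow.src_ip) in ADMIN_NET
        return app, "allow" if allowed else "block"
    if app == "ssl":   # bypass decryption only for exempt categories
        category = URL_CATEGORY.get(parse_sni(flow.payload), "unknown")
        return app, "allow-no-decrypt" if category in NO_DECRYPT_CATEGORIES else "decrypt-and-inspect"
    if app == "web-browsing":
        return app, "allow"
    return app, "alert"   # unknown-tcp: let it through, but log it for analysis


if __name__ == "__main__":
    samples = [   # constructed sample flows; note SSH and HTTP on non-standard ports
        Flow("10.0.100.5", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
        Flow("10.0.7.9", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
        Flow("10.0.7.9", 8443, build_client_hello("portal.example-health.test")),
        Flow("10.0.7.9", 443, build_client_hello("mail.example.test")),
        Flow("10.0.7.9", 8080, b"GET / HTTP/1.1\r\nHost: intranet.test\r\n\r\n"),
        Flow("10.0.7.9", 443, b"\x00\x00\x00\x2a\x42\x42"),
    ]
    for f in samples:
        print(f.src_ip, f.dst_port, *decide(f))
```

Run it directly to print one decision per sample flow. Production application identification relies on far richer signatures, protocol decoders and heuristics; the point here is that no branch looks at the destination port, so SSH on 443 is still SSH and is judged by who is using it, and the TLS branch makes its bypass decision from the SNI before any decryption is attempted. When a ClientHello carries no usable SNI, the category lookup falls back to "unknown" and the flow is decrypted and inspected rather than silently bypassed.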
Block known and unknown threats in allowed applications
Enterprises continue to adopt a wide range of applications
to enable the business, hosted either internally or outside
of your physical location. Whether it's hosted SharePoint,
Box.com, Google Docs, Microsoft Office 365, or even an extranet
application hosted by one of your partners, your organization
may be using an application that operates on non-standard
ports, uses SSL, or shares files. These applications enable the
business, but represent business and security risks. Your next
firewall must be capable of safely enabling applications, which
means allowing an application while controlling the transfer
of files by type, and scanning the application for threats, both
known and unknown, across all ports.
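"Controlling the transfer of files by type" only works if the type is taken from the file's content, not its name, because renaming an executable to .pdf costs an attacker nothing. The following added example (written for this page, not code from the booklet or from Palo Alto Networks) detects a handful of real magic numbers, compares the detected type with what the extension claims, and applies a hypothetical per-application file policy. The application names, the policy table and the sample transfers are constructed.

```python
import os
from typing import Tuple

# Real magic numbers for a few common types (illustrative, not exhaustive).
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy Office (DOC/XLS) and MSI
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),                          # ZIP; also DOCX/XLSX/JAR containers
    (b"%PDF-", "pdf"),
    (b"\x7fELF", "elf"),                             # Linux/Unix executable
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "pe"),                                   # Windows EXE/DLL/SCR (only 2 bytes: weak)
]

# What the filename extension claims the type to be.
EXT_TYPES = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe", ".doc": "ole", ".xls": "ole", ".msi": "ole",
    ".docx": "zip", ".xlsx": "zip", ".zip": "zip", ".pdf": "pdf",
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
}

# Hypothetical per-application file-transfer policy: detected type -> action.
# Types not listed for an application fall back to DEFAULT_ACTION.
FILE_POLICY = {
    "web-based-email": {"pe": "block", "elf": "block", "ole": "block", "unknown": "alert"},
    "sharepoint-online": {"pe": "block", "elf": "block"},
}
DEFAULT_ACTION = "allow"


def detect_type(head: bytes) -> str:
    """Identify a file from its leading bytes; 'unknown' if no signature matches."""
    for signature, name in MAGIC:
        if head.startswith(signature):
            return name
    return "unknown"


def claimed_type(filename: str) -> str:
    """Type implied by the extension, or 'unknown' for unmapped extensions."""
    return EXT_TYPES.get(os.path.splitext(filename.lower())[1], "unknown")


def evaluate_transfer(app: str, filename: str, head: bytes) -> Tuple[str, str, bool]:
    """Return (detected_type, action, masquerading) for one file in one application."""
    detected = detect_type(head)
    claimed = claimed_type(filename)
    masquerading = claimed != "unknown" and claimed != detected
    action = FILE_POLICY.get(app, {}).get(detected, DEFAULT_ACTION)
    if masquerading and action == "allow":
        action = "alert"   # allowed type, but the name lies about it: worth a look
    return detected, action, masquerading


if __name__ == "__main__":
    transfers = [   # constructed sample transfers: (application, filename, first bytes)
        ("web-based-email", "Q3-report.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("web-based-email", "scan.pdf", b"%PDF-1.7\n%\xe2\xe3"),
        ("web-based-email", "photo.jpg", b"\x89PNG\r\n\x1a\n\x00\x00"),
        ("web-based-email", "blob.bin", b"\x00\x01\x02"),
        ("sharepoint-online", "setup.exe", b"MZ\x90\x00"),
        ("sharepoint-online", "Deck.docx", b"PK\x03\x04\x14\x00"),
        ("sharepoint-online", "notes.txt", b"hello"),
    ]
    for app, name, head in transfers:
        print(app, name, *evaluate_transfer(app, name, head))
```

The first sample is the case that matters: an EXE named Q3-report.pdf is still detected as "pe" and blocked. A real engine also has to open containers (a ZIP or DOCX can carry the same EXE) and handle archives that are password-protected or split across sessions; this example stops at the outer file's signature.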
Stop Thinking:
Whats on the network?
Start Thinking:
The network is safe.
Enable consistent security for all users and devices
A significant number of your users now work remotely and
expect to connect to their applications via WiFi, wireless
broadband, or any means necessary, seamlessly and consistently.
Regardless of where the user is or the type of device they are
using, the same standard of network application control must
apply. If your next firewall enables application visibility and
control over traffic inside the four walls of the enterprise but
not outside, it misses the mark on some of the riskiest traffic.
Make network security simpler
Your security team is overloaded with managing multiple
information feeds, a range of security policies, and the
associated device management interfaces. Adding more to an
overloaded team will not help. Given that typical firewall
installations have thousands of rules, your next firewall must
make your security team's life easier with the ability to identify,
control, investigate and report on applications, users and content
traversing your network.
Stop Thinking:
Restricted.
Start Thinking:
Free to go, go, go.
Deliver the same throughput and performance with application
control fully activated
Many enterprises struggle with the forced compromise
between performance and security. All too often, enabling
network security features means turning down throughput
and performance. If your next firewall is built the right way,
this compromise is unnecessary. Given the requirement for
computationally intensive tasks (e.g., application identification)
performed on high traffic volumes with low latency, your next
firewall must have hardware optimized for specific tasks
such as networking, security, and content scanning.
Support the same features in both hardware and virtualized form factors
The benefits of virtualization are significant, but so too are
the security challenges. Traditional firewalls struggle with
the automatic establishment and tear-down of virtual machine
instances due to their reliance on ports and protocols. The
dynamic nature of the virtualized datacenter dictates that
traffic flowing within the virtual environment (east-west traffic)
must be secured in the same dynamic and automated manner.
Your next firewall must support the same feature set in both
hardware and virtual form factors and it must integrate with
the virtualization environment to streamline the creation of
application-centric policies as new virtual machines and
applications are established and taken down.
Stop Thinking:
Complexity.
Start Thinking:
Simplicity.
In Conclusion
Applications are how your users get their jobs done in the face
of competing personal and professional priorities. As your
users continue to adopt new applications and technologies,
they inadvertently introduce new cybersecurity risks. Allowing
them all is unreasonable, and obstructing their adoption may
inhibit your business. Because of this, safe application
enablement is increasingly the correct policy stance. Safe
application enablement is best implemented using a systematic
approach: determine the usage patterns and the business case,
document the appropriate use as policy going forward, and
enforce that use with technology. The 10 Things Your Next
Firewall Must Do can help you put the necessary controls in
place, especially in the face of a more varied and rich application
and threat landscape. Without the network security infrastructure
to cope with such variety and depth, you can't safely enable the
necessary applications and manage risk. A next-generation
firewall that delivers on these 10 capabilities is really all it takes.
Stop Thinking:
Them.
Start Thinking:
Us.
Ready to Learn More?
View a demonstration:
www.paloaltonetworks.com/demo
Request a network security assessment:
www.paloaltonetworks.com/avr
Download a Buyers Guide:
www.paloaltonetworks.com/buyersguide
© 2013 Palo Alto Networks, Inc. All Rights Reserved. Palo Alto Networks and the Palo Alto Networks Logo are trademarks or registered trademarks of Palo Alto Networks, Inc. Other company and product names may be trademarks of their respective owners. Specifications are subject to change without notice. PAN_10TBKLT_072613