Network Security Policy Management Automation for Transformation Yonatan Klein, Director Product Management

Webinar: How automation can transform the way you manage your network security policy final


Page 1: Webinar: How automation can transform the way you manage your network security policy final

Network Security Policy Management: Automation for Transformation

Yonatan Klein, Director Product Management

Page 2

WHAT WE’LL COVER TODAY

01 Managing Network Connectivity throughout the application lifecycle

02 Managing Disaster Recovery – automatically and securely

03 Mapping rules and flows to business processes and applications

04 Making rule recertification an efficient, application-centric process

05 Summary and Q&A

2

Page 3

WHAT IS NETWORK SECURITY POLICY MANAGEMENT

3 | Confidential

Page 4

GETTING STARTED WITH NETWORK SECURITY POLICY MANAGEMENT: Map applications and connectivity needs

Page 5

MAP YOUR DATA-CENTER ASSETS: GETTING A SINGLE SOURCE OF TRUTH

• CMDB?

• Excel Spreadsheet?

• Firewall Rules?

Page 6

APPLICATION & CONNECTIVITY AUTO-DISCOVERY

Network sensing
• Various sources: network mirroring, PCAP files, NetFlow, sFlow

Analyze network traffic
• Determine hosts
• Determine active flows

Identify business applications
• Smart heuristics to identify web services, databases, applications
• Application identity “hints”

Page 7

THE MAPPED BUSINESS APPLICATIONS

Page 8

DISCOVERED APPLICATIONS

Page 9

DISCOVERED APPLICATION FLOWS

Page 10

OPTIMIZED FLOWS

Page 11

APPLICATION AND CONNECTIVITY DISCOVERY

Manual Process
• Reliable, complete single source of truth? Otherwise a manual process to identify each host and flow
• Manage information in Excel?

With Automation
• Flows identified automatically
• Heuristics and hints help identify matching applications
• Connectivity needs identified, optimized
• Integrated into AlgoSec BusinessFlow: AlgoSec BusinessFlow manages application information and corresponding flows and network rules

Page 12

APPLICATION MIGRATION - AUTOMATED

Page 13

APPLICATION MIGRATION

• Data center migration

• App migration to the public cloud

• App migration between data centers

• Consolidation due to M&A

• Application lifecycle: Test -> Pre-Production -> Production

Page 14

POLL

Which Application Migration Projects Are You Undertaking In Your Organization?

• Data Center Migration
• Application Migrations To The Public Cloud
• Application Migrations Between Data Centers
• Application Life-cycle (e.g. Dev/Test->Pre-Prod->Prod)
• Other

Please vote using the “votes from audience” tab in your BrightTALK panel

Page 15

APP. MIGRATION AUTOMATED WORKFLOW

01 Create a migration workflow
02 Map source to target IPs
03 Evaluate potential vulnerability and risk impact
04 Apply the changes
05 Migration Done!

APP DECOMMISSION WORKFLOW

01 Mark flow to decommission
02 ABF automatically validates no impact on other apps
03 Apply the changes
04 Decommission Done!

Page 16

CALCULATE REQUIRED FLOW CHANGES

Page 17

AUTOMATICALLY IDENTIFY DEVICES IN PATH

Page 18

PROJECT DASHBOARD

Page 19

APPLICATION MIGRATION

Manual Process
• Find all flows related to the application
• Locate all affected firewalls
• Find all relevant rules
• Change management process for new rules
• Repeat the process for old rule decommission

With Automation
• Start a migration workflow – match source network object with target
• Execute changes: create new flows
• Execute changes: decommission old flows

Page 20

DISASTER RECOVERY DEVICE PAIRS

Page 21

DISASTER RECOVERY DEVICES / PATHS

• Firewalls may be deployed in a geographic redundancy model to ensure reliable and secure connectivity.

• For devices without a central management system, keeping the pair synced is a real challenge.

• AlgoSec allows you to define DR-Sets: groups of devices that must always share the same policy.

• Maintain consistency without any manual work and human errors.

[Diagram: “Geographical distribution architecture” – labels CM, RA1, Device A, Device B]

Page 22

DR SETS – HOW IT LOOKS

Page 23

APPLICATION-CENTRIC RULE RE-CERTIFICATION

Page 24

POLL

How many times a year do you recertify your firewall rules?

• On a project basis
• Once a year
• Twice a year
• Once every 2 years
• Other

Please vote using the “votes from audience” tab in your BrightTALK panel

Page 25

WHY FIREWALL RULES BECOME REDUNDANT

• An application is decommissioned

• An application is upgraded and uses different services/ports

• An endpoint is moved to a different datacenter

Decommissioning of outdated rules is best practice:
• Security: reduce attack surface and risk
• Compliance: periodic reviews are mandated

Page 26

TRADITIONAL METHODOLOGY

• REVIEW the firewall logs and determine when the rule was last used

• READ the comments to see who requested the rule and which application it serves

• VALIDATE with the relevant contact that the application is not in use

• REMOVE the rule or extend the expiration date

Page 27

FIREWALL RULE BASE

Page 28

AN APPLICATION CENTRIC APPROACH

Page 29

AN APPLICATION CENTRIC APPROACH

[Screenshot: expiration notification for the “Telepresence” application – “Application Telepresence has expired”, addressed “Dear Yonatan,”]

Page 30

AN APPLICATION CENTRIC APPROACH

Page 31

RULE DECOMMISSIONING

Manual Process
• Manage each rule separately
• Bombarded by rule recertification notifications
• Problematic to track rules to their originating purpose

With Automation
• Business application expiration date
• Timely configured notification – per application
• Single click to decommission or extend the expiration date
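As an added illustration of the application-centric model on this slide and of the decommission workflow on page 15 (example code written for this edit, not AlgoSec's own), the snippet below keeps one expiry date per business application instead of per rule, raises one notification per expired application, and, before removing an application's rules, checks whether another application still depends on them. All application names, owners, dates and rule IDs are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Application:
    name: str
    owner: str
    expires: str        # ISO date 'YYYY-MM-DD'; ISO strings compare chronologically
    rules: frozenset    # IDs of the firewall rules that carry this application's flows

# Constructed sample inventory: rule r2 is shared by CRM and Billing.
APPS = {
    "CRM": Application("CRM", "alice", "2025-01-31", frozenset({"r1", "r2"})),
    "Billing": Application("Billing", "bob", "2026-06-30", frozenset({"r2", "r3"})),
    "Telepresence": Application("Telepresence", "yonatan", "2024-12-01", frozenset({"r4"})),
}

def expired_applications(apps, today):
    """Applications whose expiry date has passed: one notification each, to the owner."""
    return sorted(a.name for a in apps.values() if a.expires < today)

def decommission_impact(apps, app_name):
    """Split an application's rules into those safe to remove (no other application
    uses them) and those that must stay because another application shares them."""
    target = apps[app_name]
    in_use_elsewhere = set()
    for name, app in apps.items():
        if name != app_name:
            in_use_elsewhere |= app.rules
    removable = sorted(target.rules - in_use_elsewhere)
    shared = sorted(target.rules & in_use_elsewhere)
    return removable, shared

def recertification_report(apps, today):
    """For every expired application: who to notify, what a decommission would
    remove, and which shared rules it must leave in place."""
    report = {}
    for name in expired_applications(apps, today):
        removable, shared = decommission_impact(apps, name)
        report[name] = {"owner": apps[name].owner, "remove": removable, "keep_shared": shared}
    return report

if __name__ == "__main__":
    for app, detail in recertification_report(APPS, "2025-03-01").items():
        print(f"{app}: notify {detail['owner']}; remove {detail['remove']}; "
              f"keep shared {detail['keep_shared']}")
```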

Page 32

SUMMARY

• Identifying assets and their connectivity is not trivial
• Auto-discovery is key for informed connectivity management

• Network security operations are complex
• Automation helps meet customers’ needs and ensures a secure network

• A high-end solution is designed to automate key use cases with business-centric security policy management capabilities

• Examples of common use cases managed by AlgoSec:
  • Firewall devices in DR mode
  • Application life-cycle and migration
  • Application-centric approach to rule recertification

Page 33

MORE RESOURCES

www.algosec.com/resources

WHITEPAPERS

DATASHEET