Key Policy Considerations When Implementing Next-Generation Firewalls
DESCRIPTION
This presentation examines next-generation firewalls, and provides practical advice on how to effectively and efficiently manage policies in a multi-product and even multi-vendor, defense-in-depth architecture. By watching this webcast you will learn answers to the following questions:
- What constitutes a next-generation firewall and what problems does it solve?
- What are the deployment options for next-generation firewalls?
- What do policies in a defense-in-depth architecture look like?
- How can you efficiently manage next-generation firewalls AND traditional firewall policies?
- And much more
TRANSCRIPT
Key Policy Considerations When Implementing Next-Generation Firewalls
Hosted by:
Agenda
• Why next-generation firewalls (NGFWs)?
• How to manage NGFW policies in a mixed environment
• NGFW deployment best practices
• Examine a real-life use case
Today’s Panelists
Josh Karp, Director, Business Development, AlgoSec
Jared Beck, Sr. Solutions Architect, Dimension Data
Ben Dimmitt, Sr. Corporate Solutions Specialist, Palo Alto Networks
Understanding Next-Generation Firewalls
Applications Have Changed; Firewalls Have Not
Need to restore visibility and control in the firewall
BUT…applications have changed
• Ports ≠ Applications
• IP Addresses ≠ Users
• Packets ≠ Content
The firewall is the right place to enforce policy control
• Sees all traffic
• Defines trust boundary
• Enables access via positive control
Applications Carry Risk
Applications can be “threats”
• P2P file sharing, tunneling applications, anonymizers, media/video
Applications carry threats
• SANS Top 20 Threats – majority are application-level threats
Applications & application-level threats result in major breaches – Pfizer, VA, US Army
The Right Answer: Make the Firewall Do Its Job
Next Generation Firewall (NGFW)
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
ID Technologies / Architecture - Transform the Firewall
• App-ID™
– Identify the application
• User-ID™
– Identify the user
• Content-ID™
– Scan the content
• SP3 Architecture
– Single-Pass Parallel Processing
Comprehensive View of Applications, Users & Content
[Screenshot captions: Filter on Facebook-base; Filter on Facebook-base and user cook; Remove Facebook to expand view of cook]
• Application Command Center (ACC)
– View applications, URLs, threats, data filtering activity
• Add/remove filters to achieve desired result
Fewer Policies, Greater Control
• Very simple, yet very powerful, control of applications, users, and content
Unprecedented Levels of Enterprise 2.0 Control
• Now you can minimize risks, maximize rewards:
- Block bad apps to reduce attack surface
- Allow all application functions
- Allow, but only certain functions
- Allow, but scan to remove threats
- Allow, but only for certain users
- Allow, but only for certain time periods
- Decrypt where appropriate
- Shape (QoS) to optimize use of bandwidth
…and various combinations of the above
Managing Next-Generation Firewall Policies in a Defense-in-Depth Network
What’s in Your Network?
• Multiple firewall vendors?
• Different firewall models?
• Numerous firewall types (traditional, NGFW, etc.)?
• Vendor-specific firewall management consoles?
• Other security devices (routers, SWGs, etc.)?
Today’s Network is a Complex Maze
55.6% of Challenges Lie with Problematic Internal Processes
Network Security Challenges
“What is the greatest challenge when it comes to managing network security devices in your organization?”
• Time-consuming manual processes, 30.0%
• Lack of visibility into network security policies, 21.7%
• Poor change management processes, 15.6%
• Preventing insider threats, 13.3%
• Error-prone processes cause risk, 10.0%
• Tension between IT admin and InfoSec teams, 9.4%
Source: State of Network Security, AlgoSec, 2012
Holistic Visibility of Firewall Policies in a Defense-in-Depth Setup
Analyze Firewall Policies Across the Entire Network
• Analyze all possible traffic variations based on dynamic network simulation
• Understand the network with topology awareness that accounts for various firewall technologies
• Analyze how traffic flows through multiple firewalls
• Aggregate findings from firewall groups
Use this information to optimize policies, reduce risk and ensure compliance
Optimize Your Rule Base
• Optimize policies by eliminating unused rules or objects, consolidating similar rules, etc.
• Re-order rules for optimal firewall performance
• Tighten overly permissive rules based on historical usage patterns
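The rule-base checks listed on this slide, sketched as an added example (not code from the webcast or from any vendor product). It assumes a simplified, hypothetical rule model: one CIDR source, one CIDR destination, one port (0 meaning any), a hit count taken from traffic logs, and first-match-wins evaluation.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR; "0.0.0.0/0" means any
    dst: str
    port: int     # 0 means any port
    action: str   # "allow" or "deny"
    hits: int     # hit count taken from historical traffic logs

def covers(a, b):
    """True when every packet matching b also matches a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.port in (0, b.port))

def unused(rules):
    """Rules with no hits in the log window: candidates for removal."""
    return [r.name for r in rules if r.hits == 0]

def shadowed(rules):
    """(rule, earlier rule) pairs where the earlier rule always matches first."""
    out = []
    for i, later in enumerate(rules):
        first = next((e for e in rules[:i] if covers(e, later)), None)
        if first:
            out.append((later.name, first.name))
    return out

def overly_permissive(rules):
    """Allow rules with 'any' as source, destination or port: review candidates."""
    return [r.name for r in rules if r.action == "allow"
            and ("0.0.0.0/0" in (r.src, r.dst) or r.port == 0)]

# Constructed sample rule base, evaluated top-down (first match wins).
RULES = [
    Rule("web-in", "0.0.0.0/0", "10.0.1.0/24", 443, "allow", 91234),
    Rule("db-admin", "10.0.9.0/24", "10.0.2.0/24", 0, "allow", 57),
    Rule("db-sql", "10.0.9.5/32", "10.0.2.10/32", 1433, "allow", 0),
    Rule("legacy-ftp", "10.0.3.0/24", "10.0.4.7/32", 21, "allow", 0),
    Rule("block-telnet", "0.0.0.0/0", "0.0.0.0/0", 23, "deny", 12),
]

if __name__ == "__main__":
    for check in (unused, shadowed, overly_permissive):
        print(check.__name__, check(RULES))
```

In the sample, `db-sql` has zero hits because `db-admin` above it already matches the same traffic, so a zero hit count alone does not say whether a rule is obsolete or merely shadowed.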
Assess Firewall Policies for Risk
• Leverage database of industry best-practices and known risks
• Identify and quantify risky rules
Simplify Audit and Compliance
• Auto-generate compliance reports
• Consolidate compliance view with device-specific drill downs
• Out-of-box regulation support for PCI DSS, SOX, ISO 27001, Basel II, NERC CIP, J-SOX
Keep Up With Changes
• 20-30% of changes are unneeded
• 5% implemented incorrectly
Does your firewall change process look like this?
Automate the Firewall Change Workflow
• Request Analysis
• Proactive Risk Assessment
• Optimal Implementation Design
• Verify Correct Execution
• Audit the Change Process
• Recertify Rules
• Measure SLAs
Security Operations
Compliance Executive
Operations
AlgoSec Security Management Suite
Business Impact
• 60% reduction in change management costs
• 80% reduction in firewall auditing costs
• Improved security posture
• Improved troubleshooting and network availability
• Improved organizational alignment and accountability
Managing Firewall Policies Across Diverse Network Environments
• Non-Intrusive
• Topology-aware analysis
• Single device, group, or “matrix” analysis
• Patented algorithms analyze all traffic variations
• Near real-time change monitoring
• Broadest knowledgebase for risk and compliance
More Results. Better Accuracy.
Firewall Policy Management Checklist
Automation that Delivers Security and Operational Value and Helps You:
• Make the business more agile
• Refocus efforts on more strategic tasks
• Minimize misconfigurations/human errors
• Ensure continuous compliance
• Reduce operational and security costs
Firewall Management Best Practices from the Field
Next Generation Firewalls and their Applications
• Defining, validating, and enforcing access policy allowing the right content at the right time for the right users are critical for the success of an organization’s infrastructure security model.
• Organizations need to rethink security strategy at a much higher layer in the OSI model…
• Palo Alto Firewalls deployed in one of two ways:
– Inline behind current enterprise firewall to augment existing stateful policies as a “Virtual Wire”. Often done to prove out the power of Palo Alto’s AppID and UserID.
– Replacement of existing enterprise firewalls through migration. Existing rule bases need to be analyzed and cleaned up before migrating, and AlgoSec ensures a smooth process.
Firewall Management Tips
Four Keys:
1. Be diligent in patching your firewalls
2. Regularly monitor configuration
3. Assess your rule base
4. Automate and centralize
– Obstacle to effectively managing security controls and network policies is the disparate nature of point products.
– Managing firewalls with different configurations and interfaces is cumbersome and prone to human error.
– Compliance with regulations requires robust security policies, which requires mapping 1000s of security controls to the required network policies – a daunting and potentially resource-draining task.
Firewall Assessment Approach
• Firewall Assessment
• Governance
• Risk
• Compliance
• Workshops
• Policies and Procedure Review/Design
• Firewall Design
• Network segmentation
• Implementation Services
• Product Integration
• Ongoing Firewall Management Services
• Monitoring
• Change Control
• Audit
Dimension Data’s Firewall Assurance Approach
• Firewall Policy and Risk Management:
– Monitor firewall policy changes, report them in real time and maintain a comprehensive, accurate audit trail for full accountability
– Provide analysis and clean-up of complex rule bases and objects to eliminate potential security breaches and improve performance
– Perform powerful simulation and risk analysis to identify potential security risks, ensure compliance with organizational security standards, and prevent service interruptions
• Firewall Threat Management:
– Provide regulatory compliance validation and auditing
– Perform rule-based egress and regress testing
– Signature development and fine-tuning
– Advanced penetration testing
– Application protocol and threat traffic scanning
Case Study: Large Financial Institution
Challenge
• Public banking security breaches raised concerns about security posture and compliance status
Business Impact
• The business was susceptible to a security breach
• Non-compliance to audit requirements could result in financial penalties
Dimension Data Solution
• Able to perform firewall assessment using AlgoSec to determine strength of existing firewall policies
• Deployed Palo Alto 5060 firewalls to protect critical infrastructure
Benefits
• Compliance audit requirements are met consistently
• Ability to report accurately on security posture
• Processes and systems ensure proactive and effective management of security infrastructure
• System and process automation lowers TCO
Case Study: Firewall Assessment Sample Content
Case Study: Palo Alto Deployment Example
Q&A and Additional Resources
• AlgoSec-Palo Alto Networks Solution Brief: http://media.paloaltonetworks.com/documents/algosec.pdf
• Case Studies
– AlgoSec: http://www.algosec.com/en/customers/testimonials
– Palo Alto Networks: http://www.paloaltonetworks.com/literature/customers/Reed-Customer-Video.html
• AlgoSec Security Management Suite Evaluation: AlgoSec.com/eval