8/3/2019 Palo Alto 10 Things
10 Things Your Next Firewall Must Do
Stop Thinking:
Traditional firewall.
Start Thinking:
Next-generation firewall.
An Introduction
Choosing a next-generation firewall is more than a simple comparison of technical features. It's about embracing a change in your role: an enabler of the business rather than a blocker. It's about balancing the needs of the business against the risks associated with modern applications. It's about acknowledging that the world has changed around you, and that you can no longer protect yourself with an approach that worked well when web browsing and email were the only two applications on the internet. It's about the 10 things we describe in this booklet that we believe your next firewall must do.
Identify and control circumventors
Most organizations have security policies and controls designed to enforce those policies. Proxies, remote access tools, and encrypted tunnel applications are specifically used to circumvent security controls like firewalls. Without the ability to identify and control these circumventors, organizations cannot enforce their security policies, and they expose themselves to the very risks they thought their controls mitigated.
Your next firewall must be capable of dealing with these circumventors, and because new ones appear constantly, it must also ensure that its application intelligence is regularly updated.
Stop Thinking:
Bricks.
Start Thinking:
Open air, everywhere.
Identify and control applications on any port
Application developers no longer adhere to the standard port / protocol / application mapping. More and more applications can operate on non-standard ports or hop between ports (e.g., instant messaging, peer-to-peer file sharing, or VoIP). Additionally, users are increasingly savvy enough to force applications to run over non-standard ports (e.g., MS RDP or SSH on port 443).
To enforce application-specific policies where ports are increasingly irrelevant, your next firewall must assume that any application can run on any port, which means it has to classify traffic by what is actually sent on the connection rather than by the destination port.
Decrypt outbound SSL
Today, more than 15% of network traffic is SSL-encrypted. In some industries (e.g., financial services), it's more than 50%. Given the increasing adoption of HTTPS for many high-risk, high-reward applications, and users' ability to enable SSL on many websites, network security teams have a large and growing blind spot.
A modern firewall must be capable of decrypting and inspecting SSL traffic, and it must be flexible enough to bypass selected segments of SSL traffic (e.g., web traffic to health care organizations) via policy.
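How a bypass-by-policy decision can be taken before any decryption happens, as an added example in Python (not Palo Alto Networks code, and not a description of how its products implement this): the firewall reads the server name (SNI) from the TLS ClientHello, looks up its category, and decrypts only when the category is not exempt. The ClientHello builder, the category map and the exempt list are constructed for illustration and stand in for a real URL-category feed.

```python
"""Outbound TLS decryption decision driven by the ClientHello SNI, so that
exempt categories are bypassed without ever being decrypted.
Added example, not Palo Alto Networks code; the ClientHello builder,
category map and exempt list are constructed for illustration."""
import struct
from typing import Optional, Tuple


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI extension
    (constructed test input; a real client sends more suites and extensions)."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host    # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list       # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32       # client_version, random (zeroed for the example)
            + b"\x00"                         # session_id length 0
            + b"\x00\x02\x13\x01"             # one cipher suite
            + b"\x01\x00"                     # one compression method: null
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension of a ClientHello,
    or None when the record is not a ClientHello or carries no SNI."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs = record[5:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 4 + 2 + 32                                    # handshake header, version, random
        pos += 1 + hs[pos]                                  # session_id
        pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + hs[pos]                                  # compression_methods
        if pos + 2 > len(hs):
            return None                                     # no extensions block at all
        ext_end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:
                # server_name list: 2-byte list length, then name_type(1), name_len(2), name
                name_len = int.from_bytes(hs[pos + 3:pos + 5], "big")
                return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        return None                                         # truncated or malformed record
    return None


# Constructed category map standing in for a URL-filtering feed, and the
# categories that policy says must not be decrypted.
CATEGORIES = {
    "portal.examplehealth.org": "health-and-medicine",
    "bank.example.com": "financial-services",
    "files.example.net": "online-storage",
}
NO_DECRYPT_CATEGORIES = {"health-and-medicine", "financial-services"}


def decryption_decision(record: bytes) -> Tuple[Optional[str], str, str]:
    """Return (sni, category, action) where action is 'decrypt' or 'no-decrypt'."""
    sni = parse_sni(record)
    if sni is None:
        return None, "unknown", "decrypt"       # nothing to match an exemption on: inspect
    category = CATEGORIES.get(sni, "unknown")
    action = "no-decrypt" if category in NO_DECRYPT_CATEGORIES else "decrypt"
    return sni, category, action


if __name__ == "__main__":
    for name in ("portal.examplehealth.org", "files.example.net", "shop.example.org"):
        print(decryption_decision(build_client_hello(name)))
    print(decryption_decision(b"GET / HTTP/1.1\r\n"))
```

The SNI travels in the clear in the ClientHello (TLS 1.2, and TLS 1.3 unless Encrypted Client Hello is in use), so the exempt connection is never routed through the inspection CA at all; a ClientHello with no SNI falls through to the inspect path here, the conservative choice when there is nothing to match an exemption against.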
Provide application function control
Many applications have significantly different functions, each presenting a different risk profile and business value. Good examples of this include WebEx vs. WebEx Desktop Sharing, and Yahoo Instant Messaging vs. its file transfer feature. In regulated environments, or in organizations heavily dependent on intellectual property, this is a significant issue.
Your next firewall must continually evaluate the traffic and watch for changes: if a different function or feature is introduced in the session, the firewall should note it and perform a fresh policy check rather than relying on the decision made when the session was first classified.
Stop Thinking:
Closed doors.
Start Thinking:
Freedom.
Scan for viruses and malware in allowed applications
Enterprises continue to adopt collaborative applications hosted outside their physical locations. Whether it's hosted SharePoint, Box.net, Google Docs, or Microsoft Office Live, many organizations have a requirement to use an application that shares files, which is a potentially high-risk threat vector. Many infected documents are stored in collaboration applications, alongside documents that contain sensitive information (e.g., customers' personal information).
Your next firewall should be capable of safely enabling these collaborative applications, which means allowing an application while scanning its traffic for threats and malware.
Deal with unknown traffic by policy
There will always be unknown traffic, and it will always represent significant risk to any organization. There are several important elements to consider with unknown traffic: minimizing it, easily characterizing custom applications so they become known in network security policy, and having predictable visibility and policy control over the traffic that remains unknown.
Your next firewall should attempt to classify all traffic, which makes a positive enforcement model (default deny) possible. A negative (default allow) model lets all unknown traffic through, so what you don't know will hurt you.
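The three points above, identifying an application by what it sends rather than by its port, catching a circumventor such as SSH hiding on the HTTPS port, and defaulting to deny for anything that stays unknown, as an added example in Python (not Palo Alto Networks code, and not a description of how its products classify traffic). The signatures, the rule set, the standard-port table and the sample flows are constructed for illustration; a real classifier carries thousands of signatures and keeps state across the session.

```python
"""Port-independent application identification feeding a positive
(default-deny) policy. Added example, not Palo Alto Networks code; the
signatures, rules, port table and sample flows are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    dport: int
    payload: bytes  # first bytes the client sent on the connection


# Ports each application is expected on; anything else is flagged as non-standard.
STANDARD_PORTS = {"ssh": {22}, "ms-rdp": {3389}, "ssl": {443}, "web-browsing": {80, 8080}}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def legacy_classify(flow: Flow) -> str:
    """The port-based guess a traditional firewall makes; the payload is ignored."""
    return {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "ms-rdp"}.get(flow.dport, "unknown-tcp")


def identify_app(flow: Flow) -> str:
    """Content-based identification: look at what the client actually sends."""
    p = flow.payload
    if p.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record: content type 0x16 (handshake), version 0x03xx, first handshake msg 0x01 (ClientHello)
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "ssl"
    if p.startswith(HTTP_METHODS) and b" HTTP/1." in p:
        return "web-browsing"
    # RDP: TPKT header (0x03 0x00) carrying an X.224 Connection Request (0xE0)
    if len(p) >= 6 and p[0] == 0x03 and p[1] == 0x00 and p[5] == 0xE0:
        return "ms-rdp"
    return "unknown-tcp"


@dataclass(frozen=True)
class Rule:
    app: str
    dport: Optional[int]  # None = any port
    action: str           # "allow" or "deny"


def enforce(flow: Flow, rules: List[Rule], default_deny: bool = True) -> Tuple[str, str, str]:
    """Return (app, action, reason). First matching rule wins; when nothing matches,
    the positive model denies and the negative model allows."""
    app = identify_app(flow)
    if app != "unknown-tcp" and flow.dport not in STANDARD_PORTS[app]:
        note = f"{app} on non-standard port {flow.dport}"   # circumventor / port-hopping case
    else:
        note = app
    for r in rules:
        if r.app == app and r.dport in (None, flow.dport):
            return app, r.action, f"rule {r.app}/{r.dport or 'any'}: {note}"
    if default_deny:
        return app, "deny", f"no rule matched (positive model): {note}"
    return app, "allow", f"no rule matched (negative model): {note}"


# Constructed policy: web browsing anywhere, TLS only on 443, SSH only on 22.
RULES = [Rule("web-browsing", None, "allow"), Rule("ssl", 443, "allow"), Rule("ssh", 22, "allow")]

# Constructed sample flows (first client bytes only).
SAMPLE_FLOWS: Dict[str, Flow] = {
    "http_on_80": Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "ssh_on_443": Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),            # SSH hiding behind the HTTPS port
    "rdp_on_8080": Flow(8080, b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"),
    "tls_on_443": Flow(443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    "blob_on_5555": Flow(5555, b"\x00\x01\x02\x03custom-proto"),    # stays unknown
}


def run(default_deny: bool = True) -> Dict[str, Tuple[str, str, str]]:
    return {name: enforce(f, RULES, default_deny) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, f in SAMPLE_FLOWS.items():
        print(f"{name:13} legacy={legacy_classify(f):13} {enforce(f, RULES)}")
```

Run as a script, it prints for each sample flow what a port-based firewall would call it next to what the content-based classifier and policy decide: the SSH session on port 443 is "ssl" to the legacy table but "ssh on non-standard port 443" here, and it is denied because the only SSH rule is scoped to port 22. Calling run(default_deny=False) shows the negative model letting both that flow and the unknown blob through.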
Stop Thinking:
One or the other.
Start Thinking:
Both.
Identify and control applications sharing the same connection
Applications share sessions. To keep users continuously on an application platform, whether it's Google, Facebook, Microsoft, or Salesforce, application developers integrate many different applications which often have very different risk profiles and business value.
Let's look at Gmail as an example: it can spawn a Google Talk session from within the Gmail UI, over the same connection. These are fundamentally different applications, and your next firewall should recognize that and apply the appropriate policy response to each.
Enable the same visibility and control for remote users
Users are increasingly outside the four walls of the enterprise. A significant portion of the enterprise user population is now capable of working remotely, and they expect to connect to their applications via WiFi, wireless broadband, or any means necessary.
Regardless of where the user is, or even where the application they're using might be hosted, the same standard of control should apply. If your next firewall enables application visibility and control over traffic inside the four walls of the enterprise but not outside, it misses the mark on some of the riskiest traffic.
Stop Thinking:
Restricted.
Start Thinking:
Free to go, go, go.
Make network security simpler
Many enterprises struggle to incorporate more information feeds, more policies, and more management into already overloaded security processes and people. In other words, if teams cannot manage what they've already got, adding more management, policies, and information doesn't help. Given that typical firewall installations have thousands of rules, adding thousands of application signatures across tens of thousands of ports is going to increase complexity by several orders of magnitude.
Your next firewall should apply policy based on user and application, which significantly simplifies policy modeling and management.
Deliver the same throughput and performance with application control fully activated
Many enterprises struggle with the forced compromise between performance and security. All too often, enabling network security features means turning down throughput and performance. If your next firewall is built the right way, this compromise is unnecessary.
Given the requirement to perform computationally intensive tasks (e.g., application identification) on high traffic volumes with low latency, your next firewall should have hardware optimized for specific tasks such as networking, security, and content scanning.
Stop Thinking:
Complexity.
Start Thinking:
Simplicity.
In Conclusion
We continue to adopt new applications and technologies, and the threats carried by them. Often, obstructing their adoption is a career-limiting move. Even when it isn't, applications are how we get our jobs done and maintain productivity in the face of competing personal and professional priorities. Because of this, safe enablement is increasingly the correct policy stance. To achieve it, you need to put in place the appropriate policies governing use, but also controls capable of enforcing them. The 10 critical capabilities we outlined here help you put the necessary controls in place, especially in the face of a more varied and rich application and threat landscape. Without the network security infrastructure to cope with such variety and depth, you can't safely enable the necessary applications and manage risk. A next-generation firewall that delivers on these 10 capabilities is really all it takes.
Stop Thinking:
Them.
Start Thinking:
Us.
Ready to Learn More?
Join one of our weekly Jumpstart Webinars:
http://www.paloaltonetworks.com/jumpstart
Request a free network security assessment:
http://www.paloaltonetworks.com/avr
the network security company™
© 2011 Palo Alto Networks, Inc. All Rights Reserved. Palo Alto Networks and the Palo Alto Networks Logo are trademarks or registered trademarks of Palo Alto Networks, Inc. Other company and product names may be trademarks of their respective owners. Specifications are subject to change without notice. PAN_10TBKLT_052311