Palo Alto 10 Things


8/3/2019 Palo Alto 10 Things

    10 Things Your Next Firewall Must Do


    Stop Thinking:

    Traditional firewall.

    Start Thinking:

    Next-generation firewall.

    An Introduction

    Choosing a next-generation firewall is more than a simple comparison of technical features. It's about embracing a change in your role as an enabler of business rather than being a blocker. It's about balancing the needs of the business with the risks associated with modern applications. It's about acknowledging that the world has changed around you and you can no longer protect yourself with an approach that worked well when web browsing and email were the only two applications on the internet. It's about the 10 things we describe in this booklet that we believe your next firewall must do.


    Identify and control circumventors

    Most organizations have security policies and controls designed to enforce those policies. Proxies, remote access, and encrypted tunnel applications are specifically used to circumvent security controls like firewalls. Without the ability to control these circumventors, organizations cannot enforce their security policies, and expose themselves to the very risks they thought their controls mitigated.

    Your next firewall must be capable of dealing with these circumventors while also ensuring the application intelligence is regularly updated.

    Stop Thinking:

    Bricks.

    Start Thinking:

    Open air, everywhere.

    Identify and control applications on any port

    Application developers no longer adhere to standard port / protocol / application mapping. More and more applications are capable of operating on non-standard ports or can hop ports (e.g., instant messaging applications, peer-to-peer file sharing, or VoIP). Additionally, users are increasingly savvy enough to force applications to run over non-standard ports (e.g., MS RDP, SSH).

    In order to enforce application-specific policies where ports are increasingly irrelevant, your next firewall must assume that any application can run on any port.


    Decrypt outbound SSL

    Today, more than 15% of network traffic is SSL-encrypted. In some industries (e.g., financial services), it's more than 50%. Given the increasing adoption of HTTPS for many high-risk, high-reward applications and users' ability to enable SSL on many websites, network security teams have a large and growing blind spot.

    A modern firewall must be capable of decrypting and inspecting SSL traffic and be flexible enough to bypass selected segments of SSL traffic (e.g., web traffic from health care organizations) via policy.

    Provide application function control

    Many applications have significantly different functions, presenting different risk profiles and value. Good examples of this include WebEx vs. WebEx Desktop Sharing and Yahoo Instant Messaging vs. its file transfer feature. In regulated environments, or in organizations heavily dependent on intellectual property, this is a significant issue.

    Your next firewall must continually evaluate the traffic and watch for changes: if a different function or feature is introduced in the session, the firewall should note it and perform a policy check.

    Stop Thinking:

    Closed doors.

    Start Thinking:

    Freedom.


    Scan for viruses and malware in allowed applications

    Enterprises continue to adopt collaborative applications hosted outside their physical locations. Whether it's hosted SharePoint, Box.net, Google Docs, or Microsoft Office Live, many organizations have a requirement to use an application that shares files, a potential high-risk threat vector. Many infected documents are stored in collaboration applications, along with some documents that contain sensitive information (e.g., customers' personal information).

    Your next firewall should be capable of safely enabling these collaborative applications, which means allowing an application while scanning it for threats and malware.

    Deal with unknown traffic by policy

    There will always be unknown traffic and it will always represent significant risks to any organization. There are several important elements to consider with unknown traffic: minimizing it, easily characterizing custom applications so they are known in network security policy, and having predictable visibility and policy control over traffic that remains unknown.

    Your next firewall should attempt to classify all traffic, which provides a positive enforcement model (default deny). A negative (default allow) model allows all unknown traffic, so what you don't know will hurt you.
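As an added example (not code from the booklet or from Palo Alto Networks), the toy policy evaluator below contrasts a port-only decision with an application-based rule base under the positive (default deny) and negative (default allow) models just described; the users, application names and rules are constructed for the example, and it also illustrates the earlier "any application on any port" point.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    user: str
    dst_port: int
    app: Optional[str]  # application as identified by content inspection; None = could not be classified


# Constructed rule base for this example: (user or "*", application, action),
# evaluated top to bottom, first match wins. No rule mentions a port.
RULES = [
    ("finance", "rdp", "deny"),
    ("*", "web-browsing", "allow"),
    ("*", "ssl", "allow"),
    ("*", "gmail", "allow"),
    ("*", "google-talk", "deny"),  # spawned inside the Gmail session, but a different application
]


def port_based_decision(flow: Flow) -> str:
    """Legacy model: the destination port alone decides, so SSH forced onto 443
    passes as if it were HTTPS."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


def app_based_decision(flow: Flow, positive: bool = True) -> str:
    """Application-aware model. The default action covers every flow that matches
    no rule, including traffic the classifier could not identify (app is None):
    positive=True is the booklet's default deny, positive=False is default allow."""
    for user, app, action in RULES:
        if user in ("*", flow.user) and flow.app == app:
            return action
    return "deny" if positive else "allow"


if __name__ == "__main__":
    # Constructed sample flows: SSH hidden on 443, unclassified traffic on 8443,
    # and the Gmail / Google Talk pair sharing one browser session.
    samples = [Flow("alice", 443, "ssh"), Flow("bob", 8443, None),
               Flow("alice", 443, "gmail"), Flow("alice", 443, "google-talk")]
    for f in samples:
        print(f, "port:", port_based_decision(f),
              "positive:", app_based_decision(f, True),
              "negative:", app_based_decision(f, False))
```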

    Stop Thinking:

    One or the other.

    Start Thinking:

    Both.


    Identify and control applications sharing the same connection

    Applications share sessions. To ensure users are continuously using an application platform, whether it's Google, Facebook, Microsoft, or Salesforce, application developers integrate many different applications which often have very different risk profiles and business value.

    Let's look at Gmail as an example: it has the ability to spawn a Google Talk session from within the Gmail UI. These are fundamentally different applications, and your next firewall should recognize that, and enable the appropriate policy response for each.

    Enable the same visibility and control for remote users

    Users are increasingly outside the four walls of the enterprise. A significant portion of the enterprise user population is now capable of working remotely and they expect to connect to their applications via WiFi, wireless broadband, or any means necessary.

    Regardless of where the user is, or even where the application they're employing might be, the same standard of control should apply. If your next firewall enables application visibility and control over traffic inside the four walls of the enterprise, but not outside, it misses the mark on some of the riskiest traffic.

    Stop Thinking:

    Restricted.

    Start Thinking:

    Free to go, go, go.


    Make network security simpler

    Many enterprises struggle with incorporating more information feeds, more policies, and more management into already overloaded security processes and people. In other words, if teams cannot manage what they've already got, adding more management, policies, and information doesn't help. Given that typical firewall installations have thousands of rules, adding thousands of application signatures across tens of thousands of ports is going to increase complexity by several orders of magnitude.

    Your next firewall should apply policy based on user and application, which significantly simplifies policy modeling and management.

    Deliver the same throughput and performance with application control fully activated

    Many enterprises struggle with the forced compromise between performance and security. All too often, enabling network security features means turning down throughput and performance. If your next firewall is built the right way, this compromise is unnecessary.

    Given the requirement for computationally intensive tasks (e.g., application identification) performed on high traffic volumes with low latency, your next firewall should have hardware optimized for specific tasks such as networking, security, and content scanning.

    Stop Thinking:

    Complexity.

    Start Thinking:

    Simplicity.


    In Conclusion

    We continue to adopt new applications and technologies, and the threats carried by them. Oftentimes, obstructing their adoption can be a career-limiting move. Even when it isn't, applications are how we get our jobs done, or maintain productivity in the face of competing personal and professional priorities. Because of this, safe enablement is increasingly the correct policy stance. To do this, you need to put in place the appropriate policies governing use, but also controls capable of enforcing them. The 10 critical capabilities we outlined here help you put the necessary controls in place, especially in the face of a more varied and rich application and threat landscape. Without the network security infrastructure to cope with such variety and depth, you can't safely enable the necessary applications and manage risk. A next-generation firewall that delivers on these 10 capabilities is really all it takes.

    Stop Thinking:

    Them.

    Start Thinking:

    Us.


    Ready to Learn More?

    Join one of our weekly Jumpstart Webinars:

    http://www.paloaltonetworks.com/jumpstart

    Request a free network security assessment:

    http://www.paloaltonetworks.com/avr

    the network security company™

    2011 Palo Alto Networks, Inc. All Rights Reserved. Palo Alto Networks and the Palo Alto Networks Logo are trademarks or registered trademarks of Palo Alto Networks, Inc. Other company and product names may be trademarks of their respective owners. Specifications are subject to change without notice. PAN_10TBKLT_052311