
Key Policy Considerations When Implementing Next-Generation Firewalls

Uploaded by: algosec


DESCRIPTION

This presentation examines next-generation firewalls and provides practical advice on how to manage policies effectively and efficiently in a multi-product and even multi-vendor defense-in-depth architecture. By watching this webcast you will learn answers to the following questions:

• What constitutes a next-generation firewall and what problems does it solve?

• What are the deployment options for next-generation firewalls?

• What do policies in a defense-in-depth architecture look like?

• How can you efficiently manage next-generation firewalls AND traditional firewall policies?

And much more.


Page 1: Key Policy Considerations When Implementing Next-Generation Firewalls

Key Policy Considerations When Implementing Next-Generation Firewalls

Hosted by:

Page 2: Key Policy Considerations When Implementing Next-Generation Firewalls

Agenda

• Why next-generation firewalls (NGFWs)?

• How to manage NGFW policies in a mixed environment

• NGFW deployment best practices

• Examine a real-life use case

Page 3: Key Policy Considerations When Implementing Next-Generation Firewalls

Today’s Panelists

• Josh Karp, Director, Business Development, AlgoSec

• Jared Beck, Sr. Solutions Architect, Dimension Data

• Ben Dimmitt, Sr. Corporate Solutions Specialist, Palo Alto Networks

Page 4: Key Policy Considerations When Implementing Next-Generation Firewalls

Understanding Next-Generation Firewalls

Page 5: Key Policy Considerations When Implementing Next-Generation Firewalls

Applications Have Changed; Firewalls Have Not

Need to restore visibility and control in the firewall

BUT…applications have changed

• Ports ≠ Applications

• IP Addresses ≠ Users

• Packets ≠ Content

The firewall is the right place to enforce policy control

• Sees all traffic

• Defines trust boundary

• Enables access via positive control

Page 6: Key Policy Considerations When Implementing Next-Generation Firewalls

Applications Carry Risk

Applications can be “threats”

• P2P file sharing, tunneling applications, anonymizers, media/video

Applications carry threats

• SANS Top 20 Threats – majority are application-level threats

Applications & application-level threats result in major breaches – Pfizer, VA, US Army


Page 7: Key Policy Considerations When Implementing Next-Generation Firewalls

The Right Answer: Make the Firewall Do Its Job

Next Generation Firewall (NGFW)

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify users regardless of IP address

3. Protect in real time against threats embedded across applications

4. Fine-grained visibility and policy control over application access / functionality

5. Multi-gigabit, in-line deployment with no performance degradation


Page 8: Key Policy Considerations When Implementing Next-Generation Firewalls

ID Technologies / Architecture - Transform the Firewall

• App-ID™

– Identify the application

• User-ID™

– Identify the user

• Content-ID™

– Scan the content

• SP3 Architecture

– Single-Pass Parallel Processing

Page 9: Key Policy Considerations When Implementing Next-Generation Firewalls

Comprehensive View of Applications, Users & Content

[Screenshot captions: Filter on Facebook-base; Filter on Facebook-base and user cook; Remove Facebook to expand view of cook]

• Application Command Center (ACC)

– View applications, URLs, threats, data filtering activity

• Add/remove filters to achieve desired result


Page 10: Key Policy Considerations When Implementing Next-Generation Firewalls

Fewer Policies, Greater Control

• Very simple, yet very powerful, control of applications, users, and content

Page 11: Key Policy Considerations When Implementing Next-Generation Firewalls

Unprecedented Levels of Enterprise 2.0 Control

• Now you can minimize risks, maximize rewards:

- Block bad apps to reduce attack surface

- Allow all application functions

- Allow, but only certain functions

- Allow, but scan to remove threats

- Allow, but only for certain users

- Allow, but only for certain time periods

- Decrypt where appropriate

- Shape (QoS) to optimize use of bandwidth

…and various combinations of the above


Page 12: Key Policy Considerations When Implementing Next-Generation Firewalls

Managing Next-Generation Firewall Policies in a Defense-in-Depth Network

Page 13: Key Policy Considerations When Implementing Next-Generation Firewalls

What’s in Your Network?

• Multiple firewall vendors?

• Different firewall models?

• Numerous firewall types (traditional, NGFW, etc.)?

• Vendor-specific firewall management consoles?

• Other security devices (routers, SWGs, etc.)?

Today’s Network is a Complex Maze

Page 14: Key Policy Considerations When Implementing Next-Generation Firewalls

55.6% of Challenges Lie with Problematic Internal Processes

Network Security Challenges

“What is the greatest challenge when it comes to managing network security devices in your organization?”

• Time-consuming manual processes, 30.0%

• Lack of visibility into network security policies, 21.7%

• Poor change management processes, 15.6%

• Preventing insider threats, 13.3%

• Error-prone processes cause risk, 10.0%

• Tension between IT admin and InfoSec teams, 9.4%

Source: State of Network Security, AlgoSec, 2012

Page 15: Key Policy Considerations When Implementing Next-Generation Firewalls

Holistic Visibility of Firewall Policies in a Defense-in-Depth Setup


Page 16: Key Policy Considerations When Implementing Next-Generation Firewalls

Analyze Firewall Policies Across the Entire Network

• Analyze all possible traffic variations based on dynamic network simulation

• Understand the network with topology awareness that accounts for various firewall technologies

• Analyze how traffic flows through multiple firewalls

• Aggregate findings from firewall groups

Use this information to optimize policies, reduce risk and ensure compliance

Page 17: Key Policy Considerations When Implementing Next-Generation Firewalls

Optimize Your Rule Base

• Optimize policies by eliminating unused rules or objects, consolidating similar rules, etc.

• Re-order rules for optimal firewall performance

• Tighten overly permissive rules based on historical usage patterns

Page 18: Key Policy Considerations When Implementing Next-Generation Firewalls

Assess Firewall Policies for Risk


• Leverage database of industry best-practices and known risks

• Identify and quantify risky rules

Page 19: Key Policy Considerations When Implementing Next-Generation Firewalls

Simplify Audit and Compliance

• Auto-generate compliance reports

• Consolidate compliance view with device-specific drill downs

• Out-of-box regulation support for PCI DSS, SOX, ISO 27001, Basel II, NERC CIP, J-SOX

Page 20: Key Policy Considerations When Implementing Next-Generation Firewalls

Keep Up With Changes

• 20-30% of changes are unneeded

• 5% implemented incorrectly

Does your firewall change process look like this?


Page 21: Key Policy Considerations When Implementing Next-Generation Firewalls

Automate the Firewall Change Workflow

• Request Analysis

• Proactive Risk Assessment

• Optimal Implementation Design

• Verify Correct Execution

• Audit the Change Process

• Recertify Rules

• Measure SLAs

Security Operations

Compliance Executive

Operations

Page 22: Key Policy Considerations When Implementing Next-Generation Firewalls

AlgoSec Security Management Suite

Business Impact

• 60% reduction in change management costs

• 80% reduction in firewall auditing costs

• Improved security posture

• Improved troubleshooting and network availability

• Improved organizational alignment and accountability

Page 23: Key Policy Considerations When Implementing Next-Generation Firewalls

Managing Firewall Policies Across Diverse Network Environments

• Non-Intrusive

• Topology-aware analysis

• Single device, group, or “matrix” analysis

• Patented algorithms analyze all traffic variations

• Near real-time change monitoring

• Broadest knowledgebase for risk and compliance

More Results. Better Accuracy.

Page 24: Key Policy Considerations When Implementing Next-Generation Firewalls

Firewall Policy Management Checklist

Automation that Delivers Security and Operational Value and Helps You:

• Make the business more agile

• Refocus efforts on more strategic tasks

• Minimize misconfigurations/human errors

• Ensure continuous compliance

• Reduce operational and security costs

Page 25: Key Policy Considerations When Implementing Next-Generation Firewalls

Firewall Management Best Practices from the Field

Page 26: Key Policy Considerations When Implementing Next-Generation Firewalls

Next Generation Firewalls and their Applications

• Defining, validating, and enforcing access policy allowing the right content at the right time for the right users are critical for the success of an organization’s infrastructure security model.

• Organizations need to rethink security strategy at a much higher layer in the OSI model…

• Palo Alto Firewalls deployed in one of two ways:

– Inline behind current enterprise firewall to augment existing stateful policies as a “Virtual Wire”. Often done to prove out the power of Palo Alto’s AppID and UserID.

– Replacement of existing enterprise firewalls through migration. Existing rule bases need to be analyzed and cleaned up before migrating, and AlgoSec ensures a smooth process.

Page 27: Key Policy Considerations When Implementing Next-Generation Firewalls

Firewall Management Tips

Four Keys:

1. Be diligent in patching your firewalls

2. Regularly monitor configuration

3. Assess your rule base

4. Automate and centralize

– Obstacle to effectively managing security controls and network policies is the disparate nature of point products.

– Managing firewalls with different configurations and interfaces is cumbersome and prone to human error.

– Compliance with regulations requires robust security policies, which requires mapping 1000s of security controls to the required network policies – a daunting and potentially resource-draining task.

Page 28: Key Policy Considerations When Implementing Next-Generation Firewalls

Firewall Assessment Approach

• Firewall Assessment

• Governance

• Risk

• Compliance

• Workshops

• Policies and Procedure Review/Design

• Firewall Design

• Network segmentation

• Implementation Services

• Product Integration

• Ongoing Firewall Management Services

• Monitoring

• Change Control

• Audit


Page 29: Key Policy Considerations When Implementing Next-Generation Firewalls

Dimension Data’s Firewall Assurance Approach

• Firewall Policy and Risk Management:

– Monitor firewall policy changes, report them in real time and maintain a comprehensive, accurate audit trail for full accountability

– Provide analysis and clean-up of complex rule bases and objects to eliminate potential security breaches and improve performance

– Perform powerful simulation and risk analysis to identify potential security risks, ensure compliance with organizational security standards, and prevent service interruptions

• Firewall Threat Management:

– Provide regulatory compliance validation and auditing

– Perform rule-based egress and regress testing

– Signature development and fine-tuning

– Advanced penetration testing

– Application protocol and threat traffic scanning

Page 30: Key Policy Considerations When Implementing Next-Generation Firewalls

Case Study: Large Financial Institution

Challenge

• Public banking security breaches raised concerns about security posture and compliance status

Business Impact

• The business was susceptible to a security breach

• Non-compliance to audit requirements could result in financial penalties

Dimension Data Solution

• Able to perform firewall assessment using AlgoSec to determine strength of existing firewall policies

• Deployed Palo Alto 5060 firewalls to protect critical infrastructure

Benefits

• Compliance audit requirements are met consistently

• Ability to report accurately on security posture

• Processes and systems ensure proactive and effective management of security infrastructure

• System and process automation lowers TCO

Page 31: Key Policy Considerations When Implementing Next-Generation Firewalls

Case Study: Firewall Assessment Sample Content


Page 32: Key Policy Considerations When Implementing Next-Generation Firewalls

Case Study: Palo Alto Deployment Example
