
The Big Collection of Next-Generation Firewall Policy Management Tips


Page 1: The Big Collection of Next-Generation Firewall Policy Management Tips


About This eBook

The evolution of sophisticated threats and the increased dependence on web applications and virtualization has driven the demand for Next-Generation Firewalls (NGFWs). According to a recent AlgoSec survey, more organizations are adopting NGFWs - nearly 57% in 2013, up from 41.2% in 2012. But while NGFWs provide newfound levels of policy granularity and controls, they also introduce more complexity that if not managed properly can cause more harm than good. In exchange for the increased security of NGFWs, IT professionals often must work harder as the majority of responding organizations (56%) that had adopted NGFWs said they added more work to the firewall management process.

To help you obtain all of the value out of your NGFWs without the complexity, we’ve compiled these tips from practitioners and vendors. We hope you enjoy.

The AlgoSec Team


Sizing

“A next-generation firewall is not an all-or-nothing decision. You need to determine what capabilities you need and size your implementation appropriately.”

Anonymous

“When deploying a NGFW, decide first where and how it will be used. Will it be a border firewall? Will it be used in an extranet setting? Will you need VPN or DDoS protection in the case of a border firewall? Or will you need to detect threats coming from your partner’s network? Not every feature a NGFW provides needs to be used, so take a pragmatic approach to the goals you are trying to achieve.”

Edgar Cooke, Manager of Security and Compliance, USAN, US


“Make sure you have enough resources to support all the new features in a NGFW, like URL-filtering, IPS, etc., or consider not enabling all of them.”

Bjorn Lofman, Consultant, Sony Mobile, Sweden

“Calculate the size capabilities (such as IPS, application control, identity awareness, URL filtering, and e-mail security) as necessary and understand the performance impact if you decide to turn on additional features later. As part of a firewall refresh, one capability that is typically considered is intrusion prevention.”

Ivona Oancea, Product Manager, Electronic Arts, US


Deployment


“To deploy a firewall, it is advisable to deploy anti-spoofing for each firewall zone interface. Take some time to define the network profile that stays behind the firewall interface. Also, firewalls are not designed to handle routing. In the case where a firewall must handle thousands or hundreds of thousands of dynamic routing entries, its CPU resources will be heavily consumed and it will end up not being able to do its main job, which is stateful inspection.”

Security Consultant, Malaysia

“If your management is hesitant to adopt a NGFW on the perimeter, first deploy it internally between your user network and your server network - the increased visibility over protocols and applications should open their eyes.”

John Stockman, Information Security, IBX, US


“Identify the optimal places in your network where the next-generation capabilities will provide you with the best return. Determine and plan for the NGFW features you plan to use for your environment.”

Henry Ge, Security, NSWPF - NSW Police, Australia

“It’s good to deploy a NGFW inline with your traditional firewall to add a second layer of security. Use port-based firewalling on both and the application control on the NGFW.”

Tomasz Fabisiak, Systems Engineer, NGE Polska, Poland


“Start in “monitor”/allow first to see how the firewall reacts and then fine tune from there.”

David Krel, ThoughtWorks, Inc., Sr. Network Engineer, US

“Before deploying the NGFW, install a TAP on the switch where the current FW is installed and let it run in passive mode. After a set time, analyze what was triggered as a violation on the NGFW and check to see if this was caught on the current firewall. This will ensure NGFW justification and assist in configuration of the setup of the firewall, minimizing setup time of the NGFW when it finally replaces the current FW appliance.”

Security Architect, US


“Deploy your NGFW with a firewall compliance/cleanup tool. By cleaning up existing firewall rules and flows, and documenting active applications, transitioning to a NGFW is much easier. Starting a NGFW transition is difficult enough without a bloated, inaccurate and non-optimized firewall ruleset.”

Melissa Mccoy, Information Assurance Director, Kaizen Approach, US

“Build and deploy “for-purpose” specific security gateways based on a security zones approach, taking in zones’ access of greater trust the deeper one gets into the architecture. Look for and implement monitoring of these gateways from a security / compliance posture (status) in a 24x7 paradigm with alerting and reporting capabilities. Only deploy specific functional protections - thus eliminating over-use of resources, etc...”

Charles Riordan, Managing Consultant, Check Point, US


Implement

“If creating a new group with lots of new members, it is faster to do it inside the group itself by clicking new > Node > Host.”

Dawin Chandra, Security Specialist, IBM, Australia

“Define a dedicated scheme to configure access. For instance, general rules for all users, location related rules, rules for groups of users/IPs and then single user/IP rules. This helps your colleagues to find rules. Above all we use a section “most used rules” to improve firewall performance.”

Security Architect, Germany


“Always start your rulebase with the basics. From, to and how. Apply the who and with what afterwards.”

Phil Williams, MIS/IS/IT Vice President, Security Matterz, Saudi Arabia


Management

“To manage firewall zones and traffic directional flow from zone to zone, compile a policy zone matrix and define what traffic is supposed to exist for each direction. For example, in the policy matrix, “A” will represent traffic from Untrust to DMZ, which normally will only allow http and https. If there is a change request for new policy that does not match this definition, the request should be rejected, unless the policy requestor presents a specific reason. However, the policy shall be opened for a specific time only.”

Security Consultant, Malaysia
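The zone-matrix review process in the tip above, as an added example that is not part of the eBook: the matrix, zone names, request fields and the 30-day exception limit are all constructed assumptions, but the decision logic is the one the tip describes (reject anything outside the matrix unless there is a specific reason, and then only for a bounded time).

```python
"""Check firewall change requests against a zone-to-zone policy matrix."""
from datetime import date, timedelta

# Constructed matrix: for each (from_zone, to_zone) direction, the services
# that are supposed to flow. Cell "A" from the tip is ("untrust", "dmz").
# A direction absent from the matrix is not supposed to carry any traffic.
ZONE_MATRIX = {
    ("untrust", "dmz"): {"tcp/80", "tcp/443"},
    ("dmz", "trust"): {"tcp/1433"},
    ("trust", "untrust"): {"tcp/80", "tcp/443", "udp/53"},
}
MAX_EXCEPTION_DAYS = 30  # assumed limit for "opened for a specific time only"

def review_request(req, today):
    """Return (decision, reason) for one change request.

    A request matching the matrix is approved. One that does not is rejected
    unless it carries a specific justification AND an expiry date within
    MAX_EXCEPTION_DAYS; then it is approved as a temporary exception.
    """
    direction = f"{req['from_zone']}->{req['to_zone']}"
    allowed = ZONE_MATRIX.get((req["from_zone"], req["to_zone"]), set())
    if req["service"] in allowed:
        return "approve", f"{req['service']} is defined for {direction}"
    if not req.get("justification"):
        return "reject", f"{req['service']} is not defined for {direction}"
    expires = req.get("expires")
    if expires is None or not today < expires <= today + timedelta(days=MAX_EXCEPTION_DAYS):
        return "reject", f"exception for {direction} needs an expiry within {MAX_EXCEPTION_DAYS} days"
    return "approve-temporary", f"{direction} {req['service']} until {expires.isoformat()}: {req['justification']}"

def review_all(requests, today):
    """Map each request id to its decision."""
    return {r["id"]: review_request(r, today)[0] for r in requests}

# Constructed sample requests, reviewed as of a fixed date.
TODAY = date(2024, 2, 1)
REQUESTS = [
    {"id": "CHG-1", "from_zone": "untrust", "to_zone": "dmz", "service": "tcp/443"},
    {"id": "CHG-2", "from_zone": "untrust", "to_zone": "dmz", "service": "tcp/22"},
    {"id": "CHG-3", "from_zone": "untrust", "to_zone": "dmz", "service": "tcp/22",
     "justification": "vendor migration window", "expires": date(2024, 2, 14)},
    {"id": "CHG-4", "from_zone": "untrust", "to_zone": "trust", "service": "tcp/443",
     "justification": "new app", "expires": date(2025, 1, 1)},
]
```

Temporary approvals still need a follow-up: a rule that outlives its expiry is the same as one that was never reviewed.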


“Isolation remains fundamental in any firewall. There are many deployment and support issues with even the most meticulous virtualized architecture (VMware, Hyper-V, etc.). A preferred alternative for firewalls as well as a DMZ is LPARs on an x86 environment for those areas. Many of the virtualization benefits with far fewer security pitfalls.”

Kevin Stay, Network Manager, Varian Medical Systems, Inc., US

“Disable any services that the firewall doesn’t need to run (for example: if you are running Cisco ASA and don’t plan on using ASDM, then don’t enable http service.)”

Anonymous


“All firewall rulesets should always have a default “deny any any” as the last rule.”

Anonymous

“IPv6 should be specifically blocked, if it is not being used, and if it is possible on the firewall.”

Anonymous

“‘Any’ should not be used, unless necessary.”

Anonymous
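The three tips above can be checked mechanically on an exported rulebase. This is an added example, not AlgoSec's or the eBook's own code; the rule layout (src/dst as CIDRs or "any", a free-text svc, action, optional comment) is an assumption, and "unless necessary" is modelled as "an allow rule may use 'any' only with a justifying comment".

```python
"""Lint a rulebase for: explicit final deny, no avoidable 'any', IPv6 blocked when unused."""
import ipaddress

def _is_ipv6(field):
    """True for an explicit IPv6 prefix; "any" and IPv4 prefixes give False."""
    return field != "any" and ipaddress.ip_network(field).version == 6

def lint_rulebase(rules):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    last = rules[-1]
    if not (last["action"] == "deny" and last["src"] == last["dst"] == last["svc"] == "any"):
        findings.append("last rule is not an explicit 'deny any any'")
    # Assumption: 'any' in an allow rule is acceptable only with a comment saying
    # why it is necessary. The final catch-all deny is exempt from this check.
    for r in rules[:-1]:
        broad = [f for f in ("src", "dst", "svc") if r[f] == "any"]
        if broad and r["action"] == "allow" and not r.get("comment"):
            findings.append(f"rule {r['name']}: 'any' in {', '.join(broad)} without a justifying comment")
    # IPv6 counts as "in use" only if some rule names an IPv6 prefix other than ::/0.
    v6_used = any(_is_ipv6(r[f]) and r[f] != "::/0" for r in rules for f in ("src", "dst"))
    v6_blocked = any(r["action"] == "deny" and r["src"] == r["dst"] == "::/0" for r in rules)
    if not v6_used and not v6_blocked:
        findings.append("IPv6 is not in use but no rule blocks it")
    return findings

# Constructed rulebases: the weak one trips two checks, the fixed one passes.
WEAK_RULES = [
    {"name": "web-out", "src": "10.1.0.0/16", "dst": "any", "svc": "tcp/443", "action": "allow",
     "comment": "Internet-bound HTTPS for the user LAN (constructed ticket CHG-0001)"},
    {"name": "vendor-temp", "src": "any", "dst": "10.9.0.9/32", "svc": "any", "action": "allow"},
    {"name": "default-deny", "src": "any", "dst": "any", "svc": "any", "action": "deny"},
]
FIXED_RULES = [
    WEAK_RULES[0],
    {"name": "vendor-sftp", "src": "203.0.113.10/32", "dst": "10.9.0.9/32", "svc": "tcp/22", "action": "allow"},
    {"name": "block-ipv6", "src": "::/0", "dst": "::/0", "svc": "any", "action": "deny"},
    WEAK_RULES[2],
]
```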


“For HA management, active-standby is better than active-active deployment generally because active-active will increase the troubleshooting and management complexity. It is fine to use the active-active method if the purpose is to increase the number of sessions the firewall can handle. However, bear in mind it does not increase the network bandwidth because every time the firewall receives the traffic via its dedicated interface link only.”

Security Consultant, Malaysia

“If your firewall supports zones (e.g. Juniper), use them. Zones make it far easier to manage complex policies.”

Anonymous


Optimization

“Standardise your object naming conventions. This is highly useful when reusing objects and troubleshooting.”

Security Architect, Australia

“Define everything as much as you can: Source, Dest, Service. Commenting the policy and placing rules into groups will save TONS of time and effort in the future and may preserve the sanity of the next admin. Use a ticketing system for change requests, put the ticket number and implementation date into the comments so there is a reference for all policy changes.”

Anonymous


“Monitor those firewall rules which are never used to optimize the firewall’s performance.”

Frankie Leung, Director, UDS Data Systems Ltd, Hong Kong

“Don’t be afraid to take your time tuning your IPS policy, especially when it comes to blocking traffic. Some business processes only run monthly, or quarterly, or on demand, and can end up being blocked unintentionally.”

Megan Benoit, Network Security Engineer, Racetrac Petroleum, Inc., US


“Order your policy so the most commonly hit rules appear near the top for better performance (you can utilize the feature set of various vendor firewalls to discover which rules have the most hits in a given time frame). Be careful as to how you implement a blacklist: doing it as a policy object group can be easy and effective, but it’s still going through order of operations. Typically if it’s aggressive traffic, I place the blacklist in the pre-route ACL in order to reduce resource usage.”

Anonymous

“Tune your policies. If you are upgrading, then prune the policies to just what you need and build the rest as the time arises. Less is more.”

Jamison Moklak, ITSmart Devine, US
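Moving busy rules up (the tip above) and finding never-used rules (the "Monitor those firewall rules which are never used" tip) both start from per-rule hit counts. The example below is added here and is not from the eBook; the rule layout and the hit counts are constructed. It goes one step beyond the tips: it only swaps rules that no packet can match both of, so the reordering cannot change what the policy allows, and a busy allow rule stays below an overlapping deny that precedes it.

```python
"""Reorder rules by hit count without changing what the policy allows,
and list rules that never matched in the sampled window."""
import ipaddress

def _addr_overlap(a, b):
    """Could one address match both fields? "any" is a wildcard."""
    return "any" in (a, b) or ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def overlaps(r1, r2):
    """True if some packet could match both rules, so their relative order matters."""
    return (_addr_overlap(r1["src"], r2["src"]) and _addr_overlap(r1["dst"], r2["dst"])
            and ("any" in (r1["svc"], r2["svc"]) or r1["svc"] == r2["svc"]))

def reorder_by_hits(rules):
    """Bubble busier rules upward, but never past a rule they overlap with.

    Swapping two adjacent rules that no single packet can match both of cannot
    change which rule a packet hits first, so every swap preserves the policy's
    effect. The final catch-all deny overlaps everything and so stays last.
    """
    order = list(rules)
    changed = True
    while changed:
        changed = False
        for i in range(len(order) - 1):
            a, b = order[i], order[i + 1]
            if b["hits"] > a["hits"] and not overlaps(a, b):
                order[i], order[i + 1] = b, a
                changed = True
    return [r["name"] for r in order]

def unused_rules(rules):
    """Rules with zero hits in the window: review them before removing."""
    return [r["name"] for r in rules if r["hits"] == 0]

# Constructed sample; "hits" stands in for the vendor's rule-hit counters.
RULES = [
    {"name": "block-old-host", "src": "10.1.0.7/32", "dst": "any", "svc": "any", "action": "deny", "hits": 3},
    {"name": "printer-lpd", "src": "10.3.0.0/24", "dst": "10.9.0.20/32", "svc": "tcp/515", "action": "allow", "hits": 2},
    {"name": "legacy-ftp", "src": "10.2.0.0/24", "dst": "10.9.0.9/32", "svc": "tcp/21", "action": "allow", "hits": 0},
    {"name": "web-out", "src": "10.1.0.0/16", "dst": "any", "svc": "tcp/443", "action": "allow", "hits": 9000},
    {"name": "dns-out", "src": "10.3.0.0/24", "dst": "10.9.0.53/32", "svc": "udp/53", "action": "allow", "hits": 5000},
    {"name": "default-deny", "src": "any", "dst": "any", "svc": "any", "action": "deny", "hits": 120},
]
```

A zero-hit rule is only a removal candidate if the counting window covered the monthly or quarterly jobs the IPS-tuning tip warns about.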


Signatures

“Be sure your NGFW has up to date application signatures tailored for your infrastructure, otherwise the desired application visibility and control will turn into next-gen blindness.”

Enrico Sorge, Product Manager, Italtel SPA, Italy

“If you have a software asset system it could tell you which signatures should be activated in the whole IPS system. For example, if you don’t have any IBM Tivoli or Novell system in your environment, why should you scan for these signatures? They could be automatically turned off.”

Attila Peter Korosi, IT Security Consultant, TR Consult Kft., Hungary


Process

“In many organizations, network operations teams manage firewalls without much security involvement, and network security teams optimize and manage the IPS. Before integrating these technologies through the use of a NGFW, make sure both groups are on board and working together to solve issues.”

Anonymous

“Many of the firewall rule requests we get are vague and unclear. The requesters often do not know what factors beyond the ports and IP addresses are present in their situation. My tip is to not be afraid to initially create several ‘rules’ that work using different filter criteria to support the requests. This allows us to eventually craft a robust rule that allows the traffic it should without being too strict or too open.”

Michael Foster, Technical Security Specialist, Providence Health & Services, US


Just for Laughs

“Even though you manage a next-generation firewall, don’t refer to yourself as “Captain Picard”.”

Anonymous

“Make sure it’s plugged in.”

Information Technology Security Manager, US


Like this eBook? Check out the original Big Collection of Firewall Policy Management Tips.