
10 Things Your Next Firewall Must Do

Stop Thinking: Traditional firewall. Start Thinking: Next-generation firewall.

An Introduction
Choosing a next-generation firewall is more than a simple comparison of technical features. It's about embracing a change in your role: becoming an enabler of business rather than a blocker. It's about balancing the needs of the business with the risks associated with modern applications. It's about acknowledging that the world has changed around you, and that you can no longer protect yourself with an approach that worked well when web browsing and email were the only two applications on the internet. It's about the 10 things we describe in this booklet that we believe your next firewall must do.

Stop Thinking: Bricks. Start Thinking: Open air, everywhere.

1. Identify and control applications on any port

Application developers no longer adhere to the standard port / protocol / application mapping. More and more applications are capable of operating on non-standard ports or can hop ports (e.g., instant messaging applications, peer-to-peer file sharing, or VoIP). Additionally, users are increasingly savvy enough to force applications to run over non-standard ports (e.g., MS RDP, SSH). To enforce application-specific policies where ports are increasingly irrelevant, your next firewall must assume that any application can run on any port: classification has to come from what the session actually carries, not from the port it arrives on.

2. Identify and control circumventors

Most organizations have security policies, and controls designed to enforce those policies. Proxies, remote access tools, and encrypted tunnel applications are specifically used to circumvent security controls like firewalls. Without the ability to control these circumventors, organizations cannot enforce their security policies, and they expose themselves to the very risks they thought their controls mitigated. Your next firewall must be capable of dealing with these circumventors, and the application intelligence it relies on must be regularly updated, since circumvention tools change their behaviour precisely to escape identification.

Stop Thinking: Closed doors. Start Thinking: Freedom.

3. Decrypt outbound SSL

Today (at this booklet's 2011 publication), more than 15% of network traffic is SSL-encrypted; in some industries (e.g., financial services), it's more than 50%. Given the increasing adoption of HTTPS for many high-risk, high-reward applications, and users' ability to enable SSL on many websites, network security teams have a large and growing blind spot. A modern firewall must be capable of decrypting and inspecting SSL traffic, and be flexible enough to bypass selected segments of SSL traffic (e.g., web traffic from health care organizations) via policy. One practical caveat: outbound decryption means the firewall re-signs server certificates with an internal CA that every managed endpoint must trust, so the bypass list has to cover both privacy-sensitive categories and applications that pin their server certificates and will break when intercepted.

4. Provide application function control

Many applications have significantly different functions, presenting different risk profiles and value. Good examples of this include WebEx vs. WebEx Desktop Sharing, and Yahoo Instant Messaging vs. its file transfer feature. In regulated environments, or in organizations heavily dependent on intellectual property, this is a significant issue. Your next firewall must continually evaluate the traffic and watch for changes: if a different function or feature is introduced in the session, the firewall should note it and perform a policy check.

Stop Thinking: One or the other. Start Thinking: Both.

5. Scan for viruses and malware in allowed applications

Enterprises continue to adopt collaborative applications hosted outside their physical locations. Whether it's hosted SharePoint, Box.net, Google Docs, or Microsoft Office Live, many organizations have a requirement to use an application that shares files, a potential high-risk threat vector. Many infected documents are stored in collaboration applications, along with some documents that contain sensitive information (e.g., customers' personal information). Your next firewall should be capable of safely enabling these collaborative applications, which means allowing an application while scanning it for threats and malware.

6. Deal with unknown traffic by policy

There will always be unknown traffic, and it will always represent significant risk to any organization. There are several important elements to consider with unknown traffic: minimizing it, easily characterizing custom applications so they are known in network security policy, and having predictable visibility and policy control over traffic that remains unknown. Your next firewall should attempt to classify all traffic, which provides a positive enforcement model (default deny). A negative (default allow) model permits all unknown traffic, so what you don't know will hurt you.
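The port-independent identification called for in item 1 and the positive enforcement model of item 6 in miniature, as an added example in Python (not Palo Alto Networks code). The content signatures, the user groups, the policy rules and the sample flows are constructed for illustration; a real next-generation firewall carries thousands of signatures and decodes far deeper into each session than the first packet.

```python
"""Added example: port-independent application identification feeding a
default-deny (positive enforcement) policy.  Not Palo Alto Networks code; the
signatures, user groups, rules and sample flows below are constructed."""
import re
from dataclasses import dataclass

# Content signatures.  None of them looks at the destination port.
_HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def identify_app(payload: bytes) -> str:
    """Classify a session from its first client-to-server bytes.

    Returns "ssh", "http", "tls", "socks5" or "unknown".  The port is
    deliberately not an input, so SSH forced onto 8080 or a SOCKS proxy
    hidden on 443 is still recognised by what it actually sends.
    """
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    if _HTTP_REQUEST.match(payload):
        return "http"
    # TLS record header: type 0x16 (handshake), version 0x03xx, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    # SOCKS5 greeting: version 5, method count, then exactly that many methods.
    if len(payload) >= 3 and payload[0] == 0x05 and len(payload) == 2 + payload[1]:
        return "socks5"
    return "unknown"


def port_only_guess(port: int) -> str:
    """What a traditional port-based firewall would assume (shown for contrast)."""
    return {22: "ssh", 80: "http", 443: "tls"}.get(port, "unknown")


@dataclass(frozen=True)
class Rule:
    group: str   # user group, or "any"
    app: str     # application name, or "any"
    action: str  # "allow" or "deny"


# Constructed policy.  Positive enforcement: whatever no rule matches is denied.
POLICY = [
    Rule("any", "http", "allow"),
    Rule("any", "tls", "allow"),
    Rule("it-admins", "ssh", "allow"),
    Rule("any", "socks5", "deny"),   # explicit rule for a circumventor
]


def decide(group: str, app: str, policy=POLICY, default: str = "deny") -> str:
    """First-match rule evaluation; `default` is the enforcement model.

    default="deny" is the positive model the booklet asks for; default="allow"
    is the negative model that waves unknown traffic through.
    """
    for rule in policy:
        if rule.group in ("any", group) and rule.app in ("any", app):
            return rule.action
    return default


# Constructed sample flows: (user group, destination port, first payload bytes).
SAMPLE_FLOWS = [
    ("staff", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("staff", 8080, b"SSH-2.0-OpenSSH_8.9\r\n"),                 # SSH on a web port
    ("it-admins", 8080, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("staff", 443, bytes.fromhex("1603010030010000")),           # TLS ClientHello
    ("staff", 443, b"\x05\x01\x00"),                              # SOCKS5 on 443
    ("staff", 443, b"\x00\x00\x00\x13\x01\x02hello"),             # nothing we know
]


def evaluate_flows(flows=SAMPLE_FLOWS, policy=POLICY, default: str = "deny"):
    """Return (group, port, content_app, port_guess, action) for each flow."""
    out = []
    for group, port, payload in flows:
        app = identify_app(payload)
        out.append((group, port, app, port_only_guess(port), decide(group, app, policy, default)))
    return out


if __name__ == "__main__":
    for group, port, app, guess, action in evaluate_flows():
        flag = "" if app == guess else "   <- port-based guess was wrong"
        print(f"{group:10} :{port:<5} content={app:8} port-guess={guess:8} {action}{flag}")
```

Run as a script, the table shows the two points side by side: the SSH session on 8080 and the SOCKS5 greeting on 443 are both misread by the port-based guess but classified correctly from content, and the last flow, which matches no signature, is denied only because the default is deny; calling evaluate_flows(default="allow") turns that same unknown flow into an allow, which is the negative model the text warns against.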

Stop Thinking: Restricted. Start Thinking: Free to go, go, go.

7. Identify and control applications sharing the same connection

Applications share sessions. To keep users continuously inside an application platform, whether it's Google, Facebook, Microsoft, or Salesforce, application developers integrate many different applications, which often have very different risk profiles and business value. Let's look at Gmail as an example: it has the ability to spawn a Google Talk session from within the Gmail UI. These are fundamentally different applications, and your next firewall should recognize that and enable the appropriate policy response for each, rather than treating everything in the connection as the application it first identified.

8. Enable the same visibility and control for remote users

Users are increasingly outside the four walls of the enterprise. A significant portion of the enterprise user population is now capable of working remotely, and they expect to connect to their applications via WiFi, wireless broadband, or any means necessary. Regardless of where the user is, or even where the application they're employing might be, the same standard of control should apply. If your next firewall enables application visibility and control over traffic inside the four walls of the enterprise, but not outside, it misses the mark on some of the riskiest traffic.

Stop Thinking: Complexity. Start Thinking: Simplicity.

9. Make network security simpler

Many enterprises struggle with incorporating more information feeds, more policies, and more management into already overloaded security processes and people. In other words, if teams cannot manage what they've already got, adding more management, policies, and information doesn't help. Given that typical firewall installations have thousands of rules, adding thousands of application signatures across tens of thousands of ports is going to increase complexity by several orders of magnitude. Your next firewall should apply policy based on user and application, which significantly simplifies policy modeling and management.

10. Deliver the same throughput and performance with application control fully activated

Many enterprises struggle with the forced compromise between performance and security. All too often, enabling network security features means turning down throughput and performance. If your next firewall is built the right way, this compromise is unnecessary. Given the requirement for computationally intensive tasks (e.g., application identification) performed on high traffic volumes with low latency, your next firewall should have hardware optimized for specific tasks such as networking, security, and content scanning. When evaluating a product, ask for throughput figures measured with application identification, threat prevention, and SSL decryption all enabled, not the headline number for plain packet forwarding.

Stop Thinking: Them. Start Thinking: Us.

In Conclusion
We continue to adopt new applications and technologies, and the threats carried by them. Often, obstructing their adoption can be a career-limiting move. Even when it isn't, applications are how we get our jobs done, or maintain productivity in the face of competing personal and professional priorities. Because of this, safe enablement is increasingly the correct policy stance. To do this, you need to put in place the appropriate policies governing use, but also controls capable of enforcing them. The 10 critical capabilities we outlined here help you put the necessary controls in place, especially in the face of a more varied and rich application and threat landscape. Without the network security infrastructure to cope with such variety and depth, you can't safely enable the necessary applications and manage risk. A next-generation firewall that delivers on these 10 capabilities is really all it takes.

Palo Alto Networks: the network security company (tm)

Ready to Learn More?

Join one of our weekly Jumpstart Webinars: http://www.paloaltonetworks.com/jumpstart
Request a free network security assessment: http://www.paloaltonetworks.com/avr

(c) 2011 Palo Alto Networks, Inc. All Rights Reserved. Palo Alto Networks and the Palo Alto Networks Logo are trademarks or registered trademarks of Palo Alto Networks, Inc. Other company and product names may be trademarks of their respective owners. Specifications are subject to change without notice. PAN_10TBKLT_052311
