8 Things your firewall must do.
An edge assessment.
A firewall is a firewall is a firewall, right?
No...
Most firewall acquisitions traditionally started with these 3 considerations.
1. Performance - Does the firewall have enough throughput for the business needs?
2. Operations - How complex is the firewall to manage?
3. Security functions - What's the efficacy of the security controls and will the team be able to manage risks associated with the applications on the environment?
Then?
The waters became muddied.
FW vs. UTM vs. NGFW
Those considerations are now impacted by differing ideals and by different vendors, on how to protect your edge.
A traditional firewall (FW) is a device that is able to control traffic allowed to enter or exit a point in the network. This is usually done using a stateful (is it starting, is it being used, is it closing down?) or stateless method, depending on the type of protocol being run. A firewall that can track the state of traffic will be more effective than a stateless firewall. Most traditional firewalls are also limited to levels 2 to 4 of the OSI model, which in today's environment, is no longer enough.
Unified threat management (UTM) is an appliance which starts out as a stateful firewall, but has services like Anti-virus, Content Filtering and Anti-spam bolted on. Some devices monitor up to layer 7 on the OSI model. Most appliances are signature based.
Next Generation Firewall (NGFW) is an appliance architectured from scratch with control and visibility of applications, regardless of port, protocol, evasive tactics or decryption, offering protection against known and unknown threats. These devices also operate up to layer 7 in the OSI model.
Needless to say, that if anyone reading this is still using a traditional firewall, no need to read any further, it is time for an upgrade.
Let's muddy the water a little more.
Architectural approaches.
As security vendors build their next generation firewalls and UTMs, they have taken one of two architectural approaches:
The application identification is built into the firewall as the primary classification engine.
or,
An application signature pattern engine added to a port based firewall.
Both these approaches recognise applications with varying degrees of success, usability and relevance. These architectural approaches however, importantly dictate the security model for application policies.
Positive application policies - define what is allowed, deny everything else, or
Negative application policies - define what to block, and allow everything else.
A positive application policy forces the traffic to be proactively classified at the firewall to ensure that the appropriate traffic is allowed. You then have full visibility into the network traffic, policy management making easier incident investigation, improving protection against known and unknown cyber-attacks. As you allow more known applications in your network, there is control over unknown applications with the deny all else premise.
We believe a positive application policy is the right way to go.
Enough mud, what is best for your business?
A firewall assessment based on business needs.
Due to the changes in cyber-attacks, different vendor approaches, and varying architecture, you should ask the following 8 questions of your firewall:
1. Does your firewall identify and control applications, and their functions, on all ports all the time?
More and more applications are port hopping, which means they are able to operate on non-standard ports. Your firewall should assume that applications can run on any port, and continuously track applications states based on risk and user requirements.
2. Does your firewall identify and control users reliably?
As users connect to different repositories within your network, and out to the internet, using a myriad of devices, it is important to your risk posture to identify who they are beyond their IP address. Your firewall should be able to track a user and allow user groups to use different applications based on their job requirement.
3. Does your firewall identify and control security evasion tools?
Some users will require to use tools like TeamViewer, encrypted tunnels and remote desktop services in order to fulfill their job requirements. Unfortunately, some unauthorised users will also use such applications to bypass the firewall. Some users will also use public proxies to circumvent the same firewall policies. Your firewall must have specific techniques to identify and control these applications regardless whether they are allowed in your network or not.
4. Does your firewall decrypt and inspect SSL and control SSH traffic?
As more and more network traffic is encrypted, it becomes important that there is an ability to decrypt certain SSL and SSH traffic. If there is no ability to decrypt SSL and SSH activity, encrypted traffic on non-standard ports and from geographical locations known to have malicious IP's, will not be detected. Your firewall must be able to recognise legitimate SSL and SSH traffic and leave it alone, and have the ability to recognise and decrypt suspicious encrypted packets.
5. Does your firewall systematically manage unknown traffic?
Every network has small amounts of unknown traffic being transmitted. This unknown traffic can represent a risk as this traffic can be tied to threats in the network. Attackers often are forced to modify a protocol in order to exploit a target application. Your firewall must be able to classify all traffic on all ports in one management location, for your team to quickly analyse the traffic and determine if it is an internal application, an unknown commercial application, or a threat.
6. Does your firewall protect your network from known and unknown threats?
Businesses continue to adopt a wide range of applications such as SharePoint, Google Docs, Office 365 or other externally hosted solutions to enable business. These application are now essential for the business, but they are susceptible to cyber-attacks, as many of these applications rely on IIS and SQL, which are regularly exploited. Your firewall must identify the applications, determine the functions you may want to allow or deny and above all, protect the organisation from viruses, malware and spyware, known or unknown, from attacking those applications.
7. Does your firewall simplify network security with the addition of application control?
Most organisation IT teams, that are not relying on an external managed security service provider, are already overloaded. Your team can't manage what they already have to deal with, slowing down response times. Your business is based on applications, therefore your firewall must allow you to build policies that support your business initiatives and applications. A firewall policy based on port and IP address, followed by separate policies for applications, anti-malware, only complicates the policy management process.
8. Does your firewall deliver the same throughput and performance with application control fully activated?
Many businesses end up compromising between performance and security. Often, turning up the security features on your firewall means accepting the degradation of performance and throughput. Your firewall must have hardware specifically dedicated to specific tasks like networking, security and content scanning.
PaloAlto Networks
Here at Secure-ISS, we have undertaken a long and thorough review of the best Next Generation Firewalls for our own organisation. We also asked the above questions of our own infrastructure, and came up with one answer. PaloAlto Networks ticks all the boxes.
PaloAlto Networks and Pulse Secure
We have recently partnered with Pulse Secure to enhance our VPN capabilities, but additionally, we added even more strength in our depth in defense approach. These two technologies working together, offer even more flexibility and advantages for your business.
Pulse Secure enhances real time user identity and endpoint compliance for guests and employees using remote devices, complementing PaloAlto Networks context-aware offerings.
Endpoint Compliance
Enhanced host-checking capabilities for mobile devices.
Authentication
Flexible, Industry grade authentication.
Transparent Session Migration
Seamless user roaming between remote and onsite locations.