
Key Policy Considerations When Implementing Next-Generation Firewalls

Agenda
• Why next-generation firewalls (NGFWs)?
• How to manage NGFW policies in a mixed
environment
• NGFW deployment best practices
• Examine a real-life use case
Today’s Panelists

• Josh Karp, Director, Business Development, AlgoSec
• Ben Dimmitt, Sr. Corporate Solutions Specialist, Palo Alto Networks
• Jared Beck, Sr. Solutions Architect, Dimension Data
Understanding Next-Generation
Firewalls
Applications Have Changed;
Firewalls Have Not
The firewall is the right place to enforce policy control
• Sees all traffic
• Defines trust boundary
• Enables access via positive control

BUT… applications have changed
• Ports ≠ Applications
• IP Addresses ≠ Users
• Packets ≠ Content

Need to restore visibility and control in the firewall
Applications Carry Risk
Applications can be “threats”
• P2P file sharing, tunneling applications, anonymizers, media/video

Applications carry threats
• SANS Top 20 Threats – majority are application-level threats

Applications & application-level threats result in major breaches – Pfizer, VA, US Army
The Right Answer:
Make the Firewall Do Its Job
Next Generation Firewall (NGFW)

1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
ID Technologies / Architecture - Transform the Firewall
• App-ID™: Identify the application
• User-ID™: Identify the user
• Content-ID™: Scan the content
• SP3 Architecture: Single-Pass Parallel Processing
Comprehensive View of Applications, Users & Content
• Application Command Center (ACC)
– View applications, URLs, threats, data filtering activity
• Add/remove filters to achieve desired result

[Screenshots: Filter on Facebook-base; Filter on Facebook-base and user cook; Remove Facebook to expand view of cook]
Fewer Policies, Greater Control

• Very simple, yet very powerful, control of applications, users, and content
Unprecedented Levels
of Enterprise 2.0 Control
• Now you can minimize risks, maximize rewards:
- Block bad apps to reduce attack surface
- Allow all application functions
- Allow, but only certain functions
- Allow, but scan to remove threats
- Allow, but only for certain users
- Allow, but only for certain time periods
- Decrypt where appropriate
- Shape (QoS) to optimize use of bandwidth
…and various combinations of the above
Managing Next-Generation Firewall Policies in a Defense-in-Depth Network
Today’s Network is a Complex Maze
What’s in Your Network?
• Multiple firewall vendors?
• Different firewall models?
• Numerous firewall types
(traditional, NGFW, etc.)?
• Vendor-specific firewall
management consoles?
• Other security devices (routers,
SWGs, etc.)?

Network Security Challenges
55.6% of Challenges Lie with Problematic Internal Processes

“What is the greatest challenge when it comes to managing network security devices in your organization?”
• Time-consuming manual processes, 30.0%
• Lack of visibility into network security policies, 21.7%
• Poor change management processes, 15.6%
• Preventing insider threats, 13.3%
• Error-prone processes cause risk, 10.0%
• Tension between IT admin and InfoSec teams, 9.4%

Source: State of Network Security, AlgoSec, 2012
Holistic Visibility of Firewall Policies in a Defense-in-Depth Setup
Analyze Firewall Policies
Across the Entire Network
• Analyze all possible traffic variations
based on dynamic network simulation
• Understand the network with topology
awareness that accounts for various
firewall technologies
• Analyze how traffic flows through
multiple firewalls
• Aggregate findings from firewall
groups

Use this information to optimize policies, reduce risk and ensure compliance
Optimize Your Rule Base
• Optimize policies by eliminating unused rules or objects, consolidating
similar rules, etc.
• Re-order rules for optimal firewall performance
• Tighten overly permissive rules based on historical usage patterns
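
An added example (not from the webinar or from any vendor product) of the three clean-up checks listed above, run over a constructed first-match rule base and constructed flow records: rules no traffic hit, rules fully covered by an earlier rule, and broad allow rules narrowed to the ports actually seen. The `Rule` model, rule names and addresses are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:                      # hypothetical, vendor-neutral rule model
    name: str
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    ports: tuple                 # inclusive (low, high) destination ports
    action: str                  # "allow" or "deny"

def covers(a, b):
    """True when every packet matching rule b also matches rule a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def first_match(rules, flow):
    src, dst, port = flow
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and r.ports[0] <= port <= r.ports[1]):
            return r
    return None

def analyze(rules, flows):
    """Return (shadowed, unused, tighten) for a first-match rule base."""
    shadowed = {}                # later rule -> earlier rule that hides it
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                shadowed[later.name] = earlier.name
                break
    seen = {r.name: set() for r in rules}   # ports observed per rule
    for flow in flows:
        r = first_match(rules, flow)
        if r:
            seen[r.name].add(flow[2])
    unused = [r.name for r in rules if not seen[r.name]]
    # Allow rules whose port range is wider than the ports traffic used.
    tighten = {r.name: sorted(seen[r.name]) for r in rules
               if r.action == "allow" and seen[r.name]
               and r.ports[1] - r.ports[0] + 1 > len(seen[r.name])}
    return shadowed, unused, tighten

# Constructed sample data (documentation address ranges).
RULES = [Rule("allow-web", "10.0.0.0/8", "192.0.2.0/24", (443, 443), "allow"),
         Rule("allow-app-any", "10.1.0.0/16", "198.51.100.0/24", (1, 65535), "allow"),
         Rule("allow-app-db", "10.1.2.0/24", "198.51.100.10/32", (5432, 5432), "allow"),
         Rule("allow-legacy-ftp", "10.9.0.0/16", "203.0.113.5/32", (21, 21), "allow"),
         Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", (1, 65535), "deny")]
FLOWS = [("10.2.3.4", "192.0.2.10", 443), ("10.1.2.7", "198.51.100.10", 5432),
         ("10.1.5.5", "198.51.100.20", 8443), ("172.16.0.1", "192.0.2.10", 22)]
```

A rule that is both shadowed and unused (`allow-app-db` here) can usually be removed outright, while an unused rule that is not shadowed needs an owner to confirm it is no longer required.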

Assess Firewall Policies for Risk

• Leverage database of industry best-practices and known risks
• Identify and quantify risky rules
Simplify Audit and Compliance
• Auto-generate compliance reports
• Consolidate compliance view with device-specific drill downs
• Out-of-box regulation support for PCI DSS, SOX, ISO 27001, Basel II, NERC CIP, J-SOX
Keep Up With Changes
Does your firewall change process look like this?

• 20-30% of changes are unneeded
• 5% implemented incorrectly
Automate the Firewall Change Workflow

[Workflow diagram: Request Analysis → Proactive Risk Assessment → Optimal Implementation Design → Verify Correct Execution → Audit the Change Process. Additional labels: Recertify Rules, Measure SLAs. Roles shown: Security, Operations, Compliance, Executive.]
AlgoSec Security Management Suite

Business Impact

• 60% reduction in change management costs
• 80% reduction in firewall auditing costs
• Improved security posture
• Improved troubleshooting and network availability
• Improved organizational alignment and accountability
Managing Firewall Policies Across
Diverse Network Environments
More Results.
Better Accuracy.
• Non-Intrusive
• Topology-aware analysis
• Single device, group, or “matrix” analysis
• Patented algorithms analyze all traffic variations
• Near real-time change monitoring
• Broadest knowledgebase for risk and compliance
Firewall Policy Management Checklist
Automation that Delivers
Security and Operational Value and Helps You:
• Make the business more agile

• Refocus efforts on more strategic tasks

• Minimize misconfigurations/human errors

• Ensure continuous compliance

• Reduce operational and security costs

Firewall Management Best
Practices from the Field
Next Generation Firewalls
and their Applications
• Defining, validating, and enforcing access policy allowing the right content at the right time for the right users are critical for the success of an organization’s infrastructure security model.
• Organizations need to rethink security strategy at a much higher layer in the OSI model…
• Palo Alto firewalls are deployed in one of two ways:
  • Inline behind the current enterprise firewall, as a “Virtual Wire”, to augment existing stateful policies. Often done to prove out the power of Palo Alto’s AppID and UserID.
  • Replacement of existing enterprise firewalls through migration. Existing rule bases need to be analyzed and cleaned up before migrating, and AlgoSec ensures a smooth process.
Firewall Management Tips
Four Keys:
1. Be diligent in patching your firewalls
2. Regularly monitor configuration
3. Assess your rule base
4. Automate and centralize
– An obstacle to effectively managing security controls and network policies is the disparate nature of point products.
– Managing firewalls with different configurations and interfaces is cumbersome and prone to human error.
– Compliance with regulations requires robust security policies, which requires mapping 1000s of security controls to the required network policies – a daunting and potentially resource-draining task.
Firewall Assessment Approach
• Firewall Assessment
  • Governance
  • Risk
  • Compliance
  • Audit
• Ongoing Firewall Management Services
  • Monitoring
  • Change Control
• Workshops
  • Policies and Procedure Review/Design
• Implementation Services
  • Product Integration
  • Firewall Design
  • Network segmentation
Dimension Data’s Firewall Assurance
Approach
• Firewall Policy and Risk Management:
– Monitor firewall policy changes, report them in real time and maintain a comprehensive, accurate audit trail for full accountability
– Provide analysis and clean-up of complex rule bases and objects to eliminate potential security breaches and improve performance
– Perform powerful simulation and risk analysis to identify potential security risks, ensure compliance with organizational security standards, and prevent service interruptions

• Firewall Threat Management:
– Provide regulatory compliance validation and auditing
– Perform rule-based egress and regress testing
– Signature development and fine-tuning
– Advanced penetration testing
– Application protocol and threat traffic scanning
Case Study: Large Financial
Institution
Challenge
• Public banking security breaches raised concerns about security posture and compliance status

Business Impact
• The business was susceptible to a security breach
• Non-compliance to audit requirements could result in financial penalties

Dimension Data Solution
• Able to perform firewall assessment using AlgoSec to determine strength of existing firewall policies
• Deployed Palo Alto 5060 firewalls to protect critical infrastructure

Benefits
• Compliance audit requirements are met consistently
• Ability to report accurately on security posture
• Processes and systems ensure proactive and effective management of security infrastructure
• System and process automation lowers TCO
Case Study:
Firewall Assessment Sample Content

Case Study:
Palo Alto Deployment Example

Q&A and Additional Resources
• AlgoSec-Palo Alto Networks Solution Brief
http://media.paloaltonetworks.com/documents/algosec.pdf

• Case Studies
– AlgoSec:
http://www.algosec.com/en/customers/testimonials
– Palo Alto Networks:
http://www.paloaltonetworks.com/literature/customers/Reed-Customer-Video.html

• AlgoSec Security Management Suite Evaluation
AlgoSec.com/eval
