
10 Things Your Next Firewall Must Do

Stop Thinking: Traditional firewall.
Start Thinking: Next-generation firewall.

An Introduction
In the face of today's complex cybersecurity landscape, choosing your next firewall is more than a simple comparison of technical features. It's about embracing a change in your role, from a blocker to an enabler of the business. It's about balancing the needs of the company against the business and security risks that modern applications bring with them. It's about acknowledging that the world has changed around you: an approach to cybersecurity that worked well when web browsing and email were the only two applications on the Internet no longer protects you. It's about the 10 things described in this booklet that we believe your next firewall must do.

Stop Thinking: Bricks.
Start Thinking: Open air, everywhere.

Identify and control applications on any port


Application developers no longer adhere to the standard port/protocol/application mapping. More and more of the applications on your network can operate on non-standard ports or hop between ports (e.g., instant messaging, peer-to-peer file sharing, or VoIP). Additionally, users are increasingly savvy enough to force applications to run over non-standard ports (e.g., RDP, SSH). Port numbers are therefore no longer a reliable indicator of the application. In order to enforce application-specific policies where ports are increasingly irrelevant, your next firewall must assume that any application can run on any port and identify the application from the traffic itself.

Identify and control circumventors


Most organizations have security policies along with controls designed to enforce those policies. External proxies, remote server/desktop management tools, and encrypted tunnel applications are being used to circumvent security controls such as firewalls. Without the ability to identify and control these tools, your organization cannot enforce its security policies, exposing the business to the very cyberattacks the controls were designed to mitigate. Your next firewall must be capable of identifying and controlling these circumvention tools.

Stop Thinking: Closed doors.
Start Thinking: Freedom.

Decrypt SSL and control SSH usage

The number of commonly used applications on your network that have adopted SSL as a means of encrypting traffic currently hovers at around 25%. The increased use of HTTPS for many high-risk, high-reward applications, and users' ability to manually enable SSL on many websites, means your network security team has a large and growing blind spot. As SSH is used more commonly by tech-savvy employees, the encryption blind spot may be even larger than you thought. Your next firewall must be capable of decrypting and inspecting SSL traffic on any port; be flexible enough to bypass selected segments of SSL traffic (e.g., web traffic from health care organizations); and enforce the native use of SSH via policy, so that SSH is used as SSH and not as an encrypted tunnel for other applications.

Provide application function control

Many applications have significantly different functions, presenting your organization with different risk profiles and value. Many business-focused as well as end-user-focused examples exist: WebEx vs. WebEx Desktop Sharing, and Google Mail vs. Google Talk. If your organization is heavily dependent on intellectual property, then external desktop sharing and file transfer applications may represent security and regulatory risks. Your next firewall must continually evaluate the traffic and watch for changes: if a different function or feature is introduced in the session, the firewall must recognize the shift and perform a policy check.
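The decryption-bypass behaviour described above, as an added example that is not code from this booklet or from Palo Alto Networks: a per-session decryption policy that decides from the server name in the TLS ClientHello (not from the destination port) whether a session is decrypted and inspected or left encrypted because its category is exempt. The category table, the bypass categories, the host names and the hand-built ClientHello messages are all constructed for this example; a real deployment would consult a URL-category feed instead of the dictionary.

```python
"""
Added example, not code from the Palo Alto Networks booklet: a decryption
policy that decides per TLS session whether to decrypt and inspect it or to
leave it encrypted, based on the SNI in the ClientHello rather than on the
destination port. CATEGORY_DB, BYPASS_CATEGORIES and the host names are
constructed stand-ins for a real URL-category database.
"""
from typing import Dict, List, Optional, Tuple

# Constructed category lookup (stand-in for a URL-filtering/category database).
CATEGORY_DB: Dict[str, str] = {
    "clinic.example.org": "health-and-medicine",
    "bank.example.com": "financial-services",
    "cloud-share.example.net": "file-sharing",
}
# Categories deliberately left encrypted (privacy/regulatory); everything else is decrypted.
BYPASS_CATEGORIES = {"health-and-medicine", "financial-services"}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello carrying an SNI extension (test input only)."""
    host = server_name.encode("ascii")
    name_entry = b"\x00" + len(host).to_bytes(2, "big") + host              # name_type host_name (0)
    name_list = len(name_entry).to_bytes(2, "big") + name_entry
    sni_ext = b"\x00\x00" + len(name_list).to_bytes(2, "big") + name_list  # extension type 0 = server_name
    extensions = len(sni_ext).to_bytes(2, "big") + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"   # version, fixed "random", empty session id
            + b"\x00\x02\x13\x01"                  # one cipher suite
            + b"\x01\x00"                          # null compression only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # TLS handshake record


def extract_sni(payload: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello, or None if absent, truncated or malformed."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        p = 9 + 2 + 32                                      # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                                 # session id
        p += 2 + int.from_bytes(payload[p:p + 2], "big")    # cipher suites
        p += 1 + payload[p]                                 # compression methods
        end = p + 2 + int.from_bytes(payload[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            ext_type = int.from_bytes(payload[p:p + 2], "big")
            ext_len = int.from_bytes(payload[p + 2:p + 4], "big")
            p += 4
            if ext_type == 0:                               # server_name extension
                q, stop = p + 2, p + ext_len                # skip server_name_list length
                while q + 3 <= stop:
                    name_type = payload[q]
                    name_len = int.from_bytes(payload[q + 1:q + 3], "big")
                    q += 3
                    if name_type == 0:
                        return payload[q:q + name_len].decode("ascii", "replace")
                    q += name_len
            p += ext_len
    except IndexError:
        return None                                         # truncated or garbage ClientHello
    return None


def decrypt_decision(payload: bytes) -> Tuple[Optional[str], Optional[str], str]:
    """Decide for one client-to-server payload; returns (sni, category, action)."""
    if not payload or payload[0] != 0x16:
        return None, None, "not-tls"          # not a TLS handshake; other policy applies
    sni = extract_sni(payload)
    if sni is None:
        return None, None, "decrypt"          # no SNI means no category, so a bypass cannot be justified
    category = CATEGORY_DB.get(sni, "unknown")
    action = "bypass" if category in BYPASS_CATEGORIES else "decrypt"
    return sni, category, action


# Constructed sessions: (destination port, first client bytes). The port plays no role in the decision.
SAMPLE_SESSIONS: List[Tuple[int, bytes]] = [
    (443, build_client_hello("clinic.example.org")),
    (8443, build_client_hello("cloud-share.example.net")),   # TLS on a non-standard port
    (443, build_client_hello("bank.example.com")),
    (443, build_client_hello("unlisted.example")),
    (443, b"GET / HTTP/1.1\r\nHost: plain.example\r\n\r\n"),  # plaintext on 443
    (443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01"),          # truncated ClientHello
]


def run(sessions: List[Tuple[int, bytes]]) -> List[Tuple[int, Optional[str], Optional[str], str]]:
    """Return (dport, sni, category, action) for every sample session."""
    return [(dport,) + decrypt_decision(data) for dport, data in sessions]


if __name__ == "__main__":
    for dport, sni, category, action in run(SAMPLE_SESSIONS):
        print(f":{dport:<5} sni={sni!s:<24} category={category!s:<20} -> {action}")
```

Note the two failure modes the policy has to get right: a ClientHello with no usable SNI falls through to "decrypt" rather than "bypass", because an exemption has to be positively justified, and a truncated or malformed handshake is rejected by the parser instead of raising an exception in the data path.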

Stop Thinking: What's on the network?
Start Thinking: The network is safe.

Systematically manage unknown traffic
A small amount of unknown traffic exists on every network. It may be a custom application, an unidentified commercial application, or a threat. Whatever the unknown traffic is, it represents significant business and security risk. Blocking all unknown traffic will inhibit the business; allowing it blindly is very high risk. The balanced approach is to apply classification, analysis and policy control to the traffic in a systematic manner, reducing the risk while enabling the business. Your next firewall must classify all traffic, make it easy to characterize custom applications so they are known in your network security policy, analyze traffic to see whether it is a threat, and provide predictable visibility and policy control over whatever traffic remains unknown.
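The port-independent identification, the SSH policy control and the unknown-traffic handling described in the sections above, as one added example that is not code from this booklet or from Palo Alto Networks: a toy classifier that labels a flow from the first bytes the client sends and never from the destination port, lets you register a signature for an in-house protocol so it stops being "unknown", and gives whatever is still unknown a single predictable, logged decision. The flows, the management subnet, the policy actions and the "acme-inventory" application are all constructed for this example.

```python
"""
Added example, not code from the Palo Alto Networks booklet: a toy
port-independent application identifier with an application-based policy.
All flows, subnets, signatures and the "acme-inventory" application are
constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple
import re


@dataclass(frozen=True)
class Flow:
    src: str        # client IP address
    dport: int      # destination port; kept for logging, ignored for identification
    payload: bytes  # first bytes sent by the client


_HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def identify_app(payload: bytes, custom: Optional[Dict[str, bytes]] = None) -> str:
    """Label the application from the client's first bytes, never from the port.

    `custom` maps an application name to the payload prefix that identifies it,
    so in-house protocols are recognised before the built-in checks run.
    """
    for name, prefix in (custom or {}).items():
        if payload.startswith(prefix):
            return name
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS: handshake record (0x16), record version 3.x, handshake type ClientHello (0x01)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    # RDP: TPKT header (version 3, reserved 0) carrying an X.224 Connection Request (0xE0)
    if len(payload) >= 6 and payload[0] == 0x03 and payload[1] == 0x00 and payload[5] == 0xE0:
        return "rdp"
    m = _HTTP_REQUEST.match(payload)
    if m:
        # CONNECT is how an HTTP proxy tunnels arbitrary traffic; keep it distinct from browsing
        return "http-proxy-connect" if m.group(1) == b"CONNECT" else "http"
    return "unknown"


ADMIN_NET = ip_network("10.0.50.0/24")  # constructed management subnet


def decide(flow: Flow, custom: Dict[str, bytes], unknown_log: List[str]) -> Tuple[str, str]:
    """Apply an application-based policy to one flow; returns (application, action)."""
    app = identify_app(flow.payload, custom)
    if app == "tls":
        return app, "decrypt-inspect"
    if app == "ssh":
        # SSH is allowed only from the admin subnet, whatever port it shows up on
        return app, "allow" if ip_address(flow.src) in ADMIN_NET else "block"
    if app in ("rdp", "http-proxy-connect"):
        return app, "block"  # remote-management and proxy tunnels are circumventors: off by default
    if app == "http" or app in custom:
        return app, "allow"
    # Genuinely unknown traffic gets one explicit rule, and every hit is logged for later analysis
    unknown_log.append(f"unknown src={flow.src} dport={flow.dport} first={flow.payload[:8]!r}")
    return app, "allow-log"


# Constructed sample flows: the same application shows up on several ports.
SAMPLE_FLOWS = [
    Flow("10.0.50.7", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),                   # SSH hidden on 443, from admin
    Flow("10.0.12.9", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),                   # same thing from a user desktop
    Flow("10.0.12.9", 8443, bytes.fromhex("160301006a0100006603036a")),   # TLS ClientHello on 8443
    Flow("10.0.12.9", 80, b"CONNECT exfil.example:443 HTTP/1.1\r\nHost: exfil.example\r\n\r\n"),
    Flow("10.0.12.9", 8080, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow("10.0.12.9", 3390, bytes.fromhex("030000130ee000000000000100080003000000")),  # RDP on 3390
    Flow("10.0.12.9", 7000, b"ACME/1 LIST\n"),                            # hypothetical in-house app
    Flow("10.0.12.9", 7001, b"\x00\x01\x02\x03zzz"),                      # nothing we recognise
]


def run(flows: List[Flow], register_custom: bool = True) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Classify every flow; optionally register the in-house signature first."""
    custom = {"acme-inventory": b"ACME/1 "} if register_custom else {}
    log: List[str] = []
    return [decide(f, custom, log) for f in flows], log


if __name__ == "__main__":
    results, log = run(SAMPLE_FLOWS)
    for flow, (app, action) in zip(SAMPLE_FLOWS, results):
        print(f"{flow.src:>10} -> :{flow.dport:<5} {app:<20} {action}")
    print("\n".join(log))
```

Run it once with the in-house signature registered and once without: the "ACME/1" flow is the only thing that changes, moving from the unknown bucket into a named, allowed application, which is exactly the "characterize custom applications so they are known in policy" step. Everything else, including SSH on 443, is decided on what the bytes are rather than on which port they arrived.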

Block known and unknown threats in allowed applications


Enterprises continue to adopt a wide range of applications to enable the business, hosted either internally or outside of your physical location. Whether it's hosted SharePoint, Box.com, Google Docs, Microsoft Office 365, or an extranet application hosted by one of your partners, your organization may be using an application that operates on non-standard ports, uses SSL, or shares files. These applications enable the business, but they also carry business and security risks. Your next firewall must be capable of safely enabling such applications, which means allowing an application while controlling the transfer of files by type and scanning the application's traffic for threats, both known and unknown, across all ports.
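The "control the transfer of files by type" part of the point above, as an added example that is not code from this booklet or from Palo Alto Networks: the type of a transferred file is determined from its content (magic bytes), not from its declared file name, so renaming an executable to .txt does not get it through an allowed application. The magic-byte values are the standard ones; the sample files and the block/allow policy are constructed for this example.

```python
"""
Added example, not code from the Palo Alto Networks booklet: file-type control
done on content (magic bytes) rather than on the declared file name.
The sample files and the policy are constructed for this example.
"""
from typing import List, Tuple

# Well-known magic-byte signatures, all at offset 0.
_SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),   # also docx/xlsx/jar; inspect the archive members to refine
]
BLOCKED_TYPES = {"pe-executable", "elf-executable"}


def detect_type(data: bytes) -> str:
    """Classify file content by magic bytes; fall back to text/binary/empty."""
    for magic, name in _SIGNATURES:
        if data.startswith(magic):
            return name
    try:
        data.decode("utf-8")
        return "text" if data else "empty"
    except UnicodeDecodeError:
        return "unknown-binary"


def file_policy(data: bytes) -> Tuple[str, str]:
    """Decide on one transferred file; returns (detected type, action).
    The declared file name is deliberately not an input: it is attacker-controlled."""
    real = detect_type(data)
    if real in BLOCKED_TYPES:
        return real, "block"
    if real == "unknown-binary":
        return real, "block-and-log"   # unrecognised content gets the same stance as unknown traffic
    return real, "allow"


# Constructed sample transfers: (declared name, first bytes of the file).
SAMPLE_FILES: List[Tuple[str, bytes]] = [
    ("notes.txt", b"MZ\x90\x00\x03\x00\x00\x00"),            # PE executable renamed to .txt
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("readme.txt", b"hello world\n"),
    ("blob.bin", b"\x00\xff\xfe\xfd\x01\x02"),
]


def run(files: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str]]:
    """Return (declared name, detected type, action) for every sample file."""
    return [(name,) + file_policy(data) for name, data in files]


if __name__ == "__main__":
    for name, real, action in run(SAMPLE_FILES):
        print(f"{name:<12} detected={real:<16} -> {action}")
```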

Stop Thinking: Restricted.
Start Thinking: Free to go, go, go.

Enable consistent security for all users and devices

A significant number of your users now work remotely, and they expect to connect to their applications via Wi-Fi, wireless broadband, or any means necessary, seamlessly and consistently. The same standard of network application control must apply regardless of where the user is or what type of device they are using. If your next firewall provides application visibility and control over traffic inside the four walls of the enterprise but not outside them, it misses some of the riskiest traffic.

Make network security simpler

Your security team is overloaded with managing multiple information feeds, a range of security policies, and the associated device management interfaces. Adding more to an overloaded team will not help. Given that typical firewall installations have thousands of rules, your next firewall must make your security team's life easier with the ability to identify, control, investigate and report on the applications, users and content traversing your network.

Stop Thinking: Complexity.
Start Thinking: Simplicity.

Support the same features in both hardware and virtualized form factors
The benefits of virtualization are significant, but so too are the security challenges. Traditional firewalls struggle with the automatic establishment and tear-down of virtual machine instances because of their reliance on ports and protocols. The dynamic nature of the virtualized datacenter dictates that traffic flowing within the virtual environment (east-west traffic) must be secured in the same dynamic and automated manner. Your next firewall must support the same feature set in both hardware and virtual form factors, and it must integrate with the virtualization environment to streamline the creation of application-centric policies as new virtual machines and applications are established and taken down.

Deliver the same throughput and performance with application control fully activated

Many enterprises struggle with a forced compromise between performance and security: all too often, enabling network security features means accepting lower throughput and higher latency. If your next firewall is built the right way, this compromise is unnecessary. Given that computationally intensive tasks (e.g., application identification) must be performed on high traffic volumes with low latency, your next firewall must have hardware optimized for specific tasks such as networking, security, and content scanning.


Stop Thinking: Them.
Start Thinking: Us.

In Conclusion
Applications are how your users get their jobs done in the face of competing personal and professional priorities. As your users continue to adopt new applications and technologies, they inadvertently introduce new cybersecurity risks. Allowing them all is unreasonable, and obstructing their adoption may inhibit your business. Because of this, safe application enablement is increasingly the correct policy stance. Safe application enablement is best implemented using a systematic approach: determine the usage patterns and the business case, document the appropriate use as policy going forward, and enforce that use with technology. The 10 Things Your Next Firewall Must Do can help you put the necessary controls in place, especially in the face of a more varied and rich application and threat landscape. Without the network security infrastructure to cope with such variety and depth, you can't safely enable the necessary applications and manage risk. A next-generation firewall that delivers on these 10 capabilities is really all it takes.

Ready to Learn More?

View a demonstration: www.paloaltonetworks.com/demo
Request a network security assessment: www.paloaltonetworks.com/avr
Download a Buyer's Guide: www.paloaltonetworks.com/buyersguide

© 2013 Palo Alto Networks, Inc. All Rights Reserved. Palo Alto Networks and the Palo Alto Networks Logo are trademarks or registered trademarks of Palo Alto Networks, Inc. Other company and product names may be trademarks of their respective owners. Specifications are subject to change without notice. PAN_10TBKLT_072613
