Stop Thinking: Traditional firewall.
Start Thinking: Next-generation firewall

An Introduction
In the face of today’s complex cybersecurity landscape, choosing your next firewall is more than a simple comparison of technical features. It’s about embracing a change in your role as an enabler of business rather than a blocker. It’s about balancing the needs of the company with the business and security risks associated with modern applications. It’s about acknowledging that the world has changed around you and you can no longer protect yourself with an approach to cybersecurity that worked well when web browsing and email were the only two applications on the Internet. It’s about the 10 things we describe in this booklet that we believe your next firewall must do.

Stop Thinking: Bricks.
Start Thinking: Open air, everywhere.

Identify and control applications on any port

Application developers no longer adhere to standard port/protocol/application mapping. More and more of the applications on your network are capable of operating on non-standard ports or can hop ports (e.g., instant messaging applications, peer-to-peer file sharing, or VoIP). Additionally, users are increasingly savvy enough to force applications to run over non-standard ports (e.g., RDP, SSH). In order to enforce application-specific policies where ports are increasingly irrelevant, your next firewall must assume that any application can run on any port.
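The point above, shown as an added example (not code from the booklet or from any firewall vendor): a simplified classifier that identifies a flow from its first client bytes and compares the result with what a port-only rule would assume. The port map, function names and sample flows are assumptions constructed for illustration; a production firewall uses far deeper protocol decoding than these four signatures.

```python
# Added example: payload-based application identification vs. port-based guessing.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
PORT_MAP = {22: "ssh", 80: "http", 443: "tls", 3389: "rdp"}  # what a port-only rule assumes

def identify_app(payload: bytes) -> str:
    """Classify a flow from its first client bytes, ignoring the port."""
    if payload.startswith(b"SSH-"):            # RFC 4253 identification string
        return "ssh"
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"                           # TLS handshake record carrying a ClientHello
    if len(payload) >= 6 and payload[:2] == b"\x03\x00" and payload[5] == 0xE0:
        return "rdp"                           # TPKT header + X.224 Connection Request
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def audit(flows):
    """Return (port, assumed, observed) for flows where the port's assumption is wrong."""
    findings = []
    for dst_port, payload in flows:
        assumed = PORT_MAP.get(dst_port, "unknown")
        observed = identify_app(payload)
        if observed != assumed:
            findings.append((dst_port, assumed, observed))
    return findings

# Constructed sample flows: (destination port, first bytes sent by the client).
SAMPLE_FLOWS = [
    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),                       # SSH moved to port 443
    (443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),      # truncated TLS ClientHello
    (8080, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"), # HTTP on a non-standard port
    (80, b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00"
         b"\x01\x00\x08\x00\x03\x00\x00\x00"),               # RDP connection request on port 80
]

if __name__ == "__main__":
    for port, assumed, observed in audit(SAMPLE_FLOWS):
        print(f"port {port}: port rule assumes {assumed}, payload is {observed}")
```

A port-only policy would treat the first and last flows as ordinary web traffic; the payload check is what exposes them as SSH and RDP.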

Identify and control circumventors

Most organizations have security policies along with controls designed to enforce those policies. External proxies, remote server/desktop management tools, and encrypted tunnel applications are being used to circumvent security controls like firewalls. Without the ability to identify and control these tools, your organization cannot enforce its security policies, exposing the business to the very cyberattacks the security controls were designed to mitigate. Your next firewall must be capable of dealing with these circumvention tools.

Stop Thinking: Closed doors.
Start Thinking: Freedom.

Decrypt SSL and control SSH usage

The number of commonly used applications on your network that have adopted SSL as a means of encrypting traffic currently hovers at around 25%. The increased use of HTTPS for many high-risk, high-reward applications and users’ ability to manually enable SSL on many websites mean your network security team has a large and growing blind spot. As SSH is used more commonly by tech-savvy employees, the encryption blind spot may be even larger than you thought. Your next firewall must be capable of decrypting and inspecting SSL traffic on any port, be flexible enough to bypass selected segments of SSL traffic (e.g., web traffic from health care organizations), and enforce the native use of SSH via policy.

Provide application function control

Many applications have significantly different functions, presenting your organization with different risk profiles and value. Many business-focused as well as end-user-focused examples exist, such as WebEx vs. WebEx Desktop Sharing and GoogleMail vs. Google Talk. If your organization is heavily dependent on intellectual property, then external desktop sharing and file transfer applications may represent security and regulatory risks. Your next firewall must continually evaluate the traffic and watch for changes: if a different function or feature is introduced in the session, the firewall must recognize the shift and perform a policy check.

For the complete list, download Palo Alto Networks’ free guide, ‘10 Things Your Next Firewall Must Do’.
