Stop Thinking: Traditional firewall.
Start Thinking: Next-generation firewall
In the face of today’s complex cybersecurity landscape, choosing your next firewall is more than a simple comparison of technical features. It’s about embracing a change in your role as an enabler of business rather than a blocker. It’s about balancing the needs of the company with the business and security risks associated with modern applications. It’s about acknowledging that the world has changed around you and you can no longer protect yourself with an approach to cyber security that worked well when web browsing and email were the only two applications on the Internet. It’s about the 10 things we describe in this booklet that we believe your next firewall must do.
Stop Thinking: Bricks.
Start Thinking: Open air, everywhere.
Identify and control applications on any port
Application developers no longer adhere to standard port/protocol/application mapping. More and more of the applications on your network are capable of operating on non-standard ports or can hop ports (e.g., instant messaging applications, peer-to-peer file sharing, or VoIP). Additionally, users are increasingly savvy enough to force applications to run over non-standard ports (e.g., RDP, SSH). In order to enforce application-specific policies where ports are increasingly irrelevant, your next firewall must assume that any application can run on any port.
Identify and control circumventors
Most organizations have security policies along with controls designed to enforce those policies. External proxies, remote server/desktop management tools, and encrypted tunnel applications are being used to circumvent security controls like firewalls. Without the ability to identify and control these tools, your organization cannot enforce your security policies, exposing the business to the very Cyberattacks the security controls were designed to mitigate. Your next firewall must be capable of dealing with these circumvention tools.
Stop Thinking: Closed doors.
Start Thinking: Freedom.
Decrypt SSL and control SSH usage
The number of commonly used applications on your network that have adopted SSL as a means of encrypting traffic currently hovers at around 25%. The increased use of HTTPS for many high-risk, high-reward applications and users’ ability to manually enable SSL on many websites means your network security team has a large and growing blind spot. As SSH is used more commonly by tech-savvy employees, the encryption blind spot may be even larger than you thought. Your next firewall must be capable of decrypting and inspecting SSL traffic on any port; be flexible enough to bypass selected segments of SSL traffic (e.g., web traffic from health care organizations) and enforce the native use of SSH via policy.
Provide application function control
Many applications have significantly different functions, presenting your organization with different risk profiles and value. Many business focused as well as end-user focused examples exist. WebEx vs. WebEx Desktop Sharing and GoogleMail vs. Google Talk. If your organization is heavily dependent on intellectual property, then external desktop sharing and file transfer applications may represent security and regulatory risks. Your next firewall must continually evaluate the traffic and watch for changes—if a different function or feature is introduced in the session, the firewall must recognize the shift and perform a policy check.
For the complete list download Palo Alto Network’s free guide to the ’10 Things Your Next Firewall Must Do’.
If you have any questions, please email firstname.lastname@example.org or contact your account manager directly.