Wednesday, April 18, 2012

The new generation of firewall policies and new definitions


We have entered the era of applications. Although they bring substantial productivity gains in most companies, they also entail risks. In addition to the increased use of applications, a more mobile workforce and more sophisticated threats are changing the way gateways must be secured.

This is where next-generation firewalls (NGFWs) come in. However, while NGFWs provide greater granularity of control, they can also increase the complexity of your policies and require additional planning and consideration.

The advent of the next-generation firewall

Traditional firewalls, which filter on source IP, destination IP and ports, have been positioned at gateways since their inception. Although they continue to play an important role in the security of your network, attackers now target and use the application layer to get past them. Next-generation firewall filtering goes beyond ports 80 and 443 and gives you more control by letting you filter on the type of application and on user identity. With this greater granularity, you can specify what certain groups of users can do with a particular application, thereby achieving better security and, in turn, a competitive advantage (e.g., the marketing team must be able to post to Facebook, but a developer need not).

Considerations for firewall policies

Greater granularity of control brings more complexity. The more complex your network policies are, the greater the chance of an improperly configured firewall. According to Gartner, 95% of firewall breaches are caused by configuration errors, not by defects in the firewalls themselves. If you set policies at the application level, you must understand each application, its value to different users and the potential risks associated with it.

Firewall policy decisions are no longer completely black or completely white. As rule sets and the number of features grow, complexity grows with them. Here are some questions you should ask yourself (and be able to answer) before putting into operation the policies by application type and by user identity that next-generation firewalls enable:

• How many change requests per week should you expect to have to deal with?

• Can your existing team absorb the additional load without degrading turnaround time?

• Will you need additional staff?

• What is the impact if you define the policy with rules such as "block social networks, file sharing and streaming video, and allow all remaining web traffic"?

Your IT team needs to understand which applications are needed by which users and provide that access, without slowing productivity and without opening security holes that could cause data loss or malware intrusion.

Here are some recommendations to keep in mind when deploying finer-grained next-generation firewall policies:

• Run your NGFWs in a "learning mode" so that you can see which applications are used in your environment and by whom. For a start, this gives you information essential to defining more granular policies.

• Simplify and automate the management of your next-generation firewall policies in tandem with your traditional policies. While NGFWs provide more detail and more control, you want to make sure that you can add, update, modify and delete policies throughout the domain protected by your firewalls in a standardized way, to ensure productivity and operational efficiency.

• Run risk queries against specific applications as another security check, and consult third-party risk databases to obtain accurate information.
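The following added example (not from the original article or from AlgoSec) shows how observations collected in learning mode can be used to estimate the impact of the rule quoted above, "block social networks, file sharing and streaming video, and allow all remaining web traffic", before it is enforced. The record layout, category names and the exception list are assumptions, and the log entries are constructed sample data.

```python
from collections import defaultdict

# Constructed learning-mode records: (user, group, application, category).
# The layout and category labels are assumptions, not any vendor's log format.
LEARNING_LOG = [
    ("alice", "marketing", "facebook", "social-networking"),
    ("alice", "marketing", "facebook", "social-networking"),
    ("bob", "engineering", "facebook", "social-networking"),
    ("bob", "engineering", "github", "web"),
    ("carol", "finance", "dropbox", "file-sharing"),
    ("dave", "engineering", "youtube", "streaming-video"),
    ("erin", "marketing", "youtube", "streaming-video"),
    ("erin", "marketing", "salesforce", "web"),
]

# Candidate policy from the article's question: block these, allow the rest.
BLOCKED_CATEGORIES = {"social-networking", "file-sharing", "streaming-video"}

# Hypothetical identity-based exception: marketing may use Facebook.
EXCEPTIONS = {("marketing", "facebook")}

def decide(group, app, category, exceptions=EXCEPTIONS):
    """First match wins: group exception, then category block, then allow."""
    if (group, app) in exceptions:
        return "allow"
    if category in BLOCKED_CATEGORIES:
        return "block"
    return "allow"

def impact(log, exceptions=EXCEPTIONS):
    """Replay observed traffic through the candidate policy without enforcing it."""
    sessions = {"allow": 0, "block": 0}
    blocked = defaultdict(set)  # (group, app) -> users who would be cut off
    for user, group, app, category in log:
        verdict = decide(group, app, category, exceptions)
        sessions[verdict] += 1
        if verdict == "block":
            blocked[(group, app)].add(user)
    return sessions, {key: sorted(users) for key, users in blocked.items()}

if __name__ == "__main__":
    sessions, blocked = impact(LEARNING_LOG)
    print("sessions:", sessions)
    for (group, app), users in sorted(blocked.items()):
        # Each entry is a likely change request once the rule is enforced.
        print(f"review before enforcing: {group}/{app} used by {users}")
```

Each (group, application) pair in the blocked summary is a candidate change request, which gives a rough answer to the staffing questions above before the policy goes live.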

The new generation of firewalls provides, without doubt, additional benefits compared to traditional firewalls. But to really take advantage of these benefits without adding complexity, and therefore elements of risk, you must develop in advance an implementation plan and a process that allows you to manage these policies over time and as part of your network environment at large, says Marc-Henri Guy, Regional Director of AlgoSec.
