THE PRACTITIONER’S GUIDE TO DEPLOYING, OPTIMIZING AND MANAGING NEXT-GENERATION FIREWALLS

An AlgoSec Whitepaper


The Firewall Evolves

Ever since “Stateful Inspection” was introduced in the late 1990s, firewall administrators and security officers have been defining security policies based primarily on a connection’s source IP address, destination IP address, and service. However, today we live in an application-centric business environment (“there’s an app for that”), and applications are intertwined with our professional and personal lives. But along with their associated benefits come risks.

Increased use of applications, mobility, virtualization, and consolidation as well as the evolution of sophisticated threats has driven requirements for new features and capabilities all built into one firewall. Enter Next Generation Firewalls (NGFWs).

While NGFWs provide newfound levels of policy granularity and controls - Application Control, IPS, antimalware, email security and more - they also introduce more complexity that can cause more harm than good. Without proper sizing of capabilities for the environment, firewall performance can drop off significantly. And without careful design and maintenance, a poorly optimized NGFW policy could take what was a single rule allowing http, and become a policy that includes 10,000 new rules, one per application – creating more opportunity for error and risk.

This paper will highlight tips to effectively implement next-generation firewalls and optimize policies so that you can enjoy the clear benefits without falling into overly complex, unmanageable and risky policy traps.

Next-Generation Firewalls Exposed – Improved Security at a Cost if Not Managed Properly

In a recent survey, 68% of respondents reported having adopted NGFWs to improve protection from cyber-attacks. 31.2% of those who adopted NGFWs stated that they faced challenges when defining NGFW policies.

Therefore, organizations considering adopting NGFWs would be well advised to focus their efforts on centralizing and automating their firewall policy management processes across their entire estate. Automating these processes can help organizations reap the full benefits that next-generation firewalls provide - without increasing the operational workload, decreasing firewall performance, introducing risk and/or slowing down the business.

Source: The State of Network Security 2014


Getting the Value of NGFWs without the Risk and Overhead

Before you can address these challenges, you must keep in mind that your organization’s network almost certainly has other devices (and in turn other policies) that must be managed as well, including traditional firewalls, routers, Secure Web Gateways and more. Additionally, there are more specific questions you must answer first in order to address the bigger-picture question, such as:

• What NGFW features do you want to size for your environment (i.e. IPS, Application Control, Identity Awareness, URL Filtering, Email Security, etc.)?

• If you decide to whitelist at the application level (i.e. block outbound TCP/80 and only allow those web applications you know about)…

  • How many more change requests per week will you be processing?

  • Can your existing team handle the extra load without degradation to turnaround time?

  • Does your existing team need any new training to properly define/enforce this type of policy?

  • Will you require additional headcount?

• What is the impact if you define policy via a blacklisting approach, via rules like “block social networks, file sharing and video streaming, and allow all other web traffic”?

• What about the challenges of managing such policies alongside traditional firewall policies that are based on Source, Destination and Service?

IT must clearly define the NGFW capabilities that are required and properly size the deployment for their environment. Additionally, IT must understand which applications are needed by which users and provide access - without slowing down business productivity and without opening security gaps for data leakage or .

Policy is NOT a Black or White Decision

Security policy typically falls into a whitelisting or blacklisting bucket. Whitelisting provides more security, but more operational burden, while blacklisting is easier to manage, but inherently less secure.

Firewalls have traditionally used a whitelisting strategy which puts a significant workload on firewall administrators, as every new connection potentially requires another firewall rule – which has to be planned, approved, implemented, and validated. Some organizations process hundreds of rule change requests every week - and suffer turnaround times of several weeks between change request and implementation.

Additionally, the more rules in the firewall, especially if not optimally ordered, the more processing power is needed. A firewall with 100 rules processes traffic requests more quickly than a firewall with 1,000 rules, because it must parse through the list of rules to get to the one that allows or denies a specific connection. Oftentimes, this leads organizations to invest in more hardware, which isn’t always necessary. Next-Generation Firewalls exacerbate this challenge, but what NGFWs also allow you to do is leverage a hybrid policy approach.


Next Generation Firewall Deployment Scenarios

There are certain places within the network where it may be particularly beneficial to deploy NGFWs. Some options and examples (depending on your needs and environment) include:

• Filtering Web-based Traffic at the Edge. The first and primary point to consider when deploying a NGFW is filtering external internet traffic. This is where NGFWs can significantly improve your security if the right policies are applied.

• Dedicated Segments of the Network. Deploy NGFWs where you have separate and dedicated locations for servers and gateways. Examples include:

  • PCI DSS Segmentation. For organizations that must comply with PCI DSS, you may want to segment your PCI environment from the rest of your network. NGFWs can help here because they provide deeper policy granularity at an application and user level.

  • Remote/mobile User Segmentation. With increased user mobility (i.e. the same person appearing in different places with different IP addresses, so policy needs to be applied to a device tied to a person as opposed to an IP address), routing this traffic through a NGFW may make sense. One example would be to conduct user-based filtering where mobile users are connecting through VPN, or for WiFi traffic.

NGFW Do’s & Don’ts

Here are some things to keep in mind when deploying next-generation firewalls:

Do:

• Size your implementation for all of the capabilities you will be using.

• Assess the quality of your Active Directory (AD). A poorly configured AD will impact the NGFW’s identity awareness capability.

• Keep your current IPS configuration information – regardless of whether your IPS is standalone or integrated with your NGFW.

• Educate your users about application control and what is allowed/not allowed per policy.

Don’t:

• Turn on every NGFW capability unless you’ve properly sized the firewall for those capabilities - unless you’re ok with performance dropping off a cliff!

• Recreate the wheel by starting from scratch with your IPS configuration.

• Enforce application control without starting out in a monitoring mode.


Considerations for Building NGFW Policies

Typically a next-generation firewall is implemented into a defense-in-depth architecture (i.e. an environment that also has traditional firewalls, Secure Web Gateways, IPS, etc.), and the policy enforcement capabilities within each device type are not equal. When replacing a traditional firewall with a NGFW there are two approaches you can take:

1. Migrate the stateful firewall policy into the NGFW.

This commonly used approach is where the original policy is converted into a NGFW policy. While different vendors have their own homegrown tools for conversion, you want to also leverage a firewall policy management solution which can compare the policies between the two different firewalls to ensure that the NGFW is properly configured.

Once this is done, you can remove the original stateful firewall from the network and rely upon the NGFW which will be working as if it were a stateful firewall (at this point the NGFW isn’t leveraging application or identity awareness). Or you can leave the original firewall in place, as many organizations prefer a defense-in-depth approach where the next-generation firewall runs behind the traditional firewall to provide an additional layer of security.

Once running, the NGFW will pull in application, user and group information that can be analyzed to build out more granular NGFW policies. For example, if the old rule number 14 is frequently used, but it only supports the Sharepoint application, you can fine-tune the rule to allow only this application. This limits the exposure without impacting the business.

2. Build the rule base from scratch.

This approach is not as commonly used, but depending on your environment it may make sense. In this case, the original stateful firewall should remain in place while the NGFW runs essentially in a “learning mode” to gain visibility of applications, users and groups. This information can then be used to understand who is using what and provide the starting point for building your new NGFW policy.

With either approach, it makes sense to gradually build out your more granular policies to improve security without impacting business productivity. If after 30, 60, 90, 120 days (adjust interval to your business, don’t forget anything used annually) you’re only using 10 of 100 applications, you have some decisions to make and you should continue to monitor usage (more on this below). Leverage the application categories that come with next-generation firewalls (different categories/information depending on the vendor in use) and which are also updated by the firewall vendor to facilitate the process of managing policy. If one category has 273 applications in it, but you only want to provide access to 5 specific applications of this type, you can block the category and add exceptions for those 5 in use.
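The category-plus-exceptions pattern described above only works because NGFW policies are evaluated first-match: an allow exception must sit above the category block, or it never fires, and a per-group allow (opening one application to one team) is the same mechanism with a user-group condition added. The following Python is an added illustration written for this guide, not AlgoSec’s or any firewall vendor’s code; the application catalogue, categories, rule names and user groups are constructed, and the hypothetical shadowed_exceptions() check shows how a misplaced exception can be caught before deployment.

```python
"""Application-level policy evaluated first-match, with a category block and
explicit exceptions.  Added illustration for this guide, not AlgoSec's or any
vendor's code; the catalogue, rules and groups below are constructed."""
from dataclasses import dataclass

ANY = "any"

# Constructed stand-in for a vendor-maintained application catalogue (app -> category).
APP_CATALOGUE = {
    "sharepoint": "collaboration",
    "box": "file-sharing",
    "dropbox": "file-sharing",
    "bittorrent": "file-sharing",
    "facebook": "social-networking",
    "linkedin": "social-networking",
    "youtube": "streaming-media",
}


@dataclass(frozen=True)
class AppRule:
    name: str
    action: str                                  # "allow" or "deny"
    apps: frozenset = frozenset()                # explicit application names
    categories: frozenset = frozenset()          # whole catalogue categories
    groups: frozenset = frozenset({ANY})         # user groups the rule applies to

    def matches(self, app, group):
        if ANY not in self.groups and group not in self.groups:
            return False
        return (ANY in self.apps or app in self.apps
                or APP_CATALOGUE.get(app) in self.categories)


def evaluate(policy, app, group, default="deny"):
    """Return (action, rule name) of the first rule that matches, else the default."""
    for rule in policy:
        if rule.matches(app, group):
            return rule.action, rule.name
    return default, "implicit-default"


def shadowed_exceptions(policy):
    """Explicit-app allow rules placed below a deny that already covers those apps
    for the same users can never match.  Returns (rule, shadowing rule) pairs."""
    found = []
    for i, rule in enumerate(policy):
        if rule.action != "allow" or not rule.apps or ANY in rule.apps:
            continue
        for earlier in policy[:i]:
            users_covered = ANY in earlier.groups or rule.groups <= earlier.groups
            apps_covered = all(a in earlier.apps or APP_CATALOGUE.get(a) in earlier.categories
                               for a in rule.apps)
            if earlier.action == "deny" and users_covered and apps_covered:
                found.append((rule.name, earlier.name))
                break
    return found


# Exceptions first, category blocks next, a catch-all deny last (constructed policy).
POLICY = [
    AppRule("allow-sanctioned-file-sharing", "allow", apps=frozenset({"box"})),
    AppRule("marketing-social", "allow", apps=frozenset({"facebook", "linkedin"}),
            groups=frozenset({"marketing"})),
    AppRule("block-file-sharing", "deny", categories=frozenset({"file-sharing"})),
    AppRule("block-social", "deny", categories=frozenset({"social-networking"})),
    AppRule("allow-collaboration", "allow", categories=frozenset({"collaboration"})),
    AppRule("block-other-web", "deny", apps=frozenset({ANY})),
]

# The same two rules in the wrong order: the exception sits below the category deny.
MISORDERED = [POLICY[2], POLICY[0]]

if __name__ == "__main__":
    for app, group in [("box", "finance"), ("dropbox", "finance"),
                       ("facebook", "marketing"), ("facebook", "finance")]:
        print(app, group, "->", evaluate(POLICY, app, group))
    print("shadowed in POLICY:", shadowed_exceptions(POLICY))
    print("shadowed in MISORDERED:", shadowed_exceptions(MISORDERED))
```

With the rules in the order shown, box is allowed for everyone while the rest of the file-sharing category is blocked, and Facebook is reachable only from the marketing group; swapping the exception below its category deny (MISORDERED) silently turns the sanctioned application into a blocked one, which is the kind of ordering error a policy comparison should surface before the change is pushed.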


7 Steps to Optimize and Manage Your NGFW Policies

Once your NGFW policies are deployed, how you optimize and manage these policies over time is of great importance, especially within the context of your entire network.

1. Gain Visibility of Your Policies. Optimize your policies by looking at what applications are used, by whom and how often. Run regular reports to spot new applications in use on the network and to understand any trends and impact from a security and performance perspective. Such actionable intelligence regarding application usage is extremely helpful in optimizing policies and removing unused applications from policies. Identify rules that can be tightened based on application and user/user group needs. For example, if an application is only required by one group of users (i.e. marketing team needs access to Facebook), that application can be opened up to that specific group and restricted from others.

2. Reorder Rules to Improve Performance. Since firewalls sequentially sift through endless rule sets to identify the rule that matches every packet, another way to optimize your next-generation firewall policy is to reorder rules based on throughput (rules where there is heavier application usage should be on top). This can help address any potential performance issues and help delay hardware purchases.

3. Identify Rules to Remove from the Rule Base. Oftentimes firewall rules are forgotten about and even duplicated through change requests. Being able to identify the following types of rules can significantly help you reduce the overhead on your admin team and on the firewall:

• Unused rules

• Covered or duplicated rules

• Disabled rules

• Time-inactive rules

• Rules with empty or non-compliant comments

• And more…

A more in-depth examination of optimization methods can be learned by reading AlgoSec's paper on Cleaning up Your Firewall Policy Clutter.
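Steps 2 and 3 above are two sides of the same analysis of a source/destination/service rule base: a rule that is fully covered by an earlier rule never matches (a redundant duplicate if the actions agree, a shadowed rule if they differ), and a rule may only be moved above another to gain throughput if the two cannot both match the same packet with different actions, otherwise the reorder changes decisions. The following Python is an added illustration written for this guide, not AlgoSec’s or any vendor’s code; the rules, hit counts, change-request references and sample flows are constructed, and the audit() and reorder_by_hits() functions are hypothetical names for the checks described in the text.

```python
"""Rule-base hygiene checks and decision-preserving reordering for a stateful
(source/destination/service) policy.  Added illustration for this guide, not
AlgoSec's or any vendor's code; rules, hit counts and flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass
class Rule:
    name: str
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    service: frozenset  # e.g. {"tcp/80"}; {"any"} matches every service
    action: str         # "allow" or "deny"
    hits: int = 0       # matches counted over the review window
    enabled: bool = True
    comment: str = ""


def _net(cidr):
    return ip_network("0.0.0.0/0") if cidr == ANY else ip_network(cidr)


def _svc_overlap(a, b):
    return ANY in a or ANY in b or bool(a & b)


def _svc_covers(a, b):
    """True when service set a matches everything service set b matches."""
    return ANY in a or (ANY not in b and b <= a)


def overlaps(r, q):
    """Some packet could match both rules."""
    return (_net(r.src).overlaps(_net(q.src)) and _net(r.dst).overlaps(_net(q.dst))
            and _svc_overlap(r.service, q.service))


def covers(r, q):
    """Every packet that matches q also matches r (q is fully covered by r)."""
    return (_net(q.src).subnet_of(_net(r.src)) and _net(q.dst).subnet_of(_net(r.dst))
            and _svc_covers(r.service, q.service))


def audit(rules):
    """Return (rule name, finding) pairs for the clean-up candidates listed in step 3."""
    findings = []
    for i, r in enumerate(rules):
        if not r.enabled:
            findings.append((r.name, "disabled"))
            continue
        if r.hits == 0:
            findings.append((r.name, "unused"))
        if not r.comment.strip():
            findings.append((r.name, "empty-comment"))
        for q in rules[:i]:
            # Fully covered by an earlier rule: same action -> duplicate,
            # different action -> shadowed (its intended decision is never taken).
            if q.enabled and covers(q, r):
                kind = "duplicate" if q.action == r.action else "shadowed"
                findings.append((r.name, f"{kind}-by:{q.name}"))
                break
    return findings


def _conflicts(rules, i, j):
    return overlaps(rules[i], rules[j]) and rules[i].action != rules[j].action


def reorder_by_hits(rules):
    """Step 2 done safely: repeatedly emit the busiest rule whose conflicting
    predecessors (earlier, overlapping, different action) are already emitted."""
    remaining, order = list(range(len(rules))), []
    while remaining:
        ready = [i for i in remaining
                 if not any(j < i and _conflicts(rules, i, j) for j in remaining)]
        best = max(ready, key=lambda i: (rules[i].hits, -i))  # ties keep original order
        order.append(best)
        remaining.remove(best)
    return [rules[i] for i in order]


def first_match(rules, src_ip, dst_ip, svc, default="deny"):
    for r in rules:
        if (r.enabled and ip_address(src_ip) in _net(r.src) and ip_address(dst_ip) in _net(r.dst)
                and (ANY in r.service or svc in r.service)):
            return r.action, r.name
    return default, "implicit-deny"


def decisions_equal(a, b, flows):
    """Regression check: both rule bases reach the same action for every sample flow."""
    return all(first_match(a, *f)[0] == first_match(b, *f)[0] for f in flows)


# Constructed rule base; "CR-nnn" comments are made-up change-request references.
RULES = [
    Rule("allow-web", "10.0.0.0/8", ANY, frozenset({"tcp/80", "tcp/443"}), "allow",
         hits=120, comment="CR-101: corporate web access"),
    Rule("deny-web-to-lab", ANY, "10.20.0.0/16", frozenset({"tcp/80"}), "deny",
         hits=9000, comment="CR-250: lab isolation"),
    Rule("allow-dns", ANY, "10.0.53.10/32", frozenset({"udp/53"}), "allow",
         hits=50000, comment="CR-102: internal resolver"),
    Rule("allow-web-dup", "10.1.0.0/16", ANY, frozenset({"tcp/80"}), "allow", hits=0),
    Rule("old-vendor-access", "172.16.5.0/24", "10.9.9.9/32", frozenset({"tcp/3389"}), "allow",
         hits=0, enabled=False, comment="temporary - remove after migration"),
    Rule("deny-dmz-dns", "192.168.100.0/24", "10.0.53.10/32", frozenset({"udp/53"}), "deny",
         hits=0, comment="CR-300: DMZ must not resolve internally"),
]
FLOWS = [("10.5.1.1", "10.20.3.3", "tcp/80"), ("172.16.5.4", "10.20.3.3", "tcp/80"),
         ("192.168.100.5", "10.0.53.10", "udp/53"), ("10.1.2.3", "93.184.216.34", "tcp/443")]

if __name__ == "__main__":
    for finding in audit(RULES):
        print(*finding)
    print([r.name for r in reorder_by_hits(RULES)])
    print("safe reorder keeps decisions:", decisions_equal(RULES, reorder_by_hits(RULES), FLOWS))
    naive = sorted(RULES, key=lambda r: -r.hits)
    print("plain sort by hits keeps decisions:", decisions_equal(RULES, naive, FLOWS))
```

On this sample the audit reports allow-web-dup as unused, uncommented and duplicated by allow-web, old-vendor-access as disabled, and deny-dmz-dns as unused and shadowed by allow-dns (the deny was added below an allow that already covers it, so it has never matched). The safe reorder lifts allow-dns to the top but keeps deny-web-to-lab below allow-web despite its higher hit count, because the two overlap with different actions; a plain sort by hit count would move the deny above the allow and start blocking corporate web traffic to the lab range.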

4. Run Regular Risk Queries. Whether running a query from your DMZ to Internal or against specific applications, there are a lot of known risks and configuration best practices you can leverage (i.e. NIST, PCI, etc.) to identify vulnerable rules and understand the remedies. You should also define acceptable applications for your organization and then create exceptions or segment by users/user groups as needed. Some examples of different applications include:

• Business appropriate applications

• Productivity apps such as Dropbox, RDP and TeamViewer which can open security gaps

• Inappropriate file-swapping applications

• Vectors for sensitive data loss like personal network storage

• Bandwidth hogs such as streaming video applications

• Malicious applications - cyber-warfare tools, corporate espionage trojans, identity-stealing ‘bots, viruses and worms, etc.

A misconfigured rule, some kind of , or a temporary rule that gets forgotten about and stays in place are all risks that you should be tracking. Another example is a remote access control application, which enables IT and support to remotely address computer and networking issues. While this type of application has a real business need for specific users, it can also be used to bypass security policies and create exposures for cyber attackers.

5. Ensure Continuous Compliance. Once you have created your baseline, you should be able to run reports to ensure that your policies are in compliance with regulatory requirements such as PCI DSS, SOX, etc. and also your own internally defined standards. When it comes to optimization and risk, detail and accuracy is also very important as you want to avoid making decisions based on inaccurate information. For example, if you have a rule that allows Skype, you should not receive a risk alert that says you have “any service” or ALL-TCP or ALL-UDP open.

6. Automate the Firewall Change Request Process. Maintain your optimized and secure policy over time by automating the firewall change request process. With traditional firewalls, the primary fields for change management consist of source, destination and port. With next generation firewalls, it expands to source, destination, port AND users and applications. With this improved granularity comes more opportunities for change requests to quickly pile up.

7. Manage ALL of Your Firewall Policies. Finally, remember that it’s not just the next-generation firewall policy that you have to analyze and manage, you most likely have other devices as well, some of which include but are not limited to traditional firewalls, hypervisor-level firewalls, routers, secure web gateways, proxies, VPNs and other related security devices. Managing your security policy across all of these devices (which in addition to being different device types can also be from multiple vendors and different models) is a major challenge.

Ensuring policy management efficiency through standardized rule interpretation, centralized management and reporting across ALL of your firewalls is key to improving operations, simplifying audits and reducing risk.


Conclusion

NGFWs deliver much more granular control than traditional firewalls by being application and user aware, which is a boon for IT security professionals AND business users to ensure better security without impacting user productivity.

However, that is not to say that next-generation firewalls don't come with their own set of challenges. Just as standard firewalls need to be managed due to the complexity of having thousands of rule sets and the potential for errors, the need increases greatly with NGFWs and their application control/whitelisting capabilities which introduce new layers of policy, and new security tools that must be managed in the context of the broader network.

Next Generation Firewalls are a great technological advance for network security, but without properly sizing them for your environment, without thinking through their optimal place in your network and without sound automated firewall policy management, they can introduce new levels of complexity.


About AlgoSec

AlgoSec simplifies, automates and orchestrates security policy management to enable enterprise organizations and service providers to manage security at the speed of business. Over 1,500 of the world’s leading organizations, including 15 of the Fortune 50, rely on AlgoSec to optimize the network security policy throughout its lifecycle, to accelerate application delivery while ensuring security and compliance. AlgoSec is committed to the success of each and every customer, and provides the industry’s only money-back guarantee.

For more information visit http://www.AlgoSec.com or visit our blog.

Global Headquarters: 65 Challenger Road, Suite 320, Ridgefield Park, NJ 07660, USA. Tel: +1-888-358-3696
EMEA Headquarters: 80 Coleman Street, London EC2R 5BJ, United Kingdom. Tel: +44 207-099-7545
APAC Headquarters: 10 Anson Road, #14-06 International Plaza, Singapore 079903. Tel: +65-3158-2120

AlgoSec.com

© Copyright 2015, AlgoSec Inc. All rights reserved. WP-NGFW-EN-1