Getting the Most Out of Your Next-Generation Firewall

Transcription

1 White Paper Getting the Most Out of Your Next-Generation Firewall Comprehensive network visibility and control increases business efficiency and enables business growth while maximizing security. To address this business challenge: Maintain regulatory compliance Provide deep visibility and control The next-generation firewall must: Perform deterministic, stateful inspection Identify and control applications and micro-applications, regardless of which ports and protocols are used Identify users through passive and active authentication methods Support business needs while restricting risky behavior Authorize appropriate use of personal devices Protect against Internet threats Identify and control specific behaviors within allowed micro-applications Enable legitimate Internet access while blocking undesirable web categories Support differentiated access for a wide range of mobile devices Control websites and web-based applications based on dynamic reputation analysis Protect against zero-day threats in near-real time Enable safe use of encryption Balance security and performance requirements Decrypt and inspect encrypted traffic based on policies Maintain performance expectations when multiple security services are enabled Network administrators are encountering the highest levels of change in history as they attempt to balance security with productivity. Rapidly evolving business trends are challenging them to provide widespread but safe Internet access, allowing employees to use legitimate business applications while using their device of choice. Applications have evolved to be highly dynamic and multifaceted, blurring the line between legitimate business applications and those that waste time and increase a company s exposure to Internet-based threats. In the past, acceptable usage was relatively clear-cut, but social media, file sharing, and Internet communications applications have evolved to serve just as many business use cases as strictly personal ones; these applications are now widely used throughout all levels of an organization. Further complicating the situation, today s workforce is becoming increasingly mobile, with users requiring anywhere, anytime access to the network from a variety of company-owned and personal mobile devices. This has prompted businesses of all sizes and types to embrace bring your own device (BYOD) policies to increase employee productivity and satisfaction. Due to these and other business trends, network administrators face a mounting challenge: to enforce the acceptable usage policies required to protect the network while enabling the flexibility to achieve and maintain the level of productivity required to promote business growth. A new approach to security is required - without abandoning time-tested methods - to enhance network visibility and control, accelerate business innovation, and proactively protect against new and emerging threats. Rather than abandon their existing stateful inspection firewalls, however, administrators need to supplement this proven security device with additional network-based security controls - for end-to-end network intelligence and streamlined security operations Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 6

2 Business Challenges As discussed earlier, social media, file sharing, and Internet communications applications that were once banned from corporate networks are now being embraced as legitimate, efficient, cost-effective methods of reaching customers and partners around the world. According to the Cisco 2013 Annual Security Report, 22 percent of all at-work web requests are to view online video and an additional 20 percent are visits to social network sites. As a result, organizations of all sizes are embracing social media and online video; most major brands have a presence on Facebook and Twitter, and many are integrating social media into their actual products. Similarly, while the devices touching the network were once limited to devices that were owned and tightly controlled by IT, now a wide range of personal devices can also gain secure access. Despite their business productivity benefits, these network trends also introduce serious new security risks. As a result, the primary business challenges facing organizations today are how to enforce acceptable usage policies, control evasive applications, authorize personal devices, and protect against Internet threats. Enforcing Acceptable Usage Policies Two of the primary business issues organizations need to resolve center around acceptable usage policies. First, robust content-based URL filtering is required to block offensive, inappropriate, and possibly illegal websites such as those with adult, violent, or racial hatred content; those that reduce productivity or consume exorbitant amounts of bandwidth, such as YouTube; and those that can jeopardize a company s legal compliance, such as BitTorrent and edonkey. Similarly, deep application inspection is required to block known malicious software such as proxy anonymizers, which can be used by employees to bypass IT controls. Acceptable usage enforcement has been further complicated by applications such as Facebook, Twitter, LinkedIn, and Skype. These have evolved into legitimate business applications, but many organizations are reluctant to allow them on the network because their use can lead to widespread bandwidth misuse and lost employee productivity. Controlling Evasive Applications Related to this challenge is gaining visibility into, and control of, port- and protocol-hopping applications such as Skype and BitTorrent. Since the nature of these applications is to find a way through, irrespective of what is happening with the network, they can present unique challenges to administrators who are attempting to block their usage. In fact, administrators can write dozens of policies that attempt to block just one of these evasive applications, yet still fail to adequately control them. Authorizing Personal Devices The Cisco 2011 Annual Security Report found that 81 percent of college students believe that they should be able to choose the devices they need to do their jobs. 77 percent of employees surveyed worldwide use multiple devices to access the corporate network, and more than one third of them use at least three devices for work. As a result, according to the Cisco 2012 Global IBSG Horizons Report, 84 percent of IT leaders report that IT in their companies is becoming more consumerized. The Cisco 2013 Annual Security Report supports these findings, noting that in just the past two years Cisco has seen a 79 percent increase in the number of mobile devices in use by its employees - and that the vast majority of those devices are bring your own Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 2 of 6

3 These trends have caused BYOD to become a priority for most organizations, with mobility initiatives expected to consume an average of 23 percent of IT budgets by 2014, compared to 18 percent in While just a few years ago an organization needed only to determine who would have access to the network and sensitive corporate data, BYOD has added new layers of complexity to those decisions. Now organizations must determine if employees who are granted access to such data will only have access while using devices that are corporate-owned and maintained, or if their personal devices may also be used. If personal devices are acceptable, are all devices acceptable, or just some? Need employees be located within the corporate LAN, or do remote VPN connections also provide the appropriate level of security? Protecting Against Internet Threats Internet threats are another concern for organizations of all sizes. While tools such as file sharing and social media applications have had a positive effect on employee productivity, they carry inherent risks: They can be exploited by hackers and other malicious authors to gain unauthorized access to or spread malware across the network. Remote control applications such as TeamViewer and PC Anywhere can dramatically enhance individual and team productivity, but malware writers can use vulnerabilities in these applications to take control of network assets. In addition, the use of file sharing applications such as Dropbox and icloud open the possibility that sensitive company data can be uploaded to the cloud, where the organization no longer has control over its distribution. Malware can also masquerade as well-known applications that run on open ports; can be embedded in legitimate applications where vulnerabilities have been discovered; or can be installed as a drive-by download from fraudulent websites - or legitimate ones that have been infected. Social engineering techniques that target users of social media have also proven to be effective; these applications have taught employees that it is perfectly normal to click on embedded links and download content from unknown websites, despite longstanding warnings from IT to abstain from such behavior. A Proactive, Comprehensive Approach to Network Security Is Required Business leaders understand that flexibility is essential to maximizing productivity. But how do they take advantage of the productivity and cost benefits provided by business and technology trends while protecting themselves from the security challenges these trends present? The answer lies in the ability to maximize an organization s visibility into its network traffic through full context awareness. When administrators can clearly see the details of the network traffic, they can make more intelligent decisions. Visibility into applications and user ID, though valuable, do not provide the full context awareness required to safely enable new applications, devices, and business cases. Full context awareness includes these, as well as enterprise-class URL filtering, dynamic web reputation, device awareness, and an understanding of where the user and device are located. Application Visibility and Control As mentioned earlier, application awareness is a core requirement for any next-generation firewall. However, it is crucial for the firewall to recognize more than just the applications themselves; it must also recognize and provide the capability to block the micro-applications that comprise that application. This is particularly important for social media applications such as Facebook and LinkedIn. Merely recognizing these applications only provides the ability to block or allow the application in its entirety. For example, an organization may want to provide access to Facebook to enable sales and marketing personnel to post to the company s corporate Facebook page and communicate with customers and partners, while denying access to Facebook Games. By recognizing each microapplication separately, administrators can grant different access privileges to each Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 3 of 6

4 In addition, by recognizing specific behaviors within those micro-applications, the firewall can provide administrators with even more granular control. For example, the specific behaviors within the Facebook Messages and Chat micro-application are attachment upload, attachment download, and video chat. While most of those behaviors may be deemed appropriate business activities, the behavior attachment download is likely to be viewed by security personnel as inherently risky. Using a firewall that can recognize specific behaviors within a micro-application, administrators can allow Facebook Messages and Chat, while denying attachment download. Evasive applications such as Skype can also be effectively controlled if the firewall can monitor all ports and protocols and enable policy definition to be based solely on the identification of the application itself. Since applications such as Skype always carry the same application ID, irrespective of what port or protocol they are using to exit the network, adding a policy to Block Skype can provide more effective enforcement while requiring fewer policies, compared with writing dozens of stateful firewall policies to block every possible combination. This saves administrators time in the initial development and the ongoing management of the policies, which translates into operational efficiencies for the business. Finally, by controlling who has access to file sharing applications, as well as which application behaviors are allowed to be utilized, administrators can protect the organization s critical data while enabling employees to leverage powerful business tools. Advanced User Identification User awareness is another core component of any next-generation firewall; most provide passive authentication via a corporate directory service such as Active Directory (AD).This capability allows administrators to enforce policies based on who a user is or to what group or groups he belongs. While this identification on its own holds relatively little value, when paired with the application awareness highlighted above, administrators can use it to enable differentiated access to certain applications. For example, marketing and sales may have a legitimate business need to access social media tools, while finance does not. In addition to passive authentication, some next-generation firewalls have extended this capability to include support for active authentication for business use cases that require stronger security measures. Whereas passive authentication relies on a simple lookup of the directory service and trusts that it has properly identified the user through username-ip address mapping, active authentication requires an additional layer of security using mechanisms like Kerberos and NT LAN Manager (NTLM). This can be performed by either asking the browser, which in turn sends a seamless response based on the user s login credentials, or challenging the user with an authorization prompt. In either case, the security administrator is authenticating the user rather than relying on the username-ip address mapping. This is important for organizations that need to provide access to sensitive information such as customer credit card data or a database containing healthcare information. Device Awareness For organizations that have embraced BYOD as a business reality, striking a balance between productivity and security requires granular visibility into the specific devices that are attempting to access the network, enabling administrators to enforce differentiated policies based on each device used. For example, an organization can decide to allow iphone 4 devices to gain access to most network resources while denying or restricting access to earlier versions of the iphone, or can give access to an iphone 4 but not a 4S. Similarly, the organization can grant access to Windows-based PCs while denying access to Macs. In addition, if the firewall is equipped with location awareness, different policies can be enforced based on whether the device is located inside the LAN or is logging in remotely Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 4 of 6

5 Web Security URL and web filtering capabilities permit access to appropriate applications and content while preventing the use of those that might increase risk, drain productivity, or cause a loss of confidential information. Most web security appliances provide basic web filtering based on broad categories, as well as the capability to white- and black-list specific sites. Many vendors will also include a database of known bad URLs on the appliance itself. However, due to the dynamic nature of the Internet, these capabilities are not enough. According to the non-profit organization stopbadware.org, more than one million websites currently deliver malware and other software that takes action without a user s permission (also often referred to as greyware ). Because thousands of new URLs are added to the list each week, web security that is limited to a static on-box list will never be able to keep pace. Therefore, in addition to these capabilities, organizations require URL filtering that is continuously updated for nearreal-time protection from the ever-evolving threat landscape. In addition, the firewall must be capable of identifying and stopping malware that masquerades as well-known applications that run on open ports, without inhibiting the business value of legitimate business tools that utilize those ports. This capability can be further strengthened by using global data and application traffic to provide nearreal-time threat landscape information, including reputation analysis that is based on the behavior exhibited by a specific site or web application. If a provider is receiving traffic from a large number of sources from throughout the world and providing updates with a high enough frequency, the global data can also help protect the organization from zero-day threats. To enable these use cases without jeopardizing security, some IT organizations have replaced their stateful firewall product lines with those that provide additional levels of visibility - and therefore superior control. Though additional visibility is rarely considered a bad thing, most of these next-generation firewalls come with tradeoffs, which are important for administrators and business leaders to understand prior to making a purchase decision. Limited Visibility: A Problem Half-Solved There is little doubt that delivering additional visibility into network traffic carries enormous security advantages. Enhanced network visibility provides administrators with the ability to develop and enforce more granular security policies for superior protection of corporate assets. This is why application and user ID awareness capabilities are core to next-generation firewalls. However, many next-generation firewalls center the entire solution exclusively on these two elements at the expense of everything else. Certainly, any visibility is better than no visibility, but, as discussed throughout this paper, there is so much more going on in a typical corporate network that application and user ID awareness alone fall short of what is required to provide sufficient visibility to make intelligent security decisions. In addition to these capabilities, a comprehensive security solution must provide administrators with the ability to control specific behaviors within allowed micro-applications, restrict web and web application usage based on reputation of the site, proactively protect against Internet threats, and enforce differentiated policies based on the user, device, role, and application type. Seek the Best of Both Worlds Despite the many benefits of employing a next-generation firewall, there are also some drawbacks to consider. Therefore, business leaders should fully assess their options prior to making a purchase decision. Many nextgeneration firewall vendors force customers to abandon their existing firewalls and all associated security policies so that they may start fresh with all new security policies that are written specifically for the next-generation firewall platform. This rip and replace is necessary because most next-generation firewalls are fundamentally different than existing classic or stateful firewalls, working on a completely different computing layer Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 5 of 6

6 While stateful firewalls work on the network and transport layers of the computing architecture, next-generation firewalls work on the application layer. As a result, the organization s existing firewall policies will be useless in the new paradigm and therefore must be completely rewritten. This is by no means a quick, easy task - most organizations have thousands of policies, and larger organizations can have tens of thousands. It can take months of time and significant budget allocation to get it done. In addition, security performed at the application layer is, by its nature, a deeper level of inspection, and can cause network performance to degrade. Replacing an organization s stateful inspection firewall with one that is built exclusively for the application layer can also potentially jeopardize the organization s compliance with industry regulations, as many regulatory bodies specifically stipulate the need for stateful inspection. Since application- and user-id-based firewall policies are nondeterministic, relying solely on a next-generation firewall may put the organization at risk for a failed audit. However, some firewall vendors provide a hybrid approach, in which the stateful and next-generation firewall capabilities work together. Since these firewalls support both stateful and next-generation capabilities, organizations can continue to use their existing policies while they develop new next-generation rules; they are not forced to abandon one for the other, so they can replace the old policies over time, as it makes the most sense for their security needs. In addition, not all traffic requires the deeper level of inspection conducted by next-generation firewalls, so the hybrid model enables organizations to preserve more of their network performance by only performing the deeper level of inspection on traffic and use cases that require it. In this way, organizations can achieve a superior level of security while maximizing business flexibility. Conclusion Trends such as BYOD and the adoption of social media and other grey applications as legitimate business tools have had profound effects on organizations of all sizes. However, next-generation firewalls that only provide application and user ID awareness fall short of providing the level of network visibility required to safely enable them. Instead, by looking at the full context of the network traffic, administrators are empowered with actionable security enforcement based on a high level of network visibility and intelligence. By employing a firewall that combines stateful capabilities with full context awareness, organizations can strike a balance between the high level of network security required to support these new business cases and the flexibility they require to maximize their business agility. Printed in USA C / Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 6 of 6