Getting the Most Out of Your Next-Generation Firewall


White Paper

Comprehensive network visibility and control increases business efficiency and enables business growth while maximizing security.

Business challenge: Maintain regulatory compliance; provide deep visibility and control.
The next-generation firewall must:
- Perform deterministic, stateful inspection
- Identify and control applications and micro-applications, regardless of which ports and protocols are used
- Identify users through passive and active authentication methods

Business challenge: Support business needs while restricting risky behavior; authorize appropriate use of personal devices; protect against Internet threats.
The next-generation firewall must:
- Identify and control specific behaviors within allowed micro-applications
- Enable legitimate Internet access while blocking undesirable web categories
- Support differentiated access for a wide range of mobile devices
- Control websites and web-based applications based on dynamic reputation analysis
- Protect against zero-day threats in near-real time

Business challenge: Enable safe use of encryption; balance security and performance requirements.
The next-generation firewall must:
- Decrypt and inspect encrypted traffic based on policies
- Maintain performance expectations when multiple security services are enabled

Network administrators are encountering the highest levels of change in history as they attempt to balance security with productivity. Rapidly evolving business trends are challenging them to provide widespread but safe Internet access, allowing employees to use legitimate business applications while using their device of choice. Applications have evolved to be highly dynamic and multifaceted, blurring the line between legitimate business applications and those that waste time and increase a company's exposure to Internet-based threats.

In the past, acceptable usage was relatively clear-cut, but social media, file sharing, and Internet communications applications have evolved to serve just as many business use cases as strictly personal ones; these applications are now widely used throughout all levels of an organization. Further complicating the situation, today's workforce is becoming increasingly mobile, with users requiring anywhere, anytime access to the network from a variety of company-owned and personal mobile devices. This has prompted businesses of all sizes and types to embrace bring your own device (BYOD) policies to increase employee productivity and satisfaction.

Due to these and other business trends, network administrators face a mounting challenge: to enforce the acceptable usage policies required to protect the network while enabling the flexibility to achieve and maintain the level of productivity required to promote business growth. A new approach to security is required - without abandoning time-tested methods - to enhance network visibility and control, accelerate business innovation, and proactively protect against new and emerging threats. Rather than abandon their existing stateful inspection firewalls, however, administrators need to supplement this proven security device with additional network-based security controls - for end-to-end network intelligence and streamlined security operations.

2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 6

Business Challenges

As discussed earlier, social media, file sharing, and Internet communications applications that were once banned from corporate networks are now being embraced as legitimate, efficient, cost-effective methods of reaching customers and partners around the world. According to the Cisco 2013 Annual Security Report, 22 percent of all at-work web requests are to view online video and an additional 20 percent are visits to social network sites. As a result, organizations of all sizes are embracing social media and online video; most major brands have a presence on Facebook and Twitter, and many are integrating social media into their actual products. Similarly, while the devices touching the network were once limited to devices that were owned and tightly controlled by IT, now a wide range of personal devices can also gain secure access.

Despite their business productivity benefits, these network trends also introduce serious new security risks. As a result, the primary business challenges facing organizations today are how to enforce acceptable usage policies, control evasive applications, authorize personal devices, and protect against Internet threats.

Enforcing Acceptable Usage Policies

Two of the primary business issues organizations need to resolve center around acceptable usage policies. First, robust content-based URL filtering is required to block offensive, inappropriate, and possibly illegal websites such as those with adult, violent, or racial hatred content; those that reduce productivity or consume exorbitant amounts of bandwidth, such as YouTube; and those that can jeopardize a company's legal compliance, such as BitTorrent and eDonkey. Similarly, deep application inspection is required to block known malicious software such as proxy anonymizers, which can be used by employees to bypass IT controls.

Acceptable usage enforcement has been further complicated by applications such as Facebook, Twitter, LinkedIn, and Skype. These have evolved into legitimate business applications, but many organizations are reluctant to allow them on the network because their use can lead to widespread bandwidth misuse and lost employee productivity.

Controlling Evasive Applications

Related to this challenge is gaining visibility into, and control of, port- and protocol-hopping applications such as Skype and BitTorrent. Since the nature of these applications is to find a way through, irrespective of what is happening with the network, they can present unique challenges to administrators who are attempting to block their usage. In fact, administrators can write dozens of policies that attempt to block just one of these evasive applications, yet still fail to adequately control them.

Authorizing Personal Devices

The Cisco 2011 Annual Security Report found that 81 percent of college students believe that they should be able to choose the devices they need to do their jobs. 77 percent of employees surveyed worldwide use multiple devices to access the corporate network, and more than one third of them use at least three devices for work. As a result, according to the Cisco 2012 Global IBSG Horizons Report, 84 percent of IT leaders report that IT in their companies is becoming more consumerized. The Cisco 2013 Annual Security Report supports these findings, noting that in just the past two years Cisco has seen a 79 percent increase in the number of mobile devices in use by its employees - and that the vast majority of those devices are bring your own.

These trends have caused BYOD to become a priority for most organizations, with mobility initiatives expected to consume an average of 23 percent of IT budgets by 2014, compared to 18 percent in 2012. While just a few years ago an organization needed only to determine who would have access to the network and sensitive corporate data, BYOD has added new layers of complexity to those decisions. Now organizations must determine if employees who are granted access to such data will only have access while using devices that are corporate-owned and maintained, or if their personal devices may also be used. If personal devices are acceptable, are all devices acceptable, or just some? Need employees be located within the corporate LAN, or do remote VPN connections also provide the appropriate level of security?

Protecting Against Internet Threats

Internet threats are another concern for organizations of all sizes. While tools such as file sharing and social media applications have had a positive effect on employee productivity, they carry inherent risks: they can be exploited by hackers and other malicious authors to gain unauthorized access to or spread malware across the network. Remote control applications such as TeamViewer and PC Anywhere can dramatically enhance individual and team productivity, but malware writers can use vulnerabilities in these applications to take control of network assets. In addition, the use of file sharing applications such as Dropbox and iCloud opens the possibility that sensitive company data can be uploaded to the cloud, where the organization no longer has control over its distribution. Malware can also masquerade as well-known applications that run on open ports; can be embedded in legitimate applications where vulnerabilities have been discovered; or can be installed as a drive-by download from fraudulent websites - or legitimate ones that have been infected.

Social engineering techniques that target users of social media have also proven to be effective; these applications have taught employees that it is perfectly normal to click on embedded email links and download content from unknown websites, despite longstanding warnings from IT to abstain from such behavior.

A Proactive, Comprehensive Approach to Network Security Is Required

Business leaders understand that flexibility is essential to maximizing productivity. But how do they take advantage of the productivity and cost benefits provided by business and technology trends while protecting themselves from the security challenges these trends present? The answer lies in the ability to maximize an organization's visibility into its network traffic through full context awareness. When administrators can clearly see the details of the network traffic, they can make more intelligent decisions. Visibility into applications and user ID, though valuable, does not provide the full context awareness required to safely enable new applications, devices, and business cases. Full context awareness includes these, as well as enterprise-class URL filtering, dynamic web reputation, device awareness, and an understanding of where the user and device are located.

Application Visibility and Control

As mentioned earlier, application awareness is a core requirement for any next-generation firewall. However, it is crucial for the firewall to recognize more than just the applications themselves; it must also recognize and provide the capability to block the micro-applications that comprise that application. This is particularly important for social media applications such as Facebook and LinkedIn. Merely recognizing these applications only provides the ability to block or allow the application in its entirety. For example, an organization may want to provide access to Facebook to enable sales and marketing personnel to post to the company's corporate Facebook page and communicate with customers and partners, while denying access to Facebook Games. By recognizing each micro-application separately, administrators can grant different access privileges to each.

In addition, by recognizing specific behaviors within those micro-applications, the firewall can provide administrators with even more granular control. For example, the specific behaviors within the Facebook Messages and Chat micro-application are attachment upload, attachment download, and video chat. While most of those behaviors may be deemed appropriate business activities, the behavior attachment download is likely to be viewed by security personnel as inherently risky. Using a firewall that can recognize specific behaviors within a micro-application, administrators can allow Facebook Messages and Chat, while denying attachment download.

Evasive applications such as Skype can also be effectively controlled if the firewall can monitor all ports and protocols and enable policy definition to be based solely on the identification of the application itself. Since applications such as Skype always carry the same application ID, irrespective of what port or protocol they are using to exit the network, adding a policy to Block Skype can provide more effective enforcement while requiring fewer policies, compared with writing dozens of stateful firewall policies to block every possible combination. This saves administrators time in the initial development and the ongoing management of the policies, which translates into operational efficiencies for the business.

Finally, by controlling who has access to file sharing applications, as well as which application behaviors are allowed to be utilized, administrators can protect the organization's critical data while enabling employees to leverage powerful business tools.

Advanced User Identification

User awareness is another core component of any next-generation firewall; most provide passive authentication via a corporate directory service such as Active Directory (AD). This capability allows administrators to enforce policies based on who a user is or to what group or groups he belongs. While this identification on its own holds relatively little value, when paired with the application awareness highlighted above, administrators can use it to enable differentiated access to certain applications. For example, marketing and sales may have a legitimate business need to access social media tools, while finance does not.

In addition to passive authentication, some next-generation firewalls have extended this capability to include support for active authentication for business use cases that require stronger security measures. Whereas passive authentication relies on a simple lookup of the directory service and trusts that it has properly identified the user through username-to-IP-address mapping, active authentication requires an additional layer of security using mechanisms like Kerberos and NT LAN Manager (NTLM). This can be performed by either asking the browser, which in turn sends a seamless response based on the user's login credentials, or challenging the user with an authorization prompt. In either case, the security administrator is authenticating the user rather than relying on the username-to-IP-address mapping. This is important for organizations that need to provide access to sensitive information such as customer credit card data or a database containing healthcare information.

Device Awareness

For organizations that have embraced BYOD as a business reality, striking a balance between productivity and security requires granular visibility into the specific devices that are attempting to access the network, enabling administrators to enforce differentiated policies based on each device used. For example, an organization can decide to allow iPhone 4 devices to gain access to most network resources while denying or restricting access to earlier versions of the iPhone, or can give access to an iPhone 4 but not a 4S. Similarly, the organization can grant access to Windows-based PCs while denying access to Macs. In addition, if the firewall is equipped with location awareness, different policies can be enforced based on whether the device is located inside the LAN or is logging in remotely.
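The user, device and location sections above describe a single policy decision built from several context sources: a passive username-to-IP mapping that the firewall merely trusts, an active Kerberos/NTLM challenge for sensitive resources, a device allow list, and whether the client is on the LAN or remote. The following Python program is an added example of such a decision, not Cisco's code or a description of any product's implementation. The directory groups, the mapping table with its 8-hour expiry, the device list, the resource names and the users alice and bob are all constructed for illustration.

```python
"""Context-aware access decision combining user identity, authentication
strength, device type and location into one verdict.

Added example; not Cisco's code. The directory groups, username-to-IP
mapping, device list and resources below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Passive identification trusts a username-to-IP mapping learned from the
# directory (for example, AD logon events). A stale mapping attributes traffic
# to the wrong person, so each entry carries a learn time and expires.
MAPPING_TTL = timedelta(hours=8)
NOW = datetime(2013, 2, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock


@dataclass
class IpMapping:
    user: str
    learned_at: datetime


@dataclass
class Context:
    src_ip: str
    device: str                 # e.g. "iPhone 4", "iPhone 4S", "Windows PC", "Mac"
    location: str               # "lan" or "remote"
    active_auth_user: Optional[str] = None   # set only after a Kerberos/NTLM challenge succeeded


# Constructed directory group membership and passive mapping table.
DIRECTORY_GROUPS = {"alice": {"sales"}, "bob": {"finance"}}
IP_MAP = {
    "10.0.0.5": IpMapping("alice", datetime(2013, 2, 1, 9, 0, tzinfo=timezone.utc)),
    "10.0.0.9": IpMapping("bob", datetime(2013, 1, 25, 9, 0, tzinfo=timezone.utc)),
}

# Per-resource policy: authorized groups, whether the passive mapping is good
# enough, and whether remote (VPN) access is acceptable.
RESOURCES = {
    "social-media":  {"groups": {"sales", "marketing"}, "active_auth": False, "remote_ok": True},
    "cardholder-db": {"groups": {"finance"}, "active_auth": True, "remote_ok": False},
}

# Device policy from the paper's example: iPhone 4 and Windows PCs allowed,
# iPhone 4S, older iPhones and Macs not.
ALLOWED_DEVICES = {"iPhone 4", "Windows PC"}


def passive_user(ip: str, now: datetime) -> Optional[str]:
    """Look up the passive username-to-IP mapping; None if unknown or expired."""
    entry = IP_MAP.get(ip)
    if entry is None or now - entry.learned_at > MAPPING_TTL:
        return None
    return entry.user


def decide(resource: str, ctx: Context, now: datetime):
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'challenge'."""
    policy = RESOURCES[resource]
    if ctx.device not in ALLOWED_DEVICES:
        return "deny", f"device {ctx.device!r} is not permitted"
    if ctx.location == "remote" and not policy["remote_ok"]:
        return "deny", "resource is reachable only from inside the LAN"
    user = ctx.active_auth_user
    if user is None:
        if policy["active_auth"]:
            # Sensitive data: do not trust the IP mapping, challenge the user.
            return "challenge", "active authentication required"
        user = passive_user(ctx.src_ip, now)
        if user is None:
            return "challenge", "no fresh username-to-IP mapping for this address"
    if not DIRECTORY_GROUPS.get(user, set()) & policy["groups"]:
        return "deny", f"{user} is not in an authorized group"
    how = "active" if ctx.active_auth_user else "passive"
    return "allow", f"{user} authorized via {how} authentication"


def check(resource, src_ip, device, location, active_auth_user=None, hours_later=0):
    """Convenience wrapper: evaluate at NOW (+ hours_later) and return the verdict only."""
    now = NOW + timedelta(hours=hours_later)
    return decide(resource, Context(src_ip, device, location, active_auth_user), now)[0]


if __name__ == "__main__":
    print(decide("social-media", Context("10.0.0.5", "iPhone 4", "remote"), NOW))
    print(decide("cardholder-db", Context("10.0.0.9", "Windows PC", "lan"), NOW))
    print(decide("cardholder-db", Context("10.0.0.9", "Windows PC", "lan", "bob"), NOW))
```

The order of the checks is deliberate: device and location are cheap, deterministic attributes, so they are evaluated before any identity lookup, and the active-authentication requirement on the cardholder database means a correct username-to-IP mapping is never sufficient on its own for that resource, which is the distinction the paper draws between passive and active authentication.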

Web Security

URL and web filtering capabilities permit access to appropriate applications and content while preventing the use of those that might increase risk, drain productivity, or cause a loss of confidential information. Most web security appliances provide basic web filtering based on broad categories, as well as the capability to white- and black-list specific sites. Many vendors will also include a database of known bad URLs on the appliance itself. However, due to the dynamic nature of the Internet, these capabilities are not enough. According to the non-profit organization stopbadware.org, more than one million websites currently deliver malware and other software that takes action without a user's permission (also often referred to as greyware). Because thousands of new URLs are added to the list each week, web security that is limited to a static on-box list will never be able to keep pace. Therefore, in addition to these capabilities, organizations require URL filtering that is continuously updated for near-real-time protection from the ever-evolving threat landscape.

In addition, the firewall must be capable of identifying and stopping malware that masquerades as well-known applications that run on open ports, without inhibiting the business value of legitimate business tools that utilize those ports. This capability can be further strengthened by using global data and application traffic to provide near-real-time threat landscape information, including reputation analysis that is based on the behavior exhibited by a specific site or web application. If a provider is receiving traffic from a large number of sources from throughout the world and providing updates with a high enough frequency, the global data can also help protect the organization from zero-day threats.
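The section above layers three mechanisms: explicit allow/block lists, a static on-box category database, and a continuously updated reputation feed that the static data cannot replace. The Python program below is an added example of that layering and is not Cisco's code; every hostname, category, list entry and reputation score in it is constructed, and the freshness threshold of one hour and the score range of -10 to 10 are assumptions. It also covers the failure mode the paper implies but does not spell out: what the filter should do for an uncategorized host when the reputation feed has stopped updating.

```python
"""URL filtering that layers an explicit allow/block list, a static category
lookup and a continuously updated reputation feed, and that notices when the
feed has gone stale.

Added example; not Cisco's code. Every list, category, hostname and
reputation score here is constructed for illustration."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

BLOCKED_CATEGORIES = {"adult", "violence", "hate", "p2p", "anonymizer"}
ALLOW_LIST = {"intranet.corp.example"}       # explicit whitelist
BLOCK_LIST = {"badsite.example"}             # explicit blacklist
CATEGORY_DB = {                              # static on-box category database
    "video.example": "video",
    "tracker.example": "p2p",
    "proxy.example": "anonymizer",
}
REPUTATION_FEED = {                          # refreshed continuously in a real deployment
    "updated_at": datetime(2013, 2, 1, 12, 0, tzinfo=timezone.utc),
    "scores": {"news.example": 7, "new-malware.example": -8},   # assumed range -10..10
}
REPUTATION_BLOCK_BELOW = -5                  # assumed policy threshold
MAX_FEED_AGE = timedelta(hours=1)            # assumed freshness requirement


def hostname(url: str) -> str:
    """Normalize the host part of a URL; empty string if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def feed_is_fresh(feed, now: datetime) -> bool:
    return now - feed["updated_at"] <= MAX_FEED_AGE


def filter_url(url: str, now: datetime, feed=REPUTATION_FEED):
    """Return (verdict, reason) for one URL, most specific rule first."""
    host = hostname(url)
    if host in ALLOW_LIST:
        return "allow", "explicit allow list"
    if host in BLOCK_LIST:
        return "block", "explicit block list"
    category = CATEGORY_DB.get(host, "uncategorized")
    if category in BLOCKED_CATEGORIES:
        return "block", f"category {category}"
    if feed_is_fresh(feed, now):
        # Dynamic reputation catches hosts the static database has never seen.
        score = feed["scores"].get(host)
        if score is not None and score < REPUTATION_BLOCK_BELOW:
            return "block", f"reputation score {score}"
    elif category == "uncategorized":
        # The static database has nothing on this host and the dynamic data is
        # too old to vouch for it: fail closed rather than let it through.
        return "block", "reputation feed stale and host uncategorized"
    return "allow", f"category {category}"


def check_url(url: str, hours_after_feed: float = 0.5) -> str:
    """Convenience wrapper: evaluate at feed time + hours_after_feed, verdict only."""
    now = REPUTATION_FEED["updated_at"] + timedelta(hours=hours_after_feed)
    return filter_url(url, now)[0]


if __name__ == "__main__":
    for url in ("http://new-malware.example/dl.exe", "http://unknown.example/"):
        print(url, check_url(url), check_url(url, hours_after_feed=3))
```

Note the asymmetry in the stale-feed branch: a host the static database does categorize still gets its category verdict, while an uncategorized host is blocked, because once the feed is stale nothing on the box can say anything about it. Whether to fail closed that way is a policy choice; the point is that the filter must know the age of its dynamic data rather than silently keep trusting a list that has stopped updating.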
To enable these use cases without jeopardizing security, some IT organizations have replaced their stateful firewall product lines with those that provide additional levels of visibility - and therefore superior control. Though additional visibility is rarely considered a bad thing, most of these next-generation firewalls come with tradeoffs, which are important for administrators and business leaders to understand prior to making a purchase decision.

Limited Visibility: A Problem Half-Solved

There is little doubt that delivering additional visibility into network traffic carries enormous security advantages. Enhanced network visibility provides administrators with the ability to develop and enforce more granular security policies for superior protection of corporate assets. This is why application and user ID awareness capabilities are core to next-generation firewalls. However, many next-generation firewalls center the entire solution exclusively on these two elements at the expense of everything else. Certainly, any visibility is better than no visibility, but, as discussed throughout this paper, there is so much more going on in a typical corporate network that application and user ID awareness alone fall short of what is required to provide sufficient visibility to make intelligent security decisions. In addition to these capabilities, a comprehensive security solution must provide administrators with the ability to control specific behaviors within allowed micro-applications, restrict web and web application usage based on the reputation of the site, proactively protect against Internet threats, and enforce differentiated policies based on the user, device, role, and application type.

Seek the Best of Both Worlds

Despite the many benefits of employing a next-generation firewall, there are also some drawbacks to consider. Therefore, business leaders should fully assess their options prior to making a purchase decision. Many next-generation firewall vendors force customers to abandon their existing firewalls and all associated security policies so that they may start fresh with all new security policies that are written specifically for the next-generation firewall platform. This rip and replace is necessary because most next-generation firewalls are fundamentally different from existing classic or stateful firewalls, working on a completely different computing layer.

While stateful firewalls work on the network and transport layers of the computing architecture, next-generation firewalls work on the application layer. As a result, the organization's existing firewall policies will be useless in the new paradigm and therefore must be completely rewritten. This is by no means a quick, easy task - most organizations have thousands of policies, and larger organizations can have tens of thousands. It can take months of time and significant budget allocation to get it done. In addition, security performed at the application layer is, by its nature, a deeper level of inspection, and can cause network performance to degrade.

Replacing an organization's stateful inspection firewall with one that is built exclusively for the application layer can also potentially jeopardize the organization's compliance with industry regulations, as many regulatory bodies specifically stipulate the need for stateful inspection. Since application- and user-ID-based firewall policies are nondeterministic, relying solely on a next-generation firewall may put the organization at risk for a failed audit.

However, some firewall vendors provide a hybrid approach, in which the stateful and next-generation firewall capabilities work together. Since these firewalls support both stateful and next-generation capabilities, organizations can continue to use their existing policies while they develop new next-generation rules; they are not forced to abandon one for the other, so they can replace the old policies over time, as it makes the most sense for their security needs. In addition, not all traffic requires the deeper level of inspection conducted by next-generation firewalls, so the hybrid model enables organizations to preserve more of their network performance by only performing the deeper level of inspection on traffic and use cases that require it. In this way, organizations can achieve a superior level of security while maximizing business flexibility.
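Two passages of this paper describe how policy evaluation should work: the Application Visibility and Control section (one "Block Skype" rule matched on application ID regardless of port, and micro-application behaviors such as Facebook Messages and Chat with attachment download denied), and the hybrid model just above (deterministic stateful rules evaluated first, deeper inspection only for the traffic that needs it). The Python program below is an added example serving both passages; it is not Cisco's code and does not describe how any product implements this. The rule sets, the sample sessions, the hostname facebook.example and the tiny payload-based classifier, including its Skype marker, are all constructed for illustration and do not reflect any real protocol signature.

```python
"""Hybrid policy evaluation: deterministic stateful rules run first, and only
flows they hand off go through application identification, where rules match
on application, micro-application and behavior rather than on port.

Added example; not Cisco's code. The rules, the flows and the tiny
payload-based classifier (including the Skype marker) are constructed for
illustration and do not reflect any real protocol signature."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Flow:
    dst: str
    proto: str
    dport: int
    payload: bytes = b""        # first bytes of the session, seen by the classifier


@dataclass
class StatefulRule:
    action: str                 # "allow"/"deny" are final; "inspect" hands the flow off
    proto: Optional[str] = None
    dport: Optional[int] = None
    dst_prefix: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return ((self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport)
                and (self.dst_prefix is None or f.dst.startswith(self.dst_prefix)))


@dataclass
class AppRule:
    action: str
    app: str
    micro_app: Optional[str] = None
    behavior: Optional[str] = None

    def matches(self, app, micro_app, behavior) -> bool:
        return (self.app == app
                and (self.micro_app is None or self.micro_app == micro_app)
                and (self.behavior is None or self.behavior == behavior))


# Layer 3/4 policy, evaluated in order; first match wins and is deterministic.
STATEFUL_RULES = [
    StatefulRule("deny", proto="tcp", dport=23),    # telnet never leaves
    StatefulRule("allow", dst_prefix="10.0."),      # internal traffic: no deep inspection
    StatefulRule("inspect"),                        # everything else: identify the application
]

# Application policy, evaluated in order; a single "deny skype" covers every port.
APP_RULES = [
    AppRule("deny", "skype"),
    AppRule("deny", "facebook", micro_app="games"),
    AppRule("deny", "facebook", micro_app="messages-and-chat", behavior="attachment-download"),
    AppRule("allow", "facebook"),
]
APP_DEFAULT = "allow"           # applications with no matching rule (assumed policy)

SKYPE_MARKER = b"\x17\x03\x01SKYPE-TOY"   # constructed, not a real signature


def classify(f: Flow) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (app, micro_app, behavior) from payload content, ignoring the port."""
    p = f.payload
    if p.startswith(SKYPE_MARKER):
        return "skype", None, None
    request_line, _, headers = p.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return "unknown", None, None
    method, path = parts[0], parts[1]
    host = b""
    for h in headers.split(b"\r\n"):
        if h.lower().startswith(b"host:"):
            host = h.split(b":", 1)[1].strip().lower()
    if host.endswith(b"facebook.example"):
        if path.startswith(b"/games/"):
            return "facebook", "games", None
        if path.startswith(b"/messages/attachment"):
            behavior = "attachment-download" if method == b"GET" else "attachment-upload"
            return "facebook", "messages-and-chat", behavior
        if path.startswith(b"/messages/"):
            return "facebook", "messages-and-chat", "message"
        return "facebook", None, None
    return "http", None, None


def evaluate(f: Flow):
    """Return (verdict, reason, inspected): stateful layer first, app layer only on hand-off."""
    for r in STATEFUL_RULES:
        if r.matches(f):
            if r.action != "inspect":
                return r.action, f"stateful rule {r}", False
            break
    app, micro_app, behavior = classify(f)
    for r in APP_RULES:
        if r.matches(app, micro_app, behavior):
            return r.action, f"app rule {r}", True
    return APP_DEFAULT, f"no app rule for {app}", True


# Constructed sample sessions.
FB_GAMES = b"GET /games/farm HTTP/1.1\r\nHost: www.facebook.example\r\n\r\n"
FB_ATTACH_DL = b"GET /messages/attachment/123 HTTP/1.1\r\nHost: www.facebook.example\r\n\r\n"
FB_ATTACH_UL = b"POST /messages/attachment HTTP/1.1\r\nHost: www.facebook.example\r\n\r\n"
PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def verdict(dst, proto, dport, payload=b""):
    """(verdict, inspected) for one flow; handy for tests and quick checks."""
    v, _, inspected = evaluate(Flow(dst, proto, dport, payload))
    return v, inspected


if __name__ == "__main__":
    print(verdict("10.0.1.5", "tcp", 445))                      # internal, never inspected
    print(verdict("198.51.100.7", "tcp", 443, SKYPE_MARKER))    # same rule on any port
    print(verdict("198.51.100.7", "udp", 53, SKYPE_MARKER))
    print(verdict("198.51.100.7", "tcp", 443, FB_ATTACH_DL))
```

Three properties of the paper's argument are visible in the return values: internal and telnet flows are decided by the stateful layer without ever being classified, so deep inspection cost is paid only where a rule hands off; the Skype flow is denied identically on TCP/443 and UDP/53 by the one application rule, which is the port-hopping case that would otherwise take many stateful rules; and the attachment upload and download sessions differ only in the HTTP method, which is exactly the granularity a behavior-level rule needs.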
Conclusion

Trends such as BYOD and the adoption of social media and other grey applications as legitimate business tools have had profound effects on organizations of all sizes. However, next-generation firewalls that only provide application and user ID awareness fall short of providing the level of network visibility required to safely enable them. Instead, by looking at the full context of the network traffic, administrators are empowered with actionable security enforcement based on a high level of network visibility and intelligence. By employing a firewall that combines stateful capabilities with full context awareness, organizations can strike a balance between the high level of network security required to support these new business cases and the flexibility they require to maximize their business agility.

Printed in USA C11-726002-00 02/13