Moving Network Security from Black and White to Color Refocusing on Safely Enabling Applications



Similar documents
App-ID. PALO ALTO NETWORKS: App-ID Technology Brief

REPORT & ENFORCE POLICY

May Palo Alto Networks 232 E. Java Drive Sunnyvale, CA

Preventing Data Leaks At The Firewall A Simple, Cost-Effective Way To Stop Social Security and Credit Card Numbers From Leaving Your Network

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013

The Application Usage and Threat Report

A Modern Framework for Network Security in the Federal Government

What s Next for Network Security - Visibility is king! Gøran Tømte March 2013

Reinventing Network Security, One Firewall at a Time. Chris King Director, Product Marketing

What s Next for the Next Generation Firewall Vendor Palo Alto Networks Overview. October 2010 Matias Cuba - Regional Sales Manager Northern Europe

Palo Alto Networks Gets Top Marks for Solving Bandwidth and Security Issues for School District

Things Your Next Firewall Must Do

Moving Beyond Proxies

Prioritize Access to Business Applications With Cyberoam s Application Visibility & Control

10 REQUIREMENTS FOR YOUR NEXT GENERATION MANAGED CLOUD FIREWALL WHITE PAPER

Protecting Your Network Against Risky SSL Traffic ABSTRACT

Firewall Feature Overview

Next-Generation Firewall Overview

Palo Alto Networks Next-Generation Firewall Overview

Requirements for Your Next Generation Managed Cloud Firewall

CASE STUDY. AUSTRIAN AIRLINES Modernizes Network Security for First Class Performance

How to Dramatically Reduce the Cost and Complexity of PCI Compliance

Controlling SSL Decryption. Overview. SSL Variability. Tech Note

PALO ALTO SAFE APPLICATION ENABLEMENT

FROM PRODUCT TO PLATFORM

Controlling Peer-to-Peer Applications

Using Palo Alto Networks to Protect the Datacenter

Content-ID. Content-ID enables customers to apply policies to inspect and control content traversing the network.

Firewall Testing Methodology W H I T E P A P E R

Enterprise Security Platform for Government

White Paper. Consolidate Network Security to Reduce Cost and Maximise Enterprise Protection

Breaking the Cyber Attack Lifecycle

Networking for Caribbean Development

Reducing Costs With Next- generation Network Security Investing in Innovation Pays Cost Savings Dividends

Content-ID. Content-ID URLS THREATS DATA

Still Using Proxies for URL Filtering? There s a Better Way

Next Generation Enterprise Network Security Platform

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

Next Generation Security Strategies. Marc Sarrias Regional Sales Manager

June Palo Alto Networks 3300 Olcott Street Santa Clara, CA

Securing the Virtualized Data Center With Next-Generation Firewalls

Reducing Costs With Next-generation Firewalls. Investing in Innovation Pays Cost Savings Dividends

Get In Control: Introducing XTM 11.4

Next-Generation Firewall Overview

Next-Generation Firewall Overview

WildFire. Preparing for Modern Network Attacks

Introducing IBM s Advanced Threat Protection Platform

Deployment Guide for Microsoft Lync 2010

11 THINGS YOUR FIREWALL SHOULD DO. a publication of 2012 INVENIO IT A SMALL BUSINESS WHITEPAPER

Defending Against Cyber Attacks with SessionLevel Network Security

How To Control Your Network With A Firewall On A Network With An Internet Security Policy On A Pc Or Ipad (For A Web Browser)

Beyond the Hype: Advanced Persistent Threats

Stopping secure Web traffic from bypassing your content filter. BLACK BOX

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Firewalls Aren t Just About Security

Best Practices for Controlling Skype within the Enterprise > White Paper

Next-Generation Firewalls: Critical to SMB Network Security

How To Control Your Computer With Watchguard Application Control

Fidelis XPS Power Tools. Gaining Visibility Into Your Cloud: Cloud Services Security. February 2012 PAGE 1 PAGE 1

How to Gain Visibility and Control of Encrypted SSL Web Sessions >

Deployment Guide for Citrix XenDesktop

PREVENTIA. Skyhigh Best Practices and Use cases. Table of Contents

8 Steps For Network Security Protection

CASE STUDY. RHEINLAND VERSICHERUNGSGRUPPE Who Ensures Security for The Insurers? RHEINLAND VERSICHERUNGSGRUPPE Who Ensures Security for The Insurers?

Best Practices for Controlling Skype within the Enterprise. Whitepaper

How Palo Alto Networks Can Help With ASD's Top Cyber Intrusion Mitigation Strategies

Significance of the Entrepreneurial Company of the Year Award

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Outbound and Data Loss Prevention in Today s Enterprise, 2010

Protect your internal users on the Internet with Secure Web Gateway. Richard Bible EMEA Security Solution Architect

The Benefits of SSL Content Inspection ABSTRACT

Data Center Micro-Segmentation

Cybercrime: evoluzione del malware e degli attacchi. Cesare Radaelli Regional Sales Manager, Italy cradaelli@paloaltonetworks.com

VM-Series for VMware. PALO ALTO NETWORKS: VM-Series for VMware

How Traditional Firewalls Fail Today s Networks And Why Next-Generation Firewalls Will Prevail

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

A Websense White Paper Implementing Best Practices for Web 2.0 Security with the Websense Web Security Gateway

Mobility, Security Concerns, and Avoidance

The Next Generation Firewall The Policy and Security Control Point

SSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES

Securing Endpoints without a Security Expert

1110 Cool Things Your Firewall Should Do. Extending beyond blocking network threats to protect, manage and control application traffic

Network Security for Mobile Users

Take Back Control: Increase Security, Empower Employees, Protect the Business

Cybersecurity Imperatives: Reinvent Your Network Security With Palo Alto Networks

How to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter. A Cymphonix White Paper

FIREWALL BUYERS GUIDE

APERTURE. Safely enable your SaaS applications.

McAfee Endpoint Protection for SMB. You grow your business. We keep it secure.

Secure Cloud-Ready Data Centers Juniper Networks

Palo Alto Networks Next-generation Firewall Overview

Application Intelligence, Control and Visualization

CMPT 471 Networking II

On and off premises technologies Which is best for you?

Palo Alto Networks. October 6

GlobalProtect Overview

Palo Alto Networks Overview

A HELPING HAND TO PROTECT YOUR REPUTATION

Finding Network Security Breaches Using LiveAction Software to detect and analyze security issues in your network

Bring Your Own Device:

Transcription:

Moving Network Security from Black and White to Color Refocusing on Safely Enabling Applications July 2009 Palo Alto Networks 232 E. Java Drive Sunnyvale, CA 94089 408-738-7700 www.paloaltonetworks.com

Table of Contents Less About Threats, More About Safely Enabling Applications...3 Many Types of Applications...3 Dictate a Variety of Responses...4 Applications Aren t Threats It s Time to Fix the Firewall...6 Copyright 2009, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, and App-ID are trademarks of Palo Alto Networks, Inc. in the United States. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. 2009 Palo Alto Networks Page 2

Less About Threats, More About Safely Enabling Applications The old model of security was simple there was good traffic (business application traffic) and bad traffic (threats). Network security was a simple affair stop the threats, allow application traffic. Black and white. But the landscape is now different the number, types, and nature of applications have changed tremendously. Many applications are hosted outside the enterprise enterprise users employ a mix of business-focused and consumer-focused applications for a variety of business and personal reasons. All of these applications carry risk (some carry threats), but also, in most cases, these applications have substantial benefits. Accordingly, simply blocking, or allowing these applications does harm to the business either by slowing business down, or by taking on too much risk. Network and information security professionals need to shift their focus from treating applications as threats, to working towards the safe enablement of applications. It s time to add some sophistication to our thinking about network security. But what kind of sophistication? And how to incorporate without adding expensive complexity? Here s what organizations need to do: 1. See what applications are running on the enterprise network 2. Decide which applications are desirable from a risk/benefit perspective 3. Exert fine-grained control over application traffic allow the beneficial applications for the right users, disallow risky applications or functions, and mitigate the risk associated with beneficial, high-risk applications Doing this requires some changes a shift in policy, and some additional requirements for the network security infrastructure. Palo Alto Networks next-generation firewalls enable both first by offering enterprises unprecedented visibility into which applications are running on their networks, and second by enabling fine-grained control over those applications well beyond simple allow or block enforcement. Many Types of Applications But let s step back from a business perspective, there are three classes of applications: Corporate productivity applications automate a business process Personal productivity applications make individual users more productive Lifestyle or consumer-oriented applications enable users to maintain their online life Many examples of all of the above types are hosted outside the enterprise, and as stated above, all of which carry risk. Some of these applications have business value, some do not, and some are outright harmful to the enterprise. So many of these applications might be desirable for different reasons. Corporate and personal productivity applications have a well-established place in the workplace (although often, IT is not aware of the number and variety of applications in use for personal productivity). Even reasonable use of some lifestyle applications is often allowed, for cultural reasons. All of these types of applications, however, carry risk. They transfer files, consume bandwidth, carry malware, tunnel other applications, have vulnerabilities associated with them, are prone to misuse, and/or are evasive. These application behaviors impact serious business issues, including compliance, operations costs, data loss, business continuity, and productivity. 2009 Palo Alto Networks Page 3

Accordingly, organizations need to weigh risk/benefit for applications. Given that most organizations want the benefit of all of these applications, but don t want to carry undue risk, IT security organizations must safely enable use by allowing the application, but somehow mitigating the risk associated with the application. Dictate a Variety of Responses Because applications aren t threats, the new set of responses to application traffic should include: Deny Allow Limit (by user, group, time of day, or application function) Scan Shape Deny and allow are well understood as policy actions. They are the basis for the old model of security (the black and white, to use the picture analog above). Organizations will deny known undesirable applications (e.g., peer-to-peer file sharing applications). Or allow known approved applications (with some conditions, as noted below. Obviously, deny and allow have a place in our new color model. But safe enablement requires more, as stated above. Limiting applications to certain users or groups of users is one way organizations might consider reducing their exposure to risk. Other types of limitations include by schedule or time of day or by application function (e.g., allow Webex, but not the desktop sharing function). Scanning applications for threats is another way to mitigate risk for an allowed application and should include scanning for exploits, malware and potentially confidential data. Incorporating traffic shaping and quality of service (QoS) as a policy response is a way to ensure that critical business applications aren t negatively impacted by less critical applications Many enterprises are trying to expand beyond the simplistic deny/allow paradigm for network security, but the mix of enforcement points and the limitations of existing security infrastructure prohibit doing this in any effective fashion. Firewalls, proxies, IPS, and QoS technologies all have some ability to help with this task, but none can do it comprehensively. To use QoS/traffic shaping as an example, many components of network infrastructure have the capacity to perform QoS, but lack the intelligence to do so meaningfully. There are dedicated traffic shaping products that have good application knowledge, but they lack the performance to keep up with the requirements for high speed queue management and perhaps more importantly, are completely disconnected from the other types of policy enforcement (e.g., scan, limit, allow, deny) that might be performed in a variety of other devices, as mentioned above. Palo Alto Networks next-generation firewalls recognize your network applications, regardless of port, protocol, SSL encryption, or other evasive tactics, and can apply all of the relevant 2009 Palo Alto Networks Page 4

controls required by enterprises allow, deny, limit, scan, or shape. These firewalls enable organizations to better, and more completely manage risk, but also reduce costs due to the simplification of security infrastructure, and the integration of all of the appropriate policy responses to applications into the firewall. Here s an example: Let s say an organization wants to enable all users to employ an externally hosted salesforce automation application (Salesforce.com), along with an externally hosted collaboration application (Sharepoint). These are corporate productivity applications. The organization also wants to enable Webex and Skype for sales and customer support people, and Google Docs for the manufacturing team collaborating with partners. Obviously, these fall more into the personal productivity applications but clearly provide business value. As experiments, the organization wants to enable IT folks to use Bittorrent (but no other filesharing applications) to swap Linux binaries and 2 social networking applications for marketing people (Facebook and LinkedIn). Finally, for cultural reasons, the organization wants to open up IM (but eliminate file transfer capabilities) for all users, as well as enable limited, approved audio streaming (lifestyle applications). So, we will set policy to enable those corporate productivity applications, and give them high priority and bandwidth. But we re going scan the Sharepoint traffic for threats. Then, we ll enable the personal productivity applications for the sales, customer support, and the manufacturing team but scan the Google Apps traffic for confidential data. For these personal productivity applications, we ll give them medium priority and bandwidth. For our experiment applications, we will allow for the right people (IT and marketing), and we ll assign low priority, but medium bandwidth. For our lifestyle applications, we ll allow for all, eliminate file transfers on IM, and assign low priority and bandwidth. All of this can be done with Palo Alto Networks next-generation firewall. The above example illustrates the power, and risk management capabilities of fine-grained policy responses for a wide variety of applications. 2009 Palo Alto Networks Page 5

Applications Aren t Threats It s Time to Fix the Firewall Application controls used to be in the firewall, but that was back in the days of applications respecting their assigned port numbers. That was also back in the days of a simpler black and white security model. Given today s application and threat landscape, enterprises need to adopt a new model for security. Each application has benefits; whether they are the automation of a business process, a productivity enhancement, or simply help make the workplace more pleasant for employees. But each application also carries risk tunneling other applications, consuming bandwidth, carrying threats, transferring files, or impacting productivity. So applications aren t threats. Enterprises will have different perspectives on which applications are beneficial and appropriate to have on the network, and need a variety of responses (allow, deny, limit, scan, and shape) to mitigate the risk each allowed application carries. With its next-generation firewalls, Palo Alto Networks delivers the required application visibility, the application intelligence to make policy decisions, and the fine-grained controls to enforce those policies empowering IT organizations to safely enable applications for their users. 2009 Palo Alto Networks Page 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information