Things Your Next Firewall Must Do




10 Things Your Next Firewall Must Do

Introduction: 10 Things Your Next Firewall Must Do

Much has been made about bringing application visibility and control into network security. The reason is obvious: applications can easily slip by traditional port-based firewalls. And the value is obvious: employees use any application they need to get their job done, often indifferent to the risk that use poses to the business. Nearly every network security vendor has acknowledged that application control is an increasingly critical part of network security. While the next-generation firewall (NGFW) is well defined by Gartner as something new, enterprise-focused, and distinct, many network security vendors are claiming NGFW is a subset of other functions (e.g., UTM or IPS). Most traditional network security vendors are attempting to provide application visibility and control by using a limited number of application signatures supported in their IPS or other external database. But underneath, these capabilities are poorly integrated and their products are still based on legacy port-blocking technology, not NGFW technology.

Perhaps most importantly, these folks are missing the point: it's not about blocking applications, but safely enabling them. Unfortunately, the products proffered by traditional network security vendors ignore much of what enterprises do with applications today: they use them to enable their business and, as such, need to make sure that those applications run securely. It is obvious that a next-generation firewall is a different and revolutionary class of product, but the interest from enterprise customers is so strong that vendors of traditional products are trying to subvert the interest of enterprise network security teams by attempting to look like a NGFW.

Definition: Next-generation firewall. 5 Requirements:
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation

For enterprises looking at NGFWs, the most important consideration is: Will this new technology empower security teams to securely enable applications to the benefit of the organization? Key questions to ask include:
- Will it increase visibility and understanding of application traffic?
- Will it expand traffic control options beyond blunt allow/deny?
- Will it help prevent threats?
- Will it eliminate the need to compromise between performance and security?
- Will it reduce costs for my organization?
- Will it make the job of risk management easier or simpler?

If the answers to the above questions are yes, the transition is easy to justify.

There are substantial differences between NGFWs and UTM-style devices in terms of the kinds of organization each targets, and in terms of architecture and security model. These differences have dramatic impacts on real-world functions/features, operations, and performance, as we've attempted to capture in the ten things section below.

Architecture and Security Model: Traffic is Best Classified in the Firewall

In building next-generation firewalls, security vendors have taken one of two architectural approaches:
1. Build application identification into the firewall as the primary classification engine
2. Add application signatures to an IPS or IPS-like pattern matching engine which is then added to a port-based firewall

Both can recognize applications, but with varying degrees of success, usability, and relevance. Most importantly, these architectural approaches dictate a specific security model for application policies: either positive (default deny), or negative (default allow).

Firewalls use a positive security model. Another term for it is default deny. Which means that administrators write policies to ALLOW traffic (e.g., allow WebEx) and then everything else is denied or blocked. Negative policies (e.g., block Limewire) can be used in this model, but the most important fact is that the end of the policy in a positive security model says, "all else deny." One of the key implications of this approach is that all traffic must be classified in order to allow the appropriate traffic. So visibility of traffic is easy and complete. Policies enable applications. Another key result of this approach is that any unknown traffic is, by default, denied. In other words, the best next-generation firewall is a firewall.

Intrusion prevention systems (IPS) typically employ a negative security model, or default allow. Which means that IPS identifies and blocks specific traffic (traditionally threats) and everything else is passed through. Traditional network security vendors are adding application signatures to an IPS-style engine and bolting it onto a traditional port-based firewall. The result is an application prevention system. The application control is in a negative security model; in other words, it's not in a firewall. Implication: one only sees what is expressly looked for, and unknown traffic is, by default, allowed.
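The two security models side by side, as an added example that is not part of the original paper: the same constructed flows are evaluated by a port-based rulebase, by a negative (default allow) signature engine bolted onto it, and by a positive (default deny) application policy, including the unknown-traffic-on-port-53 case the paper raises under requirement 6. The application labels, rule sets and payload heuristics are illustrative assumptions, not any vendor's classifier.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    dst_port: int
    first_bytes: bytes  # first client payload bytes (constructed samples below)


def looks_like_dns_query(p: bytes) -> bool:
    """Minimal DNS header check: QR bit clear, one question, no answers."""
    if len(p) < 12:
        return False
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", p[:12])
    return (flags & 0x8000) == 0 and qd == 1 and an == 0


def classify(flow: Flow) -> str:
    """Toy application classifier: inspects payload only, never the port."""
    p = flow.first_bytes
    if p.startswith(b"SSH-2.0-"):          # SSH identification string
        return "ssh"
    if p[:2] == b"\x03\x00":               # TPKT header used in RDP setup
        return "ms-rdp"
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD") and b" HTTP/1." in p:
        return "web-browsing"
    if looks_like_dns_query(p):
        return "dns"
    return "unknown"


# Assumed rule sets for the illustration.
OPEN_PORTS = {53, 80, 443}                 # port-based rulebase
BLOCK_SIGNATURES = {"ms-rdp"}              # negative model: what to look for
ALLOWED_APPS = {"web-browsing", "dns"}     # positive model: what to enable


def port_firewall(flow: Flow) -> str:
    return "allow" if flow.dst_port in OPEN_PORTS else "deny"


def negative_model(flow: Flow) -> str:
    """Port firewall first, then block only what a signature names."""
    if port_firewall(flow) == "deny":
        return "deny"
    return "deny" if classify(flow) in BLOCK_SIGNATURES else "allow"


def positive_model(flow: Flow) -> str:
    """Allow listed applications on any port; all else (incl. unknown) deny."""
    return "allow" if classify(flow) in ALLOWED_APPS else "deny"


# Constructed sample traffic.
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
DNS_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
             + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))
RDP_REQ = (b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00"
           b"\x01\x00\x08\x00\x03\x00\x00\x00")
SAMPLES = [
    Flow("http-on-80", 80, HTTP_REQ),
    Flow("http-on-8080", 8080, HTTP_REQ),       # allowed app, non-standard port
    Flow("ssh-on-443", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("rdp-on-80", 80, RDP_REQ),
    Flow("dns-on-53", 53, DNS_QUERY),
    Flow("beacon-on-53", 53, b"\xde\xad\xbe\xef" + b"opaque non-DNS bytes"),
]


def verdicts() -> dict:
    """Map flow name -> (port firewall, negative model, positive model)."""
    return {f.name: (port_firewall(f), negative_model(f), positive_model(f))
            for f in SAMPLES}


if __name__ == "__main__":
    print(f"{'flow':<14}{'app':<14}{'port-fw':<9}{'negative':<10}positive")
    for f in SAMPLES:
        pf, neg, pos = verdicts()[f.name]
        print(f"{f.name:<14}{classify(f):<14}{pf:<9}{neg:<10}{pos}")
```

Only the positive model denies both SSH on 443 and the unclassifiable payload on port 53, and only it still allows web browsing when it moves to port 8080.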

While this paper is focused on the 10 specific things your next (generation) firewall must do, knowledge of the architecture and model as outlined above are prerequisites to understanding the different capabilities of the different products on the market and their ability to deliver these functions. The ten things discussed below represent some of the critical, specific requirements we've gathered from thousands of IT organizations since we began selling next-generation firewalls in 2007. These are all real-world examples of requirements that make the job of securing enterprise networks easier, better, or simpler, marketing hype aside.

The 10 Things Your Next (Generation) Firewall Must Do

There are three areas of difference: security functions, operations, and performance. The security functional elements correspond to the efficacy of the security controls, and the ability for enterprises to manage risk associated with network traffic. From an operations perspective, the big question is: where does application policy live, and how hard or complex is it to manage? The performance difference is simple: can the firewall do what it's supposed to do at the throughput it's supposed to do it?

The Ten Things Your Next (Generation) Firewall Must Do are:
1. Identify and control applications on any port
2. Identify and control circumventors
3. Decrypt outbound SSL
4. Provide application function control
5. Scan for viruses and malware in allowed collaborative applications
6. Deal with unknown traffic by policy
7. Identify and control applications sharing the same connection
8. Enable the same application visibility and control for remote users
9. Make network security simpler, not more complex with the addition of application control.
10. Deliver the same throughput and performance with application control active

1. Your next firewall must identify and control applications on any port, not just standard ports (including applications using HTTP or other protocols)

Business case: Application developers no longer adhere to standard port/protocol/application mapping. More and more applications are capable of operating on non-standard ports or can hop ports (e.g., instant messaging applications, peer-to-peer file sharing, or VOIP). Additionally, users are increasingly savvy enough to force applications to run over non-standard ports (e.g., MS RDP, SSH). In order to enforce application-specific policies where ports are increasingly irrelevant, your next firewall must assume that any application can run on any port. This is one of the fundamental changes in technology that made the NGFW an absolute necessity. It was this change to applications that made the positive control of traditional port-based firewalls obsolete. It also underscores why a negative control model can't solve the problem. If an application can move to any port, a product based on negative control would have to run all signatures on tens of thousands of ports.

Requirements: This one is simple: if any application can run on any port, your next firewall must classify traffic, by application, on all ports all the time (see #4 and #7). Otherwise, security controls will continue to be outwitted by the same techniques that have plagued them for years.

2. Your next firewall must identify and control circumventors: proxies, remote access, and encrypted tunnel applications

Business case: Most organizations have security policies and controls designed to enforce those policies. Proxies, remote access, and encrypted tunnel applications are specifically used to circumvent security controls like firewalls, URL filtering, IPS, and secure web gateways. Without the ability to control these circumventors, organizations cannot enforce their security policies, and expose themselves to the very risks they thought their controls mitigated. To be clear, not all of these types of applications are the same: remote access applications have legitimate uses, as do some encrypted tunnel applications. But external anonymous proxies that communicate over SSL on random ports, or applications like Ultrasurf and Tor, have only one real purpose: to circumvent security controls.

Requirements: There are different types of circumvention applications, each using slightly different techniques. There are both public and private external proxies (see proxy.org for a large database of public proxies) that can use both HTTP and HTTPS. Private proxies are often set up on unclassified IP addresses (e.g., home computers) with applications like PHProxy or CGIProxy. Remote access applications like MS RDP or GoToMyPC can have legitimate use but, due to the associated risk, should be managed. Most other circumventors (e.g., Ultrasurf, Tor, Hamachi) don't have business uses. There are, of course, unknown circumventors (see #6 below). Regardless of the policy stance, your next firewall needs to have specific techniques to deal with all of these applications, regardless of port, protocol, encryption, or other evasive tactic. One more consideration: these applications are regularly updated to make them harder to detect and control. So it is important to understand not only that your next firewall can identify these circumvention applications, but also how often that firewall's application intelligence is updated and maintained.

3. Your next firewall must decrypt outbound SSL

Business case: Today, more than 15% of network traffic is SSL-encrypted (according to more than 2,400 enterprise network traffic samples; see Palo Alto Networks Application Usage and Risk Report for details). In some industries (e.g., financial services), it's more than 50%. Given the increasing adoption of HTTPS for many high-risk, high-reward applications that end-users employ (e.g., Gmail, Facebook), and users' ability to force SSL on many websites, network security teams have a large and growing blind spot without decrypting, classifying, controlling, and scanning SSL-encrypted traffic. Certainly, a NGFW must be flexible enough that certain types of SSL-encrypted traffic can be left alone (e.g., web traffic from financial services or health care organizations) while other types (e.g., SSL on non-standard ports, HTTPS from unclassified websites in Eastern Europe) can be decrypted via policy.

Requirements: The ability to decrypt outbound SSL is a foundational element, not just because it's an increasingly significant percentage of enterprise traffic, but also because it enables a few other key features that would end up incomplete or ineffective without the ability to decrypt SSL (e.g., control of circumventors - #2, application function control - #4, scanning allowed applications - #5, and control of applications sharing the same connection - #7). Key elements to look for include recognition and decryption of SSL on any port, policy control over decryption, and the necessary hardware and software elements to perform SSL decryption across tens of thousands of simultaneous SSL connections with good performance and high throughput.

4. Your next firewall must provide application function control (e.g., SharePoint Admin vs. SharePoint Docs)

Business case: Many applications have significantly different functions, presenting different risk profiles and value to both the user, and the organization. Good examples of this include WebEx vs. WebEx Desktop Sharing, Yahoo Instant Messaging vs. the file transfer feature, and regular Gmail vs. sending attachments. In regulated environments, or in organizations heavily dependent on intellectual property, this is a significant issue.

Requirements: Continuous classification and fine-grained understanding of each application. Your next firewall has to continually evaluate the traffic and watch for changes: if a different function or feature is introduced in the session, the firewall should note it and perform a policy check. Understanding the different functions of each application and the different associated risks is equally important. Unfortunately, many firewalls classify a traffic flow once, and then fast path it (read: never look at that flow again) for better performance. This method pre-dates modern applications and prevents those firewalls from meeting this requirement.

5. Your next firewall must scan for threats in allowed collaboration applications, e.g., Sharepoint, Box.net, MS Office Online

Business case: Enterprises continue to adopt collaborative applications hosted outside their physical locations. Whether it's hosted Sharepoint, Box.net, Google Docs, or Microsoft Office Live, or even an extranet application hosted by a partner, many organizations have a requirement to use an application that shares files; in other words, is a high-risk threat vector. Many infected documents are stored in collaboration applications, along with some documents that contain sensitive information (e.g., customers' personal information). Furthermore, some of these applications (e.g., Sharepoint) rely on supporting technologies that are regular targets for exploits (e.g., IIS, SQL Server). Blocking the application isn't appropriate, but neither is allowing a threat into the organization.

Requirements: Part of safe enablement is allowing an application and scanning it for threats. These applications can communicate over a combination of protocols (e.g., Sharepoint HTTPS and CIFS, see requirement #3), and require a more sophisticated policy than "block application." First step is to identify the application (regardless of port or encryption), allow it, and then scan it for any of the appropriate threats (exploits, viruses/malware, or spyware) or even confidential, regulated, or sensitive information.

6. Your next firewall must deal with unknown traffic by policy, not by just letting it through.

Business case: There will always be unknown traffic and it will always represent significant risks to any organization. There are several important elements to consider with unknown traffic: minimizing it, easily characterizing custom applications so they are known in network security policy, and having predictable visibility and policy control over traffic that remains unknown.

Requirements: First, by default, your next firewall should attempt to classify all traffic; this is one area where the earlier architecture and security discussion becomes very important. Positive (default deny) models classify everything, negative (default allow) models classify only what they're told to classify. Second, for custom developed applications, there should be a way to develop a custom identifier so that traffic is counted among the known. Third, the security model plays into these requirements again: a positive (default deny) model can deny all unknown traffic, so what you don't know can't hurt you. A negative (default allow) model allows all unknown traffic, so what you don't know will hurt you. For example, many botnets will use port 53 (DNS) for communication back to their control servers. If your next firewall lacks the ability to see and control unknown traffic, bots will be able to drive right through, unimpeded.

7. Your next firewall must identify and control applications sharing the same connection

Business case: Applications share sessions. To ensure users are continuously using an application platform, whether it's Google, Facebook, Microsoft, salesforce, LinkedIn, or Yahoo, application developers integrate many different applications which often have very different risk profiles and business value. Let's look at our earlier example of Gmail, which has the ability to spawn a Google Talk session from within the Gmail UI. These are fundamentally different applications, and your next firewall should recognize that, and enable the appropriate policy response for each.

Requirements: Simple classification of the platform or website doesn't work. In other words, fast path is not an option: once and done classification ignores the fact that applications share sessions. Traffic must be continuously evaluated to understand the application, its changes (see #5), when the user changes to a completely different application using the same session, and enforce the appropriate policy controls. Looking briefly at the technical requirements using our Gmail/Google Talk example: Gmail is by default HTTPS (see #3), so the first step is to decrypt, but it has to be continuous, as does the application classification, because at any time, the user can start a chat which may have a completely different policy associated with it.

8. Your next firewall must enable the same application visibility and control for remote users as for on-premise users

Business case: Users are increasingly outside the four walls of the enterprise. Once the domain of road warriors, now a significant portion of the enterprise user population is capable of working remotely. Whether working from a coffee shop, home, or a customer site, users expect to connect to their applications via WiFi, wireless broadband, or any means necessary. Regardless of where the user is, or even where the application they're employing might be, the same standard of control should apply. If your next firewall enables application visibility and control over traffic inside the four walls of the enterprise, but not outside, it misses the mark on some of the riskiest traffic.

Requirements: Conceptually, this is simple: your next firewall must have consistent visibility and control over traffic regardless of where the user is, inside or outside. This is not to say that enterprises will have the exact same policy for both: some organizations might want employees to use Skype when on the road, but not inside headquarters, where others might have a policy that says if outside the office, users may not download salesforce.com attachments unless they have hard disk encryption turned on. This should be achievable on your next firewall without introducing significant latency for the end user, or undue operational hassle for the administrator, or significant cost for the organization.

9. Your next firewall must make network security simpler, not more complex with the addition of application control.

Business case: Many enterprises struggle with incorporating more information feeds and more policies, and more management into already overloaded security processes and people. In other words, if teams cannot manage what they've already got, adding more management, policies, and information doesn't help. Furthermore, the more distributed the policy is (e.g., port-based firewall allows port 80 traffic, IPS looks for/blocks threats and applications, secure web gateway enforces URL filtering) the harder it is to manage that policy. Where do admins go to enable WebEx? How do they resolve policy conflicts across these different devices? Given that typical port-based firewall installations have rulebases that include thousands of rules, adding thousands of application signatures across tens of thousands of ports (see #3 above) is going to increase complexity by several orders of magnitude.

Requirements: Firewall policy should be based on user and application. Subsequent content analysis can be performed on allowed traffic, but fundamental access control should be based on relevant elements (i.e., application and user or group). This can have a significant simplifying effect. Firewall policy based on port and IP address, followed by subsequent analysis to understand the application makes things more complicated than they are today.

10. Your next firewall must deliver the same throughput and performance with application control fully activated

Business case: Many enterprises struggle with the forced compromise between performance and security. All too often, turning up security features in the network security realm means turning down throughput and performance. If your next-generation firewall is built the right way, this compromise is unnecessary.

Requirements: The importance of architecture is obvious here too, in a different way. Cobbling together a port-based firewall and other security functions from different technology origins usually means there are redundant networking layers, scanning engines and policies, which translates to poor performance. From a software perspective, the firewall must be designed to do this from the beginning. Furthermore, given the requirement for computationally intensive tasks (e.g., application identification) performed on high traffic volumes and with the low tolerance for latency associated with critical infrastructure, your next firewall should have hardware designed for the task as well, meaning dedicated, specific processing for networking, security (including SSL termination; see #3), and content scanning.

Conclusion: Your Next Firewall Should Safely Enable Applications and Business

Users continue to adopt new applications and technologies, and the threats carried by them. In some organizations, obstructing the adoption of new technologies can be a career-limiting move. Even when it isn't, applications are how employees get their jobs done, or maintain productivity in the face of competing personal and professional priorities. Because of this, safe enablement is increasingly the correct policy stance. But to safely enable these applications and technologies, and the business that rides atop them, network security teams need to put in place the appropriate policies governing use, but also controls capable of enforcing them. The ten things described here are critical capabilities for putting the necessary controls in place, especially in the face of a more varied and rich application and threat landscape. Without the network security infrastructure to cope with that variety and depth, security teams cannot safely enable the necessary applications and manage risk for their enterprises.

Palo Alto Networks 232 E. Java Drive Sunnyvale, CA. 94089 Sales 866.320.4788 408.738.7700 www.paloaltonetworks.com

Copyright 2012, Palo Alto Networks, The Network Security Company, the Palo Alto Networks Logo, and App-ID are trademarks of Palo Alto Networks, Inc. in the United States. All other trademarks, trade names or service marks used or mentioned herein belong to their respective owners. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_10T_031312