The Big Collection of Next-Generation Firewall Policy Management Tips

The evolution of sophisticated threats and the increased dependence on web applications and virtualization has driven the demand for Next-Generation Firewalls (NGFWs). According to a recent AlgoSec survey, more organizations are adopting NGFWs: nearly 57% in 2013, up from 41.2% in 2012. But while NGFWs provide new-found levels of policy granularity and control, they also introduce more complexity that, if not managed properly, can cause more harm than good. In exchange for the increased security of NGFWs, IT professionals often must work harder: the majority of responding organizations (56%) that had adopted NGFWs said they added more work to the firewall management process. To help you obtain all of the value out of your NGFWs without the complexity, we’ve compiled these tips from practitioners and vendors.

We hope you enjoy.

The AlgoSec Team

Sizing

“A next-generation firewall is not an all-or-nothing decision. You need to determine what capabilities you need and size your implementation appropriately.” Anonymous

“When deploying a NGFW, decide first where and how it will be used. Will it be a border firewall? Will it be used in an extranet setting? Will you need VPN or DDoS protection in the case of a border firewall? Or will you need to detect threats coming from your partner’s network? Not every feature a NGFW provides needs to be used, so take a pragmatic approach to the goals you are trying to achieve.” Edgar Cooke, Manager of Security and Compliance, USAN, US

“Make sure you have enough resources to support all the new features in a NGFW, like URL filtering, IPS, etc., or consider not enabling all of them.” Bjorn Lofman, Consultant, Sony Mobile, Sweden

“Calculate the size capabilities (such as IPS, application control, identity awareness, URL filtering, and e-mail security) as necessary and understand the performance impact if you decide to turn on additional features later. As part of a firewall refresh, one capability that is typically considered is intrusion prevention.” Ivona Oancea, Product Manager, Electronic Arts, US

Deployment

Network

“To deploy a firewall, it is advisable to deploy anti-spoofing for each firewall zone interface. Take some time to define the network profile that sits behind the firewall interface. Also, firewalls are not designed to handle routing. In the case where a firewall must handle thousands or hundreds of thousands of dynamic routing entries, its CPU resources will be heavily consumed and it will end up not being able to do its main job, which is stateful inspection.” Security Consultant, Malaysia

“If your management is hesitant to adopt a NGFW on the perimeter, first deploy it internally between your user network and your server network - the increased visibility over protocols and applications should open their eyes.” John Stockman, Information Security, IBX, US

“Identify the optimal places in your network where the next-generation capabilities will provide you with the best return. Determine and plan for the NGFW features you plan to use for your environment.” Henry Ge, Security, NSWPF - NSW Police, Australia

“It’s good to deploy a NGFW inline with your traditional firewall to add a second layer of security. Use port-based firewalling on both and the application control on the NGFW.” Tomasz Fabisiak, Systems Engineer, NGE Polska, Poland

NGFW

“Start in ‘monitor’/allow mode first to see how the firewall reacts and then fine-tune from there.” David Krel, Sr. Network Engineer, ThoughtWorks, Inc., US

“Before deploying the NGFW, install a TAP on the switch where the current FW is installed and let it run in passive mode. After a set time, analyze what was triggered as a violation on the NGFW and check to see if this was caught on the current firewall. This will ensure NGFW justification and assist in configuring the firewall, minimizing setup time of the NGFW when it finally replaces the current FW appliance.” Security Architect, US

“Deploy your NGFW with a firewall compliance/cleanup tool. By cleaning up existing firewall rules and flows, and documenting active applications, transitioning to a NGFW is much easier. Starting a NGFW transition is difficult enough without a bloated, inaccurate and non-optimized firewall ruleset.” Melissa Mccoy, Information Assurance Director, Kaizen Approach, US

“Build and deploy ‘for-purpose’ specific security gateways based on a security zones approach, with zones of greater trust the deeper one gets into the architecture. Look for and implement monitoring of these gateways from a security/compliance posture (status) in a 24x7 paradigm with alerting and reporting capabilities. Only deploy specific functional protections, thus eliminating over-use of resources, etc.” Charles Riordan, Managing Consultant, Check Point, US

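The passive-TAP comparison in the NGFW deployment tip above can be scripted rather than done by eye. The following Python is an added example, not part of the eBook or of any vendor's tooling: it joins NGFW violation records against legacy firewall logs on the (source, destination, destination port) flow within a small time window, then classifies each violation as already denied by the legacy firewall, permitted by it (the gap the NGFW would close), or not seen at all. Both log formats, the addresses and the application names are constructed for the example.

```python
"""Passive NGFW versus legacy firewall: which flagged flows did the old
firewall let through?  Added example for the TAP/passive-mode tip; not
from the eBook.  Both log formats below are constructed."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed NGFW violation log, one record per line:
#   time src dst dport application verdict
NGFW_LOG = """\
2013-09-02T10:00:01 10.1.5.23 203.0.113.10 443 bittorrent block
2013-09-02T10:00:07 10.1.5.41 198.51.100.7 80 facebook-chat block
2013-09-02T10:00:09 10.1.5.23 203.0.113.10 443 bittorrent block
2013-09-02T10:01:30 10.1.7.9 192.0.2.55 22 ssh block
2013-09-02T10:02:12 10.1.5.88 203.0.113.99 53 dns-tunnel block
"""

# Constructed legacy port-based firewall log (same TAP point, so it sees
# the same flows):  time src dst dport action
LEGACY_LOG = """\
2013-09-02T10:00:00 10.1.5.23 203.0.113.10 443 permit
2013-09-02T10:00:06 10.1.5.41 198.51.100.7 80 permit
2013-09-02T10:00:08 10.1.5.23 203.0.113.10 443 permit
2013-09-02T10:01:31 10.1.7.9 192.0.2.55 22 deny
"""


def parse(log, fields):
    """Whitespace-separated records into dicts; time parsed, port as int."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        rec["time"] = datetime.fromisoformat(rec["time"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def flow_key(rec):
    return (rec["src"], rec["dst"], rec["dport"])


def correlate(ngfw_log, legacy_log, window_seconds=5):
    """Classify each NGFW violation by what the legacy firewall did with
    the same flow within +/- window_seconds."""
    ngfw = parse(ngfw_log, ("time", "src", "dst", "dport", "app", "verdict"))
    legacy = parse(legacy_log, ("time", "src", "dst", "dport", "action"))
    legacy_by_flow = {}
    for rec in legacy:
        legacy_by_flow.setdefault(flow_key(rec), []).append(rec)
    window = timedelta(seconds=window_seconds)

    results = []
    for alert in ngfw:
        nearby = [r for r in legacy_by_flow.get(flow_key(alert), [])
                  if abs(r["time"] - alert["time"]) <= window]
        if not nearby:
            status = "not_seen"          # clock skew or asymmetric path: investigate
        elif any(r["action"] == "deny" for r in nearby):
            status = "already_denied"    # the legacy firewall caught it too
        else:
            status = "gap"               # legacy permitted what the NGFW flagged
        results.append({"app": alert["app"], "flow": flow_key(alert),
                        "status": status})
    return results


def summarize(results):
    """Per-application counts; the 'gap' column is the NGFW's justification."""
    summary = {}
    for r in results:
        summary.setdefault(r["app"], Counter())[r["status"]] += 1
    return summary


if __name__ == "__main__":
    for app, counts in summarize(correlate(NGFW_LOG, LEGACY_LOG)).items():
        print(f"{app:14} {dict(counts)}")
```

Flows classified as gap are both the justification and the first draft of the application-control policy: grouped by application, as summarize() does, they become the candidate rules for the cut-over. Keep the window small and the two clocks synchronized; a wide window pairs a violation with an unrelated earlier flow on the same 3-tuple.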
Implement

“If creating a new group with lots of new members, it is faster to do it inside the group itself by clicking New > Node > Host.” Dawin Chandra, Security Specialist, IBM, Australia

“Define a dedicated scheme to configure access. For instance, general rules for all users, location-related rules, rules for groups of users/IPs and then single user/IP rules. This helps your colleagues to find rules. Above all, we use a section ‘most used rules’ to improve firewall performance.” Security Architect, Germany

“Always start your rulebase with the basics: from, to and how. Apply the who and with what afterwards.” Phil Williams, MIS/IS/IT Vice President, Security Matterz, Saudi Arabia

Management

“To manage firewall zones and traffic directional flow from zone to zone, compile a policy zone matrix and define what traffic is supposed to exist for each direction. For example, in the policy matrix, ‘A’ will represent traffic from Untrust to DMZ, which normally will only allow HTTP and HTTPS. If there is a change request for a new policy that does not match this definition, the request should be rejected, unless the policy requestor presents a specific reason. However, the policy shall be opened for a specific time only.” Security Consultant, Malaysia

“Isolation remains fundamental in any firewall. There are many deployment and support issues with even the most meticulous virtualized architecture (VMware, Hyper-V, etc.). A preferred alternative for firewalls as well as a DMZ is LPARs on an x86 environment for those areas. Many of the virtualization benefits with far fewer security pitfalls.” Kevin Stay, Network Manager, Varian Medical Systems, Inc., US

“Disable any services that the firewall doesn’t need to run (for example: if you are running Cisco ASA and don’t plan on using ASDM, then don’t enable the HTTP service).” Anonymous

“All firewall rulesets should always have a default ‘deny any any’ as the last rule.” Anonymous

“IPv6 should be specifically blocked if it is not being used, and if it is possible on the firewall.” Anonymous

“‘Any’ should not be used unless necessary.” Anonymous

“For HA management, active-standby is generally better than active-active deployment, because active-active will increase the troubleshooting and management complexity. It is fine to use the active-active method if the purpose is to increase the number of sessions the firewall can handle. However, bear in mind it does not increase the network bandwidth, because each firewall still only receives traffic via its own dedicated interface link.” Security Consultant, Malaysia

“If your firewall supports zones (e.g. Juniper), use them. Zones make it far easier to manage complex policies.” Anonymous

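The zone matrix tip above turns naturally into a check that runs against change requests before anyone touches the rulebase. This Python is an added example, not from the eBook: the zone names, the services allowed in ZONE_MATRIX, the 90-day maximum exception window and the sample change requests are all constructed. A request that matches the matrix is approved; one that does not is rejected unless it carries a justification and an expiry within the maximum window, in which case it is approved as a time-boxed exception, and exceptions whose window has passed are reported for removal.

```python
"""Zone-to-zone policy matrix enforced against change requests.  Added
example for the zone matrix tip; not from the eBook.  Zone names, services,
the exception window and the sample requests are constructed."""
from datetime import date, timedelta

# Services allowed per (source zone, destination zone).  A pair that is
# absent, or a service not listed for a pair, is implicitly denied.
# The first entry is the eBook's cell "A": Untrust -> DMZ, HTTP/HTTPS only.
ZONE_MATRIX = {
    ("untrust", "dmz"): {"tcp/80", "tcp/443"},
    ("dmz", "internal"): {"tcp/1433"},
    ("internal", "dmz"): {"tcp/22", "tcp/443"},
    ("internal", "untrust"): {"tcp/80", "tcp/443", "udp/53"},
}

MAX_EXCEPTION_DAYS = 90   # constructed limit for time-boxed exceptions


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def evaluate_request(req, today):
    """Return (decision, reason) for one change request.

    Matches the matrix -> approve.  Outside the matrix -> reject, unless the
    requestor gives a justification AND an expiry that is in the future and
    no more than MAX_EXCEPTION_DAYS out; then it is approved as an exception."""
    today = _as_date(today)
    pair = (req["src_zone"], req["dst_zone"])
    if req["service"] in ZONE_MATRIX.get(pair, set()):
        return "approve", "matches zone matrix"
    if not req.get("justification"):
        return "reject", f"{req['service']} is not defined for {pair[0]}->{pair[1]}"
    expires = req.get("expires")
    if expires is None:
        return "reject", "exception needs an expiry date"
    if expires <= today:
        return "reject", "expiry date already passed"
    if expires > today + timedelta(days=MAX_EXCEPTION_DAYS):
        return "reject", f"exception longer than {MAX_EXCEPTION_DAYS} days"
    return "approve_exception", f"exception, remove after {expires.isoformat()}"


def review(requests, today):
    """(decision, reason) per request id."""
    return {r["id"]: evaluate_request(r, today) for r in requests}


def expired_exceptions(requests, today):
    """Ids of exceptions whose window has passed; those rules come out again."""
    today = _as_date(today)
    return [r["id"] for r in requests
            if r.get("justification") and r.get("expires") and r["expires"] < today]


# Constructed change requests
REQUESTS = [
    {"id": "CR-101", "src_zone": "untrust", "dst_zone": "dmz", "service": "tcp/443"},
    {"id": "CR-102", "src_zone": "untrust", "dst_zone": "dmz", "service": "tcp/3389"},
    {"id": "CR-103", "src_zone": "untrust", "dst_zone": "dmz", "service": "tcp/21",
     "justification": "vendor file drop during migration", "expires": date(2013, 10, 1)},
    {"id": "CR-104", "src_zone": "untrust", "dst_zone": "internal", "service": "tcp/22",
     "justification": "remote admin", "expires": date(2014, 9, 2)},
    {"id": "CR-105", "src_zone": "dmz", "dst_zone": "internal", "service": "tcp/1433",
     "justification": "new reporting DB"},
    {"id": "CR-106", "src_zone": "untrust", "dst_zone": "dmz", "service": "tcp/8080",
     "justification": "temporary vendor console", "expires": date(2013, 8, 15)},
]

if __name__ == "__main__":
    today = "2013-09-02"
    for cid, (decision, reason) in review(REQUESTS, today).items():
        print(f"{cid}: {decision:17} {reason}")
    print("expired exceptions:", expired_exceptions(REQUESTS, today))
```

The matrix is the policy; the code only makes the policy the thing a reviewer consults first. Run expired_exceptions() on the exception register as a scheduled job, since the tip's "for a specific time only" is worthless if nobody removes the rule when the time is up.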
Optimization

“Standardise your object naming conventions. This is highly useful when reusing objects and troubleshooting.” Security Architect, Australia

“Define everything as much as you can: source, destination, service. Commenting the policy and placing rules into groups will save TONS of time and effort in the future and may preserve the sanity of the next admin. Use a ticketing system for change requests, and put the ticket number and implementation date into the comments so there is a reference for all policy changes.” Anonymous

“Monitor those firewall rules which are never used to optimize the firewall’s performance.” Frankie Leung, Director, UDS Data Systems Ltd, Hong Kong

“Don’t be afraid to take your time tuning your IPS policy, especially when it comes to blocking traffic. Some business processes only run monthly, or quarterly, or on demand, and can end up being blocked unintentionally.” Megan Benoit, Network Security Engineer, Racetrac Petroleum, Inc., US

“Order your policy so the most commonly hit rules appear near the top for better performance (you can utilize the feature set of various vendor firewalls to discover which rules have the most hits in a given time frame). Be careful as to how you implement a blacklist: doing it as a policy object group can be easy and effective, but it’s still going through the order of operations. Typically, if it’s aggressive traffic, I place the blacklist in the pre-route ACL in order to reduce resource usage.” Anonymous

“Tune your policies. If you are upgrading, then prune the policies to just what you need and build the rest as the time arises. Less is more.” Jamison Moklak, IT Smart Devine, US

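Several of the Management and Optimization tips above (an explicit deny any any as the last rule, no stray 'any', standardized object names, a ticket number and date in every comment, zero-hit rules, and moving hot rules toward the top without breaking first-match semantics) can be checked in one pass over an exported rulebase. This Python is an added example, not from the eBook or any vendor tool; the rule format, the naming-convention regex, the CHG-nnnn ticket format and the sample rulebase are constructed.

```python
"""Rulebase hygiene audit and hit-count reordering.  Added example for the
Management and Optimization tips; not from the eBook or any vendor.  The
rule format, naming convention, ticket format and sample rulebase are
constructed."""
import re

# Constructed conventions: objects are prefixed by type, lower-case; every
# comment carries a change ticket (CHG-nnnn) and an ISO implementation date.
OBJECT_NAME = re.compile(r"^(host|net|grp|svc)_[a-z0-9_]+$|^any$")
TICKET_REF = re.compile(r"\bCHG-\d+\b.*\b\d{4}-\d{2}-\d{2}\b")

FIELDS = ("src", "dst", "svc")

# Constructed rulebase, evaluated top to bottom, first match wins.
RULEBASE = [
    {"name": "web-in", "src": "any", "dst": "grp_dmz_web", "svc": "svc_https",
     "action": "allow", "comment": "CHG-1041 2013-06-12 public web", "hits": 120000},
    {"name": "db-from-dmz", "src": "grp_dmz_web", "dst": "host_sql01", "svc": "svc_mssql",
     "action": "allow", "comment": "CHG-1042 2013-06-12 app tier to db", "hits": 8000},
    {"name": "admin-ssh", "src": "net_Admin_LAN", "dst": "grp_dmz_web", "svc": "svc_ssh",
     "action": "allow", "comment": "temporary", "hits": 50},
    {"name": "old-ftp", "src": "net_users", "dst": "host_ftp_legacy", "svc": "svc_ftp",
     "action": "allow", "comment": "CHG-0877 2011-02-03 legacy ftp", "hits": 0},
    {"name": "user-proxy", "src": "net_users", "dst": "any", "svc": "svc_proxy",
     "action": "allow", "comment": "CHG-1050 2013-07-01 outbound via proxy", "hits": 950000},
    {"name": "cleanup", "src": "any", "dst": "any", "svc": "any",
     "action": "deny", "comment": "CHG-0001 2010-01-01 default deny", "hits": 3000},
]


def audit(rules):
    """One finding string per violated tip."""
    findings = []
    last = rules[-1]
    if not (last["action"] == "deny" and all(last[f] == "any" for f in FIELDS)):
        findings.append("rulebase does not end with an explicit deny any any")
    for r in rules[:-1]:
        wild = [f for f in FIELDS if r[f] == "any"]
        if wild:
            findings.append(f"{r['name']}: 'any' in {','.join(wild)}")
        for f in FIELDS:
            if not OBJECT_NAME.match(r[f]):
                findings.append(f"{r['name']}: object '{r[f]}' breaks naming convention")
        if not TICKET_REF.search(r["comment"]):
            findings.append(f"{r['name']}: comment lacks ticket number and date")
        if r["hits"] == 0:
            findings.append(f"{r['name']}: zero hits, candidate for removal")
    return findings


def overlaps(a, b):
    """May both rules match the same packet?  Decided by object name here:
    'any' intersects everything, other objects only if identical.  A real
    check must expand objects to address and port sets first."""
    return all(a[f] == b[f] or "any" in (a[f], b[f]) for f in FIELDS)


def reorder_by_hits(rules):
    """Move hotter rules up, never past a rule they overlap with, so the
    first-match result for every packet is unchanged.  Final deny stays last."""
    body, final = rules[:-1], rules[-1]
    ordered = []
    for r in body:
        pos = len(ordered)
        while pos > 0 and ordered[pos - 1]["hits"] < r["hits"] \
                and not overlaps(ordered[pos - 1], r):
            pos -= 1
        ordered.insert(pos, r)
    return ordered + [final]


if __name__ == "__main__":
    for finding in audit(RULEBASE):
        print("FINDING", finding)
    print("order:", [r["name"] for r in reorder_by_hits(RULEBASE)])
```

Two caveats a practitioner would apply. The hit counts behind the zero-hit finding should span a full business cycle, as the IPS tuning tip warns, or a quarterly job gets removed. And overlaps() decides by object name, which is only safe when no two objects share addresses or ports; on a real rulebase expand groups to address and port sets before reordering, because moving a rule past one it overlaps with changes which rule wins.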
Signatures

“Be sure your NGFW has up-to-date application signatures tailored for your infrastructure; otherwise the desired application visibility and control will turn into next-gen blindness.” Enrico Sorge, Product Manager, Italtel SPA, Italy

“If you have a software asset system, it could tell you which signatures should be activated in the whole IPS system. For example, if you don’t have any IBM Tivoli or Novell system in your environment, why should you scan for these signatures? They could be automatically turned off.” Attila Peter Korosi, IT Security Consultant, TR Consult Kft., Hungary

Process

“In many organizations, network operations teams manage firewalls without much security involvement, and network security teams optimize and manage the IPS. Before integrating these technologies through the use of a NGFW, make sure both groups are on board and working together to solve issues.” Anonymous

“Many of the firewall rule requests we get are vague and unclear. The requesters often do not know what factors beyond the ports and IP addresses are present in their situation. My tip is to not be afraid to initially create several ‘rules’ that work using different filter criteria to support the requests. This allows us to eventually craft a robust rule that allows the traffic it should without being too strict or too open.” Michael Foster, Technical Security Specialist, Providence Health & Services, US

Just for Laughs

“Even though you manage a next-generation firewall, don’t refer to yourself as ‘Captain Picard’.” Anonymous

“Make sure it’s plugged in.” Information Technology Security Manager, US

Like this ebook? Check out the original Big Collection of Firewall Policy Management Tips.