
Six Tips for Managing Your Next-Generation Firewall Policies

Next-generation firewalls (NGFWs) go beyond filtering traffic on ports such as 80 or 443: they can filter by application type and user identity, alongside the many other features being consolidated into one box. With this added policy granularity you can define what groups of users may do with a particular application, which allows for better security and ultimately a business advantage (e.g. the marketing team needs to be able to post to Facebook, but a developer does not).

But with more granular control comes more complexity, and with it a greater opportunity for misconfigured firewalls. According to a recent Gartner report, 95% of firewall breaches are due to misconfigurations rather than flaws in the firewalls themselves. If policies are set at the application level, you must understand each application, its business value to different users and any potential risks that come with it.

Some questions to think about before leveraging the application- and user-aware policies available to you in a next-gen firewall include:

• How many more change requests per week should you expect to process?

• Can your existing team handle the extra load without degradation to turnaround time?

• Will you require additional headcount?

• What is the impact if you define policy via broad rules such as “block social networks, file sharing and video streaming, and allow all other web traffic”?

Once you have your core policies defined, optimizing and maintaining them over time becomes the next step. Here are six tips for managing next-generation firewall policies:

1. Tune Your Policies. Run regular reports to spot new applications in use on the network and understand any trends and their impact from a security and performance perspective. Actionable intelligence about application usage is extremely helpful for optimizing policies and removing unused applications from them. Identify rules that can be tightened based on application and user/user-group needs. For example, if an application is required by only one group of users (e.g. the marketing team needs access to Facebook), that application can be opened up to that specific group and restricted from all others.

2. Reorder Rules to Improve Performance. Since a firewall works sequentially through its rule set until it finds the rule that matches each packet, another way to optimize your next-generation firewall policy is to reorder rules based on throughput: rules that see the heaviest application usage should sit at the top. This can help address potential performance issues and defer what would otherwise be necessary hardware purchases.

3. Identify Rules to Remove from the Rule Base. Firewall rules are often forgotten about, and even duplicated through successive change requests. Being able to identify these rules can significantly reduce the overhead on both your admin team and the firewall.

4. Run Regular Risk Queries. Whether you run a query from your DMZ to internal networks or against specific applications, there are many known risks and configuration best practices you can leverage (e.g. NIST, PCI) to identify vulnerable rules and understand the remedies. You should also define the acceptable applications for your organization and then create exceptions or segment by users/user groups as needed. Additionally, recent research has shown that lax outbound policies are among the most common risks in firewall policies.

5. Ensure Continuous Compliance. Run reports to ensure that your policies comply with regulatory requirements such as PCI DSS and SOX, as well as your own internally defined standards.

6. Automate the Firewall Change Request Process. Maintain your optimized, risk-free policy over time by automating the firewall change request process. With traditional firewalls the primary fields for change management are source, destination and port, but with NGFWs they expand to source, destination, port AND users and applications, creating more opportunities for change requests to pile up very quickly.
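As an added example that is not part of the original article, the following Python script applies tips 2 and 3 to a small, constructed rule base: it flags rules that are shadowed or duplicated by an earlier rule, lists rules with zero hits, and reorders the base by hit count while never moving a rule past one whose traffic overlaps it, so the first-matching rule for any packet stays the same. The simplified rule fields, the rule names and the hit counts are all constructed for the example.

```python
# Added example (not from the article): audit a constructed NGFW rule base for
# shadowed/duplicate and unused rules, then reorder it by hit count without
# changing which rule a packet matches ("any" in a field set matches everything).
from collections import namedtuple
Rule = namedtuple("Rule", "name src_zone dst_zone apps users action hits")

def _covers(broad, narrow):  # every value `narrow` matches is also matched by `broad`
    return "any" in broad or narrow <= broad

def shadowed_by(rule, earlier):
    """True when `earlier` matches all of `rule`'s traffic, so `rule` never fires."""
    return (rule.src_zone == earlier.src_zone and rule.dst_zone == earlier.dst_zone
            and _covers(earlier.apps, rule.apps) and _covers(earlier.users, rule.users))
def find_shadowed(rules):
    """Map each shadowed (or duplicate) rule to the first earlier rule hiding it."""
    out = {}
    for i, r in enumerate(rules):
        hit = next((e.name for e in rules[:i] if shadowed_by(r, e)), None)
        if hit:
            out[r.name] = hit
    return out

def find_unused(rules):  # zero hits in the reporting period: removal candidates
    return [r.name for r in rules if r.hits == 0]
def overlaps(a, b):
    """True when some traffic could match both rules, so their order matters."""
    return (a.src_zone == b.src_zone and a.dst_zone == b.dst_zone
            and bool({"any"} & (a.apps | b.apps) or a.apps & b.apps)
            and bool({"any"} & (a.users | b.users) or a.users & b.users))

def reorder_by_hits(rules):
    """Bubble busier rules upward but never past an overlapping rule: only the
    relative order of overlapping rules decides first-match results."""
    order = list(rules)
    for i in range(1, len(order)):
        j = i
        while j > 0 and order[j - 1].hits < order[j].hits and not overlaps(order[j - 1], order[j]):
            order[j - 1], order[j] = order[j], order[j - 1]
            j -= 1
    return [r.name for r in order]

ANY = frozenset({"any"})
RULES = [  # constructed sample rule base, evaluated top-down
    Rule("allow-dns", "internal", "internet", frozenset({"dns"}), ANY, "allow", 120_000),
    Rule("block-social", "internal", "internet", frozenset({"facebook", "twitter"}), ANY, "deny", 800),
    Rule("mkt-facebook", "internal", "internet", frozenset({"facebook"}), frozenset({"marketing"}), "allow", 0),
    Rule("allow-web", "internal", "internet", frozenset({"web-browsing", "ssl"}), ANY, "allow", 950_000),
    Rule("dup-dns", "internal", "internet", frozenset({"dns"}), ANY, "allow", 0),
    Rule("dmz-db", "dmz", "internal", frozenset({"mysql"}), ANY, "allow", 3_000),
]
```

In the sample base, `mkt-facebook` shows zero hits because the broader `block-social` rule above it shadows it, which is exactly the marketing-needs-Facebook case from tip 1; the reorder moves the busy `allow-web` rule to the top but keeps `block-social` above `mkt-facebook`.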

Another point to remember: most likely you still have traditional firewalls in the environment, and you will want to streamline policy management across ALL of your firewalls, not just the traditional ones or the NGFWs.

Next-generation firewalls certainly provide some additional benefits over traditional firewalls, but in order to truly reap the benefits without adding complexity and in turn risk, you must map out a plan in advance of your implementation and have a process to manage these policies over time in the context of your broader network environment.
