Something Old, Something New: Managing Security Policies in Mixed Firewall Environments

Next generation firewalls (NGFWs) allow security to be managed with much greater granularity than traditional firewalls – based on specific applications and user groups – providing much greater control over the traffic that organizations want to allow or deny across their networks.

So, for example, with NGFW, an organization can choose to block the BitTorrent application from anywhere to anywhere on the network, regardless of which particular service, protocol and ports it uses. The specific application can be blocked by name, and the NGFW automatically understands the default ports that the application will use in order to control BitTorrent traffic.

However, in a majority of cases NGFWs are not deployed in isolation – rather, they are part of a mixed environment, deployed alongside traditional firewalls and they both have to work in a consistent manner to control traffic according to the organization’s security policies.

What does this mean in practice?  Let’s look at a specific example of an organization using both traditional and NGFWs to secure its network, which has a company-wide policy of blocking access to social media sites. Now, however, the organization’s marketing department needs to be able to access Facebook.

Facebook will need to be accessed through both the NGFW and traditional firewalls – which means that new security policies need to be written for both.  As we saw earlier, in the sophisticated, granular world of the NGFW, this is simple and intuitive. Along the marketing > facebook.com traffic path, Facebook can be set as a predefined, allowed application in the firewall rulesets, while access to other social media sites is blocked.

But what about configuring traditional firewalls to handle the same traffic?  The term ‘Facebook’ isn’t something that the traditional firewall can understand.  It needs to be provided with the default ‘source’, ‘destination’, ‘service’ and ‘action’ protocols that Facebook uses – http and https. So the security policy changes look very different between the NGFW and traditional firewall.  Http: and https: are, of course, well-known protocols; the difficulty comes when the ports and protocols used by an application are less well-known and understood.

This presents a real challenge for IT teams when they need to provision access to applications in heterogeneous environments, which include both NGFWs and traditional devices.  The engineers configuring the devices have to be able to understand the mapping between the applications (as they are defined in the NGFW), and their respective services, protocols and ports (as defined in the traditional firewall), so that the rules can be set properly across both environments.

To work around this, the network operations staff sometimes resort to the lowest common security denominator– that is, using the familiar traditional firewall protocols in both traditional and NGFW devices. To follow the example we used earlier, the security team would say that “access to Facebook is done through to http, therefore it’s good enough to allow http across all of our firewalls, both traditional and next-generation.”

At a stroke, this means some of the key security advantages of NGFWs – application awareness and precise, granular control over the access and use of those applications – are not being utilized, simply because it’s too difficult for some security teams to implement application control across all their firewalls.  It’s like using a surgeon’s scalpel as a kitchen knife.  What’s worse is the company risks compromising its security through the use of overly-permissive, broad policies, simply because of the difficulties of managing security in a mixed firewall estate.

To help manage these complexities, what’s needed is a vendor-agnostic security policy management solution that can import and understand the mapping between the port, protocol and service definitions used by traditional firewalls, and the application-aware definitions used by the NGFW.  So when it comes to enabling access to an application, security teams use the solution to implement the appropriate rules on both types of firewall automatically, and utilize the enhanced features of the NGFW to ensure that security is optimized across their infrastructure – with no need to resort to ‘lowest common denominator’ policies.  This way, organizations can ensure they get the best from their older, traditional firewalls, and newer NGFWs.

If you going to the Palo Alto Networks Ignite conference in Las Vegas next week , feel free to stop by AlgoSec’s booth #203. I’ll be there and it would be great to show you how AlgoSec can intelligently automate application and user-aware security policy management across your on-premise and cloud environment.