One advantage to using a next-generation firewall (NGFW) is improved application awareness and granularity in setting...
and managing policy for particular application elements.
In contrast, older firewalls rely on ports and protocols to specify rule sets. For example, it is possible to create a firewall rule that blocks incoming packets via ports 20 and 21 so that users can't use any File Transfer Protocol clients, but that could be too draconian for an IT department that uses such tools. So then it's necessary to write another rule to allow FTP use by anyone from IT, and then a few additional exceptions arise, and you can see how one simple action can turn into a complex mess of rules.
That is where the granular applications control comes into play. NGFW products have extensive applications databases that they can draw on to model particular behaviors so that network administrators can craft fine-grained access policies. How extensive are these application databases? Take a look at Palo Alto Networks' Applipedia (Figure 1), where you can look at specific applications for their relative risk, how they can evade typical security products and what kind of technology they employ.
Cisco's SenderBase and McAfee's TrustedSource have similar databases that are also freely available for browsing and educational purposes, and also serve as the basis for their next-gen application-awareness engines.
As an example, let's review how application awareness works with the Cisco ASA firewall line.
The first step is to actually implement an application-aware policy. We want to be able to block certain Facebook application functions, like message posting and game playing, but still allow users to view their wall posts.
We start out with the screen in Figure 2, where we first create our policy. In the Application/Service box, we start by typing Facebook, and you can see the number of different preset Facebook policy templates that are available, including for specific content such as sports or events.
Let's say we choose to focus our policy on Facebook messaging. We then come to the screen in Figure 3, where you can use simple slider controls to enable various policy variables, such as to allow attachments to be uploaded or downloaded, or to block the posting of photos to anyone's Facebook account.
Setting up these application-specific policies is a lot easier with the next-gen firewalls than with the old ports-and-protocols methods. With the older firewalls, you typically had to experiment with rules through mostly trial and error before you could be sure that they were blocking or allowing particular behaviors. Most of today's next-gen firewalls operate similarly to what we have shown with the Cisco ASA line and have easy-to-use graphical interfaces.
As another example, Figure 4 is a dashboard that shows you at a glance what kinds of exploits have been reported across an example network.
With the range of application-specific policies comes the responsibility of understanding what you are allowing or blocking across your network. You should also coordinate any policy with your human resources or other departments to ensure that you are consistently applying them and meeting your particular corporate standards and practices.
About the author:
David Strom is a freelance writer and professional speaker based in St. Louis. He is former editor-in-chief of TomsHardware.com, Network Computing magazine and DigitalLanding.com. Read more from Strom at David Strom's Web Informant.