Hello and welcome to Lesson 9 with Professor Wool. Today we're going to be talking about managing your security policy in a mixed next-generation and traditional firewall environment.

A quick reminder: in one of our previous lessons we looked at next-generation firewalls and the capabilities they provide for managing security policy at a much greater granularity. For instance, using a next-gen firewall you can say that you want to block the BitTorrent application from anywhere to anywhere, regardless of which particular service, protocol and ports that application uses. You can block it specifically, and the firewall itself knows the default ports that the application might use; or it may even have no default ports at all and might use any port. So this gives us much greater control over what we want to allow and deny.

But now let's take a look at this
in terms of managing these policies when we have a mixed environment. Imagine a situation like the one shown here, where you have a mixture of next-generation firewalls, like this one, and you also have traditional firewalls or filtering routers in your environment, and they all have to work in a consistent manner to allow and deny the things that you need to allow and deny.

In particular, let's imagine that our general policy in the organization does not allow social media. So there is going to be a rule on the next-generation firewall saying that, from anywhere to anywhere, social-media-type services and applications are denied; that's just our corporate policy in the organization. Of course we can do that on a next-gen firewall because we can specify the category without specifying precise services, and that's very convenient.

But now we have a situation where the marketing department needs access to Facebook, which is one of the social media services, so we want to allow this type of traffic. Notice that this traffic has to go through both a traditional device and the next-generation device, so both have to be configured. On the next-gen device, the
way you would write such a rule is to say: from, let's say, the marketing department, to facebook.com, using the predefined application that is defined there, the Facebook application with its default settings, and allow that traffic. You can write that in the next-generation firewall because it already has a predefined application called Facebook and it knows how to identify that particular traffic and allow it, as opposed to general social media, which it does not allow.

But what do you do with the traditional firewall behind it? You need to configure it as well, and the traditional firewall does not even have an application column in the policy; it only has the traditional source, destination, service and action. So you need to do something here. Obviously you can say that you want to allow traffic from marketing to facebook.com, but you need to put something in the service column, and you can't just put "Facebook", because that's not something the traditional firewall knows. So you would really have to put something like HTTP and HTTPS, which are the default protocols and ports that Facebook uses.
Notice that these two rules look quite different, even though they are trying to honor the same request. The point is that somebody, or some system, has to know what to put in each of them. The request came in from the requester using the terminology "allow access to Facebook", but when we come to implement this change request on a next-gen firewall we have to specify it in terms of an application name which is predefined, together with its default ports, whereas on the traditional firewall we have to specify the actual ports. Even though a port-based rule is much wider than an application-based one, we still have to know which ports to place there. Now, Facebook was an easy example because it uses very well-known ports, but other applications might be more obscure, so the engineers configuring this environment would need to know this themselves or have a system that knows it for them.
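The translation problem described above, as an added example that is not part of the lecture and is not any vendor's rule syntax: a small Python model that takes the single request "allow marketing to Facebook", writes it once as an application-based rule (next-gen form) and once as a port-based rule (traditional form), and then runs a few constructed flows through both policies to show where the port-based version is wider. The application catalogue, the field names, the "unknown-tls" flow and first-match rule evaluation are all assumptions made for illustration; only the Facebook = HTTP/HTTPS mapping and the "some applications have no default ports" remark come from the lecture.

```python
"""Constructed example: express one access request in the form each device type
can understand, then check sample flows against both. Not vendor syntax and not
the lecture's own material.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed application catalogue (assumption: stands in for an NGFW's
# predefined-application database). Facebook -> HTTP/HTTPS is what the lecture
# states; "no default ports" for BitTorrent reflects the lecture's remark that
# some applications may use any port.
APP_CATALOG: Dict[str, dict] = {
    "facebook":   {"category": "social-media", "default_services": ("tcp/80", "tcp/443")},
    "bittorrent": {"category": "peer-to-peer", "default_services": None},
}


@dataclass(frozen=True)
class Rule:
    source: str
    destination: str
    service: Tuple[str, ...]            # e.g. ("tcp/443",) or ("any",)
    action: str                         # "allow" or "deny"
    application: Optional[str] = None   # NGFW-only column
    category: Optional[str] = None      # NGFW-only: match a whole category


@dataclass(frozen=True)
class Flow:
    source: str
    destination: str
    service: str                        # e.g. "tcp/443"
    app_id: Optional[str]               # what NGFW application identification sees


def ngfw_rule(src: str, dst: str, app: str, action: str = "allow") -> Rule:
    """NGFW form: name the predefined application with its default services."""
    entry = APP_CATALOG[app]
    svc = entry["default_services"] or ("any",)
    return Rule(src, dst, tuple(svc), action, application=app)


def legacy_rule(src: str, dst: str, app: str, action: str = "allow") -> Rule:
    """Traditional form: no application column, so expand the application to the
    ports it uses. Refuse when that expansion would have to be 'any'."""
    entry = APP_CATALOG[app]
    if entry["default_services"] is None:
        raise ValueError(f"{app} has no default ports; the port-based rule "
                         "would have to be 'any', far broader than the request")
    return Rule(src, dst, tuple(entry["default_services"]), action)


def _field_ok(rule_value: str, flow_value: str) -> bool:
    return rule_value == "any" or rule_value == flow_value


def matches(rule: Rule, flow: Flow) -> bool:
    if not (_field_ok(rule.source, flow.source) and _field_ok(rule.destination, flow.destination)):
        return False
    if "any" not in rule.service and flow.service not in rule.service:
        return False
    if rule.application is not None and flow.app_id != rule.application:
        return False                    # NGFW: matching the port alone is not enough
    if rule.category is not None:
        flow_cat = APP_CATALOG.get(flow.app_id or "", {}).get("category")
        if flow_cat != rule.category:
            return False
    return True


def decision(policy: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; otherwise the implicit default applies."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return default


def build_policies() -> Tuple[List[Rule], List[Rule]]:
    """The marketing exception placed above the corporate social-media deny."""
    ngfw = [
        ngfw_rule("marketing", "facebook.com", "facebook"),
        Rule("any", "any", ("any",), "deny", category="social-media"),
    ]
    legacy = [legacy_rule("marketing", "facebook.com", "facebook")]
    return ngfw, legacy


def compare(flow: Flow) -> Tuple[str, str]:
    """Return (NGFW decision, traditional-firewall decision) for one flow."""
    ngfw, legacy = build_policies()
    return decision(ngfw, flow), decision(legacy, flow)


if __name__ == "__main__":
    # Constructed sample flows.
    samples = [
        Flow("marketing", "facebook.com", "tcp/443", "facebook"),     # the request itself
        Flow("sales",     "facebook.com", "tcp/443", "facebook"),     # wrong source
        Flow("marketing", "facebook.com", "tcp/443", "unknown-tls"),  # port fits, app does not
    ]
    for f in samples:
        print(f, "->", compare(f))
    try:
        legacy_rule("marketing", "any", "bittorrent")
    except ValueError as exc:
        print("cannot translate:", exc)
```

The third sample flow is the one to watch: the traditional rule allows anything on tcp/443 to facebook.com, while the NGFW rule only allows traffic its application identification recognises as Facebook, which is the sense in which the port-based rule is "much wider". The BitTorrent case shows the other failure mode: with no default ports there is no honest port-based translation, so the script refuses rather than silently writing "any".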
So this is something you need to bear in mind when you have a mixed environment: these kinds of differences in terminology do affect how people do their work when they configure the devices. Thank you for your attention.