Hello, I'm Professor Wool. Today I'll discuss the benefits of mapping firewall rules to business applications.

So imagine you're a firewall administrator working at a bank, and it's time for the annual rule recertification effort. So you need to go over all the firewall rules and decide whether those rules deserve to remain where they are, or maybe they need to be retired.

So your starting point is something like this: you have your green firewall with its rules, your blue firewall with its rules, and if you look at one of these firewalls you can see rules saying from sources to destinations with certain services. And you're asked, your task is to find out whether some of these rules can be finally retired. At this point you don't know too much. What you do know is some of the network segmentation. So possibly you know that the green firewall is actually the firewall protecting one of the DMZs from the outside internet, and the blue firewall is protecting the data center over here and separating it from the various DMZs in the organization. So you are aware of the network segmentation, but you still don't know what each of these rules is really for: why it's there, who put it there, and maybe you can get rid of it.

Let's contrast this level of information with what's going on in the application repository. So the application owners in the organization have an application repository system in which they have a record of a trading application that belongs to the professional banking line of business and supports the European region, and is structured more or less like this: there is a trading system, the traders connect to it using HTTPS, there is a foreign exchange feed, and both of these systems connect to the database sitting behind all this. So this is the viewpoint for the application owners.

Now, if this system, the application repository system, is properly integrated with the network security policy management system that is aware of these rules, a good, well-integrated system can map the applications to the firewall rules automatically. Imagine that such a system would automatically annotate all of these rules and add a comment here saying that this rule is really part of the trading application, and these two rules are also part of the trading business application. And there are such systems that can achieve this annotation for you.

If you have these annotations on the rules, then when it comes time to recertify the rule, you're no longer in the dark. You can look at the rule and say, ah, this rule belongs to or supports the trading application, and then you can go talk to the people in charge of the trading application and find out whether the rule is still necessary and what it's for, and so forth. And this could also apply to rules that might belong to multiple applications. So such a rule allowing traffic from anywhere to this destination might in fact support additional applications, not just the trading application, so you'd have an annotation with multiple business applications supported by that one rule.

So the takeaway point here is that a good network security policy management system that integrates between the application repository and the firewall rules is a tremendous value to people managing the firewall rules, and empowers them to know what these rules are really for.

Thank you for your attention.
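The automatic annotation described in the talk, as an added example that is not part of the original lesson or of any vendor's product: application flows from a repository are matched against firewall rules by address containment and service, each rule is annotated with the business applications it supports (possibly several, as with the "from anywhere" rule), and rules supporting no known application are flagged for the recertification review. All rule and flow data below are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR, or "any"
    dst: str      # CIDR, or "any"
    service: str  # e.g. "tcp/443", or "any"


@dataclass(frozen=True)
class Flow:
    app: str      # business application from the repository
    src: str
    dst: str
    service: str


def _net(value):
    """Turn "any" or a CIDR string into an ip_network object."""
    return ipaddress.ip_network("0.0.0.0/0" if value == "any" else value, strict=False)


def rule_matches_flow(rule, flow):
    """True if the rule's source, destination and service cover the flow."""
    return (_net(flow.src).subnet_of(_net(rule.src))
            and _net(flow.dst).subnet_of(_net(rule.dst))
            and rule.service in ("any", flow.service))


def annotate_rules(rules, flows):
    """Map each rule name to the sorted list of applications it supports."""
    return {r.name: sorted({f.app for f in flows if rule_matches_flow(r, f)})
            for r in rules}


def unmapped_rules(annotations):
    """Rules that no repository flow explains: first candidates for retirement review."""
    return sorted(name for name, apps in annotations.items() if not apps)


# Constructed sample data (hypothetical addresses, not from the lesson).
RULES = [
    Rule("blue-1", "10.20.0.0/24", "10.50.1.10/32", "tcp/1521"),   # DMZ hosts -> DB
    Rule("blue-2", "any", "10.50.1.10/32", "tcp/1521"),            # anywhere -> DB
    Rule("green-1", "any", "10.20.0.10/32", "tcp/443"),            # traders -> trading system
    Rule("green-9", "10.99.0.0/16", "10.50.2.0/24", "tcp/22"),     # nobody knows why
]
FLOWS = [
    Flow("Trading", "any", "10.20.0.10/32", "tcp/443"),            # traders over HTTPS
    Flow("Trading", "10.20.0.10/32", "10.50.1.10/32", "tcp/1521"), # trading system -> DB
    Flow("Trading", "10.20.0.20/32", "10.50.1.10/32", "tcp/1521"), # FX feed -> DB
    Flow("Payments", "10.30.0.0/24", "10.50.1.10/32", "tcp/1521"), # second app sharing the DB
]

if __name__ == "__main__":
    for name, apps in annotate_rules(RULES, FLOWS).items():
        print(f"{name}: {', '.join(apps) or 'UNMAPPED - review before recertifying'}")
```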