10 Things Your Next Firewall Must Do


Your users continue to adopt new applications and technologies, often to get their jobs done but with little regard to the associated business and security risks. In some cases, if your security team blocks these applications, it may hinder your business.

Applications are how your employees get their jobs done and maintain productivity in the face of competing personal and professional priorities. Because of this, safe application enablement is increasingly the correct policy stance. To safely enable applications and technologies on your network and the business that rides atop them, your network security teams need to put in place the appropriate policies governing use, and also the controls capable of enforcing them.

Palo Alto Networks is the leading next-generation network security company. Its innovative platform allows enterprises, service providers, and government entities to secure their networks by safely enabling the increasingly complex and rapidly growing number of applications running on their networks and by providing prevention against cyberthreats. The core of the Palo Alto Networks platform is its Next-Generation Firewall, which delivers application, user, and content visibility and control integrated within the firewall through its proprietary hardware and software architecture.


  1. Your next firewall must identify and control applications on all ports, all the time.
    Application developers no longer adhere to standard port/protocol/application development methodology. More and more applications are capable of operating on non-standard ports or can hop ports (e.g., instant messaging applications, peer-to-peer file sharing, or VoIP). Additionally, users are increasingly savvy enough to force applications to run over non-standard ports (e.g., RDP, SSH). In order to enforce application specific firewall policies where ports are increasingly irrelevant, your next firewall must assume that any application can run on any port.
  2. Your next firewall must identify and control security evasion tools. 
    A small number of the applications on your network may be used to purposely evade the very security policies you have in place to protect your organization's digital assets. Two classes of applications fall into the security evasion tools: those that are expressly designed to evade security (e.g., external proxies, non-VPN related encrypted tunnels) and those that can be adapted to easily achieve the same goal (e.g., remote server/desktop management tools).
    Cyberattackers know these applications are commonly used, and there are publicly documented cases where these remote access tools were executed in one or more of the attack phases.
    To be clear, not all of these applications carry the same risks—remote access applications have legitimate uses, as do many encrypted tunnel applications. Without the ability to control these security evasion tools, organizations cannot enforce their security policies, exposing themselves to the very risks they thought their controls mitigated. It is important to understand not only that your next firewall can identify these circumvention applications, but also how often that firewall's application intelligence is updated and maintained.
  3. Your next firewall must decrypt and inspect SSL and control SSH.
    The ability to decrypt SSL is a foundational element—not just because it is an increasingly significant percentage of enterprise traffic, but also because it enables a few other key features that would end up incomplete or ineffective without the ability to decrypt SSL. Key elements to look for include recognition and decryption of SSL on any port, inbound and outbound; policy control over decryption; and the necessary hardware and software elements to perform SSL decryption across tens of thousands of simultaneous SSL connections with predictable performance. An additional requirement to consider is the ability to identify and control the use of SSH. Specifically, SSH control should include the ability to determine whether it is being used for port forwarding (local, remote, X11) or for native use (SCP, SFTP and shell access). Knowledge of how SSH is being used can then be translated into appropriate security policies.
  4. Your next firewall must provide application function control.
    Application platform developers such as Google, Facebook, Salesforce.com or Microsoft provide users with a rich set of features and functions that help to ensure user loyalty but may represent very different risk profiles.
    For example, allowing Webex is a valuable business tool, but using Webex Desktop Sharing to take over your employees' desktops from an external source may be an internal or regulatory compliance violation. Another example is Google Mail (Gmail) and Google Talk (Gtalk). Once a user is signed into Gmail, which may be allowed by policy, they can easily switch context to Gtalk, which may not be allowed. Your next firewall must be able to recognize and delineate individual features and functions so that an appropriate policy response can be implemented.
  5. Your next firewall must systematically manage unknown traffic.
    There are several important elements to consider with unknown traffic—is it categorized, can you minimize it through policy control, can your firewall easily characterize custom applications so they are “known” within your security policy, and does your firewall help you determine if the unknown traffic is a threat?
    Unknown traffic is also strongly tied to threats in the network. Attackers are often forced to modify a protocol in order to exploit a target application. For example, to attack a webserver, an attacker may need to modify the HTTP header so much that the resulting traffic is no longer identified as web traffic. Such an anomaly can be an early indication of an attack. Similarly, malware often uses customized protocols as part of its command-and-control model, so flagging unknown traffic gives security teams a way to root out unknown malware infections.
  6. Your next firewall must scan for threats in all applications on all ports.
    Enterprises continue to adopt a wide range of applications to enable the business—they may be hosted internally or outside of your physical location. Whether it is hosted SharePoint, Box.net, Google Docs, Microsoft Office365, or even an extranet application hosted by a partner, many organizations have a requirement to use an application that may use non-standard ports, SSL, or file sharing. In other words, these applications may enable the business, but they can also act as a cyber-threat vector. Blocking the application isn't appropriate, but neither is blindly allowing the applications along with the (potential) associated business and cybersecurity risks. These applications can communicate over a combination of protocols (e.g., SharePoint uses CIFS, HTTP and HTTPS) and require a more sophisticated firewall policy than "block the application." The first step is to identify the application (regardless of port or encryption), determine the functions you may want to allow or deny, and then scan the allowed components for any of the appropriate threats—exploits, viruses/malware, or spyware, or even confidential, regulated, or sensitive information.
  7. Your next firewall must deliver consistent controls to all users, regardless of location or device type.
    Whether your users are accessing the corporate network from laptops, smartphones or tablets working from a coffee shop, home, or a customer site, your users expect to connect to their applications via WiFi, wireless broadband, or by any means necessary.
    Regardless of where the user is, or even where the application they are employing might be, the same standard of firewall control should apply. If your next firewall enables application visibility and control over traffic inside the four walls of the enterprise, but not outside, it misses the mark on some of the riskiest traffic. This is not to say that your organization will have the exact same policy for both; for example, some organizations might want employees to use Skype when on the road but not inside headquarters, whereas others might have a policy that says if outside the office, users may not download salesforce.com attachments unless they have hard disk encryption turned on. This should be achievable on your next firewall without introducing significant latency for the end user, undue operational hassle for the administrator, or significant cost for the organization.
  8. Your next firewall must simplify network security, not make it more complex, with the addition of application control.
    Your business is based on applications, users and content, and your next firewall must allow you to build policies that directly support your business initiatives. Shared context across the application, user and content in all aspects—visibility, policy control, logging and reporting—will help you simplify your security infrastructure significantly. Firewall policy based on port and IP address, followed by separate policies for application control, IPS and anti-malware will only complicate your policy management process and may end up inhibiting the business.
  9. Your next firewall must deliver the same throughput and performance with application control fully activated.
    Many organizations struggle with the forced compromise between performance and security. If your next-generation firewall is built the right way, this compromise is unnecessary. The importance of architecture is obvious here too—in a different way. Cobbling together a port-based firewall and other security functions from different technology origins usually means there are redundant networking layers, scanning engines and policies—which translates to poor performance. From a software perspective, the firewall must be designed to do this from the beginning. Furthermore, given the requirement for computationally intensive tasks (e.g., application identification, threat prevention on all ports, etc.) performed on high traffic volumes and with the low tolerance for latency associated with critical infrastructure, your next firewall must have hardware designed for the task as well—meaning dedicated, specific processing for networking, security and content scanning.
  10. Your next firewall must deliver the exact same firewall functions in both a hardware and virtualized form factor.
    It is imperative that your next firewall provide in-depth integration with the virtualization environment to streamline the creation of application-centric policies as new virtual machines and applications are established and taken down. This is the only way to ensure you can support evolving data center architectures with operational flexibility while addressing risk and compliance requirements. The explosive growth of virtualization and cloud computing introduces new security challenges that are difficult or impossible for legacy firewalls to effectively manage due to inconsistent functionality, disparate management, and a lack of integration points with the virtualization environment. In order to protect traffic flowing in and out of the data center as well as within your virtualized environments, your next firewall must support the exact same functionality in both a hardware and virtualized form factor.
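The following is an added example, not code from Palo Alto Networks, Radpoint, or the original article. It illustrates the mechanism behind items 1, 4 and 5 above: an application is identified from what the client actually sends, never from the destination port; HTTP is further split into "browse" and "upload" functions so policy can act on a function rather than the whole application; and traffic that matches no signature is classified as unknown and handled by an explicit rule rather than falling through a port-based one. The signatures are simplified, and the flows, ports and policy table are constructed for the example.

```python
"""Port-independent application identification with explicit unknown-traffic handling.

Added example (not vendor code). Signatures are simplified; sample flows and the
policy table are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    payload: bytes  # first bytes sent by the client


@dataclass(frozen=True)
class Verdict:
    app: str
    function: str
    action: str
    reason: str


# Simplified payload signatures (constructed). Identification is driven purely by
# payload content; dst_port is never consulted ("any application on any port").
HTTP_REQUEST = re.compile(rb"^(?P<method>GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),                             # SSH version banner
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),  # TLS record carrying a ClientHello
    ("smb", re.compile(rb"^.{4}[\xfe\xff]SMB", re.DOTALL)),          # NetBIOS session header + SMB magic
]

# What a legacy port-based firewall would assume for the same flows.
PORT_TABLE = {22: "ssh", 80: "http", 443: "tls", 445: "smb", 8080: "http"}

# Policy keyed by "app" or "app:function". Unknown traffic gets its own rule.
POLICY = {
    "http:browse": "allow",
    "http:upload": "deny",
    "tls": "allow",   # a real deployment would hand this to SSL decryption/inspection
    "ssh": "deny",
    "smb": "allow",
    "unknown": "deny",
}


def identify(flow: Flow) -> tuple[str, str]:
    """Return (application, function) for a flow, or ("unknown", "-")."""
    m = HTTP_REQUEST.match(flow.payload)
    if m:
        # Application function control: read-only "browse" versus "upload",
        # decided by the HTTP method rather than by the application as a whole.
        function = "upload" if m.group("method") in (b"POST", b"PUT") else "browse"
        return "http", function
    for app, pattern in SIGNATURES:
        if pattern.match(flow.payload):
            return app, "-"
    return "unknown", "-"


def evaluate(flow: Flow) -> Verdict:
    """Apply POLICY: most specific key first, unknown traffic handled explicitly."""
    app, function = identify(flow)
    if app == "unknown":
        return Verdict(app, function, POLICY["unknown"], "unidentified payload, log for characterization")
    key = f"{app}:{function}"
    if key in POLICY:
        return Verdict(app, function, POLICY[key], f"matched {key}")
    if app in POLICY:
        return Verdict(app, function, POLICY[app], f"matched {app}")
    return Verdict(app, function, "deny", "no rule")


def port_mismatches(flows: list[Flow]) -> list[Flow]:
    """Flows where the port-based guess disagrees with payload identification."""
    return [f for f in flows if PORT_TABLE.get(f.dst_port, "unknown") != identify(f)[0]]


# Constructed sample flows: note SSH on 443 and unidentifiable bytes on 80.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.0.6", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    Flow("10.0.0.7", 80, b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\n"),
    Flow("10.0.0.8", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    Flow("10.0.0.9", 80, b"\x8f\x12QZ\x00\x00garbage"),
    Flow("10.0.0.10", 445, b"\x00\x00\x00\x90\xfeSMB@\x00"),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        v = evaluate(flow)
        print(f"{flow.src:>10} port {flow.dst_port:<5} {v.app:<8} {v.function:<7} {v.action:<6} ({v.reason})")
    print("port-based guess wrong for:", [(f.src, f.dst_port) for f in port_mismatches(SAMPLE_FLOWS)])
```

Running the block shows the SSH session on port 443 denied as `ssh` where a port-based rule would have passed it as HTTPS, the `POST` on port 80 denied as `http:upload` while the `GET` on 8080 is allowed as `http:browse`, and the unidentifiable bytes on port 80 landing on the explicit unknown rule instead of being waved through as web traffic.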


Contact me and let's discuss how Radpoint and Palo Alto Networks can help you secure your digital assets and protect your employees from the increasing number of cyber threats.

Daniel Dukic
+46 76 004 0012