Using an application-aware next-generation firewall to define application access policies

Source: Internet
Author: User
Tags: ftp protocol

Translator: Liu Daning

One advantage of an application-aware next-generation firewall (NGFW) is that it improves application awareness and gives administrators finer granularity when defining and managing policies for specific elements of an application.

By contrast, an old-generation firewall relies on rule sets built around ports and protocols. For example, if a firewall rule blocks incoming packets on ports 20 and 21, file transfer over FTP is no longer possible, which is unacceptable for an IT department that depends on FTP. You therefore have to create another rule set for the users who need FTP, and then handle a number of further special cases. A simple requirement turns into a long series of complicated, troublesome rules.

Figure 1: A large application database helps administrators determine the relative risk of specific software

This is where granular application control comes in handy. Next-generation firewall products ship with extensive application databases that network administrators can use to model specific behaviors and build fine-grained access policies. How extensive are these databases? Take Palo Alto Networks' Applipedia (Figure 1). In Figure 1 you can see the relative risk of specific applications, the security detection products each one typically evades, and the technologies it uses.

Cisco's SenderBase and McAfee's TrustedSource are similar databases; they are free to browse for educational purposes and form the basis of each vendor's next-generation application-awareness engine.

Let's look at how the Cisco ASA firewall line puts application awareness into practice.

The first step is to define an application awareness policy. Suppose we want to block certain Facebook features, such as posting and playing games, while still allowing users to browse their walls.

Figure 2: Creating an application awareness policy for Facebook

Create the application awareness policy as shown on the screen in Figure 2. In the Application/Service box we start typing "Facebook", and the different preset Facebook policy templates available for selection appear, including specific content types such as sports or events.

Figure 3: A simple slider control lets you apply several Facebook policies

At this point we focus on the policy just created. Figure 3 shows that a simple slider control lets you apply a range of policies, for example controlling whether attachments may be uploaded or downloaded, so that nobody can upload photos from a Facebook account.

Setting application-oriented policies with a next-generation firewall is far easier than with the old-generation port-and-protocol approach. With an old-generation firewall you need to experiment extensively with the rule set before you can be sure that a specific behavior is blocked or allowed. Most of today's next-generation firewalls operate much like the Cisco ASA shown here and have a user-friendly graphical interface.
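To make the contrast concrete, here is an added toy policy evaluator (not code from the article or from any firewall vendor) that expresses the FTP port rule from above and the Facebook feature policy as rules and evaluates sample flows against each. The host addresses, application labels and flows are constructed for illustration, and the "app" label stands in for whatever an application-identification engine would attach to the flow.

```python
# Added example, not code from the article or from any firewall vendor: a toy
# policy evaluator that contrasts legacy port-based rules with application-aware
# rules. Hosts, application labels and flows below are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Flow:
    src: str           # source host
    dst_port: int      # destination port
    app: str = ""      # label an application-identification engine would attach
    sub_app: str = ""  # finer-grained feature, e.g. "posting", "upload", "browse"

@dataclass
class Rule:
    action: str                                  # "allow" or "block"
    srcs: set = field(default_factory=set)       # empty set means "any"
    ports: set = field(default_factory=set)      # legacy port/protocol match
    apps: set = field(default_factory=set)       # NGFW application match
    sub_apps: set = field(default_factory=set)   # NGFW application-feature match

    def matches(self, f: Flow) -> bool:
        return all([
            not self.srcs or f.src in self.srcs,
            not self.ports or f.dst_port in self.ports,
            not self.apps or f.app in self.apps,
            not self.sub_apps or f.sub_app in self.sub_apps,
        ])

def evaluate(rules, flow, default="allow"):
    """First matching rule wins, otherwise the default action applies."""
    return next((r.action for r in rules if r.matches(flow)), default)

IT_HOSTS = {"10.0.1.5"}  # constructed: the IT department host that needs FTP

# Legacy firewall: "no FTP" can only be said as "no ports 20/21" (blocks IT too).
LEGACY = [Rule("block", ports={20, 21})]

# NGFW: rules speak in applications and features; order matters (first match).
NGFW = [
    Rule("allow", srcs=IT_HOSTS, apps={"ftp"}),                        # IT may use FTP
    Rule("block", apps={"ftp"}),                                       # everyone else may not
    Rule("block", apps={"facebook"}, sub_apps={"posting", "games", "upload"}),
    Rule("allow", apps={"facebook"}),                                  # browsing the wall is fine
]

def compare(flow):
    """Return (legacy_decision, ngfw_decision) for one flow."""
    return evaluate(LEGACY, flow), evaluate(NGFW, flow)
```

Calling compare(Flow("10.0.1.5", 21, "ftp")) returns ("block", "allow"): the port rule cuts off the IT host, while the application rule lets it through and still blocks FTP for everyone else; a Facebook upload flow returns ("allow", "block"), which the port rule cannot distinguish from browsing at all.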

Figure 4: The next-generation firewall's control panel shows security vulnerabilities across the whole network

Figure 4 is the control panel of a next-generation firewall; it clearly shows the various security vulnerabilities that have been discovered in the sample network.

With application-specific policies comes the responsibility to understand exactly what you are allowing or blocking on the network. You should also coordinate any policy with your human resources department and other departments, so that the policies are applied consistently and meet your company's specific standards and practical needs.
