10 Cool Things Your Firewall Should Do E Book

8/3/2019 10 Cool Things Your Firewall Should Do E Book

A firewall that blocks threats is only the beginning

    10 Cool Things Your Firewall Should Do


Table of Contents

The Firewall Grows Up
The Application Firewall
1st Cool Thing: Managing Streaming Video
2nd Cool Thing: Per Group Bandwidth Management
3rd Cool Thing: Web-mail and Data Loss
4th Cool Thing: Application Use Enforcement
5th Cool Thing: Deny FTP Upload
6th Cool Thing: Keep P2P Apps Under Control
7th Cool Thing: Manage Streaming Music
8th Cool Thing: Prioritize Application Bandwidth
9th Cool Thing: Blocking Confidential Documents
10th Cool Thing: Block Forbidden Files and Notify
When You Add It All Up


The Firewall Grows Up

Traditional firewalls focus on blocking simple threats and intrusions. Business-grade firewalls have added Unified Threat Management (UTM) services such as anti-virus, anti-spyware, intrusion prevention, content filtering and even some anti-spam services to enhance threat protection.

...but blocking threats is just the beginning

Most traffic passing through a firewall is not threat-based, but is instead applications and data. This gave rise to the Application Firewall, which can manage and control data and applications that pass through the firewall.


The Application Firewall

Allows you to classify, control and manage applications and data that pass through your firewall.

What does it do?

An Application Firewall provides bandwidth management and control, application-level access controls, data leakage control functionality, restrictions on the transfer of specific files and documents, and much more.

How does it work?

An Application Firewall allows custom access controls based upon user, application, schedule or IP subnet level. This allows an administrator the ability to create policies that address the full range of applications that are available for access and, for the first time, truly manage them.

Diagram: Good (Protected, Productive) versus Threats (Compromised, Wasteful), for both data and applications.


1st Cool Thing: Managing Streaming Video

Access to streaming video sites, such as youtube.com, is sometimes useful but often abused. Blocking the site might work, but the best answer could be to limit the bandwidth given to streaming video sites.

Create a Policy to limit streaming video
• Use the Deep Packet Inspection (DPI) engine to look for HTTP Host = www.youtube.com in HTTP header
• Apply bandwidth restrictions to traffic with that header

You can limit bandwidth for applications over specified times of day, say from 9:00am to 5:00pm.

Chart: Streaming Video Bandwidth Desired versus Streaming Video Bandwidth Provided.


2nd Cool Thing: Per Group Bandwidth Management

In the 1st Cool Thing, we applied bandwidth restrictions for streaming video sites like youtube.com. Now your CEO and CFO are complaining that the business news videos they review each day are too slow. You could ease off on the bandwidth restrictions for everyone, but now there is a better answer: group-based bandwidth management.

Create a Policy to not limit streaming video for the executives
• Apply this Policy to the executive group imported from your LDAP server
• Use the Deep Packet Inspection (DPI) engine to look for HTTP Host = www.youtube.com in HTTP header
• Apply bandwidth guarantee to traffic with that header

Chart: Streaming Video Bandwidth Desired versus Executive Streaming Video Bandwidth Provided and Everyone Else's Streaming Video Bandwidth Provided.


3rd Cool Thing: Web-mail and Data Loss

Let's assume your existing anti-spam protection can detect and block a normal outbound e-mail that contains Company Confidential information. But what if an employee uses a Web-mail service such as Yahoo or Gmail to send out Company Confidential information?

Create a Policy to block Company Confidential e-mail
• Deep Packet Inspection (DPI) engine looks for E-mail Body = Company Confidential
• Block message and notify the sender that the message is Company Confidential

Example messages (STOP = blocked, GO = allowed):

From: badguy@your_company.com
To: [email protected]
Subject: Design road map
Here is the Roadmap
Jan 09 Release 7.0
This document is Company Confidential
STOP

From: goodguy@your_company.com
To: [email protected]
Subject: Time Card Approval
Jim,
I approve your time card hours for this week.
Joe
GO


4th Cool Thing: Application Use Enforcement

Your Boss: Wants to use Internet Explorer (IE) 7.0 as the standard browser.
Your Mission: Ensure all company systems are using IE 7.0, nothing else!

Your Possible Solutions
1. Physically check everyone's system each day for foreign browsers
2. Set up some type of script to check everyone's system for foreign browsers, and make sure it checks everyone's system every day
3. Set up a policy in the Application Firewall and stop worrying

Create an "I've got better things to do" Policy
• Deep Packet Inspection (DPI) engine looks for User Agent = MSIE 7.0 in HTTP header
• Allows IE 7.0 traffic and blocks other browsers
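As an added example, not code from the e-book or from SonicWALL's product, here is a small Python policy evaluator that applies the 1st, 2nd and 4th Cool Things to a raw HTTP request: it matches the Host or User-Agent field, honours the user's LDAP group and a time-of-day schedule, and returns the first matching policy's action. The policy names, group names and sample requests are constructed for illustration.

```python
from dataclasses import dataclass

def parse_http_headers(raw: bytes) -> dict:
    """Return the header fields of an HTTP/1.x request, names lower-cased (what DPI inspects)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

@dataclass(frozen=True)
class Policy:
    name: str
    header: str                      # HTTP header field to inspect, e.g. "host"
    needle: str                      # substring to look for in that field
    action: str                      # what the firewall does on a match
    negate: bool = False             # True: match when the needle is absent
    groups: frozenset = frozenset()  # LDAP groups the policy applies to; empty = everyone
    start: str = "00:00"             # schedule window, inclusive, zero-padded HH:MM
    end: str = "23:59"

# Hypothetical policies for the 1st, 2nd and 4th Cool Things; first match wins, so the exception precedes the limit.
POLICIES = [
    Policy("exec-video-guarantee", "host", "www.youtube.com", "guarantee-bandwidth",
           groups=frozenset({"executives"})),
    Policy("limit-video-business-hours", "host", "www.youtube.com", "limit-bandwidth",
           start="09:00", end="17:00"),
    Policy("enforce-ie7", "user-agent", "MSIE 7.0", "block", negate=True),
]

def evaluate(raw_request: bytes, user_groups: frozenset, now: str) -> tuple:
    """Return (policy name, action) of the first matching policy, else ("default", "allow")."""
    headers = parse_http_headers(raw_request)
    for p in POLICIES:
        if p.groups and not (p.groups & user_groups):
            continue
        if not (p.start <= now <= p.end):  # string compare is safe for zero-padded HH:MM
            continue
        matched = p.needle.lower() in headers.get(p.header, "").lower()
        if matched != p.negate:
            return p.name, p.action
    return "default", "allow"

# Constructed sample requests, not captured traffic.
IE7_VIDEO = (b"GET /watch?v=abc HTTP/1.1\r\nHost: www.youtube.com\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n")
OTHER_BROWSER = (b"GET / HTTP/1.1\r\nHost: intranet.example.com\r\n"
                 b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0\r\n\r\n")
```

Both fields are written by the client and travel inside TLS for HTTPS, so the browser rule only identifies cooperative clients and the Host rule only sees plain HTTP; treat them as hygiene and bandwidth controls rather than a security boundary.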


5th Cool Thing: Deny FTP Upload

You set up an FTP site for the exchange of large files with one of your business partners, and you want to make sure that only the project manager at the partner, and no one else, can upload files.

Create a Policy to allow FTP uploads, but only for certain people
• Deep Packet Inspection (DPI) engine looks for FTP Command = PUT
• DPI engine looks for Authenticated User Name = pm_partner
• If both are True then allow PUT

You can also disallow any FTP commands you think are unnecessary for a given FTP server.

Diagram: uploads attempted by sales_partner, mktg_partner, sales_partner and pm_partner ("put file"); only pm_partner's upload is allowed.
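The FTP check above, as an added Python example rather than the product's own logic: it replays a control-channel session, treats the user as authenticated only after the server's 230 reply, allows uploads (STOR, STOU and APPE, which is how a client's "put" arrives on the wire) only for the allow-listed user, and denies commands the drop-box does not need. The session transcripts and user names are constructed.

```python
UPLOAD_COMMANDS = frozenset({"STOR", "STOU", "APPE"})   # every RFC 959 way to write a file
ALLOWED_UPLOADERS = frozenset({"pm_partner"})           # hypothetical allow list
UNNEEDED_COMMANDS = frozenset({"DELE", "RMD", "SITE"})  # not needed on a file drop-box

def filter_ftp_session(transcript: str) -> list:
    """Replay one control-channel session ("C: " client / "S: " server lines) and
    return a (command, verdict) pair for every client command."""
    pending_user, auth_user, verdicts = None, None, []
    for line in transcript.strip().splitlines():
        side, _, text = line.partition(": ")
        if side == "S":
            # Only a 230 reply proves the pending USER actually logged in.
            if text.startswith("230") and pending_user:
                auth_user, pending_user = pending_user, None
            continue
        cmd, _, arg = text.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            pending_user, auth_user = arg.strip(), None   # a new login attempt resets auth
            verdict = "allow"
        elif cmd in UPLOAD_COMMANDS:
            verdict = "allow" if auth_user in ALLOWED_UPLOADERS else "deny"
        elif cmd in UNNEEDED_COMMANDS:
            verdict = "deny"
        else:
            verdict = "allow"
        verdicts.append((text, verdict))
    return verdicts

def verdict_for(transcript: str, command: str) -> str:
    """Verdict given to the first client command in the session that starts with `command`."""
    return next(v for text, v in filter_ftp_session(transcript) if text.startswith(command))

# Constructed sessions (not captured traffic); a client's "put" is sent as STOR.
SALES_SESSION = """
C: USER sales_partner
S: 331 Password required
C: PASS secret
S: 230 Login successful
C: STOR quote.xlsx
"""
PM_SESSION = """
C: USER pm_partner
S: 331 Password required
C: PASS secret
S: 230 Login successful
C: STOR roadmap.pdf
C: DELE roadmap-old.pdf
C: QUIT
"""
```

Keying on the 230 reply rather than the USER command alone matters, because a client can send USER without ever completing a login.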


6th Cool Thing: Keep P2P Apps Under Control

Problem 1: Peer-To-Peer (P2P) applications such as BitTorrent can steal bandwidth and bring with them all kinds of mischievous files.

Problem 2: The creation of new P2P applications, or simple changes to the existing P2P applications, like a version number change, happen all the time.

Create a Policy to detect P2P applications
• Deep Packet Inspection (DPI) engine looks for a P2P Application signature on the IPS signature list
• P2P applications can be blocked, or just limited, through bandwidth and time-based restrictions

Diagram: IPS Signature List (BitTorrent-6.1, BitTorrent-6.0.3, BitTorrent-6.0.2, BitTorrent-6.0.1, hundreds more) + IPS Signature List updates from SonicWALL are received and applied = IPS Signature List (BitTorrent-6.1.1, BitTorrent-6.1, BitTorrent-6.0.3, BitTorrent-6.0.2, hundreds more).

The Results
• You can manage and control P2P applications
• You don't have to spend time updating IPS signature rules


7th Cool Thing: Manage Streaming Music

Streaming audio sites and streaming radio sites consume precious bandwidth, but there are legitimate business reasons to access such sites. There are two ways to manage this challenge.

Control by Web Site
Create a list of streaming audio sites you'd like to manage
Create a Policy to detect streaming audio sites
• Use the Deep Packet Inspection (DPI) engine to look for HTTP Host = Streaming Audio Site block list in HTTP header

Control by File Extension
Create a list of audio file extensions you'd like to manage
Create a Policy to detect streaming audio content
• Use the Deep Packet Inspection (DPI) engine to look for File extension = Streaming Audio Extensions block list in HTTP header

Once detected, you can block, or just bandwidth-manage, the streaming audio.


8th Cool Thing: Prioritize Application Bandwidth

Today many mission-critical applications, such as SAP, Salesforce.com and SharePoint, are cloud-based or are running across geographically dispersed networks. Ensuring these applications have priority to get the network bandwidth they need to operate can improve business productivity.

Create a Policy to give bandwidth priority to the SAP application
• Deep Packet Inspection (DPI) engine looks for the application signature or application name
• Assign the SAP application a higher bandwidth priority

Application priority can be date based (think end-of-quarter priority for sales applications).

Chart: bandwidth priority for SAP, Salesforce.com and SharePoint versus Others.


9th Cool Thing: Blocking Confidential Documents

In some companies, outbound e-mail does not pass through their E-mail Security system, or that system does not check the content of e-mail attachments. In either case Company Confidential attachments can easily leave the organization. Since outbound network traffic goes through your firewall, you can detect and block this data-in-motion.

Create a Policy to block e-mail attachments which contain the Company Confidential watermark
• Deep Packet Inspection (DPI) engine looks for
  E-mail Content = Company Confidential and also
  E-mail Content = Company Proprietary and also
  E-mail Content = Private Proprietary and

This can also be done for FTP-based content!


10th Cool Thing: Block Forbidden Files and Notify

Diagram: a DOWNLOAD attempted over Email, FTP or a Website (Bad .pif, Bad .vbs, Bad .exe) passes through a SonicWALL NSA with Application Firewall, and the user sees this notification:

Security Risk
Activity: You are attempting to download or receive a file with a forbidden file extension (.exe, .pif, .src or .vbs).
Action: Per corporate policy, this file has been blocked.
More info: Please refer to the Security section of the corporate intranet for a complete list of the files which are forbidden.

Create a Forbidden File Extensions list
Create a Policy to block forbidden file extensions
• Deep Packet Inspection (DPI) engine looks for File Extension in HTTP, Email Attachment or FTP = Forbidden File Extensions
• If file blocked, send Notification

Can your Firewall block any of the following?
• An EXE file from being downloaded from a web page
• An EXE file as an e-mail attachment
• An EXE file from being transferred via FTP
How about PIF, SRC or VBS files?
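One added example, not the e-book's own code, that covers the 3rd, 9th and 10th Cool Things together: it walks an outbound MIME message, flags the watermark strings in the body or inside an attachment, flags forbidden extensions, and additionally checks the first bytes of each attachment so that a renamed executable is caught as well. The messages, addresses and attachment contents are constructed for the test.

```python
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

WATERMARKS = ("Company Confidential", "Company Proprietary", "Private Proprietary")
FORBIDDEN_EXTENSIONS = frozenset({".exe", ".pif", ".src", ".vbs"})  # the list on the page
MAGIC = {b"MZ": ".exe"}  # DOS/Windows executable header: catches a renamed .exe

def inspect_message(raw: bytes) -> dict:
    """Classify one outbound MIME message: {"action": "block"|"allow", "reasons": [...]}."""
    reasons = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename()
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        where = "body" if name is None else f"attachment {name}"
        # Watermark strings in the body (3rd Cool Thing) or inside an attachment (9th).
        reasons += [f"{where} contains '{w}'" for w in WATERMARKS if w in text]
        if name is not None:
            # Forbidden extension by name (10th Cool Thing), then by content as an extra check.
            ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
            if ext in FORBIDDEN_EXTENSIONS:
                reasons.append(f"{where} has forbidden extension {ext}")
            for magic, real_ext in MAGIC.items():
                if payload.startswith(magic) and ext != real_ext:
                    reasons.append(f"{where} carries a {real_ext} header under a different name")
    return {"action": "block" if reasons else "allow", "reasons": reasons}

def build_message(body: str, attachments: dict) -> bytes:
    """Assemble a constructed test message (addresses are placeholders, not real mailboxes)."""
    msg = MIMEMultipart()
    msg["From"], msg["To"] = "badguy@your_company.com", "recipient@example.net"
    msg["Subject"] = "Design road map"
    msg.attach(MIMEText(body))
    for name, data in attachments.items():
        part = MIMEApplication(data, Name=name)
        part["Content-Disposition"] = f'attachment; filename="{name}"'
        msg.attach(part)
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_message("Here is the Roadmap. This document is Company Confidential", {})))
    print(inspect_message(build_message("I approve your time card hours for this week.", {})))
    print(inspect_message(build_message("See attached", {"notes.txt": b"MZ\x90\x00\x03"})))
```

The MZ check goes beyond the page's extension list; a real deployment extends the MAGIC table with further file-type signatures, since matching on the file name alone is defeated by a rename.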


When You Add It All Up

High Performance Firewall
+ Unified Threat Management
+ Application Firewall

SonicWALL Network Security Appliance: Performance, Protection and Pin-Point Control


© 2008 SonicWALL, the SonicWALL logo and Protection at the Speed of Business are registered trademarks of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice. 10/08 SW 466

How Can I Learn More?

• For a comparison of the SonicWALL NSA models which include the Application Firewall
• To download the datasheet
• Practical examples of the Application Firewall with product examples
• Application Firewall user guide

For feedback on this e-book or other SonicWALL e-books or whitepapers, please send an e-mail to [email protected].

About SonicWALL

SonicWALL is a recognized leader in comprehensive information security solutions. SonicWALL solutions integrate dynamically intelligent services, software and hardware that engineer the risk, cost and complexity out of running a high-performance business network. For more information, visit the company Web site at www.sonicwall.com.