Network Security Policy Management: Automation for Transformation
Yonatan Klein, Director Product Management
WHAT WE’LL COVER TODAY
01 Managing Network Connectivity throughout the application lifecycle
02 Managing Disaster Recovery – automatically and securely
03 Mapping rules and flows to business processes and applications
04 Making rule recertification an efficient, application-centric process
05 Summary and Q&A
WHAT IS NETWORK SECURITY POLICY MANAGEMENT
3 | Confidential
GETTING STARTED WITH NETWORK SECURITY POLICY MANAGEMENT: Map applications and connectivity needs
MAP YOUR DATA-CENTER ASSETS: GETTING A SINGLE SOURCE OF TRUTH
• CMDB?
• Excel Spreadsheet?
• Firewall Rules?
APPLICATION & CONNECTIVITY AUTO-DISCOVERY
Network sensing
• Various sources: network mirroring, PCAP files, NetFlow, sFlow
Analyze network traffic
• Determine hosts
• Determine active flows
Identify business applications
• Smart heuristics to identify web services, databases, applications
• Application identity “hints”
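The three discovery steps above (sense flows, derive hosts and active flows, apply heuristics to group them into an application) in working form, as an added example that is not part of the original deck and not AlgoSec code. The flow records, the port-to-role hint table and the "web front end plus the databases it talks to" grouping rule are all assumptions made for illustration; a real discovery engine would fold in payload inspection and naming hints as well:

```python
from collections import defaultdict

# Constructed NetFlow-style records (src, dst, dst_port, proto, packets); not real captures.
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.2.2.20", 443, "tcp", 120),
    ("10.1.1.11", "10.2.2.20", 443, "tcp", 80),
    ("10.2.2.20", "10.3.3.30", 3306, "tcp", 400),
    ("10.2.2.20", "10.3.3.30", 3306, "tcp", 300),
    ("10.1.1.10", "10.2.2.21", 443, "tcp", 1),   # single packet: scan/noise, not a real flow
    ("10.2.2.20", "10.9.9.9", 53, "udp", 10),    # shared DNS, not part of the application
]

# Assumed port-to-role hints (illustrative); the "application identity hints" of the slide.
PORT_HINTS = {80: "web", 443: "web", 3306: "database", 5432: "database", 1433: "database", 53: "dns"}


def aggregate_flows(records, min_packets=2):
    """Collapse raw records into (src, dst, port, proto) -> packets, dropping low-volume noise."""
    agg = defaultdict(int)
    for src, dst, port, proto, pkts in records:
        agg[(src, dst, port, proto)] += pkts
    return {k: v for k, v in agg.items() if v >= min_packets}


def discover_hosts(flows):
    """Every endpoint seen, with the ports it serves and the peers it initiates to."""
    hosts = defaultdict(lambda: {"serves": set(), "talks_to": set()})
    for src, dst, port, proto in flows:
        hosts[dst]["serves"].add((port, proto))
        hosts[src]["talks_to"].add(dst)
    return dict(hosts)


def host_roles(info):
    """Map served ports to role labels; a host that serves nothing is a client."""
    return sorted({PORT_HINTS.get(port, f"port-{port}") for port, _ in info["serves"]}) or ["client"]


def group_applications(flows):
    """Tier chaining: a web front end plus the database hosts it talks to form one application candidate."""
    hosts = discover_hosts(flows)
    apps = []
    for front, info in hosts.items():
        if "web" not in host_roles(info):
            continue
        backends = sorted(d for d in info["talks_to"] if "database" in host_roles(hosts[d]))
        app_flows = sorted(f for f in flows if f[1] == front or (f[0] == front and f[1] in backends))
        apps.append({"front": front, "backends": backends, "flows": app_flows})
    return apps


def optimize_flows(flows):
    """Merge flows that share (dst, port, proto) into one requirement with a source set,
    which is how the connectivity would be expressed as a single rule."""
    merged = defaultdict(set)
    for src, dst, port, proto in flows:
        merged[(dst, port, proto)].add(src)
    return {k: sorted(v) for k, v in merged.items()}


if __name__ == "__main__":
    flows = aggregate_flows(SAMPLE_FLOWS)
    for app in group_applications(flows):
        print(app["front"], "->", app["backends"], len(app["flows"]), "flows")
    for (dst, port, proto), sources in optimize_flows(flows).items():
        print(f"{sources} -> {dst} {proto}/{port}")
```

Two details matter in practice: the packet threshold keeps port scans and half-open connections out of the "active flows" set, and the optimized view merges the two web clients into one source group rather than two rules. Anything the grouping cannot attribute (here the DNS flow) stays visible as a flow without an application, which is exactly the list a human still has to review.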
THE MAPPED BUSINESS APPLICATIONS
DISCOVERED APPLICATIONS
DISCOVERED APPLICATION FLOWS
OPTIMIZED FLOWS
APPLICATION AND CONNECTIVITY DISCOVERY
Manual Process
• Is there a reliable, complete single source of truth? Otherwise it is a manual process to identify each host and flow
• Manage the information in Excel?
With Automation
• Flows identified automatically
• Heuristics and hints help identify matching applications
• Integrated into AlgoSec BusinessFlow, which manages application information and the corresponding flows and network rules
Connectivity needs identified, optimized
APPLICATION MIGRATION - AUTOMATED
APPLICATION MIGRATION
• Data center migration
• App migration to the public cloud
• App migration between data centers
• Consolidation due to M&A
• Application lifecycle: Test -> Pre-Production -> Production
POLL
Which Application Migration Projects Are You Undertaking In Your Organization?
• Data Center Migration
• Application Migrations To The Public Cloud
• Application Migrations Between Data Centers
• Application Life-cycle (e.g. Dev/Test->Pre-Prod->Prod)
• Other
Please vote using the “votes from audience” tab in your BrightTALK panel
APP. MIGRATION AUTOMATED WORKFLOW
01 Create a migration workflow
02 Map source to target IPs
03 Evaluate potential vulnerability and risk impact
04 Apply the changes
05 Migration Done!
App Decommission Workflow
• Mark flow to decommission
• ABF (AlgoSec BusinessFlow) automatically validates no impact on other apps
• Apply the changes
• Decommission Done!
CALCULATE REQUIRED FLOW CHANGES
AUTOMATICALLY IDENTIFY DEVICES IN PATH
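The migration workflow steps (map source to target IPs, calculate the required flow changes, identify the devices in path, and the decommission impact check) carried through in code. This is an added example, not part of the original deck and not AlgoSec's implementation. The flows, the IP mapping, the "other application" flow list and the firewall-to-network topology are constructed; the path model, which assumes a flow is inspected by every firewall guarding its source or destination network, is a simplification of the routing-aware path analysis a real product performs:

```python
from ipaddress import ip_address, ip_network

# Constructed flows of the application being migrated: (src, dst, service). Not real data.
APP_FLOWS = [
    ("10.1.1.10", "10.2.2.20", "tcp/443"),
    ("10.2.2.20", "10.3.3.30", "tcp/3306"),
    ("10.2.2.20", "10.9.9.9", "udp/53"),   # shared DNS server that stays where it is
]

# Flows claimed by other applications (constructed); used for the decommission impact check.
OTHER_APP_FLOWS = [("10.1.1.10", "10.2.2.20", "tcp/443")]

# Source-to-target mapping produced in the "map source to target IPs" step (constructed).
IP_MAP = {"10.1.1.10": "192.168.1.10", "10.2.2.20": "192.168.2.20", "10.3.3.30": "192.168.3.30"}

# Simplified topology (constructed): the networks each firewall enforces. Assumption: a flow
# is inspected by every firewall guarding its source or its destination.
FIREWALLS = {
    "fw-dc1": [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")],
    "fw-db1": [ip_network("10.3.0.0/16")],
    "fw-core": [ip_network("10.9.0.0/16")],
    "fw-dc2": [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")],
    "fw-db2": [ip_network("192.168.3.0/24")],
}


def guarding_firewalls(ip):
    addr = ip_address(ip)
    return {name for name, nets in FIREWALLS.items() if any(addr in net for net in nets)}


def devices_in_path(src, dst):
    """Firewalls that must carry a rule for this flow under the topology model above."""
    return guarding_firewalls(src) | guarding_firewalls(dst)


def plan_migration(flows, ip_map):
    """Split flows into new ones to request and old ones to decommission. A flow changes
    if either end moves; flows between two unmoved endpoints are left alone."""
    new, old, unchanged = [], [], []
    for src, dst, svc in flows:
        nsrc, ndst = ip_map.get(src, src), ip_map.get(dst, dst)
        if (nsrc, ndst) == (src, dst):
            unchanged.append((src, dst, svc))
        else:
            new.append((nsrc, ndst, svc))
            old.append((src, dst, svc))
    return new, old, unchanged


def safe_to_decommission(old_flows, other_apps_flows):
    """Only retire a flow that no other application still claims (the impact check)."""
    still_used = set(other_apps_flows)
    removable = [f for f in old_flows if f not in still_used]
    kept = [f for f in old_flows if f in still_used]
    return removable, kept


def change_plan(flows, ip_map, other_apps_flows=()):
    """Per-firewall work list: rules to add for the new flows, rules to remove for the old."""
    new, old, _ = plan_migration(flows, ip_map)
    removable, _ = safe_to_decommission(old, other_apps_flows)
    plan = {}
    for bucket, flow_list in (("add", new), ("remove", removable)):
        for src, dst, svc in flow_list:
            for fw in sorted(devices_in_path(src, dst)):
                plan.setdefault(fw, {"add": [], "remove": []})[bucket].append((src, dst, svc))
    return plan


if __name__ == "__main__":
    for fw, work in sorted(change_plan(APP_FLOWS, IP_MAP, OTHER_APP_FLOWS).items()):
        print(fw, "add:", work["add"], "remove:", work["remove"])
```

Note the DNS flow: the DNS server does not move, yet the flow still changes because its source does, so the shared core firewall needs both an add and a remove. That is the class of change a manual "find all flows related to the application" pass tends to miss. The impact check is what keeps the old web rule on fw-dc1 in place while another application still references it; removing it on the strength of the migrating application alone would break the other one.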
PROJECT DASHBOARD
APPLICATION MIGRATION
Manual Process
• Find all flows related to the application
• Locate all affected firewalls
• Find all relevant rules
• Change management process for the new rules
• Repeat the process for old rule decommission
With Automation
• Start a migration workflow - match the source network object with the target
• Execute changes: create new flows
• Execute changes: decommission old flows
DISASTER RECOVERY DEVICE PAIRS
DISASTER RECOVERY DEVICES / PATHS
• Firewalls may be deployed in a geographic redundancy model to ensure reliable and secure connectivity.
• For devices without a central management system, keeping the pair in sync is a real challenge
• AlgoSec allows you to define DR-Sets: groups of devices that must always share the same policy
• Maintain consistency without manual work and human error
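What "must always share the same policy" has to check, shown as an added example that is not part of the original deck and not AlgoSec's DR-Set implementation. The two rulebases are constructed; the comparison identifies a rule by its match tuple rather than its name or position, because on independently administered peers names and ordering are what drift first, and it checks the relative order of shared rules separately since firewalls match first-hit:

```python
# Constructed rulebases for a DR pair; each rule has a match tuple and an action. Not real configs.
DEVICE_A = [
    {"name": "web-in",  "src": "any",       "dst": "10.2.2.20", "svc": "tcp/443",  "action": "allow"},
    {"name": "db",      "src": "10.2.2.20", "dst": "10.3.3.30", "svc": "tcp/3306", "action": "allow"},
    {"name": "cleanup", "src": "any",       "dst": "any",       "svc": "any",      "action": "deny"},
]
DEVICE_B = [
    {"name": "web-in",  "src": "any",       "dst": "10.2.2.20", "svc": "tcp/443",  "action": "allow"},
    {"name": "mgmt",    "src": "10.0.0.5",  "dst": "10.2.2.20", "svc": "tcp/22",   "action": "allow"},  # only on B
    {"name": "db",      "src": "10.2.2.20", "dst": "10.3.3.30", "svc": "tcp/3306", "action": "deny"},   # action drifted
    {"name": "cleanup", "src": "any",       "dst": "any",       "svc": "any",      "action": "deny"},
]


def rule_key(rule):
    """Identity of a rule for comparison: the match tuple, not the name or position."""
    return (rule["src"], rule["dst"], rule["svc"])


def policy_diff(primary, secondary):
    """Rules present on one side only, and shared rules whose action differs."""
    p = {rule_key(r): r["action"] for r in primary}
    s = {rule_key(r): r["action"] for r in secondary}
    return {
        "missing_on_secondary": sorted(k for k in p if k not in s),
        "extra_on_secondary": sorted(k for k in s if k not in p),
        "action_mismatch": sorted(k for k in p if k in s and p[k] != s[k]),
    }


def order_mismatch(primary, secondary):
    """Firewalls match first-hit, so shared rules must also appear in the same relative order."""
    shared = {rule_key(r) for r in primary} & {rule_key(r) for r in secondary}
    return ([rule_key(r) for r in primary if rule_key(r) in shared]
            != [rule_key(r) for r in secondary if rule_key(r) in shared])


def dr_set_drift(devices):
    """Check every member of a DR-set against the first one; an empty report means in sync."""
    base_name, base_rules = devices[0]
    report = {}
    for name, rules in devices[1:]:
        diff = policy_diff(base_rules, rules)
        diff["order_mismatch"] = order_mismatch(base_rules, rules)
        if any(diff.values()):
            report[name] = diff
    return report


if __name__ == "__main__":
    for name, diff in dr_set_drift([("Device A", DEVICE_A), ("Device B", DEVICE_B)]).items():
        print(name, diff)
```

Both kinds of drift in the sample are security-relevant, not just operational: the extra management rule on Device B means a failover silently opens access that the primary never allowed, and the flipped database action means the application stops working the moment traffic moves to the standby. A DR-Set check should run on every change to either member, not only when failover is tested.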
[Figure: geographical distribution architecture. A central manager (CM) with reporting agent RA1 in front of Device A and Device B, the two members of the DR pair]
DR SETS – HOW IT LOOKS
APPLICATION-CENTRIC RULE RE-CERTIFICATION
POLL
How many times a year do you recertify your firewall rules?
• On a project basis
• Once a year
• Twice a year
• Once every 2 years
• Other
Please vote using the “votes from audience” tab in your BrightTALK panel
WHY FIREWALL RULES BECOME REDUNDANT
• An application is decommissioned
• An application is upgraded and uses different services/ports
• An endpoint is moved to a different datacenter
Decommissioning outdated rules is best practice:
• Security: reduce attack surface and risk
• Compliance: periodic reviews are mandated
TRADITIONAL METHODOLOGY
1. REVIEW the firewall logs and determine when the rule was last used
2. READ the comments to see who requested the rule and which application it serves
3. VALIDATE with the relevant contact that the application is not in use
4. REMOVE the rule or extend the expiration date
FIREWALL RULE BASE
AN APPLICATION CENTRIC APPROACH
[Screenshots: the expiry notification sent to the application owner (“Dear Yonatan, Application Telepresence has expired”) and the Telepresence application view]
RULE DECOMMISSIONING
Manual Process
• Manage each rule separately
• Bombarded by rule recertification notifications
• Hard to trace rules back to their originating purpose
With Automation
• Business application expiration date
• Timely configured notification, per application
• Single click to decommission or extend the expiration date
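The traditional rule-by-rule review and the application-centric review side by side, as an added example that is not part of the original deck and not AlgoSec's recertification feature. The rules, their last-hit dates, the application records (owner, expiry, owned rules) and the 90-day unused threshold are constructed assumptions; the point is the difference in what each method surfaces on the same data:

```python
from datetime import date, timedelta

TODAY = date(2024, 6, 1)   # fixed "now" so the run is deterministic (assumption)

# Constructed firewall rules: last hit taken from logs, plus the free-text comment field.
RULES = [
    {"id": "r1", "last_hit": date(2024, 5, 30), "comment": "CR-101 telepresence video"},
    {"id": "r2", "last_hit": date(2023, 11, 2), "comment": "CR-101 telepresence signalling"},
    {"id": "r3", "last_hit": date(2024, 5, 1),  "comment": "CR-205 payroll web"},
    {"id": "r4", "last_hit": None,              "comment": ""},   # never hit, no owner recorded
]

# Constructed application records with owner, expiry date and the rules each one owns.
APPS = {
    "Telepresence": {"owner": "yonatan", "expires": date(2024, 5, 15), "rules": ["r1", "r2"]},
    "Payroll":      {"owner": "dana",    "expires": date(2025, 1, 1),  "rules": ["r3"]},
}


def rule_centric_review(rules, today=TODAY, unused_days=90):
    """Traditional pass: one ticket per rule whose last hit is older than the threshold."""
    cutoff = today - timedelta(days=unused_days)
    return [r["id"] for r in rules if r["last_hit"] is None or r["last_hit"] < cutoff]


def application_centric_review(apps, rules, today=TODAY):
    """One notification per expired application, carrying all of its rules, plus the
    orphan rules no application claims (these cannot be recertified by an owner)."""
    claimed = {rid for app in apps.values() for rid in app["rules"]}
    notices = {name: {"owner": app["owner"], "rules": list(app["rules"])}
               for name, app in apps.items() if app["expires"] < today}
    orphans = [r["id"] for r in rules if r["id"] not in claimed]
    return notices, orphans


def decide(app_name, apps, action, today=TODAY, extend_days=365):
    """The single-click outcome: 'extend' moves the expiry out and keeps the rules,
    'decommission' returns the rule ids to remove from the rule base."""
    app = apps[app_name]
    if action == "extend":
        app["expires"] = today + timedelta(days=extend_days)
        return []
    if action == "decommission":
        return list(app["rules"])
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    print("rule-centric candidates:", rule_centric_review(RULES))
    notices, orphans = application_centric_review(APPS, RULES)
    for name, n in notices.items():
        print(f"Dear {n['owner']}, application {name} has expired; rules {n['rules']}")
    print("orphan rules with no owner to ask:", orphans)
```

On this data the log-based pass flags r2 and r4 and lets r1 through, because r1 is still being hit; the application-centric pass flags r1 as well, since the application that justified it has expired, and a rule that is in use after its business purpose ended is precisely the kind of stale access a review is meant to catch. The orphan list (r4) is the residue neither method can close on its own: with no owner recorded there is nobody to validate with, so those rules need a separate hunt for the requester before removal.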
SUMMARY
• Identifying assets and their connectivity is not trivial
• Auto-discovery is key for informed connectivity management
• Network security operations are complex
• Automation helps meet customers’ needs and ensures a secure network
• A high-end solution is designed to automate key use-cases with business-centric security policy management capabilities
• Examples of common use-cases managed by AlgoSec:
• Firewall devices in DR mode
• Application life-cycle and migration
• Application-centric approach to rule recertification
MORE RESOURCES
www.algosec.com/resources
WHITEPAPERS
DATASHEET
Thank you!
Questions can be emailed to [email protected]