Security Policy Orchestration in an NGFW Deployment

Enterprise networks are complex. According to the InformationWeek 2015 Strategic Security Survey results, the #1 IT security challenge is "managing the complexity of security." The #1 security product used to secure the network is the firewall, and as firewalls have evolved, next-generation firewalls (NGFWs) have become the de-facto firewall of choice for most enterprises. NGFWs add application (App-ID) and user awareness and control on top of the traditional address- and port-based rules.

Enterprises typically have tens to hundreds of firewalls securing their networks, and the long tail of older technology means legacy firewalls operate alongside next-generation firewalls. When new connectivity is required between two subnets (and there are many subnets in the network), rule and object changes are needed on many devices. According to the Gartner report Effective Network Orchestration Starts by Automating Provisioning (Aug 2015), 70% of network outages are caused by human error, so making manual changes to several firewalls is not good practice.

One may wonder why it is so complex to manage and change network security policy. The answer is that today's organizations run very complex networks with very complicated security policies that change every day, and in such a high-pressure IT environment people make mistakes.

Security policy orchestration is the remedy to this challenge. Enterprises should adopt a tool that provides end-to-end visibility, control, management and automated change across the entire network (which nowadays is a combination of physical networks and cloud environments). A security policy orchestration methodology provides easy tracking and a full audit trail of security changes, as required by many regulatory bodies; it also reduces the network attack surface, simplifies the management of multiple security policies, prevents downtime caused by human error and, of course, ensures compliance.

If we take a closer look into these domains, we will find the following capabilities:

Visibility & Security Analysis

  • Real-time visibility of changes for easy tracking and a full audit trail
  • Visibility of how
    • Networks are configured and actually behave, including application connectivity dependencies
    • Policies comply with required enterprise standards and industry regulations
    • Security policies are configured and actually used, so that unused or overly broad rules can be identified and the policy optimized
    • Applications and users actually use the network, so that the right NGFW policy can be derived, e.g. when migrating from legacy firewalls to NGFWs
  • What-if analysis of a proposed change before it is implemented

Security Automation & Orchestration

  • Policy optimization
  • Faster and more accurate change implementation
  • Enterprise-wide change implementation across heterogeneous networks and technologies, including legacy firewalls and NGFWs, to enable an easy migration process (which helps security admins do more with existing resources)
  • Application-centric visibility, security and orchestration
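To make what-if analysis, per-device change generation and the audit trail concrete, here is an added example; it is not code from the original post or from any vendor's product. It models a constructed two-firewall estate (one legacy port-based firewall and one App-ID-aware NGFW), evaluates a proposed flow across both with first-match semantics, generates the minimal rule for each device that would block the flow in that device's own vocabulary (a port on the legacy box, an App-ID on the NGFW), records the change in an append-only trail, and flags shadowed rules for policy optimization. The topology model (a flow traverses every firewall fronting its source or destination), the device and rule names, the addresses and the ticket ID CHG-1042 are all assumptions made for the example.

```python
"""Toy security-policy orchestration: what-if analysis and change planning
across a mixed legacy + NGFW estate. Hypothetical model for illustration."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]        # None = any port
    app: Optional[str]         # App-ID on an NGFW; None = any app (always None on legacy)
    action: str                # "allow" or "deny"


@dataclass
class Firewall:
    name: str
    kind: str                  # "legacy" (L3/L4 only) or "ngfw" (App-ID aware)
    fronts: List[IPv4Network]  # segments this firewall sits in front of (assumed topology)
    rules: List[Rule] = field(default_factory=list)


AUDIT: List[str] = []          # append-only change trail


def covers(r: Rule, src: IPv4Network, dst: IPv4Network, port: Optional[int], app: Optional[str]) -> bool:
    """True if rule r matches the whole flow; a rule with no port/app matches any."""
    return (src.subnet_of(r.src) and dst.subnet_of(r.dst)
            and r.port in (None, port) and r.app in (None, app))


def path_firewalls(fws: List[Firewall], src: IPv4Network, dst: IPv4Network) -> List[Firewall]:
    """Assumption: a flow traverses every firewall fronting its source or destination."""
    return [fw for fw in fws if any(src.subnet_of(s) or dst.subnet_of(s) for s in fw.fronts)]


def what_if(fws: List[Firewall], src, dst, port, app) -> Dict[str, Tuple[str, str]]:
    """Per-firewall verdict for a proposed flow: first match wins, implicit deny otherwise."""
    verdicts = {}
    for fw in path_firewalls(fws, src, dst):
        hit = next((r for r in fw.rules if covers(r, src, dst, port, app)), None)
        verdicts[fw.name] = (hit.action, hit.name) if hit else ("deny", "<implicit>")
    return verdicts


def plan_change(fws: List[Firewall], ticket: str, src, dst, port, app) -> List[Tuple[str, Rule]]:
    """Generate one minimal rule per firewall that would block the flow, in that
    device's own vocabulary: port-based for legacy, App-ID-based for NGFW."""
    plan = []
    for fw in path_firewalls(fws, src, dst):
        if what_if([fw], src, dst, port, app)[fw.name][0] == "allow":
            continue                                   # already permitted, no change
        new = Rule(f"{ticket}-{fw.name}", src, dst,
                   port if fw.kind == "legacy" else None,
                   app if fw.kind == "ngfw" else None, "allow")
        plan.append((fw.name, new))
        AUDIT.append(f"{ticket}: add {new.name} on {fw.name} ({fw.kind})")
    return plan


def apply_plan(fws: List[Firewall], plan: List[Tuple[str, Rule]]) -> None:
    """Insert each generated rule just above the rule that blocked the flow (or at the end)."""
    by_name = {fw.name: fw for fw in fws}
    for fw_name, new in plan:
        fw = by_name[fw_name]
        idx = next((i for i, r in enumerate(fw.rules)
                    if covers(r, new.src, new.dst, new.port, new.app)), len(fw.rules))
        fw.rules.insert(idx, new)


def shadowed_rules(fw: Firewall) -> List[str]:
    """Rules that can never match because an earlier rule already covers every flow they match."""
    return [r.name for i, r in enumerate(fw.rules)
            if any(r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst)
                   and e.port in (None, r.port) and e.app in (None, r.app)
                   for e in fw.rules[:i])]


# Constructed estate: an App-ID NGFW in front of the user LAN, a legacy firewall in front of the DC.
ANY = ip_network("0.0.0.0/0")
USERS, DC = ip_network("10.10.0.0/16"), ip_network("10.20.0.0/16")
EDGE = Firewall("fw-edge-ngfw", "ngfw", [USERS], [
    Rule("allow-web-out", USERS, ANY, 443, "ssl", "allow"),
    Rule("allow-users-dc", USERS, DC, None, None, "allow"),
    Rule("legacy-telnet", USERS, DC, 23, "telnet", "allow"),   # fully covered by allow-users-dc
])
DCFW = Firewall("fw-dc-legacy", "legacy", [DC], [
    Rule("allow-https-web", USERS, ip_network("10.20.1.0/24"), 443, None, "allow"),
    Rule("deny-all", ANY, ANY, None, None, "deny"),
])
ESTATE = [EDGE, DCFW]


def demo():
    """Request: users 10.10.5.0/24 to the DB server 10.20.1.10 on mysql/3306 (ticket CHG-1042)."""
    src, dst = ip_network("10.10.5.0/24"), ip_network("10.20.1.10/32")
    before = what_if(ESTATE, src, dst, 3306, "mysql")
    plan = plan_change(ESTATE, "CHG-1042", src, dst, 3306, "mysql")
    apply_plan(ESTATE, plan)
    after = what_if(ESTATE, src, dst, 3306, "mysql")
    return before, plan, after


if __name__ == "__main__":
    b, p, a = demo()
    print("before:", b)
    print("plan:", [(n, r.name, r.port, r.app) for n, r in p])
    print("after:", a)
    print("shadowed on edge:", shadowed_rules(EDGE))
    print("audit:", AUDIT)
```

Running it shows the NGFW already permits the flow through its broad allow-users-dc rule, so only the legacy DC firewall needs a change, and that change is expressed as a port rule because the legacy device cannot understand App-ID. The shadowed legacy-telnet rule on the edge is exactly the kind of finding a migration from legacy to NGFW policy should clean up rather than carry forward.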

This approach enables enterprises to adopt the enhanced security capabilities of next-generation firewalls more easily, while maintaining policy and regulatory compliance for the older segments of the network that still rely on legacy technologies.

Learn more about network security for NGFWs -- read the blog by Joerg Sieber, Senior Product Marketing Manager at Palo Alto Networks.