Educause Security Discussion mailing list archives

Firewall Policy in the Age of NGFW


From: "Hahues, Sven" <shahues () FGCU EDU>
Date: Tue, 2 Jul 2019 12:06:46 +0000

Hi everyone,

I wanted to get a feel for what everyone is doing these days.  Before moving to our current PAs we used to write 
firewall rules specifically for TCP/UDP ports.  With moving to the PAs we are now running into some philosophical 
questions as to how to manage this moving forward.  I wanted to collect some feedback on the following:

* Do you use a default deny for your trusted network to the Internet?
        * If yes, do you manually add new applications when people call and say an app stopped working after your 
vendor releases an application signature?
        * If no, and you allow anything out, why did you make that choice, and how has this been working for you?
* Have you converted your entire FW rule base to application aware rules, or are you using a mix?
* Are you using the PA feature, where it can automatically allow applications that PA deems low risk?

We are currently running a mixed environment, but find ourselves chasing our tail quite a bit when it comes to them 
adding new applications.  Suddenly apps that previously worked under SSL will no longer work, due to the fact that a 
new application has been created.  This can get a bit tricky because we did not know the app was being used and now we 
have to make a decision on whether it is okay or not.

Thanks in advance and any feedback is much appreciated.

Sven

Sven Hahues
Florida Gulf Coast University
Tel: (239) 590 1337
E-Mail: shahues () fgcu edu
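As an added illustration of the failure mode the post describes (this is not code from the original message or from Palo Alto), the following Python models a first-match, default-deny outbound rule base and checks which newly released App-IDs would flip from allow to deny once traffic is no longer classified as the parent application (for example ssl); the rule names, application names and the content-update list are constructed.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    apps: set      # App-IDs matched by this rule; {"any"} matches everything
    action: str    # "allow" or "deny"

def evaluate(rules, app):
    """First-match lookup; the trailing implicit deny models a default-deny outbound policy."""
    for r in rules:
        if "any" in r.apps or app in r.apps:
            return r.name, r.action
    return "implicit-deny", "deny"

# Constructed rule base (hypothetical names): a mixed App-ID policy with explicit deny-all at the end.
RULES = [
    Rule("allow-web", {"web-browsing", "ssl"}, "allow"),
    Rule("allow-collab", {"zoom", "zoom-screen-share"}, "allow"),
    Rule("deny-all-out", {"any"}, "deny"),
]

# Constructed content-update note: new App-ID -> the app its traffic was classified as before the update.
NEW_APP_IDS = {
    "examplecloud-sync": "ssl",    # hypothetical signature carved out of ssl
    "zoom-screen-share": "zoom",   # hypothetical signature already listed in allow-collab
}

def preflight(rules, new_app_ids):
    """Compare each new App-ID's verdict before (as its parent app) and after (as itself).
    Returns only the apps whose verdict flips from allow to deny, i.e. the ones users will call about."""
    broken = {}
    for app, parent in new_app_ids.items():
        before = evaluate(rules, parent)
        after = evaluate(rules, app)
        if before[1] == "allow" and after[1] == "deny":
            broken[app] = {"was": before[0], "now": after[0], "parent": parent}
    return broken

if __name__ == "__main__":
    for app, info in preflight(RULES, NEW_APP_IDS).items():
        print(f"{app}: allowed via '{info['was']}' as {info['parent']}, now hits '{info['now']}'")
```

Running this against a real policy export would let the review of a content update happen before the update is installed rather than after the help-desk calls start.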
