Educause Security Discussion mailing list archives

Re: Firewall Policy in the Age of NGFW


From: "King, Ronald A." <raking () NSU EDU>
Date: Tue, 2 Jul 2019 13:31:39 +0000

* Do you use a default deny for your trusted network to the Internet?
        - No.
        * If no, and you allow anything out, why did you make that choice, and how has this been working for you?
        - We have policies that block blacklisted IPs, certain URLs, WINS, MSRPC, DHCP, malware, Tor, BitTorrent, proxies, (non-enterprise) VPNs and other malicious or should-not-be-on-the-Internet traffic. Then we allow end-user devices to the Internet. With so many potential applications that one type of device uses (such as Apple everything and game consoles), we didn't have the resources to get that granular. Servers are a different story.
* Have you converted your entire FW rule base to application aware rules, or are you using a mix?
        - Most are. We did have challenges with streaming content from inside to the Internet. So those are old-fashioned port-based policies.
* Are you using the PA feature, where it can automatically allow applications that PA deems low risk?
        - Nope. Thanks. I just learned something new.

SSL decryption takes some getting used to. Once you decrypt, you now see the app within the tunnel and have to allow it 
too.

Good luck!
Ron

Ronald King
Chief Information Security Officer
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)



-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hahues, Sven
Sent: Tuesday, July 2, 2019 8:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Firewall Policy in the Age of NGFW

Hi everyone,

I wanted to get a feel for what everyone is doing these days.  Before moving to our current PAs we used to write 
firewall rules specifically for TCP/UDP ports.  With moving to the PAs we are now running into some philosophical 
questions as to how to manage this moving forward.  I wanted to collect some feedback on the following:

* Do you use a default deny for your trusted network to the Internet?
        * If yes, do you manually add new applications when people call and say an app stopped working after your 
vendor releases an application signature?
        * If no, and you allow anything out, why did you make that choice, and how has this been working for you?
* Have you converted your entire FW rule base to application aware rules, or are you using a mix?
* Are you using the PA feature, where it can automatically allow applications that PA deems low risk?

We are currently running a mixed environment, but find ourselves chasing our tail quite a bit when it comes to them 
adding new applications.  Suddenly apps that previously worked under SSL will no longer work, due to the fact that a 
new application has been created.  This can get a bit tricky because we did not know the app was being used and now we 
have to make a decision on whether it is okay or not.

Thanks in advance and any feedback is much appreciated.

Sven

Sven Hahues
Florida Gulf Coast University
Tel: (239) 590 1337
E-Mail: shahues () fgcu edu


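To make the failure mode Sven describes concrete (apps that worked under SSL stop working the day a new application signature ships) and contrast it with the block-list posture Ron describes, here is an added toy model of first-match, application-aware rule evaluation. It is example code written for this page, not PAN-OS behaviour or either institution's configuration; every App-ID name, host name and rule in it is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset  # App-IDs this rule matches; "any" matches every app
    action: str      # "allow" or "deny"


# Constructed signature databases (hypothetical names, not real App-IDs): a
# vendor release adds a specific App-ID for a service that the firewall
# previously identified only as the generic "ssl" application.
SIG_DB_BEFORE = {"relay.example": "tor"}
SIG_DB_AFTER = {**SIG_DB_BEFORE, "video.example": "example-video-streaming"}


def identify(sni, sig_db):
    """App-ID assigned to a TLS flow: specific if a signature exists, else 'ssl'."""
    return sig_db.get(sni, "ssl")


def evaluate(rules, app, default="deny"):
    """First-match rulebase evaluation; unmatched traffic gets the default action."""
    for rule in rules:
        if "any" in rule.apps or app in rule.apps:
            return rule.name, rule.action
    return "default", default


BLOCK_UNWANTED = Rule("block-unwanted", frozenset({"tor", "bittorrent", "proxy"}), "deny")
# Posture 1: application allow list with default deny outbound.
ALLOWLIST_RULES = (BLOCK_UNWANTED, Rule("web-out", frozenset({"web-browsing", "ssl"}), "allow"))
# Posture 2: block known-bad categories, then let end-user devices out.
BLOCKLIST_RULES = (BLOCK_UNWANTED, Rule("users-out", frozenset({"any"}), "allow"))


def outcome_across_release(rules, sni):
    """(action before, action after) for one TLS flow around the signature release."""
    before = evaluate(rules, identify(sni, SIG_DB_BEFORE))[1]
    after = evaluate(rules, identify(sni, SIG_DB_AFTER))[1]
    return before, after


if __name__ == "__main__":
    for label, rules in (("allow-list", ALLOWLIST_RULES), ("block-list", BLOCKLIST_RULES)):
        for sni in ("video.example", "relay.example"):
            print(f"{label:10} {sni:14} before/after release: {outcome_across_release(rules, sni)}")
```

Under the allow-list posture the video flow flips from allow to deny on release day with no rule change at all, which is exactly the moment the "is this app okay?" decision gets forced; under the block-list posture it keeps flowing, but nothing ever prompts that review.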