How Do I Deploy a Best Practice Internet Gateway Security Policy?
Table of Contents
- What Is a Best Practice Internet Gateway Security Policy?
- Why Do I Need a Best Practice Internet Gateway Security Policy?
- How Do I Deploy a Best Practice Internet Gateway Security Policy?
- Create User Groups for Access to Allowed Applications
- Decrypt Traffic for Full Visibility and Threat Inspection
- Transition Vulnerability Protection Profiles Safely to Best Practices
- Transition Anti-Spyware Profiles Safely to Best Practices
- Transition Antivirus Profiles Safely to Best Practices
- Transition WildFire Profiles Safely to Best Practices
- Transition URL Filtering Profiles Safely to Best Practices
- Transition File Blocking Profiles Safely to Best Practices
- Create Best Practice Security Profiles for the Internet Gateway
- Monitor and Fine-Tune the Policy Rulebase
- Remove the Temporary Rules
- Maintain the Rulebase
How Do I Deploy a Best Practice Internet Gateway Security Policy?
The goal is to architect an application-based best practice Security policy that aligns with your
business goals and acceptable use policies, simplifies administration, reduces the
chance of error, and applies Zero Trust principles to network access.
As with any technology, there is usually a gradual approach to a complete implementation. Plan
deployment phases carefully to make the transition as smooth as possible, with minimal
impact to end users. Generally, the workflow for implementing a best practice internet
gateway security policy is:
- Assess your business and identify what you need to protect—The first step in deploying a security architecture is to assess your business. Identify your most valuable assets and the biggest threats to those assets. For example, if you are a technology company, your intellectual property is your most valuable asset. In this case, one of your biggest threats is source code theft.
- Segment Your Network Using Interfaces and Zones—Traffic can flow between zones only if a Security policy rule allows it. A strong defense against an attacker who has gained access to your network moving laterally through it is to define granular zones and allow access only to the specific user groups that need an application or a resource in each zone. Segmenting your network into granular zones prevents an attacker from establishing a communication channel within your network (either via malware or by exploiting legitimate applications), which reduces the likelihood of a successful attack.
- Identify Your Application Allow List—Before you can create an internet gateway best practice security policy, create an inventory of the applications you want to allow on your network. Separately list applications that you administer, officially sanction for business, and tolerate for employee use. After you identify the applications you want to allow, if you are migrating from a port-based rulebase, map the applications to your port-based rules. If a port-based rule has no application mapped to it, you may not need that rule.
- Create User Groups for Access to Allowed Applications—After you identify the applications you plan to allow, identify the user groups that require access to each application. Compromising an end user’s system is one of the cheapest and easiest ways for an attacker to gain access to your network. To reduce your attack surface significantly, allow application access only to user groups that have a legitimate business need.
- Decrypt Traffic for Full Visibility and Threat Inspection—You can’t protect your network against threats you can’t see and inspect. Encrypted traffic is a common way for attackers to deliver threats. For example, an attacker may use a web application such as Gmail, which uses TLS encryption, to email an exploit or malware to employees accessing that application on the corporate network. Or an attacker may compromise a website that uses TLS encryption to silently download an exploit or malware to site visitors.
- Create Best Practice Security Profiles for the Internet Gateway—Attackers use legitimate applications to deliver command-and-control traffic, exploits for known vulnerabilities (CVEs), drive-by downloads of malicious content, phishing attacks, and APTs. To protect against known and unknown threats, attach strict Security profiles to all Security policy rules that allow traffic.
- Define the Initial Internet Gateway Security Policy—Using the application and user group inventory you created, define an initial policy that allows access to applications by user or user group. The initial policy rulebase also includes rules for blocking known malicious IP addresses, as well as temporary rules that prevent applications you might not know about from breaking and identify policy gaps and security holes in your existing design.
- Monitor and Fine-Tune the Policy Rulebase—After the temporary rules are in place, monitor the traffic that matches them so that you can fine-tune your policy. Because the temporary rules are designed to uncover unexpected traffic on the network, such as traffic running on non-default ports or traffic from unknown users, you must assess the traffic matching these rules and adjust your application allow rules accordingly.
- Remove the Temporary Rules—After a monitoring period of several months, you should see less and less traffic hitting the temporary rules. When you reach the point where traffic no longer hits the temporary rules, remove them to complete your best practice internet gateway security policy.
- Maintain the Rulebase—Due to the dynamic nature of applications, you must continually monitor your application allow list, adapt your rules to accommodate new applications, and determine how new or modified App-IDs impact policy. Because the rules in a best practice rulebase align with your business goals and leverage policy objects for simplified administration, adding support for a new application or a new or modified App-ID often is as simple as adding or removing an application from an application group or modifying an application filter.
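The following script is an added example, not code from Palo Alto Networks or from this guide, that models two of the steps above in plain Python: mapping an application allow list onto legacy port-based rules (so rules with no mapped application can be spotted) and triaging constructed traffic-log lines to show which flows would land on the temporary rules (non-default ports, unknown users, groups without a business need, unknown applications). The application inventory, port rules, group names and log lines are all constructed sample data; the CSV log layout is an assumption made for the example and is not a PAN-OS log format.

```python
"""Added example (not Palo Alto Networks' code): a small model of the
rulebase-migration workflow.  All applications, rules, groups and traffic
log lines below are constructed for illustration."""
from collections import defaultdict

# Application allow list: default ports ("proto/port") and the user groups
# with a legitimate business need for each application.  Constructed data.
APP_INVENTORY = {
    "web-browsing": {"ports": {"tcp/80"}, "groups": {"all-employees"}},
    "ssl": {"ports": {"tcp/443"}, "groups": {"all-employees"}},
    "ssh": {"ports": {"tcp/22"}, "groups": {"it-admins"}},
    "dns": {"ports": {"udp/53", "tcp/53"}, "groups": {"all-employees"}},
}

# Legacy port-based rules being migrated (rule name -> allowed ports).
PORT_RULES = {
    "allow-web": {"tcp/80", "tcp/443"},
    "allow-ssh": {"tcp/22"},
    "allow-dns": {"udp/53"},
    "allow-legacy-8080": {"tcp/8080"},
}


def map_rules_to_apps(port_rules, inventory):
    """For each port-based rule, list the allowed applications whose default
    ports fall inside the rule's port set."""
    mapping = {}
    for rule, ports in port_rules.items():
        apps = sorted(app for app, info in inventory.items() if info["ports"] & ports)
        mapping[rule] = apps
    return mapping


def unmapped_rules(port_rules, inventory):
    """Rules that no allowed application maps to: candidates for removal."""
    mapping = map_rules_to_apps(port_rules, inventory)
    return sorted(rule for rule, apps in mapping.items() if not apps)


# Constructed traffic log in a simple CSV layout (assumption for the example):
# user,group,app,proto/port
SAMPLE_LOG = """\
alice,all-employees,web-browsing,tcp/80
bob,it-admins,ssh,tcp/22
carol,all-employees,ssh,tcp/22
dave,all-employees,ssl,tcp/8443
unknown,,web-browsing,tcp/80
erin,all-employees,bittorrent,tcp/6881
"""


def classify_flow(group, app, port, inventory):
    """Decide whether a flow fits the application allow rules or would hit
    one of the temporary catch-all rules described in the monitoring step."""
    info = inventory.get(app)
    if info is None:
        return "unknown-app"            # not on the allow list at all
    if not group:
        return "unknown-user"           # no User-ID mapping for this flow
    if group not in info["groups"]:
        return "unauthorized-group"     # group has no business need
    if port not in info["ports"]:
        return "non-default-port"       # app seen on an unexpected port
    return "allowed"


def triage_log(log_text, inventory):
    """Group users by verdict so temporary-rule hits can be reviewed."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, group, app, port = line.split(",")
        hits[classify_flow(group, app, port, inventory)].append(user)
    return dict(hits)


if __name__ == "__main__":
    print("rule -> apps:", map_rules_to_apps(PORT_RULES, APP_INVENTORY))
    print("rules with no mapped app:", unmapped_rules(PORT_RULES, APP_INVENTORY))
    for verdict, users in triage_log(SAMPLE_LOG, APP_INVENTORY).items():
        print(f"{verdict:18s} {users}")
```

In this sample the rule `allow-legacy-8080` maps to no allowed application, which is exactly the case the allow-list step says may be dropped, while the log triage separates the traffic that belongs on application rules from the flows that the temporary rules exist to surface (an application on a non-default port, a user without a mapping, a group with no business need, an application not on the list).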