
Banking on policy in next-generation firewall

By Marcia Savage, features editor, Information Security magazine
10 Apr 2008 | SearchFinancialSecurity.com


When Jon Biskner, assistant vice president of information technology and security officer at Nicolet National Bank, saw a demonstration of a new type of firewall from Palo Alto Networks Inc., he was intrigued by its application-centric approach.

Since the bank was looking to replace its firewall, he and his team decided to put Palo Alto's PA-4020 appliance to the test, a suggestion from their security VAR. The device provided visibility into the bank's network traffic like he'd never seen. By identifying the applications themselves, rather than just the ports and protocols a traditional firewall looks at, it offers a granular view to spot potential threats, Biskner said: "We realized this next-generation firewall could do a lot of things for us."

Nicolet National Bank, a five-branch bank headquartered in Green Bay, Wis., is in the process of a phased implementation that will eventually replace its current Check Point Software Technologies Ltd. firewall with the PA-4020.

While the Check Point firewall provides a lot of traffic data, the PA-4000 series uses packet inspection to identify it, Biskner said. "Think of a highway with all Toyota Corollas on it. Tell me which one is the bad guy; that's what I want to know."

By taking a packet apart and providing information about what's in it, the bank can tighten its policies on what's allowed and what's not, he said. For example, through Active Directory integration it will be able to restrict use of applications like WebEx and Web-based email to only certain groups of employees.

"There's a business need for a lot of things, but not for everyone," said Biskner. "My IT guys use WebEx; there's a business need. However, a teller probably doesn't need it."

Putting the firewall in its place
In March, Nicolet National Bank deployed the PA-4020 directly behind its Check Point firewall and converted the old firewall rules to the new device. It was confirming the validity of those rules and preparing to tighten controls on applications that utilize different ports.

Palo Alto Networks' App-ID traffic-classification technology uses packet inspection and a library of application signatures to identify applications crossing the network, irrespective of the ports, protocols or SSL encryption used. That allows administrators to catch security evasion tactics such as the use of non-standard ports, dynamically changing ports and protocols, emulating other applications and tunneling to bypass existing firewalls.
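The difference between port-based and application-based rules, together with the group-based restriction Biskner describes, can be shown with a simplified sketch. This is an added example, not Palo Alto Networks' code or the bank's configuration; the signatures, group names, host names and sample flows are all constructed, and it inspects only cleartext first bytes.

```python
import re

# Constructed signatures for the first bytes of a flow; a real signature
# library is far larger and decodes much deeper into each protocol.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d+-")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x04]")),
    ("http", re.compile(rb"^(?:GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")),
]
# Refinement inside HTTP: Host header suffix -> application (constructed).
HTTP_APPS = {b".webex.com": "webex"}
PORT_GUESS = {22: "ssh", 80: "http", 443: "tls"}  # what a port-only rule assumes
# Constructed directory groups and the applications each may use.
ALLOWED = {"it-staff": {"http", "tls", "webex"}, "tellers": {"http", "tls"}}


def classify_by_port(dport):
    return PORT_GUESS.get(dport, "unknown")


def classify_by_payload(payload):
    for app, pattern in SIGNATURES:
        if pattern.match(payload):
            if app == "http":
                host = re.search(rb"\r\nHost: *([^\r\n:]+)", payload, re.I)
                for suffix, name in HTTP_APPS.items():
                    if host and host.group(1).lower().endswith(suffix):
                        return name
            return app
    return "unknown"


def decide(group, dport, payload):
    """Return (port_guess, identified_app, action) for one flow."""
    app = classify_by_payload(payload)
    action = "allow" if app in ALLOWED.get(group, set()) else "deny"
    return classify_by_port(dport), app, action


# Constructed sample flows: (group, destination port, first client bytes).
FLOWS = [
    ("tellers", 80, b"GET /rates HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("tellers", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("it-staff", 80, b"GET /join HTTP/1.1\r\nHost: meet.webex.com\r\n\r\n"),
    ("tellers", 80, b"GET /join HTTP/1.1\r\nHost: meet.webex.com\r\n\r\n"),
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow[0], flow[1], decide(*flow))
```

The second flow is the case a port-only rule misses: the port suggests TLS, the payload identifies SSH, and the policy denies it because no group rule allows that application.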

The Palo Alto Networks firewall comes in two models: the PA-4020, which provides 2 Gbps firewall throughput, and the PA-4050, which provides 10 Gbps firewall throughput. The PA-4000 Series starts at $35,000.

Biskner isn't sure whether the PA-4020 will also replace the bank's Blue Coat Systems Inc. appliance, which provides Web filtering and has management and caching features his team likes. The bank uses a variety of security tools, and several pieces, such as its multilayered antivirus protection, will stay put. Palo Alto Networks' PA-4000 series comes with add-on software options for URL filtering and real-time threat prevention, which Nicolet National Bank plans to use.

The PA-4020 will also help the bank stay ahead of the curve when it comes to compliance. It also provides Biskner's team with the ability to break down data into report formats that executives want. Said Biskner, "I don't have to show them the bits and bytes or the logs."

There are a couple of capabilities Biskner would like to see in future versions of the firewall, such as VPN access and load balancing. But for now, he's excited about the security benefits the new device promises to bring Nicolet National Bank.


