Next-Gen Firewall Offers Positive Approach in Setting Policies on Social Networking
“Social networking and collaborative applications are increasingly considered to be Enterprise 2.0 applications. These business-enabling applications are not threats, yet they pose risks to enterprise networks,” said Tom Olson, Senior Security Engineer at Milestone Systems. “Palo Alto Networks firewalls take a ‘positive’ approach to security that gives organizations the flexibility to embrace Web 2.0 applications, yet still manage risk. These solutions go beyond the outmoded ‘block or allow’ model used by many other security technologies.”
The use of social networking and collaborative applications for business purposes skyrocketed between March and September 2009, according to a recent study by Palo Alto Networks. With increased adoption of Web 2.0 applications come new business and security risks that reach far beyond potential productivity losses. Yet many companies have outdated IT infrastructures and usage policies that may fail to protect them. Gartner, Inc. estimates that, through 2012, enterprises that take a “block or ignore” stance toward employee use of consumer IT will incur security incident costs 2 to 4 times those of enterprises that use “embrace or contain” strategies.
What’s Going On?
Unlike other industry reports that are based on behavioral surveys, Palo Alto Networks’ semi-annual Application Usage and Risk Report looks at which applications are in use, identifies emerging trends, and discusses the associated business benefits and risks. Some specific findings from the Fall 2009 report include:
• Twitter use grew more than 250 percent from the Spring 2009 edition of the Application Usage and Risk Report, published in April.
• Facebook use increased 192 percent while Facebook Chat (released in April 2008) was the fourth-most commonly detected chat application, ahead of Yahoo! IM and AIM.
• Blogging and wiki editing increased by a factor of 39, while total bandwidth consumed increased by a factor of 48.
“Despite many enterprises attempting to block these applications, the rate at which they are making the crossover from personal to business use is happening faster than previous crossovers, such as instant messaging,” said Olson. “The use of social networking applications can bring measurable business benefits, but not without introducing business and security risks. These applications can transfer files, propagate malware, and have known vulnerabilities that can be exploited.”
Milestone has partnered with Palo Alto Networks to provide next-generation firewalls that enable unprecedented visibility and granular policy control of applications and content with no performance degradation.
Palo Alto Networks firewalls accurately identify and control applications — regardless of port, protocol, evasive tactic or SSL encryption — and scan content to stop threats and prevent data leakage. For the first time, enterprises can embrace Web 2.0 and maintain complete visibility and control, while significantly reducing total cost of ownership through device consolidation.
Command and Control
Organizations are using Web 2.0 applications for cultural reasons, to improve efficiency, to foster customer intimacy, and to speed up business processes. At the same time, security technologies have retained an outmoded “block or allow” model, lacking the granularity and intelligence to recognize and appropriately control these new applications.
Traditional firewalls block or allow network traffic based on ports and IP addresses — they cannot distinguish among the many Web applications running through ports 80 and 443. However, Palo Alto Networks firewalls can distinguish particular applications within Web traffic and filter them. This allows organizations to create granular, business-relevant security policies and safely control new applications.
Establishing Priorities
Quality of Service (QoS) is also impacted by Web 2.0. PAN-OS 3.0, the latest version of the operating system software for Palo Alto Networks firewalls, introduces traffic shaping in the firewall, enabling enterprises to ensure that priority is given to business-critical functions. The QoS features in PAN-OS 3.0 enable organizations to shape and prioritize traffic based on application with multi-gigabit throughput due to the single-pass software married to hardware-accelerated queuing.
“According to the Palo Alto Networks’ Spring 2009 Application Usage and Risk Report, more than half of the bandwidth in a sample of actual application traffic from more than 900,000 users was being consumed by 28 percent of the applications, most of which were consumer-oriented,” said Olson. “Palo Alto Networks’ application visibility and fine-grained control capabilities offer organizations flexible policy responses to applications — including allow, deny, allow for certain users or functions, threat scanning, and now shape. Administrators are able to manage the bandwidth consumed by applications, as well as their priority — all in firewall policy — instead of simply killing applications or having no visibility or control over them.”
The analysis discovered 255 Enterprise 2.0 applications — of which 70 percent are capable of transferring files, 64 percent have known vulnerabilities, 28 percent are known to propagate malware, and 16 percent can tunnel other applications. Examples of new threats introduced to enterprise networks by applications such as Facebook include Koobface, Fbaction and Boface, which all target social networking applications to hijack accounts and personal data.
“We know that workers are using these applications to help them get their jobs done, with or without approval from their IT departments. And now we know this is happening much faster than anticipated. It’s naïve to think that old-school security practices can handle this deluge,” said Rene Bonvanie, Palo Alto Networks vice president of worldwide marketing. “Organizations must realize that banning or allowing specific applications in a black-and-white fashion is bad for business. They need a new approach that allows for shades of gray by enforcing appropriate application usage policies tailored for their workforce. This is a radical and necessary shift for today’s IT security professionals.”
JUST FOR FUN -- Take the "Block or Not" Challenge!
Visit the Palo Alto Networks site to play an online game called "Block or Not" (based on the legendary "Hot or Not" website) where you can decide whether a specific application should be allowed on the network. www.paloaltonetworks.com/cam/enterprise20/blockornot/
The Application Usage and Risk Report is available for download. Additional information on the more than 900 applications identified by Palo Alto Networks can be found in Applipedia, part of the company’s Application and Threat Research Center. To learn how Milestone can help you fight back, call 866.646.9211 or email info@milestonesystems.com.