Welcome!

Microservices Expo Authors: Madhavan Krishnan, VP, Cloud Solutions, Virtusa, Jason Bloomberg, Pat Romanski, Elizabeth White, Liz McMillan

Related Topics: Cloud Security, Java IoT, Microservices Expo, Open Source Cloud, @CloudExpo

Cloud Security: Article

Why Your NGFW Needs Granular and Contextual Access Control

understand how these evolving feature sets can help contain costs while reducing management complexity

Global information technology networks that are rich in services are typically complex and require hard-to-manage security solutions. The latest versions of next-generation firewalls now offer multiple security layers that can complicate management, particularly as more and more features are added. This complexity can also serve to reduce the effectiveness of controls by obscuring noteworthy events or failing to recognize trends detected by multiple security systems integrated into the overall system. The answer is a common, unified management approach with granular and contextual access control.

Instead of employing multiple and distinct dashboards offering minimal if any integration to manage network security, administrators should be able to access a single dashboard to gain a consistent, unified view across all firewall protected segments. The data must be granular and contextual, empowering IT and network security administrators to execute and control all NGFW operations from a single perspective. And to assure logging of all actions taken and events observed, without regard to operator location.

Consistency is key. This level of administrative awareness and control should be available regardless of modality (physical or virtual) or configuration. Here are five critical control features to look for when evaluating a next generation firewall.

1. Integrated VPN
Secure virtual private network (VPN) connections provide for inter-office and mobile user connectivity to corporate resources. First-tier NGFWs typically provide high-performance remote access with integrated management supporting the use of multiple ISPs to ensure access in the event of link failure. Such solutions typically offer VPN client software to take full advantage of various deployment options. Look for the capability to cluster the firewall configuration to assure availability and session survivability in the event of a firewall appliance update or failure. Flexibility in licensing is also necessary to address burst utilization or pandemic usage requirements. Additionally, support for deep inspection is highly recommended as a necessary precursor to support DLP requirements.

2. Email and Web Security
Email advertising and social media services can flood a network with traffic of little to no business value. And this traffic stream can be a wide conduit for malware. One response is to deploy your NGFWs with additional services such as deep-inspection, web filtering, anti-virus, and anti-spam services. Combining these services under one NFGW umbrella ensures that they are available (especially if the firewall solution is clustered for high availability) and implemented at all relevant chokepoints within an organization. Superior traffic control based on users and groups, as well as contextual awareness of attacks and their use by would-be attackers across the entirety of an organization, improves an organization's resistance to a breach. Furthermore, solutions that support contextual awareness may be able to share details on detected attacks across all firewalls under the same management control, and take broad actions. For example, the actions of an attacker against one firewall may be used to blacklist that attacker across all firewalls of the organization. This amplifying effect is particular pronounced if the NFGW management solution is multi-tenant capable and used to protect multiple divisions or firms.

3. Precise Security Policies
Control over traffic based on a variety of options will enable Network security administrators need great flexibility in granting privileges to employees to perform their jobs. In addition to typical firewall IP Address and port filtering, NGFW solutions also typically support the control of traffic by service (protocol), application, user identity, group affiliation, URL categorization, site reputation, time of day, method(s) of authentication, and context. Precise security policies can provide QoS directives so access control is governed by dynamic business requirements or the availability of underlying communications resources. For example, transaction traffic may be given preferential treatment over social media access by employees, and lower priority traffic is automatically shed if a circuit failure reduces available bandwidth.

4. Integrated Authentication Services
Independent authentication mechanisms often lack integration with the firewall. However, the integration of authentication services with NGFW policies can allow administrators to constrain, track, and log access to services. Such access controls often use a variety of authentication methods including token and virtual token systems. Virtual token applications for mobile phones and tablets reduce costs over traditional key fob tokens. In addition, integration to the NGFW unifies the management of how an individual or members of a group are authenticated.

5. Traffic Management and QoS
Firewalls that feature traffic management and quality of service (QoS) can provide detailed control on what traffic is permitted and at what priority, while assuring end-to-end capacity to meet session requirements. QoS selections such as bandwidth floors and ceilings help to differentiate traffic streams, assuring the streams are treated fairly and not inadvertently precluded in their entirety, or allowed to consume bandwidth to the detriment of other business activities. For isochronous (time sensitive) traffic such as VoIP or video conferencing, the proper handling of long-haul priority directives is necessary to ensure that in-band traffic with specific bandwidth and jitter requirements is accommodated on an as-needed basis.

In addition, traffic management can help triage traffic if sufficient networking bandwidth is unavailable to meet all approved needs. For example, transactions take priority over backups or social media access.

The NGFW can improve the utilization effectiveness of the network and its security posture. It is also a network chokepoint of access from WAN connectivity to remote facilities, mobile employees, and the Internet. Pay attention to all options available with NGFW products and understand how these evolving feature sets can help contain costs while reducing management complexity.

More Stories By Darren Suprina

Darren Suprina is an IT systems designer and security professional with more than 30 years of experience. This has included intellectual property creation, research, development, software and infrastructure design and validation, systems auditing, work as a professional witness, and author.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
"This all sounds great. But it's just not realistic." This is what a group of five senior IT executives told me during a workshop I held not long ago. We were working through an exercise on the organizational characteristics necessary to successfully execute a digital transformation, and the group was doing their ‘readout.' The executives loved everything we discussed and agreed that if such an environment existed, it would make transformation much easier. They just didn't believe it was reali...
The cloud revolution in enterprises has very clearly crossed the phase of proof-of-concepts into a truly mainstream adoption. One of most popular enterprise-wide initiatives currently going on are “cloud migration” programs of some kind or another. Finding business value for these programs is not hard to fathom – they include hyperelasticity in infrastructure consumption, subscription based models, and agility derived from rapid speed of deployment of applications. These factors will continue to...
"Opsani helps the enterprise adopt containers, help them move their infrastructure into this modern world of DevOps, accelerate the delivery of new features into production, and really get them going on the container path," explained Ross Schibler, CEO of Opsani, and Peter Nickolov, CTO of Opsani, in this SYS-CON.tv interview at DevOps Summit at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"We're developing a software that is based on the cloud environment and we are providing those services to corporations and the general public," explained Seungmin Kim, CEO/CTO of SM Systems Inc., in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Enterprises are adopting Kubernetes to accelerate the development and the delivery of cloud-native applications. However, sharing a Kubernetes cluster between members of the same team can be challenging. And, sharing clusters across multiple teams is even harder. Kubernetes offers several constructs to help implement segmentation and isolation. However, these primitives can be complex to understand and apply. As a result, it’s becoming common for enterprises to end up with several clusters. Thi...
"Codigm is based on the cloud and we are here to explore marketing opportunities in America. Our mission is to make an ecosystem of the SW environment that anyone can understand, learn, teach, and develop the SW on the cloud," explained Sung Tae Ryu, CEO of Codigm, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"CA has been doing a lot of things in the area of DevOps. Now we have a complete set of tool sets in order to enable customers to go all the way from planning to development to testing down to release into the operations," explained Aruna Ravichandran, Vice President of Global Marketing and Strategy at CA Technologies, in this SYS-CON.tv interview at DevOps Summit at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
The nature of test environments is inherently temporary—you set up an environment, run through an automated test suite, and then tear down the environment. If you can reduce the cycle time for this process down to hours or minutes, then you may be able to cut your test environment budgets considerably. The impact of cloud adoption on test environments is a valuable advancement in both cost savings and agility. The on-demand model takes advantage of public cloud APIs requiring only payment for t...
Cavirin Systems has just announced C2, a SaaS offering designed to bring continuous security assessment and remediation to hybrid environments, containers, and data centers. Cavirin C2 is deployed within Amazon Web Services (AWS) and features a flexible licensing model for easy scalability and clear pay-as-you-go pricing. Although native to AWS, it also supports assessment and remediation of virtual or container instances within Microsoft Azure, Google Cloud Platform (GCP), or on-premise. By dr...
Let's do a visualization exercise. Imagine it's December 31, 2018, and you're ringing in the New Year with your friends and family. You think back on everything that you accomplished in the last year: your company's revenue is through the roof thanks to the success of your product, and you were promoted to Lead Developer. 2019 is poised to be an even bigger year for your company because you have the tools and insight to scale as quickly as demand requires. You're a happy human, and it's not just...
Many enterprise and government IT organizations are realizing the benefits of cloud computing by extending IT delivery and management processes across private and public cloud services. But they are often challenged with balancing the need for centralized cloud governance without stifling user-driven innovation. This strategy requires an approach that fundamentally reshapes how IT is delivered today, shifting the focus from infrastructure to services aggregation, and mixing and matching the bes...
identify the sources of event storms and performance anomalies will require automated, real-time root-cause analysis. I think Enterprise Management Associates said it well: “The data and metrics collected at instrumentation points across the application ecosystem are essential to performance monitoring and root cause analysis. However, analytics capable of transforming data and metrics into an application-focused report or dashboards are what separates actual application monitoring from relat...
The benefits of automation are well documented; it increases productivity, cuts cost and minimizes errors. It eliminates repetitive manual tasks, freeing us up to be more innovative. By that logic, surely, we should automate everything possible, right? So, is attempting to automate everything a sensible - even feasible - goal? In a word: no. Consider this your short guide as to what to automate and what not to automate.
DevOps teams have more on their plate than ever. As infrastructure needs grow, so does the time required to ensure that everything's running smoothly. This makes automation crucial - especially in the server and network monitoring world. Server monitoring tools can save teams time by automating server management and providing real-time performance updates. As budgets reset for the New Year, there is no better time to implement a new server monitoring tool (or re-evaluate your current solution)....
While some developers care passionately about how data centers and clouds are architected, for most, it is only the end result that matters. To the majority of companies, technology exists to solve a business problem, and only delivers value when it is solving that problem. 2017 brings the mainstream adoption of containers for production workloads. In his session at 21st Cloud Expo, Ben McCormack, VP of Operations at Evernote, discussed how data centers of the future will be managed, how the p...
We just came off of a review of a product that handles both containers and virtual machines in the same interface. Under the covers, implementation of containers defaults to LXC, though recently Docker support was added. When reading online, or searching for information, increasingly we see “Container Management” products listed as competitors to Docker, when in reality things like Rocket, LXC/LXD, and Virtualization are Dockers competitors. After doing some looking around, we have decided tha...
High-velocity engineering teams are applying not only continuous delivery processes, but also lessons in experimentation from established leaders like Amazon, Netflix, and Facebook. These companies have made experimentation a foundation for their release processes, allowing them to try out major feature releases and redesigns within smaller groups before making them broadly available. In his session at 21st Cloud Expo, Brian Lucas, Senior Staff Engineer at Optimizely, discussed how by using ne...
Agile has finally jumped the technology shark, expanding outside the software world. Enterprises are now increasingly adopting Agile practices across their organizations in order to successfully navigate the disruptive waters that threaten to drown them. In our quest for establishing change as a core competency in our organizations, this business-centric notion of Agile is an essential component of Agile Digital Transformation. In the years since the publication of the Agile Manifesto, the conn...
While we understand Agile as a means to accelerate innovation, manage uncertainty and cope with ambiguity, many are inclined to think that it conflicts with the objectives of traditional engineering projects, such as building a highway, skyscraper or power plant. These are plan-driven and predictive projects that seek to avoid any uncertainty. This type of thinking, however, is short-sighted. Agile approaches are valuable in controlling uncertainty because they constrain the complexity that ste...
Digital transformation has changed the way users interact with the world, and the traditional healthcare experience no longer meets rising consumer expectations. Enterprise Health Clouds (EHCs) are designed to easily and securely deliver the smart and engaging digital health experience that patients expect today, while ensuring the compliance and data integration that care providers require. Jikku Venkat