Why Do I Need a Best Practice Internet Gateway Security Policy?

Unlike legacy port-based security policies that either
block everything in the interest of network security, or enable
everything in the interest of your business, a best practice security
policy allows you to safely enable applications by classifying all traffic,
across all ports, all the time, including encrypted traffic. By
determining the business use case for each application, you can
create security policy rules to allow and protect access to relevant
applications. Simply put, a best practice security policy is a policy
that leverages the next-generation technologies—App-ID, Content-ID,
and User-ID—on the Palo Alto Networks enterprise security platform
to:
Identify applications regardless of port, protocol, evasive tactic, or encryption
Identify and control users regardless of IP address, location, or device
Protect against known and unknown application-borne threats
Provide fine-grained visibility and policy control over application access and functionality

A best practice security policy uses a layered approach to ensure
that you not only safely enable sanctioned applications, but also
block applications with no legitimate use case. To mitigate the
risk of breaking applications when moving from port-based enforcement
to application-based enforcement, the best-practice rulebase
provides built-in mechanisms to help you identify gaps in the rulebase
and detect alarming activity and potential threats on your network.
These temporary best practice rules ensure that applications your
users are counting on don’t break, while allowing you to monitor
application usage and craft appropriate rules. You may find that
some of the applications allowed by existing port-based policy rules
are applications that you do not necessarily want to continue to allow,
or that you want to limit to a more granular set of users.

Unlike a port-based policy, a best-practice security policy is
easy to administer and maintain because each rule meets a specific
goal of allowing an application or group of applications to a specific
user group based on your business needs. Therefore, you can easily
understand what traffic the rule enforces by looking at the match
criteria. Additionally, a best-practice security policy rulebase
leverages tags and objects to make the rulebase more scannable and
easier to keep synchronized with your changing environment.