How Do I Deploy a Best Practice Internet Gateway Security Policy?

Assess your business and identify what you need to protect
—The first step in deploying a security architecture is to assess your business and identify what your most valuable assets are as well as what the biggest threats to those assets are. For example, if you are a technology company, your intellectual property is your most valuable asset. In this case, one of your biggest threats would be source code theft.
Segment Your Network Using Interfaces and Zones—Traffic cannot flow between zones unless there is a security policy rule to allow it. One of the easiest defenses against lateral movement of an attacker that has made its way into your network is to define granular zones and only allow access to the specific user groups who need to access an application or resource in each zone. By segmenting your network into granular zones, you can prevent an attacker from establishing a communication channel within your network (either via malware or by exploiting legitimate applications), thereby reducing the likelihood of a successful attack on your network.
Identify Your Application Allow List—Before you can create an internet gateway best practice security policy, you must have an inventory of the applications you want to allow on your network, and distinguish between those applications you administer and officially sanction and those that you simply want users to be able to use safely. After you identify the applications (including general types of applications) you want to allow, you can map them to specific best practice rules.
Create User Groups for Access to Allowed Applications—After you identify the applications you plan to allow, you must identify the user groups that require access to each one. Because compromising an end user’s system is one of the cheapest and easiest ways for an attacker to gain access to your network, you can greatly reduce your attack surface by only allowing access to applications to the user groups that have a legitimate business need.
Decrypt Traffic for Full Visibility and Threat Inspection—You can’t inspect traffic for threats if you can’t see it. And today SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network. This is precisely why encrypted traffic is a common way for attackers to deliver threats. For example, an attacker may use a web application such as Gmail, which uses SSL encryption, to email an exploit or malware to employees accessing that application on the corporate network. Or, an attacker may compromise a web site that uses SSL encryption to silently download an exploit or malware to site visitors. If you are not decrypting traffic for visibility and threat inspection, you are leaving a very large surface open for attack.
Create Best Practice Security Profiles for the Internet Gateway—Command and control traffic, CVEs, drive-by downloads of malicious content, phishing attacks, APTs are all delivered via legitimate applications. To protect against known and unknown threats, you must attach stringent security profiles to all Security policy allow rules.
Define the Initial Internet Gateway Security Policy—Using the application and user group inventory you conducted, you can define an initial policy that allows access to all of the applications you want to allow by user or user group. The initial policy rulebase you create must also include rules for blocking known malicious IP addresses, as well as temporary rules to prevent other applications you might not have known about from breaking and to identify policy gaps and security holes in your existing design.
Monitor and Fine Tune the Policy Rulebase—After the temporary rules are in place, you can begin monitoring traffic that matches to them so that you can fine tune your policy. Because the temporary rules are designed to uncover unexpected traffic on the network, such as traffic running on non-default ports or traffic from unknown users, you must assess the traffic matching these rules and adjust your application allow rules accordingly.
Remove the Temporary Rules—After a monitoring period of several months, you should see less and less traffic hitting the temporary rules. When you reach the point where traffic no longer hits the temporary rules, you can remove them to complete your best practice internet gateway security policy.
Maintain the Rulebase—Due to the dynamic nature of applications, you must continually monitor your application allow list and adapt your rules to accommodate new applications that you decide to sanction as well to determine how new or modified App-IDs impact your policy. Because the rules in a best practice rulebase align with your business goals and leverage policy objects for simplified administration, adding support for a new sanctioned application or new or modified App-ID oftentimes is as simple as adding or removing an application from an application group or modifying an application filter.