Step 1: Create the Application Whitelist Rules
After you Identify Whitelist Applications you are ready to create the first part of the best practice internet gateway security policy rulebase: the application whitelist rules. Every whitelist rule you create must allow traffic based on application (not port) and, with the exception of certain infrastructure applications that require user access before the firewall can identify the user, must only allow access to known users. Whenever possible, Create User Groups for Access to Whitelist Applications so that you can limit user access to the specific users or user groups who have a business need to access the application.
When creating the application whitelist rules, make sure to place more specific rules above more general rules. For example, the rules for all of your sanctioned and infrastructure applications would come before the rules that allow general access to certain types of business and personal applications. This first part of the rulebase includes the allow rules for the applications you identified as part of your application whitelist:
- Sanctioned applications you provision and administer for business and infrastructure purposes
- General business applications that your users may need to use in order to get their jobs done
- General applications you may choose to allow for personal use
Every application whitelist rule also requires that you attach the best practice security profiles to ensure that you are scanning all allowed traffic for known and unknown threats. If you have not yet created these profiles, see Create Best Practice Security Profiles. And, because you can’t inspect what you can’t see, you must also make sure you have configured the firewall to Decrypt Traffic for Full Visibility and Threat Inspection.
- Allow access to your corporate DNS servers.
  - Access to DNS is required to provide network infrastructure services, but it is commonly exploited by attackers.
  - Allowing access only to your internal DNS server reduces your attack surface.
  - Because this rule is very specific, place it at the top of the rulebase.
  - Create an address object to use as the destination address so that users can only reach the DNS server in your data center.
  - Because users need access to this service before they are logged in, you must allow access to any user.
- Allow access to other required IT infrastructure resources.
  - Enable the applications that provide your network infrastructure and management functions, such as NTP, OCSP, STUN, and ping.
  - While the DNS traffic allowed in the preceding rule is restricted to the destination address in the data center, these applications may not reside in your data center and therefore require a separate rule.
  - Because these applications all run on their default ports, must be allowed for any user (users may not yet be known users at the time these services are needed), and all have a destination address of any, put them in a single application group and create a single rule to enable access to all of them.
  - Users may not have logged in yet at the time they need access to the infrastructure applications, so make sure this rule allows access to any user.
- Allow access to IT-sanctioned SaaS applications.
  - With SaaS applications, your proprietary data is in the cloud. This rule ensures that only your known users have access to these applications (and the underlying data).
  - Scan allowed SaaS traffic for threats.
  - Group all sanctioned SaaS applications in an application group.
  - SaaS applications should always run on the application-default port.
- Allow access to IT-provisioned on-premise applications.
  - Business-critical data center applications are often leveraged in attacks, during the exfiltration stage using applications such as FTP, or during the lateral movement stage by exploiting application vulnerabilities.
  - Many data center applications use multiple ports; setting the Service to application-default safely enables the applications on their standard ports. Do not allow applications on non-standard ports, because this is often associated with evasive behavior.
  - Group all data center applications in an application group.
  - Create an address group for your data center server addresses.
- Allow access to applications your administrative users need.
  - Because administrators often need access to sensitive account data and remote access to other systems (for example, RDP), you can greatly reduce your attack surface by allowing access only to the administrators who have a business need.
  - This rule restricts access to users in the IT_admins group.
  - Create custom applications for internal applications or applications that run on non-standard ports so that you can enforce them on their default ports rather than opening additional ports on your network.
  - If you have different user groups for different applications, create separate rules for granular control.
- Allow access to general business applications.
  - Beyond the applications you sanction and administer for your users, there are a variety of applications that users commonly use for business purposes (for example, to interact with partners), such as WebEx, Adobe online services, or Evernote, which you may not officially sanction.
- (Optional) Allow access to personal applications.
  - As the lines blur between work and personal devices, you want to ensure that all applications your users access are safely enabled and free of threats.
  - By using application filters, you can safely enable access to personal applications when you create this initial rulebase. After you assess which applications are in use, you can use that information to decide whether to remove the filter and allow a smaller subset of personal applications appropriate for your acceptable use policies.
- Allow general web browsing.
  - While the previous rule allowed access to personal applications (many of them browser-based), this rule allows general web browsing.
  - This rule uses the same best practice security profiles as the rest of the rules, except for the File Blocking profile, which is more stringent because general web browsing traffic is more vulnerable to threats.
  - This rule allows only known users, to prevent devices with malware or embedded devices from reaching the internet.
  - Use application filters to allow access to general types of applications.
  - Make sure you also explicitly allow SSL as an application here if you want users to be able to browse to HTTPS sites that are excluded from decryption.
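The following is an added example, not code from Palo Alto Networks and not the PAN-OS configuration format: a small Python model of the whitelist rulebase described in the steps above, together with a lint function that checks a rulebase against the rules of thumb stated on this page (application-default service, security profiles on every rule, any-user access only for pre-login infrastructure applications, DNS pinned to an internal address object and placed first, administrative applications limited to a user group, SSL alongside web-browsing, and the general filter-based rules placed after the specific ones). The rule names, the address object and group names, the SaaS placeholder App-IDs and the `strict` File Blocking label are constructed for the example; `best-practice`, `IT_admins`, `application-default` and `known-user` are the terms the page uses.

```python
"""Lint a simplified model of an internet-gateway application whitelist rulebase.

Constructed example: the Rule dataclass is an abstraction for illustration,
not the PAN-OS policy schema.
"""
from dataclasses import dataclass
from typing import List

# Infrastructure App-IDs that clients need before the firewall can identify the user.
PRE_LOGIN_APPS = {"dns", "ntp", "ocsp", "stun", "ping"}
# Applications that must be limited to an administrative user group (the page names RDP).
ADMIN_APPS = {"rdp"}
# Marks an application filter (general rule) rather than an explicit App-ID.
FILTER_PREFIX = "filter:"


@dataclass
class Rule:
    name: str
    applications: List[str]               # explicit App-IDs, or "filter:<name>"
    source_user: str                      # "any", "known-user" or a user group name
    destination: str = "any"              # address object / address group name, or "any"
    service: str = "application-default"
    profile_group: str = "best-practice"  # security profile group attached to the rule
    file_blocking: str = "best-practice"  # "strict" is the constructed label for the
                                          # more stringent File Blocking profile

    def is_general(self) -> bool:
        """General rules are the application-filter and web-browsing rules."""
        return any(a.startswith(FILTER_PREFIX) for a in self.applications) \
            or "web-browsing" in self.applications


def lint_rulebase(rules: List[Rule]) -> List[str]:
    """Return a list of best-practice violations; an empty list means clean."""
    findings = []
    for i, r in enumerate(rules):
        apps = set(r.applications)
        if r.service != "application-default":
            findings.append(f"{r.name}: service must be application-default, not {r.service}")
        if not r.profile_group:
            findings.append(f"{r.name}: no security profile group attached")
        if r.source_user == "any" and not apps <= PRE_LOGIN_APPS:
            findings.append(f"{r.name}: allows any user but is not limited to pre-login infrastructure apps")
        if "dns" in apps:
            if r.destination == "any":
                findings.append(f"{r.name}: DNS must be limited to the internal DNS server address object")
            if i != 0:
                findings.append(f"{r.name}: DNS rule must be at the top of the rulebase")
        if apps & ADMIN_APPS and r.source_user in ("any", "known-user"):
            findings.append(f"{r.name}: administrative apps must be limited to an admin user group")
        if "web-browsing" in apps:
            if "ssl" not in apps:
                findings.append(f"{r.name}: add ssl so users can reach HTTPS sites excluded from decryption")
            if r.file_blocking != "strict":
                findings.append(f"{r.name}: general web browsing needs the stricter File Blocking profile")
    general = [i for i, r in enumerate(rules) if r.is_general()]
    specific = [i for i, r in enumerate(rules) if not r.is_general()]
    if general and specific and min(general) < max(specific):
        findings.append("ordering: general application-filter/web-browsing rules must follow the specific rules")
    return findings


# Constructed sample rulebase in the order the steps above describe.
BEST_PRACTICE_RULEBASE = [
    Rule("Allow-DNS", ["dns"], "any", destination="dns-servers-dc"),
    Rule("Allow-Infra", ["ntp", "ocsp", "stun", "ping"], "any"),
    Rule("Allow-Sanctioned-SaaS", ["sanctioned-saas-a", "sanctioned-saas-b"], "known-user"),
    Rule("Allow-DC-Apps", ["ftp", "ldap"], "known-user", destination="datacenter-servers"),
    Rule("Allow-Admin", ["rdp", "ssh"], "IT_admins", destination="datacenter-servers"),
    Rule("Allow-Business", ["webex", "evernote"], "known-user"),
    Rule("Allow-Personal", ["filter:personal-apps"], "known-user"),
    Rule("Allow-Web", ["web-browsing", "ssl"], "known-user", file_blocking="strict"),
]


if __name__ == "__main__":
    for finding in lint_rulebase(BEST_PRACTICE_RULEBASE) or ["rulebase follows the best practices"]:
        print(finding)
```

Running the linter over the sample rulebase reports nothing; swapping a rule's service to `any`, opening a rule to any user beyond the infrastructure applications, or moving the DNS rule down the list each produces a finding, which is the kind of check worth running before every commit to a rulebase that grows over time.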