Solution Providers for Retail: A Better Firewall Can Help Protect Your Retailer’s Network

In the past, if you had a problem on your network, you had to look through mountains of log data with lots of patience and skill. If you wanted to figure out whether your clients were spending too much time checking their Facebook accounts, whether they had sufficient network bandwidth to handle video conferencing, or why certain business apps had slowed down recently, it was an effort. Today’s retail business is more online and uses more connected applications, and that means finding a better firewall and knowing how to use it. If you can develop this particular practice, you can become a trusted advisor and add value to the consulting services you offer your clients.

The firewalls of yesteryear were relatively simple devices: you specified a series of firewall rules that listed particular ports and protocols, and whether you wanted to block or allow network traffic through them. That worked fine when applications were well behaved and used predictable ports, such as file transfer on ports 20 and 21 and email on ports 25 and 110. Those days seem like a fond memory now. With the rise of Web-based applications, rules keyed on ports and protocols no longer work: everyone is running their apps across ports 80 and 443, and a port-based rule cannot distinguish a mission-critical app from a rogue peer-to-peer file service that needs to be shut down.

The newer firewalls from Cisco, Intel/McAfee and Palo Alto Networks can gather deeper insights because they are application-aware. They understand the way applications interact with the network and the Internet, and can report back to you in near real time with easy-to-view graphical representations of your network traffic.

Here is an example from Cisco’s ASA CX firewall configuration screen. You can see that there is a lot of granularity in monitoring and controlling how your users interact with Facebook, just one of thousands of applications that it can handle.

Palo Alto Networks has its “applipedia” reference, with more than 1500 application behaviors catalogued. You can look up whether an app is prone to misuse, can evade standard firewall ports, or is employed by malware.

Another aspect of advanced firewalls is the ability to look at changes to the network and see what the root causes were, or the time-series effects as your traffic patterns differ from when things were working yesterday to when they are broken today. Finally, you want to drill down to particular users, or particular aspects of an application, such as allowing all users to read their Facebook wall posts but not send any Facebook messages during working hours. (Not to keep picking on them, but they are a nice illustration.)
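To make the difference concrete, here is an added example (not code from any of the vendors named above) that evaluates the same connections two ways: the way a port-based rule set sees them, and the way an application-aware policy with per-user, per-action and working-hours conditions sees them. The application and action labels, the rule format and the sample traffic are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import time

# Constructed view of one connection. The port is all a legacy firewall sees;
# user, app and action are labels an application-aware firewall attaches
# (these label names are assumptions, not any vendor's catalogue).
@dataclass
class Flow:
    user: str
    dst_port: int
    app: str      # e.g. "facebook", "crm", "p2p-file-sharing"
    action: str   # e.g. "browse", "post", "transfer"
    at: time      # local time the connection was opened

def port_based_decision(flow):
    # Legacy rule set: web ports open, everything else closed.
    return "allow" if flow.dst_port in (80, 443) else "deny"

WORK_HOURS = (time(9, 0), time(17, 0))
# (user, app, action, work_hours_only, verdict); "*" is a wildcard, first match wins.
APP_RULES = [
    ("*", "facebook", "post", True, "deny"),        # read the wall, no posting 9-5
    ("*", "facebook", "*", False, "allow"),
    ("*", "p2p-file-sharing", "*", False, "deny"),  # rogue P2P on 443 still blocked
    ("*", "*", "*", False, "allow"),
]

def app_aware_decision(flow, rules=APP_RULES):
    # Match on who, which app and which action, with an optional time window.
    for user, app, action, work_only, verdict in rules:
        matches = (user in ("*", flow.user) and app in ("*", flow.app)
                   and action in ("*", flow.action))
        if matches and (not work_only or WORK_HOURS[0] <= flow.at < WORK_HOURS[1]):
            return verdict
    return "deny"  # implicit default deny when nothing matches

def disagreements(flows):
    # Flows the two approaches judge differently: what the upgrade buys you.
    return [f for f in flows if port_based_decision(f) != app_aware_decision(f)]

# Constructed sample traffic: everything but the last flow rides on 443.
SAMPLE_FLOWS = [
    Flow("alice", 443, "facebook", "post", time(10, 30)),
    Flow("alice", 443, "facebook", "browse", time(10, 30)),
    Flow("alice", 443, "facebook", "post", time(19, 0)),
    Flow("bob", 443, "p2p-file-sharing", "transfer", time(12, 0)),
    Flow("bob", 443, "crm", "query", time(12, 0)),
    Flow("bob", 6881, "p2p-file-sharing", "transfer", time(12, 0)),
]
```

Running `disagreements(SAMPLE_FLOWS)` returns the two flows the port-based rules wave through on 443 (the working-hours Facebook post and the P2P transfer) that the application-aware policy blocks.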

The goal is to quickly learn about your client’s traffic patterns and translate them into implemented and useful policies. Most of the newer firewall products offer this ability, but you will want to check out how easy it is to create and modify a policy from the automated start-up wizards that they provide. In some cases, you will need to use command-line parameters to fine-tune the policies that are created by the wizards.

Another good place to start is to read up on these products from OWASP here. This is a consortium of vendors and leading Web security developers who have tried to put down in one place what you need to know to build the best possible Web applications and protect them from harm. They have a comprehensive vendor list, a collection of best practices, sample “top-ten” attacks that you can use to harden your own applications and an evaluation guide.

Finally, when you are ready to spec out a unit for your client, look closely at how much inbound and outbound capacity you need. Firewall vendors offer different-sized models to match your bandwidth and throughput requirements. What will these firewalls cost? Most of them start somewhere north of $20,000. While this seems steep, given the consequences of an exploit raging through your client’s network, it could be money well spent.
