
Five tips to tame oversized security policies: Fortinet

Caroline Ng | July 12, 2013
The morass of accumulated policies can throw an organisation's security management into disarray. Here are some ways to streamline security policies.

Organisations today are struggling to apply secure, unified access control across the bring-your-own-device (BYOD) phenomenon without leaving behind a morass of duplicated and often contradictory security policies, according to a new white paper released by Fortinet.

The resulting snowball of rules has left many organisations unable to manage effectively in a changing threat landscape, because troubleshooting an oversized policy list is so difficult, the network security provider said in a statement.

"Rules are constantly added to security devices, but seldom removed, and this complexity is spiraling out of control," said George Chang, vice president, Southeast Asia and Hong Kong at Fortinet.

"The risk is that security holes open up amid the chaos. The answer to complexity is not more complexity," he added.

The following are Fortinet's top five tips to rein in "policy accumulation":

1. Drive Application Awareness: Simplifying security policies is made harder by the introduction of application-aware security, a key tenet of next-generation firewall technology. What matters is the ability to attach application policy to individual user IDs in one place, and to enforce it throughout the network and across network security functions.

2. Enable Single Sign-On: In practice, the added granularity that comes from running a distinct security policy for each authentication environment is a burden on security management. Single Sign-On (SSO) is another case where, implemented correctly, a simplified security policy need not come at the cost of losing valuable context about the user's location or device.

3. Unify Wired and Wireless Network Visibility and Control: Runaway policy accumulation invariably occurs where wired and wireless network access are managed entirely separately. Where both coexist, wireless is typically the more dynamic environment while carrying traffic levels similar to the wired infrastructure, which compounds the rationale for integrating both (including user-centric policies) for easier oversight and simplified monitoring and compliance.

4. Rationalise Network Security: Managing a large estate of specialised security devices from many different manufacturers is a sure-fire way of multiplying the number of live security policies. Deploying a suite of complementary systems from the same vendor reduces operating costs by enabling easier and more responsive management with fewer policies, higher performance and better overall security. It also allows network access policies to be integrated with all other security policies.

5. Focus Smart Policies by Users and Devices: iOS, MacOS, Windows, RIM, Android, Ubuntu, Unix and Linux all require policy differentiation at some level, which can be a huge drain on management time. Combined with an SSO approach to policy enforcement at a unified ingress point onto the wired/wireless network, all policies can be determined according to user ID, device type and location.
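The duplicated, contradictory and never-removed rules that drive policy accumulation can be found mechanically rather than by eye. The script below is an added example, not code from Fortinet or the white paper, and its rule schema and IDs (R1 to R7) are constructed rather than FortiOS syntax. It assumes a first-match rule base evaluated top to bottom and flags three kinds of dead rule: exact duplicates, redundant rules (fully covered by an earlier rule with the same action) and shadowed rules (fully covered by an earlier rule with the opposite action, so the later rule's intent never takes effect).

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One first-match firewall policy line (constructed schema, not FortiOS)."""
    rule_id: str
    src: str             # IPv4 CIDR
    dst: str             # IPv4 CIDR
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port; None means any port
    action: str          # "allow" or "deny"

    def match_key(self) -> tuple:
        # Everything except the ID: two rules with equal keys are exact duplicates.
        return (self.src, self.dst, self.proto, self.port, self.action)


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet the later rule would match is already matched by the earlier one."""
    src_ok = ip_network(later.src).subnet_of(ip_network(earlier.src))
    dst_ok = ip_network(later.dst).subnet_of(ip_network(earlier.dst))
    proto_ok = earlier.proto == "any" or earlier.proto == later.proto
    port_ok = earlier.port is None or earlier.port == later.port
    return src_ok and dst_ok and proto_ok and port_ok


def analyze_rules(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (kind, unreachable_rule_id, covering_rule_id) for every rule that can never fire.

    Rules are evaluated top to bottom, first match wins. For each rule we look for the
    first earlier rule that completely covers it:
      - "duplicate": identical fields, pure accumulation
      - "redundant": same action, narrower match; harmless but dead weight
      - "shadowed":  opposite action; the later rule's intent is silently overridden
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if not covers(earlier, later):
                continue
            if earlier.match_key() == later.match_key():
                kind = "duplicate"
            elif earlier.action == later.action:
                kind = "redundant"
            else:
                kind = "shadowed"
            findings.append((kind, later.rule_id, earlier.rule_id))
            break  # the first covering rule is the one that would actually match
    return findings


# Constructed sample policy list: a broad "allow" for a whole /8 was left in place while
# narrower rules were added beneath it, so later rules accumulate without ever taking effect.
SAMPLE_RULES = [
    Rule("R1", "10.0.0.0/8",   "192.168.10.5/32", "tcp", 443, "allow"),
    Rule("R2", "10.0.0.0/8",   "192.168.10.5/32", "tcp", 443, "allow"),  # exact copy of R1
    Rule("R3", "10.20.0.0/16", "192.168.10.5/32", "tcp", 443, "deny"),   # meant to block one subnet
    Rule("R4", "10.20.1.0/24", "192.168.20.0/24", "udp", 53,  "allow"),
    Rule("R5", "10.20.0.0/16", "192.168.20.0/24", "udp", 53,  "allow"),  # broader than R4, still reachable
    Rule("R6", "10.20.1.0/24", "192.168.20.0/24", "udp", 53,  "deny"),   # contradicts R4
    Rule("R7", "10.0.1.0/24",  "192.168.10.5/32", "tcp", 443, "allow"),  # narrower copy of R1
]

if __name__ == "__main__":
    for kind, dead, covering in analyze_rules(SAMPLE_RULES):
        print(f"{dead}: {kind} (never matched; {covering} matches first)")
```

On the constructed list the script reports R2 as a duplicate of R1, R3 as shadowed by R1, R6 as shadowed by R4 and R7 as redundant given R1. Duplicates and redundant rules can simply be removed; a shadowed deny is the more serious finding, because an administrator believes a block is in place when the earlier allow is what actually matches, so it needs a deliberate decision about ordering or scope rather than deletion. Running a check like this on every policy change is a cheap way to keep the rule base from growing past what can be reasoned about.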

The new white paper, "Making Smart Policies with FortiOS 5," aims to help security administrators better implement ID-based 'smart policies' across their wired and wireless network infrastructures.
