Application Security Detects Hard-to-Find Threats

Challenge

Port-based security groups implemented by cloud service providers (CSPs) lack application-level visibility into network traffic and have few threat prevention capabilities. As a result, native cloud security groups will not discover threats that exploit open ports (e.g., 80/443) or target vulnerabilities in non-web apps, such as the well-known ones in Apache Struts.

Solution

VM-Series firewalls inspect every inbound packet and block suspicious traffic based on application type or user identity, going beyond simple port blocking to protect traffic over open ports. The VM-Series also provides advanced security capabilities, such as intrusion prevention system (IPS) and sandboxing, to defend against both known and unknown vulnerabilities at the edge of a public cloud environment

Outbound Traffic Protection Stops Exfiltration

Challenge

If attackers make it past perimeter controls, they still need a way to exfiltrate data from the environment. Often, they take advantage of allowed encrypted traffic flows, such as domain name system (DNS) traffic, to hide data as it leaves the environment.

Example

An attacker gains access to your environment by stealing a user’s credentials. After conducting reconnaissance and identifying valuable information, the attacker executes a DNS tunneling technique to exfiltrate it from the compromised application by hiding the data in encrypted DNS traffic.

Solution

VM-Series firewalls can decrypt traffic for outbound content inspection. The DNS Security service on the VMSeries ensures that even allowed encrypted traffic flows are inspected and protected

Filtering and Inspection Boost Developer Security

Challenge

Native CSP firewalls have limited capabilities to filter and inspect outbound traffic leaving the cloud environment. As a result, if developers download compromised open source code from a public code repository, they may unwittingly allow malware to penetrate the security perimeter. Once inside, threats can move laterally to locate information for exfiltration.

Solution

VM-Series firewalls provide URL Filtering to ensure that developers can only access known good repositories that are maintained and secured internally

Comprehensive Control Across Multiple Clouds Makes Security Consistent

Challenge

As organizations divide application hosting between multiple public and private clouds, overall security posture becomes more fragmented and difficult to manage. Each part of the environment requires its own policy model and security controls, which increases operational complexity, creates security gaps, and causes delays for cloud migration initiatives.

Example

A large enterprise has critical applications hosted on a private cloud and two different public cloud environments. To enforce consistent security policies across all three parts of this hybrid environment, the security team must duplicate policies across three clouds using the native controls in each—a labor-intensive and error-prone task. Managing overall security posture requires the team to develop expertise in each cloud’s controls and management interface.

Solution

VM-Series virtual firewalls deployed in multiple public and private cloud environments can all still be managed from the same console. This lets security teams deliver the same best-in-class security capabilities to each environment and extend a uniform policy model across the entire ecosystem to ensure consistency and simplification of overall security posture