
Planning Security Policies

This section describes how to plan security policies.

Security policies aim to reduce the intrusion success rate and to discover attackers. To achieve this goal, you can configure application-based security policy rules that allow users to access only whitelisted applications, scan all traffic to detect and block known threats, and send files carrying unknown threats to the sandbox to identify new threats, so that threats are detected and prevented throughout the life cycle of an attack. The basic methods, and what each one involves, are as follows:

Traffic visibility

    The prerequisite for security policy-based control is to fully understand the applications, users, and content on the network.

    Through user identification and SSL decryption, the FW gains visibility into the traffic of all users and applications and can inspect it.

Reduced attack surface

    After learning about the applications, users, and content on the network, you can create application-based security policies that allow key services and block risky applications.

    To further reduce the attack surface, enable functions such as URL filtering and file blocking in addition to the security policy that permits access to an application, so that users cannot access high-risk websites or download high-risk files.

Defense against known threats

    Reference a content security profile in every security policy rule whose action is permit so that known threats are blocked.

Detection of unknown threats

    Files carrying unknown threats are sent to the sandbox. The FW periodically reads the sandbox inspection result and blocks subsequent traffic based on it.

Security Policy Planning Guide

Multiple types of service traffic may exist on the network. Security policies are configured based on the service traffic. To ensure that security policies are correctly configured, you need to plan security policies before the configuration. Security policies are planned in accordance with the following principles:
  1. Understand the information assets and services of the enterprise and evaluate possible risks.

    Before configuring security policies, you need to understand the services, identify the information assets to be protected, and determine the threats to those assets. For example, intellectual property is the most valuable asset of a technology company, and one of the biggest threats to it is source code theft.

  2. Use security zones to divide the network to simplify management.

    To divide the network using interfaces and security zones, first determine how to create the security zones and which interfaces to assign to them. For example, interface1 is connected to the Internet and can be assigned to the untrust zone, interface2 is connected to the server farm and can be assigned to the dmz zone, and interface3 is connected to the office network and can be assigned to the trust zone.

    Traffic cannot flow between security zones unless the action of the matched security policy is permit. This mechanism prevents attackers from entering the network. By deploying security policies based on security zones, users, and applications, you can prevent attackers from moving laterally. That is, you can define fine-grained zones that allow only specific users to access specific applications and resources.

  3. Identify services and applications, and determine the blacklist and whitelist of services.

    • Identify the whitelist of applications that may be accessed, classify them by service, and apply them in different policies.

    • Identify the blacklist of applications that may not be accessed and apply them in different policies.

    • The grey list contains legitimate applications that are discovered during the operation of the enterprise, for example, applications that use non-well-known ports or applications developed in-house.

    At the beginning of the planning, you do not need to know all the applications. Instead, focus on the whitelist and leave the other applications in the grey list to avoid service interruption.

    For example, the application whitelist that a company allows may include common commercial office software and personal applications in addition to officially approved applications. For other, unknown applications, start by learning how they are used and gradually sort out the application permissions: permit officially approved applications and gradually phase out or prohibit the others, that is, change the policy action from permit to alert and finally to deny. In addition, you can reserve usage rights for certain types of users.

  4. Determine the access relationships and rules between users and services/applications.

    Determine the users or user groups that are allowed to access each application. Infecting endpoints is the simplest way for an attacker to enter an intranet. To reduce the attack surface, allow only users or user groups with legitimate service requirements to access the intranet.

    For example, you can configure policies so that R&D employees can access the Internet only during non-working hours and cannot access applications in the Entertainment category; marketing employees can access the Internet at any time but cannot access applications in the Game category; and managers (privileged users) have full Internet access.

  5. Decrypt traffic to reduce the attack surface.

    As encrypted traffic grows, more attackers use it to deliver threats. For example, attackers may use SSL-encrypted web applications, such as Gmail, to deliver malicious content by email to employees who access those applications. If SSL decryption is not available, this traffic cannot be inspected, which expands the attack surface.

    To reduce the attack surface, you are advised to decrypt all traffic, except in special circumstances such as key applications that decryption would break or specific users who are excluded for regulatory or legal reasons.

  6. Determine the content security check items to be deployed.

    Attack activity travels over legitimate applications. To prevent known and unknown threats, reference content security profiles in all security policies whose action is permit. For example, to ensure that the company's source code is not infected by viruses, reference the antivirus profile in the security policy whose action is permit.
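The following is an added example that models the planning principles of steps 2, 4 and 6 in code; it is not part of the original page and not Huawei FW code. The zone layout (interface1/2/3 to untrust, dmz and trust), the user directory, the application catalogue, the working-hours window and the profile name "av+ips" are all constructed assumptions. Rules are evaluated top-down with first match wins, the list ends with a default deny rule, and a planning check reports any permit rule that does not reference a content security profile.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed zone layout from step 2 (assumption, not a real device configuration).
ZONES = {"interface1": "untrust", "interface2": "dmz", "interface3": "trust"}

# Constructed user directory and application catalogue (assumptions for this example).
USER_GROUPS = {"alice": "rnd", "bob": "marketing", "carol": "manager"}
APP_CATEGORY = {"gmail": "Email", "youtube": "Entertainment",
                "solitaire": "Game", "salesforce": "Business"}

WORKING_HOURS = set(range(9, 18))            # assumed 09:00-18:00 working day
NON_WORKING_HOURS = set(range(24)) - WORKING_HOURS


def zone_of(interface: str) -> str:
    """Map an interface to the security zone it was assigned to in planning."""
    return ZONES[interface]


@dataclass
class Flow:
    user: str
    src_zone: str
    dst_zone: str
    app: str
    hour: int                                 # hour of day, used by time-based rules


@dataclass
class Rule:
    name: str
    action: str                               # "permit", "alert" or "deny"
    src_zone: Optional[str] = None            # None = any zone
    dst_zone: Optional[str] = None
    groups: set[str] = field(default_factory=set)       # empty = any user
    apps: set[str] = field(default_factory=set)         # empty = any application
    categories: set[str] = field(default_factory=set)   # empty = any category
    hours: set[int] = field(default_factory=set)        # empty = any time
    profile: Optional[str] = None             # content security profile (step 6)

    def matches(self, f: Flow) -> bool:
        """Every populated criterion must match; empty criteria match anything."""
        if self.src_zone and f.src_zone != self.src_zone:
            return False
        if self.dst_zone and f.dst_zone != self.dst_zone:
            return False
        if self.groups and USER_GROUPS.get(f.user) not in self.groups:
            return False
        if self.apps and f.app not in self.apps:
            return False
        if self.categories and APP_CATEGORY.get(f.app) not in self.categories:
            return False
        if self.hours and f.hour not in self.hours:
            return False
        return True


# The step-4 example: R&D only off-hours and no Entertainment, marketing any time
# but no Games, managers unrestricted. Order matters: deny rules sit above the
# broader permit rules for the same group, and the last rule is the default deny.
POLICY = [
    Rule("rnd-no-entertainment", "deny", "trust", "untrust",
         groups={"rnd"}, categories={"Entertainment"}),
    Rule("rnd-offhours-internet", "permit", "trust", "untrust",
         groups={"rnd"}, hours=NON_WORKING_HOURS, profile="av+ips"),
    Rule("marketing-no-games", "deny", "trust", "untrust",
         groups={"marketing"}, categories={"Game"}),
    Rule("marketing-internet", "permit", "trust", "untrust",
         groups={"marketing"}, profile="av+ips"),
    Rule("manager-internet", "permit", "trust", "untrust",
         groups={"manager"}, profile="av+ips"),
    Rule("default", "deny"),                  # interzone traffic is denied unless permitted
]


def evaluate(flow: Flow, policy: list[Rule] = POLICY) -> tuple[str, str]:
    """Return (rule name, action) of the first rule that matches the flow."""
    for rule in policy:
        if rule.matches(flow):
            return rule.name, rule.action
    raise RuntimeError("policy list must end with a default rule")


def permit_rules_without_profile(policy: list[Rule] = POLICY) -> list[str]:
    """Step-6 planning check: every permit rule should reference a content security profile."""
    return [r.name for r in policy if r.action == "permit" and not r.profile]


if __name__ == "__main__":
    for f in (Flow("alice", "trust", "untrust", "youtube", 20),
              Flow("alice", "trust", "untrust", "gmail", 10),
              Flow("eve", zone_of("interface1"), zone_of("interface2"), "gmail", 12)):
        print(f, "->", evaluate(f))
    print("permit rules missing a profile:", permit_rules_without_profile())
```

The unknown user "eve" arriving from untrust is denied by the default rule because no permit rule names her zone pair or group, which is the zone-based lateral-movement containment step 2 describes; `permit_rules_without_profile()` returning an empty list confirms the step-6 requirement for this rule set.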

  7. Create initial security policies.

    Define the initial security policies based on the planned application and user information:

    • Security policies that allow users' IP address segments or users/user groups to access the application whitelist.

    • Security policies that block access to known malicious IP addresses and applications.

    • Temporary security policies used to further optimize policies.

      Temporary security policies are used to discover unknown applications and services. If you are not familiar with the applications and services on the network, plan temporary security policies as follows:

      1. Set the action of the default security policy to permit and test the services to make sure they run.

      2. View the log or session table and use the information recorded there as match criteria for the security policies.

      3. Restore the default security policy configuration and test the services again to verify that the security policies are correct.

      While the action of the default security policy is permit, the firewall allows all packets to pass, which is a security risk. Therefore, you must restore the action to deny as soon as debugging is complete.

  8. Monitor and adjust policies based on logs.

    For a temporary security policy, monitor and evaluate the traffic that matches the policy so that you can further adjust the application whitelist and optimize the security policies.

    After a period of time, if the traffic no longer matches the temporary security policy, you can delete the policy.
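The following added example works through the temporary-policy procedure of step 7 and the log-based clean-up of step 8; it is not part of the original page and not Huawei FW code. The session records, their key=value format, the user and application names and the policy names "default", "temp-unknown-apps" and "temp-guest-wifi" are all constructed assumptions. It turns sessions that only matched the default rule (while its action was temporarily permit) into candidate permit rules, separates one-off flows that need a human decision, and flags temporary policies that have had no hits for a configurable period.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed session records (assumption: a simple key=value format, not the
# firewall's real log format). "policy=default" marks sessions that matched no
# explicit rule while the default action was temporarily set to permit.
SESSION_LOG = """\
2024-05-06 09:12:03 user=alice src_zone=trust dst_zone=dmz app=git policy=default action=permit
2024-05-06 09:13:11 user=alice src_zone=trust dst_zone=dmz app=git policy=default action=permit
2024-05-06 09:20:45 user=bob src_zone=trust dst_zone=dmz app=git policy=default action=permit
2024-05-06 10:02:09 user=bob src_zone=trust dst_zone=untrust app=salesforce policy=temp-unknown-apps action=permit
2024-05-06 10:05:30 user=carol src_zone=trust dst_zone=untrust app=unknown-tcp-8443 policy=default action=permit
2024-05-07 11:40:02 user=alice src_zone=trust dst_zone=untrust app=salesforce policy=temp-unknown-apps action=permit
2024-05-08 08:00:00 user=dave src_zone=untrust dst_zone=dmz app=ssh policy=default action=permit
"""


def parse_session(line: str) -> dict:
    """Parse one constructed record; the date field becomes a date object."""
    fields = line.split()
    record = {"date": date.fromisoformat(fields[0])}
    record.update(f.split("=", 1) for f in fields[2:])
    return record


def load_sessions(log_text: str) -> list[dict]:
    return [parse_session(line) for line in log_text.splitlines() if line.strip()]


def candidate_rules(log_text: str, min_sessions: int = 2) -> tuple[list[dict], list[dict]]:
    """Step 7 (temporary policy, sub-step 2): derive match criteria from the session table.

    Returns (confirmed, review): confirmed flows repeated at least min_sessions
    times are reasonable candidates for explicit permit rules; one-off flows are
    listed for review rather than being turned into rules automatically."""
    counts: Counter = Counter()
    users: dict[tuple, set[str]] = defaultdict(set)
    for rec in load_sessions(log_text):
        if rec["policy"] != "default":
            continue                           # already covered by an explicit rule
        key = (rec["src_zone"], rec["dst_zone"], rec["app"])
        counts[key] += 1
        users[key].add(rec["user"])
    confirmed, review = [], []
    for key, n in counts.most_common():
        src, dst, app = key
        entry = {"src_zone": src, "dst_zone": dst, "app": app,
                 "users": sorted(users[key]), "sessions": n}
        (confirmed if n >= min_sessions else review).append(entry)
    return confirmed, review


def stale_policies(log_text: str, temp_policies: list[str],
                   today: date, idle_days: int = 30) -> list[str]:
    """Step 8: temporary policies with no hits in the last idle_days are deletion candidates."""
    last_hit: dict[str, date] = {}
    for rec in load_sessions(log_text):
        p = rec["policy"]
        if p in temp_policies and (p not in last_hit or rec["date"] > last_hit[p]):
            last_hit[p] = rec["date"]
    cutoff = today - timedelta(days=idle_days)
    return [p for p in temp_policies if p not in last_hit or last_hit[p] < cutoff]


if __name__ == "__main__":
    confirmed, review = candidate_rules(SESSION_LOG)
    print("candidate permit rules:", confirmed)
    print("flows needing a decision:", review)
    print("stale temporary policies:",
          stale_policies(SESSION_LOG, ["temp-unknown-apps", "temp-guest-wifi"], date(2024, 6, 30)))
```

On the constructed data, the repeated trust-to-dmz git sessions become one candidate rule for alice and bob, while the single unknown-tcp-8443 session and the untrust-to-dmz ssh session land in the review list: a default-permit learning window records everything, including traffic that should never get a permit rule, so the threshold and the manual review are what keep the whitelist from simply ratifying whatever was seen. The stale check then shows "temp-unknown-apps" as removable only once its last hit is older than the idle window.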

  9. Track application changes over the long term and analyze their possible impacts.

    Applications change constantly, and the service awareness signature database is continuously updated. Therefore, analyze the impact of these changes on applications and adjust the corresponding security policies.

Copyright © Huawei Technologies Co., Ltd.