3. Network controls
Network controls minimize the possibility of threats and disruptions stemming from the use of Enterprise 2.0 applications. There are three possible control mechanisms that can be used at the network level, each of which carries certain drawbacks that reduce their effectiveness. First, a stateful firewall can be used as a first line of defense, providing coarse filtering of traffic and segmenting the network into different, password-protected zones. Its port-centric design is ineffective when faced with Enterprise 2.0 applications that hop from port to port until they find an open connection to the network.
Second, intrusion prevention system (IPS) enhances the network threat prevention capability by looking at a subset of traffic and blocking known threats or bad applications. It lacks the understanding of applications and the performance required to look at all traffic across all ports, and is only a partial solution.
Third, proxy server offers traffic control but looks at a limited set of applications or protocols and only see a partial set of the traffic that needs to be monitored.
The challenge with any of these network controls is that they do not have the ability to identify Enterprise 2.0 applications, look only at a portion of the traffic, and suffer from performance issues. Even combined, they can't offer the right network protection. Next-generation firewalls, however, have proven to be the right approach. They combine application awareness with consolidated management against threats, vulnerabilities and fine-grained controls that allow for policies to be based on applications, users and content.
The question is not whether to block or not. Rather, the question is how can companies define and enforce policies that allow for smart and safe enablement, as there is ample evidence of the productivity and cost benefits of Enterprise 2.0 adoption around the world. IT executives need to act now and show leadership.
Lee Klarich is Vice President of Product Management at Palo Alto Networks. Lee brings a strong track record in network security product management to Palo Alto Networks. Previously, Lee was director of product management for Juniper Networks where he was responsible for firewall/VPN platforms and software. Lee joined Juniper Networks through the NetScreen Technologies acquisition where he managed the same product line. Prior to NetScreen Technologies, Lee held various positions at Excite@Home and Packard Bell NEC. He can be reached at firstname.lastname@example.org.