Contents
Palo Alto Networks - Next Generation Firewall
Enterprises Need Application Visibility and Control
Key Next-Generation Firewall Requirements
Visibility: Turning On the Lights
Control: Safe Enablement vs. Blindly Blocking
Specific Examples: Google Talk and UltraSurf
Enabling the Secure Use of Facebook
How it works
App-ID: Classifying All Applications, All Ports, All the Time
User-ID: Enabling Applications by Users and Groups
Content-ID: Protecting Allowed Traffic
Extending The Network Perimeter
The Logical Perimeter: A Strategic Solution
GlobalProtect + Next-Generation Firewall = The Logical Perimeter
Enforce Network Controls Based on User, Role, and User Profile
Information technology security has been developing steadily over the past couple of
decades in a fast but evolutionary way. Every now and then, however, the evolutionary
path is disrupted by a revolutionary change. Testimony to that are the introduction of stateful
inspection on firewalls, the entry and domination of easy-to-use purpose-built firewall
appliances, and the expansion of UTM functionality. Today we again witness a similar
revolutionary change, one which does away with the traditional complexity and murkiness of
network traffic inspection and control, which easily identifies applications and segregates
the bad from the good, and which empowers network security
administrators to identify with unprecedented ease not just what kind of traffic is flowing
across the network but also who exactly generates it. This technology enables quick
discovery and remediation of all aspects of network security issues, providing not just an
adequate response to the incident itself but also almost immediate insight into the most
important questions a security administrator needs answered: what the incident is,
where it comes from, what the impact would be and who exactly has done it.
By discarding the traditional traffic classification mechanisms of port and protocol, and
taking an application-centric approach, the Palo Alto Networks next-generation firewall is
able to bring unparalleled application visibility and control back to the IT department.
Whether the need is to control one of the application categories such as P2P or social
networking, or a more general application visibility and control requirement, the Palo Alto
Networks firewall allows administrators to define traditional firewall policies to control their
application traffic.
Finally, the visibility available in one spot has significant benefits. Usually, visibility means
reviewing multiple log files, looking for the needle in a haystack. But Palo Alto Networks
data centre customers have found that the application visibility, the traffic visibility, coupled
with the inbound URL and threat logs all available in one user interface eliminate the
either/or choice between visibility and efficiency.
Using a stateful inspection firewall plus an IPS to identify and control applications,
IT organizations must rely on simple signatures, but application port-agility and
SSL encryption can render those signatures useless: "find it and kill it" only works when
you can find it. Everything else gets through. And that means the ability to effectively
control applications is very limited.
Bottom line: if the firewall uses stateful inspection to classify traffic, it isn't a
next-generation firewall. If it isn't a next-generation firewall, it doesn't really
change anything for your network security.
Facebook is rapidly extending its influence from the personal world to the corporate world
as employees use these applications to get their jobs done. At the same time, many
organizations are looking at the nearly 400 million Facebook users as an opportunity to
conduct research, execute targeted marketing, gather product feedback and increase
awareness. The end result is that Facebook can help organizations improve their bottom
line. However, formally enabling the use of Facebook introduces several challenges to
organizations. Many organizations are unaware of how heavily Facebook is being used,
or for what purpose. In most cases, policies governing specific usage are non-existent or
unenforceable. Finally, users tend to be too trusting, operating in a "click now, think later"
mentality which introduces significant security risks.
Like any application that is brought into the enterprise by end-users, blindly allowing
Facebook may result in propagation of threats, loss of data and damage to the corporate
reputation. Blindly blocking is also an inappropriate response because Facebook may play an
important role in the business, and blocking may force users to find alternative means of accessing
Facebook (proxies, circumvention tools, etc.). Organizations should follow a systematic
process to develop, enable and enforce appropriate Facebook usage policies while
protecting network resources.
1. Find out who's using Facebook. There are many cases where there may already be a
corporate Facebook presence established by marketing or sales, so it is critical that IT
determine which social networking applications are in use, who is using them and the
associated business objectives. By meeting with the business groups and discussing
the common company goals, IT can use this step to move away from the image of
always saying no and towards the role of business enabler.
2. Develop a corporate Facebook policy. Once visibility into Facebook usage patterns
is established, organizations should engage in discussions regarding what should and
should not be said or posted about the company and the competition, and what language is
appropriate. Educating users on the security risks associated with Facebook is another
important element in encouraging usage for business purposes. With a "click first, think
later" mentality, Facebook users tend to place too much trust in their friend network,
potentially introducing malware while placing personal and corporate data at risk.
3. Use Technology to Monitor and Enforce Policy. The outcome of each of these
discussions should be documented with an explanation of how IT will apply security
policies to safely and securely enable use of Facebook within enterprise environments.
Palo Alto Networks next-generation firewalls allow organizations to take a very systematic
approach to enabling the secure use of Facebook by determining usage patterns,
establishing and enforcing corporate policies that enable the business objectives in a
secure manner.
Identify Who is Using Facebook: The first step in safely enabling the use of
Facebook (or other social networking applications) is to identify which applications are
being used and which employees are using them. Facebook, along with other social
networking applications, has added companion applications like email and chat and has
opened its platform to developers with Facebook Apps.
In addition to the base Facebook application, Palo Alto Networks can identify and
control Facebook Apps, Facebook Mail, Facebook Chat, Facebook Posting (read-only) and
Facebook Social Plugins.
Define and Enforce Appropriate Usage Policies: Once the Facebook applications and
associated users have been identified (via directory services integration), administrators
can apply appropriate usage policies that support the goals and objectives. Enforcing policy
control that spans both personal and professional use of Facebook requires a delicate
balancing act. Policies must be flexible enough to enable the business and allow some
personal use (where appropriate), yet be effective enough to protect the enterprise from
security or business risks. For example, a Facebook read-only policy can be enabled to
strike a balance between block and allow. Using the identity of the specific applications
combined with the user information from directory services (Active Directory, LDAP,
eDirectory) enables administrators to apply policies that go far beyond the traditional allow
or deny. Policy options include:
- Allow or deny
- Allow but scan
Protect the Network From Attacks Propagated Across Facebook: With nearly 400
million users exchanging images, links and documents at a breakneck pace and a "click
now, think later" mentality, the Facebook population represents a very target-rich
environment for cyber criminals. Studies done by Kaspersky Labs show that social
networking sites are 10 times more effective at delivering malware than previous methods
of email delivery.
With a Palo Alto Networks next-generation firewall, a detailed Facebook application control
policy can be augmented with an equally detailed threat prevention policy, enabled
using the Palo Alto Networks integrated threat prevention engine. The threat prevention engine
detects and blocks a wide range of threats (spyware, Trojans, viruses, application
vulnerabilities) including Koobface.
Monitor and Control Unauthorized File and Data Transfers:
As part of the balancing act between personal and professional use, organizations must
also evaluate how best to implement policies that are designed to limit unauthorized
transfer of files and data. Taking advantage of the Palo Alto Networks data filtering
capabilities, administrators can apply policies to detect the flow of confidential data patterns
(credit card numbers, social security numbers and custom patterns) with varied response
options depending on the policy. In addition to the data filtering capabilities, file blocking by
type can also be enabled. More than 50 different file types are identified and can be
controlled with response options that include outright blocking, block and send the user a
warning message or log and send an alert to the administrator.
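The data filtering step described above, as an added illustration written for this page (not Palo Alto Networks code): a small detector for the confidential data patterns the text names (credit card numbers validated with a Luhn check, social security numbers, and a custom pattern), mapped to the response options of alert, block-and-warn, or block. The sample transfer, the PROJ-#### custom pattern and the policy table are constructed for the example.

```python
import re

# Constructed sample payload; the card numbers are standard test values, not real accounts.
SAMPLE_TRANSFER = (
    "Q3 customer export\n"
    "card: 4111 1111 1111 1111  exp 09/27\n"
    "card: 4111 1111 1111 1112  (typo, fails Luhn)\n"
    "ssn: 123-45-6789\n"
    "project code: PROJ-7788\n"
)

# Response options in increasing severity: log an alert, block and warn the user, block outright.
ACTIONS = ("allow", "alert", "block_warn", "block")
SEVERITY = {a: i for i, a in enumerate(ACTIONS)}

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: discards digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

PATTERNS = {
    # 13-19 digits, optionally separated by spaces or dashes; validated by Luhn in find_sensitive().
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    # SSN in AAA-GG-SSSS form, excluding invalid area/group/serial values.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Hypothetical custom pattern: an internal project code.
    "custom_project_code": re.compile(r"\bPROJ-\d{4}\b"),
}

# Hypothetical policy: which response each pattern triggers.
POLICY = {"credit_card": "block", "ssn": "block_warn", "custom_project_code": "alert"}

def find_sensitive(text: str):
    """Return (pattern_name, matched_text) for every confirmed hit."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(0)
            if name == "credit_card" and not luhn_valid(re.sub(r"[ -]", "", value)):
                continue        # looks like a card number but is not one
            hits.append((name, value))
    return hits

def decide(text: str):
    """Most severe response among all hits; 'allow' when nothing matched."""
    hits = find_sensitive(text)
    action = max((POLICY[n] for n, _ in hits), key=SEVERITY.get, default="allow")
    return action, hits

if __name__ == "__main__":
    print(decide(SAMPLE_TRANSFER))
```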
How it works
User-ID seamlessly integrates Palo Alto Networks firewalls with a range of enterprise
directory and terminal services offerings, enabling administrators to tie application activity
and security policies to users and groups, not just IP addresses. When used in
conjunction with App-ID and Content-ID, IT organizations can leverage user and group
information for visibility, policy creation, forensic investigation and reporting on application,
threat, web surfing and data transfer activity.
User-ID addresses the challenge of using IP addresses to monitor and control the activity
of specific network users, something that was once a fairly simple task but has become
difficult as enterprises moved to an Internet- and web-centric model.
The visibility problem is compounded in an increasingly mobile enterprise, where employees
access the network from virtually anywhere around the world, internal wireless networks
re-assign IP addresses as users move from zone to zone, and network users are not always
company employees.
Content-ID combines a real-time threat prevention engine with a comprehensive URL
database and elements of application identification to limit unauthorized data and file
transfers, detect and block a wide range of exploits, malware, dangerous web surfing as
well as targeted and unknown threats. The application visibility and control delivered by
App-ID, combined with the content inspection enabled by Content-ID means that IT
departments can regain control over application traffic and related content.
Enterprises of all sizes are at risk from a variety of increasingly sophisticated network-borne
threats that have evolved to avoid many of the industry's traditional security measures.
Palo Alto Networks Content-ID delivers a new approach based on the complete analysis of
all allowed traffic using multiple threat prevention and data-loss prevention techniques in a
single unified engine. Unlike traditional solutions, Palo Alto Networks actually controls the
threat vectors themselves through the tight control of all types of applications. This
immediately reduces the attack surface of the network, after which all allowed traffic is
analyzed for exploits, malware, dangerous URLs, dangerous or restricted files or content,
and even unknown threats attempting to breach the network are exposed.
Security best practices dictate that administrators strike a balance between being
proactive, continually learning and adapting to protect the corporate assets, and
being reactive, investigating, analyzing, and reporting on security incidents. ACC (the
Application Command Center) and the policy editor can be used to proactively apply
application enablement policies, while a rich set of monitoring and reporting tools provides
organizations with the necessary means to analyze and report on the applications, users
and content flowing through the Palo Alto Networks next-generation firewall.
App-Scope: Complementing the real-time view of applications and content
provided by ACC, App-Scope provides a dynamic, user-customizable view of
application, traffic, and threat activity over time.
Reporting: Predefined reports can be used as-is, customized, or grouped
together as one report in order to suit the specific requirements. All reports can be
exported to CSV or PDF format and can be executed and emailed on a scheduled
basis.
Logging: Real-time log filtering facilitates rapid forensic investigation into every
session traversing the network. Log filter results can be exported to a CSV file or
sent to a syslog server for offline archival or additional analysis.
Trace Session Tool: Accelerate forensics or incident investigation with a
centralized correlated view across all of the logs for traffic, threats, URLs, and
applications related to an individual session.
Such initiatives are mission-critical for the enterprise as they can directly save time,
money and manpower. Users have also migrated beyond the reach of the traditional
enterprise network. Users simply expect to be able to take their work with them and
to stay connected from anywhere. Unlike in the past, this behaviour is no longer
limited to the traditional road-warriors or home-office employees. Due to the
widespread availability of new networking technologies such as WiFi and 3G/4G,
end-users have become very accustomed to having Internet connectivity literally
everywhere they go. The rise of iOS-based devices such as the iPhone and iPad has
made users even more mobile, and in some cases, more difficult to recognize and
secure. In some cases, these technologies lead to counter-intuitive situations where
users may accidentally roam outside of the corporate network even though they may
still be physically inside a corporate building.
To meet this goal, the logical perimeter must first standardize on the corporate
security policy as the rule of law for all network connections regardless of where they
occur. Security policies, like any rules or laws, must be applied consistently if they are
expected to serve their purpose. If the rules only apply in certain circumstances, then
they cease to be rules in any true sense and exceptions quickly become the norm.
This is precisely the situation that security teams find themselves in today. Users
have been mobile for many years, and enterprises have gradually become
accustomed to settling for a reduced quality of security for these users. The logical
perimeter establishes consistent security policy based on applications and users,
and in the process clearly sets the bar for new projects and what security levels they
will be expected to meet. While this step may seem obvious, it is nevertheless
extremely important to have a strong directive in order to push back against a
long-established trend of making security exceptions for remote users.
Secondly, network users outside the corporate network should receive the same
protections that are provided when inside the physical network. For example,
firewalling decisions should provide the same visibility and control of applications,
users and content established by the next-generation firewall at the traditional
perimeter. In fact, this requirement is particularly important for end-users in the field,
as client applications are very likely to be evasive and route around traditional
port-based controls.
Additionally, users may revert to less strict browsing behaviours when away from the
office, exposing them to even more potential threats. As with firewall controls, users
should be protected by the full complement of IPS and threat prevention when they
are outside the physical network. This means true network-based IPS, malware and
botnet control, as well as file, URL and content filtering. Obviously, users are
exposed to just as many risks and threats when outside the network, so it only
makes sense that they should receive the enterprise's best protections.
One of the key concepts behind the next-generation firewall is the ability to enforce
policies based on user or user group. Instead of relying on IP address, the Palo Alto
Networks next-generation firewall integrates with the enterprise directory
infrastructure to uniquely identify and enforce policy to individual users and
machines. The User-ID technology integrates with a variety of directories including
Active Directory, eDirectory, Open LDAP, Citrix Terminal Server, Microsoft Terminal
Server and XenWorks.
User-ID can also be configured to monitor logon events from clients accessing their
Microsoft Exchange mailbox, enabling the solution to identify Mac OS X, Apple iOS,
and Linux/UNIX client systems that don't directly authenticate to the domain.
GlobalProtect extends these controls to incorporate the configuration of the end
user's device. If the user's endpoint is not properly secured, security teams can
automatically enforce network controls to compensate. For example, a user may
have rights to access certain information on the enterprise network, but the
GlobalProtect Gateway can prevent that user from downloading files if his laptop is
not using disk encryption. Or alternatively, if the host antivirus is out of date, staff can
automatically restrict access to social networking sites where malware tends to
propagate. When added to the application, user and content controls available from
the Palo Alto Networks next-generation firewall, security teams now have a level of
control and flexibility that they have never had from traditional solutions. Just as the
next-generation firewall allows for more granular controls of firewall policy,
GlobalProtect offers granular control of user rights based on their host configuration.
Policies can be based on the following host characteristics.
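As an added illustration written for this page (not Palo Alto Networks code and not PAN-OS policy syntax), the model below shows how the three kinds of condition discussed above combine: the application identity and user group from the Facebook policy options (allow, deny, allow-but-scan, read-only) and the host-profile conditions from the GlobalProtect examples (disk encryption, antivirus currency). Rules are evaluated first-match with an implicit deny; rule names, application labels, group names and host attribute names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    groups: set          # groups resolved from the directory (User-ID style)
    app: str             # application label (App-ID style), e.g. "facebook-posting"
    host: dict           # host profile reported by the endpoint client; {} if none reported

@dataclass
class Rule:
    name: str
    apps: set
    groups: set = field(default_factory=set)   # empty: any user
    hip: dict = field(default_factory=dict)    # required host attributes; empty: any host
    action: str = "deny"                       # deny | allow | allow-scan | read-only

def hip_matches(required: dict, host: dict) -> bool:
    # An attribute the client never reported does not satisfy a condition, so a
    # session with no host profile only matches rules that impose no HIP condition.
    return all(k in host and host[k] == v for k, v in required.items())

def evaluate(rules, s: Session):
    """First-match lookup returning (rule name, action); implicit deny if nothing matches."""
    for r in rules:
        if s.app not in r.apps:
            continue
        if r.groups and not (r.groups & s.groups):
            continue
        if not hip_matches(r.hip, s.host):
            continue
        return r.name, r.action
    return "implicit-deny", "deny"

FACEBOOK = {"facebook-base", "facebook-chat", "facebook-posting"}

# Hypothetical rulebase; restrictive host-profile rules sit above the enabling rules.
RULES = [
    Rule("no-download-unencrypted-disk", {"file-sharing"},
         hip={"disk_encrypted": False}, action="deny"),
    Rule("no-social-stale-av", FACEBOOK, hip={"av_current": False}, action="deny"),
    Rule("marketing-facebook", FACEBOOK, groups={"marketing"}, action="allow-scan"),
    Rule("everyone-facebook-readonly", {"facebook-base"}, action="read-only"),
    Rule("employees-file-sharing", {"file-sharing"}, groups={"employees"},
         action="allow-scan"),
]

GOOD_HOST = {"disk_encrypted": True, "av_current": True}

def decide(user, groups, app, host=None):
    """Convenience wrapper used by the demo below and by tests."""
    return evaluate(RULES, Session(user, set(groups), app, host or {}))

if __name__ == "__main__":
    print(decide("alice", ["marketing", "employees"], "facebook-posting", GOOD_HOST))
    print(decide("alice", ["marketing", "employees"], "facebook-posting",
                 {"disk_encrypted": True, "av_current": False}))
    print(decide("bob", ["employees"], "file-sharing", {"disk_encrypted": False}))
```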