Contents
Palo Alto Networks - Next Generation Firewall
Enterprises Need Application Visibility and Control
Key Next-Generation Firewall Requirements:
Visibility: Turning On the Lights
Control: Safe Enablement vs. Blindly Blocking
Specific Examples: Google Talk and UltraSurf
Enabling the Secure Use of Facebook
How it works
App-ID: Classifying All Applications, All Ports, All the Time
User-ID: Enabling Applications by Users and Groups
Content-ID: Protecting Allowed Traffic
Extending The Network Perimeter
The Logical Perimeter: A Strategic Solution
GlobalProtect + Next-Generation Firewall = The Logical Perimeter
Enforce Network Controls Based on User, Role, and User Profile
Information technology security has been developing steadily over the past couple of
decades, mostly in an evolutionary way. Every now and then, however, the evolutionary
path is disrupted by a revolutionary change. Examples are the introduction of stateful
inspection on firewalls, the entry and subsequent dominance of easy-to-use, purpose-built
firewall appliances, and the expansion of UTM functionality. Today we are witnessing a
similar revolutionary change: one that does away with the traditional complexity and
murkiness of network traffic inspection and control, that readily identifies applications and
separates the bad from the good, and that lets network security administrators see with
unprecedented ease not just what kind of traffic is flowing across the network but also
who exactly is generating it. This technology enables quick discovery and remediation of
all aspects of a network security issue, providing not just an adequate response to the
incident itself but also almost immediate insight into the questions a security administrator
most needs answered: what the incident is, where it comes from, what its impact would be,
and who exactly caused it.
By discarding the traditional traffic classification mechanisms of port and protocol, and
taking an application-centric approach, the Palo Alto Networks next-generation firewall is
able to bring unparalleled application visibility and control back to the IT department.
Whether the need is to control one application category, such as P2P or social
networking, or to meet a more general application visibility and control requirement, the
Palo Alto Networks firewall allows administrators to define traditional firewall policies that
control their application traffic.
Armed with this information, administrators can make more informed enablement decisions.
It's like turning on the lights in a dark room: suddenly everything is illuminated and easily
seen, and administrators can act on it. With a traditional firewall plus IPS or other add-ons,
administrators are not given this level of detail; they only know what they have configured
the IPS to look for. It's very much like using a flashlight in a dark room: you only have
limited visibility into the small area you are focused on.
Finally, having all of this visibility in one place has significant benefits. Usually, visibility
means reviewing multiple log files, looking for the needle in a haystack. Palo Alto Networks
data centre customers have found that the application visibility and the traffic visibility,
coupled with the inbound URL and threat logs, all available in one user interface, eliminate
the either/or choice between visibility and efficiency.
associated business objectives. By meeting with the business groups and discussing
common company goals, IT can use this step to move away from the image of
always saying no and towards the role of business enabler.
2. Develop a corporate Facebook policy. Once visibility into Facebook usage patterns
has been established, organizations should discuss what should and should not be said
or posted about the company and the competition, and what language is appropriate.
Educating users on the security risks associated with Facebook is another important
element in encouraging usage for business purposes. With a "click first, think later"
mentality, Facebook users tend to place too much trust in their friend network,
potentially introducing malware while placing personal and corporate data at risk.
3. Use technology to monitor and enforce policy. The outcome of each of these
discussions should be documented, with an explanation of how IT will apply security
policies to safely and securely enable the use of Facebook within the enterprise.
Palo Alto Networks next-generation firewalls allow organizations to take a systematic
approach to enabling the secure use of Facebook: determining usage patterns, then
establishing and enforcing corporate policies that enable the business objectives in a
secure manner.
Identify Who is Using Facebook: The first step in safely enabling the use of
Facebook (or other social networking applications) is to identify which applications are
being used and which employees are using them. Facebook, along with other social
networking applications, has added companion applications like email and chat and has
opened its platform to developers with Facebook Apps.
In addition to the base Facebook application, Palo Alto Networks can identify and
control Facebook Apps, Facebook Mail, Facebook Chat, Facebook Posting (read-only) and
Facebook Social Plugins.
Define and Enforce Appropriate Usage Policies: Once the Facebook applications and
the associated users have been identified (via directory services integration), administrators
can apply appropriate usage policies that support the goals and objectives. Enforcing policy
control that spans both personal and professional use of Facebook requires a delicate
balancing act. Policies must be flexible enough to enable the business and allow some
personal use (where appropriate), yet effective enough to protect the enterprise from
security or business risks. For example, a Facebook read-only policy can be enabled to
strike a balance between block and allow. Using the identity of the specific applications
combined with the user information from directory services (Active Directory, LDAP,
eDirectory) enables administrators to apply policies that go far beyond the traditional allow
or deny. Policy options include:
Allow or deny
Protect the Network From Attacks Propagated Across Facebook: With nearly 400
million users exchanging images, links and documents at a breakneck pace, and a "click
now, think later" mentality, the Facebook population represents a very target-rich
environment for cyber criminals. Studies by Kaspersky Lab show that social
networking sites are 10 times more effective at delivering malware than the previous
method of email delivery.
With a Palo Alto Networks next-generation firewall, a detailed Facebook application control
policy can be augmented with an equally detailed threat prevention policy, enabled using
the Palo Alto Networks integrated threat prevention engine. The threat prevention engine
detects and blocks a wide range of threats (spyware, Trojans, viruses, application
vulnerabilities), including Koobface.
Monitor and Control Unauthorized File and Data Transfers:
As part of the balancing act between personal and professional use, organizations must
also evaluate how best to implement policies that are designed to limit unauthorized
transfer of files and data. Taking advantage of the Palo Alto Networks data filtering
capabilities, administrators can apply policies to detect the flow of confidential data patterns
(credit card numbers, social security numbers and custom patterns) with varied response
options depending on the policy. In addition to the data filtering capabilities, file blocking by
type can also be enabled. More than 50 different file types are identified and can be
controlled with response options that include outright blocking, block and send the user a
warning message or log and send an alert to the administrator.
How it works
App-ID: Classifying All Applications, All Ports, All the Time
Accurate traffic classification is the heart of any firewall, with the result becoming the basis
of the security policy. Traditional firewalls classify traffic by port and protocol, which, at one
point, was a satisfactory mechanism for securing the network. Today, applications can
easily bypass a port-based firewall by hopping ports, using SSL and SSH, sneaking across
port 80, or using non-standard ports. App-ID addresses the traffic classification visibility
limitations that plague traditional firewalls by applying multiple classification mechanisms to
the traffic stream, as soon as the firewall sees it, to determine the exact identity of the
applications traversing the network.
Unlike add-on offerings that rely solely on IPS-style signatures implemented after
port-based classification, App-ID automatically uses up to four different traffic
classification mechanisms to identify each application. App-ID continually monitors the
application state, re-classifying the traffic and identifying the different functions that are
being used. The security policy determines how to treat the application: block, allow, or
securely enable (scan for and block embedded threats, inspect for unauthorized file
transfers and data patterns, or shape using QoS).
User-ID seamlessly integrates Palo Alto Networks firewalls with a range of enterprise
directory and terminal services offerings, enabling administrators to tie application activity
and security policies to users and groups, not just IP addresses. When used in
conjunction with App-ID and Content-ID, IT organizations can leverage user and group
information for visibility, policy creation, forensic investigation and reporting on application,
threat, web surfing and data transfer activity.
User-ID addresses the challenge of using IP addresses to monitor and control the activity
of specific network users, something that was once a fairly simple task but has become
difficult as enterprises moved to an Internet- and web-centric model.
Content-ID combines a real-time threat prevention engine with a comprehensive URL
database and elements of application identification to limit unauthorized data and file
transfers, detect and block a wide range of exploits, malware, dangerous web surfing as
well as targeted and unknown threats. The application visibility and control delivered by
App-ID, combined with the content inspection enabled by Content-ID means that IT
departments can regain control over application traffic and related content.
Enterprises of all sizes are at risk from a variety of increasingly sophisticated network-borne
threats that have evolved to avoid many of the industry's traditional security measures.
Palo Alto Networks Content-ID delivers a new approach based on the complete analysis of
all allowed traffic using multiple threat prevention and data-loss prevention techniques in a
single unified engine. Unlike traditional solutions, Palo Alto Networks actually controls the
threat vectors themselves through tight control of all types of applications. This
immediately reduces the attack surface of the network, after which all allowed traffic is
analyzed for exploits, malware, dangerous URLs, and dangerous or restricted files or
content, and even unknown threats attempting to breach the network are exposed.
Behavioural Botnet Detection: App-ID classifies all traffic at the application level,
thereby exposing any unknown traffic on the network, which is often an indication
of malware or other threat activity. The behavioural botnet report analyzes network
behaviour indicative of a botnet infection, such as repeatedly visiting malware
sites, using dynamic DNS, IRC, and other potentially suspicious behaviours. The
results are displayed as a list of potentially infected hosts that can be
investigated as possible members of a botnet.
Traffic Monitoring: Analysis, Reporting and Forensics
Security best practices dictate that administrators strike a balance between being
proactive, continually learning and adapting to protect the corporate assets, and
being reactive, investigating, analyzing, and reporting on security incidents. ACC and
the policy editor can be used to proactively apply application enablement policies,
while a rich set of monitoring and reporting tools provides organizations with the
necessary means to analyze and report on the applications, users and content flowing
through the Palo Alto Networks next-generation firewall.
App-Scope: Complementing the real-time view of applications and content
provided by ACC, App-scope provides a dynamic, user-customizable view of
application, traffic, and threat activity over time.
Reporting: Predefined reports can be used as-is, customized, or grouped
together as one report in order to suit the specific requirements. All reports can be
exported to CSV or PDF format and can be executed and emailed on a scheduled
basis.
Logging: Real-time log filtering facilitates rapid forensic investigation into every
session traversing the network. Log filter results can be exported to a CSV file or
sent to a syslog server for offline archival or additional analysis.
Trace Session Tool: Accelerate forensics or incident investigation with a
centralized correlated view across all of the logs for traffic, threats, URLs, and
applications related to an individual session.
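The behavioural botnet report and the CSV log export described above can be approximated offline. The following added example (not Palo Alto Networks code) scores each source host from a constructed CSV export of traffic logs using the behaviours the paper lists: repeated visits to malware-categorized sites, dynamic DNS, IRC and unknown applications. The column names and the scoring weights are assumptions, not a real PAN-OS log schema or the vendor's actual heuristic.

```python
import csv
import io
from collections import defaultdict

# Constructed sample CSV export of traffic/URL logs (hypothetical column names).
SAMPLE_CSV = """src_ip,app,dst_host,url_category,dst_port
10.1.1.5,web-browsing,update.example.com,computer-and-internet-info,80
10.1.1.7,web-browsing,bad1.example.net,malware,80
10.1.1.7,web-browsing,bad2.example.net,malware,80
10.1.1.7,web-browsing,bad1.example.net,malware,80
10.1.1.7,dns,host.dyndns-example.org,dynamic-dns,53
10.1.1.7,irc,irc.example.net,unknown,6667
10.1.1.9,irc,irc.example.net,unknown,6667
10.1.1.9,unknown-tcp,203.0.113.9,unknown,4444
10.1.1.5,ssl,mail.example.com,computer-and-internet-info,443
"""

# Assumed weights for each indicator; a single malware-site hit is ignored
# because the paper's indicator is *repeated* visits.
WEIGHTS = {"malware_site_visits": 2, "dynamic_dns": 3, "irc": 3, "unknown_app": 2}
MALWARE_REPEAT_THRESHOLD = 2


def score_hosts(csv_text, threshold=5):
    """Return [(src_ip, score, reasons)] for hosts at or above threshold."""
    counters = defaultdict(lambda: dict.fromkeys(WEIGHTS, 0))
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = counters[row["src_ip"]]
        if row["url_category"] == "malware":
            host["malware_site_visits"] += 1
        if row["url_category"] == "dynamic-dns":
            host["dynamic_dns"] += 1
        if row["app"] == "irc":
            host["irc"] += 1
        if row["app"].startswith("unknown-"):  # unclassified traffic per App-ID
            host["unknown_app"] += 1

    results = []
    for ip, c in counters.items():
        score, reasons = 0, []
        if c["malware_site_visits"] >= MALWARE_REPEAT_THRESHOLD:
            score += WEIGHTS["malware_site_visits"] * c["malware_site_visits"]
            reasons.append(f"{c['malware_site_visits']} malware-site visits")
        for key in ("dynamic_dns", "irc", "unknown_app"):
            if c[key]:
                score += WEIGHTS[key]
                reasons.append(key.replace("_", " "))
        if score >= threshold:
            results.append((ip, score, reasons))
    return sorted(results, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for ip, score, reasons in score_hosts(SAMPLE_CSV):
        print(f"{ip}: score {score} ({', '.join(reasons)})")
```

The output is a ranked list of potentially infected hosts with the reasons behind each score, which is the starting point for the investigation the report is meant to trigger.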
users may accidentally roam outside of the corporate network even though they may
still be physically inside a corporate building.
Secondly, network users outside the corporate network should receive the same
protections that are provided when inside the physical network. For example,
firewalling decisions should provide the same visibility and control of applications,
users and content established by the next-generation firewall at the traditional
perimeter. In fact, this requirement is particularly important for end-users in the field,
as client applications are very likely to be evasive and route around traditional
port-based controls.
Additionally, users may revert to less strict browsing behaviours when away from the
office, exposing them to even more potential threats. As with firewall controls, users
should be protected by the full complement of IPS and threat prevention when they
are outside the physical network. This means true network-based IPS, malware and
botnet control, as well as file, URL and content filtering. Obviously, users are
exposed to just as many risks and threats when outside the network, so it only
makes sense that they should receive the enterprise's best protections.
Key Requirements of the Logical Perimeter:
Establishes a consistent set of policies based on applications and users that apply
to all traffic
Provides the same protections outside as inside
Delivers enterprise performance and reliability
One of the key concepts behind the next-generation firewall is the ability to enforce
policies based on user or user group. Instead of relying on IP addresses, the Palo Alto
Networks next-generation firewall integrates with the enterprise directory
infrastructure to uniquely identify individual users and machines and enforce policy
on them. The User-ID technology integrates with a variety of directories including
Active Directory, eDirectory, Open LDAP, Citrix Terminal Server, Microsoft Terminal
Server and XenWorks.
User-ID can also be configured to monitor logon events from clients accessing their
Microsoft Exchange mailbox, enabling the solution to identify Mac OS X, Apple iOS,
and Linux/UNIX client systems that don't directly authenticate to the domain.
GlobalProtect extends these controls to incorporate the configuration of the end
user's device. If the user's endpoint is not properly secured, security teams can
automatically enforce network controls to compensate. For example, a user may
have rights to access certain information on the enterprise network, but the
GlobalProtect Gateway can prevent that user from downloading files if his laptop is
not using disk encryption. Alternatively, if the host antivirus is out of date, staff can
automatically restrict access to social networking sites, where malware tends to
propagate. When added to the application, user and content controls available from
the Palo Alto Networks next-generation firewall, security teams now have a level of
control and flexibility that they have never had from traditional solutions. Just as the
next-generation firewall allows for more granular control of firewall policy,
GlobalProtect offers granular control of user rights based on their host configuration.
Policies can be based on the following host characteristics.