BEST PRACTICES
SECURING YOUR NETWORK BY APPLICATION
Visibility and Attack Surface Reduction
Palo Alto Networks has identified hundreds of applications used to slyly deliver threats into victim organizations, most of which could have been prevented.
Visibility, Control, and Policy
Applications lie at the core of your business and network traffic. They’re an integral part
of how business is done. Because of that, they’re designed to be highly available to users.
To achieve this goal, applications use non-standard ports, and even “hop ports” by going
from port to port until they find an open one, to ensure users always have access. There
is no guarantee that a given set of ports will always define an application, which is why
security policies should be applied to traffic associated with applications, instead of just
ports. Palo Alto Networks has identified hundreds of applications used to slyly deliver
threats into victim organizations, most of which could have been prevented.
Palo Alto Networks® Next-Generation Firewall (NGFW) identifies traffic by application
first, using our App-ID™ technology, regardless of port or protocol. This allows you
to create security and usage policies based on applications and their corresponding
functions, like chat or file sharing.
Customers typically combine App-ID with our User-ID™ technology, which identifies
users regardless of IP address or device, to view and understand their traffic within the
context of who is accessing what on the network.
A Phased Approach to Application-Based Security
Whether you’ve just implemented Palo Alto Networks products or have been administering them for years, make sure you’re maximizing their full value by reviewing our best
practices for identifying and securing traffic by application.
As with any technology, there is usually a gradual approach to a complete implementation, consisting of carefully planned deployment phases meant to make the transition as
smooth as possible, with minimal impact to your end users. With this approach in mind,
we’ve recommended our NGFW best practices in three phases, each building on the
recommendations before it. The ultimate goal for your NGFW implementation should
be to end up with a robust next-generation policy based on application, for any port and
protocol.
Palo Alto Networks | Best Practices Guide
There are two basic approaches to deploying application-based policies with App-ID:
1. Migrate existing policies from your legacy, port-based firewall.
2. Start from scratch and build policies from the ground up, either in a previously unprotected network location or as a slow transition from a legacy, port-based firewall.
This chapter will speak to the recommended best practices for each approach: “Migrating
Existing Policies” and “Starting From Scratch.”
Palo Alto Networks LIVE Community – App-ID
Learn more about App-ID technology
Figure 1: Migration paths

Migrating Existing Policy: Legacy → Protocol/Port Conversion, Content-ID → Consolidation, User-ID → Next-Generation
Pros
• Conservative, Step-by-Step Approach
• Retains Historical Rules
• Low Risk
• Low Impact

VS

Starting from Scratch: Legacy → App-ID Migration (Virtual-wire behind legacy firewall) → Replace legacy firewall → Next-Generation
Pros
• No Special Tools Required
• Easy to Create App-ID Rules and Eliminate Cruft
• Relatively Quick
Tip: Use our Migration Tool to speed up the migration process. Engage our Professional Services team to complete this process even more quickly or to take this task off your hands completely.
PHASE 1: APPLICATION VISIBILITY
Because App-ID technology is a standard feature of our next-generation firewalls, application visibility is something our customers achieve simply by turning on their firewall.
Migrating existing policies:
Most of our customers deploy one of our next-generation firewalls by migrating existing
policies from their legacy firewalls. This takes the existing port-and-protocol policies and
converts them, like for like, to PAN-OS® policies. When this conversion is done, you’ll
be running your NGFW in production, but with your port-based policy. However, even
though the firewall is running port-based policies, it’s still logging application data, which
you can leverage to create accurate application-based rules that parallel the legacy rules
and act as a conduit for risk reduction and rule consolidation through our unique capability
of setting application, user, content, and security parameters within a single rule.
Learn about Palo Alto Networks Migration Tool
Tip: Think about processes or events that may occur less frequently than your 30 days might allow – for example, an accounting audit which may only happen once per year that utilizes a specific set of applications, or a major national or international sporting event which may occur once every few months that utilizes a specific streaming application.
Starting from scratch – Baseline visibility:
You may be in a position where you want to build your own next-generation policy from scratch. However, before you can start creating effective application-based policies, you must first understand your organization’s traffic flow and/or log data.
Don’t stop here! Continuing to the next phase and implementing application-based policies to replace legacy port-and-protocol-based policies is critical to realizing the full value of your Palo Alto Networks Next-Generation Security Platform.
The first step is to place your NGFW in virtual-wire or transparent mode behind, or in front of, your legacy firewall with an explicit “allow-any-any” rule. You won’t be enforcing any policy, but you will have visibility of all traffic within the context of applications, which will give you a baseline for building policies later on. Leaving this setup in place for at least 30 days will give you a decent representation of your traffic mix.
Administrator’s Guide:
• Monitoring
PHASE 2: NEXT-GENERATION POLICIES
Migrating existing policies – Converting to application-based policies
Tip: Automated tools help streamline much of this process by handling hundreds of rules at a time. However, remember that human judgment is also an important part of this process.
Tip: Before either your migration to or creation of application-based policies, consider adding rules to selectively decrypt SSL flows to provide further visibility into what’s really contained in that traffic. This will allow you to simultaneously build rules to account for encrypted traffic to which you otherwise would be blind. By decrypting traffic before building application-based rules, you’ll have more visibility into and control of the applications being used.
After your NGFW has at least 30 days of production traffic, you’ll have enough logs to
accurately identify your organization’s traffic mix, and you can begin migrating your legacy
rules to application-based rules. During this time, it’s a good idea to monitor traffic and
converted rules to make sure end users are not impacted by blocked services, for example.
You’ll continue to monitor as you migrate all port-based rules to application-based rules.
Make sure to look at actual log data because there are often applications hitting certain
rules that may be surprising. The goal is to safely enable applications by making sure
you’ve properly enabled all legitimate applications, as well as identified and restricted
those that have no business on, or pose a danger to your network.
The best way to do this is to go rule by rule, looking at which applications are being allowed
or denied, cloning the rule, and populating the App-ID field. Then you’ll move the new
rule above the original and let traffic run through it for another 30-90 days to verify that
no traffic is still hitting that original rule. Once you’ve confirmed this, you can remove the
original, port-based rule. The most important step in the process is removing port-based
rules, so make sure this is done for every rule that has been converted.
Once all port-based rules have been removed, your policy set will primarily be application-based, which will allow or deny traffic at the application level, even if the application
uses a non-standard port. There will likely still be a few policies that are port-based where
appropriate.
Figure 2: The bottom rule is an example of a migrated legacy policy, while the top rule is an example of next-generation policy because it includes the application identification information, using App-ID.
Tip: Combine application-based policies with User-ID technology to ensure that only users who need access to certain restricted applications actually have access, and further reduce your organization’s risk. Introducing User-ID can be done earlier in the process, but after you have an application-based rule set, you’ll have a much better, more organized view of which users should be reflected in which rules.
Tip: Build threat policies, such as vulnerability protection, URL filtering categories, and anti-malware rules, as you create App-ID rules. This will not only help you identify and act on malicious content, but will also make this process more efficient, as you’re already going through each rule.
Starting from scratch – Building App-ID policies
Once you have 30 days worth of traffic and a comprehensive representation of your
traffic, you can begin to build application-based policy. Leave the virtual wire in place
as you create your new policies, and as you build out the rule set, you’ll see less and less
traffic hitting the allow-any-any rule you started with.
When no legitimate traffic continues to hit the explicit “allow-any-any rule,” change this
into a deny-any-any rule. You’re now ready to completely replace the legacy firewall
with your NGFW.
Administrator’s Guide:
• Set up basic security policies
• Use application objects in policy
PHASE 3: CONSOLIDATION, CUSTOMIZATION, AND RISK REDUCTION
Now that you have application-based policies in place, you may be able to consolidate the
number of policies and further build out your rule set by adding custom applications, using
the vast library of Palo Alto Networks’ application decoders.
Rule consolidation reduces management overhead by simplifying your view of what’s allowed or blocked by your NGFW. Instead of having a single rule each for application, user,
and threat protection, for example, we allow you to combine these traffic parameters into
a single policy, oftentimes significantly reducing the number of rules you must manage,
making it much easier to keep rule sets updated.
Administrator’s Guide:
• Configure custom App-IDs
• Manage custom or unknown applications
Migrating existing policies – Consolidating rules
Once a rule set has been migrated to App-ID, it’s worth reviewing the entire policy for
opportunities to consolidate – looking specifically for rules that:
1. Are shadowed by other rules.
2. Can be combined by address groups, application groups, or other methods.
3. Are no longer used.
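The rule-by-rule Phase 2 procedure above (clone the rule, populate App-ID from what the logs show, move the clone above the original, then watch whether the original still gets hits) and the three Phase 3 consolidation checks share one underlying idea: a top-down, first-match rulebase replayed against logged flows. The following is an added example, not Palo Alto Networks code and not the PAN-OS API or Migration Tool; it models rules with three simplified match fields (source zone, service, App-ID) and replays a handful of constructed log records. All rule names, zones, services and log entries are constructed for the illustration, and the shadowing check is the general superset test, not only the single case a migrated rulebase shows.

```python
"""Added example, not Palo Alto Networks code: a toy first-match rulebase used to
walk through the Phase 2 clone-and-verify step and the Phase 3 consolidation checks.
Rule fields and log records are simplified, constructed stand-ins for PAN-OS objects."""
from dataclasses import dataclass, replace as dc_replace

ANY = None                       # wildcard value for a rule field
FIELDS = ("src", "port", "app")  # Rule attribute name == key in a log record

@dataclass(frozen=True)
class Rule:
    name: str
    src: object    # frozenset of source zones, or ANY
    port: object   # frozenset of services such as "tcp/443", or ANY
    app: object    # frozenset of App-ID names, or ANY on a legacy port-only rule
    action: str = "allow"

def _covers(outer, inner):
    """True when every flow `inner` could match is also matched by `outer`."""
    return outer is ANY or (inner is not ANY and inner <= outer)

def first_match(policy, flow):
    """Top-down, first-match evaluation, as a firewall rulebase does it."""
    for rule in policy:
        if all(getattr(rule, f) is ANY or flow[f] in getattr(rule, f) for f in FIELDS):
            return rule
    return None

def replay(policy, flows):
    """Hit count per rule after replaying log records; key None = unmatched flows."""
    hits = {**{r.name: 0 for r in policy}, None: 0}
    for flow in flows:
        rule = first_match(policy, flow)
        hits[rule.name if rule else None] += 1
    return hits

def apps_hitting(policy, flows, rule_name):
    """The App-IDs the logs show landing on one (port-based) rule."""
    return {f["app"] for f in flows
            if (r := first_match(policy, f)) and r.name == rule_name}

def clone_with_app_id(policy, rule_name, allowed_apps):
    """Phase 2: clone the rule with App-ID populated and place it just above the original."""
    idx = [r.name for r in policy].index(rule_name)
    clone = dc_replace(policy[idx], name=rule_name + "-appid", app=frozenset(allowed_apps))
    return policy[:idx] + [clone] + policy[idx:]

def shadowed_rules(policy):
    """Phase 3 (1): rules an earlier rule fully covers, so they can never match."""
    found = []
    for i, rule in enumerate(policy):
        for earlier in policy[:i]:
            if all(_covers(getattr(earlier, f), getattr(rule, f)) for f in FIELDS):
                found.append((rule.name, earlier.name))
                break
    return found

def mergeable_rules(policy):
    """Phase 3 (2): rules identical except for source; candidates for one rule plus an address group."""
    groups = {}
    for r in policy:
        groups.setdefault((r.port, r.app, r.action), []).append(r.name)
    return [names for names in groups.values() if len(names) > 1]

def unused_rules(hits):
    """Phase 3 (3): rules that saw no traffic in the observation window."""
    return [name for name, count in hits.items() if name is not None and count == 0]

# Constructed legacy, port-based rulebase (stand-in for a like-for-like migrated policy).
LEGACY = [
    Rule("allow-web", ANY, frozenset({"tcp/80", "tcp/443"}), ANY),
    Rule("allow-dns", frozenset({"trust"}), frozenset({"udp/53"}), ANY),
    Rule("allow-dns-guest", frozenset({"guest"}), frozenset({"udp/53"}), ANY),
    Rule("allow-mail", frozenset({"trust"}), frozenset({"tcp/443"}), ANY),
    Rule("deny-all", ANY, ANY, ANY, action="deny"),
]
# Constructed traffic-log records: App-ID is logged even while the rules enforce by port.
LOGS = [
    {"src": "trust", "port": "tcp/443", "app": "web-browsing"},
    {"src": "trust", "port": "tcp/443", "app": "web-browsing"},
    {"src": "trust", "port": "tcp/443", "app": "ssl"},
    {"src": "trust", "port": "tcp/443", "app": "bittorrent"},  # the surprising app on the web rule
    {"src": "trust", "port": "udp/53", "app": "dns"},
    {"src": "guest", "port": "udp/53", "app": "dns"},
    {"src": "guest", "port": "tcp/22", "app": "ssh"},
]

def migrate_web_rule():
    """Worked Phase 2 step for allow-web: keep the apps that belong, insert the clone, replay."""
    seen = apps_hitting(LEGACY, LOGS, "allow-web")   # {'web-browsing', 'ssl', 'bittorrent'}
    legitimate = seen - {"bittorrent"}                # human judgment, not automation
    migrated = clone_with_app_id(LEGACY, "allow-web", legitimate)
    return migrated, replay(migrated, LOGS)

if __name__ == "__main__":
    policy, hits = migrate_web_rule()
    print("hits:", hits)  # allow-web still gets 1 hit (bittorrent), so it cannot be removed yet
    print(shadowed_rules(policy), mergeable_rules(policy), unused_rules(hits))
```

Running `migrate_web_rule()` shows the point of the 30-90 day verification window: the cloned `allow-web-appid` rule takes the legitimate flows, but the original port-based rule still receives the one bittorrent flow, so it is not yet safe to delete and the remaining traffic needs a decision. The consolidation pass then flags `allow-mail` as shadowed by `allow-web`, the two DNS rules as mergeable via an address group, and `allow-mail` as unused. Two caveats carry over from the page: real rules match on more fields (zones, addresses, users, URL categories), so a production shadow check must compare all of them, and a zero-hit rule may serve an infrequent process such as the annual audit mentioned earlier, so hit counts inform the decision rather than make it.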
Tip: Combine file blocking profiles to your application- and user-based policies by white- or black-listing file type upload and download restrictions to further reduce the risk of accidental infection and data loss.
Administrator’s Guide:
• Search duplicated rules by name
Our Commitment to Support Our Customers
Palo Alto Networks is committed to ensuring a successful deployment and provides
comprehensive support through our Global Customer Services organization. We
understand fully that failure is not an option. Our support offerings and training
programs are designed to mitigate any deployment concerns you may have.
• Palo Alto Networks Solution Assurance Services
• Palo Alto Networks Customer Support Plans
• Palo Alto Networks Consulting Services
• Palo Alto Networks Educational Services
Join Palo Alto Networks LIVE Community for user discussions, tutorials, and knowledge
base articles.
• PAN-OS Administrator’s Guide, Version 7.0 – App-ID
• PAN-OS Administrator’s Guide, Version 6.0 – App-ID
Join Palo Alto Networks Fuel User Group community to connect with like-minded
professionals around the globe who are ready to discuss their hard-won best practices
and trade insights. You can also get exclusive access to subject matter experts to answer
your most challenging, security-related questions through online events, such as
webinars and Q&A sessions, and in-person events, as well.
4401 Great America Parkway
Santa Clara, CA 95054
Main:+1.408.753.4000
Sales:+1.866.320.4788
Support:+1.866.898.9087
www.paloaltonetworks.com
© 2015 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. pan-wp-best-practices-visibility-110415