BEST PRACTICES: SECURING YOUR NETWORK BY APPLICATION
Visibility and Attack Surface Reduction
Palo Alto Networks | Best Practices Guide

Visibility, Control, and Policy

Applications lie at the core of your business and network traffic. They’re an integral part of how business is done. Because of that, they’re designed to be highly available to users. To achieve this goal, applications use non-standard ports, and even “hop ports” by going from port to port until they find an open one, to ensure users always have access. There is no guarantee that a given set of ports will always define an application, which is why security policies should be applied to traffic associated with applications, instead of just ports.

Palo Alto Networks has identified hundreds of applications used to slyly deliver threats into victim organizations, most of which could have been prevented.

Palo Alto Networks® Next-Generation Firewall (NGFW) identifies traffic by application first, using our App-ID™ technology, regardless of port or protocol. This allows you to create security and usage policies based on applications and their corresponding functions, like chat or file sharing. Customers typically combine App-ID with our User-ID™ technology, which identifies users regardless of IP address or device, to view and understand their traffic within the context of who is accessing what on the network.

A Phased Approach to Application-Based Security

Whether you’ve just implemented Palo Alto Networks products or have been administering them for years, make sure you’re maximizing their full value by reviewing our best practices for identifying and securing traffic by application.

As with any technology, there is usually a gradual approach to a complete implementation, consisting of carefully planned deployment phases meant to make the transition as smooth as possible, with minimal impact to your end users. With this approach in mind, we’ve recommended our NGFW best practices in three phases, each building on the recommendations before it. The ultimate goal for your NGFW implementation should be to end up with a robust next-generation policy based on application, for any port and protocol.

There are two basic approaches to deploying application-based policies with App-ID:
1. Migrate existing policies from your legacy, port-based firewall.
2. Start from scratch and build policies from the ground up, either in a previously unprotected network location or as a slow transition from a legacy, port-based firewall.

This chapter will speak to the recommended best practices for each approach: “Migrating Existing Policies” and “Starting From Scratch.”

Palo Alto Networks LIVE Community – App-ID: Learn more about App-ID technology

Figure 1: Migration paths
Migrating Existing Policy: Legacy → Protocol/Port Conversion, Content-ID → Consolidation, User-ID → Next-Generation
Pros: • Conservative, Step-by-Step Approach • Retains Historical Rules • Low Risk • Low Impact
vs.
Starting from Scratch: Legacy → Virtual-wire behind legacy firewall → App-ID Migration → Replace legacy firewall → Next-Generation
Pros: • No Special Tools Required • Easy to Create App-ID Rules and Eliminate Cruft • Relatively Quick

Tip: Use our Migration Tool to speed up the migration process. Engage our Professional Services team to complete this process even more quickly or to take this task off your hands completely.

PHASE 1: APPLICATION VISIBILITY

Because App-ID technology is a standard feature of our next-generation firewalls, application visibility is something our customers achieve simply by turning on their firewall.

Migrating existing policies: Most of our customers deploy one of our next-generation firewalls by migrating existing policies from their legacy firewalls. This takes the existing port-and-protocol policies and converts them, like for like, to PAN-OS® policies. When this conversion is done, you’ll be running your NGFW in production, but with your port-based policy. However, even though the firewall is running port-based policies, it’s still logging application data, which you can leverage to create accurate application-based rules that parallel the legacy rules and act as a conduit for risk reduction and rule consolidation through our unique capability of setting application, user, content, and security parameters within a single rule.

Learn about Palo Alto Networks Migration Tool

Starting from scratch – Baseline visibility: You may be in a position where you want to build your own next-generation policy from scratch. However, before you can start creating effective application-based policies, you must first understand your organization’s traffic flow and/or log data. The first step is to place your NGFW in virtual-wire or transparent mode behind, or in front of, your legacy firewall with an explicit “allow-any-any” rule. You won’t be enforcing any policy, but you will have visibility of all traffic within the context of applications, which will give you a baseline for building policies later on. Leaving this setup in place for at least 30 days will give you a decent representation of your traffic mix.

Tip: Think about processes or events that may occur less frequently than your 30 days might allow – for example, an accounting audit which may only happen once per year that utilizes a specific set of applications, or a major national or international sporting event which may occur once every few months that utilizes a specific streaming application.

Don’t stop here! Continuing to the next phase and implementing application-based policies to replace legacy port-and-protocol-based policies is critical to realizing the full value of your Palo Alto Networks Next-Generation Security Platform.

Administrator’s Guide:
• Monitoring

PHASE 2: NEXT-GENERATION POLICIES

Migrating existing policies – Converting to application-based policies

After your NGFW has at least 30 days of production traffic, you’ll have enough logs to accurately identify your organization’s traffic mix, and you can begin migrating your legacy rules to application-based rules. During this time, it’s a good idea to monitor traffic and converted rules to make sure end users are not impacted by blocked services, for example. You’ll continue to monitor as you migrate all port-based rules to application-based rules. Make sure to look at actual log data because there are often applications hitting certain rules that may be surprising. The goal is to safely enable applications by making sure you’ve properly enabled all legitimate applications, as well as identified and restricted those that have no business on, or pose a danger to, your network.

The best way to do this is to go rule by rule, looking at which applications are being allowed or denied, cloning the rule, and populating the App-ID field. Then you’ll move the new rule above the original and let traffic run through it for another 30-90 days to verify that no traffic is still hitting that original rule. Once you’ve confirmed this, you can remove the original, port-based rule. The most important step in the process is removing port-based rules, so make sure this is done for every rule that has been converted. Once all port-based rules have been removed, your policy set will primarily be application-based, which will allow or deny traffic at the application level, even if the application uses a non-standard port. There will likely still be a few policies that are port-based where appropriate.

Tip: Automated tools help streamline much of this process by handling hundreds of rules at a time. However, remember that human judgment is also an important part of this process.

Tip: Before either your migration to or creation of application-based policies, consider adding rules to selectively decrypt SSL flows to provide further visibility into what’s really contained in that traffic. This will allow you to simultaneously build rules to account for encrypted traffic to which you otherwise would be blind. By decrypting traffic before building application-based rules, you’ll have more visibility into and control of the applications being used.

Figure 2: The bottom rule is an example of a migrated legacy policy, while the top rule is an example of next-generation policy because it includes the application identification information, using App-ID.

Tip: Combine application-based policies with User-ID technology to ensure that only users who need access to certain restricted applications actually have access, and further reduce your organization’s risk. Introducing User-ID can be done earlier in the process, but after you have an application-based rule set, you’ll have a much better, more organized view of which users should be reflected in which rules.

Tip: Build threat policies, such as vulnerability protection, URL filtering categories, and antimalware rules, as you create App-ID rules. This will not only help you identify and act on malicious content, but will also make this process more efficient, as you’re already going through each rule.

Starting from scratch – Building App-ID policies

Once you have 30 days’ worth of traffic and a comprehensive representation of your traffic, you can begin to build application-based policy. Leave the virtual wire in place as you create your new policies, and as you build out the rule set, you’ll see less and less traffic hitting the allow-any-any rule you started with. When no legitimate traffic continues to hit the explicit “allow-any-any” rule, change it into a deny-any-any rule. You’re now ready to completely replace the legacy firewall with your NGFW.

Administrator’s Guide:
• Set up basic security policies
• Use application objects in policy

PHASE 3: CONSOLIDATION, CUSTOMIZATION, AND RISK REDUCTION

Now that you have application-based policies in place, you may be able to consolidate the number of policies and further build out your rule set by adding custom applications, using the vast library of Palo Alto Networks’ application decoders. Rule consolidation reduces management overhead by simplifying your view of what’s allowed or blocked by your NGFW. Instead of having a single rule each for application, user, and threat protection, for example, we allow you to combine these traffic parameters into a single policy, oftentimes significantly reducing the number of rules you must manage, making it much easier to keep rule sets updated.

Administrator’s Guide:
• Configure custom App-IDs
• Manage custom or unknown applications

Migrating existing policies – Consolidating rules

Once a rule set has been migrated to App-ID, it’s worth reviewing the entire policy for opportunities to consolidate – looking specifically for rules that:
1. Are shadowed by other rules.
2. Can be combined by address groups, application groups, or other methods.
3. Are no longer used.

Tip: Add file blocking profiles to your application- and user-based policies, whitelisting or blacklisting file types for upload and download, to further reduce the risk of accidental infection and data loss.

Administrator’s Guide:
• Search duplicated rules by name

Our Commitment to Support Our Customers

Palo Alto Networks is committed to ensuring a successful deployment and provides comprehensive support through our Global Customer Services organization. We understand fully that failure is not an option. Our support offerings and training programs are designed to mitigate any deployment concerns you may have.
• Palo Alto Networks Solution Assurance Services
• Palo Alto Networks Customer Support Plans
• Palo Alto Networks Consulting Services
• Palo Alto Networks Educational Services

Join Palo Alto Networks LIVE Community for user discussions, tutorials, and knowledge base articles.
• PAN-OS Administrator’s Guide, Version 7.0 – App-ID
• PAN-OS Administrator’s Guide, Version 6.0 – App-ID

Join Palo Alto Networks Fuel User Group community to connect with like-minded professionals around the globe who are ready to discuss their hard-won best practices and trade insights. You can also get exclusive access to subject matter experts to answer your most challenging, security-related questions through online events, such as webinars and Q&A sessions, and in-person events, as well.

4401 Great America Parkway, Santa Clara, CA 95054
Main: +1.408.753.4000 Sales: +1.866.320.4788 Support: +1.866.898.9087
www.paloaltonetworks.com
© 2015 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. pan-wp-best-practices-visibility-110415
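The following Python script is an added example, not code from this guide or from Palo Alto Networks, that models two of the checks described above in the Phase 2 migration procedure and the Phase 3 consolidation review: cloning a port-based rule into an App-ID rule placed above the original and confirming, from replayed log entries, that no traffic still hits the original rule; and finding rules that are shadowed by an earlier rule or that received no hits. The rule names, zone names, ports and log entries are all constructed for the example, and the matching logic is a simplified first-match model that only approximates how the firewall evaluates its rulebase.

```python
from dataclasses import dataclass

ANY = "any"


@dataclass
class Rule:
    name: str
    src: str           # source zone (constructed, single token)
    dst: str           # destination zone
    apps: frozenset    # App-ID names, or {ANY} for a port-based rule
    ports: frozenset   # destination ports, or {ANY} for an application-based rule
    action: str = "allow"
    hits: int = 0      # filled in by evaluate()


def matches(rule, flow):
    """True if the rule matches a flow tuple (src, dst, app, port)."""
    src, dst, app, port = flow
    return (rule.src in (ANY, src) and rule.dst in (ANY, dst)
            and (ANY in rule.apps or app in rule.apps)
            and (ANY in rule.ports or port in rule.ports))


def evaluate(rules, flows):
    """First-match evaluation of an ordered rulebase; resets and fills the
    per-rule hit counters and returns (flow, matching rule name or None)."""
    for rule in rules:
        rule.hits = 0
    results = []
    for flow in flows:
        hit = next((r for r in rules if matches(r, flow)), None)
        if hit is not None:
            hit.hits += 1
        results.append((flow, hit.name if hit is not None else None))
    return results


def clone_with_apps(rule, apps, suffix="-appid"):
    """Phase 2 step: clone a port-based rule and populate its App-ID field.
    The clone matches on application for any port."""
    return Rule(rule.name + suffix, rule.src, rule.dst,
                frozenset(apps), frozenset({ANY}), rule.action)


def migrate_and_check(rules, legacy_name, apps, flows):
    """Insert the App-ID clone above the legacy rule, replay the flows and
    return (new rulebase, flows that still hit the legacy rule). A non-empty
    second element means an application is still passing on the port rule,
    so the legacy rule is not yet safe to remove."""
    idx = next(i for i, r in enumerate(rules) if r.name == legacy_name)
    new_rules = rules[:idx] + [clone_with_apps(rules[idx], apps)] + rules[idx:]
    results = evaluate(new_rules, flows)
    leftovers = [flow for flow, name in results if name == legacy_name]
    return new_rules, leftovers


def covers(a, b):
    """True if rule a matches every flow that rule b matches."""
    def field_covers(x, y):
        return x == ANY or x == y

    def set_covers(x, y):
        return ANY in x or (ANY not in y and y <= x)

    return (field_covers(a.src, b.src) and field_covers(a.dst, b.dst)
            and set_covers(a.apps, b.apps) and set_covers(a.ports, b.ports))


def shadowed_rules(rules):
    """Phase 3 check: rules that can never match because an earlier rule
    covers them, as (shadowed rule, first shadowing rule) pairs."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


def unused_rules(rules):
    """Phase 3 check: rules with no hits in the replayed traffic."""
    return [r.name for r in rules if r.hits == 0]


def run_example():
    # Constructed legacy, port-based rulebase (not a real customer policy).
    legacy = [
        Rule("allow-web", ANY, ANY, frozenset({ANY}), frozenset({80, 443})),
        Rule("allow-dns", ANY, ANY, frozenset({ANY}), frozenset({53})),
        Rule("dup-dns", ANY, ANY, frozenset({ANY}), frozenset({53})),
        Rule("allow-mail", ANY, ANY, frozenset({ANY}), frozenset({25})),
        Rule("deny-all", ANY, ANY, frozenset({ANY}), frozenset({ANY}), "deny"),
    ]
    # Constructed traffic log entries: (src zone, dst zone, App-ID, dst port).
    flows = [
        ("trust", "untrust", "web-browsing", 80),
        ("trust", "untrust", "ssl", 443),
        ("trust", "untrust", "dns", 53),
        ("trust", "untrust", "bittorrent", 443),
    ]
    rules, leftovers = migrate_and_check(
        legacy, "allow-web", ["web-browsing", "ssl"], flows)
    return leftovers, shadowed_rules(rules), unused_rules(rules)


if __name__ == "__main__":
    leftovers, shadowed, unused = run_example()
    print("still hitting legacy rule:", leftovers)   # the bittorrent flow on 443
    print("shadowed:", shadowed)                     # dup-dns by allow-dns
    print("unused:", unused)                         # dup-dns, allow-mail, deny-all
```

The replay shows why the guide insists on checking actual log data before removing the port rule: the App-ID clone passes the web-browsing and ssl flows, but a flow the log labels as bittorrent on port 443 still falls through to the legacy "allow-web" rule, so that rule cannot be removed until the application is either explicitly allowed or denied. The Phase 3 pass then reports "dup-dns" as shadowed by "allow-dns" and the rules with zero hits as candidates for removal.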