Securely enable applications instead of blocking them.

Palo Alto Networks makes it possible to strike the right balance between blocking and allowing applications, all through firewall policies that use business-relevant elements such as application identity, user identity and content type or threat. This approach leads to more informed control over network access and business activity. Using these elements transforms the traditional allow-or-block firewall policy into what we call "secure application enablement": you build firewall policies based on applications and application properties, users and groups, and content, rather than on port, protocol and IP address.

Allow the IT team to use a fixed set of remote management applications (e.g., SSH, RDP, telnet) on the standard ports for those applications, but block their use for all other users.

Allow Facebook browsing for all users, but block all Facebook games and social plug-ins, and allow Facebook posting only for the marketing department. Scan all Facebook-related traffic for malware and exploits.

Allow media streaming applications as a category, but apply a QoS policy to that group of applications (rather than just to the port) to minimize their impact on VoIP applications.

Allow webmail applications, but decrypt the associated SSL traffic, inspect it for malware and control file transfer functions.

Transparently block all P2P applications, applications designed to evade detection, encrypted non-VPN tunnels and external proxies, regardless of the port, protocol or evasion tactics they use.

Best practices

Best practice for firewall policies that securely enable applications is to first obtain detailed information about the applications on your network. Palo Alto Networks helps you obtain this information in the following ways:

Secure enablement of applications begins the moment they are identified.

Palo Alto Networks' next-generation firewall is built on App-ID, a traffic classification technology that instantly and automatically identifies the applications traversing the network, regardless of port, encryption (SSL or SSH) or evasion technique. App-ID is enabled by default: turn on the firewall, define the interfaces and an initial policy, and you already know which applications are traversing your network. No other vendor offers this. The application identity then serves as the basis for your security policy. App-ID continuously monitors the application's state, checking whether particular functions, such as file transfer or posting, are active; when that state changes, the security policy can react accordingly. Additional application data that supports more informed, business-focused decisions includes a description of the application, how it behaves, the ports it can use and how it is categorized.

Protection against application threats.

Application-dependent threat protection begins by reducing the threat surface: a transparent policy blocks unwanted applications such as external proxies, applications designed to evade detection and P2P file-sharing applications. Once specific applications and their functions are authorized, protection against viruses, vulnerability exploits, spyware and modern malware should be enabled, extending the application-specific context into the threat prevention system. For example, you can allow Oracle RDB only on its standard port to ensure continuity of financial and operational activities, while also protecting against SQL injection attacks and exploitation of Oracle-specific vulnerabilities. The threat protection features that are part of Content-ID technology use a single, unified signature format to scan traffic once (and block it, according to policy) for threats of every type. Other firewall vendors are trying to address application enablement by adding application control features to stateful firewall mechanisms, just as they did with IPS systems. This approach has several significant limitations.

The port-based "allow" rule takes precedence over the "block everything" rule.

Because port-based traffic classification is always in effect, the firewall first has to open the application's default port. To control Facebook, for example, you have to open tcp/80 or tcp/443. According to the December 2011 Application Usage and Related Risk Report, that may let 297 other applications (25% of the typical set of corporate applications) onto your network, whether you intend it or not. The default policy of blocking all applications is therefore significantly weakened. By contrast, as soon as traffic reaches a Palo Alto Networks firewall, App-ID immediately identifies the application, on all ports, all the time. Access control decisions are made application by application, so the default block-all rule can be maintained.
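As an added illustration (not Palo Alto Networks code; the rule names, applications, default ports and user groups are assumed), the following Python compares a port-based rulebase with an application-based one for the policy examples listed earlier and for the default-deny argument made here:

```python
from dataclasses import dataclass
from typing import Optional
# Constructed sample data, not from the page: each application's standard
# ports, standing in for the "application-default" service.
DEFAULT_PORTS = {"ssh": {22}, "ms-rdp": {3389}, "telnet": {23}, "facebook": {80, 443}}

@dataclass
class Flow:
    app: Optional[str]  # identity from content inspection; None = unknown app
    port: int
    group: str          # user group of the source user

@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "deny"
    apps: Optional[set] = None     # app-aware match; None = any application
    ports: Optional[set] = None    # port-only match (legacy firewall style)
    groups: Optional[set] = None   # None = any user

def matches(rule, flow):
    if rule.groups is not None and flow.group not in rule.groups:
        return False
    if rule.apps is not None:
        # App-aware: identity must be known and listed, and on its default port.
        return flow.app in rule.apps and flow.port in DEFAULT_PORTS[flow.app]
    return flow.port in rule.ports  # port-only: the application is invisible

def evaluate(rulebase, flow):
    """First matching rule wins; an implicit deny-all closes the rulebase."""
    for rule in rulebase:
        if matches(rule, flow):
            return f"{rule.action}:{rule.name}"
    return "deny:default"

# Port-based rulebase: letting Facebook through means opening 80/443 for all.
PORT_BASED = [Rule("web", "allow", ports={80, 443}),
              Rule("it-remote-mgmt", "allow", ports={22, 3389, 23}, groups={"it"})]
# Application-based rulebase expressing the same business intent.
APP_BASED = [Rule("facebook", "allow", apps={"facebook"}),
             Rule("it-remote-mgmt", "allow", apps={"ssh", "ms-rdp", "telnet"}, groups={"it"})]
# Constructed flows: the unknown app and ssh tunnelled over 443 are the key cases.
FLOWS = {"fb-marketing": Flow("facebook", 443, "marketing"),
         "unknown-443": Flow(None, 443, "sales"),
         "ssh-it": Flow("ssh", 22, "it"),
         "ssh-over-443": Flow("ssh", 443, "engineering")}

def compare():
    """Decision of each rulebase per flow: (port_based, app_based)."""
    return {k: (evaluate(PORT_BASED, f), evaluate(APP_BASED, f)) for k, f in FLOWS.items()}
```

The port-based rulebase lets the unknown application and the tunnelled SSH session through on 443, while the application-based rulebase keeps both under the default deny.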

Applications using non-standard ports may be overlooked.

It is not uncommon for more technically skilled users to run remote access tools on non-standard ports, and database developers are equally guilty of running SQL sessions on non-standard ports. Strict reliance on port-based classification means that applications on non-standard ports can be overlooked entirely, even with custom configuration settings. Once again, the fundamental difference is that App-ID looks for all applications on all ports.

Numerous policies with duplicated information increase the management effort.

A port-based firewall with add-on application control means building and managing a firewall policy that includes source, destination, user, port, action and so on; the same information is repeated in the application control policy and supplemented with application data and actions. If your organization resembles most others, you are probably running hundreds or even thousands of firewall policies. A policy approach built on multiple rule bases not only increases the administrative burden, it may also needlessly escalate business and security risk. Palo Alto Networks uses a single, unified policy editor that lets you use application, user and content data as the basis for policies that securely enable applications.

Systematic management of unknown traffic.

Unknown traffic epitomizes the 80/20 rule: it is a small portion of the traffic on any network, but it represents a large risk. Unknown traffic may come from a custom application, an unidentified commercial application or a threat. Other vendors have no way to systematically identify and manage it. Admittedly, the firewall logs all traffic, but application logs are generated separately and cover only a subset, which makes unknown traffic almost impossible to manage. Blocking it is not an option, since that can disrupt business processes; allowing it is high risk. Palo Alto Networks, on the other hand, categorizes unknown traffic so that you can find internal applications and create custom App-ID entries, capture packets from unidentified commercial applications and use them to develop App-IDs, and use logging and reporting to see whether the packets represent a threat. In this way we enable systematic management of unknown traffic, reducing it to a small, low-risk remainder, all driven by policy.