NEXT-GENERATION FIREWALL
Fundamental changes in applications and threats, as well as in user behavior and network infrastructure, are gradually eroding the protection formerly provided by traditional, port-based firewalls. In performing daily tasks, users rely on a variety of applications and devices. Meanwhile, the growth of data centers and virtualization, mobility and cloud technologies requires rethinking how applications can be enabled while the network stays protected.
Traditional approaches, for example, try to block all application traffic using an ever-expanding list of point technologies bolted on to the firewall, which can hinder business operations. Alternatively, one may allow access to all applications, which is also unacceptable because of the associated business and security risks. The problem is that traditional port-based firewalls, even those with add-ons that block applications outright, offer no alternative to either extreme. To strike a balance between total lockdown and fully unimpeded access, you need secure application usage features that use business-relevant elements, such as application identity, user identity and content type, as the key criteria for firewall security policies.
The most important requirements for safe application usage
Identify applications, not ports. Classify network traffic as soon as it arrives at the firewall to determine the identity of the application regardless of protocol, encryption or evasive tactics. Then use that identity as the basis for all security policies.
Tie application usage to user identity rather than IP address, regardless of location or device. Use user and group data from directory services and other user information sources to implement consistent application usage policies for all users regardless of location or device.
Protect against all threats, both known and unknown. Prevent known vulnerability exploits, malware, spyware and malicious URLs, while analyzing traffic for highly targeted and previously unknown malware and automatically protecting against it.
Simplify security policy management. Enable secure application access with fewer administrative actions, using easy-to-use graphical tools, a unified policy editor, templates and device groups.
Policies that ensure secure use of applications enhance security regardless of where the application is deployed. At the network perimeter, the number of threats can be reduced by blocking a range of unwanted applications and then scanning the allowed applications for threats, both known and unknown. In the data center, whether traditional or virtualized, application usage technology means that data center applications can only be used by authorized users, thus protecting the center's content from threats and addressing security concerns related to the dynamic nature of virtual infrastructure. Branch offices and remote users can be protected with the same set of application usage policies deployed at headquarters, ensuring policy consistency.
Using apps to drive the business forward
The secure application experience offered by Palo Alto Networks' firewalls helps manage operations and confront the security risks associated with the rapidly growing number of applications on the corporate network. Providing application access to users or groups of users, whether local, mobile or remote, and protecting network traffic from known and unknown threats allows you to increase security while growing your business.
Ability to permanently classify all applications on all ports
App-ID classifies all traffic on all ports, all the time, including unknown traffic, using application and protocol decoders to identify the application regardless of protocol, encryption or evasive tactics such as port hopping and tunneling. That application identity, rather than the port, is the basis for every security policy, so an application moved to a non-standard port is still recognized and controlled.
Include users and devices in security policies, not just IP addresses
Creating and managing security policies based on the application and the user's identity, regardless of device or location, is a more effective way to protect a network than techniques that use only port and IP address. Integration with a wide range of corporate user directories identifies Microsoft Windows, Mac OS X, Linux, Android and iOS users accessing applications. Mobile and remote users are protected with the same consistent policies that are applied on the local or corporate network. The combination of visibility and control over users' application activity means that you can securely enable Oracle, BitTorrent, Gmail or any other application on the network regardless of when and how the user accesses it.
Protection against all threats, both known and unknown
To protect today's network, it is necessary to deal with all sorts of known exploits, malware and spyware, as well as completely unknown and targeted threats. The process begins by reducing the network's attack surface: allow specific applications and deny all others, either implicitly, through a "deny all others" strategy, or through explicit policies. Coordinated threat protection is then applied to all permitted traffic, blocking known malware sites, vulnerability exploits, viruses, spyware and malicious DNS queries in a single pass. Custom or otherwise unknown malware is actively analyzed and identified by executing unknown files and directly observing more than 100 malicious behaviors in a virtualized sandbox environment. When new malware is discovered, signatures for the infected file and its associated malware traffic are automatically generated and delivered. All of this preventive analysis uses the full context of applications and protocols, which ensures detection even of threats that try to hide from security mechanisms in tunnels, compressed data or on custom ports.
Flexibility of implementation and management
Secure application functionality is available on a purpose-built hardware platform or in virtualized form. If you deploy multiple Palo Alto Networks firewalls, whether hardware or virtual, you can use Panorama, an optional centralized management solution that provides visibility into traffic patterns and lets you deploy policies, generate reports and distribute content updates from a central location.
Safe use of applications: a comprehensive approach
Secure application usage requires a comprehensive approach to securing the network and growing the business, based on thorough knowledge of the applications on the network: who the users are, regardless of platform or location, and what content, if any, the application carries. With more complete knowledge of network activity, you can create more effective security policies based on the application, user and content elements that matter to your business. Where users are located, what platform they use and where security is enforced (the perimeter, a traditional or virtualized data center, a branch office or a remote user) have minimal or no impact on how policies are created. Now you can safely enable any application and content for any user.
Using applications and reducing risks
Secure application functionality uses policy-based decision criteria, including application and application function, users and groups, and content, to strike a balance between blocking all applications outright and the high-risk approach of allowing completely free access.
At the perimeter, including branch offices and mobile and remote users, application usage policies focus on identifying all traffic, then selectively allowing it based on user identity and scanning it for threats. Sample security policies:
- Limit the use of email and instant messaging to a few sanctioned variants; decrypt those that use SSL, inspect the traffic for threats, and send unknown files to the WildFire service for analysis and signature generation.
- Allow media streaming applications and sites while using QoS and malware protection features to limit the impact on VoIP applications and protect the network.
- Control access to Facebook by allowing all users to browse the site, blocking all Facebook games and social plug-ins, and allowing Facebook posting for marketing purposes only; scan all Facebook traffic for malware and exploits.
- Control Internet usage by allowing and scanning traffic to sites related to the company's business while blocking access to sites clearly unrelated to it; manage access to questionable sites through customizable block pages.
- Establish consistent security by transparently enforcing the same policies for all users (local, mobile and remote) using GlobalProtect.
- Use an implicit "deny everything else" strategy or explicitly block unwanted applications such as P2P or security-bypass programs, and traffic from specific countries, to reduce application traffic that is a source of business and security risk.
In data centers, whether traditional, virtualized or mixed, application usage functions serve primarily to validate applications, look for malicious applications and protect data.
- Isolate the Oracle-based credit card number repository in its own security zone; restrict access to the finance groups; force the traffic onto its standard ports; inspect the traffic for application vulnerabilities.
- Allow only the IT team to access the data center, using a fixed set of remote management applications (e.g. SSH, RDP, Telnet) on their standard ports.
- Allow only the company's SharePoint administration team to use SharePoint administration functions, and allow all other users to access SharePoint documents.
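The sample policies above, and the "identify applications, not ports" and "tie usage to user identity" requirements listed earlier, all rest on one mechanism: the firewall classifies the session by its application, matches the user's directory group rather than an address, and denies whatever no rule allows. The following toy policy engine is an added illustration written for this page; it is not Palo Alto Networks code and does not reflect how App-ID or PAN-OS rules are implemented. The payload signatures, the rulebase, the group membership and the sample flows are all constructed for the example. It also contrasts the result with a plain port-based decision so the difference the text describes is visible on the same flows.

```python
"""Toy application-aware policy engine (added example, not PAN-OS code).

Shows the three criteria the sample policies rely on: the identified
application (not the port), the user's directory group (not the IP
address), and an implicit deny for anything no rule allows.
Signatures, rules, groups and flows below are all constructed.
"""
from dataclasses import dataclass

# Constructed signatures: the application is recognised from the first
# bytes of the payload, independent of the TCP port it arrives on.
SIGNATURES = {
    "ssh": b"SSH-2.0",
    "bittorrent": b"\x13BitTorrent protocol",
    "http": b"GET ",
}
# Standard ports per application, used when a rule says "application-default".
DEFAULT_PORTS = {"ssh": {22}, "bittorrent": set(), "http": {80}}

# Constructed directory data (the User-ID style group lookup the text describes).
GROUPS = {"alice": {"it-admins"}, "bob": {"staff"}}


@dataclass
class Flow:
    user: str
    src_zone: str
    dst_zone: str
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    groups: set            # {"any"} matches every user
    applications: set      # {"any"} matches every identified application
    action: str            # "allow" or "deny"
    application_default: bool = True   # allow only on the app's standard ports


def identify_application(payload: bytes) -> str:
    """App-ID style classification: match the payload, not the port."""
    for app, magic in SIGNATURES.items():
        if payload.startswith(magic):
            return app
    return "unknown-tcp"


def evaluate(rules, flow):
    """Return (action, rule_name, app). First match wins; implicit deny at the end."""
    app = identify_application(flow.payload)
    for r in rules:
        if (flow.src_zone, flow.dst_zone) != (r.from_zone, r.to_zone):
            continue
        if "any" not in r.groups and not (GROUPS.get(flow.user, set()) & r.groups):
            continue
        if "any" not in r.applications and app not in r.applications:
            continue
        if r.application_default and r.action == "allow":
            if flow.dst_port not in DEFAULT_PORTS.get(app, set()):
                continue   # the app on a non-standard port does not match this rule
        return r.action, r.name, app
    return "deny", "implicit-deny", app


def port_based(flow, open_ports=frozenset({22, 80, 443})) -> str:
    """What a traditional port-based firewall would decide for the same flow."""
    return "allow" if flow.dst_port in open_ports else "deny"


# Constructed rulebase mirroring two of the sample policies above.
RULES = [
    Rule("it-remote-mgmt", "trust", "dc", {"it-admins"}, {"ssh"}, "allow"),
    Rule("web-out", "trust", "untrust", {"any"}, {"http"}, "allow"),
]

if __name__ == "__main__":
    flows = [
        Flow("alice", "trust", "dc", 22, b"SSH-2.0-OpenSSH_8.9"),
        Flow("bob", "trust", "dc", 22, b"SSH-2.0-OpenSSH_8.9"),
        Flow("alice", "trust", "dc", 443, b"SSH-2.0-OpenSSH_8.9"),
        Flow("bob", "trust", "untrust", 80, b"\x13BitTorrent protocol"),
        Flow("bob", "trust", "untrust", 80, b"GET / HTTP/1.1\r\n"),
    ]
    for f in flows:
        print(f.user, f.dst_port, evaluate(RULES, f), "port-based:", port_based(f))
```

The BitTorrent flow on port 80 is the case the text is about: a port-based rule opening tcp/80 allows it, while the application-aware rulebase has no rule for that application and falls through to the implicit deny. The SSH session on port 443 is denied for the same reason in the other direction: the rule allows SSH only on its default port.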
Protection of enabled applications
Using applications securely means allowing access to specific applications and then applying specific policies to block known exploits, malware and spyware (known and unknown), and to control file or data transfer and web browsing activity. Common security-bypass tactics, such as port hopping and tunneling, are countered with prevention policies that use the application and protocol context generated by the App-ID decoders. UTM solutions, by contrast, use silo-based threat prevention: each function (firewall, IPS, antivirus, URL filtering) is applied to all network traffic without regard to context, making them more susceptible to evasion techniques.
- Block known threats: IPS and network antivirus/antispyware. A uniform signature format and a stream-based scanning engine protect the network against many types of threats. The intrusion prevention system (IPS) blocks network- and application-layer vulnerability exploits and protects against buffer overflows, DoS attacks and port scanning. Antivirus/antispyware protection blocks millions of malware variants, as well as the command-and-control traffic they generate, PDF-borne viruses and malware hidden in compressed files or web traffic (compressed HTTP/HTTPS data). Policy-based SSL decryption across all applications and ports protects against malware carried in SSL-encrypted applications.
- Block unknown, targeted malware: WildFire™. Unknown and targeted malware is identified and analyzed by WildFire, which directly executes and observes unknown files in a virtualized sandbox environment in the cloud. WildFire monitors more than 100 malicious behaviors, and the results of the analysis are delivered immediately to the administrator as an alert. An optional WildFire subscription offers enhanced protection, logging and reporting. Subscribers receive protection within an hour of new malware being discovered anywhere in the world, stopping its spread before it reaches them. The subscription also includes WildFire's integrated logging and reporting functionality and an API for submitting samples to the WildFire cloud for analysis.
- Identify bot-infected hosts. App-ID classifies all applications, across all ports, including all unknown traffic, which can often be a source of threats or anomalies in the network. The botnet behavior report correlates unknown traffic, suspicious DNS and URL queries, and a variety of unusual network behaviors to give a picture of devices that may be infected with malware. The results are presented as a list of potentially infected hosts that can be investigated as suspected botnet members.
- Limit unauthorized file and data transfers. Data filtering features allow administrators to implement policies that reduce the risks associated with unauthorized file and data transfers. File transfers can be controlled by inspecting the file's actual content (not just its extension) to decide whether the transfer is allowed. Executable files, often seen in drive-by download attacks, can be blocked, protecting the network from the silent spread of malware. Data filtering functions detect and control the flow of sensitive data (credit card numbers, social security numbers or other custom-defined data patterns).
- Control Internet use. A fully integrated, customizable URL filtering engine lets administrators apply granular web browsing policies that complement application visibility and control policies and protect the company from regulatory compliance and productivity issues. In addition, URL categories can be used as a criterion in security policies to add granularity to SSL decryption controls, QoS or other rules.
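The data filtering item above makes two claims worth seeing in code: a file's type is decided from its content rather than its extension, so a renamed executable is still blocked, and sensitive data such as card numbers is detected in transit. The example below is added for this page and is not Palo Alto Networks code; it uses a short, constructed magic-byte table and a Luhn check (which cuts false positives on arbitrary 16-digit strings), and all sample files and text are constructed inline.

```python
"""Content-based file blocking and sensitive-data detection (added example).

Not Palo Alto Networks code. Illustrates the two data-filtering checks
described above with a constructed magic-byte table and a Luhn check.
"""
import re

# Constructed table: leading bytes that identify a file type regardless of name.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
]
BLOCKED_TYPES = {"pe-executable", "elf-executable"}


def classify(data: bytes) -> str:
    """Identify the file type from its content; the filename is never consulted."""
    for magic, ftype in MAGIC:
        if data.startswith(magic):
            return ftype
    return "unknown"   # in the text's model, unknown files are what a sandbox would analyze


def file_decision(data: bytes) -> tuple:
    """Return (action, detected_type) for a transferred file."""
    ftype = classify(data)
    return ("block" if ftype in BLOCKED_TYPES else "allow"), ftype


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_card_numbers(text: str) -> list:
    """Return normalised card numbers in text that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    # Constructed samples: an executable renamed to .pdf, and a real PDF header named .exe.
    samples = {
        "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",
        "report.exe": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",
        "notes.txt": b"hello",
    }
    for name, data in samples.items():
        print(name, file_decision(data))
    # 4111111111111111 is a well-known Luhn-valid test number; the other is not Luhn-valid.
    print(find_card_numbers("Card: 4111 1111 1111 1111, ref 1234567890123456."))
```

Note that `invoice.pdf` is blocked and `report.exe` is allowed: the extension plays no part, which is exactly the property the text attributes to content-based filtering. A production data filter would of course carry a much larger type table and pattern set; the structure is what the example shows.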
Continuous management and analysis
Experience with best-of-breed security solutions indicates that administrators need to balance proactive firewall management, whether for a single device or hundreds, with reactive work: investigating, analyzing and reporting on security incidents.
- Management: each Palo Alto Networks platform can be managed individually via a command line interface or a feature-rich GUI. For large-scale deployments, Panorama can be licensed and deployed as a centralized management solution that reconciles global, centralized control with local policy flexibility through features such as templates and shared policies. Support for standards-based tools such as SNMP and a REST-based API allows integration with third-party management tools. The device GUI and the Panorama interface have the same look and feel, so no additional training is needed when migrating between them. Administrators can use either interface and make changes at any time without worrying about synchronization issues. Role-based administration is supported in all management tools, allowing functions to be delegated to specific individuals.
- Reporting: predefined reports can be used as-is or customized, and grouped into a single report as required. All reports can be exported to CSV or PDF format and run or emailed on a set schedule.
- Logging: real-time log filtering lets you investigate every session on your network. Filtered log results can be exported to a CSV file or sent to a syslog server for offline archiving or further analysis.
Purpose-built hardware platform or virtualized platform
Palo Alto Networks offers a full range of purpose-built hardware platforms, from the PA-200, designed for remote corporate offices, to the PA-5060, designed for high-end data centers. The platform architecture is based on single-pass software and uses function-specific processing for networking, security, threat prevention and management, delivering stable and efficient operation. The same firewall functionality available on the hardware platforms is available in the VM-Series virtual firewall, which secures virtualized and cloud computing environments with the same policies applied at the network perimeter or in remote offices.