Palo Alto Networks Next-Generation Firewall’s main strength is its Single Pass Parallel Processing (SP3) Architecture, which comprises two key components:
1. Single Pass Software
2. Parallel Processing Hardware
Key safe enablement requirements:
• Identify applications, not ports. Classify traffic, as soon as it hits the firewall, to determine the application identity, irrespective of protocol, encryption, or evasive tactic. Then use that identity as the basis for all security policies.
• Tie application usage to user identity, not IP address, regardless of location or device. Employ user and group information from enterprise directories and other user stores to deploy consistent enablement policies for all your users, regardless of location or device.
• Protect against all threats—both known and unknown. Prevent known vulnerability exploits, malware, spyware and malicious URLs while analyzing traffic for, and automatically delivering protection against, highly targeted and previously unknown malware.
• Simplify policy management. Safely enable applications and reduce administrative efforts with easy-to-use graphical tools, a unified policy editor, templates, and device groups.
SINGLE PASS SOFTWARE
Palo Alto Networks Next-Generation Firewall is empowered with Single Pass Software, which processes the packet to perform functions like networking, user identification (User-ID), policy lookup, traffic classification with application identification (App-ID), decoding, signature matching for identifying threats and contents, which are all performed once per packet as shown in the illustration below:
PARALLEL PROCESSING HARDWARE
Palo Alto Networks Parallel Processing hardware ensures function-specific processing is done in parallel at the hardware level which, in combination with the dedicated Data plane and Control plane, produces stunning performance results. By separating the Data plane and Control plane, Palo Alto Networks ensures that heavy utilization of either plane will not impact the overall performance of the platform.
Palo Alto Networks Next-Generation Firewall offers processors dedicated to specific functions that work in parallel. The Data Plane in the high-end models contains three types of processors (CPUs) connected by high-speed 1Gbps buses.
The three types of processors are:
1. Security Matching Processor: Dedicated processor that performs vulnerability and virus detection.
2. Security Processor: Dedicated processor that performs hardware acceleration and handles security tasks such as SSL decryption, IPsec decryption and similar tasks.
3. Network Processor: Dedicated processor responsible for network functions such as routing, NAT, QoS, route lookup, MAC lookup and network layer communications.
PA-200 and PA-500 Series firewalls are meant for small businesses.
PA-3020, PA-3050 & PA-3060 are suited to mid-size enterprise networks.
The PA-5000 Series firewalls (PA-5020, PA-5050 & PA-5060) are medium to large data centre firewalls.
The PA-7000 Series firewalls are chassis-based firewalls, available as the PA-7050 & PA-7080, that offer App-ID throughput between 120Gbps and 200Gbps and are targeted at service provider networks.
Below is a list of the configuration options available for Ethernet (physical) interfaces:
· Tap Mode
· Virtual Wire
· Layer 2
· Layer 3
· Aggregate Interfaces
· HA
Following are the Logical interface options available:
· VLAN
· Loopback
· Tunnel
· Decrypt Mirror
TAP MODE DEPLOYMENT OPTION
A tap mode deployment allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port. The SPAN or mirror port (also known as mirroring) permits the copying of traffic from other ports on the switch. By dedicating an interface on the firewall as a tap mode interface and connecting it to a switch SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides application visibility within the network without the firewall being in the flow of network traffic.
A typical deployment would involve the configuration of SPAN on Cisco Catalyst switches, where the destination SPAN port is the switch port to which the Palo Alto firewall connects. During the configuration of SPAN it is important to ensure the correct SPAN source and SPAN destination ports are configured, while also enabling tap mode on the firewall interface.
VIRTUAL WIRE (V-WIRE) DEPLOYMENT OPTION
In a virtual wire deployment, you install a firewall transparently on a network segment by binding two firewall ports (interfaces) together. The virtual wire logically connects the two interfaces; hence, the virtual wire is internal to the firewall.
Use a virtual wire deployment only when you want to seamlessly integrate a firewall into a topology and the two connected interfaces on the firewall need not do any switching or routing. For these two interfaces, the firewall is considered a bump in the wire.
Virtual Wire, also known as V-Wire, deployment options use Virtual Wire interfaces. The main advantage of a V-Wire deployment is that the firewall can be inserted into an existing topology without requiring any changes to the existing network topology.
The V-Wire deployment option overcomes the limitations of tap mode deployment, as the firewall can both monitor and control traffic traversing the link. A Virtual Wire interface supports App-ID, User-ID, Content-ID, NAT and decryption.
LAYER 2 DEPLOYMENT OPTION
Palo Alto Networks Next-Generation Firewall can also be deployed in Layer 2 mode. In this mode the firewall is configured to perform switching between two or more network segments. Traffic traversing the firewall is examined, as per policies, providing increased security and visibility within the internal network.
LAYER 3 DEPLOYMENT OPTION
Layer 3 deployment mode is a popular deployment setup. In this mode the firewall routes traffic between multiple interfaces, each of which is configured with an IP address and security zone. The Firewall interfaces can also be configured to obtain their IP address via a DHCP server and can be used to manage the security appliance.
App-ID: Identifying any application on any port
Traffic classification is at the heart of any firewall, because your classifications form the basis of your security policies. Traditional firewalls classify traffic by port and protocol. At one point, this was a satisfactory mechanism for securing the perimeter. Not anymore.
If you still use a port-based firewall, it is easy for applications to bypass it by:
§ Hopping ports
§ Using SSL and SSH
§ Sneaking across port 80
§ Using non-standard ports
App-ID™ instantly applies multiple classification mechanisms to your network traffic stream, as soon as the device sees it, to accurately identify applications.
Classify traffic based on applications, not ports
Here’s how App-ID identifies applications crossing your network:
§ Traffic is first classified based on the IP address and port.
§ Signatures are then applied to allowed traffic to identify the application based on unique application properties and related transaction characteristics.
§ If App-ID determines that encryption (SSL or SSH) is in use, and a decryption policy is in place, the application is decrypted and application signatures are applied again on the decrypted flow.
§ Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (e.g., Yahoo! Instant Messenger used across HTTP).
§ For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
As the applications are identified by App-ID’s successive mechanisms, the policy check determines how to treat the applications and associated functions: block them, or allow them and scan for threats, inspect for unauthorised file transfer and data patterns, or shape using QoS.
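The successive mechanisms above, as an added example that is not Palo Alto Networks code: a small model of classification stages 1 to 4 (port hint, signatures, decrypt-and-re-signature, protocol decoder), showing how a flow a port-based rule would misread as web traffic is identified from its content. The flows, signatures and the decoder's host pattern are constructed for this illustration; the heuristic stage is omitted.

```python
# Added example, not Palo Alto Networks code: a small model of App-ID's
# successive classification stages. It shows why identifying the application
# from the stream, not the port, catches flows a port-based rule misreads.
# The flows, signatures and decoder below are constructed for illustration.
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Flow:
    dst_port: int
    payload: bytes                     # first client->server bytes on the wire
    decrypted: Optional[bytes] = None  # set when a decryption policy applies
    trail: List[str] = field(default_factory=list)  # stage-by-stage verdicts

# Stage 1: the port-based guess, all a traditional firewall has to go on.
PORT_HINTS = {22: "ssh", 80: "web-browsing", 443: "ssl"}

# Stage 2: signatures keyed on protocol properties, independent of port.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("ssl", re.compile(rb"^\x16\x03[\x00-\x03]")),             # TLS record header
    ("web-browsing", re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
]

# Stage 4: an HTTP decoder looking for an application tunnelled inside HTTP.
HTTP_DECODER = [
    ("yahoo-im-over-http", re.compile(rb"\r\nHost: [\w.-]*\.msg\.yahoo\.com\r\n", re.I)),
]

def _stage(flow: Flow, stage: str, table, data: bytes, app: str) -> str:
    for name, sig in table:
        if sig.search(data):
            flow.trail.append(f"{stage}:{name}")
            return name
    return app                                       # no hit: keep the earlier verdict

def classify(flow: Flow) -> str:
    app = PORT_HINTS.get(flow.dst_port, "unknown")   # stage 1: port-based guess
    flow.trail.append(f"port:{app}")
    data = flow.payload
    app = _stage(flow, "signature", SIGNATURES, data, app)       # stage 2 overrides port
    if app == "ssl" and flow.decrypted is not None:              # stage 3: decrypt, re-run
        data = flow.decrypted
        app = _stage(flow, "decrypted-signature", SIGNATURES, data, app)
    if app == "web-browsing":                                    # stage 4: decoder
        app = _stage(flow, "decoder", HTTP_DECODER, data, app)
    return app
```

The `trail` list records what each stage decided, so a reader can compare the port-only verdict with the final one for the same flow.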
FLOW LOGIC OF THE NEXT-GENERATION FIREWALL
User-ID Overview
User-ID™ enables you to identify all users on your network using a variety of techniques, so that you can identify users in all locations across a variety of access methods and operating systems.
Visibility—Improved visibility into application usage based on users gives you a more relevant picture of network activity. The power of User-ID becomes evident when you notice a strange or unfamiliar application on your network. Using either ACC or the log viewer, your security team can discern what the application is, who the user is, the bandwidth and session consumption, along with the source and destination of the application traffic, as well as any associated threats.
Policy control —Tying user information to Security policy rules improves safe enablement of applications traversing the network and ensures that only those users who have a business need for an application have access.
For example, while IT support personnel may legitimately need access to remote desktop applications, the majority of your users do not.
Logging, reporting, forensics —If a security incident occurs, forensics analysis and reporting based on user information rather than just IP addresses provides a more complete picture of the incident. A usage report, for example, can show which users are transferring the most data over unsanctioned SaaS applications.
User-ID seamlessly integrates Palo Alto Networks next-generation firewalls with a wide range of user repositories and terminal services environments. Depending on your network environment, there are a variety of ways you can map a user's identity to an IP address. Some of these include:
- Authentication events
- User authentication
- Terminal services monitoring
- Client probing
- Directory services integration
- Syslog Listener and a powerful XML API
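The mapping of a user's identity to an IP address via a syslog listener, as an added example that is not Palo Alto Networks code: authentication events from a hypothetical VPN gateway are parsed into an IP-to-user table with an idle timeout, and that table is then used to add the user name to a traffic log line, which is the basis of the user-based forensics described above. The log lines and their message format are constructed for this illustration.

```python
# Added example, not Palo Alto Networks code: a minimal model of what a
# User-ID syslog listener does, building an IP-to-user mapping from
# authentication events and using it to enrich firewall traffic logs.
# The log lines and their message format are constructed for illustration.
import re
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Constructed syslog lines from a hypothetical VPN gateway's auth facility.
AUTH_LOG = [
    "2024-05-01T08:00:01Z vpn1 auth: LOGIN user=acme\\alice src=10.1.2.3",
    "2024-05-01T08:05:10Z vpn1 auth: LOGIN user=acme\\bob src=10.1.2.4",
    "2024-05-01T09:30:00Z vpn1 auth: LOGOUT user=acme\\alice src=10.1.2.3",
    "2024-05-01T09:31:00Z vpn1 auth: LOGIN user=acme\\carol src=10.1.2.3",
]
EVENT_RE = re.compile(r"^(?P<ts>\S+) \S+ auth: (?P<kind>LOGIN|LOGOUT) "
                      r"user=(?P<user>\S+) src=(?P<ip>\S+)$")

def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

class UserMap:
    """Current IP -> (user, expiry) table with an idle timeout."""
    def __init__(self, timeout: timedelta = timedelta(minutes=45)):
        self.timeout = timeout
        self.table: Dict[str, Tuple[str, datetime]] = {}

    def feed(self, line: str) -> bool:
        m = EVENT_RE.match(line)
        if not m:
            return False                 # unparsable lines are ignored, never guessed
        if m["kind"] == "LOGIN":
            self.table[m["ip"]] = (m["user"], _ts(m["ts"]) + self.timeout)
        elif self.table.get(m["ip"], ("",))[0] == m["user"]:
            del self.table[m["ip"]]      # an explicit logout clears the mapping
        return True

    def lookup(self, ip: str, at_iso: str) -> Optional[str]:
        entry = self.table.get(ip)
        if entry is None or _ts(at_iso) > entry[1]:
            return None                  # unknown or expired: policy sees only the IP
        return entry[0]

def enrich(traffic_line: str, users: UserMap) -> str:
    """Add user=... to a constructed traffic log line of the form 'ts src dst app'."""
    ts, src, _dst, _app = traffic_line.split()
    return f"{traffic_line} user={users.lookup(src, ts) or 'unknown'}"
```

Because the table holds only the current mapping, a lookup for an address that has changed hands returns the latest user, which is why the timeout and explicit logout handling matter for accuracy.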
GlobalProtect
GlobalProtect provides a comprehensive security solution for mobile devices built upon the technologies of the Palo Alto Networks enterprise security platform and tailored to address mobile requirements. It delivers unprecedented levels of integration to deliver a unique solution that combines technology, global intelligence and policy enforcement over mobile apps and threats. These principles allow businesses to provide a safe environment for applications and data while still permitting users to enjoy the native user experience of their preferred device.
WildFire
WildFire™ simplifies an organization’s response to the most dangerous threats—automatically detecting unknown malware and quickly preventing threats before organizations are compromised. Unlike legacy security solutions, WildFire quickly identifies and stops these advanced attacks without requiring manual human intervention or costly Incident Response (IR) services after the fact.
- Unified hybrid cloud architecture, either deployed through the public cloud, or via a private cloud appliance that maintains all data on the local network.
- Dynamic analysis of suspicious content in a cloud-based virtual environment to discover unknown threats.
- Automatic creation and enforcement of best-in-class content-based malware protections.
- Link detection in email, proactively blocking access to malicious websites.
Content-ID: High-Performance Threat Prevention
Content-ID gives you a real-time threat prevention engine, combined with a comprehensive URL database, and elements of application identification to:
- Limit unauthorized data and file transfers
- Detect and block exploits, malware and malware communications
- Control unapproved web surfing
The application visibility and control of App-ID, coupled with the content inspection enabled by Content-ID, empowers your IT team to regain control over your application traffic and related content.
An overview of the technology that delivers real-time threat prevention and content control follows.
Content-ID is based on a single-pass architecture, which is a unique combination of software and hardware that was designed from the ground up to integrate multiple threat prevention technologies (IPS, anti-malware, URL filtering, etc.) into a single stream-based approach that simplifies management, streamlines processing, and maximizes performance.
As with all Palo Alto Networks analysis, threat prevention is applied in full application and protocol context – across all of your traffic and ports – to ensure that threats are detected and blocked, despite evasion attempts. Content-ID provides you with fully integrated protection from vulnerability exploits, malware and malware-generated command and control traffic. Our threat prevention technologies include:
· IPS – IPS functionality blocks vulnerability exploits, buffer overflows, and port scans. Additional capabilities, like blocking invalid or malformed packets, IP defragmentation and TCP reassembly, protect you from the evasion and obfuscation methods used by attackers (available as part of our Threat Prevention subscription).
· Anti-Malware – Known malware as well as future variations of known malware are detected by a stream-based engine that blocks in-line at very high speeds; updated protection for unknown malware is available within as little as 5 minutes for WildFire customers (available as part of our Threat Prevention subscription).
· Command and Control – Stops malware outbound communications, as well as passively analyzes DNS queries, and will identify the unique patterns of botnets. This reveals infected users, prevents secondary downloads and data from leaving your enterprise (available as part of our Threat Prevention subscription).
· URL Filtering – Our fully integrated URL Filtering database lets you more easily and effectively enforce your policies for web browsing, as well as reduce malware incidents by blocking access to known malware and phishing download sites.
- Securely enable web usage with the same policy control mechanisms that you apply to applications – allow, allow and scan, apply QoS, block and more.
- Reduce malware incidents by blocking access to known malware and phishing download sites.
- Tailor your web filtering control efforts by creating white lists (allow), black lists (block), or through custom categories and database customisation.
- Facilitate and hone your SSL decryption policies. For example, “don’t decrypt traffic to financial services sites,” but “decrypt traffic to blog sites.”
File and Data Filtering – The data filtering features in Content-ID enable you to implement policies that reduce the risks associated with the transfer of unauthorised files and data (available on all Next-Generation Firewalls).
§ File blocking by type: Control the flow of a wide range of file types by looking deep within the payload to identify the file type (as opposed to looking only at the file extension).
§ Data filtering: Control the transfer of sensitive data patterns such as credit card and social security numbers in application content or attachments.
§ File transfer function control: Control file transfer functionality within an individual application, allowing application use while preventing undesired inbound or outbound file transfer.
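File blocking by type, as an added example that is not Palo Alto Networks code: the file's type is taken from its leading payload bytes (magic numbers) and compared with what the file name's extension claims, so that a renamed executable is blocked and a mismatched extension raises an alert. The signature table, extension map, policy and sample payloads are constructed for this illustration.

```python
# Added example, not Palo Alto Networks code: identifying a file's type from
# payload magic bytes rather than the declared file name, the distinction the
# "file blocking by type" bullet above draws. Signatures, policy and samples
# are constructed for illustration; a real engine handles many more formats.
from typing import Tuple

# Leading bytes (magic numbers) of a few common formats.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip-container"),                       # also docx, xlsx, jar
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # legacy doc, xls
]
# What a file name's extension claims the content is.
EXT_CLAIMS = {".exe": "pe-executable", ".dll": "pe-executable", ".pdf": "pdf",
              ".png": "png", ".docx": "zip-container", ".zip": "zip-container",
              ".doc": "ole-compound"}
# Constructed policy: executables are never allowed through this channel.
BLOCKED_TYPES = {"pe-executable", "elf-executable"}

def sniff_type(payload: bytes) -> str:
    """Return the type implied by the payload's leading bytes, or 'unknown'."""
    for magic, name in MAGIC:
        if payload.startswith(magic):
            return name
    return "unknown"

def file_verdict(filename: str, payload: bytes) -> Tuple[str, str]:
    """Return (detected_type, action); action is 'block', 'alert' or 'allow'."""
    detected = sniff_type(payload)
    dot = filename.rfind(".")
    claimed = EXT_CLAIMS.get(filename[dot:].lower()) if dot >= 0 else None
    if detected in BLOCKED_TYPES:
        return detected, "block"         # policy acts on the real type, not the name
    if claimed is not None and claimed != detected:
        return detected, "alert"         # extension does not match the content
    return detected, "allow"
```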