Objectives:
Block known malware attacks by configuring Security Profiles according to best practices
Detect unknown malware attacks by configuring WildFire according to best practices
Overview of Inspecting Allowed Traffic
When network traffic passes between zones on the firewall, it matches against rules on the security policy.
Even if the security policy gets a match and permits traffic, the security profile attached to the rule can allow further inspection of packets passing through the firewall to occur
The security profile can check for threats like:
- Viruses
- Spyware
- Expoits
- Malicious URLs
- Malicious files
- Sensitive data
- Zero-day malware
If a match is found in the security file, it can carry out various actions like allow, block, ask the user for permission to continue, or log the violation.
The security profile allows a network administrator have more granular control over allowed traffic
Security profiles can detect known and unknown threats
Known threats, updated with regular update downloads, can pick up on new and old malicious traffic. The security profiles designed for detecting known threats are:
- Antivirus
- Using signature matches
- Updated daily
- Antispyware
- Using signature matches
- Custom signatures can be created
- Vulnerability Protectioin
- Using signature matches
- Custom signatures can be created
- URL Filtering
- Using pattern matches
- Data Filtering
- Using pattern matches
- File Blocking
- Using file type and transfer detection
The Palo Alto firewall also has a platform for picking up on unknown threats, WildFire Analysis
WildFire analyses files and URLs in a virtual sandbox enviroment. Wildfire creates new signatures for newly discovered threats, distrubuting them to firewalls worldwide
Day One Security Profile Methodology
The Day One Security Profile is best practice security profile configuration for blocking threat and minimising application downtime between outbound, inbound, and internal zones.
The security profile allows the administrator to build three sets of custom security profiles, one for inbound, one for outbound, and one between internal zones.
If an administrator is concerned that false positives will be blocked, the administrator can configure them to report security profile violations, but do not block them.
Blocking Signature Detected Threats
The Palo Alto firewall uses signatures to detect and block known viruses, spyware, and software exploits.
Updates to these signatures are distributed frequently to firewalls with Palo Alto content updates. Wildfire also frequently distributes updates.
If new spyware is encountered that Palo Alto does not have a signature for, the network administrator can craft their own custom signatures to block threats.
Viewing Information
To view blocked or alerted threat information, click on the Threat Log in the monitor tab.
The ID column in this log can be useful for creating exceptions in the profile rules, if a false positive occurs.
Overview of URL Access
The PAN-DB URL filtering database is maintained by Palo Alto Networks, which groups websites into categories.
A firewall with a valid URL filtering licence can control user access to websites
URL Filtering profiles should be attached to all security policy rules that allow traffic in a zero-trust configuration
Filtering information can be viewed in the URL filtering monitor tab. Note the continue is a prompt sent to the user confirming they wish to continue to visit a webapge, the override action is a result of the user confirming they want to still visit that webpage
Blocking Unauthorised File Transfers
The Palo Alto supports the blocking of unauthorised file transfers via with a link in a E-mail attachment, webpage, or instant mesage containing a FTP, Google Drive, Dropbox or similar URL.
The file blocking profile detects the file type using the filename extension and the content inside the file. Once determined the profile will block or allow the file transfer
Viewing Blocked Files
The data filtering log displays a list of files blocked by the File Blocking Profiles. The firewall records the filename and file type along with other information.
The firewall security policy rules and file blocking profiles should be adjusted accordingly with the information presented in these logs.
Detecting unknown threats
WildFire is the Palo Alto profile that is primarly in use for detecting new or unknown threats. WildFire requires a WildFire subscription to be used.
A cloud based sandbox enviroment, WildFire analyses unknown files and URLs within e-mail links that the Palo Alto discovers. The sandbox determines whether the samples are benign, grayware, phishing or malicious.
If the WildFire cloudbox discovers malware, it generates a signature from the sample file and distributes the signature to all firewalls within minutes (that have an active subscription). These quick updates allow firewalls to have an edge over malicious applications with quick detection and blocking, all potentionally discovered from one other single firewall!
Basic WildFire support is included with a Threat Prevention licence. To get the full features of WildFire a valid WildFire licence is required. If a WildFire licence is not present, Palo Alto firewalls without a licence will get the licence definitions on the next Antivirus Content Update.
If WildFire forwarding is eanbvled, the firewall forwards files that were blocked by antivirus signatures. Signatures can often match multiple variants of the same malware application, and can block new variants of the virus application that have not been seen before. The forwarded file can be used by the Palo Alto research team to further protect firewalls with new additions to IP address, URL and domain blocklists.
The WildFire Profile
The WildFire profile performs additional checks on allowed network traffic. As is the same with other security profile rules, WildFire Analysis applies to all packets over the life of a session.
The recommended practice is to forward all files and links to WildFire for analysis.
Configuring WildFire Forwarding
To configure wildfire forwarding, go to the Device Tab, then the WildFire tab underneath that.
Viewing WildFire Logs
WildFire logs can be viewed in the Monitor, WildFire submissions tab.
Blocking Sensitive Data Transfers
The data filtering profile can prevent sensitive information from leaving a protected network.
A data filtering profile attached to all security policy rules allow scans for data patterns to occur
Three types of data patterns can be scanned for, Predefined Patterns (Credit Card Numbers, Social Security Numbers), Regular Expressions (Regex), and File properties (Property=Value). They are 22 predefined patterns in PAN-OS 2.0
The property=value object type can be tied into a third party data loss prevention product
Data Filtering Log
The Data Filtering Log (under the Monitor tab) allows the administrator to determine if there has been any succesful or blocked transfers of data. Information can also be viewed if there was any hosts or systems involved in the transfer of data. Packet captures can also be viewed to see which sensitive data was transferred but a password needs to be set in order to protect this data.
Protecting Access to the Data Filter
A password must be set on the Data Filtering Log if packet captures are enabled. This is to prevent easy access to sensitive data.
HTTP ‘Accept-Ranges’ Option
The HTTP Accept-Ranges option allows a web client to resume a stopped data transfer, by requesting a resend of the missing data.
Palo Alto recommends that this is disabled, so that if a sensitive data transfer is stopped it can not be resumed
Security Policy Modifications
Rule Tags and Descriptions
Rules can be tagged and assigned on security policies to allow for easy identification, a description can also be entered on a security rule to help any other network administrators learn how a security policy is used
Rule Tags and descriptions can be forced on rules on the Policy Rulebase Settings, a tag, description, or audit comment can be forced to be present before a commit can be made to the firewall.
Configuring Security Profile Groups
The recommended configuration from Palo Alto is to use the same naming convention as the security profiles: outbound, internal, and inbound.
Security Profile Groups can be attached in the same way to a security rule as a Security Profile.
Optional Initial Configuration
If the administrator is concerned about false positives, they have an option to use a configuration that only sends alerts, but does not block malware.
The alerts can be used as a source of information when it comes to reconfiguring the firewall to better protect networks.
Best Practice Configuration Templates
Iron Skillet can be used with Palo Alto to try get a best practice configuration in place. Iron Skillet is a website repository of firewall and Panorama day one configuration templates according to best practice recommendations.
Day One configurations help keep a network safe by blocking malware, but minimises downtime as a result of too strict configuration. They are safe starting points for most deployments
Configuration settings can be added as more information about specific services and applications are learned in a network enviorment
The Iron Skillet template creates a set of inbound, outbound, internal security profile and security profile groups.
Iron Skillet creates custom reports too as well as log and log forwarding settings.
Additional configuration will be required to best suit your network, including but not limited too additional interface addresses, zones, and routing.
How good is your configuration?
A tool is present for Palo Alto to analyse firewall, and panorama configurations. These are compared against Palo Altos best configuation practices. The tool returns a set of recommendations on how to improve the network security
The best practice security tool can be accessed on the Customer Support Portal.
Leave a Reply