As many organizations realize, changes in the application and threat landscape, user behavior, and network infrastructure are changing! The security that traditional port-based firewalls once provided is often not enough. Users are accessing all types of applications using a range of device types these days. Datacenter expansion, virtualization, mobility, and cloud-based stances are forcing us to rethink how to protect networks.
Traditional thinking typically includes an attempt to lock down traffic through an increasing list of point technologies in addition to the firewall, which may hinder your business. Some allow all applications, which results in increased business and security risks. The challenge is that your traditional port-based firewall, even with bolt-on application blocking, does not provide an alternative to either approach. To balance between allowing everything and denying everything, the need to allow applications by using essentials such as the application identity, who is using the application, and the type of content as key firewall security policy criteria.
A solid starting strategy is to Identify applications, not ports. Classify traffic, as soon as it hits the firewall, to determine the application identity, irrespective of protocol, encryption, or evasive tactic. Then use that identity as the basis for all security policies.
Customers of Palo can also link application usage to user identity, not IP address, regardless of location or device. Employ user and group information from enterprise directories and other user stores to deploy consistent enablement policies for all your users.
Another huge factor is the ability to protect against threats both known and unknown. Preventing known vulnerability exploits, malware, spyware, malicious URLs while analyzing traffic for, and automatically delivering protection against highly targeted and previously unknown malware is essential to a viable and long-term Firewall project.
Many customers ask us how they can simplify policy management. With Palo Alto you can safely enable applications and reduce administrative efforts with easy-to-use graphical tools, a unified policy editor, templates, and device groups. Safe application enablement policies can help you improve your security posture, regardless of the deployment location. At the perimeter, you can reduce your threat footprint by blocking a wide range of unwanted applications and then inspecting the allowed applications for threats— both known and unknown. In the datacenter – traditional or virtualized, application enablement results in ensuring only datacenter applications are in use by authorized users, protecting the content from threats and addressing security challenges presented using the virtual infrastructure. Your enterprise branch offices and remote users are protected by the same set of enablement policies deployed at the headquarters location, thereby ensuring policy consistency.
Businesses can enable applications with Palo Alto Networks next-generation firewalls that help address business and security risks associated with a growing number of applications in your network.
Deployment and Management application enablement functionality is available in purpose-built hardware platform or in a virtualized form factor. When you deploy multiple Palo Alto Networks firewalls, in either hardware or virtual form factors, you can use Panorama, an optional centralized management offering to gain visibility into traffic patterns, deploy policies, generate reports and deliver content updates from a central location.
Comprehensive applications require securing your network and growing your business that begins with in-depth knowledge of the applications on your network; who the user is, regardless of their platform or location; what content, if any, the application is carrying. With more complete knowledge of network activity, you can create more meaningful security policies that are based on elements of application, user and content that are relevant to your business. The user location, their platform and where the policy is deployed—perimeter, traditional or virtualized datacenter, branch office or remote user— make little or no difference to how the policy is created. You can now safely enable any application, any user, and any content. Complete Knowledge Means Tighter Security Policies Security best practices dictate that more complete knowledge of what’s on your network is beneficial to implementing tighter security policies.
Enabling Applications and Reducing Risk Safe application enablement uses policy standards that include application/application function, users and groups, and content as a means determining the right option. At the perimeter, including branch offices, mobile, and remote users, policies are focused on identifying all the traffic, then selectively allowing the traffic based on user identity; then scanning the traffic for threats.
Protecting Enabled Applications Safe application enablement means allowing access to certain applications, then applying specific policies to block known exploits, malware and spyware – known or unknown; controlling file or data transfer, and web surfing activity. Common threat evasion tactics such as port-hopping and tunneling are addressed by executing threat prevention policies using the application and protocol context generated by the decoders in App-ID. In contrast, UTM solutions take a silo-based approach to threat prevention, with each function, firewall, IPS, AV, URL filtering, all scanning traffic without sharing any context, making them more susceptible to evasive behavior.
Block Known Threats: IPS and Network Antivirus/Anti-spyware. A uniform signature format and a stream-based scanning engine enables you to protect your network from a broad range of threats. Intrusion prevention system (IPS) features block network and application-layer vulnerability exploits, buffer overflows, DoS attacks, and port scans. Antivirus/Anti-spyware protection blocks millions of malware variants, as well as any malware-generated command-and-control traffic, PDF viruses, and malware hidden within compressed files or web traffic (compressed HTTP/HTTPS). Policy-based SSL decryption across any application on any port protects you against malware moving across SSL encrypted applications.
Block Unknown, Targeted Malware: Wildfire. Unknown or targeted malware is identified and analyzed by WildFire, which directly executes and observes unknown files in a cloud-based, virtualized sandbox environment. WildFire monitors for more than 100 malicious behaviors and the result is delivered immediately to the administrator in the form of an alert.
Data filtering features also enable your administrators to implement policies that will reduce the risks associated with unauthorized file and data transfers. File transfers can be controlled by looking inside the file to determine if the transfer action should be allowed or not. Executable files, typically found in downloads can be blocked, by this means protecting your network from unseen malware. Data filtering features can detect and control the flow of sensitive data patterns (credit card or social security numbers).
Ongoing Management and Analysis Security say that your administrators should balance between proactively managing the firewall, whether it is a single device or many hundreds, and being reactive, analyzing, and reporting on security incidents.
Each Palo Alto Networks platform can be managed individually via a command line interface (CLI) or full-featured browser-based interface. For larger deployments, Panorama can be licensed and deployed as a centralized management solution that enables you to balance global, centralized control. Role-based management is supported across all channels, allowing you to assign features and functions to specific persons. Predefined reporting can be used as-is, customized, or grouped together as one report to suit the specific requirements. All reports can be exported to CSV or PDF format and can be executed and emailed on a scheduled basis.
Real-time log filtering facilitates rapid forensic investigation into every session traversing your network. Log filter results can be exported to a CSV file or sent to a syslog server for offline archival or additional analysis.
Palo Alto Networks offers a full line of purpose-built hardware or virtualized platforms that range from the PA-200 designed for remote offices, to the PA-5060, which is designed for high-speed datacenters. All this is based on a software engine and uses processing for networking, security, threat prevention and management to deliver you predictable performance. Please consider HA Inc as your enterprise level networking solution provider as you approach future projects or have interest in learning more about what Palo Alto has to offer!