PALO ALTO NETWORKS: Next-Generation Firewall … Alto Networks next-generation firewalls enable ... PALO ALTO NETWORKS: Next-Generation Firewall Feature ... Windows, Apple Mac OS X,

Recent changes in application behavior and usage patterns have steadily eroded the protection that the traditional firewall once provided. Users are accessing any application, from any location, often times to get their job done. Many of these applications use non-standard ports, hop ports, or use encryption to simplify and streamline user access and to bypass the firewall. Cybercriminals are taking full advantage of this unfettered application usage to spread a new class of highly targeted modern malware. The result is that the traditional firewall, with its reliance on port and protocol, can no longer identify and control the applications and threats traversing the network.

Attempts to regain control over application usage and protect digital assets for all users have produced duplicate local and remote security policies supported by an industry of stand-alone or sheet metal integrated firewall helpers. This approach introduces policy inconsistency and does not solve the visibility and control problems due to inaccurate or incomplete traffic classification, cumbersome management, and multiple, latency-inducing scanning processes. Restoring visibility and control requires a new, fresh, from-the-ground-up approach to safe application enablement that is only delivered by a next-generation firewall.

Key Next-Generation Firewall Requirements: • Identifyapplications,notports.Identifytheapplication,irrespectiveofprotocol,encryption,orevasive

tactic and use the identity as the basis for all security policies.

• Identifyusers,notIPaddresses.Employuserandgroupinformationfromenterprisedirectoriesfor visibility, policy creation, reporting, and forensic investigation—no matter where the user is located.

• Blockthreatsinreal-time.Protectagainsttheentirelifecycleofanattackincludingdangerousapplications,vulnerabilities,malware,high-riskURLs,andawidearrayofmaliciousfilesandcontent.

• Simplifypolicymanagement.Safelyandsecurelyenableapplicationswitheasy-to-usegraphicaltools and a unified policy editor.

• Enablealogicalperimeter.Secureallusers,includingtravelingortelecommutingusers,withconsistentsecurity that extends from the physical to the logical perimeter.

• Delivermulti-gigabitthroughput.Combinepurpose-builthardwareandsoftwaretoenablelow-latency,multi-gigabit performance with all services enabled.

PaloAltoNetworksnext-generationfirewallsenableunprecedentedvisibilityandcontrolofapplications,users,andcontentusingthreeuniqueidentificationtechnologies:App-ID™,User-ID,andContent-ID.These identificationtechnologies,foundineveryPaloAltoNetworksfirewall,enableenterprisestosafelyandsecurely enable application usage, while significantly reducing total cost of ownership through device consolidation.

Next-Generation Firewall Overview

P A L O A LT O N E T W O R K S : N e x t - G e n e r a t i o n F i r e w a l l F e a t u r e O v e r v i e w

Userinformationcanbeharvestedfromenterprisedirectories(MicrosoftActiveDirectory,eDirectory,andOpenLDAP)andterminalservicesofferings(CitrixandMicrosoftTerminalServices)whileintegrationwithMicrosoftExchange,aCaptivePortal,andanXMLAPIenableorganizationstoextendpolicytoAppleMacOSX,AppleiOS,andUNIXusersthattypicallyreside outside of the domain.

App-ID: Classifying All Applications, All Ports, All the Time Accurate traffic classification is the heart of any firewall, with the result becoming the basis of the security policy. Traditional firewalls classify traffic by port and protocol, which, at one point,wasasatisfactorymechanismforsecuringthenetwork.Today, applications can easily bypass a port-based firewall; hoppingports,usingSSLandSSH,sneakingacrossport80,orusingnon-standardports.App-IDaddressesthetrafficclassification visibility limitations that plague traditional firewalls by applying multiple classification mechanisms to the traffic stream, as soon as the firewall sees it, to determine theexactidentityofapplicationstraversingthenetwork.

Unlikeadd-onofferingsthatrelysolelyonIPS-stylesignatures,implementedafterport-basedclassification,everyApp-IDautomatically uses up to four different traffic classification mechanismstoidentifytheapplication.App-IDcontinuallymonitors the application state, re-classifying the traffic and identifying the different functions that are being used. The securitypolicydetermineshowtotreattheapplication:block,allow,orsecurelyenable(scanfor,andblockembeddedthreats,inspectforunauthorizedfiletransferanddatapatterns,orshapeusingQoS).

User-ID: Enabling Applications by Users and Groups Traditionally,securitypolicieswereappliedbasedonIPaddresses, but the increasingly dynamic nature of users and computingmeansthatIPaddressesalonehavebecomeineffective as a mechanism for monitoring and controlling useractivity.User-IDallowsorganizationstoextenduser-orgroup-based application enablement polices across Microsoft Windows,AppleMacOSX,AppleiOS,andLinuxusers.


Content-ID: Protecting Allowed Traffic Many of today’s applications provide significant benefit, but are also being used as a delivery tool for modern malware and threats.Content-ID,inconjunctionwithApp-ID,providesadministrators with a two-pronged solution to protecting thenetwork.AfterApp-IDisusedtoidentifyandblockunwanted applications, administrators can then securely enableallowedapplicationsbyblockingvulnerabilityexploits,modern malware, viruses, botnets, and other malware from propagatingacrossthenetwork,allregardlessofport,protocol,or method of evasion. Rounding out the control elements that Content-IDoffersisacomprehensiveURLdatabasetocontrolweb surfing and data filtering features.

PAGE 2

Application Protocol Detection / Decryption

Application Protocol Decoding

Application Signature

Heuristics

DATA

CC # SSN

Files

Vulnerability ExploitsViruses

Spyware

Content-ID

URLS

Web Filtering

THREATS

10.0.0.217

10.0.0.220

10.0.0.232

10.0.0.24210.0.0.245

10.0.0.227

10.0.0.239

10.0.0.221

10.0.0.23210.0.0.211

10.0.0.209User-ID

End StationPolling

CaptivePortal

LoginMonitoring

RoleDiscovery

Finance Group

Nancy I Marketing

Steve I Finance

Paul I Engineering


Application Visibility View application activity in

a clear, easy-to-read format. Add and remove filters to learn more about the application, its

functions and who is using them.

Secure Application EnablementTheseamlessintegrationofApp-ID,User-ID,andContent-ID enablesorganizationstoestablishconsistentapplicationenablement policies, down to the application function level in many cases, that go far beyond basic allow or deny. With GlobalProtect™,thesamepoliciesthatprotectuserswithinthe corporate headquarters are extended to all users, no matter where they are located, thereby establishing a logical perimeter forusersoutsideofthenetwork.

SecureenablementpoliciesbeginwithApp-IDdeterminingtheapplication identity, which is then mapped to the associated userwithUser-ID,whiletrafficcontentisscannedforthreats, files,datapatterns,andwebactivitybyContent-ID.TheseresultsaredisplayedinApplicationCommandCenter(ACC)where the administrator can learn, in near real-time, what ishappeningonthenetwork.Then,inthepolicy-editor,theinformationviewedinACCaboutapplications,users,andcontent can be turned into appropriate security policies that blockunwantedapplications,whileallowingandenablingothers in a secure manner. Finally, any detailed analysis, reporting, or forensics can be performed, again, with applications, users, and content as the basis.

Application Command Center: Knowledge is PowerApplicationCommandCenter(ACC)graphicallysummarizesthe log database to highlight the applications traversing the network,whoisusingthem,andtheirpotentialsecurityimpact.ACCisdynamicallyupdated,usingthecontinuoustrafficclassificationthatApp-IDperforms;ifanapplicationchangesportsorbehavior,App-IDcontinuestoseethetraffic,displayingtheresultsinACC.NeworunfamiliarapplicationsthatappearinACCcanbequicklyinvestigatedwithasingleclickthatdisplaysadescriptionoftheapplication,itskeyfeatures, its behavioral characteristics, and who is using it.

AdditionalvisibilityintoURLcategories,threats,anddataprovidesacompleteandwell-roundedpictureofnetworkactivity.WithACC,anadministratorcanveryquicklylearnmoreaboutthetraffictraversingthenetworkandthentranslatethat information into a more informed security policy.

Policy Editor: Translating Knowledge into Secure Enablement PoliciesTheknowledgeofwhichapplicationsaretraversingthenetwork,whoisusingthem,andwhatthepotentialsecurityrisksare,empowersadministratorstoquicklydeployapplication-,application function-, and port-based enablement policies in a systematicandcontrolledmanner.Policyresponsescanrangefromopen(allow),tomoderate(enablingcertainapplications orfunctions,thenscan,orshape,schedule,etc.),toclosed(deny).Examplesmayinclude:

• ProtectanOracledatabasebylimitingaccesstofinancegroups, forcing the traffic across the standard ports, and inspecting the traffic for application vulnerabilities.

• EnableonlytheITgrouptouseafixedsetofremote managementapplications(e.g.,SSH,RDP,Telnet)across their standard ports.

• Defineandenforceacorporatepolicythatallowsand inspects specific webmail and instant messaging usage butblockstheirrespectivefiletransferfunctions.

• AllowMicrosoftSharePointAdministrationtobeused by only the administration team, and allow access to MicrosoftSharePointDocumentsforallotherusers.

• Deploywebenablementpoliciesthatthatallowandscantraffictobusinessrelatedwebsiteswhileblockingaccesstoobviousnon-workrelatedwebsitesand“coaching”accesstoothersthroughcustomizedblockpages.

PAGE 3


PAGE 4

Unified Policy Editor A familiar look and feel

enables the rapid creation and deployment of policies

that control applications, users and content.

• ImplementQoSpoliciestoallowtheuseofbothbandwidth-intensive media applications and websites but limit their impactonVoIPapplications.

• DecryptSSLtraffictosocialnetworkingandwebmailsitesand scan for malware and exploits.

• Allowdownloadsofexecutablefilesfromuncategorizedwebsitesonlyafteruseracknowledgementtoprevent drive-by-downloadsviazero-dayexploits.

• DenyalltrafficfromspecificcountriesorblockunwantedapplicationssuchasP2Pfilesharing,circumventors,andexternal proxies.

The tight integration of application control, based on users and groups, and the ability to scan the allowed traffic for a widerangeofthreats,allowsorganizationstodramaticallyreduce the number of policies they are deploying along with the number of employee adds, moves, and changes that may occur on a day-to-day basis.

Policy Editor: Protecting Enabled ApplicationsSecurelyenablingapplicationsmeansallowingaccesstothe applications, then applying specific threat prevention and file, data,orURLfilteringpolicies.Eachoftheelementsincluded inContent-IDcanbeconfiguredonaper-applicationbasis.

• Intrusion Prevention System (IPS): Vulnerability protection integratesarichsetofintrusionpreventionsystem(IPS)featurestoblocknetworkandapplication-layervulnerabil-ityexploits,bufferoverflows,DoSattacks,andportscans.

• Network Antivirus:Stream-basedantivirusprotec-tionblocksmillionsofmalwarevariants,includingPDFviruses and malware hidden within compressed files or webtraffic(compressedHTTP/HTTPS).Policy-basedSSLdecryptionenablesorganizationstoprotectagainstmalwaremovingacrossSSLencryptedapplications.

• URL Filtering: Afully-integrated,customizableURLfiltering database allows administrators to apply granular web-browsing policies, complementing application visibility and control policies and safeguarding the enterprise from afullspectrumoflegal,regulatory,andproductivityrisks.

• File and Data Filtering:Datafilteringfeaturesenableadministrators to implement policies that will reduce the risksassociatedwithfileanddatatransfers.Filetransfersanddownloadscanbecontrolledbylookinginsidethefile(asopposedtolookingonlyatthefileextension),todetermineifitshouldbeallowedornot.Executablefiles,typicallyfoundindrive-bydownloads,canbeblocked,therebyprotectingthenetworkfromunseenmalwarepropagation. Finally, data filtering features can detect, and control the flow of confidential data patterns (credit cardandsocialsecuritynumbers).

PAGE 5


Content and Threat Visibility View URL, threat and file/data

transfer activity in a clear, easy-to-read format. Add and remove

filters to learn more about individual elements.

Modern Malware Detection and PreventionMalwarehasevolvedtobecomeanextensiblenetworkedapplicationthatprovidesattackerswithunprecedentedaccessandcontrolinsideofthetargetednetwork.Asthepower of modern malware increases, it is critical that enterprises be able to detect these threats immediately, evenbeforethethreathasadefinedsignature.PaloAltoNetworksnext-generationfirewallsprovideorganizationswith a multi-faceted approach based on the direct analysis ofbothexecutablefilesandnetworktraffictoprotecttheirnetworksevenbeforesignaturesareavailable.

• WildFire™:Usingacloud-basedapproach,WildFireexposespreviously unseen malicious executable files by directly observingtheirbehaviorinasecurevirtualizedenvironment.WildFirelooksformaliciousactionswithinMicrosoftWindows executable files such as changing registry values or operating system files, disabling security mechanisms, or injectingcodeintorunningprocesses.Thisdirectanalysisquicklyandaccuratelyidentifiesmalwareevenwhenno protection mechanism is available. The results are immediately delivered to the administrator for an appropriate response and a signature is automatically developed and delivered to all customers in the next available content update.

•Behavioral Botnet Detection:App-IDclassifiesalltrafficattheapplicationlevel,therebyexposinganyunknowntrafficonthenetwork,whichisoftenanindicationofmalware or other threat activity. The behavioral botnet reportanalyzesnetworkbehaviorthatisindicativeofabotnet infection such as repeatedly visiting malware sites, usingdynamicDNS,IRC,andotherpotentiallysuspiciousbehaviors. The results are displayed in the form of a list of potentially infected hosts that can be investigated as possible members of a botnet.

Traffic Monitoring: Analysis, Reporting and ForensicsSecuritybestpracticesdictatethatadministratorsstrikeabalance between being proactive, continually learning and adapting to protect the corporate assets, and being reactive, investigating,analyzing,andreportingonsecurityincidents.ACCandthepolicyeditorcanbeusedtoproactivelyapply application enablement policies, while a rich set of monitoring andreportingtoolsprovideorganizationswiththenecessarymeanstoanalyzeandreportontheapplication,users andcontentflowingthroughthePaloAltoNetworksnext-generation firewall.

• App-Scope:Complementingthereal-timeviewofapplica-tionsandcontentprovidedbyACC,App-scopeprovidesadynamic,user-customizableviewofapplication,traffic,and threat activity over time.

• Reporting:Predefinedreportscanbeusedas-is,customized,or grouped together as one report in order to suit the specificrequirements.AllreportscanbeexportedtoCSVorPDFformatandcanbeexecutedandemailedonascheduled basis.

• Logging: Real-time log filtering facilitates rapid forensic investigationintoeverysessiontraversingthenetwork.LogfilterresultscanbeexportedtoaCSVfileorsentto a syslog server for offline archival or additional analysis.

• Trace Session Tool: Accelerate forensics or incident investigationwithacentralizedcorrelatedviewacrossallofthelogsfortraffic,threats,URLs,andapplicationsrelated to an individual session.


GlobalProtect Enforce consistent secure

application enablement policies for all users, no matter where

they are located.

3300 Olcott Street Santa Clara, CA 95054

Main: +1.408.573.4000Sales: +1.866.320.4788 Support: +1.866.898.9087

www.paloaltonetworks.com

Copyright ©2011, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_DS_FFOV_101711

GlobalProtect: Consistent Security EverywhereApplications are not the only forces of change in the enterprise. Increasingly,end-userssimplyexpecttoconnectandworkfrom any location with any device of their choosing. As a result,ITteamsarestrugglingtoextendsecuritytothese devices and locations that may be well beyond the traditional perimeteroftheenterprise.GlobalProtectmeetsthischallengeby extending consistent security policies to all users regardless of their location and device.

First,GlobalProtectensuressecureconnectivityforalluserswithatransparentVPNthatsupportsarangeofdevicesincludingMicrosoftWindows,AppleMacOSX,andAppleiOS.Onceconnected,alltrafficisclassifiedbythefirewall,enablement policies are applied, traffic is scanned for threats, andthenetworkanduserareprotected.

Additionally,GlobalProtectcanapplyadditionalcontrols based on the state of the end-user’s device. For example, a user could be denied access to certain applicationsorsensitiveareasofthenetworkifthedevice has an out of date antivirus or does not have diskencryptionenabled.ThisallowsITtosafelyenable application usage across a range of end-user device types, while retaining a consistent next-generation approach to security.