Objectives:
Describe the seven different Security Profile types
Define the two predefined Vulnerability Protection profiles
Configure Security Profiles to prevent virus and spyware infiltration
Configure File Blocking profiles to identify and control the flow of file types through the firewall
Configure a DoS profile to help mitigate Layer 3 and Layer 4 protocol-based attacks
Content-ID Overview
Content-ID is a real-time threat prevention engine that uses administrator-created policies to inspect and control content flowing through the firewall.
Content-ID detects threats by fully analysing all traffic that the firewall has allowed, rather than sampling it.
Multiple threat prevention and data loss prevention capabilities are combined into a single, unified scanning engine, so a session is inspected once rather than by several separate engines.
Applications are identified almost immediately by the firewall, and all allowed traffic is analysed for exploits, viruses, spyware, malicious URLs, and dangerous file types or restricted content.
Security Policies with Security Profiles
When a Security policy rule permits traffic through the firewall, a Security Profile attached to that rule deepens the inspection of the permitted traffic. Profiles are only evaluated on traffic a rule allows; a deny rule never needs one.
The profile can check for viruses, scan for spyware or exploits, determine whether a malicious URL is being accessed, or detect sensitive organisational data being leaked externally.
If a match is found, a predefined action is taken against the offending session: allow the traffic through, block it, ask the user whether they wish to continue, or simply log the threat for an administrator to review later.
Security Profile Types
Vulnerability Protection
Vulnerability Protection scans a session for known attempts to exploit software vulnerabilities, such as buffer overflows or illegal code execution.
URL Filtering
URL Filtering classifies web browsing into categories and can control it based on the category of the site's content.
Anti-Spyware
Anti-Spyware detects and blocks spyware downloads, and the command-and-control (phone-home) traffic generated by spyware already installed on hosts inside the organisation.
Antivirus
Antivirus detects infected files being transferred within an application.
File Blocking
File Blocking tracks and blocks file uploads and downloads based on file type and application.
Data Filtering
Data Filtering identifies and blocks the transfer of specific data patterns (for example credit card numbers) found in network traffic.
WildFire Analysis
WildFire Analysis forwards unknown files to the WildFire service for malware analysis.
Security Profile Group
A Security Profile Group is a set of Security Profiles treated as a unit, to simplify the task of adding separate profiles to a policy rule.
Anti Spyware DNS Signatures
The cloud-based DNS signature database gives the firewall immediate access to Anti-Spyware DNS signatures without waiting for a content update package to be downloaded.
It also includes built-in domain protection logic that can detect potentially harmful domains.
Each DNS signature source added to the profile can be configured with its own action. The actions are allow, alert, block, and sinkhole.
DNS signature exceptions can also be added manually, for the purpose of handling false positives.
To add an exception, enter the DNS signature's threat ID number (found in the Threat log) and click ADD.
Anti Spyware Sinkhole Operation
DNS sinkholing allows infected hosts on the network to be identified quickly. Without it, the Threat log usually shows the internal DNS resolver as the source of the malicious query, not the infected client that originated it.
The default action for Palo Alto Networks DNS signatures is sinkhole, and the default sinkhole IP address is a Palo Alto Networks server.
The firewall can be configured to use a different IP address as the sinkhole address.
The sinkhole address does not need to belong to a real host. The only recommendation is that the sinkhole address be in a different zone than the DNS clients, so that an infected client's connection attempt to the sinkhole must traverse the firewall and is therefore recorded in the Traffic log, which is where the infected host's real IP address appears.
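The identification step described above, as an added example that is not part of the original notes: two constructed log extracts in a simplified CSV layout (not the PAN-OS export format) show why the Threat log alone points at the resolver, while connections to the sinkhole address in the Traffic log reveal the infected clients. The sinkhole address, the resolver address and all log lines are assumptions constructed for the example.

```python
import csv
import io
from collections import Counter

# Assumptions for this example: a custom sinkhole address in the TEST-NET-3
# range (the firewall's default is a Palo Alto Networks server) and an
# internal recursive resolver that forwards client queries upstream.
SINKHOLE_IP = "203.0.113.9"
INTERNAL_DNS = "10.1.1.5"

# Constructed sample logs in a simplified CSV layout; this is not the
# PAN-OS export format, only the fields the analysis needs.
THREAT_LOG = """\
time,src_ip,dst_ip,src_zone,dst_zone,domain,action
2024-05-01T10:00:01,10.1.1.5,198.51.100.53,trust,untrust,bad-domain.example,sinkhole
2024-05-01T10:00:07,10.1.1.5,198.51.100.53,trust,untrust,c2.example,sinkhole
"""

TRAFFIC_LOG = """\
time,src_ip,dst_ip,dst_port,src_zone,dst_zone,action
2024-05-01T10:00:02,10.1.1.23,203.0.113.9,443,trust,sinkhole,allow
2024-05-01T10:00:03,10.1.1.23,198.51.100.80,443,trust,untrust,allow
2024-05-01T10:00:08,10.1.1.57,203.0.113.9,80,trust,sinkhole,allow
2024-05-01T10:00:09,10.1.1.23,203.0.113.9,443,trust,sinkhole,allow
"""


def _rows(log_text):
    return list(csv.DictReader(io.StringIO(log_text)))


def sources_in_threat_log(log_text):
    """Count the source IPs of sinkholed DNS queries in the Threat log.

    Clients query the internal resolver, which forwards upstream, so the
    resolver appears as the source and the infected client is hidden.
    """
    return dict(Counter(r["src_ip"] for r in _rows(log_text)
                        if r["action"] == "sinkhole"))


def sinkhole_hits(log_text, sinkhole_ip=SINKHOLE_IP):
    """Count connections per source IP to the sinkhole address in the Traffic log.

    A host that resolves a malicious domain receives the sinkhole IP and then
    tries to connect to it, so the infected client is the source of that flow.
    """
    return dict(Counter(r["src_ip"] for r in _rows(log_text)
                        if r["dst_ip"] == sinkhole_ip))


def infected_hosts(log_text, sinkhole_ip=SINKHOLE_IP, exclude=(INTERNAL_DNS,)):
    """Sorted list of internal hosts that contacted the sinkhole, excluding the resolver."""
    return sorted(ip for ip in sinkhole_hits(log_text, sinkhole_ip) if ip not in exclude)


def sinkhole_zone_ok(client_zone, sinkhole_zone):
    """The caveat from the notes: if the sinkhole address shares the clients'
    zone, the client-to-sinkhole attempt need not traverse the firewall and is
    not logged, so the infected host is never seen."""
    return client_zone != sinkhole_zone


if __name__ == "__main__":
    print("threat log sources:", sources_in_threat_log(THREAT_LOG))
    print("traffic log sinkhole hits:", sinkhole_hits(TRAFFIC_LOG))
    print("infected hosts:", infected_hosts(TRAFFIC_LOG))
```

Run against real exports, the same query works as a saved Traffic log filter on the sinkhole destination address; the point of the zone check is that an intrazone sinkhole would make the Traffic log empty even though the Threat log keeps filling with resolver entries.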
File Blocking Overview
A File Blocking profile blocks prohibited, malicious, or suspect files from being uploaded to or downloaded from the network.
Three actions can be taken when the profile detects a violation:
- Alert – Allows the transfer, but creates an entry in the Data Filtering log
- Continue – Logs the activity, but allows the file transfer only with the user's permission
- Block – Logs the activity and blocks the file transfer
The continue action presents the user with a response page, requiring a click on a Continue button before their file download or upload proceeds.
Because that response page has to be rendered in a browser, the continue action only works with the web-browsing application. It is a useful capability for preventing drive-by downloads, since a file the user did not ask for is never silently accepted.
File blocking can be applied per file type or per application. For example, file attachments could be blocked in Gmail but permitted to transfer via FTP.
Blocking Multi-Level Encoded Files
Files can be encoded in multiple layers of protocols and applications.
Encoding has legitimate uses, such as compression, but can also be used to smuggle malicious data in or to exfiltrate sensitive data out.
The Palo Alto firewall can decode a maximum of four levels of encoding in multi-level files. A file that exceeds four levels cannot be fully inspected, so a File Blocking profile can block it outright (the Multi-Level-Encoding file type).
The encoding methods the firewall can decode are base64, gzip, HTTP 1.1 chunked encoding, pkzip, qpencode (quoted-printable), and uuencode.
The configuration can be tested by zipping the same file five times, each archive inside the next, and attempting to pass the result through the firewall.
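Building the five-times-zipped test artefact and checking the decoding-depth rule, as an added example that is not code from the original notes or from Palo Alto Networks. It assumes the same four-level limit the notes state and handles three of the listed encodings (pkzip, gzip, base64) with standard-library decoders; the payload is a constructed text string.

```python
import base64
import binascii
import gzip
import io
import zipfile

# The notes say the firewall decodes at most four levels; this example mirrors
# that limit (assumption: the real limit is whatever the firewall enforces).
MAX_LEVELS = 4


def _zip_bytes(data, member="inner"):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, data)
    return buf.getvalue()


def wrap(data, layers):
    """Apply encodings innermost-first, e.g. ["zip"] * 5 zips the file five times."""
    for i, layer in enumerate(layers):
        if layer == "zip":
            data = _zip_bytes(data, f"layer{i}")
        elif layer == "gzip":
            data = gzip.compress(data)
        elif layer == "base64":
            data = base64.b64encode(data)
        else:
            raise ValueError(f"unsupported layer: {layer}")
    return data


def peel_one(data):
    """Strip one recognised encoding layer; return (kind, inner) or None."""
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            return "zip", (zf.read(names[0]) if names else b"")
    if data[:2] == b"\x1f\x8b":
        return "gzip", gzip.decompress(data)
    # base64 has no magic number: accept only if a strict decode round-trips.
    try:
        inner = base64.b64decode(data, validate=True)
        if inner and base64.b64encode(inner) == data:
            return "base64", inner
    except (binascii.Error, ValueError):
        pass
    return None


def decode_layers(data, max_levels=MAX_LEVELS):
    """Peel layers until the content is opaque or the limit is exceeded by one.

    Returns (kinds_outermost_first, exceeded). Decoding stops at level
    max_levels + 1, as the firewall would, rather than unpacking everything.
    """
    kinds = []
    while len(kinds) <= max_levels:
        step = peel_one(data)
        if step is None:
            break
        kind, data = step
        kinds.append(kind)
    return kinds, len(kinds) > max_levels


def file_blocking_verdict(data, max_levels=MAX_LEVELS):
    """'block' if the file is encoded deeper than can be inspected, else 'allow'."""
    kinds, exceeded = decode_layers(data, max_levels)
    return ("block" if exceeded else "allow"), kinds


# Constructed payload standing in for the file you would push through the firewall.
SAMPLE = b"constructed test payload: not an executable, just text\n"

if __name__ == "__main__":
    nested = wrap(SAMPLE, ["zip"] * 5)
    with open("multilevel-test.zip", "wb") as fh:  # artefact for the test in the notes
        fh.write(nested)
    print(file_blocking_verdict(nested))
```

Note that base64 detection is heuristic: short plain-text files that happen to be valid base64 will be counted as a layer, which is the same ambiguity a firewall decoder faces and one reason the depth limit is enforced rather than attempting unbounded decoding.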
Telemetry and Threat Intelligence
Telemetry is a community-driven approach to threat prevention.
It allows the firewall to collect and share information about applications, threats, and device health with Palo Alto Networks.
It can also perform passive DNS monitoring for all traffic.
The benefit of telemetry is that Palo Alto Networks uses the gathered intelligence to deliver improved intrusion prevention and spyware signatures to customers worldwide. It also allows Palo Alto Networks to test and evaluate experimental signatures with no impact on the administrator's network.
Telemetry is an opt-in feature, and which data is shared can be chosen through the Telemetry and Threat Intelligence settings.
All information gathered from telemetry is stored in the WildFire global cloud; anonymity is preserved and the data is not shared with third-party organisations.
Denial of Service Protection
DoS protection uses Layer 3 and Layer 4 packet header information to detect threats rather than signatures, and it is not tied to a Security policy rule.
A Zone Protection profile provides broad denial-of-service protection at the edge of the organisation's network, shielding the enterprise from volumetric DoS attacks before they consume resources behind the firewall.
The Zone Protection profile therefore acts as the first line of defence for the network.
DoS Protection policies and profiles complement it with flexible match criteria that protect destination zones and even specific hosts, such as web servers, DNS servers, or any other server that could be a target of DoS attacks.
Zone Protection: Flood Protection
The flood protection settings of a Zone Protection profile protect against the most common flood attacks: SYN floods, UDP floods, and ICMP floods.
All flood types use Random Early Drop (RED) for mitigation, except SYN floods, which offer a choice between Random Early Drop and SYN cookies.
There are three thresholds, expressed in packets per second, for each flood type in the Zone Protection profile:
- Alarm Rate – Rate above which the firewall generates a log event
- Activate – Rate at which the mitigation response (RED, or SYN cookies for SYN floods) starts
- Maximum – Rate above which all further packets are dropped
When using SYN cookies, set the Activate threshold to 0 so that SYN cookies are applied to every TCP connection attempt, rather than only once the SYN rate exceeds a threshold.
No Zone Protection profile is applied by default, even when a Threat Prevention licence is installed; one must be created and attached to each zone that needs it.
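The threshold logic and the two SYN mitigation choices above, as an added example that is not code from the original notes or from Palo Alto Networks: a classifier that maps a per-second rate to the Alarm/Activate/Maximum response, a RED drop curve, and a simplified stateless SYN cookie that shows why Activate can safely be 0 when cookies are in use. The threshold values, the secret key, the linear RED ramp and the cookie layout (no MSS encoding) are assumptions constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Threshold values are constructed for the example; real values are tuned per zone.
ALARM, ACTIVATE, MAXIMUM = 1000, 2000, 5000   # packets per second


def flood_action(pps, alarm=ALARM, activate=ACTIVATE, maximum=MAXIMUM):
    """Map a per-second packet rate to the zone-protection response."""
    if pps > maximum:
        return "drop-all"      # Maximum: every further packet is dropped
    if pps > activate:
        return "mitigate"      # Activate: RED (or SYN cookies for SYN floods) starts
    if pps > alarm:
        return "alarm"         # Alarm Rate: log event only
    return "pass"


def red_drop_probability(pps, activate=ACTIVATE, maximum=MAXIMUM):
    """Random Early Drop probability.

    Assumption: a linear ramp from 0 at Activate to 1 at Maximum, as in classic
    RED; the notes do not state the firewall's exact curve.
    """
    if pps <= activate:
        return 0.0
    if pps >= maximum:
        return 1.0
    return (pps - activate) / (maximum - activate)


def per_second_rates(timestamps):
    """Bucket packet arrival times (seconds, float) into per-second counts."""
    counts = Counter(int(t) for t in timestamps)
    return [counts[s] for s in range(min(counts), max(counts) + 1)]


def syn_mode(pps, activate, use_syn_cookies):
    """How SYNs are handled: with SYN cookies and Activate=0 every SYN gets a
    cookie; otherwise normal stateful handling until the rate exceeds Activate."""
    if use_syn_cookies and pps > activate:
        return "syn-cookie"
    if pps > activate:
        return "red"
    return "stateful"


# ---- SYN cookies: why Activate=0 is safe with them -------------------------
# A SYN cookie encodes the connection in the server's ISN instead of a state
# table entry; the returning ACK proves the client saw the SYN-ACK. This is a
# simplified construction (no MSS encoding), keyed with a constructed secret.
COOKIE_SECRET = b"constructed-demo-secret-rotate-me"


def syn_cookie(src, sport, dst, dport, counter, secret=COOKIE_SECRET):
    """ISN = 8-bit time counter || 24-bit keyed hash of the 4-tuple and counter."""
    msg = f"{src}:{sport}->{dst}:{dport}|{counter}".encode()
    tag = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")
    return (((counter & 0xFF) << 24) | tag) & 0xFFFFFFFF


def cookie_valid(ack, src, sport, dst, dport, now_counter, window=1, secret=COOKIE_SECRET):
    """Validate the final ACK statelessly: ack-1 must equal the cookie for the
    current counter or one within `window` ticks (cookies age out quickly)."""
    isn = ((ack - 1) & 0xFFFFFFFF).to_bytes(4, "big")
    for c in range(now_counter, now_counter - window - 1, -1):
        expect = syn_cookie(src, sport, dst, dport, c, secret).to_bytes(4, "big")
        if hmac.compare_digest(isn, expect):
            return True
    return False


if __name__ == "__main__":
    # Constructed SYN arrival times: 300 pps, then 1500, 3000 and 6000 pps.
    times = [0.5] * 300 + [1.5] * 1500 + [2.5] * 3000 + [3.5] * 6000
    for sec, pps in enumerate(per_second_rates(times)):
        print(sec, pps, flood_action(pps), f"drop p={red_drop_probability(pps):.2f}")
```

The cookie path keeps no per-SYN state, so a flood of spoofed SYNs costs only a hash per packet and a spoofed source can never complete the handshake; RED, by contrast, protects the state table by discarding legitimate and malicious SYNs alike once the rate passes Activate.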