Categories
EDU-110 Study Palo Alto

Palo Alto EDU-110: Content-ID

Objectives:

Describe the seven different Security Policy Types

Define the two predefined Vulnerability Protection Profiles

Configure Security Profiles to rpevent virus and spyware infiltration

Configure File Blocking Profiles to identify and control the flow of file types through the firewall

Configure a DoS profile to help mitigate Layer 3 and Layer 4 protocol based attacks

Content ID Overview

Content I.D. is a real time threat prevention engine with administrator created policies to inspect and control content flowing through the firewall.

Content I.D. offers a method of detection based on complete analysis of all allowed traffic throught the firewall.

Multiple threat prevention and data loss capabilities are combined into a single unified engine

Applications are identified almost immediatly by the firewall, and allow allowed traffic is analysed for exploits, virures, spyware, malicious URLs and dangerous files or restricted content

Security Policies with Security Profiles

When a security policy rule permits traffic through the firewall, a security profile can be attached than deepens a scan into the traffic flowing through the firewall interface.

It can check for viruses, scan for spyware or exploits, is a malicious URL being accessed? Or is sensitive organisation data being leaked externally?

If a match is found, a predefined action can be taken against the offending session. Simply allow the traffic through, or block it. Ask the user permission if they wish to continue with the offending session, or simply log the threat for an administrator to review later.

Security Profile Types

Vulnerability Protection

Vulnerability protection attempts to scan for known exploiting of vulnerabilities in software taking place in a session

URL Filtering

URL filtering classifies web browsing into categories, and can control it based on it’s content

Anti-Spyware

Anti spyware picks up and nullifys downloading of spyware downlods, carried out from installed spyware from inside the organisation

Antivirus

Antivirus picks up on infected files being transferred from within an application

File Blocking

File blocking tracks and blocks file uploads, and downloads based on the file type and application

Data Filtering

Data filtering identifies and blocks transfer of specific data patterns (credit card numbers) found in network traffic

WildFile Analysis

WildFire forwards unknown files to the WildFire service for malware analysis

Security Profile Group

A security profile group is a set of security profiles treated as a unit, to simply the task of adding seperate profiles to a policy rule.

Anti Spyware DNS Signatures

The cloud based DNS signature database allows instant access to anti-spyware DNS signatures without needing to download any update packets.

It includes built in domain protection logic too, that can detect potentially harmful domains

Each list added to the profile can be configured with their own action. These actions are allow, alert, block, and sinkhole

DNS signature exceptions can be manually added too, meant for the purpose of handling false positives.

To add an exception, enter the DNS signature threat I.D. number in the threat log, and click ‘ADD’.

Anti Spyware Sinkhole Operation

The DNS sinkhole allows infected hosts on the network to be quickly identified.

The default action for Palo Alto DNS signatures is to sinkhole, and the sinkhole IP is a Palo Alto networks server.

The firewall itself can be configured to use another IP address as the sinkhole address.

The sinkhole address does not need to be connected to a real host. The only recommendation would be that the sinkhole address be in a different zoen than the DNS client, so that the traffic violation is logged on the firewall.

File Blocking Overview

File blocking profile blocks prohibited, malicious or suspect files from being downloaded or uploaded to the network.

Three actions can be taken when the profile detects a violation

  • Alert – Allows the transfer, but creates an entry in the data filtering log
  • Continue – Log the activity but allows a file transfer only with the users permission
  • Block – Logs the activity and blocks the file transfer

The continue action gives the user a respone page, requiring a click of a continue button to continue their file download or upload.

The continue action only works when paired to the web-browsing application, and is a useful capability to prevent drive-by downloads.

File blocking can be done on a file type, or per application basis. For example, file attachments could be blocked in gmail but permitted to transfer via FTP.

Blocking Multi-Level Encoded Files

Files can be encoded by multiple layers of protocols and applications.

Encoding has legitimate uses, such as compression, but can also be used to insert malicious data and upload sensitive data.

The Palo Alto firewall can decode a maximum of four-levels of encoding in multi-level files. If a file exceeds this number of levels, it can be blocked by a File Blocking Profile.

Encoding methods that the firewall can decode, are base64, gzip, HTTP 1.1 chunked encoding, pkzip, qpencode, and uuencode.

The configuration can be tested by zipping the same file five times, and attempt to pass the file through the firewall.

Telemetry and Threat Intelligence

Telemetry is a community driven approach to threat prevention.

It allows your firewall to collect and share information about applications, threats, and device health with Palo Alto.

it also performs passive DNS monitoring for all traffic.

The benefits from telemetry is Palo Alto uses the intelligence gathered to delviery enhanced intrusion prevention systems, and spyware signatures to customers worldwide. It allows Palo Alto to test and evaluate experimental sgiantures with no impact to the administrators network.

Telemetry is an opt in feature, and which is shared can be cgosen through the telemetry and threat intelligence settings.

All information gathered from telemetry is saved to the wildfire global cloud, with anonymity preserved and not shared with third party organisations.

Denial of Service Protection

DoS protections use packet header information from layer 3 and layer 4 to detect threats rather than a signature, and are not linked to a security policy.

The zone based protection profile provides a wide comprehensive denial of service protection from the edge of the organisations network, preventing the enterprise engaging from a volumetric denial of service attack.

This DoS zone protection profile acts as a first line of defence for the network.

The DoS protection policy and profiles allow flexible rules and criteria to be matched that protects destination zones and even specific hosts suchg as web servers, dns serves, or any other server that could be prone to DoS attacks.

Zone Protection: Flood Protection

The flood protection profile protects against the most common SYN flood, UDP flood, and ICMP flood attacks

All the categories use random early drop for protection except for SYN, which gives a choice between random early drop and SYN cookies.

There are three thresholds for the zone protection profile,

  1. Alarm Rate – Trigger log events
  2. Activate – Active the mitigation response
  3. Maximum – All further packets above this rate are dropped

When using SYN cookies, the activate threshold should be set to 0 to ensure all TCP connection attempts are tracked

The zone protection profile is disabled by defaulty when the threat prevention licence is installed

Leave a Reply

Your email address will not be published. Required fields are marked *