Palo Alto Networks Next-Generation Firewalls
Palo Alto Networks has built a next-generation firewall with several innovative technologies that enable organizations to fix the firewall. These technologies bring business-relevant elements (applications, users, and content) under policy control on a high-performance, purpose-built platform based on the Palo Alto Networks single-pass parallel processing (SP3) architecture. Unique to the SP3 architecture, traffic is examined only once, using hardware with dedicated processing resources for security, networking, content scanning and management to provide line-rate, low-latency performance under load.
Application Traffic Classification
Accurate traffic classification is the heart of any firewall, with the result becoming the basis of the security policy. Traditional firewalls classify traffic by port and protocol, which was once a satisfactory mechanism for securing the perimeter. Today, applications can easily bypass a port-based firewall: hopping ports, using SSL and SSH, sneaking across port 80, or using non-standard ports. App-ID™, a patent-pending traffic classification mechanism that is unique to Palo Alto Networks, addresses the traffic classification limitations that plague traditional firewalls by applying multiple classification mechanisms to the traffic stream, as soon as the device sees it, to determine the exact identity of the applications traversing the network.
Classify traffic based on applications, not ports.
App-ID uses multiple identification mechanisms to determine the exact identity of applications traversing the network. The identification mechanisms are applied in the following manner:
- Traffic is first classified based on the IP address and port.
- Signatures are then applied to the allowed traffic to identify the application based on unique application properties and related transaction characteristics.
- If App-ID determines that encryption (SSL or SSH) is in use and a decryption policy is in place, the session is decrypted and application signatures are applied again on the decrypted flow.
- Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (e.g., Yahoo! Instant Messenger used across HTTP).
- For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
As the applications are identified by the successive mechanisms, the policy check determines how to treat the applications and associated functions: block them, or allow them and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.
Always on, always the first action taken across all ports.
Classifying traffic with App-ID is always the first action taken when traffic hits the firewall, which means that all App-IDs are always enabled by default. There is no need to enable a series of signatures to look for an application that is thought to be on the network; App-ID is always classifying all of the traffic, across all ports, not just a subset of the traffic (e.g., HTTP). All App-IDs are looking at all of the traffic passing through the device: business applications, consumer applications, network protocols, and everything in between. App-ID continually monitors the state of the session to determine if the application changes midstream; when it does, the updated application is shown to the administrator in the ACC (Application Command Center), the appropriate policy is applied and the change is logged. Like traditional firewalls, Palo Alto Networks next-generation firewalls use positive control: all traffic is denied by default, and only the applications that policy explicitly allows are permitted. All else is blocked.
All classification mechanisms, all application versions, all OSes.
App-ID operates at the services layer, monitoring how the application interacts between the client and the server. This means that App-ID is indifferent to new application features and is agnostic to the client or server operating system. The result is that a single App-ID for BitTorrent roughly equals the many BitTorrent OS- and client-specific signatures that need to be enabled to try to control this application in other offerings.
Full visibility and control of custom and internal applications
Internally developed or custom applications can be managed using either an application override or a custom App-ID. An application override effectively renames the traffic stream to that of the internal application; because the override is matched on zone, address, port and protocol, App-ID and content inspection are skipped for that traffic, so an override suits trusted internal protocols rather than traffic that still needs threat inspection. The other mechanism is a custom App-ID built from context-based signatures for HTTP, HTTPS, FTP, IMAP, SMTP, RTSP, Telnet, and unknown TCP/UDP traffic, which keeps the traffic under the same inspection as any other identified application. Organizations can use either of these mechanisms to exert the same level of control over their internal or custom applications that may be applied to SharePoint, Salesforce.com, or Facebook.
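The classification cascade listed under "Classify traffic based on applications, not ports" and the custom App-ID for an internal application described just above, as an added example. This is illustrative Python written for this page, not Palo Alto Networks code: the payload signatures, the hypothetical host names `msg.yahoo.example` and `timesheet.corp.example`, and the allow list are all constructed assumptions. It shows why the port-based guess and the signature-based result differ (SSH on 443, an internal app on 8080), how a decryption policy lets signatures run again on the clear text, how a decoder finds an application tunnelled inside HTTP, and that anything still unknown is denied under positive control.

```python
"""Added example: an App-ID-style classification cascade with default-deny policy.
Illustrative only; signatures, host names and policy are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    payload: bytes          # first client-to-server bytes (constructed sample)
    decrypted: bytes = b""  # clear text a decryption policy would expose, if any


# 1. Port-based pre-classification: what a traditional firewall stops at.
PORT_HINT = {22: "ssh", 80: "web-browsing", 443: "ssl"}

# 2. Signatures on application properties, evaluated regardless of port.
SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("ssl", lambda p: p[:3] == b"\x16\x03\x01"),          # TLS record: handshake, v3.1
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("web-browsing", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD")),
]


def http_headers(p: bytes) -> dict:
    """Minimal decoder: request headers as a lower-cased dict."""
    head = p.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")[1:]
    return {k.strip().lower(): v.strip()
            for k, v in (ln.split(":", 1) for ln in lines if ":" in ln)}


# 3. Decoder-level, context-based signatures on HTTP: a consumer messaging app
#    tunnelled over HTTP and a custom App-ID for an internal application.
#    Both host names are hypothetical.
HTTP_CONTEXT_SIGS = [
    ("yahoo-messenger", lambda h: h.get("host", "").endswith("msg.yahoo.example")),
    ("intranet-timesheet", lambda h: h.get("host", "") == "timesheet.corp.example"),
]


def classify(flow: Flow) -> str:
    payload = flow.payload
    app = next((name for name, match in SIGNATURES if match(payload)), None)
    # Encryption seen and a decryption policy applies: re-run signatures on clear text.
    if app == "ssl" and flow.decrypted:
        payload = flow.decrypted
        app = next((name for name, match in SIGNATURES if match(payload)), "unknown-tcp")
    # Known protocol: let the decoder look for something riding inside it.
    if app == "web-browsing":
        hdrs = http_headers(payload)
        app = next((name for name, match in HTTP_CONTEXT_SIGS if match(hdrs)), "web-browsing")
    if app is None:
        app = "unknown-tcp"   # heuristics would run here; what stays unknown is reported as such
    return app


# Positive control: only listed applications pass; everything else is denied.
ALLOWED = {"web-browsing", "ssl", "intranet-timesheet"}


def decide(flow: Flow) -> tuple[str, str, str]:
    """Return (port-based guess, App-ID result, action) so the two can be compared."""
    app = classify(flow)
    return PORT_HINT.get(flow.dst_port, "unknown"), app, ("allow" if app in ALLOWED else "deny")


if __name__ == "__main__":
    for f in (Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),
              Flow(8080, b"POST /api HTTP/1.1\r\nHost: timesheet.corp.example\r\n\r\n"),
              Flow(9999, b"\x00\x01\x02")):
        print(f.dst_port, decide(f))
```

The port hint is returned only to make the contrast visible; the decision never uses it. A real deployment would also pin allowed applications to their default ports (application-default service) so that an allowed application cannot be used on an arbitrary port.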
Securely Enabling Applications Based on Users & Groups
Traditionally, security policies were applied based on IP addresses, but the increasingly dynamic nature of users and applications means that IP addresses alone have become ineffective as a mechanism for monitoring and controlling user activity. Palo Alto Networks next-generation firewalls integrate with a wide range of user repositories and terminal service offerings, enabling organizations to incorporate user and group information into their security policies. Through User-ID, organizations also get full visibility into user activity on the network as well as user-based policy-control, log viewing and reporting.
Transparent use of users and groups for secure application enablement.
User-ID seamlessly integrates Palo Alto Networks next-generation firewalls with the widest range of enterprise directories on the market: Active Directory, eDirectory, OpenLDAP and most other LDAP-based directory servers. The User-ID agent communicates with the domain controllers, forwarding the relevant user-to-IP mapping information to the firewall, making the policy tie-in completely transparent to the end user.
Identifying users via a browser challenge.
In cases where a user cannot be automatically identified through a user repository, a captive portal can be used to identify users and enforce user-based security policy. To make the authentication process transparent to the user, Captive Portal can be configured to send an NTLM authentication challenge to the web browser instead of an explicit username and password prompt. The browser answers that challenge silently only when it already trusts the portal's host (for example, a domain-joined Windows browser that treats the portal as an intranet site); otherwise the user still sees a credential prompt.
Integrate user information from other user repositories.
Transparently extend user-based policies to non-Windows devices.
Visibility and control over terminal services users
In addition to support for a wide range of directory services, User-ID provides visibility and policy control over users whose identity is otherwise hidden by a Terminal Services deployment (Citrix or Microsoft), where many users share one source IP address. Completely transparent to the user, every session is correlated to the appropriate user, which allows the firewall to associate network connections with the users and groups sharing one host on the network. Once the applications and users are identified, full visibility and control within ACC, policy editing, logging and reporting is available.
High Performance Threat Prevention
Content-ID combines a real-time threat prevention engine with a comprehensive URL database and elements of application identification to limit unauthorized data and file transfers, detect and block a wide range of threats and control non-work related web surfing. The application visibility and control delivered by App-ID, combined with the content inspection enabled by Content-ID means that IT departments can regain control over application traffic and the related content.
The NSS-rated IPS blocks known and unknown vulnerability exploits, buffer overflows, DoS attacks and port scans from compromising and damaging enterprise information resources. IPS mechanisms include:
- Protocol decoder-based analysis statefully decodes the protocol and then intelligently applies signatures to detect vulnerability exploits.
- Protocol anomaly-based protection detects non-RFC-compliant protocol usage, such as an overlong URI or an overlong FTP login.
- Stateful pattern matching detects attacks across more than one packet, taking into account elements such as the arrival order and sequence.
- Statistical anomaly detection prevents rate-based DoS flooding attacks.
- Heuristic-based analysis detects anomalous packet and traffic patterns such as port scans and host sweeps.
- Custom vulnerability or spyware phone-home signatures that can be used in either the anti-spyware or vulnerability protection profiles.
- Other attack protection capabilities, such as blocking invalid or malformed packets, IP defragmentation and TCP reassembly, are used to protect against the evasion and obfuscation methods employed by attackers.
Traffic is normalized to eliminate invalid and malformed packets, while TCP reassembly and IP defragmentation are performed so that signatures are matched against the same byte stream the endpoint will see, preserving accuracy and protection despite attack evasion techniques.
URL Filtering
Complementing the threat prevention and application control capabilities is a fully integrated URL filtering database of 20 million URLs across 76 categories that enables IT departments to monitor and control employee web surfing activities. The on-box URL database can be augmented to suit the traffic patterns of the local user community with a custom database of up to 1 million URLs. URLs that are not categorized by the local URL database can be pulled into the cache from a hosted database of 180 million URLs. In addition to database customization, administrators can create custom URL categories to further tailor the URL controls to their specific needs. URL filtering visibility and policy controls can be tied to specific users through the transparent integration with enterprise directory services (Active Directory, LDAP, eDirectory), with additional insight provided through customizable reporting and logging.
File and Data Filtering
Data filtering features enable administrators to implement policies that will reduce the risks associated with the transfer of unauthorized files and data.
- File blocking by type: Control the flow of a wide range of file types by looking deep within the payload to identify the file type (as opposed to looking only at the file extension).
- Data filtering: Control the transfer of sensitive data patterns such as credit card and Social Security numbers in application content or attachments.
- File transfer function control: Control the file transfer functionality within an individual application, allowing application use yet preventing undesired inbound or outbound file transfer.
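The first two items above, file identification by content rather than extension and data-pattern filtering, as an added example. This is illustrative Python written for this page, not Palo Alto Networks code: the magic-byte table, the blocked-type set, the card and SSN patterns and the sample inputs are all constructed. It shows an executable renamed to `.pdf` being blocked on its `MZ` header, and a card-number pattern that is only reported when the digits pass the Luhn check, which keeps an arbitrary 16-digit string from being flagged.

```python
"""Added example: file-type identification from leading bytes (not the extension),
and data-pattern filtering for Luhn-valid card numbers and US SSNs.
Illustrative only; tables, patterns and samples are constructed."""
from __future__ import annotations
import re

# Leading bytes -> type. The extension is deliberately not consulted.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),              # also docx/xlsx/jar containers
    (b"\x89PNG\r\n\x1a\n", "png"),
]
BLOCKED_TYPES = {"pe-executable", "elf-executable"}   # assumed policy


def file_type(data: bytes) -> str:
    return next((t for magic, t in MAGIC if data.startswith(magic)), "unknown")


def file_decision(filename: str, data: bytes) -> tuple[str, str]:
    """Decide on content; the filename is accepted only so a mismatch can be logged."""
    ftype = file_type(data)
    return ftype, ("block" if ftype in BLOCKED_TYPES else "allow")


# 13-19 digits with optional space/hyphen separators, then Luhn-validated.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form; areas 000, 666 and 900-999, group 00 and
# serial 0000 are never issued, so they are excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return card numbers (digits only, Luhn-valid) and SSNs found in text."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(digits)
    return {"cards": cards, "ssns": SSN_RE.findall(text)}


if __name__ == "__main__":
    print(file_decision("report.pdf", b"MZ\x90\x00\x03\x00\x00\x00"))   # constructed PE header
    print(find_sensitive("card 4111 1111 1111 1111, ssn 078-05-1120"))
```

The Luhn check is what makes the card pattern usable in a blocking rule rather than an alert-only one; without it, order numbers and timestamps of the right length generate a steady stream of false positives.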