Internet Gateway Best Practices

Presented by Tim Treat, Customer Success Architect, Palo Alto Networks, and David Guretz, Systems Engineer, Palo Alto Networks.

Internet Gateway Architecture View
(Diagram: Internet perimeter with VPN links to branch sites and mobile endpoints; DMZ; campus edge and campus core with LAN segmentation; IT-sanctioned SaaS apps and the next-generation threat cloud reached via the Internet.)
2015, Palo Alto Networks. Confidential and Proprietary.

Goals of Best Practices
Minimize the chances of successful intrusion by using strong security policy.
  Reduce the attack surface with App-ID and User-ID.
  Block known bad with Content-ID.
  Discover unknowns with WildFire.
  Decrypt to ensure full content inspection.
Know your network!
  Identify the presence of an attacker should an intrusion occur.
  Highlight violations of the security policy through logging/reporting.

Fundamental Requirements
Map all flows to user identities.
Limit application traffic based on user group needs.
Apply security profiles to limit risks in all cases.
Ensure visibility and control through the use of decryption.

Know Your Network

Attack Chain Gap Analysis: Protect Yourself at Every Attack Stage
Gartner Cyber Attack Chain stages: Delivery, Exploit and/or Install, C2, Privileged Operations, Resource Access, Exfiltration, Unauthorized Access, Unauthorized Use.
(Diagram legend: highlighted stages = Internet Gateway stages.)
Source: http://blogs.gartner.com/ramon-krikken/2014/08/08/introducing-gartners-cyber-attack-chain-model/

Attack Chain Gap Analysis: Perform a Gap Analysis at the Gateway
Work with our partners and teams to document your current state of protection, and get the most out of your investment.
Delivery, C2 and Exfil stages:
  ✓ User Control
  ✓ Application Control
  ✓ URL Filtering
  ✓ DNS Sinkhole
  ✓ Decryption
  ✓ Threat Prevention

Employ User Groups. Know Who: User-ID
Require known User-ID for traffic originating in user zones.
  Unknown users could have malware resident on their devices.
  Prevent embedded devices that never authenticate from reaching the Internet.
  Unknown users get no love. Use captive portal for initial configuration.
Incorporate user groups in policy to tune various best practices:
  Employee vs. non-employee distinction (e.g. decryption, blocking tunneling apps).
  QoS policy by user group.
  Easily identify application and threat activity by user rather than IP address.

Identify Whitelist Apps. Know What: App-ID
The goal is to use positive enforcement to permit required apps and deny all else.
Use a migration process to gradually refine the security policy to an application-based whitelist.
(Rulebase diagram, top to bottom: whitelisted applications by user; blocked applications; allow rules to help refine policy; implicit deny.)

Align User Groups and Whitelists: What's in the Whitelist?
(Diagram: app groups and app filters covering enterprise apps and personal apps, mapped to known users and their groups: Sales, HR, R&D, Employees; infrastructure apps such as NTP, STUN and OCSP.)

Block Unauthorized Apps: Unauthorized App Blocking
Applications must be explicitly blacklisted while the catch-all permit rules exist at the bottom of the rule base.
Blacklist applications that:
  Evade and bypass security: UltraSurf, Tor, Freegate, etc.
  Are misused or used by attackers: remote access, file sharing, tunneling, DNS.
(Chart: prevalence of evasive applications on networks, from about 10% to 30%: Tor, Hamachi, Ultrasurf, Glype-proxy, Freegate, PHProxy.)

Closely Monitor Suspicious Apps: Watch for Unwanted Activity
  Web browsing and SSL over non-standard ports by known users: investigate for potentially legitimate non-standard port usage by HTTP(S).
  Web browsing and SSL over non-standard ports by unknown users: investigate for potential User-ID coverage issues.
  Any app over app default: investigate unexpected apps that should be whitelisted or blacklisted.
  Any app over any port: investigate for potentially legitimate non-standard port usage by known applications; identify unknown traffic to create custom App-IDs.
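The four watch items above, and the "require known User-ID" rule from the User-ID slide, can be turned into a triage pass over exported traffic logs. The following is an added example, not Palo Alto Networks code: the log fields, the whitelist and the application-default port table are assumptions made for illustration.

```python
"""Triage traffic-log records against the "watch for unwanted activity" list.
Added example, not Palo Alto Networks code: the log fields, the whitelist and the
application-default port table are assumptions made for illustration."""
import csv
import io

# Assumed whitelist (the positive-enforcement app list) and app-default ports;
# a real firewall carries the default ports per App-ID.
WHITELIST = {"web-browsing", "ssl", "dns", "ntp"}
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "dns": {53},
                     "ntp": {123}, "bittorrent": {6881}}

# Constructed sample records (CSV); an empty src_user means User-ID had no mapping.
SAMPLE_LOG = """src_user,app,dst_port
corp\\alice,web-browsing,80
corp\\alice,ssl,8443
,web-browsing,8000
corp\\bob,dns,53
corp\\bob,unknown-tcp,6667
corp\\bob,bittorrent,6881
corp\\carol,ntp,8000
"""

def classify(rec):
    """Map one record to a triage bucket, or None when nothing needs a look."""
    app, port, user = rec["app"], int(rec["dst_port"]), rec["src_user"]
    default = APP_DEFAULT_PORTS.get(app)
    if default is None:
        return "unknown-traffic"          # identify it and create a custom App-ID
    if port not in default:
        if app in ("web-browsing", "ssl"):
            # HTTP(S) off its standard port: legitimate use, or a User-ID gap?
            return "web-nonstd-port-known-user" if user else "web-nonstd-port-unknown-user"
        return "app-nonstd-port"          # known app off its default port
    if app not in WHITELIST:
        return "unexpected-app"           # decide: whitelist it or blacklist it
    return None

def triage(log_text):
    """Return {bucket: [(user, app, port), ...]} for every record worth a look."""
    buckets = {}
    for rec in csv.DictReader(io.StringIO(log_text)):
        bucket = classify(rec)
        if bucket:
            buckets.setdefault(bucket, []).append(
                (rec["src_user"] or "<unknown>", rec["app"], int(rec["dst_port"])))
    return buckets

if __name__ == "__main__":
    for bucket, flows in sorted(triage(SAMPLE_LOG).items()):
        print(f"{bucket}: {flows}")
```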

Use Violation Reporting: Automate Whitelist Violation Reporting
(Screenshot slide.)

Follow-up on Whitelist Violations: Evaluate Whitelist Violations
Review whitelist violations and add them to known good or known bad.
For example, 79 unique remote access applications were found on eval networks across more than 6,600 orgs.
  4,400 organizations have 5 or more remote access applications.
  RDP was 48%. TeamViewer was 16%.
Do you really need 5 or more remote access applications? Considering...

Strictly Control Critical Apps: Choose What Wisely
TeamViewer: widely used remote access tool found on 75% of eval networks.
  Uses SSL, hops ports, is digitally signed.
  Free for non-commercial use, supported on many devices.
TeamSpy: background installation and full endpoint control.
  Dynamically patched in-memory to extend TeamViewer capabilities.
  Used for intelligence gathering and lateral movement in target networks.

Ensure Apps Operate as Intended: Service Definition
Block non-standard port usage; even for web browsing it is usually an evasion technique.
  Sample URL for the Neutrino Exploit Kit (EK): hxxp://du8siun.frapdays[.]com:8000
When migrating policy, do not remove existing service definitions if they're more restrictive than application-default.
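The rulebase rules from the whitelist, unauthorized-app and service-definition slides (known users from user zones, explicit blacklist rules above any catch-all permit, application-default rather than any service on whitelist rules) can be checked mechanically. The following linter is an added example, not Palo Alto Networks code; the rule dictionary layout, the user-zone name and the sample rulebase are constructed assumptions.

```python
"""Lint a security rulebase against the best practices on these slides.
Added example, not Palo Alto Networks code: the rule layout, the user-zone
name and the sample rulebase below are constructed assumptions."""

USER_ZONES = {"trust-users"}  # assumed: zones where traffic originates from users

# Constructed sample rulebase, evaluated top to bottom (first match wins).
RULES = [
    {"name": "block-evasion", "from": ["any"], "users": "any",
     "apps": ["ultrasurf", "tor", "freegate"], "service": "any", "action": "deny"},
    {"name": "allow-web-employees", "from": ["trust-users"], "users": "known-user",
     "apps": ["web-browsing", "ssl"], "service": "application-default", "action": "allow"},
    {"name": "allow-dns-servers", "from": ["trust-servers"], "users": "any",
     "apps": ["dns"], "service": "any", "action": "allow"},
    {"name": "temp-allow-any", "from": ["trust-users"], "users": "any",
     "apps": ["any"], "service": "any", "action": "allow"},
    {"name": "block-remote-access", "from": ["any"], "users": "any",
     "apps": ["teamviewer", "hamachi"], "service": "any", "action": "deny"},
]

def lint(rules):
    """Return (rule name, finding) pairs in rulebase order."""
    findings = []
    seen_catch_all = False   # an allow rule with apps=any above the current rule
    for r in rules:
        allow = r["action"] == "allow"
        any_app = "any" in r["apps"]
        from_user_zone = any(z in USER_ZONES for z in r["from"])
        if allow and from_user_zone and r["users"] == "any":
            findings.append((r["name"], "allows unknown users from a user zone; require known User-ID"))
        if allow and not any_app and r["service"] == "any":
            findings.append((r["name"], "whitelisted app allowed on any port; use application-default"))
        if allow and any_app:
            findings.append((r["name"], "catch-all permit still present; migration to whitelist incomplete"))
            seen_catch_all = True
        if r["action"] == "deny" and seen_catch_all:
            findings.append((r["name"], "blacklist rule sits below a catch-all permit and is shadowed"))
    return findings

if __name__ == "__main__":
    for name, finding in lint(RULES):
        print(f"{name}: {finding}")
```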

Block Known Bad URLs: URL Filtering
Block dangerous URL filtering categories outright: malware, phishing, questionable, parked, proxy-avoidance-and-anonymizers, unknown, dynamic-dns.
Combine with a strict file blocking profile and the full threat prevention feature set to limit exposure.

Block Known Malicious Domains
(Chart: Dynamic DNS domain resolution, WildFire inspection results; per domain, the share of malicious files querying it vs. benign files querying it, 0% to 100%.)

Eliminate Known Bad Files: Block Dangerous File Types
Looks like a PDF file; inside is an .exe with a PDF icon.

Block High-Risk Files: File Blocking
Block:
  Block all executable (PE) files wherever possible.
  Block other high-risk file types: help (.hlp), shortcuts (.lnk), Java (.java, .class), Flash (.swf).
  Block encrypted RAR or other uncommon archive file types used for data exfiltration.
Alert:
  Alert on all file types for visibility in both directions; useful for monitoring and investigations.
Options: What if you can't block all executables as recommended?
  Forward PE files to WildFire.
  Use the Continue action to thwart drive-by downloads and give users a moment of pause.
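The "PDF that is really an .exe" case above is why file blocking must key on content, not on the file name or icon. The following check is an added example, not Palo Alto Networks code; the sample bytes are constructed and the PE test inspects only the DOS header and PE signature.

```python
"""Identify a Windows executable (PE) by its bytes rather than its name or icon.
Added example, not Palo Alto Networks code; sample files below are constructed."""
import struct

PDF_MAGIC = b"%PDF-"

def is_pe(data: bytes) -> bool:
    """True when data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify_file(name: str, data: bytes) -> str:
    """Compare what the name claims with what the content is; the content wins."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if is_pe(data):
        # A PE named .exe is an ordinary executable; anything else is disguised.
        return "pe" if ext == "exe" else f"pe-disguised-as-{ext or 'noext'}"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "other"

def file_blocking_action(name: str, data: bytes) -> str:
    """Apply the slide's rule: block PE files regardless of name, alert on the rest."""
    verdict = classify_file(name, data)
    return "block" if verdict.startswith("pe") else "alert"

def fake_pe() -> bytes:
    """Constructed minimal PE-looking blob: DOS header, e_lfanew=0x40, PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

if __name__ == "__main__":
    for name, data in [("invoice.pdf", fake_pe()), ("report.pdf", b"%PDF-1.7\n%...")]:
        print(name, classify_file(name, data), file_blocking_action(name, data))
```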

Strict Profiles for Vulnerability Protection: Vulnerability Protection
Use the Strict profile to block client- and server-side vulnerabilities.
Protects against popular exploit kits targeting client-side vulnerabilities: Angler, Rig, Sweet Orange, Magnitude, Nuclear, Hanjuan, Neutrino, Fiesta.
No need to tune the signature set for performance, unlike most competitors.

Strict Blocking for Known C2: Anti-Spyware
Command and Control (C2) protection:
  C2 detection focused on top malware families and RATs.
  Payload- and DNS-based anti-C2 signatures.
  25,000+ DNS C2 signatures created per day via WildFire.
  Passive DNS increasing our threat intelligence.
Clone the Strict profile:
  Set DNS signatures to block.
  Enable DNS sinkhole for added intelligence collection.
  Enable Passive DNS monitoring.

WildFire and Antivirus Across All Applications: WildFire and Antivirus
Enable WildFire for all supported file types traversing the perimeter.
  Discover 0-day malware and exploits within PDFs, Office documents, web-based attacks (Flash, Java), and Android mobile malware.
Forward to WildFire:
  All PE files, if not blocking them per the file blocking best practice.
  All Adobe Flash and Reader files (PDF, SWF).
  All Microsoft Office files (PowerPoint, Excel, Word, RTF).
  All Java-related files (Java, CLASS).
  All Android files (APK).
Antivirus protection:
  Set antivirus and WildFire antivirus signatures to block over all applications.

>40% of ALL traffic is encrypted.
15% of WildFire web-based malware is delivered over SSL.

Enable Decryption: Decryption
Decrypt everything except sensitive categories.
  Sensitive: Health, Finance, Government, Military, Shopping, Banking.
Use bypass rules only where required, and be precise:
  Specific destinations (IP or URL).
  Specific users or groups.
Apply certificate controls in the decryption profile to mitigate risk.

Use Exceptions Where Needed: Decryption Exceptions?
  An important application breaks due to decryption: bypass with destination IP or URL.
  A site uses sensitive information but is in a category that should otherwise be decrypted.
  Specific users need to be excluded for regulatory or legal reasons.
  A site (typically a partner site) needs to bypass strict certificate controls.

A Call To Action
Schedule an attack chain gap analysis with one of our partners or sales teams.
Commit to fully implementing all Internet Gateway best practices:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/best-practice-internet-gateway-security-policy.html

Questions?