End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto Networks)

Jul 14, 2015

Page 1

End to End Security With Palo Alto Networks
Onur Kasap, Systems Engineer
November 2014, Kiev

Page 2

PALO ALTO NETWORKS AT-A-GLANCE

CORPORATE HIGHLIGHTS
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications and preventing cyber threats
• Able to address all enterprise cybersecurity needs
• Exceptional ability to support global customers
• Experienced team of 1,700+ employees
• Q4FY14: $178.2M revenue

REVENUES ($MM): FY09 $13 | FY10 $49 | FY11 $119 | FY12 $255 | FY13 $396 | FY14 $598
ENTERPRISE CUSTOMERS: Jul-11 4,700 | Jul-12 9,000 | Jul-13 13,500 | Jul-14 19,000

Page 3

A clear market leader – again

A leader for 3 years in a row in the magic quadrant for enterprise network firewalls

Page 4

Applications Have Changed, Firewalls Haven’t

Network security policy is enforced at the firewall
• Sees all traffic
• Defines boundary
• Enables access

Traditional firewalls don’t work any more

Page 5

Encrypted Applications: Unseen by Firewalls

What happens when traffic is encrypted?
• SSL
• Proprietary encryption

Page 6

Technology Sprawl and Creep Aren’t the Answer

(Diagram: enterprise network connected to the Internet through a stack of firewall “helpers”: IM, DLP, IPS, Proxy, URL, AV, UTM)
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address application “accessibility” features

Page 7

Competitors’ Firewall Architecture

(Diagram: packet inspection flow in which each function has its own signatures, policy and inspection engine)
• App signatures → Application policy → Application inspection
• IPS signatures → IPS policy → Threat inspection
• Virus signatures → Anti-virus proxy → AV inspection
• URL signatures → Web filtering policy → URL inspection
• Stateful FW policy → Port-based session inspection → L4 session table

Page 8

Application Control Belongs in the Firewall

Application Control as an Add-on
(Diagram: port-based policy decision in the firewall on port traffic, then an app control policy decision in the IPS, which scans applications for threats)
• Port-based decision first, apps second
• Applications treated as threats; only block what you expressly look for
Ramifications
• Two policies/log databases, no reconciliation
• Unable to effectively manage unknowns

Application Control in the Firewall
(Diagram: app control policy decision made on application traffic in the firewall itself)
• Firewall determines application identity; across all ports, for all traffic, all the time
• All policy decisions made based on application
Ramifications
• Single policy/log database – all context is shared
• Policy decisions made based on shared context
• Unknowns systematically managed

Page 9

Evasive Applications

(Diagram: Yahoo Messenger and a BitTorrent client behind a port-based firewall. Port 80: open. Port 5050: blocked. Port 6681: blocked.)

Page 10

Scenario 1: DNS Traffic

Legacy firewalls
• Firewall rule: ALLOW Port 53
• DNS: packet on port 53, allow
• BitTorrent: packet on port 53, allow. Visibility: port 53 allowed

Palo Alto Networks firewalls with App-ID
• Firewall rule: ALLOW DNS
• DNS = DNS: allow
• BitTorrent ≠ DNS: deny. Visibility: BitTorrent detected and blocked

Page 11

Scenario 2: BitTorrent with Application IPS

Legacy firewalls with an application IPS
• Firewall rule: ALLOW Port 53; Application IPS rule: Block BitTorrent
• DNS: packet on port 53, allow
• BitTorrent: deny. Visibility: BitTorrent detected and blocked

Palo Alto Networks firewalls with App-ID
• Firewall rule: ALLOW DNS
• DNS = DNS: allow
• BitTorrent ≠ DNS: deny. Visibility: BitTorrent detected and blocked

Page 12

Scenario 3: Zero-day Malware

Legacy firewalls with an application IPS
• Firewall rule: ALLOW Port 53; Application IPS rule: Block BitTorrent
• DNS: packet on port 53, allow
• BitTorrent: deny
• Zero-day C&C: C&C ≠ BitTorrent, allow. Visibility: packet on port 53 allowed

Palo Alto Networks firewalls with App-ID
• Firewall rule: ALLOW DNS
• DNS = DNS: allow
• Zero-day C&C: Command & Control ≠ DNS, deny. Visibility: unknown traffic detected and blocked

Page 13

The Answer? Make the Firewall Do Its Job

1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment

Page 14

Making the Firewall a Business Enablement Tool
• App-ID™: identify the application
• Content-ID™: scan the content
• User-ID™: identify the user

Page 15

Enabling Applications, Users and Content (image slide)

Page 16

Single-Pass Parallel Processing™ (SP3) Architecture

Single Pass
• Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning – threats, URLs, confidential data
• One policy

Parallel Processing
• Function-specific parallel processing hardware engines
• Separate data/control planes

Page 17

Single Pass Platform Architecture (diagram slide)

Page 18

PAN-OS Core Firewall Features

Visibility and control of applications, users and content complement core firewall features.

Strong networking foundation
• Dynamic routing (BGP, OSPF, RIPv2)
• Tap mode – connect to SPAN port
• Virtual wire (“Layer 1”) for true transparent in-line deployment
• L2/L3 switching foundation
• Policy-based forwarding

VPN
• Site-to-site IPSec VPN
• Remote access (SSL) VPN

QoS traffic shaping
• Max/guaranteed and priority
• By user, app, interface, zone, & more
• Real-time bandwidth monitor

Zone-based architecture
• All interfaces assigned to security zones for policy enforcement

High Availability
• Active/active, active/passive
• Configuration and session synchronization
• Path, link, and HA monitoring

Virtual Systems
• Establish multiple virtual firewalls in a single device (PA-7050, PA-5000, PA-3000, and PA-2000 Series)

Simple, flexible management
• CLI, Web, Panorama, SNMP, Syslog

Platforms: PA-200; PA-500; PA-2000 Series (PA-2050, PA-2020); PA-3000 Series (PA-3050, PA-3020); PA-5000 Series (PA-5060, PA-5050, PA-5020); VM-Series (VM-300, VM-200, VM-100, VM-1000-HV); PA-7050

Page 19

Flexible Deployment Options For Ethernet Interfaces

Tap Mode
• Application, user and content visibility without inline deployment
• Evaluation and audit of existing networks

Virtual Wire Mode
• Application ID, Content ID, User ID, SSL decryption
• Includes NAT capability

Layer 3 Mode
• All of the Virtual Wire Mode capabilities with the addition of Layer 3 services: virtual routers, VPN and routing protocols

Page 20

Threat Prevention of Zero-Day Attacks: WildFire and Traps

Page 21

Why change

• Targeted attacks can only be solved on the endpoint
• Attackers are more sophisticated and well funded
• Launching zero-day attacks is more accessible and common

71% of breaches involve a targeted user device
78% of exploit kits utilize vulnerabilities less than 2 years old
91% increase in targeted attacks in 2013

Page 22

Flow of a RAT Attack with 0-day Malware

(Diagram: popular website (landing site), malware repository, hop point, victim, attacker (C&C))
1. The attacker injects the URL into a site under his control, preferably a legitimate one
2. The victim visits the site and is redirected to the malicious URL (iframe)
3. The victim visits the URL and the drive-by download executes
4. The victim downloads and installs the malware, which takes the station into the botnet

Page 23

Attack Stages of a Drive-by Download / Web Attack

1. Targeted malicious email sent to user
2. User clicks on link to a malicious website
3. Malicious website silently exploits client-side vulnerability with a web attack toolkit
4. Drive-by download of malicious payload

Page 24

Targeted Attack Example (image slide)

Source: http://infosec3t.com/wp-content/uploads/2010/03/contagio_targeted_attack_email_2.png

Page 25

(Image slide)

Source: http://www.symantec.com/threatreport/topic.jsp?id=malicious_code_trends&aid=triage_analysis_of_targeted_attacks

Page 26

(Image slide, no text)

Page 27

Detection-focused technology investments

Network security
• IPS deployed as IDS
• App blades that only detect and report
• SSL traffic allowed without decryption
• When decrypted, SSL just port-mirrored
• Sandboxes deployed to detect malware
• Snort engines to detect traffic to high-risk IPs

Endpoint protection
• Forensics agents to capture what happened
• IOC scanners
• Massive PCAP storage
• Remediation tools to try and fix what was detected
• $1,000/hour incident response consultants to tell you who stole your data

Answer: Detection and Prevention of Advanced Threats

Page 28

Advanced threat requires a solution, not point products

(Diagram: attack timeline running from a successful spear-phishing email, through client exploit and command/control, to post-compromise activity, with failed attempts along the way. Channels: HTTP, SSL, DNS. Artefacts: URL / C&C; EXE, Java, .LNK, DLL; known viruses and exploits; high-risk applications.)

1. Reduce the attack surface
• Whitelist applications or block high-risk apps
• Block known viruses, exploits
• Block commonly exploited file types

2. Detect the unknown
• Analysis of all application traffic
• SSL decryption
• WildFire sandboxing of exploitive files

3. Create protections
Detection and blocking of C&C via:
• Bad domains in DNS traffic
• URLs (PAN-DB)
• C&C signatures (anti-spyware)

Page 29

Why do you need network, endpoint, and cloud working together?

Page 30

Requirements for a new approach

Requires next-generation network, endpoint, and threat intelligence cloud capabilities
1. Prevent attacks - even attacks seen for the first time
2. Protect all users and applications - including mobile and virtualized
3. Seamlessly combine network and endpoint security, as each has unique strengths
4. Provide rapid analysis of new threats

Page 31

Platform approach: Next-Generation Firewall
• Inspects all traffic
• Blocks known threats
• Sends unknown to cloud
• Extensible to mobile & virtual networks

Page 32

Platform approach: Next-Generation Endpoint Protection
• Inspects all processes and files
• Prevents both known & unknown exploits
• Integrates with cloud to prevent known & unknown malware

Page 33

Platform approach: Threat Intelligence Cloud
• Gathers potential threats from network and endpoints
• Analyzes and correlates threat intelligence
• Disseminates threat intelligence to network and endpoints

Page 34

The making of a platform: information sharing
(Diagram labels: unknowns; unknowns & zero-day discoveries)

Page 35

The making of a platform: prevention distribution
(Diagram label: real-time signatures)

Page 36

The making of a platform: correlated analytics
(Diagram labels: confirm detection; integrated reporting)

Page 37

Reaching Effects of WildFire

(Diagram: threat intelligence sources and WildFire users feed WildFire, whose outputs are AV signatures, DNS signatures, anti-C&C signatures and malware URL filtering)

Page 38

Next-Generation Appliances | Malware Management

WF-500 is a private cloud, designed for organizations with regulatory or privacy concerns.

Page 39

WildFire cloud-based architecture scales

APT add-on approach (web sandbox, email sandbox, file share sandbox, central manager, manual analysis)
• Hard to manage
• Doesn’t scale
• Expensive
• Requires multiple devices at each ingress, egress, and point of segmentation

WildFire approach (WildFire™ public cloud or private cloud appliance)
• Easy to manage and operationalize
• Scalable
• Cost effective

Page 40

WildFire and WildFire Subscription

WildFire
• WildFire analysis of PE files
• Daily signature feed (TP subscription required)
• WildFire logs integrated within PAN-OS

WildFire Subscription
• WildFire analysis of all other file types (PDF, MS Office, Java, Flash, APK*)
• 15-min signature feed
• WildFire Cloud API key
• Use of WF-500

Page 41

Signature hierarchy

(Diagram: update cadences weekly, daily and 15-minute, covering: App-ID updates; “IPS” signatures (vulnerability, anti-spyware); IP geolocation; antivirus; botnet support (zone file, dynamic DNS, malware URLs); DNS signatures; WildFire signatures)

Page 42

Traps: Advanced Endpoint Protection

Page 43

The failures of traditional approaches

(Diagram: legacy endpoint protection checks an EXE or PDF: known signature? NO. Known strings? NO. Previously seen behavior? NO.)
• Malware: direct execution
• Exploit: exploit a vulnerability to run any code
Targeted, evasive, advanced

Page 44

Introducing Traps: the right way to deal with advanced cyber threats

• Prevent exploits, including zero-day exploits
• Prevent malware, including advanced & unknown malware
• Collect attempted-attack forensics for further analysis
• Scalable & lightweight: must be user-friendly and cover the complete enterprise
• Integrate with network and cloud security for data exchange and cross-organization protection

Page 45

Block the core techniques – not the individual attacks

Software vulnerability exploits: thousands of new vulnerabilities and exploits a year
Exploitation techniques: only 2-4 new exploit techniques a year

Malware: millions of new malware every year
Malware techniques: 10’s – 100’s of new malware sub-techniques every year

Page 46

Exploitation technique prevention – Clandestine Fox (CVE-2014-1776)

Prevention of one technique in the chain will block the entire attack

(Diagram: attack chain stages Preparation, Triggering, Circumvention, Post Malicious Activity; techniques used: heap spray, use after free, utilizing OS function, ROP; Traps mitigations: memory corruption mitigation, logic-flaws real-time intervention, OS functions shielding, algorithmic memory traps placement)

Page 47

Exploit technique prevention: how it works

1. Document is opened by user
2. Traps seamlessly injected into processes (CPU <0.1%)
3. Process is protected as exploit attempt is trapped
4. Attack is blocked before any successful malicious activity
5. Traps triggers immediate actions: process is terminated; forensic data is collected; user/admin is notified; reported to ESM. Safe!

When an exploitation attempt is made, the exploit hits a “trap” and fails before any malicious activity is initiated.

Page 48

Malware prevention

• Policy-based restrictions: limit surface area of attack, control source of file installation
• WildFire inspection: prevent known malware with cloud-based integration
• Malware techniques mitigation: prevent unknown malware with technique-based mitigation

Page 49

Malware prevention: how it works

1. User tries to open executable file
2. Policy-based restrictions applied
3. Hash checked against WildFire
4. File is allowed to execute
5. Malware technique prevention employed
Safe! Reported to ESM

Page 50

Forensics capture: ongoing capture and attack-triggered capture

Ongoing recording
- Any file’s execution
- Time of execution
- File name
- File hash
- User name
- Computer name
- IP address
- OS version
- File’s malicious history
- Any interference with Traps service
- Traps process shutdown attempt
- Traps service shutdown attempt
- Related system logs

Exploit or malware hits a “trap” and triggers real-time collection
- Attack-related forensics
- Time stamp
- Triggering file (non-executable)
- File source
- Involved URLs/URIs
- Prevented exploitation technique
- IP address
- OS version
- Version of the vulnerable software that was attacked
- All components loaded into memory under the attacked process
- Full memory dump
- Indications of further memory corruption activity
- User name and computer name

Page 51

Coverage and system requirements

Supported operating systems
Workstations
• Windows XP SP3
• Windows 7
• Windows 8.1
Servers
• Windows Server 2003
• Windows Server 2008 (+R2)
• Windows Server 2012 (+R2)

Footprint
• 25 MB
• 0.1% CPU
• Very low I/O

Page 52

Benefits

Business
• Prevent breaches, not just detect
• Increases business continuity
• Lowers TCO

Operations
• Save time and money on forensics and remediation
• Easy to manage, does not require frequent updates
• Zero-day coverage

IT
• Install patches on your own schedule
• Compatible with existing solutions
• Minimal performance impact

Intelligence
• Access to threat intel through WildFire integration
• Attack-triggered forensics collection

Page 53

The Virtual Data Center

Page 54

East/West traffic flows often greater than North/South flows (diagram: enterprise network)

Page 55

Security challenges: physical firewalls may not see the East-West traffic

(Diagram: DB, App and Web VMs on a hypervisor; the hardware firewall sits outside the host)
• Firewall placement is designed around the expectation of layer 3 segmentation
• Network configuration changes required to secure East-West traffic flows are manual, time-consuming and complex
• Ability to transparently insert security into the traffic flow is needed

Page 56

Security challenges: static policies cannot keep pace with dynamic workload deployments

• Provisioning of applications can occur in minutes with frequent changes
• Security approvals and configurations may take weeks/months
• Dynamic security policies that understand VM context are needed

Page 57

What happens when a VM is vMotioned?

(Diagram: App and Web VMs on one hypervisor, DB on another, connected through the data center core network behind a hardware firewall; a VM is moved with vMotion)

Page 58

VM-Series Next Generation Security Platform

• Consistent features as hardware-based next-generation firewall: App-ID, User-ID, Content-ID, WildFire
• Inspects and safely enables intra-host communications (East-West traffic)
• Tracks VM creation and movement with Dynamic Address Group objects
• API integration with orchestration: automate workflows
• Centrally managed through Panorama

Page 59

VM-Series deployment options

VM-Series for VMware vSphere (ESXi)
• VM-100, VM-200, VM-300, and VM-1000-HV deployed as guest VMs on VMware ESXi
• Deployed as part of virtual network configuration for East-West traffic inspection

VM-Series for Citrix NetScaler SDX
• VM-100, VM-200, VM-300, and VM-1000-HV deployed as guest VMs on Citrix NetScaler SDX
• Consolidates ADC and security services for multi-tenant and Citrix XenApp/XenDesktop deployments

VM-Series for VMware NSX
• VM-Series for NSX deployed as a service with VMware NSX and Panorama
• Ideal for East-West traffic inspection

Page 60

Dynamic Address Groups and VM Monitoring

VMware vCenter or ESXi inventory:

Name | IP | Guest OS | Container
web-sjc-01 | 10.1.1.2 | Ubuntu 12.04 | Web
sp-sjc-04 | 10.1.5.4 | Win 2008 R2 | SharePoint
web-sjc-02 | 10.1.1.3 | Ubuntu 12.04 | Web
exch-mia-03 | 10.4.2.2 | Win 2008 R2 | Exchange
exch-dfw-03 | 10.4.2.3 | Win 2008 R2 | Exchange
sp-mia-07 | 10.1.5.8 | Win 2008 R2 | SharePoint
db-mia-01 | 10.5.1.5 | Ubuntu 12.04 | MySQL
db-dfw-02 | 10.5.1.2 | Ubuntu 12.04 | MySQL

PAN-OS Dynamic Address Groups (tags are learned from VM monitoring; a VM’s address is added to the groups whose tag criteria it matches):

Name | Tags | Addresses
SharePoint Servers | SharePoint, Win 2008 R2, “sp” | 10.1.5.4, 10.1.5.8
MySQL Servers | MySQL, Ubuntu 12.04, “db” | 10.5.1.5, 10.5.1.2
Miami DC | “mia” | 10.4.2.2, 10.1.5.8, 10.5.1.5
San Jose Linux Web Servers | “sjc”, “web”, Ubuntu 12.04 | 10.1.1.2, 10.1.1.3

PAN-OS Security Policy:

Source | Destination | Action
SharePoint Servers | San Jose Linux Web Servers | ✔
MySQL Servers | Miami DC | (not shown)

A newly provisioned VM, db-mia-05 (10.5.1.9, Ubuntu 12.04, MySQL), is learned the same way and its address 10.5.1.9 joins the matching groups.
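The tag matching this slide illustrates, worked through as an added example (not Palo Alto Networks code and not PAN-OS’s actual match syntax): the VM inventory, the four groups and the two policy rules are constructed from the slide’s tables; the derivation of tags from the VM naming convention, the rule that a VM joins a group only when it carries all of the group’s tags, the “allow” on the second rule and the default deny for unmatched traffic are assumptions.

```python
"""Dynamic Address Group resolution modelled on slide 60 (added example).

Constructed data: the eight VMs, four tag-based groups and two policy rules
come from the slide. Assumptions: tags are derived from the <role>-<site>-<nn>
naming convention plus guest OS and container, a VM joins a group only when it
carries ALL of the group's tags, and traffic matching no rule is denied.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class VirtualMachine:
    name: str
    ip: str
    guest_os: str
    container: str


# Constructed inventory copied from the slide's vCenter/ESXi table.
VM_INVENTORY: List[VirtualMachine] = [
    VirtualMachine("web-sjc-01", "10.1.1.2", "Ubuntu 12.04", "Web"),
    VirtualMachine("sp-sjc-04", "10.1.5.4", "Win 2008 R2", "SharePoint"),
    VirtualMachine("web-sjc-02", "10.1.1.3", "Ubuntu 12.04", "Web"),
    VirtualMachine("exch-mia-03", "10.4.2.2", "Win 2008 R2", "Exchange"),
    VirtualMachine("exch-dfw-03", "10.4.2.3", "Win 2008 R2", "Exchange"),
    VirtualMachine("sp-mia-07", "10.1.5.8", "Win 2008 R2", "SharePoint"),
    VirtualMachine("db-mia-01", "10.5.1.5", "Ubuntu 12.04", "MySQL"),
    VirtualMachine("db-dfw-02", "10.5.1.2", "Ubuntu 12.04", "MySQL"),
]

# Group name -> tags that must all be present (the slide's Tags column).
DYNAMIC_ADDRESS_GROUPS: Dict[str, Set[str]] = {
    "SharePoint Servers": {"SharePoint", "Win 2008 R2", "sp"},
    "MySQL Servers": {"MySQL", "Ubuntu 12.04", "db"},
    "Miami DC": {"mia"},
    "San Jose Linux Web Servers": {"sjc", "web", "Ubuntu 12.04"},
}

# Policy references groups, never IPs: (source group, destination group, action).
SECURITY_POLICY: List[Tuple[str, str, str]] = [
    ("SharePoint Servers", "San Jose Linux Web Servers", "allow"),  # check mark on the slide
    ("MySQL Servers", "Miami DC", "allow"),  # action not visible on the slide; assumed
]


def learned_tags(vm: VirtualMachine) -> Set[str]:
    """Tags VM monitoring would register for one VM (assumed derivation)."""
    role, site, _ = vm.name.split("-", 2)  # e.g. "sp-sjc-04" -> "sp", "sjc"
    return {role, site, vm.guest_os, vm.container}


def resolve_groups(inventory: Iterable[VirtualMachine],
                   groups: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Evaluate every group's tag criteria against every VM's learned tags.

    Addresses are returned lexically sorted so results are deterministic.
    """
    vms = list(inventory)
    return {
        group: sorted(vm.ip for vm in vms if required <= learned_tags(vm))
        for group, required in groups.items()
    }


def policy_decision(src_ip: str, dst_ip: str,
                    inventory: Iterable[VirtualMachine] = VM_INVENTORY,
                    policy: List[Tuple[str, str, str]] = SECURITY_POLICY) -> str:
    """First-match rule evaluation using the currently resolved group members."""
    members = resolve_groups(inventory, DYNAMIC_ADDRESS_GROUPS)
    for src_group, dst_group, action in policy:
        if src_ip in members[src_group] and dst_ip in members[dst_group]:
            return action
    return "deny"  # assumed default for traffic that no rule matches


def provision(inventory: Iterable[VirtualMachine],
              new_vm: VirtualMachine) -> List[VirtualMachine]:
    """Simulate vCenter adding a VM: groups are re-resolved, the policy is untouched."""
    return list(inventory) + [new_vm]


if __name__ == "__main__":
    for group, ips in resolve_groups(VM_INVENTORY, DYNAMIC_ADDRESS_GROUPS).items():
        print(f"{group:28s} {', '.join(ips)}")
    # The slide's closing step: db-mia-05 appears and lands in two groups.
    grown = provision(VM_INVENTORY,
                      VirtualMachine("db-mia-05", "10.5.1.9", "Ubuntu 12.04", "MySQL"))
    print("MySQL Servers now:", resolve_groups(grown, DYNAMIC_ADDRESS_GROUPS)["MySQL Servers"])
    print("db-mia-05 -> exch-mia-03:", policy_decision("10.5.1.9", "10.4.2.2", grown))
```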

Page 61

VM-Series capacities

Model | Sessions | Rules | Security Zones | Address Objects | IPSec VPN Tunnels | SSL VPN Tunnels
VM-100 | 50,000 | 250 | 10 | 2,500 | 25 | 25
VM-200 | 100,000 | 2,000 | 20 | 4,000 | 500 | 200
VM-300 | 250,000 | 5,000 | 40 | 10,000 | 1,000 | 500
VM-1000-HV | 250,000 | 10,000 | 40 | 100,000 | 2,000 | 500

Page 62

Effect of dedicating cores

2-core configuration: Core 1 = management plane; Core 2 = data plane
4-core configuration: Core 1 = management plane; Core 2 = data plane, reads and transmits packets; Cores 3 and 4 = data plane, process packets
8-core configuration: Core 1 = management plane; Core 2 = data plane, reads packets; Core 3 = data plane, transmits packets; Cores 4 through 8 = data plane, process packets

Page 63

Safely Enabling Mobile Devices: GlobalProtect™

Page 64

Challenge: Quality of Security Tied to Location

• Headquarters and branch offices: enterprise-secured with full protection
• Airport, hotel, home office: exposed to threats (malware, botnets, exploits), risky apps, and data leakage

Page 65

GlobalProtect™: Consistent Security Everywhere

(Diagram: headquarters and branch office, with malware, botnets and exploits kept out)
• VPN connection to a purpose-built firewall that is performing the security work
• Automatic protected connectivity for users both inside and outside
• Unified policy control, visibility, compliance and reporting

Page 66

Unlocking The Potential of Mobile Depends On Security

(Chart: benefits to business against mobile maturity, with the stages Email, Intranet, Accessing Business Apps, and Running Your Business on Mobile Devices)

Page 67

New Approach to Safely Enabling Mobile Devices

Manage the Device: ensure devices are safely enabled while simplifying deployment & setup
• Ensure proper settings are in place, such as strong passcodes and encryption
• Simplify provisioning of common configuration like email and certificates

Protect the Device: protect the mobile device from exploits and malware
• Protecting the device from infection also protects confidential data and prevents unauthorized network access

Control the Data: control access to data and movement of data between applications
• Control access by app, user, and device state
• Extend data movement controls to the device to ensure data stays within “business apps”

Page 68

GlobalProtect Mobile Security Solution

• GlobalProtect App: enables device management, provides device state information, and establishes secure connectivity
• GlobalProtect Gateway: delivers mobile threat prevention and policy enforcement based on apps, users, content and device state
• GlobalProtect Mobile Security Manager: provides device management, malware detection, and device state

Page 69

Manage The Device (GlobalProtect Mobile Security Manager, GlobalProtect App)

Manage device settings
• Enforce security settings such as passcode
• Restrict device functions such as camera
• Configure accounts such as email, VPN, Wi-Fi settings

Understand device state
• Monitor and report device state for policy enforcement, such as: whitelisted / blacklisted apps; rooted / jailbroken

Perform key operations
• Ex: lock, unlock, wipe, send a message

Detect Android malware
• Detect and react to the presence of malware

Page 70

Protect The Device (GlobalProtect Gateway, GlobalProtect App)

Consistent security everywhere
• IPsec/SSL VPN connection to a purpose-built next-generation security platform for policy enforcement regardless of the device location

Mobile threat prevention
• Vulnerability (IPS) and malware (AV) protection for mobile threats
• URL filtering for protection against malicious websites
• WildFire™ static and dynamic analysis for advanced mobile threats

Page 71

Control The Data (GlobalProtect Gateway, GlobalProtect App)

Control access to applications and data
• Granular policy determines which users and devices can access sensitive applications and data
• Policy criteria based on application, user, content, device, and device state for control and visibility
  - Identify device types such as iOS, Android, Windows, Mac devices
  - Identify device ownership such as personal (BYOD) or corporate issued
  - Identify device states such as rooted/jailbroken
• File blocking based on content and content type

Control data movement between apps on the device
• Solution provides the foundation for future developments in data protection

Page 72

How the Integrated Solution Works

Page 73

(Diagram: Internet, WildFire Cloud, and Traps Advanced Endpoint Protection working together)

Page 74

(Closing slide)