APP-ID. A foundation for visibility and control in the Palo Alto Networks Security Platform

Similar documents
App-ID. PALO ALTO NETWORKS: App-ID Technology Brief

Next-Generation Firewall Overview

FIREWALL OVERVIEW. Palo Alto Networks Next-Generation Firewall

Cisco ASA Next-Generation Firewall Services

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

DECRYPT SSL AND SSH TRAFFIC TO DISRUPT ATTACKER COMMUNICATIONS AND THEFT

Palo Alto Networks PAN-OS

Citrix SD-WAN for Optimal Office 365 Connectivity and Performance

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

Security 2.0: Balancing Business Enablement and Information Security

A Comprehensive CyberSecurity Policy

Custom Application Signatures

1110 Cool Things Your Firewall Should Do. Extend beyond blocking network threats to protect, manage and control application traffic

Palo Alto Networks Stallion Spring Seminar -Tech Track. Peter Gustafsson, June 2010

Hardening the Education. with NGFW. Narongveth Yutithammanurak Business Development Manager 23 Feb 2012

How can we gain the insights and control we need to optimize the performance of applications running on our network?

VM-SERIES FOR VMWARE VM VM

Paloalto Networks PCNSA EXAM

A Modern Framework for Network Security in Government

BUILDING A NEXT-GENERATION FIREWALL

SRX als NGFW. Michel Tepper Consultant

ACTIONABLE SECURITY INTELLIGENCE

PANORAMA. Key Security Features

PANORAMA. Figure 1: Panorama deployment

The administrators capability to shape these four aspects is enabled through the firewalls service quality measurements, such as:

Sun Mgt Bonus Lab 5: Application-Based Quality of Service on Palo Alto Networks Firewalls

SECURING THE NEXT GENERATION DATA CENTER. Leslie K. Lambert Juniper Networks VP & Chief Information Security Officer July 18, 2011

Getting the Most Out of Your Next-Generation Firewall

The Next Generation Security Platform. Domenico Stranieri Pre- Sales Engineer Palo Alto Networks EMEA Italy

PROTECT WORKLOADS IN THE HYBRID CLOUD

SECURITY PLATFORM FOR HEALTHCARE PROVIDERS

Cisco Intrusion Prevention Solutions

Achieve deeper network security

JUNIPER SKY ADVANCED THREAT PREVENTION

Palo Alto Networks PCNSE7 Exam

The Application Usage and Risk Report End User Application Trends in the Enterprise - Country Specific Findings

HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS

Juniper Sky Advanced Threat Prevention

FIREWALL BUYERS GUIDE

Medigate and Palo Alto Networks Integration

SIEM: Five Requirements that Solve the Bigger Business Issues

McAfee Complete Endpoint Threat Protection Advanced threat protection for sophisticated attacks

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS)

NetDefend Firewall UTM Services

IBM Next Generation Intrusion Prevention System

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

TRAPS ADVANCED ENDPOINT PROTECTION

Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version

ENTERPRISE ENDPOINT PROTECTION BUYER S GUIDE

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

The Top 6 WAF Essentials to Achieve Application Security Efficacy

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

Access Control. Access Control Overview. Access Control Rules and the Default Action

Security by Default: Enabling Transformation Through Cyber Resilience

Take Back Control: Increase Security, Empower Employees, Protect the Business

Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref )

Cisco Firepower NGFW. Anticipate, block, and respond to threats

TIBCO Cloud Integration Security Overview

Exam Questions JN0-633

Application Visibility and Risk Report

XG Firewall. What s New in v17. Setup, Control Center and Navigation. Initial Setup Wizard. Synchronized App Control Widget.

Access Control. Access Control Overview. Access Control Rules and the Default Action

ASA Access Control. Section 3

PND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access

White Paper February McAfee Network Protection Solutions. Encrypted Threat Protection Network IPS for SSL Encrypted Traffic.

A Firewall Architecture to Enhance Performance of Enterprise Network

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

SONICWALL SECURITY HEALTH CHECK PSO 2017

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1

PRACTICAL NETWORK DEFENSE VERSION 1

Securing Your Microsoft Azure Virtual Networks

SONICWALL SECURITY HEALTH CHECK SERVICE

Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution

Application Firewall-Instant Message Traffic Enforcement

Securing Your Amazon Web Services Virtual Networks

WHITE PAPER. AirGap. The Technology That Makes Isla a Powerful Web Malware Isolation System

Snort: The World s Most Widely Deployed IPS Technology

SECURE SYSTEMS, NETWORKS AND DEVICES SAFEGUARDING CRITICAL INFRASTRUCTURE OPERATIONS

Evaluation criteria for Next-Generation Firewalls

The Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company

Symantec Endpoint Protection Family Feature Comparison

Cybersecurity, Trade, and Economic Development

CyberP3i Course Module Series

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Enhanced Intelligent QoS

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Cisco s Appliance-based Content Security: IronPort and Web Security

The threat landscape is constantly

SONICWALL SECURITY HEALTH CHECK SERVICE

Say Yes to BYOD How Fortinet Enables You to Protect Your Network from the Risk of Mobile Devices WHITE PAPER

Build Your Zero Trust Security Strategy With Microsegmentation

PALANTIR CYBERMESH INTRODUCTION

CSE 565 Computer Security Fall 2018

Sun Mgt Bonus Lab 1: Automated Reporting in Palo Alto Firewalls 1

Cisco Next Generation Firewall Services

SECURING YOUR MICROSOFT ENVIRONMENT

Sun Mgt Bonus Lab 11: Auto-Tagging in PAN-OS 8.X

The risks and rewards of Social Media and Enterprise 2.0

KERIO TECHNOLOGIES KERIO WINROUTE FIREWALL 6.3 REVIEWER S GUIDE

Gladiator Incident Alert

Isla Web Malware Isolation and Network Sandbox Solutions Security Technology Comparison and Integration Guide

Transcription:

APP-ID A foundation for visibility and control in the Palo Alto Networks Security Platform App-ID uses multiple identification techniques to determine the exact identity of applications traversing your network irrespective of port, protocol, evasive tactic, or encryption. Identifying the application is the very first task performed by App-ID, providing you with the knowledge and flexibility needed to safely enable applications and secure your organization. App-ID is a patented traffic classification technology that identifies applications traversing the network, irrespective of port, protocol, evasive tactic or encryption (TLS/SSL or SSH). Facilitates a more complete understanding of the business value and associated risk of the applications traversing the network. Enables creation and enforcement of safe application enablement policies. Brings application visibility and control back to the firewall, where it belongs. As the foundational element of our enterprise security platform, App-ID provides visibility and control over applications even those that try to evade detection by masquerading as legitimate traffic, hopping ports or sneaking through the firewall using encryption (TLS/SSL or SSH). In the past, unapproved or non-workrelated applications on your network left you with two choices either block everything in the interest of data security, or enable everything in the interest of business. These choices left little room for compromise. App-ID enables you to see the applications on your network and learn how they work, their behavioral characteristics, and their relative risk. When used in conjunction with User-ID, you can see exactly who is using the application based on their identity, not just an IP address. Armed with this information, your security team can use positive security model rules to allow the applications that enable the business, controlling them as needed to improve your security posture. Firewall Traffic Classification: Applications, not Ports Stateful inspection, the basis for most of today s firewalls, was created at a time when applications could be controlled using ports and source/ destination IPs. The strict adherence to port-based classification and control is foundational and cannot be turned off. Even when augmented by after the fact classifiers, applications cannot be effectively controlled. Palo Alto Networks recognized that applications had evolved to where they can easily slip through the firewall and chose to develop App-ID, an innovative firewall traffic classification technique that does not rely on any one single element like port or protocol to identify applications. Instead, App-ID uses multiple mechanisms to determine what the application is. The application s identity then becomes the basis for firewall policy. App-ID has been created to be highly extensible and, as applications continue to evolve, application detection mechanisms can be added to App-ID or updated Palo Alto Networks Technology Brief 1

KNOWN PROTOCOL DECODER Start Decryption (SSL or SSH) Decode Signatures Policy IP/Port Policy Application Signatures Policy IDENTIFIED TRAFFIC (NO DECODING) UNKNOWN PROTOCOL DECODER Apply Heuristics Policy REPORT & ENFORCE POLICY Figure 1: How App-ID classifies traffic. as a means of keeping pace with the ever-changing application landscape. App-ID Traffic Classification Technology Using as many as four different techniques, App-ID determines what the application is as soon as the traffic hits the firewall appliance, irrespective of port, protocol, encryption (TLS/SSL or SSH) or other evasive tactic. The number and order of identification mechanisms used to identify the application will vary depending on the application. The general flow for App-ID is as follows: Application Signatures: Signatures are used first to look for unique application properties, and related transaction characteristics, to correctly identify the application regardless of the protocol and port being used. The signature also determines if the application is being used on its default port or a non-standard port (for example, RDP across port 80 instead of port 3389, its standard port). If the identified application is allowed by security policy, further analysis of the traffic is done to identify more granular applications as well as scan for threats. TLS/SSL and SSH Decryption: If App-ID determines that TLS/SSL encryption is in use and a decryption policy is in place, the traffic is decrypted and then passed to other identification mechanisms as needed. If no policy is in place, then decryption is not employed. A similar approach is used with SSH to determine if port forwarding is in use as a means to tunnel traffic over SSH. Such tunneled traffic is identified as ssh-tunnel and can be controlled via security policy. Application and Protocol Decoding: Decoders for known protocols are used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (e.g., Yahoo! Messenger used across HTTP). Decoders validate that the traffic conforms to the protocol specification and they provide support for NAT traversal and opening dynamic pinholes for applications such as VoIP or FTP. Decoders for popular applications are used to identify the individual functions within the application as well (e.g., webex-file-sharing). In addition to identifying applications, decoders identify files and other content that should be scanned for threats or sensitive data. Heuristics: In certain cases, evasive applications still cannot be detected even through advanced signature and protocol analysis. In those situations, it is necessary to apply additional heuristic, or behavioral analysis to identify certain applications, such as peer-to-peer file sharing or VoIP applications that use proprietary encryption. Heuristic analysis is used as needed, with the other App-ID techniques discussed here, to provide visibility into applications that might otherwise elude positive identification. The actual heuristics used are specific to an application and include checks based on such things as the packet length, session rate, and packet source. With App-ID as the foundational element of our security platform, your security team can regain visibility into, and control over, the applications traversing your network. App-ID: Dealing with Custom or Unknown Applications New applications are added to the App-ID database weekly, yet nearly every network will still have cases where unknown application traffic is detected. There are typically three scenarios where unknown traffic will be detected: a commercially available application unknown to App-ID, an internal custom application, or a threat. Unknown Commercial Applications: Using visibility tools, you can quickly determine if the traffic is a commercial off-the-shelf (COTS) application. If it is a COTS application, you can capture and submit traffic packets to Palo Alto Networks for App-ID development. The new App-ID is developed, tested, and added to the database for all users in the form of a weekly update. Internal or Custom Applications: If the application is internal, or custom, you Palo Alto Networks Technology Brief 2

can create a custom App-ID using a set of available protocol and application decoders. Once the custom App-ID is developed, your internal application is classified and inspected in the same manner as applications with standard App-IDs. Custom App-IDs are managed in a separate database on the device, ensuring they are not impacted by the weekly (commercial) App-ID updates. Threats: Once the commercial and internal applications have been addressed, the third possible source of unknown traffic is threats. Here too, you can quickly determine the risk levels using the behavioral botnet report or other forensics tools to isolate the characteristics and apply appropriate policy control. Even after attempts to identify, some traffic in the system may remain unknown. Because our firewall supports a positive enforcement model, the remaining unknown traffic can be blocked (by default) or allowed but tightly controlled by policy if desired. Alternative offerings (e.g., Intrusion Prevention Systems) are based on negative control and will allow unknown traffic to pass through without providing any semblance of visibility or control. How App-ID Works: Identifying WebEx When a user initiates a WebEx session, the initial connection is an encrypted communication. With App-ID, the device sees the traffic and the signatures determine that it is using TLS/SSL. The decryption engine and protocol decoders are then initiated to decrypt the TLS/SSL and detect that it is HTTP traffic. Once the decoder has the HTTP stream, App-ID can apply contextual signatures and detect that the application in use is WebEx. At this point the session traffic becomes known as WebEx traffic by the firewall. Visibility (e.g., ACC in the user interface) and control of the WebEx traffic via security policy are enabled. If the end user were to initiate the WebEx Desktop Sharing feature, this mode-shift from conferencing to remote access would be detected by App-ID. Again, visibility to this specific application function would be provided and policy control over WebEx Desktop Sharing would be possible (distinct from general WebEx use). Application Identity: The Heart of Policy Control Identifying the application is the first step in learning more about the traffic traversing your network. Learning what the application does, the ports it uses, its underlying technology, and its behavioral characteristics is the next step toward making a more informed decision about how to treat the application. Once a complete picture of usage is gained, you can apply policies with a range of responses. Examples include: Allow or deny Allow but scan for exploits, viruses and other threats Allow based on schedule, users or groups Control file or sensitive data transfer Decrypt and inspect Apply traffic shaping through QoS Apply policy-based forwarding Allow a subset of application functions Any combination of the above With App-ID as the foundational element of our firewalls, you can restore visibility and control over the applications and traffic traversing your network. Figure 2: Application Function Control maximize productivity by safely enabling the application itself (Microsoft SharePoint) or individual functions. Palo Alto Networks Technology Brief 3

Application Function-Level Controls To many customers, safe application enablement means striking an appropriate security policy balance by enabling some application functions while blocking others. Examples include: Allowing Microsoft SharePoint Documents, but blocking the use of SharePoint Administration. Block Facebook -mail, -chat, -posting and -apps, but allow Facebook itself, effectively only allowing users to browse Facebook. Enable the use of MSN, but disable the use of MSN-file transfer or only allow certain file types to be transferred. Using an application hierarchy that includes the base application and supporting functions, App-ID makes it easy for you to choose which applications to allow overall, while blocking or controlling functions within the application. Figure 2 shows Share- Point as the base application, and the individual functions within. Controlling Multiple Applications: Dynamic Filters and Groups There are cases where you may want to control larger groups of applications in bulk, as opposed to controlling them individually. The two mechanisms that address this policy requirement are dynamic filters and application groups. Dynamic Filters: A dynamic filter is a set of applications that is created based on any combination of the filter criteria: category, subcategory, behavioral characteristic, underlying technology or risk factor. Security policies (e.g. deny, allow, scan) can be applied to dynamic filters. The security policy is then enforced for application traffic that matches the filter criteria. As new App-IDs are introduced and delivered to the firewall via weekly updates, dynamic filters are automatically updated for those applications that meet the filter criteria. This helps minimize administrative effort associated with security policy management. Figure 3 below shows a snapshot view of Palo Alto Networks online application database. Here you can browse the current database of App-IDs, including an interactive view of applications based on the same criteria that can be used in dynamic filters. Application Groups: An application group is defined as a static list of applications. An example would be a group of remote management applications such as RDP, Telnet, and SSH. In a typical organizational scenario, each of these applications is used by support and IT personnel, yet employees who fall outside of these groups are also known to use them as a means to access their home networks. An application group can be created, with an associated security policy that allows use only by support and IT personnel (supported by User-ID). As new employees join the organization, they need only be added to the appropriate directory group. No updates are needed to the security policy itself. Figure 3: Browse up-to-date application research and analysis at the Palo Alto Networks Application Research Center, https://applipedia.paloaltonetworks.com Palo Alto Networks Technology Brief 4

Expanding the List of Applications The list of App-IDs is expanded weekly with 3 to 5 new applications typically added based on input from customers, partners, and market trends. When you find unidentified applications on your network, you can capture the traffic and then submit the information for App-ID development. Once a new App-ID is developed and tested, it is added to the list as part of the weekly content updates. Summary App-ID is a powerful and differentiated core capability of the Palo Alto Networks Next-Generation Firewall, enabling advanced visibility and granular control of traffic in your network. With this visibility and control, you can evaluate what is taking place in your environment, and then define policies that: ensure appropriate use, reduce attack surface, and stop threats. Ultimately, App-ID is a key foundational element in enabling superior risk management for your organization. 4401 Great America Parkway Santa Clara, CA 95054 Main: +1.408.753.4000 Sales: +1.866.320.4788 Support: +1.866.898.9087 www.paloaltonetworks.com 2015 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www. paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. pan-tb-app-id-092115

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback