End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto Networks)

Copyright © 2014, Palo Alto Networks
End to End Security With
Palo Alto Networks
Onur Kasap
Systems Engineer
November 2014-Kiev

PALO ALTO NETWORKS AT-A-GLANCE
CORPORATE HIGHLIGHTS
• Founded in 2005; first customer
shipment in 2007
• Safely enabling applications and
preventing cyber threats
• Able to address all enterprise
cybersecurity needs
• Exceptional ability to support
global customers
• Experienced team of 1,700+
employees
• Q4FY14: $178.2M revenue
$13
REVENUES ENTERPRISE CUSTOMERS
$49
$255
$MM
$119
$598
$396
$600
$400
$200
$0
FY09 FY10 FY11 FY12 FY13 FY14
4,700
9,000
13,500
19,000
20,000
16,000
12,000
8,000
4,000
0
Jul-11 Jul-12 Jul-13 Jul-14

A clear market leader – again
A leader for 3 years in a row in the
magic quadrant for enterprise network firewalls

Applications Have Changed, Firewalls Haven’t
Network security policy is enforced at the
firewall
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work any more

Encrypted Applications: Unseen by Firewalls
What happens traffic is encrypted?
• SSL
• Proprietary encryption

Technology Sprawl and Creep Aren’t the Answer
Enterprise
Network
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address application “accessibility” features
UTM
IPS DLP IM AV URL Proxy
Internet

Competitors Firewall Architecture
App
Signatures
IPS
Signatures
Virus
Signature
s
URL
Signatures
Application
Policy
Application
Inspection
IPS
Policy
Threat
Inspection
Anti-Virus
Proxy
AV
Inspection
Web Filtering
Policy
URL
Inspection
Packet Inspection Flow
L4 Session
Table
Stateful FW
policy
Port-based
session
Inspection

Application Control Belongs in the Firewall
Traffic Port
Port Policy
Decision
App Ctrl Policy
Decision
Application Control as an Add-on
• Port-based decision first, apps second
• Applications treated as threats; only block what you
expressly look for
Ramifications
• Two policies/log databases, no reconciliation
• Unable to effectively manage unknowns
IPS
Applications
Firewall
Traffic Application
Firewall IPS
App Ctrl Policy
Decision
Scan Application
for Threats
Applications
Application Control in the Firewall
• Firewall determines application identity; across all
ports, for all traffic, all the time
• All policy decisions made based on application
Ramifications
• Single policy/log database – all context is shared
• Policy decisions made based on shared context
• Unknowns systematically managed

Evasive Applications
•Yahoo Messenger
•BitTorrent Client
•Port 80
•Open
Port 5050
Blocked
Port 6681
Blocked
Port-Based Firewall

Scenario 1: DNS Traffic
Legacy Firewalls
Firewall Rule: ALLOW Port 53 Firewall Rule: ALLOW DNS
DNS DNS DNS DNS
Palo Alto Networks Firewalls
with App-ID
Firewall Firewall
Bittorrent
BitTorrent
Packet on Port 53: Allow DNS = DNS: Allow
BitTorrent ≠ DNS:
Deny
Visibility: BitTorrent detected and blocked
BitTorrent
Packet on Port 53: Allow
Visibility: Port 53 allowed

Scenario 2: BitTorrent with Application IPS
Legacy Firewalls
Application IPS Rule: Block Bittorrent
DNS DNS DNS
DNS DNS
Firewall App IPS Firewall
Bittorrent
Packet on Port 53: Allow DNS=DNS: Allow
Bittorrent
Bittorrent ≠ DNS:
Deny
Visibility: Bittorrent detected and blocked
Bittorrent
Bittorrent: Deny
Visibility: Bittorrent detected and blocked
with App-ID

Scenario 3: Zero-day Malware
Application IPS Rule: Block Bittorrent
Firewall App IPS
Firewall
DNS DNS DNS DNS
Legacy Firewalls
Zero-day C
& C
Packet on Port 53: Allow DNS=DNS: Allow
Command & Control ≠ DNS:
Deny
Visibility: Unknown traffic
detected and blocked
Bittorrent
Visibility: Packet on Port 53 allowed
DNS
Bittorrent
Bittorrent
Zero-day C
& C
Zero-day C
& C
Zero-day C
& C
C & C ≠ Bittorrent: Allow
with App-ID

The Answer? Make the Firewall Do Its Job
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
.

Making the Firewall a Business Enablement Tool
•App-ID™
•Identify the application
•Content-ID™
•Scan the content
•User-ID™
•Identify the user

Enabling Applications, Users and Content

Single-Pass Parallel Processing™ (SP3) Architecture
Single Pass
• Operations once per
packet
- Traffic classification (app
identification)
- User/group mapping
- Content scanning –
threats, URLs,
confidential data
• One policy
Parallel Processing
• Function-specific parallel
processing hardware
engines
• Separate data/control
planes

Single Pass Platform Architecture

PAN-OS Core Firewall Features
Visibility and control of applications, users and content
complement core firewall features
 Strong networking foundation
 Dynamic routing (BGP, OSPF, RIPv2)
 Tap mode – connect to SPAN port
 Virtual wire (“Layer 1”) for true transparent
in-line deployment
 L2/L3 switching foundation
 Policy-based forwarding
 VPN
 Site-to-site IPSec VPN
 Remote Access (SSL) VPN
 QoS traffic shaping
 Max/guaranteed and priority
 By user, app, interface, zone, & more
 Real-time bandwidth monitor
 Zone-based architecture
 All interfaces assigned to security zones
for policy enforcement
 High Availability
 Active/active, active/passive
 Configuration and session
synchronization
 Path, link, and HA monitoring
 Virtual Systems
 Establish multiple virtual firewalls in a
single device (PA-7050, PA-5000, PA-
3000, and PA-2000 Series)
 Simple, flexible management
 CLI, Web, Panorama, SNMP, Syslog
PA-7050
PA-5000 Series
PA-5060, PA-5050 PA-5020
PA-3000 Series
PA-3050, PA-3020
PA-2000 Series
PA-2050, PA-2020
PA-500
PA-200
VM-Series
VM-300, VM-200, VM-100,
VM-1000-HV

Flexible Deployment Options For Ethernet Interfaces
Tap Mode Virtual Wire Mode Layer 3 Mode
• Application, user and content
visibility without inline deployment
• Evaluation and Audit of existing
networks
• Application ID, Content ID, User
ID, SSL Decryption
• Includes NAT capability
• All of the Virtual Wire Mode
capabilities with the addition of
Layer 3 services: Virtual Routers,
VPN and, Routing Protocols

Threat Prevention of Zero-Day Attacks
WildFire and Traps

Why change
Attackers are more
91%increase in targeted attacks in 2013
sophisticated and well funded
of exploit kits utilize
vulnerabilities less than 2 years old 78%
Launching Zero-Day attacks
is more accessible and common
of breaches involve
a targeted user device 71%
Targeted attacks can only
be solved on the endpoint

Flow of a RAT Attack with 0-day Malware
The victim downloads and
installs the malware that takes
the station in the botnet
Hop Point
Popular
websites(Landing Site)
Malware repository
Víctim
Attacker
(C&C)
The victim visits the URL and
the drive-by download executes
The victim visits the site and is
redirected to the malicious URL
(iframe)
@
The attacker injects the URL, in a
legitimate site preferably, under his
control

Attack Stages of a Drive-by Download / Web Attack
Targeted malicious
email sent to user
User clicks on link to a
malicious website
Malicious website silently
exploits client-side vulnerability
With Web Attack Toolkit
Drive-by download of
malicious payload

Targeted Attack Example
Source; http://infosec3t.com/wp-content/uploads/2010/03/contagio_targeted_attack_email_2.png

Source: http://www.symantec.com/threatreport/topic.jsp?id=malicious_code_trends&aid=triage_analysis_of_targeted_attacks

Detection-focused technology investments
Network Security
 IPS deployed as IDS
 App blades that only detect and report
 SSL traffic allowed without decryption
 When decrypted, SSL just port-mirrored
 Sandboxes deployed to detect malware
 Snort engines to detect traffic to high
risk IPs
Endpoint Protection
 Forensics agents to capture what happened
 IOC scanners
 Massive PCAP storage
 Remediation tools to try and fix what was
detected
 $1,000/hour incident response consultants
to tell you who stole your data
Answer: Detection and Prevention of Advanced Threats

Advanced threat requires a solution, not point products
1
Reduce the
attack surface
Known viruses
and exploits
Client Exploit Command/Control
HTTP
SSL
DNS
URL / C&C
EXE, Java,
.LNK, DLL
High-risk
applications
2
Detect the
unknown
3
Create
protections
• Whitelist applications or block
high-risk apps
• Block known viruses, exploits
• Block commonly exploited file
types
• Analysis of all application
traffic
• SSL decryption
• WildFire sandboxing of
exploitive files
Detection and blocking of C&C via:
• Bad domains in DNS traffic
• URLs (PAN-DB)
• C&C signatures (anti-spyware)
Failed attempts Successful spear-phishing email Post-compromise activity

Why do you need network, endpoint, and cloud
working together?

Requirements for a new approach
1 Prevent attacks - even attacks seen for the first time
2 Protect all users and applications - including mobile and virtualized
3 Seamlessly combine network and endpoint security, as each has unique strengths
4 Provide rapid analysis of new threats
Requires next-generation network, endpoint,
and threat intelligence cloud capabilities

Platform approach
Next-Generation Firewall
 Inspects all traffic
 Blocks known threats
 Sends unknown to cloud
 Extensible to mobile &
virtual networks

Platform approach
Next-Generation Endpoint Protection
 Inspects all processes and files
 Prevents both known & unknown exploits
 Integrates with cloud to prevent known &
unknown malware

Platform approach
Threat Intelligence Cloud
 Gathers potential threats from
network and endpoints
 Analyzes and correlates threat
intelligence
 Disseminates threat intelligence to
network and endpoints

The making of a platform: information sharing
Unknowns
Unknowns &
zero-day
discoveries

The making of a platform: prevention distribution
Real-time
signatures

The making of a platform: correlated analytics
Integrated reporting
Confirm detection

Reaching Effects of WildFire
AV Signatures DNS Signatures Malware URL Filtering Anti-C&C Signatures
Threat Intelligence
Sources
WildFire Users

Next-Generation Appliances | Malware Management
WF-500 is a private cloud
Designed for organizations with regulatory or privacy concerns.
WF-500

WildFire cloud-based architecture scales
Manual analysis
Web Sandbox
Email Sandbox File share Sandbox
Central manager
APT Add-on Approach
WildFireTM
Public cloud or
Private cloud
appliance
WildFire Approach
 Easy to manage
and operationalize
 Scalable
 Cost effective
 Hard to manage
 Doesn’t scale
 Expensive
 Requires multiple devices
at each ingress, egress,
and point of segmentation

WildFire Subscription
WildFire WildFire
Subscription
WildFire analysis of PE analysis
Daily signature feed (TP subscription required)
WildFire logs integrated within PAN-OS
WildFire analysis of all other file types (PDF, MS Office, Java, Flash, APK*)
15-min signature feed
WildFire Cloud API key
Use of WF-500

Signature hierarchy
App-ID updates “IPS” signatures
Weekly
(vulnerability, anti-spyware)
Daily
15-minute
IP geolocation
Antivirus Botnet support
(zone file, dynamic DNS, malware URLs)
DNS signatures
WildFire signatures

Traps
Advanced Endpoint Protection

The failures of traditional approaches
EXE
Targeted Evasive Advanced
PDF NO
Known signature?
NO
Known strings?
NO
Previously seen
behavior?
Legacy
Endpoint Protection
Malware
direct execution
Exploit
vulnerability
to run any code

Introducing Traps
The right way to deal with advanced cyber threats
Prevent Exploits
Including zero-day exploits
Prevent Malware
Including advanced & unknown malware
Collect Attempted-Attack Forensics
For further analysis
Scalable & Lightweight
Must be user-friendly and cover complete enterprise
Integrate with Network and Cloud Security
For data exchange and crossed-organization protection

Block the core techniques – not the individual attacks
Software Vulnerability Exploits Exploitation Techniques
Thousands of new vulnerabilities and
exploits a year
Only 2-4 new exploit techniques a year
Malware Malware Techniques
Millions of new malware every year
10’s – 100’s of new malware
sub-techniques every year

Exploitation technique prevention – Clandestine Fox
Preparation Triggering Circumvention Post Malicious Activity
Heap Spray Use after free Utilizing OS
Prevention of one technique in the chain will block the entire attack
Memory
Corruption
Mitigation
Logic-Flaws
Real-Time
Intervention
OS
Functions
Shielding
Algorithmic
Memory Traps
Placement
function
ROP
CVE-2014-1776

Exploit technique prevention
how it works
Document is
opened by user
Traps seamlessly
injected into
processes
CPU
<0.1%
Process is protected
as exploit attempt is
trapped
Forensic data
is collected
Reported
to ESM
Process is Safe!
terminated
Attack is blocked
before any successful
malicious activity
Useradmin is
notified
Traps triggers
immediate actions
When an exploitation attempt is made, the exploit hits a “trap” and fails before any
malicious activity is initiated.

Malware prevention
Policy-Based Restrictions
WildFire Inspection
Malware Techniques Mitigation
Limit surface area of attack
control source of file installation
Prevent known malware
with cloud-based integration
Prevent unknown malware
with technique-based mitigation

User tries to
open executable
file
Policy-based
Restrictions Applied
HASH checked
against WildFire
File is
allowed to
execute
Malware technique
prevention employed
Malware prevention
how it works
Safe!
Reported
to ESM

Forensics capture
Ongoing capture and attack-triggered capture
Ongoing recording
- Any files execution
- Time of execution
- File name
- File HASH
- User name
- Computer name
- IP address
- OS version
- File’s malicious history
- Any interference with Traps service
- Traps Process shutdown attempt
- Traps Service shutdown attempt
- Related system logs
Exploit or malware hits a “trap” and
triggers real-time collection
- Attack-related forensics
- Time stamp
- Triggering File (non executable)
- File source
- Involved URLsURI
- Prevented exploitation technique
- IP address
- OS version
- Version of attempted vulnerable software
- All components loaded to memory under attacked process
- Full memory dump
- Indications of further memory corruption activity
- User name and computer name

Coverage and system requirements
Supported operating systems
Workstations
• Windows XP SP3
• Windows 7
• Windows 8.1
Servers
• Windows Server 2003
• Windows Server 2008 (+R2)
• Windows Server 2012 (+R2)
Footprint
• 25 MB
• 0.1% CPU
• Very Low IO

Benefits
Business
 Prevent breaches,
not just detect
 Increases business
continuity
 Lowers TCO
Operations
 Save time and
money on
Forensics and
remediation
 Easy to manage,
does not require
frequent updates
 Zero-day coverage
IT
 Install patches on
your own schedule
 Compatible with
existing solutions
 Minimal
performance
impact
Intelligence
 Access to threat
intel through
WildFire integration
 Attack-triggered
forensics collection

The Virtual Data Center

East/West Traffic flows often greater than North/South flows
Enterprise
Network

Security challenges
Physical firewalls may not see the East-West traffic
DB App Web
 Firewalls placement is designed
around expectation of layer 3
segmentation
 Network configuration changes
required to secure East-West traffic
flows are manual, time-consuming
and complex
 Ability to transparently insert
security into the traffic flow is
needed
Hypervisor
Hardware
Firewall

Security challenges
Static policies cannot keep pace with dynamic workload deployments
 Provisioning of applications can occur
in minutes with frequent changes
 Security approvals and configurations
may take weeks/months
 Dynamic security policies that
understand VM context are needed

What happens when a VM is vMotioned?
App Web
Hypervisor
DB
Hypervisor
vMotion
Data Center
Core Network
Hardware
Firewall

VM-Series Next Generation Security Platform
• Consistent Features as hardware-based next-generation
firewall
 App-ID
 User-ID
 Content-ID
 Wildfire
• Inspects and Safely Enables Intra-Host
Communications (East-West traffic)
• Tracks VM Creation and Movement with
Dynamic Address Group objects
 API integration with orchestration: Automate
Workflows
 Centrally Managed through Panorama 58 | ©2014, Palo Alto Networks. Confidential and Proprietary.

VM-Series deployment options
VM-Series for VMware
vSphere (ESXi)
• VM-100, VM-200, VM-300, and
VM-1000-HV deployed as guest
VMs on VMware ESXi
• Deployed as part of virtual
network configuration for East-
West traffic inspection
VM-Series for Citrix NetScaler
SDX
• VM-100, VM-200, VM-300, and
VM-1000-HV deployed as guest VMs
on Citrix NetScaler SDX
• Consolidates ADC and security
services for multi-tenant and Citrix
XenApp/XenDesktop deployments
VM-Series for VMware NSX
• VM-Series for NSX deployed as a
service with VMware NSX and
Panorama
• Ideal for East-West traffic inspection

Dynamic Address Groups and VM Monitoring
VMware vCenter or ESXi
Name IP
Guest OS Container
web-sjc-01 10.1.1.2
Ubuntu 12.04 Web
sp-sjc-04 10.1.5.4
Win 2008 R2 SharePoint
web-sjc-02 10.1.1.3
Ubuntu 12.04 Web
exch-mia-03 10.4.2.2
Win 2008 R2 Exchange
exch-dfw-03 10.4.2.3
Win 2008 R2 Exchange
sp-mia-07 10.1.5.8
Win 2008 R2 SharePoint
db-mia-01 10.5.1.5
Ubuntu 12.04 MySQL
db-dfw-02 10.5.1.2
Ubuntu 12.04 MySQL
PAN-OS Dynamic Address Groups
Name
Tags Addresses
SharePoint
Win 2008 R2
“sp”
SharePoint Servers
MySQL Servers
MySQL Servers
MySQL
Ubuntu 12.04
“db”
Miami DC
Miami DC
“mia”
San Jose Linux
Web Servers
San Jose Linux
Web Servers
“sjc”
“web”
Ubuntu 12.04
10.1.5.4
10.1.5.8
10.5.1.5
10.5.1.2
10.4.2.2
10.1.5.8
10.5.1.5
10.1.1.2
10.1.1.3
PAN-OS Security Policy
Source Destination Action
SharePoint Servers
San Jose Linux
Web Servers ✔
MySQL
Servers
Miami DC 
db-mia-05 10.5.1.9 Ubuntu 12.04 MySQL
10.5.1.9
60 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Model Sessions Rules Security
Zones
Address
Objects
IPSec VPN
Tunnels
SSL VPN
Tunnels
VM-100 50,000 250 10 2,500 25 25
VM-200 100,000 2,000 20 4,000 500 200
VM-300 250,000 5,000 40 10,000 1,000 500
VM-1000-HV 250,000 10,000 40 100,000 2,000 500

2 Core Configuration:
Core 1 = Management Plane
Core 2 = Data Plane
Core 2 = Data Plane: Read & Transmit packets
Core 3 & Core 4 = Data Plane: Process packets
Core 2 = Data Plane: Reads packets
Core 3 = Data Plane: Transmit packets
Core 4 thru Core 8 = Data Plane: Process packets
Effect of dedicating cores

Safely Enabling Mobile Devices
GlobalProtect™

Challenge: Quality of Security Tied to Location
Headquarters Branch Offices
Enterprise-secured with
full protection
malware
botnets
exploits
Airport Hotel Home Office
Exposed to threats, risky
apps, and data leakage

GlobalProtect™: Consistent Security Everywhere
•Headquarters •Branch Office
malware
botnets
exploits
• VPN connection to a purpose-built firewall that is performing the security work
• Automatic protected connectivity for users both inside and outside
• Unified policy control, visibility, compliance and reporting

Unlocking The Potential of Mobile Depends On Security
Intranet
Running Your
Business on
Mobile Devices
Benefits to Business
Mobile Maturity
Email
Accessing
Business Apps

New Approach to Safely Enabling Mobile Devices
Manage the Device Protect the Device Control the Data
Ensure devices are safely
enabled while simplifying
deployment & setup
• Ensure proper settings in
place, such as strong
passcodes and
encryption
• Simplify provisioning of
common configuration
like email and certificates
Protect the mobile device
from exploits and
malware
• Protecting the device
from infection also
protects confidential
data and unauthorized
network access
Control access to data
and movement of
between applications
•Control access by app,
user, and device state
•Extend data movement
controls to the device to
ensure data stays within
“business apps”

GlobalProtect Mobile Security Solution
GlobalProtect App
GlobalProtect Gateway
Delivers mobile threat
prevention and policy
enforcement based on apps,
users, content and device
state
Enables device management,
provides device state information,
and establishes secure
connectivity
GlobalProtect Mobile
Security Manager
Provides device
management, malware
detection, and device state

Manage The Device Manage Device Settings
 Enforce security settings such as passcode
 Restricts device functions such as camera
 Configure accounts such as email, VPN, Wi-
Fi settings
Understand Device State
 Monitor and report device state for policy
enforcement, such as:
 Whitelisted / blacklisted apps
 Rooted / jailbroken
Perform Key Operations
 Ex: lock, unlock, wipe, send a message
Detect Android Malware
 Detect and react to the presence of malware
GlobalProtect Mobile
Security Manager
GlobalProtect App

Protect The Device Consistent Security Everywhere
 IPsec/SSL VPN connection to a
purpose- built next-generation
security platform for policy
enforcement regardless of the
device location
Mobile Threat Prevention
 Vulnerability (IPS) and malware
(AV) protection for mobile threats
 URL filtering for protection against
malicious websites
 WildFire™ static and dynamic
analysis for advanced mobile
threats
Threats
GlobalProtect App

Control The Data
Control Access to Applications and Data
 Granular policy determines which users and
devices can access sensitive applications and
data
 Policy criteria based on application, user,
content, device, and device state for control
and visibility
 Identify device types such as iOS,
Android, Windows, Mac devices
 Identify device ownership such as
personal (BYOD) or corporate issued
 Identify device states such as
rooted/jailbroken
 File blocking based on content and content
type
Control Data Movement Between Apps
on the Device
 Solution provides the foundation for future
developments in data protection
Applications and Data
GlobalProtect App

How the Integrated Solution Works

Internet
WildFire Cloud
Traps
Advanced Endpoint Protection

End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto Networks)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto Networks)

Similar to End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto Networks) (20)

More from BAKOTECH

More from BAKOTECH (20)

Recently uploaded

Recently uploaded (20)

End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto Networks)