The importance of activating all features on your Palo Alto Networks Next-Generation firewall
Malware today is highly targeted and evasive: new malware types are specifically designed to be undetectable by traditional defenses. Their goal is to penetrate the network perimeter and then move laterally across the organization, extracting data as they spread while remaining invisible to traditional network defenses.
1. Complete visibility
You can’t prevent what you can’t see. Full visibility into the (mobile, network & cloud) environment across all traffic (encrypted or not) is essential. Your Palo Alto firewall analyses all traffic to provide that visibility with its Single Pass architecture allowing for predictable performance. This extends to all mobile devices with the GlobalProtect feature.
2. Reduce attack surface
Use a positive enforcement model to reduce the attack surface. This means only letting traffic through that is allowed by the policy, including granting access to the required function of an application and denying everything else. Furthermore, you should enforce multi-factor authentication where needed or if identity theft is suspected.
3. Prevent known threats
You can’t let a known piece of malware or spyware traverse your environment or make your endpoints communicate with known-malicious sites. Palo Alto Networks’ Threat Prevention and URL-Filtering feature provide those prevention capabilities. Palo Alto Networks’ MineMeld allows extending that knowledge to third party feeds.
4. Prevent unknown threats
You have to stop new threats as quickly as possible. You must find the unknown threat, reveal it, make it known, and stop it everywhere through automated updates. The Palo Alto Networks’ Wildfire feature provides that prevention capability.
Palo Alto Networks’ Firewall Features Explained
Palo Alto Networks provides multiple protection features to cope with threats on each of the four levels mentioned above:
1. Palo Alto Networks’ Threat Prevention Feature
The Threat Prevention subscription protects the network from advanced threats by identifying and scanning all traffic – applications, users, and content – across all ports and protocols with predictable performance.
It includes a full-featured IPS that allows you to define vulnerability matching rules within a next-generation policy, and you can add anti-malware scanning when and where required. Furthermore, Threat Prevention provides command-and-control protection through pattern definitions of known botnets. Analysis of DNS queries for botnet patterns and sinkholing technology prevent that traffic from getting through.
2. Palo Alto Networks’ URL-Filtering Software Feature
You can enforce web browsing policies (per-device subscription for unlimited users) with Palo Alto Networks’ URL-Filtering subscription. This subscription enables the enforcement of an acceptable use policy and the blocking of threat sites, e.g., known malware, phishing or proxy-avoidance sites.
Palo Alto Networks’ Firewall enables the definition of policies which allow a positive security paradigm. This means only allowing access to data through authorized applications for authorized users and only for the required content type. This can be combined with the decryption policy which leaves privacy-sensitive categories encrypted.
3. Palo Alto Networks’ Wildfire Software Feature
Protection from previously unknown threats (Zero-Day threats, APT) can be provided through the Wildfire feature. WildFire is a cloud-based advanced threat intelligence service that identifies unknown malware, Zero-Day exploits, and advanced persistent threats (APTs) through static and dynamic analysis in a scalable, virtual environment. Through updates, WildFire automatically generates malware, URL and DNS signatures and distributes them within 5 minutes to all global, WildFire-subscribed Palo Alto Networks platforms.
The Palo Alto Networks’ Wildfire file analysis includes the following steps:
Wildfire uses static analysis to detect known threats by examining the characteristics of samples prior to execution. Because it is not signature-based, it can also detect and block unknown risks based on the characteristics of malware in the static analysis profile.
Machine Learning is used to identify variants of known threats by comparing malware feature sets against a dynamically-updated classification system.
Wildfire’s Dynamic Analysis is a custom-built, evasion-resistant virtual environment (i.e., a sandbox) in which previously unknown submissions are opened to determine real-world effects and behavior.
The heuristic engine determines whether the file exhibits suspicious behavior and, if so, sends samples that display the characteristics of an advanced VM-aware threat to the bare-metal appliance.
Bare-metal analysis (WildFire cloud analysis only)
That last step is executed in an entirely hardware-based analysis environment specifically designed for catching the most evasive type of malware that is aware of virtualized threat evaluation environments.
4. Palo Alto Networks’ GlobalProtect Software Feature
GlobalProtect extends the protection of the firewall to users wherever they are. This includes App-ID, SSL Decryption, Threat Prevention, URL-Filtering as well as File blocking and unknown threat protection with Wildfire.
By using GlobalProtect, you can consistently enforce security policies. This includes the protection of users that leave the building, the use of tablets or smartphones as well as Linux endpoints. Furthermore, for external users, a clientless portal can be used to provide access to applications.
GlobalProtect checks the endpoint to get an inventory of how it’s configured and builds a host information profile that’s shared with the Next-Generation Firewall. The Next-Generation firewall uses the host information profile to enforce application policies that only permit access when the endpoint is properly configured and secured.
Split tunneling based on the destination domain, client process, and video streaming application can be implemented with that subscription.
5. Palo Alto Networks’ MineMeld Software Feature
MineMeld is an open-source application that streamlines the aggregation and sharing of threat intelligence.
MineMeld automates the process of digging for indicators from threat feeds and of packaging the information into a variety of formats you can use with different security platforms.
Those feeds can be commercial or open-source threat feeds, or even a way to integrate volatile information such as the Office365 URLs and IPs currently used.
This information is useful to enrich existing security policies.
This can be done by blocking bad websites or DNS domains, as well as by defining dynamic address groups in policies or feeding external dynamic lists (EDLs) of IPs.
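The aggregation step described above, as an added illustration that is not MineMeld's own code: two constructed feeds (a plain-text list and a JSON document, with hypothetical indicators from the RFC 5737 documentation ranges) are parsed, validated, deduplicated and collapsed into an IP list and a domain list in the one-entry-per-line form an external dynamic list consumes. The `NEVER_BLOCK` safeguard is an assumption on my part, not a MineMeld feature: a block-list EDL that accidentally contains an RFC 1918 range or loopback would cut off the firewall's own environment, so feed entries overlapping those ranges are dropped before export.

```python
import ipaddress
import json
import re

# Constructed sample feeds (not real indicators). Two shapes a MineMeld-style
# aggregator has to normalise: a plain-text list and a JSON document.
FEED_TEXT = """\
# constructed feed A (hypothetical)
203.0.113.7
198.51.100.0/24
10.0.0.5          # RFC 1918: must never end up in a block list
203.0.113.7       # duplicate
not-an-ip         # garbage the feed parser must tolerate
"""

FEED_JSON = json.dumps({"indicators": [
    {"type": "IPv4", "value": "192.0.2.10"},
    {"type": "IPv4", "value": "203.0.113.7"},      # overlaps feed A
    {"type": "domain", "value": "malware.example"},
    {"type": "IPv4", "value": "127.0.0.1"},        # loopback: never block
]})

# Ranges a block-list EDL must never contain (assumption: extend this for your
# own address plan). Any feed entry overlapping one of these is discarded.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def parse_text_feed(text):
    """Return raw indicator strings from a '#'-commented, line-per-entry feed."""
    out = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            out.append(entry)
    return out


def parse_json_feed(payload):
    """Return (ip_strings, domain_strings) from a JSON feed of typed indicators."""
    data = json.loads(payload)
    ips, domains = [], []
    for ind in data.get("indicators", []):
        if ind.get("type") == "IPv4":
            ips.append(ind["value"])
        elif ind.get("type") == "domain":
            domains.append(ind["value"])
    return ips, domains


def normalise_ips(raw):
    """Validate, drop never-block overlaps, dedupe and collapse IPv4 networks."""
    nets = []
    for item in raw:
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            continue                      # skip unparsable entries
        if net.version != 4:
            continue                      # this list is IPv4-only
        if any(net.overlaps(nb) for nb in NEVER_BLOCK):
            continue                      # protect internal/reserved space
        nets.append(net)
    # collapse_addresses removes duplicates and merges adjacent/contained ranges
    return sorted(ipaddress.collapse_addresses(nets))


def normalise_domains(raw):
    """Lower-case, strip trailing dots, validate syntax, dedupe and sort."""
    return sorted({d.strip().lower().rstrip(".") for d in raw
                   if DOMAIN_RE.match(d.strip().rstrip("."))})


def render_ip_edl(nets):
    """One entry per line: host addresses bare, networks in CIDR notation."""
    lines = []
    for net in nets:
        if net.prefixlen == net.max_prefixlen:
            lines.append(str(net.network_address))
        else:
            lines.append(str(net))
    return "\n".join(lines) + "\n"


def build_edls(text_feeds, json_feeds):
    """Aggregate all feeds into an IP EDL and a domain EDL (both as text)."""
    ips, domains = [], []
    for t in text_feeds:
        ips.extend(parse_text_feed(t))
    for j in json_feeds:
        i, d = parse_json_feed(j)
        ips.extend(i)
        domains.extend(d)
    return {"ip": render_ip_edl(normalise_ips(ips)),
            "domain": "\n".join(normalise_domains(domains)) + "\n"}


if __name__ == "__main__":
    edls = build_edls([FEED_TEXT], [FEED_JSON])
    print(edls["ip"])
    print(edls["domain"])
```

Running the script prints an IP list of three entries (the duplicate, the private address, the loopback address and the unparsable line are gone) and a domain list with one entry. The same structure applies when you add further feed parsers: every parser only has to yield raw strings, and the validation and never-block checks run once, centrally, before anything reaches the firewall.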
SecureLink has defined a specific work package for our customers that wish to implement the MineMeld solution.