[Firewall] Palo Alto Networks firewall

2010. 11. 19. 11:52 | Posted by 꿈꾸는코난

Back in early 2007 I reviewed a white paper from Palo Alto Networks introducing the concept they call App-ID, and at the time my question was whether such a product was really feasible in practice. Conceptually it was a quite advanced and sound approach, but the biggest doubt was whether it could identify the countless applications out there and classify them accordingly; seeing the actual product shipped and even deployed now....

App-ID

Legacy port-based firewalls are ineffective at identifying and controlling applications because of their reliance on port and protocol as a means of traffic classification. Most applications are capable of bypassing them using a variety of techniques such as tunneling inside another application, sneaking across port 80, hopping ports, or using SSL. The lack of visibility and control means that port-based firewalls are no longer the central control point of the security infrastructure.

In order to restore the firewall as the strategic center of the security infrastructure, Palo Alto Networks developed a traffic classification technology that accurately identifies the applications, irrespective of port, protocol, SSL, or evasive tactic. The result is App-ID™, a patent-pending traffic classification technology that enables administrators to determine exactly which applications are running on their network.

Whereas port-based firewalls use only one mechanism of traffic classification, App-ID goes well beyond any other network security technology available, inspecting all of the traffic passing through the firewall with one or more identification techniques, including application protocol detection and decryption, application protocol decoding, application signatures, and heuristic analysis. The application identity is then used as the basis of the security policy.

Now, rather than react to the discovery of a strange application by summarily blocking it, the administrator can take a more balanced and informed approach by learning more about the application and then safely enabling its usage or blocking it based on the security risks. With App-ID, IT can now:

  • Improve network visibility by accurately identifying application traffic irrespective of port and protocol.
  • Enhance security by dictating access rights based upon the actual application traffic as opposed to simply the port and protocol.
  • Increase malware prevention effectiveness by narrowing down the number of unauthorized applications traversing the network.
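As an added illustration (not part of the original post and not Palo Alto Networks' own implementation), the following Python compares a port-only verdict with a payload-signature verdict on a few constructed flows, which is the difference the paragraphs above describe; the port table and the three signatures are simplified assumptions, not App-ID's real ones.

```python
import re

# Constructed sample flows for this example: (destination port, first payload bytes).
# These are hand-made byte strings, not captures from any real network.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_8.9\r\n"),                        # SSH hopping onto port 80
    (80, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),   # TLS ClientHello on port 80
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),  # TLS where the port implies it
    (8080, b"\x00\x00\x00\x1f\x07\x00\x00\x00"),             # nothing recognisable
]

# All a port-based firewall knows: the port number stands for the application.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl"}

def classify_by_port(port):
    return PORT_TABLE.get(port, "unknown")

# Payload signatures, tried in order; each entry is (application, predicate on the bytes).
SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    # TLS record type 0x16 (handshake), version major 3, handshake type 1 (ClientHello)
    ("ssl", lambda p: len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01),
    ("web-browsing", lambda p: re.match(
        rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", p) is not None),
]

def classify_by_signature(payload):
    for app, matches in SIGNATURES:
        if matches(payload):
            return app
    return "unknown"

def classify_flow(port, payload):
    """Both verdicts for one flow, plus whether the payload contradicts the port."""
    by_port = classify_by_port(port)
    by_app = classify_by_signature(payload)
    return {"port": port, "port_based": by_port, "app_id": by_app,
            "evasive": by_app != "unknown" and by_app != by_port}

def evasive_flows(flows=SAMPLE_FLOWS):
    """Flows where the identified application is not the one the port implies."""
    verdicts = [classify_flow(port, payload) for port, payload in flows]
    return [v for v in verdicts if v["evasive"]]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(classify_flow(port, payload))
```

The two flows flagged as evasive are exactly the ones a port-based rule set would wave through as ordinary web traffic.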

User-ID

As enterprises continue to use Internet- and web-centric applications to aid expansion and increase efficiencies, visibility into what users are doing on the network becomes increasingly important. Dynamic IP addressing across both wired and wireless networks, and remote access by employees and non-employees alike have made the use of IP addresses an ineffective mechanism for monitoring and controlling user activity. Unfortunately, today’s port-based firewalls rely heavily on IP addresses as a means of identifying and controlling user activity.

Palo Alto Networks User-ID technology addresses the lack of visibility into user activity by seamlessly integrating with enterprise directory services (Active Directory, LDAP, eDirectory) to dynamically link an IP address to user and group information. In Citrix and terminal services environments, User-ID associates the individual user with their network activity, enabling IT to deploy granular security policies. Integration with other third-party repositories is enabled by an XML API.

With visibility into user activity, enterprises can monitor and control applications and content traversing the network based on the user and group information stored within the user repository. User-ID enables IT to:

  • Regain visibility into user activities relative to the applications in use and the content they may generate.
  • Tighten security posture by implementing policies that tie application usage to specific users and groups, as opposed to simply the IP address.
  • Identify Citrix and Microsoft Terminal Services users and control their respective application usage.

User-ID gives an administrator complete visibility into the application activity at a user level, not just an IP address level, and in so doing addresses a key requirement in regaining control over the applications traversing the network. When used in conjunction with App-ID and Content-ID technologies, User-ID enables IT organizations to enjoy unmatched policy-based visibility and control over users, applications and content.
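An added example, not from the post and not the vendor's code: a minimal IP-to-user mapping table fed by constructed logon events, showing why a stale or reassigned address must not inherit the previous user's identity, with a group-based policy check on top of it for an application App-ID has already named. The timeout, users, groups and rules are invented for the example.

```python
from datetime import datetime, timedelta

MAPPING_TIMEOUT = timedelta(minutes=45)   # assumed value; a real deployment tunes this
# Constructed directory logon events (time, ip, user) for 2010-11-19. 10.0.0.5 is
# handed to a second user after a DHCP lease change; GROUPS stands in for the directory.
LOGON_EVENTS = [
    (datetime(2010, 11, 19, 9, 0), "10.0.0.5", "alice"),
    (datetime(2010, 11, 19, 9, 5), "10.0.0.9", "bob"),
    (datetime(2010, 11, 19, 11, 0), "10.0.0.5", "carol"),
]
GROUPS = {"alice": {"finance"}, "bob": {"engineering"}, "carol": {"contractors"}}

# Policy: (application, group allowed to use it); anything not listed is denied.
RULES = [("ssh", "engineering"), ("web-browsing", "finance"), ("web-browsing", "engineering")]

class UserIdTable:
    def __init__(self, timeout=MAPPING_TIMEOUT):
        self.timeout = timeout
        self.by_ip = {}                    # ip -> (user, time of last logon seen)

    def learn(self, when, ip, user):
        self.by_ip[ip] = (user, when)      # newest logon wins and evicts the old holder

    def user_for(self, ip, now):
        entry = self.by_ip.get(ip)
        if entry is None or now - entry[1] > self.timeout:
            return None                    # unknown or stale: do not guess the old user
        return entry[0]

def build_table(now, events=LOGON_EVENTS):
    """Replay the logon events seen up to `now` into a fresh table."""
    table = UserIdTable()
    for when, ip, user in events:
        if when <= now:
            table.learn(when, ip, user)
    return table

def decide(table, ip, app, now):
    """(user, action) for a flow whose application App-ID already identified."""
    user = table.user_for(ip, now)
    if user is None:
        return (None, "deny")
    groups = GROUPS.get(user, set())
    allowed = any(rule_app == app and group in groups for rule_app, group in RULES)
    return (user, "allow" if allowed else "deny")

def decide_at(ip, app, hour, minute):
    """Evaluate a flow at a clock time on the sample day."""
    now = datetime(2010, 11, 19, hour, minute)
    return decide(build_table(now), ip, app, now)
```

Once 10.0.0.5 passes to carol, a policy keyed on the address alone would still be applying alice's finance permissions; keyed on the mapping, the same address is denied.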


Content-ID

Enterprise networks are rife with applications that can evade detection. Common methods include dynamically hopping ports, re-using other ports, emulating other applications or tunneling inside SSL. The use of evasive applications has not gone unnoticed by attackers as they increasingly use these invisible applications to transport threats past the firewall. Content-ID melds a uniform threat signature format, stream-based scanning and a comprehensive URL database with elements of application visibility to detect and block a wide range of threats, control non-work related web surfing, and limit unauthorized file and data transfers.

  • Vulnerability prevention (IPS): Palo Alto Networks offers complete protection from all types of network-borne threats, including traditional vulnerability exploits as well as a new generation of hybrid and multi-vector threats. The Palo Alto Networks intrusion prevention features have been independently validated to have stellar IPS accuracy (93.4% catch rate) while simultaneously maintaining datasheet performance metrics. The full NSS report can be found here. The solution blocks known and unknown network and application-layer vulnerability exploits, buffer overflows, DoS attacks and port scans from compromising and damaging enterprise information resources. IPS mechanisms include:
    • Protocol decoders and anomaly detection
    • Stateful pattern matching
    • Statistical anomaly detection
    • Heuristic-based analysis
    • Block invalid or malformed packets
    • IP defragmentation and TCP reassembly
    • Custom vulnerability and spyware phone home signatures

    Traffic is normalized to eliminate invalid and malformed packets, while TCP reassembly and IP de-fragmentation are performed to ensure the utmost accuracy and protection despite any attack evasion techniques.

  • Stream-based Virus Scanning: Virus and spyware prevention is performed through stream-based scanning, a technique that begins scanning as soon as the first packets of the file are received as opposed to waiting until the entire file is loaded into memory to begin scanning. This means that performance and latency issues are minimized by receiving, scanning, and sending traffic to its intended destination immediately without having to first buffer and then scan the file. Key antivirus capabilities include:
    • Protection against a wide range of malware such as viruses, including HTML and JavaScript viruses, spyware downloads, spyware phone home, Trojans, etc.
    • Inline stream-based detection and prevention of malware embedded within compressed files and web content.
    • Leverages SSL decryption within App-ID to block viruses embedded in SSL traffic.
  • URL Filtering: Complementing the threat prevention and application control capabilities is a fully integrated, on-box URL filtering database consisting of 20 million URLs across 76 categories that enables IT departments to monitor and control employee web surfing activities. The on-box URL database can be augmented to suit the traffic patterns of the local user community with a custom, 1 million URL database. URLs that are not categorized by the local URL database can be pulled into cache from a hosted, 180 million URL database. In addition to database customization, administrators can create custom URL categories to further tailor the URL controls to suit their specific needs. URL filtering visibility and policy controls can be tied to specific users through the transparent integration with enterprise directory services (Active Directory, LDAP, eDirectory), with additional insight provided through customizable reporting and logging.
  • Data leak prevention: Administrators can implement several different types of data leak prevention policies to reduce the risk associated with unauthorized file and data transfer. The transfer of files can be controlled by looking deep within the payload to identify the file type (as opposed to looking only at the file extension) and allowing or blocking according to the policy. Loss of confidential data such as credit card numbers or SSNs can be controlled by detecting data patterns in the application flow and responding according to the policy.
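An added example, not the post's or the vendor's code, of the two data leak checks the last bullet describes: typing a file by its leading bytes rather than its name, and finding card numbers by pattern plus a Luhn check, with an SSN-shaped pattern alongside. The magic-number and extension tables and the block list are simplified assumptions for this example.

```python
import re

# Leading "magic" bytes that reveal a file's real type, whatever its name says.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
EXT_TABLE = {"exe": "pe-executable", "pdf": "pdf", "zip": "zip", "png": "png", "txt": "text"}
BLOCKED_TYPES = {"pe-executable", "elf-executable"}   # policy: executables may not leave

def file_type_from_content(data):
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"

def file_type_from_extension(name):
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXT_TABLE.get(ext, "unknown")

def file_transfer_verdict(name, data):
    """Decide on the payload's real type; the extension is reported only for comparison."""
    by_content = file_type_from_content(data)
    return {"name": name, "by_extension": file_type_from_extension(name),
            "by_content": by_content,
            "action": "block" if by_content in BLOCKED_TYPES else "allow"}

def luhn_ok(digits):
    """Mod-10 check that weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def find_sensitive_data(text):
    """Card numbers (Luhn-valid only) and SSN-shaped strings found in a flow's text."""
    cards = [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]
    return {"cards": [c for c in cards if luhn_ok(c)], "ssns": SSN_RE.findall(text)}

if __name__ == "__main__":
    # Constructed inputs: a renamed executable and a form body with a well-known test card number.
    print(file_transfer_verdict("quarterly.pdf", b"MZ\x90\x00\x03\x00\x00\x00"))
    print(find_sensitive_data("card=4111 1111 1111 1111&ssn=123-45-6789&ref=1234 5678 9012 3456"))
```

The renamed executable is blocked on its content even though its extension says PDF, and the 16-digit reference number that fails the Luhn check is not reported, which is what keeps a pattern-based DLP rule from drowning in false positives.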

Content-ID takes full advantage of the Palo Alto Networks SP3 architecture to deliver high-performance threat prevention without impeding traffic.