Tutorial: Configuring Your Security Policy

Captions
Hi everyone! This is Tom with the community team, and in this video tutorial we're going to take a look at optimizing your security policy. Let's take a look at a couple of example policies.

An administrator that just started setting up his appliance might be tempted to use 'any' in the source and/or destination for their security policy because that's "easy to work with": you don't need to make sure your zones are accurate before you start working. But those configurations tend to stay there for a while and might actually introduce some security risks, because you tend to lose control or sight over where your traffic is going to and can be coming from.

As an example, I've set up a LAN connection and a WAN connection over here, and these are set to intrazone and interzone instead of universal. So, what's the difference between these three?

A universal policy will apply any in any direction: a 'local' source zone is going to be allowed to the 'local' destination zone and the 'remote' destination zone, and then the 'remote' source zone will be allowed to the 'local' destination and the 'remote' destination.

If you have an intrazone rule set, this means that even if you have a mixture of all your zones in the source and the destination, they'll only be allowed to connect to their own zone. That means 'local' will only be allowed to connect back to the 'local' zone, and the 'remote' source zone will only be allowed to connect back to the 'remote' destination zone.

Interzone is going to be the reverse: the 'local' source zone is only going to be allowed to talk to any destination zone that isn't itself, and the 'remote' source zone is only going to be allowed to talk to any other destination zone except itself, so 'local' and any other zones, but not 'remote'.

Another important step to improve your security is to change the service from 'any' to application-default or a static set of ports, depending on your needs, but at least make sure there is no 'any' left.
So go ahead and change this to application-default. Since PAN-OS 6.0, if you create a new security policy it's going to be application-default by default, but it might be worth revisiting your security policy: it might have been there for a while, and if it has been set to 'any' manually or was created before you migrated to PAN-OS 6.0, there might still be services set to 'any', which is not optimal.

Why is this? For example, any session that gets created on the firewall is going to pass through the firewall policy twice. That means that when you receive your SYN packet, App-ID is not going to be able to identify an application just yet, because the session is new and there's no data in there yet. The only thing the firewall has is the 5-tuple of source zone, source subnet, destination zone, destination subnet and destination port. So, for example, if you're running a security policy that is only going to allow web browsing on port 80 and DNS on UDP port 53, any session coming in or going out on port 22 should be denied. If your service is set to 'any', the handshake will be let through and App-ID will need to determine if this application is web browsing or something completely different. This means that in this scenario, where the application is still set to 'any', we won't be able to restrict the creation of sessions based on the destination port just yet, because there aren't any applications that can guide the application-default to only allow certain ports to be open during the session creation phase.
In many cases, especially when a firewall administrator is creating his very first policy, he might not be aware which applications to allow or deny. Maybe there are a couple of straightforward applications like web browsing, ssl and DNS that might be allowed, but there are many others where it might not be as easy to determine which ones to deny and which to allow. For cases like that there's a nifty feature called the application filter.

An application filter is a sort of group that groups your applications by means of their behavior. So what you can do, for example: I have my blocked-apps filter here, I've selected all the subcategories I don't like and a risk factor I don't like, and it's going to populate the list of applications automatically. This also means that if, in the near future, a new application becomes available through a dynamic update and is added to the application repository, and it matches these parameters, it's automatically going to be added to my list.

So if I do the same thing for my allowed applications: I create, for example, an 'allowed apps filter' and I select services that I like, for example authentication, maybe some database internally, ERP and then internal file sharing; I do not like gaming; general business; some internet utility. And I select the technology that I like: for example, I do not want peer-to-peer, so browser-based, client-server and network protocol. And I only want the fairly low-risk to high-ish-risk applications, but nothing with a risk factor of five. Now I have a friendly list of applications that I trust based on the category, subcategory, technology and risk factor, without going in and pinpointing specific applications that I want to allow. If I now go back to my security policy and add them in here, this will make your environment a lot more secure.

Another thing that's often overlooked are the security profiles.
In all cases I would recommend administrators to create their own security profiles instead of using the default. This will help you get more acquainted with what is available to you, and secondly it's also going to allow you to set a couple of features that are not available in the default profile. For example, if we go to the antivirus profile and create a new one, we can set packet captures: this is going to create a little packet capture each time a virus is detected, which can be helpful if you want any post-mortem information or want to investigate what's going on on the network. It also includes a set of WildFire actions which aren't included in the default profile.

Next, in the anti-spyware profile you can create a profile that's just a little more aggressive than the default one, by, for example, setting the action to reset or block IP instead of the default action assigned to a specific anti-spyware threat, and it can also collect packet captures. Another neat feature in the anti-spyware profile is that you can enable DNS sinkhole, which means that if a host in your organization sends out a DNS request for a malicious domain, that request is intercepted and the reply is spoofed with a different IP address than the actual host. This serves two purposes: first off, it's going to interrupt any command and control sessions going out, because they are not going to be able to reach the intended IP address to actually receive commands from out there; and it will be easier to detect any hosts that have been infected, because they will be connecting to an IP address you know, being the sinkhole IP address.
You can either choose to put in your own IP address, choose the IPv4 loopback on the host itself, which means it's going to create the sinkhole on the host (which will not be detected by the firewall), or you can use the Palo Alto Networks provided sinkhole IP address on a public IP. If you're going to use your own IP address, make sure not to use an IP address that's actually being used inside your organization, because that's going to spawn connections to that host. You can also set an IPv6 sinkhole, and you can enable packet capture if you need to. Enabling passive DNS monitoring will send out anonymized DNS information to Palo Alto Networks so we can gather that information and use it to improve our signatures, so if you can, I would recommend enabling this, as that will improve life for everyone. Another cool feature: if you do have your own dynamic block list, you can add it right here and set the action that needs to be applied to it, so we can allow, block, alert or sinkhole.

For the vulnerability protection profile you can create a profile that's also a little more aggressive. So, for example, we create a rule for anything that's critical or high from host type client, meaning coming from the client, and instead of taking the default action we're going to block the IP address for a certain amount of time, for example 600, and we're going to enable extended packet capture. Then you can create a similar rule for the server side, and then we can create rules for the lower severities, medium, low and informational, and set the action to drop instead of block IP address, client... still with extended packet captures. We're going to clone that for the server side as well.

Creating a custom URL filtering profile will allow you to change some of the logging attributes from the default, as you can see here.
The default has a lot of allow categories, which isn't a bad thing, but anything that's allowed in the URL filtering profile is not going to be logged by default. So if you want to get a view of what's being passed through your firewall, you can set all the actions to alert and then still block all the categories that you don't want to allow, but you'll get a log entry for each allowed category that's going through your firewall. When this is done, in the settings you'll also be able to manipulate a couple of settings that you won't be able to change in the default one. For example, you can disable 'log container pages only', which will give you a full URL instead of just the host; you can enable safe search enforcement, which will make sure that your users are using Google in safe search mode only; and you can add a couple of options to your logging. With this profile you'll get far more information on what's being accessed by your users than with the default one.

For the file blocking profile I've actually created a different video called 'Tips from the Field: File Blocking Profile'. I'll add the link below; make sure to check it out, it's really, really interesting and contains a lot of useful information on which file types you will want to block and why.

Lastly, if you go to your security policy, make sure to actually change your profiles from anything that's default into all the stuff you just created, so you can take advantage of these profiles. Don't forget to add WildFire analysis: this will ensure that PE, APK, PDF, MS Office, JAR and Flash files are uploaded to the WildFire cloud for analysis. If any of the uploaded files contain an infection, signatures can be created to block these files.

Thanks for watching! I hope you liked the video. If you did, please hit the like button and don't forget to subscribe to our channel. Thanks!
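The universal/intrazone/interzone semantics and the "no 'any' left, no default profiles left" checks from the tutorial, as an added Python example that is not the video's or Palo Alto Networks' code. It assumes a simplified rule model (a `rule_type` field, zone sets, a `service` string and a `profiles` dict); the real PAN-OS schema differs, and the sample rules are constructed.

```python
from dataclasses import dataclass, field

# Simplified model of a PAN-OS security rule (assumption: not the real schema).
@dataclass
class Rule:
    name: str
    rule_type: str                        # "universal", "intrazone" or "interzone"
    src_zones: set
    dst_zones: set
    service: str = "application-default"  # or "any", or a fixed set of ports
    profiles: dict = field(default_factory=dict)  # e.g. {"antivirus": "default"}


def zone_pair_allowed(rule: Rule, src: str, dst: str) -> bool:
    """Does this rule's zone logic match traffic from zone src to zone dst?"""
    if "any" not in rule.src_zones and src not in rule.src_zones:
        return False
    if "any" not in rule.dst_zones and dst not in rule.dst_zones:
        return False
    if rule.rule_type == "intrazone":     # only back into the same zone
        return src == dst
    if rule.rule_type == "interzone":     # only to zones other than itself
        return src != dst
    return True                           # universal: every listed direction


def audit(rule: Rule) -> list:
    """Return the 'any' and default-profile findings the tutorial says to clean up."""
    findings = []
    if "any" in rule.src_zones or "any" in rule.dst_zones:
        findings.append("zone set to 'any'")
    if rule.service == "any":
        findings.append("service set to 'any' (use application-default)")
    for kind, prof in sorted(rule.profiles.items()):
        if prof == "default":
            findings.append(f"{kind} profile is the default one")
    return findings


if __name__ == "__main__":
    # Constructed sample rule set for illustration.
    rules = [
        Rule("lan-to-wan", "interzone", {"local"}, {"remote"}),
        Rule("legacy-allow", "universal", {"any"}, {"any"}, service="any",
             profiles={"antivirus": "default"}),
    ]
    for r in rules:
        print(r.name, audit(r) or "clean")
```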
Info
Channel: Palo Alto Networks LIVEcommunity
Views: 32,500
Keywords: Palo Alto Networks, Tutorial, Live Community, Security Policy, optimize, network security, tpiens, tom piens, reaper, best practice
Id: oUdqQSRyMis
Length: 14min 13sec (853 seconds)
Published: Tue Jul 05 2016