04-App ID + content ID
Transcript of 04-App ID + content ID
Slide 1: Network Security (Netwerkbeveiliging), Sven Sanders
Sven Sanders - Odisee
Slide 2: Application Identification
Slide 3: Packet processing flow
1. Initial packet processing: source zone / address / User-ID; PBF / forwarding lookup; destination zone; NAT policy evaluated.
2. Security pre-policy: check allowed ports; session created.
3. Application: check for encrypted traffic; decryption policy; application override policy; App-ID / Content-ID labeling.
4. Security policy: check security policy; check security profiles.
5. Post-policy processing: re-encrypt traffic; NAT policy applied; packet forwarded.
Slide 4: Packet filtering firewall
Port-based firewall: port 80 open; Yahoo Messenger (port 5050) blocked; BitTorrent client (port 6681) blocked.
Slide 5: Scenario 1
Traditional firewall, rule: ALLOW Port 53. DNS packet on port 53: allow. BitTorrent packet on port 53: allow. Visibility: port 53 allowed.
Palo Alto Networks firewall with App-ID, rule: ALLOW DNS. DNS = DNS: allow. BitTorrent ≠ DNS: deny. Visibility: BitTorrent detected and blocked.
Slide 6: Scenario 2
Traditional firewall plus application IPS, rules: ALLOW Port 53 on the firewall, Block BitTorrent on the IPS. Packet on port 53: allow at the firewall; DNS passes the IPS, BitTorrent: deny. Visibility: BitTorrent detected and blocked.
Palo Alto Networks firewall with App-ID, rule: ALLOW DNS. DNS = DNS: allow. BitTorrent ≠ DNS: deny. Visibility: BitTorrent detected and blocked.
Slide 7: Scenario 3
Legacy firewall plus application IPS, rules: ALLOW Port 53 on the firewall, Block BitTorrent on the IPS. Packet on port 53: allow at the firewall (DNS, BitTorrent and zero-day C&C all pass). IPS: BitTorrent: deny; zero-day C&C ≠ BitTorrent: allow. Visibility: packet on port 53 allowed.
Palo Alto Networks firewall with App-ID, rule: ALLOW DNS. DNS = DNS: allow. Zero-day command & control ≠ DNS: deny. Visibility: unknown traffic detected and blocked.
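The three scenarios as a small rule evaluator, added here as an example (not code from the slides or from Palo Alto Networks): a port-only rulebase, a port rule with a negative IPS blocklist, and a positive App-ID rule with default deny. The flows and application labels are constructed.

```python
"""Three firewall models from scenarios 1-3, evaluated over constructed flows.
Application labels ("dns", "bittorrent", "unknown-c2") are assumed names."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    dst_port: int
    app: str   # what the traffic really is; "unknown-c2" models a zero-day C&C channel

@dataclass(frozen=True)
class Rule:
    field: str   # "dst_port" or "app"
    value: object
    action: str  # "allow" or "deny"

def evaluate(rules: list[Rule], default: str, flow: Flow) -> str:
    """First-match evaluation; the default applies when no rule matches."""
    for rule in rules:
        if getattr(flow, rule.field) == rule.value:
            return rule.action
    return default

# Traditional firewall: only the port is inspected (scenario 1).
PORT_BASED = [Rule("dst_port", 53, "allow")]

# Traditional firewall plus application IPS: the IPS blocks what it knows
# (BitTorrent) after the port rule lets the packet through (scenarios 2 and 3).
IPS_BLOCKLIST = [Rule("app", "bittorrent", "deny")]

# App-ID: the rule names the application, everything else hits default deny.
APP_ID = [Rule("app", "dns", "allow")]

def port_based(flow: Flow) -> str:
    return evaluate(PORT_BASED, "deny", flow)

def port_based_with_ips(flow: Flow) -> str:
    if port_based(flow) == "deny":
        return "deny"
    return evaluate(IPS_BLOCKLIST, "allow", flow)   # negative model: allow unless listed

def app_id(flow: Flow) -> str:
    return evaluate(APP_ID, "deny", flow)           # positive model: deny unless identified

SAMPLE_FLOWS = [Flow(53, "dns"), Flow(53, "bittorrent"), Flow(53, "unknown-c2")]

def compare(flows=SAMPLE_FLOWS) -> dict:
    """Verdict per flow as (port-based, port-based + IPS, App-ID)."""
    return {f.app: (port_based(f), port_based_with_ips(f), app_id(f)) for f in flows}
```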
Slide 8: App-ID flow
Slide 9: Application shift
App-ID identification mechanisms: protocol decoders, application signatures, heuristics.
Application shift: HTTP → Facebook-base → Facebook-chat (the identified application shifts as more of the session is seen).
Slide 10: Application dependencies
Web-browsing → (application shift) → Google-translate-base; each application has its own Allow | Deny decision in the policy.
Slide 11: Implicit applications
Slide 12: Distinction
https://urlfiltering.paloaltonetworks.com/testASite.aspx
Slide 13: App definition updates
Slide 14: Adjusting policies: after downloading new app definitions
Slide 15: App filter
Slide 16: App group: your own static grouping of applications
Slide 17: Content-ID
Slide 18: Packet processing flow (the same diagram as on slide 3)
Slide 19: Content-ID: stream based
Slide 20: Security profiles
Antivirus, Anti-Spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, WildFire Analysis; combined in a Security Profile Group.
Slide 21: URL filtering
Slide 22: URL filtering order (diagram of numbered steps)
Slide 23: Custom category
Accepts wildcards and IP addresses.
Slide 24: URL filter actions
Slide 25: Response pages: Blocked, Continue, Override
Slide 26: URL filtering log
Slide 27: Override password
Device > Setup > Content-ID > Add
Slide 28: Antivirus
Slide 29: Anti-Spyware
Slide 30: Anti-Spyware (Objects > Security Profiles > Anti-Spyware)
Categories: adware, any, backdoor, botnet, browser-hijack, data-theft, keylogger, net-worm, p2p-communication, spyware.
Actions: default, allow, alert, drop, reset-client, reset-server, reset-both, block IP.
Slide 31: File blocking (Objects > Security Profiles > File Blocking)
Slide 32: Logging
Monitor > Logs > Data Filtering
Slide 33: Drive-by-download protection
A user attempts to download a file through the browser, or a website initiates an automatic file download. A Continue response page is presented to the user and the log is updated. If the user clicks Continue, the file download proceeds; if the user exits the response page, the file download is cancelled.
Slide 34: Unknown threats
Modern malware, Advanced Persistent Threats: stealthy, persistent, adaptable, detection avoidance (in particular of signature-based detection).
Slide 35: WildFire
Slide 36: WildFire flow: identify
File downloaded over a user session; security policy: allow.
Antivirus profile enabled on the security policy? no: file downloaded. yes: file sent to the Content-ID engine for antivirus scanning.
Virus detected and the profile set to block? yes: file download terminated; entry made in the threat log. no: continue.
WildFire Analysis profile enabled? no: file downloaded. yes: file sent for WildFire processing (1).
Slide 37: WildFire workflow: assess
(1) File signed by a trusted signer? yes: file download logged in the data filtering log, action: WildFire-upload-skip. no: hash sent for WildFire processing; the file hash is sent to WildFire and compared to previous entries.
Match? yes: classified as threat; file download logged in the data filtering log, actions: forward, WildFire-upload-skip. no: session sent to WildFire (2).
Slide 38: WildFire workflow: analyzed
(2) File and session sent to WildFire; file download logged in the data filtering log, action: WildFire-upload-success. WildFire processes the file in a sandbox to determine if it is malicious.
Malicious? no: file logged as benign, log sent to the firewall (if enabled). yes: threat signature generated and tested; forensics report generated in the web portal and e-mail sent (if enabled).
Slide 39: E-mail
Header info: sender/receiver, subject, fields. Body analysis: links, attachments.
Mail server → compromised host; URL / attachments → exploit → WildFire → BLOCK.
Slide 40: Submission log
Checking uploads via the CLI (immediate): debug wildfire upload-log
Monitor > Logs > WildFire Submissions
Slide 41: DNS sinkhole
Components: infected host, switch, firewall, public DNS server, malicious server on the Internet.
1. The infected host sends a DNS query for the malicious server.
2. DNS signature match on the firewall; the sinkhole address is returned instead.
3. The host contacts the sinkhole IP address.
4. The infected host is easily identified in the traffic logs.
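Step 4 worked over constructed traffic log lines, added here as an example (not code from the slides or a PAN-OS tool): the client that connects to the sinkhole IP is the infected host, while the internal resolver that forwarded the DNS query never shows up as a sinkhole contact. The sinkhole and resolver addresses and the column layout are assumptions.

```python
"""Identify infected hosts from traffic logs after a DNS sinkhole.
Log lines are constructed; the CSV layout is assumed, not the real PAN-OS format."""
import csv
from collections import Counter
from io import StringIO

SINKHOLE_IP = "10.255.255.254"   # assumed sinkhole address returned by the firewall
RESOLVER_IP = "10.0.0.53"        # assumed internal DNS resolver

# Constructed sample: the resolver queries the public DNS server, two clients
# then connect to the sinkhole, one client talks to a legitimate site.
SAMPLE_TRAFFIC_LOG = """\
time,src,dst,dport,app
2024-01-01T10:00:00,10.0.0.53,8.8.8.8,53,dns
2024-01-01T10:00:01,10.0.1.17,10.255.255.254,443,ssl
2024-01-01T10:00:02,10.0.1.17,10.255.255.254,80,web-browsing
2024-01-01T10:00:05,10.0.1.22,93.184.216.34,443,ssl
2024-01-01T10:05:00,10.0.1.40,10.255.255.254,8080,unknown-tcp
"""

def parse_log(text: str) -> list[dict]:
    """Parse the CSV log into one dict per row (header row gives the keys)."""
    return list(csv.DictReader(StringIO(text)))

def sinkhole_contacts(rows: list[dict], sinkhole_ip: str = SINKHOLE_IP) -> Counter:
    """Connections per source host whose destination is the sinkhole IP."""
    hits: Counter = Counter()
    for row in rows:
        if row["dst"] == sinkhole_ip:
            hits[row["src"]] += 1
    return hits

def infected_hosts(text: str = SAMPLE_TRAFFIC_LOG) -> list[str]:
    """Sorted list of hosts that contacted the sinkhole. The resolver is not
    among them: its DNS query goes to the public DNS server, and only the
    real client opens a connection to the sinkhole address."""
    return sorted(sinkhole_contacts(parse_log(text)))

if __name__ == "__main__":
    for host, count in sinkhole_contacts(parse_log(SAMPLE_TRAFFIC_LOG)).items():
        print(f"{host}: {count} sinkhole connection(s)")
```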
Slide 42: Vulnerability protection profile
Slide 43: Threat logs
Monitor > Logs > Threat