04-App ID + content ID

1

NetwerkbeveiligingSven Sanders

Sven Sanders - Odisee

2

Application Identification


3

Initial Packet Processing

Source Zone/ Address/ User-

ID

PBF/ Forwarding

Lookup

Destination Zone

NAT PolicyEvaluated

Security Pre-Policy

Check Allowed Ports

Session Created

ApplicationCheck for Encrypted

Traffic

Decryption Policy

Application Override Policy

App-ID/Content-ID Labeling

Security Policy Check Security Policy

Check Security Profiles

Post Policy Processing

Re-Encrypt Traffic

NAT Policy Applied

Packet Forwarded


4

Packet filtering firewall

•Yahoo Messenger

•BitTorrent Client

•Port 80• Open

Port-Based Firewall

Port 5050Blocked✗

Port 6681Blocked✗


5

Scenario 1

Palo Alto Networks Firewalls with App-IDTraditional Firewalls

Firewall Rule: ALLOW DNSFirewall Rule: ALLOW Port 53

Firewall

DNS = DNS: Allow

✔DNS DNS

BitTorrent ✗BitTorrent ≠ DNS:

Visibility: BitTorrent detected and blockedDeny

Firewall

Packet on Port 53: Allow

✔DNS DNS

BitTorrent ✔

Packet on Port 53: AllowVisibility: Port 53 allowed

BitTorrent


6

Scenario 2

App IPSFirewall Firewall

Traditional Firewalls

Firewall Rule: ALLOW DNSFirewall Rule: ALLOW Port 53

DNS=DNS:Packet on Port 53: AllowAllow

✔✔ DNS DNSDNS DNS

BitTorrent ✗BitTorrent ≠ DNS:

Visibility: BitTorrent detected and blockedDeny

BitTorrent ✔BitTorrent: Deny

Visibility: BitTorrent detected and blocked

✔ DNS

BitTorrent ✗

Application IPS Rule: Block BitTorrent

Palo Alto Networks Firewalls with App-ID


7

Scenario 3

Legacy Firewalls

Firewall Rule: ALLOW DNSFirewall Rule: ALLOW Port 53 Application IPS Rule: Block BitTorrent

Firewall

DNS=DNS: Allow

✔DNS DNS

Zero-day C & C ✗

Command & Control ≠ DNS:Visibility: Unknown traffic detected

and blocked

Deny

BitTorrent ✗Firewall

Packet on Port 53: Allow

✔DNS DNS

BitTorrent ✔

Visibility: Packet on port 53 allowed

✔ DNS

BitTorrent ✗ Zero-day C & C ✔ Zero-day

C & C ✔ Zero-day C & C

C & C ≠ BitTorrent: Allow

App IPS

Palo Alto Networks Firewalls with App-ID


8

App ID flow


9

Application shift

Facebook-chat

Protocol Decoders

Application Signatures

Application Shift

Application Shift

HTTP

HeuristicsFacebook-base


10

Application depencies

Google-translate-base

Allow | Deny

Allow | Deny

Application shift

Web-browsing


11

Implicit applications


12

Onderscheid

https://urlfiltering.paloaltonetworks.com/testASite.aspx


13

App definition updates


14

Policies aanpassen•Na download nieuwe app definities


15

App filter


16

App group•Eigen statische groepering applicaties


17

Content-ID


18

Initial Packet Processing

Source Zone/ Address/ User-ID

PBF/ Forwarding

Lookup

Destination Zone

NAT PolicyEvaluated

Security Pre-Policy

Check Allowed Ports

Session Created

ApplicationCheck for Encrypted

Traffic

Decryption Policy

Application Override

Policy

App-ID/Content-ID Labeling

Security PolicyCheck

Security Policy

Check Security Profiles

Post Policy Processing

Re-Encrypt Traffic

NAT Policy Applied

Packet Forwarded


19

Content-ID•Stream based


20

Security profiles

Antivirus

Anti-Spyware

Vulnerability

URL Filtering

File Blocking

Data FilteringSecurity Profile Group

WildFire Analysis


21

URL filtering


22

URL filtering volgorde

1

24

3


23

Custom category

Accepts wildcards and IP addresses


24

URL filter acties


25

Response pages

Blocked

Continue

Override


26

URL filtering log


27

Override password

Device > Setup > Content-ID > Add


28

Antivirus


29

Anti-Spyware


30

Anti-SpywareObjects > Security Profiles > Anti-Spyware

AdwareAnyBackdoorBotnetBrowser-hijackData-theftKeyloggerNet-wormp2p-communicationSpyware

DefaultAllowAlertDropReset-ClientReset-ServerReset-BothBlock IP

Categories

Actions


31

File blockingObjects > Security Profiles > File Blocking


32

Logging

Monitor > Logs > Data Filtering


33

Drive-by-download protection

User attempts to download a file through the browser

Website initiates an automatic file download

Continue response page presented to user

Log updated

File download proceeds File download is cancelled

User clicks Continue

User exits response page


34

Unknown threats•Moderne malware▫Advanced Persistent Threats

Stealthy Persistent Adaptable Detection avoidance

Ihb signature based


35

Wildfire


36

Wildfire flow: identify

File download terminated; entry

made in threat log

yesVirus detected and the profile set to block?

File downloaded

File sent for WildFire

processing

Security policy allow

Antivirus profile enabled on

security policy

yes

no

File sent to Content-ID engine for

antivirus scanning

File downloaded over user session

no

WildFire Analysis profile enabled

1


37

Wildfire workflow: assess

File download logged in data filtering log

Action: WildFire-upload-skip

Hash sent for WildFire processing

File signed by trusted signer?

no

yes


Actions: forward WildFire-upload-

skip

Match?Classified as

threatyes Session sent

to WildFire

no

yes

no

File hash sent to WildFire and compared to

previous entries

1

2


38

Wildfire workflow: analyzed

File logged as benignlog sent to firewall

(if enabled)

WildFire process file in sandbox to determine if

malicious

File and session sent to WildFire

Forensics report generated in Web portal

and email sent (if enabled)

yes Threat signature generated and

tested


Action: WildFire-upload-success

no

2


39

E-mail•Header info•Analyse body▫Links▫attachments

WildFire

Sender/Receiver; Subject; Fields

Mail Server

Compromised Host

URL / Attachments

Exploit

BLOCK


40

Submission log

Upload nagaan: via CLI (ogenblikkelijk):debug wildfire upload-log

Monitor > Logs > WildFire Submissions


41

DNS sinkhole

MaliciousServerInternet

Public DNS Server

Firewall

Infected Host

Switch

DNS Query for Malicious Server

Sinkhole Address Returns

Host Contacts Sinkhole IP Address

Infectedhost easily identified in traffic logs!

DNS Signature Match


42

Vulnerabilitry protection profile


43

Threat logs

Monitor > Logs > Threat

04-App ID + content ID

Documents

Transcript of 04-App ID + content ID