PaloAlto Training Print 01-30 (PAN ACE Training)


Design and Implementation of the Palo Alto Networks Firewall
PA-EDU-201 rev b

PaloAlto Training print.indd 1  3/8/10 12:24 PM

Agenda

Day 1
1. Introduction
2. Firewall Deployment
3. Application Control
5. User Identification

Day 2
6. SSL Decryption
7. VPN
8. Advanced Deployment Options
9. Management
10. Data Mining

2009 Palo Alto Networks. Proprietary and Confidential 3.0-a

Introduction

Application Based Firewall

[Figure: traffic on tcp/443 entering and leaving the firewall]

Evasive Applications

[Figure: Yahoo Messenger, port 5050 blocked, port 80 open; PingFU proxy; Bittorrent client, port 6681 blocked]

4000 Series Architecture

Flash Matching HW Engine
- Palo Alto Networks uniform signatures
- Multiple memory banks; memory bandwidth scales performance

Multi-Core Security Processor
- High density processing for flexible security functionality
- Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)

Dedicated Control Plane
- Highly available mgmt
- High speed logging and route updates

10 Gig Network Processor
- Front-end network processing offloads security processors
- Hardware accelerated QoS, route lookup, MAC lookup and NAT

[Figure: control plane (dual-core CPU, RAM, HDD) beside the data plane (Flash Matching Engine with RAM banks; security processor CPU1 to CPU16 with SSL, IPSec and de-compression; network processor with QoS, route/ARP/MAC lookup and NAT)]

PA-2000 Series Specifications
- 1U rack-mountable chassis
- Single non-modular power supply
- 80GB hard drive (cold swappable)
- Dedicated out-of-band management port
- RJ-45 console port, user definable HA port

PA-2050
- 1 Gbps FW
- 500 Mbps threat prevention
- 250,000 sessions
- 16 copper gigabit
- 4 SFP interfaces

PA-2020
- 500 Mbps FW
- 200 Mbps threat prevention
- 125,000 sessions
- 12 copper gigabit
- 2 SFP interfaces

2000 Series Architecture

Flash Matching HW Engine
- Palo Alto Networks uniform signatures
- Multiple memory banks; memory bandwidth scales performance

Multi-Core Security Processor
- High density processing for flexible security functionality
- Hardware acceleration for standardized complex functions (SSL, IPSec)

Dedicated Control Plane
- Highly available mgmt
- High speed logging and route updates

Network Processor
- Front-end network processing offloads security processors
- Hardware accelerated route lookup, MAC lookup and NAT

[Figure: control plane (dual-core CPU, RAM, HDD) beside the data plane (Flash Matching Engine with RAM banks; security processor CPU1 to CPU4 with SSL and IPSec; network processor with route/ARP/MAC lookup and NAT; 1 Gbps links between the stages)]

PA-500 Specifications

PA-500 Architecture

[Figure: control plane and data plane]

Single-Pass Parallel Processing (SP3) Architecture

Single Pass
- Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning: threats, URLs, confidential data
- One policy

Parallel Processing
- Function-specific hardware engines
- Separate data/control planes

Flexible Deployment Options

Visibility
- Application, user and content visibility without inline deployment

Transparent In-Line
- IPS with app visibility & control
- Consolidation of IPS & URL filtering

Firewall Replacement
- Firewall replacement with app visibility & control
- Firewall + IPS
- Firewall + IPS + URL filtering

Thank You

Firewall Deployment

Agenda
- Security Zones
- L3 Interface Configuration
- Security Policy Basics
- NAT Policy

Security Zones
- Zones represent networks of differing trust levels

[Figure: zones Internet, Data Center, Users, Guests and DMZ around the firewall, with the flows Internet - DMZ and Internet - Data Center]

Interfaces and Zones
- An Interface must be in a Security Zone
- A Security Zone can have multiple Interfaces

Interface   Zone      Address
E 1/2       Internet  161.23.4.56
E 1/11      DMZ       172.16.1.254
E 1/12.10   Users     192.168.10.254
E 1/12.20   Users     192.168.20.254
E 1/12.30   VoIP      192.168.30.254

Layer 3 Interfaces
- Provide Routing and NAT Functions
- All L3 interfaces in a Virtual Router share a routing table
- Each L3 interface has an IP Address

[Figure: PAN Device running Vrouter A; E1/9 10.1.1.254 to LAN 10.1.1.0, E1/10 192.168.100.254 to DMZ 192.168.100.0, E1/11 12.4.5.77 to the Internet]

Virtual Routers
- L3 Interfaces are added to Virtual Routers (VR)
- The VR contains all routing information
  - Static Routes
  - Dynamic Routing Protocol configuration

Configure L3 Interface
- Zone
- Virtual Router
- IP Address
- Interface Type

Configuring DHCP Server
- Select Interface
- Lease Options
- IP Address Range

Introduction to Security Policy
- All traffic going between security zones requires an allow policy
- The policy list is evaluated from the top down
- The first rule that matches the traffic is used
- No further rules are evaluated after the match

Building Blocks of Policy

Address Objects
- Hosts (/32 mask)
- Networks
- Can be named
- Can be added to groups

Users

Applications
- Represent content
- Includes Static and Dynamic Groups

Services
- Represent L4 addresses

Simple Policy Walkthrough

[Figure: host 192.168.41.22 behind E 1/2 (zone Users) reaching 74.125.19.23 through E 1/1 (zone Internet)]

NAT Policy
- Network Address Translation Policies define when and how translation occurs
- Source Translation is commonly used for access to the Internet
- Destination Translation is used to provide external access to servers in the private network

[Figure: Public IPs on the Internet side, Private IPs on the inside]

Source Address Translation

Pre NAT (from L3-trust -> L3-untrust)
SA         DA       SP     DP
10.1.1.47  4.2.2.2  43778  80

Post NAT (from L3-trust -> L3-untrust)
SA         DA       SP    DP
64.3.1.22  4.2.2.2  1031  80

Destination Address Translation

Pre NAT (from L3-untrust -> L3-untrust)
SA         DA            SP    DP
12.67.5.2  64.10.11.103  5467  80

Post NAT (from L3-untrust -> L3-trust)
SA         DA              SP    DP
12.67.5.2  192.168.10.100  5467  80
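The two translations above, worked through in code. This is an added example, not Palo Alto Networks code: the addresses, ports and zone names (L3-trust, L3-untrust) are the slides' own; the routing table, the NAT rules, the interface-less route-to-zone mapping and the dataclass names are constructed for the demonstration. The point it makes explicit is that the source zone is fixed by the ingress interface, while the destination zone comes from a forwarding lookup and is recomputed after destination NAT, which is why the destination-NAT flow is untrust -> untrust before translation and untrust -> trust after it.

```python
"""Source and destination NAT on the slides' pre/post-NAT tuples (added example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed routing table: the destination zone is the zone of the interface
# that the longest matching route points at.
ROUTES = [
    (ip_network("10.1.1.0/24"), "L3-trust"),
    (ip_network("192.168.10.0/24"), "L3-trust"),
    (ip_network("0.0.0.0/0"), "L3-untrust"),  # default route towards the Internet
]


@dataclass(frozen=True)
class Flow:
    sa: str  # source address
    da: str  # destination address
    sp: int  # source port
    dp: int  # destination port


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    match_da: Optional[str] = None      # destination NAT: the published public address
    translate_sa: Optional[str] = None  # source NAT: public address to rewrite to
    translate_sp: Optional[int] = None  # source NAT: port from the pool (constructed value)
    translate_da: Optional[str] = None  # destination NAT: the internal server


def zone_for(address: str) -> str:
    """Forwarding lookup: zone of the longest-prefix route matching the address."""
    addr = ip_address(address)
    matches = [(net, zone) for net, zone in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def apply_nat(flow: Flow, ingress_zone: str, rules: List[NatRule]) -> Dict:
    """Evaluate NAT rules top down against the pre-NAT zones and return the
    translated flow together with the zone pair before and after translation."""
    pre_zones: Tuple[str, str] = (ingress_zone, zone_for(flow.da))
    for rule in rules:
        if (rule.from_zone, rule.to_zone) != pre_zones:
            continue
        if rule.match_da is not None and rule.match_da != flow.da:
            continue
        post = replace(flow,
                       sa=rule.translate_sa or flow.sa,
                       sp=rule.translate_sp or flow.sp,
                       da=rule.translate_da or flow.da)
        # The source zone stays with the ingress interface; the destination zone
        # follows the translated destination address.
        return {"rule": rule.name, "pre": flow, "pre_zones": pre_zones,
                "post": post, "post_zones": (ingress_zone, zone_for(post.da))}
    return {"rule": None, "pre": flow, "pre_zones": pre_zones,
            "post": flow, "post_zones": pre_zones}


NAT_RULES = [
    NatRule("publish-web-server", "L3-untrust", "L3-untrust",
            match_da="64.10.11.103", translate_da="192.168.10.100"),
    NatRule("outbound-snat", "L3-trust", "L3-untrust",
            translate_sa="64.3.1.22", translate_sp=1031),
]


def source_nat_example() -> Dict:
    """Slide: 10.1.1.47:43778 -> 4.2.2.2:80 from L3-trust leaves as 64.3.1.22:1031."""
    return apply_nat(Flow("10.1.1.47", "4.2.2.2", 43778, 80), "L3-trust", NAT_RULES)


def destination_nat_example() -> Dict:
    """Slide: 12.67.5.2:5467 -> 64.10.11.103:80 from L3-untrust reaches 192.168.10.100."""
    return apply_nat(Flow("12.67.5.2", "64.10.11.103", 5467, 80), "L3-untrust", NAT_RULES)


if __name__ == "__main__":
    for result in (source_nat_example(), destination_nat_example()):
        print(result["rule"], result["pre_zones"], "->", result["post_zones"], result["post"])
```

A flow whose pre-NAT zone pair matches no rule is returned untranslated with `rule` set to `None`; the port 1031 is a constructed stand-in for whatever the dynamic pool would have handed out.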

Thank You

Agenda
- What is an Application?
- Application Control Center (ACC)
- Single Pass Architecture and Packet Flow
- Application groups and Filters
- Security Policy Examples
- Application Override Policy

What is an Application?

[Figure: iGoogle, GMail, GTalk, Google Calendar, eMule, UltraSurf, Lotus Notes]

Application Control Center
- Central location to view the state of the Network

Application Identification Components

Protocol Decoders
- Detect protocol in protocol
- Provide context for signatures

Protocol Decryption
- Man in the middle SSL decryption

Application Signatures
- Detect applications initiating

Heuristics
- Uses patterns of communication

Application Identification - Signatures

[Figure: SSL traffic passes Decryption (forward proxy) and is seen as HTTP; Protocol Decoders and Application Signatures identify webex, then a mode shift to Webex desktop sharing]

Application identification - Heuristics

[Figure: Unknown traffic passes Protocol Decoders, which examine communications, then Heuristics, and is identified as Encrypted Bittorrent]

Flow Logic

Initial Packet Processing
- Source Zone / Address
- Forwarding Lookup
- Destination Zone
- NAT Policy
- Security Pre-Policy: Check Allowed Ports
- Session Created

Application
- Check for SSL
- SSL Decryption Policy
- Application Override Policy
- App-ID

Security Policy
- Check Security Policy
- Check Security Profiles (SP3)

Post Policy Processing
- SSL Re-Encrypted
- NAT Applied
- Packet Forwarded

UDP Example
- Source Address
- Destination Address
- Destination Port
- Application Data

DNS Query for www.meebo.com

00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00
00 3b d1 26 00 00 80 11 54 18 0a 10 00 6e 0a 00
00 f6 c1 76 00 35 00 27 c7 5a a3 24 01 00 00 01
00 00 00 00 00 00 03 77 77 77 05 6d 65 65 62 6f
03 63 6f 6d 00 00 01 00 01

TCP Example
- Source Address
- Destination Address
- Destination Port
- Application Data

HTTP Connection to www.meebo.com

TCP syn
00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00
00 30 d1 29 40 00 80 06 8f 60 0a 10 00 6e d0 51
bf 6e 3a 52 01 bb 31 d7 06 19 00 00 00 00 70 02
ff ff 74 e4 00 00 02 04 05 b4 01 01 04 02

[Figure: syn, syn ack, ack, then the get; the returned application data (shown in part below, truncated) is labelled Meebo]
1f8b080000000000 0003b457fd6fdb36
13fe57ae1a363b99 2d35fb00dac4f6b0
26e9bbbc489a6075 570c7d8b81924e12
638954492aae57e4 7fdf1d2539b2f791
feb0370860ea783c de3d7cee789c3d39
bb3e5dfe7a730e3f 2daf2ee1e6cd8bcb
...
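Pulling the four fields the two slides name (source address, destination address, destination port, application data) out of the slides' own frames. This is an added example, not Palo Alto Networks code; the hex dumps are the slides' bytes, with one repair: the TCP dump as printed is one byte short in the IP header (the TOS byte after 0x45 is missing), and it is restored as 0x00 here, which the IP header checksum 0x8f60 confirms. The parser verifies that checksum before trusting any header field, decodes the DNS question name from the UDP payload, and reads the TCP flags and options from the SYN; note that the SYN's destination port is 443 even though the slide calls it an HTTP connection.

```python
"""Ethernet / IPv4 / UDP+DNS and Ethernet / IPv4 / TCP field extraction (added example)."""
import struct
from typing import Any, Dict

# Slide bytes: DNS query for www.meebo.com.
DNS_QUERY_HEX = """
00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00
00 3b d1 26 00 00 80 11 54 18 0a 10 00 6e 0a 00
00 f6 c1 76 00 35 00 27 c7 5a a3 24 01 00 00 01
00 00 00 00 00 00 03 77 77 77 05 6d 65 65 62 6f
03 63 6f 6d 00 00 01 00 01
"""

# Slide bytes: TCP SYN. The "00" after "45" (IP TOS byte) is restored; the
# slide's dump lost it, and the IP checksum 8f 60 only verifies with it present.
TCP_SYN_HEX = """
00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00
00 30 d1 29 40 00 80 06 8f 60 0a 10 00 6e d0 51
bf 6e 3a 52 01 bb 31 d7 06 19 00 00 00 00 70 02
ff ff 74 e4 00 00 02 04 05 b4 01 01 04 02
"""

TCP_FLAG_NAMES = {0x02: "SYN", 0x10: "ACK", 0x01: "FIN", 0x04: "RST", 0x08: "PSH"}


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 over a header carrying a valid checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dns_qname(payload: bytes, offset: int = 12) -> str:
    """First question name: length-prefixed labels after the 12-byte DNS header."""
    labels = []
    while payload[offset] != 0:
        n = payload[offset]
        labels.append(payload[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels)


def tcp_options(raw: bytes) -> Dict[str, Any]:
    """Parse MSS (kind 2) and SACK-permitted (kind 4); skip NOP padding."""
    opts: Dict[str, Any] = {}
    i = 0
    while i < len(raw) and raw[i] != 0:      # kind 0 ends the option list
        kind = raw[i]
        if kind == 1:                         # NOP
            i += 1
            continue
        length = raw[i + 1]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", raw[i + 2:i + 4])[0]
        elif kind == 4:
            opts["sack_permitted"] = True
        i += length
    return opts


def parse_frame(hexdump: str) -> Dict[str, Any]:
    """Return addresses, ports and application data; raise on a bad IPv4 header."""
    frame = bytes.fromhex(hexdump)            # fromhex ignores the dump's whitespace
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    proto = ip[9]
    l4 = ip[ihl:total_len]
    out: Dict[str, Any] = {
        "src_mac": ":".join("%02x" % b for b in frame[6:12]),
        "source_address": ".".join(str(b) for b in ip[12:16]),
        "destination_address": ".".join(str(b) for b in ip[16:20]),
        "ttl": ip[8],
    }
    if proto == 17:                            # UDP: fixed 8-byte header, length field
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        out.update(protocol="udp", source_port=sport, destination_port=dport,
                   application_data=l4[8:ulen])
        if dport == 53:
            out["dns_qname"] = dns_qname(out["application_data"])
    elif proto == 6:                           # TCP: header length from the data offset
        sport, dport = struct.unpack("!HH", l4[:4])
        hdr_len = (l4[12] >> 4) * 4
        out.update(protocol="tcp", source_port=sport, destination_port=dport,
                   flags=[n for bit, n in TCP_FLAG_NAMES.items() if l4[13] & bit],
                   options=tcp_options(l4[20:hdr_len]),
                   application_data=l4[hdr_len:])
    else:
        raise ValueError("unsupported IP protocol %d" % proto)
    return out


if __name__ == "__main__":
    for name, dump in (("DNS query", DNS_QUERY_HEX), ("TCP SYN", TCP_SYN_HEX)):
        print(name, parse_frame(dump))
```

The SYN carries no application data at all, which is the point of the slide's sequence: for TCP the firewall has addresses and ports at the first packet but has to let the handshake complete and see the first data before App-ID can say more than "tcp to port 443".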

Sample Common Filters
- Used to cover families of applications
- Frequently used for policies that block traffic

Sample Security Policy Application Groups

Known_Good
- Static Group of Applications
  - DNS
  - Web-browsing
  - SSL
  - Flash

Known_Bad
- Static Group of filters and applications
  - Games
  - IM
  - P2P
  - Remote Access
  - Tunneling

Security Policy Example
- First rule allows specific good applications
- Second rule blocks applications that are obviously unwanted
- Third rule catches all other applications; it could be allow or block based on environment
- Administrators track traffic affected by the third rule and add it to Known_Good or Known_Bad
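The top-down, first-match evaluation from "Introduction to Security Policy", the Known_Good / Known_Bad groups from the previous slide and the three-rule layout above, run as one small policy engine. This is an added example, not Palo Alto Networks code and not PAN-OS syntax. The group names, the five filter names and the rule order are the slides'; the filter-to-application mapping, the zone names and most application names are constructed (gtalk, emule, ultrasurf and pingfu appear on the slides, the rest are made up here). It also shows the two things the slides imply but do not spell out: a session is matched on the application App-ID reported, so the port-80 fallback from the Evasive Applications slide does not help a P2P client, and a catch-all rule placed too high shadows every rule below it.

```python
"""First-match security policy over the slides' application groups (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed: an application filter covers a family of applications.
APPLICATION_FILTERS: Dict[str, Set[str]] = {
    "Games": {"world-of-warcraft", "second-life"},
    "IM": {"yahoo-im", "msn", "gtalk"},
    "P2P": {"bittorrent", "emule"},
    "Remote Access": {"vnc", "rdp"},
    "Tunneling": {"ultrasurf", "pingfu", "tor"},
}

# Static groups from the slide: Known_Good holds applications, Known_Bad holds filters.
APPLICATION_GROUPS: Dict[str, Set[str]] = {
    "Known_Good": {"dns", "web-browsing", "ssl", "flash"},
    "Known_Bad": set(APPLICATION_FILTERS),
}


def expand(members: Set[str]) -> Set[str]:
    """Resolve group members to application names, expanding any filters."""
    apps: Set[str] = set()
    for member in members:
        apps |= APPLICATION_FILTERS.get(member, {member})
    return apps


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: Set[str]
    to_zones: Set[str]
    applications: Optional[Set[str]]   # None means "any"
    action: str                        # "allow" or "deny"


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    application: str   # what App-ID identified; policy matches this, not the port
    dst_port: int


def rule(name: str, from_zones: Set[str], to_zones: Set[str],
         members: Optional[Set[str]], action: str) -> Rule:
    return Rule(name, set(from_zones), set(to_zones),
                None if members is None else expand(members), action)


POLICY: List[Rule] = [
    rule("allow-known-good", {"Users"}, {"Internet"}, APPLICATION_GROUPS["Known_Good"], "allow"),
    rule("block-known-bad", {"Users"}, {"Internet"}, APPLICATION_GROUPS["Known_Bad"], "deny"),
    # Third rule: the slide leaves allow or block to the environment; "allow" here.
    rule("catch-all", {"Users"}, {"Internet"}, None, "allow"),
]


def evaluate(session: Session, policy: List[Rule] = POLICY,
             hits: Optional[Counter] = None) -> Tuple[Optional[str], str]:
    """Walk the list top down and stop at the first matching rule.
    Interzone traffic that matches nothing is dropped (implicit deny)."""
    for r in policy:
        if (session.src_zone in r.from_zones and session.dst_zone in r.to_zones
                and (r.applications is None or session.application in r.applications)):
            if hits is not None:
                hits[r.name] += 1   # what an administrator reviews for the catch-all rule
            return r.name, r.action
    return None, "deny"


def shadowed(policy: List[Rule]) -> List[str]:
    """Rules that can never match because an earlier rule covers every session they would."""
    names = []
    for i, r in enumerate(policy):
        for earlier in policy[:i]:
            wider_apps = earlier.applications is None or (
                r.applications is not None and r.applications <= earlier.applications)
            if r.from_zones <= earlier.from_zones and r.to_zones <= earlier.to_zones and wider_apps:
                names.append(r.name)
                break
    return names


if __name__ == "__main__":
    tally: Counter = Counter()
    for s in (Session("Users", "Internet", "web-browsing", 80),
              Session("Users", "Internet", "bittorrent", 80),   # port 80 does not help it
              Session("Users", "Internet", "webex", 443)):
        print(s.application, evaluate(s, hits=tally))
    print("catch-all hits:", tally["catch-all"], "shadowed if reversed:", shadowed(POLICY[::-1]))
```

Running `shadowed` over a candidate rule order before committing it is the cheap check that the catch-all has not been dragged above the rules it is meant to sit behind.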

User Defined Application usage

Application Override
- Bypasses App-ID for internal port based applications

Customizing Application settings
- Changing time out
- Adjusting Risk

Defining new HTTP applications
- New App-ID signatures for specific HTTP based applications
- User defined regexp
- Contextual signature engine