How to protect end-users – Palo Alto Networks FireWall Concepts Training Series

So how can a Palo Alto Networks next-generation firewall protect the users in a network? In this video I will show you! If this is your first time here, I’m Lars from Consigas. We call ourselves the Palo Alto Networks Experts, because the next-generation firewall is our passion! It’s what we do all day, every day: migrating firewalls, providing managed services and, most important of all, implementing security best practices. When I started to work with this box in 2010, hardly anyone knew about Palo Alto Networks, but as an engineer I felt that this solution would change the world of cyber security, and yes, today we know it did, big time, because it’s one of the few security solutions that can truly secure your network. However, there’s a caveat: you need to set it up in the right way for it to be effective, because while it’s awesome, it’s not a magic box! So over the years we became Professional Services Partners for Palo Alto Networks, as well as one of the few Elite Authorized Training Centers (eATC). After working in the field for so many years, and being a trainer, I would like to share my experience with you! So over the next couple of weeks and months we’ll release new videos on core concepts explaining the fundamental workings of the NG Firewall, starting with the threat landscape, deployment methods, NAT, App-ID, SSL decryption, VPNs and many more! So follow us on LinkedIn, YouTube or Twitter to stay up to date. But now let’s have a look at how to protect the users in your network! The first thing that we need to recognize is that there isn’t just one thing, “just one thing we do and then magically we protect the entire network”. Security protection always comes from a combination of different measures, simply because individual threat prevention techniques like IPS systems, URL filtering, anti-virus, you name it, are not effective on their own, because every one of them can be evaded. It’s always the combination that is effective.
And that’s exactly what I would like to show you here now. Okay? Taking our example, the first step was that the user tried to access a news web page which included advertisements. Here the first thing that we can definitely recommend is: block advertisements! Web advertisements add very little value for employees, so let’s just block them. It’s very easy for me to say this, but if I talked to your marketing department they would tell me, “No no no no no, I need access to web advertisements because it’s my job!” Here we already run into the first challenge. When we implement threat prevention techniques, in a lot of cases we can only do this if we have a firewall on which we can also effectively define exceptions. So in this example we can block the ads for everyone in the company, but allow them for specific users or groups of users, like the marketing department, okay? That’s really important to consider as well! Now, web advertisements are something interesting. What we need to understand is why they are so interesting for hackers. Put yourself in the shoes of a hacker, and let’s say you would like to distribute your malware; let’s say you want to earn money with ransomware, for instance, okay? If you want to do this through users accessing web pages, it means you first have to hack a lot of those pages and then place your code into them. That’s a lot of work. On the other side, if you use an advertisement network, you can just create your malware, like a malicious Flash file for instance, give it to the advertisement companies, and they will distribute it for you to thousands of web pages worldwide. Perfect! Hacker’s heaven! Obviously the risk of getting caught is a little bit higher, but there have actually been cases where users got infected through advertisements inside of YouTube videos, even.
Companies like Google, which are certainly among the better ones when it comes to security protections, are not immune to this. That’s why with web advertisements you should always be careful! In the next step there was the download of the malicious Flash file. Here, if we know from where the malicious Flash file came, and we have already identified the URL as malicious, we could have blocked this malicious URL. These files usually get delivered from other URLs, not the news web page itself. That page links to another web page, and this other web page is effectively what we can block, if we already know it to be bad, okay? Also the exploit code itself: if we already know it, the IPS system can block the exploit code as well. The problem with this is the same one as I mentioned before with anti-virus: for bad URLs we block them if we know them, for the IPS we block the exploit if we know it. Right? So we only block the already known threats. That’s something we definitely should do, but there’s a limit to it, right? What about the stuff that we don’t know? For this we have WildFire! What WildFire does is basically try to detect malware based on its behavior. So let’s say here we have the Internet connecting to your firewall, and here on the inside we have the internal network. Okay, so now if there’s a file traversing the firewall, this file will be uploaded to WildFire, which will analyze it and effectively look at its behavior. Instead of just checking a signature like anti-virus does, it looks at the behavior.
So the same way you would open a PDF file on your PC, WildFire opens it up and checks what it is doing. If it sees that it’s just a PDF, well then, that’s fine, but if it tries to change registry values, inject code into other processes and access the Internet, so shows a combination of behaviors which are clearly malicious, then it identifies the file as malicious, creates a signature and delivers it to the firewall, and it does this in just five minutes. An important thing to notice here is that the WildFire signatures, which are downloaded every five minutes, don’t only include the signatures for the files you uploaded, but for every Palo Alto Networks customer worldwide, meaning if a threat was seen anywhere in the world just five minutes earlier, you would already be protected against it, which I think is really effective! A concern that always arises here is obviously that we are uploading data to the cloud, and especially over here in Europe this is always a concern. The important thing is that we need to understand exactly what is happening. The big risk really comes from files like Flash, executables, Java and maybe Android APK files, and as long as you’re not a software development company these files don’t include private details, so nobody should have any concerns whatsoever about uploading them to the cloud. But then there are also privacy-related files, like PDF files and Office files; yes, they can include private details, and you might not want to upload them to the cloud. Every company needs to check its own legal situation, but again, what you need to consider is that you can define a very granular policy where you say, for instance, I only want to upload files which are publicly accessible for download on the Internet, so any file just downloaded from the Internet which doesn’t use SSL, for instance, you might want to upload.
So with these policies you can go into quite a lot of detail. It’s not just yes or no, right? Looking at the data here really makes sense, because this will give you a significant level of additional protection, okay. Lastly there are also URL links: if there’s SMTP or POP3 traffic traversing the firewall, it will look inside these emails, pick up the links and send them to WildFire, which will also analyze the links, and if it identifies that by accessing a link a malicious file was downloaded, it will classify this as well and also generate signatures for it. That’s also something which is very effective. By the way, don’t worry about WildFire clicking on “accept” messages and things like this; they have intelligence in there to overcome these things as well. Besides the cloud-based infrastructure for WildFire, there’s also an on-site solution called the WF-500, which is very similar to the cloud, but we do need to recognize that what an appliance on-site can do will never be the same as what the cloud can do, right? There’s always more you can do in the cloud, meaning from a functionality point of view the WF-500 is always behind the cloud. That’s why it actually makes sense to deploy this in a hybrid mode, where for instance privacy-related files like PDFs and Word documents are sent to the local WF-500, while files that are not privacy related, like executables, are still sent up to the public cloud. These kinds of hybrid setups are also supported. The important thing that we have to realize about WildFire is that it is not just a sandbox, like what I just explained to you; WildFire really is a threat intelligence cloud. Why?
Because it really correlates different indicators of compromise and then distributes them throughout the different threat prevention solutions. So for instance there’s a malicious file downloaded; with the sandbox we identify that it’s malicious and we obviously create the AV signature. That’s what we have just talked about. But the firewall also already knows from which URL this file was downloaded, so obviously this download URL is malicious as well, meaning we can straight away also update the URL filtering solution. And by running the file we might see that it tries to connect to certain command-and-control IP addresses and tries to resolve them via DNS, so here we can also update the DNS signatures, and where we see other types of command-and-control traffic we can update the IPS system with different command-and-control signatures. This is really important, because if you compare this with most other firewall vendors, they often just buy in databases for URL filtering or AV or whatever from other vendors, which are separate, so it’s not all integrated, and this is a really big limitation, because what is always key for security prevention these days is lowering the window of opportunity for the hacker. So the hacker launches his malware campaign, we identify the threat, and straight away we need to update all of the different systems that we have with these indicators of compromise, so that when we see malicious activity we can block it straight away. That’s really what WildFire is all about! Now there’s a downside to this, because processing this in five minutes, and sometimes less, is very powerful and very quick, but still, it takes five minutes. The next-generation firewall is a device which was built to handle a high volume of traffic at low latency, so it cannot really buffer anything for five minutes, and neither would the protocol support it.
The firewall isn’t something like an email server, which can store and quarantine emails or files, okay? So this means that if there is a file traversing the firewall which the anti-virus signatures don’t know yet, it will be uploaded to WildFire, but at the same time it will be passed through to the end user. The difference is that after five minutes you will get a report, the WildFire analysis report, which tells you, “Hey listen, we have seen a file traversing your network which we believe is bad.” An important thing here is that Palo Alto Networks is not just saying, “Hey listen, this is bad and you have to believe us”; they also tell you why they believe it is bad, right? Like in this case, where you can see below “Simulated some mouse and keyboard events” or “Connected to unregistered domain names”, and again it’s the combination of these events that suggests this is a bad thing. Getting alerted about an event like this after five minutes, versus finding out two months afterwards that you got infiltrated, obviously makes a big difference. Following on with our attack: there was the download of a malicious Flash file, and now there was the exploit on the end-user device. This is something that happens on the end-user device, so there’s nothing we can do about it on the firewall. That’s also something that Palo Alto Networks recognized, and said, okay, there are a lot of good and effective things that we can do on the network, but certain things you can only do something about on the endpoint itself. And that’s when they said, okay, if we want to protect enterprises from a security point of view, we also need to have a look at the endpoint itself, and that’s when they came up with the next-generation endpoint security solution called Traps.
Obviously here we’re going to focus on the firewall, but still I just want to show you very quickly what Traps is doing, because it actually also provides a lot of value to the firewall. Why? I’m going to show you in a moment. Let’s look at these exploits on the end-user device. The first thing we need to recognize is that in order for an exploit to work, the hacker always needs to use exploit techniques, and you can see exploit techniques like a toolkit, like an electrician needs a screwdriver and a voltmeter or something like this, okay? In the same way hackers also need tools, okay? And these are the exploit techniques, like for instance the buffer overflow, meaning when you launch a program like Internet Explorer it will always reserve a specific area in memory, and a buffer overflow would mean that it now tries to access an area in memory which was not previously reserved. That’s just one example of an exploit technique. These exploit techniques are important, because if we think about how we can prevent these exploits: first of all, as long as we have software we will have software bugs, right? Bugs which can be exploited. This is something which is never going to go away, and neither will we ever be able to know all of the bugs in software before a hacker knows them. It’s just not realistic. At the same time, the exploitation code that the hacker sends to the device to exploit the vulnerability also comes in the thousands or millions, so this is also something where, like with malware, we cannot really keep up. That’s something we cannot know beforehand. What we can know beforehand, however, are these exploit techniques, because there are only about twenty to twenty-five out there, and only one or two get developed every year. This is something that we can cope with. So how would this work? Let’s say we have the exploit on the endpoint, and let’s say the Flash file is loaded by Internet Explorer.
The hacker would now try to do a memory corruption, as all of these exploits are always related to some extent to some manipulation of memory, simply because what the hacker at the end of the day tries to do is deliver a data file, remember, a Flash file, a PDF file, a pure data file, which includes some instructions. He basically wants to get an existing piece of software, like for instance Internet Explorer, to run and execute his commands. That’s always the objective behind the exploit. How the hacker is doing this, I mean it’s not just one example, but for instance he does a heap spray, which reserves different areas in memory where he places his malicious code, then he triggers the buffer overflow, with which benign software, Internet Explorer, now accesses an area of memory which was not previously reserved, and with this it effectively loads the code of the hacker, and now Internet Explorer is executing the commands of the hacker. Now, all of this is highly simplified so that I can show it to you here; when we really look at memory operations this is way more complex, but I want to give you an overview here, because now if we apply Traps to this, what Traps is simply doing is trapping all of these exploit techniques, so it’s stopping the heap spray or it’s stopping the buffer overflow, and this is obviously very effective, because we don’t care what the software bug is, we don’t care what the exploit code is; this can be a completely new zero-day attack that nobody knows about, and Traps blocks it! Okay? So it’s just a really effective method, and this exploit prevention, by the way, is only one element of Traps. Traps, like the firewall, has the same approach of basically integrating a lot of different threat prevention techniques, which makes the entire solution secure.
The reason I explained this to you is that obviously Traps is a dedicated product that has nothing to do with the firewall, but, and that’s important, it is part of the next-generation security platform, meaning Traps will also send data to the cloud. So for instance, if any customer around the world running Traps identifies a new zero-day malware, Traps will send this to the cloud, WildFire will know about it as well, and it will deliver protections to the firewall too. It’s important for you to know this, because the protections that you receive are also originating from these endpoint protection solutions, making your firewall more secure as well. By the way, obviously it also works the other way around: if the firewall detects something it can send this to the cloud, and the cloud delivers it down to Traps as well. Following on with our attack, the next thing was that, based on the exploit, the PC went to a malicious web page without the user’s knowledge. Here what we can do is block malicious, or even better unknown, URLs. Remember what I explained to you before about WildFire updating the different solutions, including URL filtering. This now makes a completely different case, because with the integration of WildFire the probability that PAN already knows about this malicious URL is very high, so blocking malicious URLs is very effective, and even more effective is to also block unknown URLs! This is something we found to be extremely effective, because no matter how good WildFire and Palo Alto Networks are at detecting new malicious URLs, just by definition they will never be able to know everything. But if they know enough to allow all of the good stuff, then we can easily block the unknown URLs. This is very effective!
This is something that people are often afraid of, because it could block a lot of good applications, but it’s something which you can analyze easily, and I can tell you I’ve implemented this with a lot of big customers (3500++ users behind the firewall) and it’s working very well, because Palo Alto Networks has also become really good at detecting new URLs. There was kind of a funny case with a banking customer, where some people in the IT department made a game of it and tried to find new web pages on Google which the firewall didn’t know yet. Actually they found that PAN-DB from Palo Alto Networks was pretty good and pretty fast at identifying these unknown URLs. So that’s something I can tell you from experience works pretty well. The next step was that there was a download of a malicious executable, okay? Here the first thing that we need to do is SSL decryption! Decryption really is a centerpiece of your firewall configuration, something which unfortunately I often see not being configured. If you look at these firewall comparisons from the firewall test companies, they tell you, “We tested five thousand different evasion techniques for the IPS system” or whatever, but the evasion technique that hackers use all the time they don’t test! That’s SSL! A lot of attacks these days, or most, to be honest, use SSL for the very same reason we use it as well: to protect our data. The hacker does the same thing; he doesn’t want to get caught, so he just uses SSL to hide his data. So again, SSL decryption is essential, because once we decrypt the SSL traffic we can look inside it, identify the download of the executable file and block it! Here file blocking, and blocking the download of executables in particular, is extremely effective, simply because by far the majority of attacks, not all, but by far the majority, depend on the download of an executable file, for the same reason that I explained to you earlier.
With just an exploit, the hacker often lacks functionality. That’s why this is just really effective! Sometimes you might think, “But I cannot just block all downloads of executables.” You’re right, you cannot, but what we can do in your security policy is basically define a rule where you allow the download of executables from trusted sources. What we often see here is users updating their applications, so Google updates, Firefox updates and things like this, and then you block the actual download of executables from everywhere else. That’s really effective, because we don’t care if this executable is good or bad, right? We simply block it, and it works, and then again, with the exceptions defined, it works quite well. Good! So then obviously, if the malware was already known by WildFire, it can be blocked here as well, by the anti-virus. Obviously getting updates every five minutes certainly helps! It’s a big advantage compared to normal anti-virus products, which just update every 24 to 48 hours. Now we are again at the halfway stage where we have a malware-infected PC inside our network. The infection that I showed you was just one example of an infection, but you can have situations where an already infected PC comes into your network, and obviously you want to cope with these situations as well. Now, the first thing that you probably want to do is actually get rid of your proxy! A lot of companies, when we implemented the next-gen firewall, still had an old URL filtering proxy in place, and it’s often a bit of a controversy: “Should I keep the proxy or not?” Often there’s an argument where they say, “Yes, the next-generation firewall is really good, but next-generation firewall plus proxy is definitely more secure than a next-generation firewall on its own.” Yes, this is true! Right? But when it comes to security, you always need to really consider your constraints.
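The three policy points made so far (block ads for everyone except the marketing group, block unknown URL categories, and block executable downloads except from trusted update sources) all come down to rule ordering in a first-match policy. The following is an added example, written for this page and not Palo Alto Networks code or the PAN-OS rule format: a small first-match policy model with constructed group names, URL categories and update hostnames, showing that the exceptions only work if they sit above the broad block rules.

```python
"""Simplified first-match security policy model (added example, not PAN-OS code).

Shows the ordering behind the rules discussed in the video: the exceptions
(marketing may see ads, updaters may fetch executables from trusted hosts)
must come before the broad block rules, and the "unknown" URL category is
blocked outright. Group names, categories and hostnames are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass
class Request:
    user_group: str                  # e.g. "marketing", "staff" (constructed)
    url_category: str                # e.g. "news", "web-advertisements", "unknown"
    dest_host: str                   # destination hostname of the request
    file_type: Optional[str] = None  # "exe" when the request downloads an executable


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "block"
    user_group: str = ANY
    url_category: str = ANY
    file_type: str = ANY
    dest_hosts: tuple = ()           # empty tuple means any destination host

    def matches(self, r: Request) -> bool:
        """A rule matches when every condition is either 'any' or equal to the request."""
        return (
            self.user_group in (ANY, r.user_group)
            and self.url_category in (ANY, r.url_category)
            and self.file_type in (ANY, r.file_type)
            and (not self.dest_hosts or r.dest_host in self.dest_hosts)
        )


# Constructed policy. Order matters: the first matching rule wins.
POLICY = [
    Rule("allow-ads-marketing", "allow", user_group="marketing",
         url_category="web-advertisements"),
    Rule("block-ads", "block", url_category="web-advertisements"),
    Rule("block-unknown-urls", "block", url_category="unknown"),
    Rule("allow-exe-trusted-updaters", "allow", file_type="exe",
         dest_hosts=("update.example-browser.test", "dl.example-os-vendor.test")),
    Rule("block-exe-download", "block", file_type="exe"),
    Rule("allow-web", "allow"),
]


def evaluate(req: Request, policy=POLICY) -> tuple:
    """Return (rule name, action) of the first matching rule; no match means block."""
    for rule in policy:
        if rule.matches(req):
            return rule.name, rule.action
    return "default", "block"


if __name__ == "__main__":
    for req in (
        Request("marketing", "web-advertisements", "ads.example.test"),
        Request("staff", "web-advertisements", "ads.example.test"),
        Request("staff", "news", "news.example.test", file_type="exe"),
        Request("staff", "unknown", "x.example.test"),
    ):
        print(req, "->", evaluate(req))
```

One thing the model makes visible: because the marketing exception sits above the file-blocking rules, an executable served through an ad network to a marketing user is allowed. If executables should be blocked regardless of the ad exception, the two file rules belong above it; reviewing the policy with a handful of requests like these is the quickest way to catch such gaps.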
You cannot implement all the security products in the world in your network; you always have a constraint of money and time, because it always takes money and time to manage these things! If you take the effectiveness of a proxy plus firewall, and take into account the extra money and time you need to operate this, then it’s not an effective solution. If instead you take this money and time and invest it into, for instance, advanced endpoint protection like Traps, then you boost your security protection way higher and you have a much more effective security operation. That’s why I always recommend getting rid of the proxy, also because it often causes a lack of visibility on the firewall, so it’s definitely the better approach. Then, coming back to our attack, remember the first challenge the hacker had is that the malware-infected PC needs to know the IP address of its command-and-control server. So the first thing it tried to do was send a DNS query to resolve the command-and-control domain. Here Palo Alto Networks, with WildFire, also identifies malicious DNS queries for known command-and-control domains. These are then blocked by the anti-virus, and that’s good, because it blocks the communication. The problem that you have is that in most cases the DNS server is inside the network, meaning the packet you receive on the firewall comes from the IP address of the DNS server. But knowing this chain, we know that it’s not the DNS server itself; in fact there is malware on a PC behind the DNS server. So the attack, or the infection, is contained, and that’s good, but we still would like to know who this guy is, because you definitely want to get him out of the network.
That’s why there’s an additional feature called a DNS sinkhole. With it we’re not just blocking the DNS request, we’re also sending back a fake response with a fake IP address, like this one, 223.255.255.223, an IP address which is not known anywhere in your network. So now the malware is going to try to connect to this IP address, which we’ll obviously block on the firewall, and now we know that whoever tries to access this IP address must be someone we have sent such a response to, and with this we can identify these malware-infected PCs. So it’s something pretty small, but it’s pretty clever as well, and really helpful, because what we have seen is that these suspicious DNS queries are one of the key indicators of compromise which help us identify machines inside the network that are infected with malware. The next action, command-and-control traffic: here the Anti-Spyware system can also block known command-and-control traffic, another effective measure, as well as App-ID. Remember when I explained App-ID I said that any type of communication which goes over the network is identified by Palo Alto Networks as an application, and obviously they don’t know everything, and often, especially here, command-and-control traffic actually comes up as an unknown application. You have seen the database; it’s pretty big. So what we can do is define what we want to allow, and with this block everything else, including unknown, so this is a very effective measure to reduce the attack surface and with this secure our network. To be honest, unknown applications for command-and-control traffic is something we saw a lot five years ago; in recent years it’s getting less and less, because more command-and-control traffic is just web-based, so we don’t see this much anymore, but it’s still recommended, and it can be a good measure.
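The sinkhole trick works because the DNS answer is forged but the follow-up connection is not: whichever internal host opens a session to the sinkhole address is the infected one, even though the DNS query itself arrived from the internal DNS server. The following is an added example, written for this page and not a Palo Alto Networks tool or the real PAN-OS log schema: it reads a constructed, simplified traffic log, counts the internal hosts that tried to reach the sinkhole address from the video (223.255.255.223), and checks the one precondition the video states, that the sinkhole address must not be an address in use anywhere in your network.

```python
"""Find infected hosts from DNS-sinkhole hits (added example, not PAN-OS code).

The firewall answers lookups of known C2 domains with a sinkhole address.
Any internal host that then opens a connection to that address must have
received such an answer, so the source IP in the traffic log identifies the
infected machine. The log below is a constructed, simplified CSV
(time,src,dst,dport,action), not the real PAN-OS traffic log format.
"""
import csv
import ipaddress
from collections import Counter
from io import StringIO

SINKHOLE_IP = "223.255.255.223"   # the address used in the video
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOG_FIELDS = ["time", "src", "dst", "dport", "action"]

# Constructed sample traffic log. 10.1.1.53 is the internal DNS server;
# the sessions to the sinkhole come from two end-user PCs.
SAMPLE_TRAFFIC_LOG = """\
2019-03-01T10:00:01,10.1.1.53,8.8.8.8,53,allow
2019-03-01T10:00:02,10.1.20.17,223.255.255.223,443,deny
2019-03-01T10:00:03,10.1.20.17,223.255.255.223,80,deny
2019-03-01T10:00:04,10.1.30.5,93.184.216.34,443,allow
2019-03-01T10:00:09,10.1.40.8,223.255.255.223,8080,deny
"""


def sinkhole_is_safe(sinkhole_ip: str, internal_nets=INTERNAL_NETS) -> bool:
    """The sinkhole address must not fall inside any network you actually use;
    otherwise legitimate traffic would hit it and pollute the indicator."""
    ip = ipaddress.ip_address(sinkhole_ip)
    return not any(ip in net for net in internal_nets)


def infected_hosts(traffic_log: str, sinkhole_ip: str = SINKHOLE_IP) -> dict:
    """Map each source IP that tried to reach the sinkhole to its attempt count.
    The DNS server never appears here, only the hosts that acted on the answer."""
    hits = Counter()
    for row in csv.DictReader(StringIO(traffic_log), fieldnames=LOG_FIELDS):
        if row["dst"] == sinkhole_ip:
            hits[row["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    print("sinkhole address usable:", sinkhole_is_safe(SINKHOLE_IP))
    for host, count in sorted(infected_hosts(SAMPLE_TRAFFIC_LOG).items()):
        print(f"{host}: {count} connection attempt(s) to the sinkhole")
```

Running it on the sample log reports 10.1.20.17 (two attempts) and 10.1.40.8 (one attempt), and not the DNS server. Extend `INTERNAL_NETS` with every range routed in your environment before trusting `sinkhole_is_safe`.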
So now let’s assume we have a malware-infected PC on our network, and this one has successfully established command-and-control traffic. Okay, so now you’re in trouble! Well, certainly you’re in trouble if your network looks like this: if your data center, where effectively your crown jewels, your valuable IT information, are stored, is connected to the internal network, and users can communicate directly with it, then you’re in trouble, because now the malware-infected PC gets to the data center, right? That’s why a very important measure you need to think about is a “Zero Trust architecture”, basically network segmentation, to segment off especially the users. Part of Zero Trust is really more north-south and east-west segregation in the data center, creating different zones, but at a minimum what you should think about is separating your users from your data center (from your servers), okay? That’s kind of the minimum that you need to do! Because in a lot of cases, even if you look at the big attacks, what do you see in the news? In most cases first a device, an end-user device, was infected with malware, from where the hackers made their way into the data center. Okay, so network segmentation is a very important measure as well! By the way, if you’re interested in security best practices for Palo Alto Networks, then check out the blog on our web page; in the best practice section you can download this worksheet with over 120 best practices for the next-generation firewall, and very soon we will also launch the security best practice training with a lot of videos explaining all of these security best practices in detail. So if you’re interested, then sign up to our mailing list and we will let you know as soon as this free training is available!
