2/2/23, 12:38 AM Palo Alto (1-6) Flashcards | Quizlet
https://quizlet.com/422013241/palo-alto-1-6-flash-cards/
Palo Alto (1-6)
Terms in this set (52)

Term 1
Question: Which built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems?
Select one: a. superuser b. custom role c. deviceadmin d. vsysadmin
Answer: deviceadmin

Term 2
Question: Which Next Generation VM-Series model requires a minimum of 16 GB of memory and 60 GB of dedicated disk drive capacity?
Select one: a. VM-700 b. VM-500 c. VM-100 d. VM-50
Answer: VM-500

Term 3
Question: On the Palo Alto Next Generation firewall, a commit lock blocks other administrators from committing changes until all of the locks have been released.
Select one: True / False
Answer: True

Term 4
Question: True or False. Traffic protection from external locations where the egress point is the perimeter is commonly referred to as "North-South" traffic.
Select one: True / False
Answer: True

Term 5
Question: Which three engines are built into the Single Pass Parallel Processing Architecture of the Next Generation firewall?
Select one or more: a. User Identification (User-ID) b. Content Identification (Content-ID) c. Threat Identification (Threat-ID) d. Application Identification (App-ID) e. Group Identification (Group-ID)
Answer: User Identification (User-ID); Content Identification (Content-ID); Application Identification (App-ID)

Term 6
Question: Which built-in role on the Next Generation firewall is the same as superuser except for creation of administrative accounts?
Select one: a. deviceadmin b. vsysadmin c. sysadmin d. devicereader
Answer: deviceadmin

Term 7
Question: In which stage of the Cyber Attack Lifecycle model do attackers gain access "inside" an organization and activate attack code on the victim's host and ultimately take control of the target machine?
Select one: a. Weaponization and Delivery b. Reconnaissance c. Exploitation d. Command and Control
Answer: Exploitation

Term 8
Question: Which Next Generation Firewall feature protects cloud-based applications such as Box, Salesforce, and Dropbox by managing permissions and scanning files for external exposure and sensitive information?
Select one: a. Aperture b. GlobalProtect c. Panorama d. AutoFocus
Answer: Aperture

Term 9
Question: Which command will reset a Next Generation firewall to its factory default settings if you know the admin account password?
Select one: a. reset system settings b. reload c. request system private-data-reset d. reset startup-config
Answer: request system private-data-reset

Term 10
Question: Which feature can be configured with an IPv6 address?
Select one: a. BGP b. Static Route c. DHCP Server d. RIPv2
Answer: Static Route

Term 11
Question: What type of interface allows the Next Generation firewall to provide switching between two or more networks?
Select one: a. Tap b. Layer3 c. Virtual Wire d. Layer2
Answer: Layer2

Term 12
Question: Which of the following services are enabled on the Next Generation firewall MGT interface by default?
Select one or more: a. HTTPS b. HTTP c. SSH d. Telnet
Answer: HTTPS; SSH; Telnet

Term 13
Question: Which Next Generation FW configuration type has settings active on the firewall?
Select one: a. Running b. Candidate c. Legacy d. Startup
Answer: Running

Term 14
Question: Which of the following is a routing protocol supported in a Next Generation firewall?
Select one: a. RIPV2 b. EIGRP c. ISIS d. IGRP
Answer: RIPV2

Term 15
Question: Which type of interface will allow the firewall to be inserted into an existing topology without requiring any reallocation of network addresses or redesign of the network topology?
Select one: a. Layer 3 b. Tap c. Layer 2 d. Virtual Wire
Answer: Virtual Wire

Term 16
Question: All of the interfaces on a Next Generation firewall must be of the same interface type.
Select one: True / False
Answer: False

Term 17
Question: In a Next Generation firewall, every interface in use must be assigned to a zone in order to process traffic.
Select one: True / False
Answer: True

Term 18
Question: In addition to routing to other network devices, virtual routers on the Next Generation firewall can route to other virtual routers.
Select one: True / False
Answer: True

Term 19
Question: When using audit config to compare configuration files on a Next Generation firewall, what does the yellow indication reveal?
Select one: a. None b. Deletion c. Addition d. Change
Answer: Change

Term 20
Question: Which NGFW security policy rule applies to all matching traffic within the specified source zones?
Select one: a. Intrazone b. Universal c. Default d. Interzone
Answer: Intrazone

Term 21
Question: What two interface types on the Next Generation firewall provide support for Network Address Translation?
Select one or more: a. Virtual Wire b. Layer2 c. Tap d. Layer 3 e. HA
Answer: Virtual Wire; Layer 3

Term 22
Question: What should be configured as the destination zone on the original packet tab of the NAT Policy rule in the Next Generation firewall?
Select one: a. Untrust-L3 b. Any c. Trust-L3 d. DMZ-L3
Answer: Untrust-L3

Term 23
Question: Traffic going to a public IP address is being translated by a Next Generation firewall to an internal server private IP address. Which IP address should the security policy use as the destination IP in order to allow traffic to the server?
Select one: a. The server public IP b. The firewall Management port IP c. The firewall gateway IP d. The server private IP
Answer: The firewall gateway IP

Term 24
Question: Which source address translation type will allow multiple devices to share a single translated source address while using a single NAT Policy rule on the Next Generation firewall?
Select one: a. Bi-Directional b. Dynamic IP and Port c. Static IP d. Dynamic IP
Answer: Dynamic IP and Port

Term 25
Question: On the Next Generation firewall, if there is a NAT policy there must also be a security policy.
Select one: True / False
Answer: True

Term 26
Question: Security policy rules on the Next Generation firewall specify a source and a destination interface.
Select one: True / False
Answer: False

Term 27
Question: What feature on the Next Generation firewall can be used to identify, in real time, the applications taking up the most bandwidth?
Select one: a. Application Command Center (ACC) b. Quality of Service Statistics c. Applications Report d. Quality of Service Log
Answer: Application Command Center (ACC)

Term 28
Question: What are the three pre-defined tabs in the Next Generation firewall Application Command Center (ACC)?
Select one or more: a. Network Traffic b. Threat Activity c. Blocked Activity d. Application Traffic
Answer: Network Traffic; Threat Activity; Blocked Activity

Term 29
Question: When creating an application filter, which of the following is true?
Select one: a. They are called dynamic because they will automatically include new applications from an application signature update if the new application's type is included in the filter b. They are used by malware c. Excessive bandwidth may be used as a filter match criteria d. They are called dynamic because they automatically adapt to new IP addresses
Answer: They are called dynamic because they will automatically include new applications from an application signature update if the new application's type is included in the filter

Term 30
Question: In a Next Generation firewall, how many packets does it take to identify the application in a TCP exchange?
Select one: a. Four or five b. Three c. Two d. One
Answer: Four or five

Term 31
Question: What feature on the Next Generation firewall will set the security policy to allow the application on the standard ports associated with the application?
Select one: a. Application-dependent b. Application-implicit c. Application-custom d. Application-default
Answer: Application-default

Term 32
Question: On the Next Generation firewall, application groups are always automatically updated when new applications are added to the App-ID database.
Select one: True / False
Answer: False

Term 33
Question: On the Next Generation firewall, what type of security profile detects infected files being transferred with the application?
Select one: a. Vulnerability Protection b. WildFire Analysis c. Anti-Virus d. URL Filtering e. File Blocking
Answer: Anti-Virus

Term 34
Question: What is the benefit of enabling the "passive DNS monitoring" checkbox on the Next Generation firewall?
Select one or more: a. Improved malware detection in WildFire b. Improved PAN-DB malware detection c. Improved anti-virus detection d. Improved DNS-based command and control signatures
Answer: Improved malware detection in WildFire; Improved PAN-DB malware detection; Improved DNS-based command and control signatures

Term 35
Question: To properly configure DoS protection to limit the number of sessions individually from specific source IPs, you would configure a DoS Protection rule with the following characteristics:
Select one: a. Action: Deny, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured b. Action: Protect, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured c. Action: Deny, Aggregate Profile with "Resources Protection" configured d. Action: Protect, Aggregate Profile with "Resources Protection" configured
Answer: Action: Protect, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured

Term 36
Question: What component of the Next Generation Firewall will protect from port scans?
Select one: a. Zone protection b. DoS Protection c. Anti-Virus Protection d. Vulnerability protection
Answer: Zone protection

Term 37
Question: What action will show whether a PDF file downloaded by a user has been blocked by a security profile on the Next Generation firewall?
Select one: a. Filter the traffic logs for all traffic from the user that resulted in a deny action b. Filter the data filtering logs for the user's traffic and the name of the PDF file c. Filter the session browser for all sessions from a user with the application adobe d. Filter the system log for failed download messages
Answer: Filter the data filtering logs for the user's traffic and the name of the PDF file

Term 38
Question: What is the maximum size of .EXE files uploaded from the Next Generation firewall to WildFire?
Select one: a. Configurable up to 10 megabytes b. Always 2 megabytes c. Configurable up to 2 megabytes d. Always 10 megabytes
Answer: Configurable up to 10 megabytes

Term 39
Question: Without a WildFire subscription, which of the following files can be submitted by the Next Generation Firewall to the hosted WildFire virtualized sandbox?
Select one: a. PDF files only b. PE and Java Applet only c. MS Office doc/docx, xls/xlsx, and ppt/pptx files only d. PE files only
Answer: MS Office doc/docx, xls/xlsx, and ppt/pptx files only

Term 40
Question: In the latest Next Generation firewall version, what is the shortest time that can be configured on the firewall to check for WildFire updates?
Select one: a. 30 Minutes b. 15 Minutes c. 1 Hour d. 5 Minutes
Answer: 5 Minutes

Term 41
Question: On the Next Generation firewall, DNS sinkhole allows administrators to quickly identify infected hosts on the network using DNS traffic.
Select one: True / False
Answer: True

Term 42
Question: Which role in the Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations ensures that an effective program is established and implemented for the organization by establishing expectations and requirements for the organization's ISCM program; working closely with authorizing officials to provide funding, personnel, and other resources to support ISCM; and maintaining high-level communications and working group relationships among organizational entities?
Select one: a. Chief Information Officer (CIO) b. Senior Information Security Officer (SISO) c. Authorizing Official (AO) d. Head of Agency (HOA)
Answer: Chief Information Officer (CIO)

Term 43
Question: In the Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, which Tier ensures that all system-level security controls (technical, operational, and management) are implemented correctly, operate as intended, produce the desired outcome with respect to meeting the security requirements for the system, and continue to be effective over time?
Select one: a. Tier 3 - Information Systems b. Tier 4 - System Authorization c. Tier 2 - Mission/Business Process d. Tier 1 - Organization
Answer: Tier 3 - Information Systems

Term 44
Question: Which is the correct order for the Risk Management Framework (RMF) structured process in the Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations?
Select one: a. Categorize, Select, Implement, Authorize, Assess, Monitor b. Select, Categorize, Implement, Assess, Authorize, Monitor c. Categorize, Select, Implement, Assess, Authorize, Monitor d. Monitor, Select, Implement, Assess, Authorize, Categorize
Answer: Categorize, Select, Implement, Assess, Authorize, Monitor

Term 45
Question: Which type of social engineering attack involves hackers who impersonate IT service people and who spam-call as many direct numbers belonging to a company as they can find? These attackers offer IT assistance to each and every one of their victims.
Select one: a. Phishing b. Baiting c. Pretexting d. Quid Pro Quo
Answer: Quid Pro Quo

Term 46
Question: Which Palo Alto Networks Next Generation Firewall URL Category Action sends a response page to the user's browser that prompts the user for the administrator-defined override password, and logs the action to the URL Filtering log?
Select one: a. alert b. block c. continue d. override
Answer: override

Term 47
Question: Which Next Generation Firewall URL filter setting is used to prevent users who use the Google, Yahoo, Bing, Yandex, or YouTube search engines from viewing search results unless their browser is configured with the strict safe search option?
Select one: a. Safe Search Enforcement b. User Credential Detection c. HTTP Header Logging d. Log Container Page Only
Answer: Safe Search Enforcement

Term 48
Question: A "continue" action can be configured on the following security profiles in the Next Generation firewall:
Select one: a. URL Filtering and Antivirus b. URL Filtering, File Blocking, and Data Filtering c. URL Filtering d. URL Filtering and File Blocking
Answer: URL Filtering and File Blocking

Term 49
Question: Which URL filtering security profile action logs the category to the URL filtering log?
Select one: a. Alert b. Allow c. Log d. Default
Answer: Alert

Term 50
Question: Which is the correct URL matching order on a Palo Alto Networks Next Generation Firewall?
Select one: a. Block, Allow, Custom URL, External Dynamic, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud b. Block, Allow, External Dynamic, Custom URL, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud c. Allow, Block, Custom URL, External Dynamic, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud d. Block, Allow, Custom URL, External Dynamic, PAN-DB Download, PAN-DB Cloud, PAN-DB Cache
Answer: Block, Allow, Custom URL, External Dynamic, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud

Term 51
Question: Which web development language is object-oriented, class-based and concurrent, and was developed by Sun Microsystems in the 1990s?
Select one: a. Java b. Python c. Ruby d. PHP
Answer: Java

Term 52
Question: Which color of the Traffic Light Protocol (TLP) indicates that information requires support to be acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved?
Select one: a. Amber b. White c. Green d. Red
Answer: Amber

SRTY-6003 Securing the Edge 1
WEEK 5 Review of Palo Alto

Agenda
•Housekeeping Items
• Identified an issue with the Firewall OVA file provided by Palo Alto. New OVA requested and should be here by end of week
• As a result, all Palo Alto Lab due dates have been extended to November
• If you have already submitted a lab, you are welcome to re-submit. Only the last submission will be graded.
•In the news
•Review of the testable areas of Palo Alto covered in lecture

The Modules
•Week 1 was Device Configuration
•Week 2 was Palo Alto Architecture and Security Policies
•Week 3 was PA App-ID
•Week 4 was Content-ID and URL Filtering

Group 1 - Device Configuration
•Which of the following services are enabled on the Next Generation firewall MGT interface by default? (choose TWO)
• Https, SSH, Telnet, or Http
•Which of the following is a routing protocol supported in a Next Generation firewall?
• RIPV2, IPS, IGRP, or EIGRP
•Which type of interface will allow the firewall to be inserted into an existing topology without requiring any reallocation of network addresses or redesign of the network topology?
• Tap, Layer 3, Layer 2, Virtual Wire

Group 2 – PA Architecture
•What is the difference between vsysadmin, deviceadmin, devicereader, and sysadmin?
•What is the difference between an XSS attack and an XSRF (also called CSRF)? Which forges a request from a trusted user?
•Which type of attack can be mitigated by deploying strong encryption services on your network?
• Spoofing, sniffer, DoS, or Eavesdropping
•Which Next Generation Firewall feature protects cloud-based applications such as Box, Salesforce, and Dropbox by managing permissions and scanning files for external exposure and sensitive information?

Group 3 - Palo Alto Security Policies
•Which NGFW security policy rule applies to all matching traffic within the specified source zones?
• Interzone or Intrazone?
•Which is the correct order for the NIST Cybersecurity Framework process?
• Identify, Protect, Detect, Respond, Recover
• Identify, Protect, Detect, Recover, Respond
• Identify, Detect, Protect, Respond, Recover
• Detect, Identify, Protect, Respond, Recover
•What should be configured as the destination zone on the original packet tab of the NAT Policy rule in the Next Generation firewall? Untrust L3, Trust L3, or DMZ L3?

Group 4 – Application ID (App-ID)
• What is the function of the Application Command Center?
• In a Next Generation firewall, how many packets does it take to identify the application in a TCP exchange?
• Which color of the Traffic Light Protocol (TLP) indicates that information requires support to be acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved?
• Green, red, amber, or white?
• What feature on the Next Generation firewall will set the security policy to allow the application on the standard ports associated with the application?
• Application-implicit, application-custom, or application-default?

Group 5 – Content ID
• What type of security profile detects infected files being transferred with the application?
• WildFire, URL Filtering, AntiVirus, or Vulnerability Protection
• What is the benefit of enabling the "passive DNS monitoring" checkbox on the Next Generation firewall?
• In the latest Next Generation firewall version, what is the shortest time that can be configured on the firewall to check for WildFire updates?
• 5, 10 or 15 minutes?
• What is the maximum size of .EXE files uploaded from the Next Generation firewall to WildFire?
• Always 2MB, up to 2MB, always 10MB, or up to 10MB?

Group 6 – URL Filtering
• What is ISCM? What is the CIO's role? Which tier ensures that all system-level security controls (technical, operational, and management) are implemented correctly (tier 1, 2, 3, or 4)?
• What is a quid pro quo attack?
• Which URL filter setting is used to prevent users who use the Google, Yahoo, Bing, Yandex, or YouTube search engines from viewing search results unless their browser is configured with the strict safe search option?
• Is this the correct URL matching order on a Palo Alto Networks Next Generation Firewall?
• Block, Allow, Custom URL, External Dynamic, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud

SRTY-6003 Securing the Edge 1
Week 3 Application ID, Security Policies, and NAT

Agenda
•Define application identification (App-ID)
•Configure application filters and application groups
•Detect unidentified applications traversing the firewall
•Migrate a port-based rule to an App-ID based rule
•Display and manage Security Policy Rules
•Create a Security policy
•SNAT and DNAT

Flow Logic of the NGFW
What Is an "Application"?
What Is App-ID?
•Accurate traffic classification is the primary function of any firewall, with the result becoming the basis of the Security Policy
•Multiple techniques to label traffic by application rather than just port and protocol
Port-based security rule / Application-based security rule

Port-Based Versus Next-Generation Firewalls
Zero-Day Malware: IPS Versus App-ID

App-ID and UDP
App data is required to identify traffic to be processed by Security Policy

App-ID and TCP
• A database of application signatures updated as part of the firewall content updates.
• An App-ID heuristics engine used to look at patterns of communication. It attempts to identify an application based on its network behaviour.
• A set of application decoders that understand the syntax and commands of common applications.
• SSL and SSH decryption capabilities

App-ID Operation
Scan for Threats
Using App-ID in a Security Policy
What if an Application Shifts/Changes During a Session?

Dependent Applications
***Important to know and identify dependencies
Determining Application Dependencies
Check out: http://applipedia.paloaltonetworks.com

Implicit Applications
•Many common applications implicitly allow parent applications.
•No explicit Security policy rule is required for a parent application. Implicit permissions for a parent application are processed only if you have not added an explicit security policy rule for the parent application.
Determining Implicitly Used Applications

Application Filters
An application filter is an object that dynamically groups applications based on application attributes that you select from the App-ID database. The selectable attributes are category, subcategory, technology, risk, and characteristic.
App filters are an alternative to specifically identifying each application. Rather, you allow/deny based on attributes common to those applications.
Ex. Category could be "Business Systems" and subcategory "Office Programs". Allow any traffic that falls within this filter as it is related to office software. Ex. Evernote, Google Docs, Office 365, etc.

Application Filter
Objects > Application Filter > Add
•Dynamic grouping of applications
•Created by selecting filters in the App-ID database
•Used to simplify Security, QoS, and PBF policy rulebases

Application Groups
Objects > Application Groups > Add
• What is an application group?
• Facilitates and expedites creation and management of the policy rules
Ex. You could group all applications that are not using default ports.

Nesting Application Groups and Filters

Applications and Security Policy Rules
Application filters and groups are added to the Security policy rules just as single applications are. They can be used to either allow or deny applications.

Application Block Page
•For blocked web-based applications, a response page can be displayed in the user's browser.

Identifying Unknown Application Traffic
Unknown Network Traffic
Firewalls identify traffic by port or application. Let's look at application.

Identify Unknown Application Traffic
Iterative process:
• Create rules to allow or block applications known to be traversing the firewall
• Create a temporary rule to detect unidentified applications traversing the firewall
• As applications are identified, create specific rules to allow or block them
Policies > Security
What to do with "Unknown" Traffic? Ex. Wireshark

Overrides App-ID and Security policies

Policy Optimizer
• Migrate port-based rules to App-ID-based rules
• Help reduce attack surface and provide information about application usage
• Prevent evasive applications from running on non-standard ports
• Identify over-provisioned application-based rules

Migrating from Port-Based to Application-Based Policies
***Each Phase is discussed in the following slides
• Then "clone" the existing port-based rule
• Ensure that traffic matches the application-based rule before it can match the legacy port-based rule
• Review the Traffic logs and Security policies to determine if traffic is continuing to match any legacy port-based rule. If no legitimate traffic has matched a legacy rule, then that legacy rule can be removed

Phase 1: Viewing Data of Port-Based Rules. What is happening with existing rules?
Discovering Applications Matching a Port-Based Rule
Policies > Security > Policy Optimizer > No App Specified

Active Learning Exercise
•In order to understand Phase 2 "Adding Application-Based Rules", review the next 6 slides. These slides show THREE options for Phase 2 of the migration process.
•Answer the following questions:
• Which option do you prefer?
• Identify a scenario when you would use each of the three options.
•Share your opinion/findings in the Week 3 Discussion Forum on FOL

Prioritizing Port-Based Rules to Convert
A gradual conversion is safer than migration of a large rule-base at one time

Phase 3: Reviewing Port-Based Rules
•After 60 days, review the Policy Optimizer columns in the Security policy.
•Look for port-based rules with zero hits.

Disabling Port-Based Rules
•Disable port-based rules that have not matched any new traffic.
•Disabled rules are rendered in gray italic font.
•Tag rules that must be removed later (optional).

Removing Port-Based Rules
•After 90 days, delete port-based rules that have not matched any new traffic.
•The goals:
• At least 80% application-based rules
• No inbound or outbound unknown applications (internal is acceptable)
Policies > Security

Ways to update App-ID
Dynamic Content Updates: App-ID
Scheduled App-ID Updates
Content Update Absorption
• Review Apps for list of modified applications and details for each application
• Review Policies to see policy rules that may enforce traffic differently

Security and NAT policies
Security Policy Fundamentals: Controlling Network Traffic
HIP = Host Information Profile

Sessions and Flows
Traffic passing through the firewall is matched against a session and each session is then matched against a Security policy rule. When you define Security policy rules, consider only the C2S flow direction.

Displaying and Managing Security Policy Rules
Security Policy – Three Types of Rules
A universal rule applies to all matching interzone and intrazone traffic in the specified source and destination zones.
Implicit and Explicit Rules
Security Policy Rule Match
Policy Rule Hit Count
Scheduling Security Policy Rules
Managing the Policy Ruleset
Universally Unique Identifiers (UUIDs)
Finding Unused Security Policy Rules
Rule Usage Filter
Address Objects

Tags
You can make tags mandatory.
Tag-Based Rule Groups
You can assign rules to tag groups. Before you can assign a group tag to a rule, you must first create the tag and assign it to the Security policy rule.

Creating a New Service Definition
You can confine an application type to a specific port, BUT the default port is "any".

Active Learning Exercise: Ports!!
•Create a table of the most common ports used for different services and applications.
•Identify the port (default), the service, and the protocol (TCP/UDP) in your table
•Identify any popular alternative ports as well (if known)
•Save that table as an Excel file and upload that file into the Week 3 Discussion Forum.
•Remember to comment on the posts of others. Push their thinking. Ask the "what if", "why" and "how" questions.

Using Global Find
Can search for
• an IP address
• an object name
• a policy rule name
• a threat ID
• an application name
Global Find will not search dynamic content such as logs, address ranges, or allocated DHCP addresses.
• Does not search for individual username or group names
In general, you can search only content that the firewall writes to the candidate configuration.
Example use cases for the Global Find feature are:
• Find all objects with a given tag
• See where a given IP address is used in the configuration, including Address objects, Dynamic objects, literals in policies, and network configuration
• Find a policy that includes a username or user group
• See any place a given username appears in the config, including user activity reports and policies
• Find out if an application is used in a policy, application group, application filter, or a report query
• Find a ticket number that was added to a comment in a policy or on another object

Enabling Intrazone and Interzone Logging
To configure logging on the implicit rules, select a rule and click Override.

Rule Changes Archive
Why archive all rule changes?
• Often done to meet regulatory compliance requirements

Test Policy Functionality: "Test Security Policy Match"
Enables you to enter a set of test criteria directly from the web interface rather than from the CLI.
Viewing the Traffic Log

Network Address Translation (NAT) Policies on a Palo Alto Firewall
Flow Logic of the Next-Generation Firewall
What are:
• PBF
• SNAT
• DNAT
Which layer is this inspection happening on?
NAT configuration can take two forms: SNAT and DNAT
The firewall is a NATing device
What is a DMZ? Is it inside or outside?

Source NAT
Source NAT translates the private address and makes the traffic routable across the internet.

Source NAT Types
•Static IP:
• 1-to-1 fixed translations
• Changes the source IP address while leaving the source port unchanged
• Supports the implicit bidirectional rule feature
•Dynamic IP:
• 1-to-1 translations of a source IP address only (no port number)
• Private source address translates to the next available address in the range
•Dynamic IP and port (DIPP):
• Allows multiple clients to use the same public IP addresses with different source port numbers.
• The assigned address can be set to the interface address or to a translated address.

Source NAT Policies and Security Policies
Configuring Source NAT
Source NAT Examples
Source NAT Examples (Cont.) (DIPP)
With this type of NAT, an available address in the specified range can be used multiple times because each time the address is paired with a different port number.
Why might we need to do this? Think about IPv4 and public IPs…

Configuring Bidirectional Source NAT
DIPP NAT Oversubscription
Destination NAT
Destination NAT Attributes
Dynamic IP Address Support for Destination NAT
Destination NAT and Security Policies
Configuring Destination NAT
Destination NAT Port Translation Configuration

Summary
•Today we discussed App-ID, Security Policies, and NATting in Palo Alto Firewalls.

Reminders
•Lab #1 has been posted and is due. Lab 2 will be posted this week.
•Next week is Week 4 - Anti-Virus/Anti-Spyware/File Blocking in Palo Alto
• We will also be discussing Palo Alto's WildFire cloud service
• To prepare: Please watch this video that discusses WildFire (approx. 13 minutes)
•Test in Week 5 (we will discuss the test next week)

SRTY6003 Week 1: Introduction to the course and to Palo Alto
A "wake-up" riddle… It has keys but no locks. It has space, but no room. You can enter, but can't go inside. What is it?
Stephen Freymond
• Professor, School of IT
• sfreymond@fanshaweonline.ca
Agenda
• Part 1: Course Overview
  • housekeeping/routine
  • course outline and expectations for the course
• Part 2: Lesson for Week 1
  • What is Security
  • Types of Attacks
  • History of Firewalls
  • Zero Trust
  • Your task this week is to complete the Workstation Setup on your laptop/PC
Let’s talk about the SRTY 6003 course
The Routine
• At the start and end of each class I’ll take some time to remind you of upcoming tests/assignments (aka my “Housekeeping” slide)
• Synchronous classes will start with a virtual “check in” to see if there are any questions stemming from last week, and generally to see how you are doing/feeling with your course load.
• We will also explore current events, news items, and other resources relating to Security Planning and ISM in general.
• ISM is a student-centered program. Your learning is paramount. Own your learning!
• Then we will proceed with an interactive lesson
• Come prepared for class
• Be prepared to work in breakout groups during tutorial
• Each lesson will conclude with an invitation for questions and reminders for the coming weeks
Current Events: What is happening in (your) world?
• https://searchsecurity.techtarget.com/feature/A-cybersecurity-skills-gapdemands-thinking-outside-the-box
• https://www.cbsnews.com/news/ransomware-attack-shuts-down-richmondmichigan-school-district/
• https://www.technologyreview.com/f/615002/ransomware-may-have-cost-the-usmore-than-75-billion-in-2019/
How to Succeed in This Course…
• This is a “Lecture and Lab style” class, so I suggest you take notes and research.
• Lots of interactive exercises and (hopefully) discussions during class time
• I suggest you take notes during the lecture, as not all test questions come from the PowerPoint slides and labs!
• Slides are a HANDOUT that highlights key points, but they do not cover all you need to know.
• Not all concepts are fully explained on the slides.
• You need to do the exercises and listen to/participate in tutorials.
• Everything in the lessons / resources / discussion is testable material.
• Ask questions if you don’t understand something – you likely won’t be the only person.
• Don’t try to memorize! Memory alone will not suffice. Understanding and application are key!!
• Do not underestimate the work required for this course/program
Student Success
• Show respect for your professor and your peers
• Be active and participate in online class discussions
• HELP EACH OTHER. Create your own study groups (or use the discussion forum). Some of you may solve problems faster than your peers – share your success by showing them how!
• Prepare properly for lectures and tests
• Do all the required and recommended work
• Do not miss tests
Course Design
➢ 4 hours/week of scheduled time (2+2)
➢ You should reserve another 4 hours/week for studying, labs, discussions, and other course tasks
➢ Tutorials are asynchronous (you watch tutorial recordings at your own pace)
➢ You can also complete the labs on your own if you wish.
➢ Instructor office hours double as student drop-in time for course questions (including labs). Attendance at the drop-in sessions is optional.
➢ Scheduled time consists of:
  1. Discussions, tutorials/lectures, exercises (ALEs) and case reviews
  2. Lab time and drop-in discussion. This will be the time you spend working on the labs, taking screenshots of your work, and creating your submission file (.ppt or .pptx)
The Course Outline
Course Outline
• Learning Outcomes
  • What you will be able to demonstrate once the course is completed.
  • Questions on tests will reflect your attainment of these objectives
• Course Plan
  • Detailed list of what you should expect to be taught each week
  • How to prepare for class
  • Test and assignment due dates
INFO 6003 – Learning Outcomes
This course is designed to help you meet specific learning outcomes.
• There are 10 course learning outcomes.
• EVERYTHING we do in this course is designed to help you meet those outcomes
  • If you are not clear as to how a task/content relates to these outcomes, please ask!
  • #ownyourlearning
• Note the active nature of the outcomes – they are also future-focused. What you will learn, know, understand, apply, develop, identify, create, describe, explain, etc.
SRTY6003 – 10 Learning Outcomes
1. Manage, maintain and monitor firewall operations
2. Discuss the necessity and operations of Authentication, Authorization and Accounting (AAA) Services
3. Describe ACL and NAT operations
4. Discuss the need for Application ID and Content ID
5. Discuss the pros and cons of File Blocking
6. Discuss the security benefits and concerns with using the firewall to decrypt sessions
7. Describe and implement appropriate VPN technologies given requirements
8. Configure and implement AAA services, ACLs, and NAT
9. Implement Management Reporting and fully describe its functionality
10. Discuss High Availability design and implementation
Assessment Methods in this Course
• Quizzes/Testing
  • Written quizzes and exams use the Respondus Lockdown Browser (RLDB) application.
  • Any method may be used to test the class (not always easy!)
  • A hard-wired ethernet cable is preferable to wireless (RLDB hates signal drops)
  • Working, tested laptop – USE THE MOCK TEST in FOL to test your machine
• Labs/Assignments
  • Both practical/technical and research-based requirements
  • Proper formatting and referencing is a MUST
• Discussion Forums
  • Due weekly for a total of 5%
  • (More on this later in the tutorial)
How will you be evaluated in this course?
There are THREE tests in this course
• All quizzes and exams use the Respondus Lockdown Browser
• Tests are NOT open book
• Expect an average time of 30-60 seconds per question
• Short answer, long answer, M/C, T/F, FIB, Matching
• All tests are manually graded by me.
• Testable material includes anything discussed “in class” (both verbally and on the slides), in any resources shared on FOL, and in the practical labs.
• Test time lost due to PC or Respondus problems is not recoverable.
SRTY6003 – Securing the Edge 1
Some of the topics we will cover:
- Introduction to concepts, theories, terms, and definitions (the “language” of network security)
- Methods of securing networks, data, infrastructure, and traffic
- Basic configurations and policies
- NAT and appliance blocking
- File blocking and user access
Introduction to Vendor Specific software:
- Palo Alto (security platform)
- Cisco ASA/firewalls
- PFSense (open source firewall)
Labs and Assignments
• Assessments
  • READ THE LAB RUBRIC!
  • Six practical labs (5% each)
  • 2 unit tests (15% each)
  • Final exam (35%)
  • 5% Discussion Forum contributions
• There is no textbook for this class, but you still have a lot of resources:
  • Read vendor documentation
  • Watch relevant instructional videos
  • Find (or create) scenarios and case studies where you would need to apply the skills and knowledge you are learning.
Assignments (Labs)
• Hand in ALL assignments/Labs on time.
• Put the assignment name and your last name in the file name (ex. Robertson_DFLab1.pptx)
• All assignments submitted via FOL in the correct submission box
• Assignments submitted in any other method (including email) will not be accepted
• Assignments submitted using the wrong submission box will not get graded.
• Submission box is open until the noted time, example 11:59pm. You must complete the submission process before this time.
• Assignments must be submitted uncompressed, and using PowerPoint or Word files (not .pdf).
• Use this command in every screenshot: whoami & date /t & time /t
• Assignments must have references - Failure to do this may result in an academic offense
Grading
• Rubrics are used for all labs.
  • What is a rubric?
  • Writing skills are graded, references are required, formatting is graded
  • Content, flow, grammar/spelling
  • Submit via Evaluation > Submission in FOL by the deadline
  • You WILL receive detailed, specific, and constructive feedback from me
Learn to love APA ☺
• APA is one method of formatting your paper and your references
• ALL of your written work should comply with APA standards
  • This is in the rubric!
  • Discussion forum exempt from APA, but you must still reference work you use
  • Always have a title page and a References page
  • APA format includes margins, section headings, font, and more
• See the Fanshawe College Library website for help with APA
• The reason you are required to use APA on your written work is because professional writing is a critical skill for employment.
• It also helps you avoid an academic offence
• Great resource for you: https://owl.purdue.edu/owl/purdue_owl.html
Course Expectations
• Missed Assignments and Tests
  • Students are not entitled to complete missed tests
  • In case of a significant event supported by documentation AND professor’s approval AND prior notification, a missed test may be completed
• Re-writes & extra grade items
  • Students will not be permitted to rewrite tests
  • Students will not be entitled to extra work or assignments in order to raise a grade
• Assignments are written. Writing skills are critical in information security and in business. You will be evaluated on your RESEARCH and WRITING skills
  • Use an editor (if you are not comfortable with writing in English, for example)
  • Collaboration is encouraged, but DO NOT COPY. Plagiarism is severely penalized.
Course Plan and Dates to Remember
• Weeks 1-4 – Palo Alto
  • Basic Configuration and Policies
  • Policy, NAT, Appliance Blocking
  • File Blocking and User Access
• Weeks 6-9 – Cisco
  • Basic Configuration and Policies
  • Policy, NAT, Appliance Blocking
  • File Blocking and User Access
• Weeks 11-13 – PFSense
  • Basic Configuration and Policies
  • Policy, NAT, Appliance Blocking
  • File Blocking and User Access
• Week 14 – Final Exam
HIGHLIGHTS:
• Lab 1: Due Week 2 (5%)
• Lab 2: Due Week 4 (5%)
• Palo Alto Unit Test: Due Week 5 (15%)
• Cisco Lab 1: Due Week 7 (5%)
• Cisco Lab 2: Due Week 9 (5%)
• Cisco Unit Test: Due Week 10 (15%)
• pfSense Lab 1: Due Week 12 (5%)
• pfSense Lab 2: Due Week 13 (5%)
• Final Exam: Due Week 14 (35%)
• Discussion Forum: Weekly (5% total)
Why Discussion Forums?
• In the absence of F2F interactions, I have elected to use the FOL discussion forums as a way to promote social interactions and knowledge-building among students.
• Discussion forums allow us to build a Community of Practice (Lave & Wenger, 2007). Communities share ideas and experiences. They allow us to critically examine and challenge concepts, ideas, facts, methods, and opinions.
• Criticizing the poster is not permitted, nor is inappropriate language or content
• We can all learn from each other’s experiences and ideas, but not if you don’t share them! So everyone benefits – including you – if everyone contributes.
• Marks are given for created threads AND for replies, but not for “reads”.
• A little cheerleading is ok, but try to make sure your posts and replies further the conversation. Ask the “why” questions! Play devil’s advocate. Build on ideas.
• Your opinion has value, but always try to SUPPORT your statements with EVIDENCE.
Part 2: Introducing Edge Security
Week 1 – Agenda
• Overview of Edge Security
• Key Terms and Concepts
• Anatomy of a Cyber-Attack, Attack Types
• Organizational Approaches to Edge Security
Edge Security Overview
• What is “edge” security?
• What does it mean to secure the edge?
• Why do you have TWO courses dedicated to this subject?
• What do firewalls do? Why do we need them (or do we need them)?
• How many of you have configured a firewall?
Source: https://www.networkworld.com/article/3224893/what-is-edge-computing-and-how-it-s-changing-the-network.html
Cyber-attack Lifecycle
Stop the attack at any point!
What Does This Mean for Security?
• There are three points of attack:
  • The data
  • The network
  • The people
• Which is the most easily (and most often) exploited?
Assessing Network Threats
• Extreme, ill-informed attitudes about security threats can lead to poor decisions
• These are the two ends of the spectrum:
  1. There is no real threat, nothing to worry about
  2. Extreme alarm: all hackers are experts and out to break into my network
Type #1: “There’s no real threat” or “No one would target us”
• Fosters a laissez-faire attitude toward security
• Promotes a reactive approach to security
• Security measures are not put in place until after a breach has occurred
• This approach must be avoided at all costs
Assessing Network Threats
Type #2: The world is full of hackers out to get us!
• Yes, malicious actors exist, but not to the extent publicized in the media
• Lesser-skilled hackers are more pervasive
  • They target smaller companies and easier victims
• Usually, more skilled actors seek high profile networks
  • Bigger payday, challenge, bragging rights and peer recognition
  • Financial and ideological gain are the objectives
• The only practical approach is the realistic one - a moderate solution between the two extremes
• Assessment of risk level is a complex task
• Many factors need to be addressed
Classifying Threats
• Intrusion
  • Cracking
  • Social engineering
  • War-dialing
  • Wardriving
• Blocking
  • Denial of Service (DoS)
  • Distributed Denial of Service (DDoS)
• Malware
  • Viruses
  • Worms
  • Trojan horses
  • Spyware
  • Cookies
  • Key loggers
Prioritizing Your Approach to Edge Security
• Administrators should ask:
  • What are the realistic dangers? Ex. Ransomware is a very common danger.
  • What are the most likely attack types for our type of business or network topology?
  • What are some common vulnerabilities?
  • What is the likelihood of an attack?
Threat Assessment Factors
• What is the value of the target (Attractiveness)
• What information is on the system (Information content)
• How easy is it to get to the system (Security devices)
© 2019 by Pearson Education, Inc. Chapter 1 Introduction to Network Security
Threat Assessment (Vulnerability Score)
• A numerical scale can be assigned to each factor
  • Attractiveness (A): 1–10
  • Information content (I): 1–10
  • Security devices (S): 1–10
• The equation is: (A + I) – S = V (vulnerability score)
  • A lower score indicates lower risk
Do you speak the “language” of edge security?
• White, Grey, and Black hats
• Script kiddies
• Crackers
• Cloud Computing
• Ethical hacker or sneaker
• Phreaking
• Gateway devices
• Firewall
• Access Control
• Proxy server
• Intrusion-detection system
• Fog Computing
• Non-repudiation (can’t deny)
• Auditing
• 3, 4, and 5G cellular
• www.yourwindow.to/information%2Dsecurity/
• www.ietf.org/rfc/rfc2828.txt
Approaching Network Security
• Proactive versus reactive
• Three possible approaches:
  1. Perimeter: Focus is on perimeter devices; internal devices are still vulnerable
  2. Layered: Focus includes both perimeter and individual computers within the network
  3. Hybrid: Combination of multiple security paradigms
Firewalls
What Is a Firewall?
• A barrier between the world and your network
• Provided via:
  • Packet filtering
  • Stateful packet filtering
  • User authentication
  • Client application authentication
Firewall Generations
• First generation: Packet Filters
• Second Generation: Stateful Filters
• Third Generation: Application Layer
• Fourth Generation: Next Generation Firewall (NGFW)
First Generation
• First generation: Packet Filters
  • Packet filters inspect packets transferred between computers.
  • When a packet does not match the filtering rules, the packet filter either accepts or rejects the packet
  • Packets may be filtered by source and destination network address, protocol, and source and destination ports.
• Disadvantages
  • Does not compare packets
  • No authentication
  • Susceptible to SYN and Ping flood attacks
  • Does not track packets
  • Does not look at the packet data, just the header
  • Not necessarily the most secure firewall
Second Generation
• Second Generation: Stateful Packet Inspection
  • These firewalls perform the functions of the first generation
  • Maintains a database of conversations between the endpoints – specifically the port numbers and the two IP addresses
  • Being aware of the context of packets makes them less susceptible to flood attacks
  • Knows if a packet is part of a larger stream
  • Recognizes whether the source IP is within the firewall
  • Can look at the contents of the packet
  • When possible, the recommended firewall solution
  • Uses the transport layer (layer 4)
  • Vulnerable to DoS attacks
State Machine Model
• Looks at the state of a machine from one time period to the next
  • Determines security violation based on the comparison
• Several ways are used to evaluate the state of the system:
  • Users
  • States
  • Commands
  • Output
Third Generation
• Third Generation: Application Layer
  • Also known as application proxy or application-level proxy
  • Examines the connection between the client and the server applications
  • Enables administrators to specify what applications are allowed
  • Allows for user authentication
  • Application layer filtering that understands common applications and protocols (such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP))
  • Detects unwanted applications and services that are attempting to bypass the firewall
• Disadvantages
  • Requires more system resources
  • Susceptible to flooding attacks (SYN and Ping)
    • Due to the time it takes to authenticate a user
  • When the connection is made, packets are not checked
Fourth Generation
• Fourth Generation: Next Generation Firewall (NGFW)
  • Provides wider and deeper inspection at the application layer.
  • Intrusion Prevention Systems (IPS)
  • Identity management
  • Web application firewall (WAF)
Other Edge Protection Devices (IDS vs IPS)
Intrusion Detection System
• Passive
• Logs the activity
• Alerts an administrator (perhaps)
Intrusion Prevention System
• Active
• Takes steps to prevent an attack in progress
• Problem of false positives
Implementing Firewalls
• Need to understand the firewall’s relationship to the network it is protecting
• Most common solutions
  • Network host-based
  • Dual-homed host
  • Router-based firewall
  • Screened host
Network Host-Based
• Software-based solution runs on top of the operating system
• Must harden the operating system in the following ways:
  • Ensure all patches are updated
  • Uninstall unneeded applications or utilities
  • Close unused ports
  • Turn off all unused services
• Cheap solution
Dual-Homed Hosts
• Expanded version of the Network host firewall
• Also runs on top of an existing OS
• The biggest disadvantage – as with Network host firewalls – is its reliance on the security of the OS
Router-Based Firewall
• Router-based firewalls are most often the first line of defense
• They use simple packet filtering
• Ideal for novice administrators
• Can be preconfigured by the vendor for the specific needs of the user
• Can be placed between segments of a network
Screened Host
• A combination of firewalls
• A bastion host and a screening router are used
• Similar in concept to the dual-homed host
In Practice: Utmost Security
• Multiple firewalls
  • Stateful packet inspecting firewall
  • Application gateway
• Screened firewall routers separating each network segment
• Dual-perimeter firewall, packet screening on all routers, individual packet filtering firewalls on every server
What is a DMZ?
• Demilitarized Zone
• Can be implemented using one or two separate firewalls
  • One faces the outside world
  • One faces the inside
  • Web, email, and FTP servers are located in the area in-between them
Network Address Translation (NAT)
• Translates internal IP addresses to public addresses
• Can explicitly map ports to internal addresses for web servers
• Supersedes proxy servers
Zero Trust
What is Zero Trust
• Zero Trust is a security model originally proposed by John Kindervag in 2010
• Suggested a new security paradigm of “designing from the inside out.”
• Provides optimization of network security and future flexibility
• The traditional security model uses outside, DMZ, and inside, or red, yellow, green
http://www.cs.tufts.edu/comp/116/archive/fall2018/jflanigan.pdf
Zero Trust
• According to Gilman and Barth (2017) in their book “Zero Trust Networks”, a zero trust network is built upon five fundamental assertions:
  1. The network is always assumed to be hostile
  2. External and internal threats exist on the network at all times
  3. Network locality is not sufficient for deciding trust in a network
  4. Every device, user, and network flow is authenticated and authorized
  5. Policies must be dynamic and calculated from as many sources of data as possible.
http://www.cs.tufts.edu/comp/116/archive/fall2018/jflanigan.pdf
Summary and Homework
Summary
• What is edge security
• Types of attacks
• Introduction to Firewalls
• Key terms and Concepts
Homework
• Contribute your bio to the discussion forum and reply to the posts of others
• Share your findings from Exercise 1a in the Week 1 discussion forum
• Complete the setup of vsRail as per posted instructions
• Prepare for next week:
  • Read slides 69-89 in this presentation
  • We will be discussing Palo Alto firewall products and services.
© 2019 Palo Alto Networks, Inc.
Week 1 Homework: Types of Attacks (slides 69-89)
Denial of Service Attacks
• Denial of Service (DoS)
• Distributed Denial of Service (DDoS)
• SYN Flood
• Smurf Attack
• The Ping of Death
• UDP Flood
• ICMP Flood
• DHCP Starvation
• HTTP Post DoS
• PDoS
• Distributed Reflection Denial of Service
Denial of Service Attack
• Based on the premise that all computers have operational limitations
• Utilizes the ping utility to execute the attack
• You can use the /h or /? switch with ping to find out what options are available
Distributed Denial of Service (DDoS) Attack
• Variation of a Denial of Service
• Launched from multiple clients
  • Example: the DynDNS attack was done by controlling thousands of IoT devices
• More difficult to track due to the use of zombie machines
  • What is a zombie machine?
© 2019 by Pearson Education, Inc. Chapter 2 Types of Attacks
SYN Flood
• Takes advantage of the TCP handshake process
• Can be addressed in the following manners:
  • Micro Blocks
  • Bandwidth Throttling
  • SYN Cookies
  • RST Cookies
  • Stack Tweaking
Smurf Attack
• Very popular attack
• Utilizes the ICMP packet to execute the attack
Ping of Death (PoD)
• Attacks machines that cannot handle oversized packets
• Ensure that systems are patched and up to date
• Most current operating systems automatically drop oversized packets
UDP Flood and ICMP Flood
• UDP Flood
  • Variation of the PoD that targets open ports
  • Faster due to no acknowledgments being required
  • Sends packets to random ports
  • If enough are sent, the target computer shuts down
• ICMP Flood
  • Another name for the ping flood
Other Denial-of-Service Attacks
• HTTP Post DoS
  • Hangs the server with a slowly delivered HTTP POST message
• Permanent DoS (PDoS) (a.k.a. phlashing)
  • Damages the system badly
  • Often attacks device firmware
Distributed Reflection DoS (DRDoS)
• Uses routers to execute the DoS attack
• Routers do not have to be compromised in order to execute the attack
• Configure routers to not forward broadcast packets
Distributed Reflection DoS (DRDoS)
DoS Tools
• Tools are downloadable from the Internet
• Ease of access facilitates widespread use
• Examples
  • Low Orbit Ion Cannon
  • High Orbit Ion Cannon
  • DoSHTTP
Real World Examples
• FakeAV
• Flame
• MyDoom
• Gameover ZeuS
• CryptoLocker and CryptoWall
Defending Against DoS Attacks
• Understand how the attack is perpetrated
• Configure the firewall to disallow incoming protocols or all traffic
  • This may not be a practical solution
• Disable forwarding of directed IP broadcast packets on routers
• Maintain virus protection on all clients on your network
• Maintain operating system patches
• Establish policies for downloading software
Defending Against Buffer Overflow Attacks
• More common than DoS a few years ago
• Still a very real threat
• Designed to put more information in the buffer than it is meant to hold
• Application design can reduce this threat
• More difficult to execute
Defending Against Buffer Overflow Attacks
• How do buffer overflow attacks occur?
• What do script viruses have to do with buffer overflows?
Defending Against IP Spoofing
• Used to gain unauthorized access to computers
• The source address of the packet is changed
• Becoming less frequent due to security
• Potential vulnerabilities with routers:
  • External routers connected to multiple internal networks
  • Proxy firewalls that use the source IP address for authentication
  • Routers that subnet internal networks
  • Unfiltered packets with a source IP on the local network/domain
Defending Against Session Hijacking
• The hacker takes over a TCP session
• Most common is the “man-in-the-middle”
• Can also be done if the hacker gains access to the target machine
• Encryption is the only way to combat this type of attack
Virus Attacks
• Most common threat to networks
• Propagate in two ways
  • Scanning the computer for network connections
  • Reading the e-mail address book and sending to all
• Examples:
  • Sobig Virus
  • Mimail and Bagle
  • Sasser
Protecting Against Viruses
• Always use virus scanner software
• Do not open unknown attachments
• Establish a code word with friends and colleagues
• Do not believe security alerts sent to you
Trojan Horse Attacks
• Program that looks benign but has malicious intent
• They might:
  • Download harmful software
  • Install a key logger or other spyware
  • Delete files
  • Open a backdoor for the hacker to use
Thank you! Please share any questions in the “Course Questions” discussion forum
SRTY-6003 Securing the Edge 1
Week 4 Palo Alto: Content ID, File Blocking and URL Filtering
Housekeeping
• Lab 2 has been posted. Due February 7th at 2359hrs EST
• Some issues with the DMZ VM. Shared new download link (check FOL announcement)
• No updates from drop-in session last Thursday.
• Lab 1 has been graded and grades have been published. Lots of feedback.
  • Digitally signing your screenshots, changing hostname on VM-50 (not on the client), inclusion of system clock when possible, etc.
• This is our last week of Palo Alto (Test next week Thursday at 10am EST)
• Discussion Forums update: Week 2 has 12 threads but no replies.
  • I will close Weeks 1 and 2 before the test.
• Peer tutors (next slide!)
Peer Tutors
• The Peer Tutoring site is now up and running. You will find scheduled sessions that you can attend, but you can post a question at any time and the peer tutor will answer next time they are available. Please do not expect an instant response as everyone has many other commitments, which is why time management is so important - do not leave things to the last minute!
• I suggest you log into the site and take a look: ISM/NSA Peer Mentor Site (21W) https://www.fanshaweonline.ca/d2l/home/1141389
• This resource is for you so please make use of it.
  • Dedicated times for live chat, direct and private email correspondence, and it’s FREE!
  • Week 6 progress reports. If unsatisfactory you might consider the Peer Mentors as a resource for you.
In the News… News from YOU…
• https://cio.economictimes.indiatimes.com/news/digital-security/it-securityrecommendations-for-businesses-in-2021/80480923
In Other News…
• Is the end of the firewall in sight?
• SonicWall firewall maker hacked using zero-day in its VPN device
• Data Breach in Washington State Auditors Office
• 3/4 of Americans have had to change password due to security breach
• Number of identity theft reports doubled last year
Agenda
• Describe Content-ID and the seven different Security Profile types
• Define the two predefined Vulnerability Protection Profiles (i.e., “strict” and “default”)
• Configure Security Profiles to prevent virus and spyware infiltration
• Configure File Blocking Profiles to control the flow of file types through the firewall
• Configure a DoS Profile to help mitigate Layer 3 and 4 protocol-based attacks
• Configure a custom URL Filtering Profile to minimize the number of blocked websites between trusted zones
• Configure safe search and logging options
• Summary and Reminders
Content-ID Overview
Content-ID
• Combines the threat prevention engine and policies to inspect and control content traversing the firewall
• Scans network traffic for:
  • Software vulnerability exploits
  • Viruses
  • Spyware
  • Malicious URLs
  • Restricted files and data
• How is Content-ID different from App-ID?
Security Policy with Security Profiles
• Part of the security policy rules that have an action of “allow” (but not “deny”)
• Security Profiles implement additional security checks on allowed traffic.
  • Example: Antivirus for web browsing
Security Profile Types (There are SEVEN of them…)
Policies > Security
• Antivirus
• Anti-Spyware
• Vulnerability Protection
• URL Filtering
• File Blocking
• Data Filtering
• WildFire Analysis
• Security Profile Group
Threat Log
• Vulnerability Protection, Antivirus, and Anti-Spyware profiles all log events to the Threat log.
• Logs are displayed in the ACC: Application Control Center
Vulnerability Protection Security Profiles
Default Vulnerability Protection Security Profiles
Vulnerability Protection Profile Rules
• A profile’s rules specify the actions to take when threats are found
Vulnerability Exceptions
Antivirus and Anti-Spyware Security Profiles
Default Antivirus Security Profile
What is a Zero Trust configuration?
Creating a New Antivirus Profile
• Actions apply to traffic that matches the Antivirus Profile rule
Creating a New Antivirus Profile (Cont.)
What is a false positive?
Default Anti-Spyware Security Profiles
• To create customized profile actions:
  • Clone the default read-only profile and edit the clone, or
  • Add a brand new profile
What is a “phone home” network connection?
Configuring Anti-Spyware Profile Rules
Anti-Spyware Exceptions
Exception vs. Exemption?
• Exemption is a type of exception
DNS Signatures
Objects > Security Profiles > Anti-Spyware > Add
Sinkhole Operation
• The default action for the Palo Alto Networks DNS signatures is “sinkhole”
Sinkhole Events in the Threat Log
• Infected hosts are easily identified in the Threat log or through use of reports.
• Any host that attempts to connect to the sinkhole IP address is potentially infected with malware
File Blocking Profiles
File Blocking Overview
• Prevent introduction of malicious data
• Prevent exfiltration of sensitive data
• Logs are sent to the Data Filtering log
• File type is identified by filename extension and by examination of the file content
• For example, you might block a .exe file in email, but allow it if using an FTP client
Data Filtering Log
• The Data Filtering log displays the list of files blocked by your file blocking profiles.
• Source is the system that sent the file (not the one that initiated the session)
• Destination is the system that received the file.
Creating a New File Blocking Profile
Continue Response Page
• A “continue” action requires user permission to complete the file transfer.
• Operates only when paired with the application web-browsing
• Helps prevent “drive-by downloads”
Blocking Multi-level Encoded Files
Objects > Security Profiles > File Blocking > Add
• Encoding has legitimate uses but can be used to insert malicious data and exfiltrate sensitive data.
Data Filtering Profiles
Creating a Data Pattern
Objects > Custom Objects > Data Patterns > Add
• Three types of data patterns
Creating a Data Filtering Profile (ex. social security numbers, credit card numbers, the word “confidential”)
Attaching Security Profiles to Security Policy Rules
Assigning Security Profiles to Security Rules
• Assign individual Security Profiles to a Security policy rule, or
• Assign a Security Profile Group to a Security policy rule
Security Profile Groups
Objects > Security Profile Groups > Add
• Add Security Profiles that are commonly used together
• Security Profile Groups simplify Security policy rule administration
Telemetry and Threat Intelligence
Telemetry and Threat Intelligence
• Opt-in feature; nothing selected by default
• Globally enhances threat protection
• Can preview data sent to Palo Alto Networks
Configuring Telemetry
Denial of Service Protection
Denial-of-Service Protection
• Packet-based (not signature-based) and not linked to Security policy
• Two-pronged approach:
  • Zone Protection Profile protects the ingress zone
  • DoS policy plus DoS Profile protects the destination zone or specific hosts
1.0 Zone Protection: Flood Protection
• Protects against the most common flood attacks
• Alarm Rate: Threshold to trigger log events
• Activate: Threshold to activate the mitigation response
• Maximum: Threshold after which all further packets are dropped
2.0 Zone Protection: Reconnaissance Protection
• Alerts or protects against TCP or UDP port scans and ICMP/TCP/UDP host sweeps
3.0 Zone Protection: Packet-Based Attack Protection
Network > Network Profiles > Zone Protection > Add
• Packet-based attacks use protocol options or malformed packets to adversely affect target systems.
• We can block these packets.
4.0 Zone Protection: Protocol Protection
Network > Network Profiles > Zone Protection > Add
• Applies only to Layer 2 and Virtual Wire zones:
  • The firewall normally allows non-IP traffic in these zone types.
• Enables you to control which non-IP protocols are allowed to flow between or within these security zone types

Enabling Zone Protections
• Profiles are applied one per zone

DoS Protection Profiles and Policies

Configuring a DoS Protection Policy
Policies > DoS Protection > Add

Configuring a DoS Protection Profile
Objects > Security Profiles > DoS Protection > Add

URL Filtering

URL Filtering Feature

URL Filtering Profiles
• URL Filtering Profiles implement additional security checks on allowed traffic.

URL Category: Policy Versus Profile

URL Filtering Log
• Attachment of a URL Filtering Profile to a Security rule generates log entries:
  • “alert,” “block,” “continue,” and “override” actions trigger log entries.
Monitor > Logs > URL Filtering
© 2019 Palo Alto Networks, Inc.

URL Filtering Security Profile
Objects > Security Profiles > URL Filtering
• To create customized profiles:
  • Clone the default read-only profile and edit the clone, or
  • Add a brand new profile

Multi-Category and Risk-Based URL Filtering
Device > Setup > Content-ID > URL Filtering
• PAN-DB URL Filtering cloud assigns websites to multiple categories.
• Categories indicate how risky the site is, the website’s content, and the website’s purpose or function.
• The security-related risk categories indicate levels of suspicious activity.
• Websites that have been registered for fewer than 32 days are categorized as newly-registered-domains.

Configure Per-URL Category Actions
URL matching order:
1. Block list*
2. Allow list*
3. Custom URL categories*
4. External Dynamic Lists*
5. PAN-DB firewall cache
6. Downloaded PAN-DB file
7. PAN-DB cloud

Configure a Custom URL Category
Objects > Custom Objects > URL Category > Add
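The seven-step URL matching order above, together with the “unknown” and “not-resolved” cases from the Handling Unknown URLs slides, as a small Python model. This is an added example, not Palo Alto Networks code: the hostnames, list contents, category names and per-category actions are constructed; only the step order and the set of logged actions come from the slides.

```python
"""URL-category match order (Configure Per-URL Category Actions slide) with the
unknown / not-resolved handling from the Handling Unknown URLs slides. Added example,
not Palo Alto Networks code: hosts, list contents, categories and actions below are
constructed; only the seven-step order and the set of logged actions are from the slides.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# URL Filtering Log slide: these actions produce log entries; "allow" does not.
LOGGED_ACTIONS = {"alert", "block", "continue", "override"}


@dataclass
class Verdict:
    url: str
    category: str
    action: str
    source: str            # the step of the match order that decided the category
    logged: bool = False


@dataclass
class UrlFilteringProfile:
    block_list: set = field(default_factory=set)
    allow_list: set = field(default_factory=set)
    custom_categories: dict = field(default_factory=dict)  # category -> hosts
    edls: dict = field(default_factory=dict)               # EDL name -> hosts
    pandb_cache: dict = field(default_factory=dict)        # host -> category
    pandb_file: dict = field(default_factory=dict)         # host -> category
    pandb_cloud: Optional[Callable[[str], Optional[str]]] = None
    category_actions: dict = field(default_factory=dict)   # category -> action

    def lookup(self, url: str) -> Verdict:
        """Walk the seven sources in slide order and stop at the first match."""
        host = url.split("/", 1)[0].lower()
        if host in self.block_list:
            return Verdict(url, "block-list", "block", "1. block list", True)
        if host in self.allow_list:
            return Verdict(url, "allow-list", "allow", "2. allow list")
        for name, hosts in self.custom_categories.items():
            if host in hosts:
                return self._apply(url, name, "3. custom URL category")
        for name, hosts in self.edls.items():
            if host in hosts:
                return self._apply(url, name, "4. external dynamic list")
        if host in self.pandb_cache:
            return self._apply(url, self.pandb_cache[host], "5. PAN-DB cache")
        if host in self.pandb_file:
            return self._apply(url, self.pandb_file[host], "6. PAN-DB file")
        try:
            category = self.pandb_cloud(host) if self.pandb_cloud else None
        except ConnectionError:
            # Lookup failed: the log shows "not-resolved"; the slide recommends alert.
            return self._apply(url, "not-resolved", "7. PAN-DB cloud (lookup failed)")
        if category is None:
            # Lookup succeeded but PAN-DB has no category: the log shows "unknown".
            return self._apply(url, "unknown", "7. PAN-DB cloud")
        self.pandb_cache[host] = category   # a cloud answer populates the cache
        return self._apply(url, category, "7. PAN-DB cloud")

    def _apply(self, url: str, category: str, source: str) -> Verdict:
        action = self.category_actions.get(category, "allow")
        return Verdict(url, category, action, source, action in LOGGED_ACTIONS)


def sample_profile() -> UrlFilteringProfile:
    """Constructed profile; the hosts are placeholders, not real categorisations."""
    def cloud(host: str) -> Optional[str]:
        if host.endswith(".invalid"):
            raise ConnectionError("PAN-DB cloud unreachable")   # -> not-resolved
        return {"news.example": "news"}.get(host)                # None -> unknown
    return UrlFilteringProfile(
        block_list={"bad.example"},
        allow_list={"partner.example"},
        custom_categories={"corp-saas": {"partner.example", "crm.example"}},
        edls={"edl-phishing": {"phish.example"}},
        pandb_cache={"social.example": "social-networking"},
        pandb_file={"games.example": "games"},
        pandb_cloud=cloud,
        category_actions={"corp-saas": "allow", "edl-phishing": "block",
                          "social-networking": "continue", "games": "alert",
                          "news": "alert", "unknown": "block", "not-resolved": "alert"},
    )


if __name__ == "__main__":
    profile = sample_profile()
    # partner.example is in both the allow list and a custom category: step 2 wins;
    # news.example is asked twice to show the second lookup served from the cache.
    for u in ("bad.example/login", "partner.example", "crm.example", "phish.example",
              "social.example", "games.example", "news.example", "news.example",
              "feed.invalid", "mystery.example"):
        v = profile.lookup(u)
        print(f"{u:<20} {v.category:<18} {v.action:<9} {'log' if v.logged else '-':<4} {v.source}")
```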
• Define URL category enforcement separately from category defaults
• Create URL filtering based on URL or category
• Replaces URL filtering overrides

URL Filtering Response Pages

URL Admin Settings
Device > Setup > Content-ID > URL Admin Override > Add
Configure a URL Admin Override password that a user must enter to access a URL configured with an “override” action.
Device > Setup > Content-ID > URL Filtering

Configure Safe Search and Logging Options
Objects > Security Profiles > URL Filtering > Add

Configure Credential Phishing Prevention Method

HTTP Header Insertion and Modification
• Enable access to only enterprise versions of SaaS applications
• Inserts header if missing or overwrites existing header
• Four predefined SaaS applications:
  • Dropbox
  • Google
  • Office 365
  • YouTube

Handling Unknown URLs
• Category column in URL Filtering log lists unknown.
Recommendation: Set the unknown URL category action to support your security requirements.

Handling Not-Resolved URLs
• Category column in URL Filtering log lists not-resolved.
Recommendation: Set the not-resolved URL category match action to “alert”.

Downloading the URL Seed Database
• Download an initial seed database to use the URL Filtering feature
Device > Licenses

Recategorization Request: Via Log Entries
Monitor > Logs > URL Filtering

Recategorization Requests: Via Webpage
Objects > Security Profiles > URL Filtering > Add

Attaching URL Filtering Profiles

Security Profile Groups
Objects > Security Profile Groups > Add
• Add Security Profiles that are commonly used together
• Simplifies security rule administration

Assigning Security Profiles to Security Policy Rules
Policies > Security > Add
• Assign individual Security Profiles to a Security policy rule, or
• Assign a Security Profile Group to a Security policy rule

Reminders
• Test next week, so no lecture/tutorial recording (so that you can study!)
• Our tests will be during the drop-in lab time.
• Alternate test times are available to part-time students or those studying outside of the EST.
• Please email me if you need an alternate test time.
• Test will cover ALL FOUR WEEKS of Palo Alto.
• May use a variety of questions, e.g. short/long answer, multiple choice, true/false, fill-in-the-blanks, matching, etc.
• Time management is key!
• MUST use Respondus Lockdown Browser (not Monitor)
• Test is NOT open book
• Make sure you have reliable internet and power (hard-wired is best)
• I mark each test manually, so ignore the auto-grade at the end of the test.

SRTY-6003 Securing the Edge 1
Basic Interface Configuration

Basic Interface Configuration
Next-Generation Firewall Essentials 1
PAN-OS® 7.1 Courseware Version A

Agenda
• Security zones
• Interface types:
  • TAP mode
  • Decrypt mirror
  • Virtual wire
  • Layer 2
  • Layer 3:
    ˗ Virtual router
    ˗ IP addressing
    ˗ DHCP
• VLAN interface
• Loopback
• Aggregate

Flow Logic of the Next-Generation Firewall
[Diagram: packet flow stages]
• Initial Packet Processing: Source Zone/Address/User-ID → PBF/Forwarding Lookup → Destination Zone → NAT Policy Evaluated
• Security Pre-Policy: Check Allowed Ports → Session Created
• Application: Application Override Policy → App-ID/Content-ID Labeling → Check for Encrypted Traffic → Decryption Policy
• Security Policy Check: Security Policy Check → Security Profiles
• Post-Policy Processing: Re-Encrypt Traffic → NAT Policy Applied → Packet Forwarded

Security Zones

Security Zones
Network > Zones > Add
• Specify zone name
• Specify zone type
• Assign interface

Security Zones and Policies
• Security policies use zones to regulate and log traffic:
  • Intrazone traffic is allowed by default
  • Interzone traffic is denied by default

Security Zone Interfaces
• An interface is configured to only one zone.
• A security zone can have multiple interfaces.
Interface     Zone        Address
E 1/10        Internet    161.23.4.254
E 1/11        DMZ         172.16.1.254
E 1/12        ─           ─
E 1/12.10     Users       192.168.10.254
E 1/12.20     Users       192.168.20.254
E 1/12.30     VoIP        192.168.30.254
Tunnel.4      Remote-LAN  10.5.1.254

Interface Types

Interface Types
Network > Interfaces
• Ethernet:
  • TAP
  • HA
  • Virtual wire
  • Layer 2
  • Layer 3
  • Aggregate
  • Decrypt mirror
• VLAN
• Loopback
• Tunnel

Ethernet Interface Configuration
Network > Interfaces > Ethernet
[Screenshot: Interface Type drop-down offering TAP, HA, Virtual Wire, Layer 2, Layer 3, Decrypt Mirror and Aggregate]

Flexible Deployment Options for Ethernet Interfaces
TAP
▪ Application, user, and content visibility without inline deployment
▪ Evaluation and audit of existing networks
Virtual Wire
▪ App-ID, Content-ID, User-ID, and SSL decryption
▪ Includes NAT capability
Layer 3
▪ All of the Virtual Wire mode capabilities with the addition of Layer 3 services: virtual routers, VPN, and routing protocols

Ethernet TAP Mode
• TAP mode deployment allows passive monitoring of traffic flows across a network by way of a switch SPAN or mirror port.
• The firewall cannot perform traffic shaping or blocking.
• Tap interfaces must be assigned to a security zone for ACC and reporting capabilities.
[Diagram: LAN-to-Internet link mirrored from a switch SPAN port to firewall interface E1/1]

Configuring TAP Interfaces
Network > Interfaces > Ethernet
[Screenshot: Interface Type and Security Zone fields]

Ethernet Virtual Wire Interface
• Binds two physical interfaces together
• Supports App-ID, decryption, NAT, Content-ID, and User-ID
• Typically used when no switching or routing is needed
• No configuration changes for adjacent network devices
[Diagram: virtual wire deployment toward the Internet]

Configuring a Virtual Wire Object
Network > Virtual Wires > Add
• A virtual wire can allow or block traffic based on 802.1Q VLAN tags:
  • 0 = untagged traffic
• Applies security rules to multicast traffic, enables multicast firewalling
[Screenshot: fields for 802.1Q tags allowed and for enabling multicast addresses]

Configuring Virtual Wire Interfaces
Network > Interfaces > Ethernet
[Screenshot: Interface Type, Virtual Wire object and Security Zone fields]

Virtual Wire Subinterfaces
• Provide flexibility in setting distinct policies when needed to manage traffic from multitenancy networks
• Allow for the assignment of incoming traffic to different ingress and egress security zones by either:
  • VLAN tags
  • VLAN tags and IP classifiers (source IP)
• Traffic from different VLANs can now be assigned to different zones and then managed by different security policies
• Traffic from different VLANs can be assigned to different ports:
  • Voice VLAN can be assigned to one port, and data VLAN to another

Configuring a Virtual Wire Subinterface
Network > Interfaces > Ethernet > Add Subinterface

Layer 2 and Layer 3 Interfaces
[Diagram, Layer 2: E1/3, E1/4 and E1/5 connect the LAN, Mail Servers and App Servers, all in 10.20.1.0/24 (switching between network segments)]
[Diagram, Layer 3: E1/3 10.1.2.1/24 (Users), E1/4 172.16.2.1/24 (Internet), E1/5 192.168.2.1/24 (DMZ) (routing between networks)]

Layer 2 Interface Example
[Diagram: PA-FW with Eth1/1, Eth1/2 and Eth1/3 as Layer 2 interfaces in one VLAN; hosts 192.168.20.100, 192.168.20.10 and 192.168.20.20]

VLAN Configuration
Network > VLANs > Add
[Screenshot: VLAN object name; physical Layer 2 interfaces and Layer 2 subinterfaces in the VLAN object]

Layer 2 Interface Configuration
Network > Interface

Layer 2 Subinterfaces
Network > Interfaces > Ethernet > Add Subinterface
[Screenshot: Physical Interface, Subinterface ID, 802.1Q Tag and Layer 2 Zone fields]

Configuring a Layer 3 Interface
Network > Interfaces > Ethernet
• Interface Type: Layer 3
• Security zone
• IP address:
  • Static or DHCP client
  • DHCP server or DHCP relay
• Interface management profile:
  • Allows or denies management protocols such as SSH and HTTP on the MGT interface
• Virtual router:
  • Contains a set of static and dynamic routes used by a specified group of interfaces

Configuring a Layer 3 Interface
Network > Interfaces > Ethernet
[Screenshot: Interface Type Layer 3, Virtual Router, Security Zone, IP Address, Interface Management Profile and MTU fields]

Assigning an IP Address to an Interface
Network > Interfaces > Ethernet

Configuring a Layer 3 Subinterface
Network > Interfaces > Add Subinterface
[Screenshot: Physical Interface, Subinterface ID, Virtual Router, Security Zone and 802.1Q Tag fields]

Define Management Profile

Interface Management Profile
Network > Network Profiles > Interface Mgmt > Add
• Defines which management functions are allowed on a traffic interface
• Management profiles are applied to Layer 3 interfaces
[Screenshot annotation: the permitted IP list restricts administrative access to specific IP addresses]

Virtual Routers
• All interfaces assigned to a virtual router share the same routing table:
  • The routing table of a virtual router can be defined by static and dynamic (RIP, OSPF, BGP) routes.
• Allows for the configuration of different routing behavior for different interfaces.
Network > Virtual Routers

Multiple Virtual Routers
[Diagram: VR1 routes VLAN10 and VLAN20 to one Internet connection; VR2 routes VLAN30 and VLAN40 to another]

Virtual Router Static Routes
Network > Virtual Routers

Virtual Router Dynamic Routes
Network > Virtual Routers
▪ Standards-based support for:
  • OSPFv2 and OSPFv3
  • RIPv2
  • BGPv4
▪ Routing support across IPSec tunnels
▪ Multicast routing support for:
  • PIM-SM
  • PIM-SSM
  • IGMP

Troubleshooting Routing
• Confirm virtual router run-time statistics
• On the active firewall, select Network > Virtual Router and click More Runtime Stats

More Runtime Stats
Network > Virtual Router > More Runtime Stats
• The routing table shows internal network routes and shows default routes propagated from the upstream routers.

Policy-Based Forwarding
Match criteria:
• Source: source address, source zone, source user
• Destination: destination address, destination application, destination service (port number)

IPv6 Capabilities
Device > Setup > Session > Session Settings
Support for:
• IPv6 Layer 3 interfaces
• IPv6 addresses in all policies
• IPv6 static routes in virtual routers
• ICMPv6
• DHCPv6
• Neighbor discovery
• Dual stack
• SLAAC
• LDAP
• RADIUS

Supported IPv6 Features
▪ Networking
  • Static Routing
  • Dynamic Routing (OSPFv3)
  • PBF
  • NAT (NAT64 only)
  • Site-to-Site VPN
  • IPv6 over IPv4 IPSec Tunnel
  • DNS Proxy
  GlobalProtect VPNs are not supported
▪ Traffic Classification and Threat Prevention
  • App-ID
  • Content-ID
  • User-ID
  • DoS Rule Base
  • Zone Protection

IPv6 Interface Configuration
Network > Interfaces > Ethernet
• Dual stack support: you can have IPv4 and IPv6 addresses on the same interface.

DHCP Server
Network > DHCP > DHCP Server
• When an interface is configured as a DHCP server, it assigns addresses to DHCP clients.
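The zone model from the Security Zones slides above (one zone per interface, several interfaces per zone, intrazone allowed and interzone denied by default), worked through against the interface table from the Security Zone Interfaces slide. This is an added example, not PAN-OS code: the /24 masks, the default route out of ethernet1/10, the rule name and the sample flows are constructed.

```python
"""Security zones and the default intrazone/interzone behaviour from the Basic
Interface Configuration slides. Added example, not PAN-OS code: the interface-to-zone
table is the one on the Security Zone Interfaces slide, while the /24 masks, the
default route via ethernet1/10 and the sample rules and flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Interface -> (zone, interface address). The parent ethernet1/12 carries no zone:
# only its 802.1Q subinterfaces do, and each interface belongs to exactly one zone.
INTERFACES = {
    "ethernet1/10":    ("Internet",   "161.23.4.254/24"),
    "ethernet1/11":    ("DMZ",        "172.16.1.254/24"),
    "ethernet1/12.10": ("Users",      "192.168.10.254/24"),
    "ethernet1/12.20": ("Users",      "192.168.20.254/24"),
    "ethernet1/12.30": ("VoIP",       "192.168.30.254/24"),
    "tunnel.4":        ("Remote-LAN", "10.5.1.254/24"),
}

# Virtual router: connected routes for every interface plus a constructed default
# route out of the Internet interface.
ROUTES = [(ip_network(addr, strict=False), name) for name, (_, addr) in INTERFACES.items()]
ROUTES.append((ip_network("0.0.0.0/0"), "ethernet1/10"))


def zone_of(ip: str) -> str:
    """Forwarding lookup: longest-prefix match picks the egress interface, whose zone
    is the destination zone. The firewall takes the source zone from the ingress
    interface; this model derives it from the same route table."""
    addr = ip_address(ip)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return INTERFACES[best[1]][0]


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str   # "any" matches every zone
    to_zone: str
    action: str      # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str) -> bool:
        return (self.from_zone in ("any", src_zone)
                and self.to_zone in ("any", dst_zone))


def evaluate(src_ip: str, dst_ip: str, rules: list) -> dict:
    """Top-down first match over the explicit rules; when nothing matches, the
    built-in defaults apply: intrazone traffic is allowed, interzone traffic is denied."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if rule.matches(src_zone, dst_zone):
            return {"from": src_zone, "to": dst_zone, "rule": rule.name, "action": rule.action}
    if src_zone == dst_zone:
        return {"from": src_zone, "to": dst_zone, "rule": "intrazone-default", "action": "allow"}
    return {"from": src_zone, "to": dst_zone, "rule": "interzone-default", "action": "deny"}


# Constructed rulebase: only Users -> Internet is explicitly permitted.
RULES = [Rule("users-to-internet", "Users", "Internet", "allow")]

if __name__ == "__main__":
    flows = [("192.168.10.5", "192.168.20.7"),   # two Users VLANs: intrazone, allowed
             ("192.168.10.5", "192.168.30.9"),   # Users -> VoIP: interzone, no rule
             ("192.168.10.5", "203.0.113.10"),   # Users -> Internet: explicit rule
             ("203.0.113.10", "172.16.1.10"),    # Internet -> DMZ: interzone, no rule
             ("10.5.1.20",    "192.168.10.5")]   # Remote-LAN -> Users: interzone
    for src, dst in flows:
        v = evaluate(src, dst, RULES)
        print(f"{src:>14} -> {dst:<14} {v['from']:>10} -> {v['to']:<10} {v['rule']:<18} {v['action']}")
```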
DHCP Server Options
Network > DHCP > DHCP Server
• If an interface on the firewall is a client of an external DHCP server, the DHCP server can inherit this information and forward it to clients.

VLAN Interfaces
[Diagram: PA-FW with Eth1/8 as a Layer 3 interface toward the Internet; Eth1/1, Eth1/2 and Eth1/3 as Layer 2 interfaces in a VLAN with hosts 192.168.20.100, 192.168.20.10 and 192.168.20.20; the VLAN interface 192.168.20.254 attaches the VLAN to the virtual router]

Configuring a VLAN Interface
Network > Interfaces > VLAN > Add
[Screenshot annotations: this is not a subinterface and does not reference traffic tagged with VLAN ID 1; VLAN object associated with this VLAN interface]

Configuring Loopback Interfaces
Network > Interfaces > Loopback
[Screenshot: Loopback Interface ID, Virtual Router, Security Zone and IP Address fields]

Aggregate Interfaces
• An aggregate interface group combines up to eight Ethernet interfaces using link aggregation.
• Increased throughput and link redundancy.
• The aggregate interface is a logical interface that can be configured as if it were a regular interface.
• LACP is supported.
[Diagram: link aggregation of NIC-1 to switch port 1 and NIC-2 to switch port 2]

Create an Aggregate Interface
Network > Interfaces > Ethernet > Add Aggregate Group
[Screenshot annotations: this is not a subinterface and does not reference traffic tagged with VLAN ID 1; for Layer 3, add an IP address]

Assign an Interface to an Aggregate Group
Network > Interfaces > Ethernet

Questions?

SRTY-6003 Securing the Edge 1
2023 Week 2: Introduction to Palo Alto

Housekeeping
• Lab 1 is posted this week (license issue resolved at home).
  • Due next week
• Discussion Forum!
• Test #1 (Palo Alto Unit Test) is coming up – what’s your strategy?
  • Test is in Week 5

EdgeSec in the News…
• Apple Drops Controversial Firewall-Bypass Feature
• Backdoor account discovered in Zyxel firewalls
• Human firewalls?
• Many cyberattacks successfully bypass security firewalls
• Cybersecurity talent pool must expand to take advantage of quantum computing opportunities

Agenda for Today
➢ Understand the characteristics of Palo Alto’s Security Operating Platform
➢ What is the single-pass architecture and why is it used?
➢ Explore the Zero Trust security model and how Palo Alto handles zero trust
➢ Introduce some administrative controls (Web UI, CLI, REST API)
➢ Initial and admin access to a Palo Alto appliance
➢ Configuration management in Palo Alto
➢ Managing licensing and software updates
➢ How to administer admin and other user accounts
➢ Viewing and filtering logs

Welcome to Palo Alto Networks!
• Palo Alto Networks Learning Center
  • Log in to the Palo Alto Networks Learning Center at https://education.paloaltonetworks.com/learningcenter
• Palo Alto Networks exam information
• Additional resources
• Course objectives
• Course modules
• Lab environment
• Miscellaneous with general Q&A

Palo Alto Networks Certifications
1. What certifications does Palo Alto offer? What details were you able to find? (content, cost, requirements, etc.)
2. Which of these certifications interests you the most? Why?
3. What are Prisma, Strata, and Cortex?
Create a discussion forum post (under week 2) and answer these questions.

Palo Alto Learning Center Topic Areas
• Platforms and Architecture
• Initial Configuration
• Basic Interface Configuration
• Security and NAT Policies
• Basic App-ID
• Basic Content-ID
• File Blocking and WildFire
• Decryption
• Basic User-ID
• Site-to-Site VPNs
• Management and Reporting
• Active/Passive High Availability

Palo Alto Learning Center Topic Areas
• Our PA unit in this course is based on the Cybersecurity Infrastructure and Configuration (CIC) course offered by Palo Alto’s NetAcademy.
This course provides the student with a general understanding of how to install, configure, and manage firewalls for defense of enterprise network architecture. Students will learn the theory and configuration steps for setting up the security, networking, threat prevention, logging, and reporting features of next generation firewall technologies.
Other Training Resources
Cybersecurity Survival Guide
https://s3.amazonaws.com/assets.paloaltonetworksacademy.net/csg/Cybersecurity_Survival_Guide_4.pdf
Palo Alto Networks YouTube channels:
https://www.youtube.com/user/paloaltonetworks
https://www.youtube.com/playlist?list=PLD6FJ8WNiIqVHYMMWdbrnUgrUao4_4isr
Palo Alto Networks Lightboard Series
https://www.youtube.com/watch?v=DRBmlOJafY&feature=youtu.be&list=PLqATPiC_Bcl-t8vrzZlnGi3HTurs9Yuf3
Palo Alto Networks Webinars – BrightTalk:
https://www.paloaltonetworks.com/campaigns/brighttalk.html
Palo Alto Networks Technical Documentation
https://docs.paloaltonetworks.com
Firewall Test Drive
https://www.paloaltonetworks.com/events/test-drive.html

Supplemental Online Resources
NICE – National Initiative for Cybersecurity Education
https://www.nist.gov/itl/applied-cybersecurity/nice
The Hacker News
http://thehackernews.com
PBS NOVA Labs – Cybersecurity
http://www.pbs.org/wgbh/nova/labs/lab/cyber/

Palo Alto Platforms and Architecture (Security Platform overview)

Cyber Attack and Palo Alto
Attack lifecycle: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control → Act on Objective
Stop the attack at any point!

Next-Generation Security Platform
• NGFW: identifies the network traffic.
• Threat Intelligence Cloud: correlates threats and gathers information from multiple sources (AutoFocus/WildFire).
• Advanced Endpoint Protection: blocks malicious activity at the endpoint.
Development of Unified Threat Management (UTM)
[Diagram: serial processing of Internet traffic through the UTM’s engines]

Palo Alto Networks Firewall Architecture
Control Plane | Management
• Management CPU: configuration | logging | reporting
• RAM, SSD, MGT interface, console
• Provides configuration, logging, and reporting functions on a separate processor, RAM, and hard drive
Data Plane
• Signature Matching: exploits | virus | spyware | CC# | SSN
  • Stream-based, uniform signature match including vulnerability exploits (IPS), virus, spyware, CC#, and SSN
  • Single-pass pattern match
• Security Processing: App-ID | User-ID | URL match | policy match | SSL/IPsec | decompression
  • High-density parallel processing for flexible hardware acceleration of standardized complex functions
  • Enforces policy
• Network Processing: flow control | MAC lookup | route lookup | QoS | NAT
  • Front-end network processing, hardware-accelerated per-packet route lookup, MAC lookup, and NAT
Hardware component types and sizes per layer vary per firewall model.

Zero Trust Model: NEVER TRUST, ALWAYS VERIFY.
[Diagram: North-South traffic versus East-West traffic]

Flow Logic of the Next-Generation Firewall
[Diagram: packet flow stages]
• Initial Packet Processing: Source Zone/Address/User-ID → PBF/Forwarding Lookup → Destination Zone → NAT Policy Evaluated
• Security Pre-Policy: Check Allowed Ports → Session Created
• Application: Application Override Policy → App-ID/Content-ID Labeling → Check for Encrypted Traffic → Decryption Policy
• Security Policy Check: Security Policy Check → Security Profiles
• Post-Policy Processing: Re-Encrypt Traffic → NAT Policy Applied → Packet Forwarded

Hardware Platforms
Compare capacities at: www.paloaltonetworks.com/products/productselection.html
Next-Generation Firewalls: PA-7000 Series, PA-5200 Series, PA-3200 Series, PA-800 Series, PA-220, PA-220R
Panorama: M-200, M-500/WF-500/600

VM-Series (PAN-OS 9) Models and Capacities
• Ideal for protecting virtualized data centers and “east-west” traffic
• RESTful APIs:
  • Integrate VMs with external orchestration and management tools
• Virtual Machine Monitoring:
  • Poll virtual machine inventory and changes, collecting data into tags
• Dynamic Address Groups:
  • Identify newly deployed machines with tags instead of static addresses

Performance and Capacities
                                         VM-700        VM-500     VM-300   VM-100/VM-200   VM-50/Lite
Firewall throughput (App-ID enabled)     16 Gbps       8 Gbps     4 Gbps   2 Gbps          200 Mbps
Threat prevention throughput             8 Gbps        4 Gbps     2 Gbps   1 Gbps          100 Mbps
New sessions per second                  120,000       60,000     30,000   15,000          3,000
Dedicated CPU cores                      2, 4, 8, 16   2, 4, 8    2, 4     2               2
Dedicated memory (minimum)               56 GB         16 GB      9 GB     6.5 GB          4.5 GB/4 GB
Dedicated disk drive capacity (minimum)  60 GB         60 GB      60 GB    60 GB           32 GB

VM-Series Hypervisors
• VMware:
  • NSX: Install and manage firewalls on multiple ESXi servers.
  • ESXi: Integrates with external management systems
  • VMware vCloud Air: Protect your VMware-based public cloud
• Citrix NetScaler SDX
• Kernel-based Virtual Machine (KVM):
  • Linux-based virtualization and cloud-based initiatives
• Microsoft Hyper-V and Azure
• Amazon Web Services

Virtual Systems
• Separate, logical firewalls within a single physical firewall
• Creates an administrative boundary
• Use case: multiple customers or departments
[Diagram: one physical firewall hosting vsysA and vsysB, each with its own Trust zone, Untrust zone and data interfaces]

Initial Configuration

Palo Alto Initial Configuration

Initial Access to the System
• Initial configurations must be performed over either:
  • Dedicated out-of-band management Ethernet interface (MGT)
  • Serial console connection
• Default MGT IP addressing:
  • Hardware: 192.168.1.1/24
  • VM: DHCP client
• Default access:
  • User name: admin
  • Password: admin

Administrative Access
• Web Interface
• SSH/Console CLI
• Panorama
• REST XML API

Web Interface
[Screenshot annotations: functional category tabs; Commit configuration changes; Logout button; Help portal; Tasks button]

Web Interface Editing Guidance
[Screenshot annotations: contextual help; a red underline shows tabs where information is required; yellow highlights indicate required fields; the OK button is unavailable if required information is missing or invalid]

Configuring the Static MGT Interface Using the CLI
    > configure
    Entering configuration mode
    [edit]
    # set deviceconfig system type static
    # set deviceconfig system ip-address 10.30.11.1 netmask 255.255.255.0 default-gateway 10.30.11.254 dns-setting servers primary 172.16.20.230
    # commit
    ....10%....20%....30%....40%....50%....60%....70%....80%....90%....100%
    Configuration committed successfully
[Diagram: firewall MGT 10.30.11.1 with default gateway 10.30.11.254 toward the Internet and DNS server 172.16.20.230]

Initial System Access

Gaining Admin Access
• Four ways to access firewall management:
  • Web UI
  • SSH/Console CLI
  • Panorama
  • REST XML API

Quick Look at the Web UI

Web UI – Signs and Symbols

Resetting to Factory Default
• From the CLI (with known admin user password):
    > request system private-data-reset
  • Erases all logs
  • Resets all settings, including IP addressing, which causes loss of connectivity
  • Saves a default configuration after the MGT IP address is changed
• Without known admin user password:
  • From the console port, type maint during bootup
  • Choose Reset to Factory Default

MGT Interface Configuration: Web Interface
Device > Setup > Interfaces > Management
Minimum configuration requires IP address, netmask, and default gateway.
[Screenshot annotation: the permitted IP list restricts administrative access to specific IP addresses]

MGT Interface Dynamic Address
The firewall can identify itself to the DHCP server with a hostname or client ID (MAC).

Configure DNS and NTP Servers
Device > Setup > Services

Configure the Hostname and Domain
Device > Setup > Management > General Settings
DHCP can provide the firewall hostname and domain.

Banners and Messages
Device > Setup > Management > Banners and Messages

Configuration Management

Config Types
Candidate Configuration
• What is shown in the UI; it becomes the running config upon a successful commit (# commit).
Running Configuration
• Active on the firewall.

Commit Operation

Transaction Locks
• Config lock: Blocks other administrators from making changes to the configuration
• Commit lock: Blocks other administrators from committing changes until all of the locks have been released

Configuration Management
Device > Setup > Operations

Configuration Management: Auditing
• Any two configuration files can be compared.
Device > Config Audit

Licensing and Software Updates

Activate the Firewall
Step                                       Hardware Firewall                                  VM-Based Firewall
Register with Palo Alto Networks Support   Use serial number from Dashboard                   Use emailed auth codes and purchase/order number
Activate licenses at Device > Licenses     Retrieve license keys from license server          Activate feature using authorization code
Verify update and DNS servers              Use correct update and DNS server in Device > Setup > Services
Manage content updates                     Get latest application and threat signatures and URL filtering database
Install software updates                   Verify OS version and install recommended version

Activate the VM-Series Firewall
1. Register with Palo Alto Networks:
   a. A set of authorization codes will be emailed.
   b. Log in to https://support.paloaltonetworks.com. (If you haven’t already registered, register for a Support account with your capacity auth-code and purchase or sales order number.)
   c. Click the Assets > Add VM-Series Authentication Code link to manage your VM-Series firewall licenses and download the software.
2. Activate licenses:
   • Select Device > Licenses and select the Activate feature using the authentication code link.
3. Manage content updates.
4. Install software updates.

Dynamic Updates
Device > Dynamic Updates
[Screenshot annotations: schedule and check for new content; to install from a file, upload the content first]

PAN-OS® Software Updates
[Screenshot annotations: install software that has been downloaded; check for new software; load software from desktop]

Rapid Mass Deployment
• When the firewall is at factory-default, it can bootstrap from an external virtual or physical USB device.
• Without contacting the update server, the firewall can now perform:
  • Licensing
  • Content and software updates
  • Addressing
  • System configuration
  • Connection to Panorama
• The firewall can now boot up and connect itself to the network and to a Panorama management server.
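The candidate/running configuration split, the two transaction locks and the config audit from the Configuration Management slides above, as an added Python model (not PAN-OS code). The lock behaviour is a simplified reading of the slide’s two sentences, and the administrator names and settings are constructed.

```python
"""Candidate vs. running configuration, config and commit locks, and config audit, as
described on the Configuration Management slides. Added example, not PAN-OS code: the
lock behaviour is a simplified model of the slide's two sentences, and the admin
names and the settings are constructed.
"""
from copy import deepcopy


class LockError(Exception):
    """Raised when another administrator's lock blocks the requested operation."""


class ConfigStore:
    def __init__(self, running: dict):
        self.running = deepcopy(running)      # active on the firewall
        self.candidate = deepcopy(running)    # what the UI shows; becomes running on commit
        self.locks = {"config": set(), "commit": set()}   # lock type -> holding admins

    def take_lock(self, admin: str, kind: str) -> None:
        self.locks[kind].add(admin)

    def release_lock(self, admin: str, kind: str) -> None:
        self.locks[kind].discard(admin)

    def _held_by_others(self, admin: str, kind: str) -> set:
        return self.locks[kind] - {admin}

    def set(self, admin: str, key: str, value) -> None:
        """Edit the candidate. A config lock blocks OTHER admins from making changes."""
        others = self._held_by_others(admin, "config")
        if others:
            raise LockError(f"config lock held by {sorted(others)}")
        self.candidate[key] = value

    def commit(self, admin: str) -> dict:
        """Promote the candidate to running. A commit lock blocks OTHER admins from
        committing until every commit lock has been released."""
        others = self._held_by_others(admin, "commit")
        if others:
            raise LockError(f"commit lock held by {sorted(others)}")
        self.running = deepcopy(self.candidate)
        return self.running

    @staticmethod
    def audit(old: dict, new: dict) -> dict:
        """Config Audit: compare any two configurations and report the differences."""
        return {
            "added":   {k: new[k] for k in new.keys() - old.keys()},
            "removed": {k: old[k] for k in old.keys() - new.keys()},
            "changed": {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]},
        }


def demo() -> dict:
    """Two admins share one firewall; returns the audit of running config before/after."""
    fw = ConfigStore({"hostname": "PA-FW", "dns.primary": "172.16.20.230"})   # constructed
    before = deepcopy(fw.running)
    fw.take_lock("alice", "commit")
    fw.set("alice", "hostname", "PA-FW-EDGE")
    fw.set("bob", "ntp.primary", "10.30.11.250")     # bob may still edit: no config lock
    try:
        fw.commit("bob")                             # but alice's commit lock blocks him
    except LockError:
        pass
    assert fw.running == before, "nothing has been committed yet"
    fw.release_lock("alice", "commit")
    fw.commit("bob")                                 # the shared candidate (both edits) goes live
    return ConfigStore.audit(before, fw.running)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind:<8} {entries}")
```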
Account Administration

Administrator Roles
Device > Admin Roles
Roles define the type of access an administrator has on the firewall:
▪ Dynamic Roles: Built-in roles such as superuser and device administrator
▪ Admin Role Profiles: Custom-made roles

Using External AAA to Authenticate Admin Users
Device > Server Profiles

Creating Administrator Accounts
Device > Administrators

Set Admin Passwords
Device > Administrators

Minimum Password Complexity
Device > Setup > Management > Minimum Password Complexity

Discussion Forum – Week 2
In addition to the ALEs already discussed in this lesson, here are your discussion forum post requirements.
• Find a news article (from a source other than Palo Alto Networks) that promotes any Palo Alto products/services. Then find a news article that criticizes (or has a negative opinion of) Palo Alto Networks products and services. Whoever posts first has an advantage, as you may not post an article that a peer has already posted.
Note: Please do not just share the link to the article. Include your summary, challenge/clarification questions, and critique of the article and its contents.

Summary and Reminders
Summary:
• Introduced Palo Alto products and services
• Platforms and Architectures
• Initial Configuration
• Configuration Management
Reminders:
• Palo Alto Lab #1 is due next week
• Discussion Forum posts/replies for week 2 (due before week 3)
• Next week we will be discussing security policies, App-ID, and NAT