Palo Alto Networks - Next Generation Firewall

Contents
Palo Alto Networks - Next Generation Firewall
Enterprises Need Application Visibility and Control
Key Next-Generation Firewall Requirements
Visibility: Turning On the Lights
Control: Safe Enablement vs. Blindly Blocking
Specific Examples: Google Talk and UltraSurf
Enabling the Secure Use of Facebook
How it works
App-ID: Classifying All Applications, All Ports, All the Time
User-ID: Enabling Applications by Users and Groups
Content-ID: Protecting Allowed Traffic
Extending The Network Perimeter
The Logical Perimeter: A Strategic Solution
GlobalProtect + Next-Generation Firewall = The Logical Perimeter
Enforce Network Controls Based on User, Role, and User Profile

Information technology security has been developing over the past couple of decades in a
fast but evolutionary way. Every now and then, however, the evolutionary path is disrupted
by a revolutionary change: the introduction of stateful inspection on firewalls, the arrival and
dominance of easy-to-use purpose-built firewall appliances, and the expansion of UTM
functionality are examples. Today we are witnessing a similar revolutionary change, one that
does away with the traditional complexity and ‘murkiness’ of network traffic inspection and
control, identifies applications and separates the bad from the good, and lets network security
administrators see with unprecedented ease not just what kind of traffic is flowing across the
network but also who exactly generates it. This technology enables quick discovery and
remediation of network security issues, providing not just an adequate response to the
incident itself but also almost immediate insight into the most important questions a security
administrator needs answered: what the incident is, where it comes from, what the impact
would be and who exactly caused it.
By discarding the traditional traffic classification mechanisms of port and protocol, and
taking an application-centric approach, the Palo Alto Networks next-generation firewall is
able to bring unparalleled application visibility and control back to the IT department.
Whether the need is to control one of the application categories such as P2P, social
networking or a more general application visibility and control requirement, the Palo Alto
Networks firewall allows administrators to define traditional firewall policies to control their
application traffic.
Enterprises Need Application Visibility and Control
In a world where social networking and cloud-based applications dominate business
application discussions, the need for application visibility and control has never been
greater.
A growing number of Internet-savvy employees are accessing any business and personal
applications they want in order to be more productive and stay connected. The benefits
may be clear, but there are also security risks, which is why many enterprises are
demanding that their security infrastructure help them regain visibility and control over the
applications traversing the network.
Gartner has highlighted application visibility and control as a critical requirement for
next-generation firewalls. Today, many security vendors are weaving the terms “next-generation”
and “application control” into marketing messages for their existing port-based offerings.
Key Next-Generation Firewall Requirements:
• Identify applications, not ports. Identify the application, irrespective of protocol, encryption,
or evasive tactic and use the identity as the basis for all security policies.
• Identify users, not IP addresses. Employ user and group information from enterprise
directories for visibility, policy creation, reporting, and forensic investigation—no matter
where the user is located.
• Block threats in real-time. Protect against the entire lifecycle of an attack including
dangerous applications, vulnerabilities, malware, high-risk URLs, and a wide array of
malicious files and content.
• Simplify policy management. Safely and securely enable applications with easy-to-use
graphical tools and a unified policy editor.
• Enable a logical perimeter. Secure all users, including travelling or telecommuting users,
with consistent security that extends from the physical to the logical perimeter.
• Deliver multi-gigabit throughput. Combine purpose-built hardware and software to enable
low-latency, multi-gigabit performance with all services enabled.
Palo Alto Networks next-generation firewalls enable unprecedented visibility and control of
applications, users, and content using three unique identification technologies: App-ID™,
User-ID, and Content-ID. These identification technologies, found in every Palo Alto
Networks firewall, enable enterprises to safely and securely enable application usage, while
significantly reducing total cost of ownership through device consolidation.
Visibility: Turning On the Lights
A firewall must classify all traffic, across all ports—it is the whole point of a firewall. An IPS
(or UTM using IPS to identify applications) only sees patterns it is expressly looking for,
typically only on certain specified ports. The resulting benefit of doing this in the firewall: the
administrator has a clear and comprehensive picture of all of the applications on the
network.
Armed with this information, administrators can make more informed enablement decisions.
It’s like turning on the lights in a dark room – suddenly everything is illuminated and easily
seen, and administrators can act on it. With a traditional firewall + IPS or other add-ons,
administrators are not given this level of detail. They only know what they have configured
the IPS to look for. It’s very much like using a flashlight in a dark room – you only have
limited visibility into the small area you are focused on.
Finally, the visibility available in one spot has significant benefits. Usually, “visibility” means
reviewing multiple log files, looking for the needle in a haystack. But Palo Alto Networks
data centre customers have found that the application visibility, the traffic visibility, coupled
with the inbound URL and threat logs – all available in one user interface – eliminate the
either/or choice between visibility and efficiency.
Control: Safe Enablement vs. Blindly Blocking
A next-generation firewall is designed to enable and control application access, and, if need
be, hand it off to be scanned for threats by an IPS. The benefit of doing application
identification and control in the firewall: safe enablement of applications. Organizations can
allow, deny, allow for certain groups, allow certain functions, allow but shape, or allow
but scan for threats or confidential data. In contrast, an IPS’s control model is negative and
terminal, meaning that an IPS can only block, which is insufficient for application control.
Using a stateful inspection firewall plus an IPS to identify and control applications,
IT organizations must rely on simple signatures, but applications’ port-agility and
SSL encryption can render those signatures useless – “find it and kill it” only works when
you can find it. Everything else gets through. And that means the ability to effectively
control applications is very limited.
Bottom line: if the firewall uses stateful inspection to classify traffic, it isn’t a
next-generation firewall. If it isn’t a next-generation firewall, it doesn’t really
change anything for your network security.
Specific Examples: Google Talk and UltraSurf
1. Block Google Talk. It seems it should be easy for an IPS to have a signature to
identify Google Talk, allowing an admin to block Google Talk. It could also have signatures
to block Google Talk Gadget, Gmail Chat, and Google Talk File Transfer. However, there
are two potential challenges – first, the port agility of some of these applications (IPS
engines still use port to determine which decoder to use, and signatures are written for
specific decoders) renders application identification spotty – administrators have to specify
all of the ports to search on. Second, Gmail defaults to SSL-encrypted now, and most IPSs
are not capable of decrypting outbound SSL – so Gmail Chat works just fine, despite
whatever policy is in place on the UTM. Palo Alto Networks App-ID™ includes an ability to
decrypt SSL, coupled with identifying the application. In this case, that includes controlling
file transfers over Gmail as well as Gmail Talk (a special implementation of Google Talk
embedded in Gmail).
2. Block UltraSurf. Anyone who knows what UltraSurf does would likely want to block it as it
allows the user to tunnel any other internet application through an encrypted tunnel capable
of traversing traditional firewalls, proxies, and IPS systems. Here the biggest challenge is
the way UltraSurf uses a proprietary implementation of SSL to bypass protocol decoding
and signature detection, so the IPS approach cannot identify and block UltraSurf. Put
another way, “find it and kill it” only works when you can find it. And since UltraSurf can be
used to tunnel just about any application, all other application controls are rendered
useless. Palo Alto Networks’ App-ID™ uses its heuristics engine to identify UltraSurf, and
to keep up with UltraSurf’s often changing evasion tactics.
Enabling the Secure Use of Facebook
Facebook is rapidly extending its influence from the personal world to the corporate world
as employees use these applications to get their jobs done. At the same time, many
organizations are looking at the nearly 400 million Facebook users as an opportunity to
conduct research, execute targeted marketing, gather product feedback and increase
awareness. The end result is that Facebook can help organizations improve their bottom
line. However, formally enabling the use of Facebook introduces several challenges to
organizations. Many organizations are unaware of how heavily Facebook is being used,
or for what purpose. In most cases, policies governing specific usage are non-existent or
unenforceable. Finally, users tend to be too trusting, operating in a “click now, think later”
mentality which introduces significant security risks.
Like any application that is brought into the enterprise by end-users, blindly allowing
Facebook may result in propagation of threats, loss of data and damage to the corporate
reputation. Blindly blocking is also an inappropriate response, because Facebook may play an
important role in the business, and a block may simply force users to find alternative means
of accessing Facebook (proxies, circumvention tools, etc.). Organizations should follow a systematic
process to develop, enable and enforce appropriate Facebook usage policies while
protecting network resources.
1. Find out who’s using Facebook. There are many cases where there may already be a
“corporate” Facebook presence established by marketing or sales, so it is critical that IT
determine which social networking applications are in use, who is using them and the
associated business objectives. By meeting with the business groups and discussing
the common company goals, IT can use this step to move away from the image of
“always saying no” and towards the role of business enabler.
2. Develop a corporate Facebook policy. Once Facebook usage patterns have been
determined, organizations should engage in discussions regarding what should and
should not be said or posted about the company, the competition and the appropriate
language. Educating users on the security risks associated with Facebook is another
important element to encouraging usage for business purposes. With a “click first, think
later” mentality, Facebook users tend to place too much trust in their friend network,
potentially introducing malware while placing personal and corporate data at risk.
3. Use Technology to Monitor and Enforce Policy. The outcome of each of these
discussions should be documented with an explanation of how IT will apply security
policies to safely and securely enable use of Facebook within enterprise environments.
Palo Alto Networks next-generation firewalls allow organizations to take a very systematic
approach to enabling the secure use of Facebook by determining usage patterns,
establishing and enforcing corporate policies that enable the business objectives in a
secure manner.
Identify Who is Using Facebook: The first step in safely enabling the use of
Facebook (or other social networking applications) is to identify which applications are
being used and which employees are using them. Facebook, along with other social
networking applications, has added companion applications like email and chat and has
opened its platform to developers with Facebook Apps.
In addition to the base Facebook application, Palo Alto Networks can identify and
control Facebook Apps, Facebook Mail, Facebook Chat, Facebook Posting (read-only) and
Facebook Social Plugins.
Define and Enforce Appropriate Usage Policies: Once the Facebook applications and
associated users have been identified (via directory services integration), administrators
can apply appropriate usage policies that support the goals and objectives. Enforcing policy
control that spans both personal and professional use of Facebook requires a delicate
balancing act. Policies must be flexible enough to enable the business and allow some
personal use (where appropriate), yet be effective enough to protect the enterprise from
security or business risks. For example, a Facebook “read-only” policy can be enabled to
strike a balance between block or allow. Using the identity of the specific applications
combined with the user information from directory services (Active Directory, LDAP,
eDirectory) enables administrators to apply policies that go far beyond the traditional allow
or deny. Policy options include:
• Allow or deny
• Allow but scan
• Allow based on schedule
• Decrypt and inspect
• Allow and apply traffic shaping
• Allow for certain users or groups
• Allow certain application functions
• Any combination of the above
Protect the Network From Attacks Propagated Across Facebook: With nearly 400
million users exchanging images, links and documents at a breakneck pace and a “click
now, think later” mentality, the Facebook population represents a very target-rich
environment for cyber criminals. Studies by Kaspersky Lab show that social
networking sites are 10 times more effective at delivering malware than previous methods
of email delivery.
With a Palo Alto Networks next-generation firewall, a detailed Facebook application control
policy can be augmented with an equally detailed threat prevention policy, enabled using the
Palo Alto Networks integrated threat prevention engine. The threat prevention engine
detects and blocks a wide range of threats (spyware, Trojans, viruses, application
vulnerabilities) including Koobface.
• Monitor and Control Unauthorized File and Data Transfers:
As part of the balancing act between personal and professional use, organizations must
also evaluate how best to implement policies that are designed to limit unauthorized
transfer of files and data. Taking advantage of the Palo Alto Networks data filtering
capabilities, administrators can apply policies to detect the flow of confidential data patterns
(credit card numbers, social security numbers and custom patterns) with varied response
options depending on the policy. In addition to the data filtering capabilities, file blocking by
type can also be enabled. More than 50 different file types are identified and can be
controlled with response options that include outright blocking, block and send the user a
warning message or log and send an alert to the administrator.
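The data filtering step above is easier to reason about with a concrete check. The following Python is an added example, not code from this page or from Palo Alto Networks: it scans three constructed upload bodies for card numbers and US SSNs, uses a Luhn checksum so that job and order numbers of the right length are not mistaken for cards, and maps the hits onto assumed response options (block for card numbers, alert for SSNs). The pattern names, the response mapping and the sample contents are this example's assumptions.

```python
import re

# Constructed sample file contents (not real data, not a Palo Alto Networks log):
# three uploads that a data-filtering profile would inspect once App-ID has
# identified the application and the upload function.
SAMPLE_UPLOADS = {
    "expense-report.csv": "card,amount\n4111 1111 1111 1111,120.00\n5500-0000-0000-0004,42.10\n",
    "build-log.txt": "job 1234567890123456 finished; order 4111111111111112 shipped\n",
    "hr-note.txt": "employee SSN 123-45-6789 on file; ticket 000-00-0000 is not an SSN\n",
}

# 13-19 digits with optional single spaces or dashes between them, not glued to other digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?<![ -])")
# US SSN shape, rejecting area/group/serial values that are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; weeds out long digit runs (job IDs, order numbers) that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four characters so the log itself does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text):
    """Return the sensitive-data hits in one payload as (pattern name, masked value) pairs."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("credit-card", mask(digits)))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", mask(m.group().replace("-", ""))))
    return hits


# Assumed response policy for this example: card numbers block the upload, SSNs only alert.
ACTIONS = {"credit-card": "block", "ssn": "alert"}


def decide(hits):
    """Strongest action among the hits; 'allow' when nothing matched."""
    if any(ACTIONS[name] == "block" for name, _ in hits):
        return "block"
    if hits:
        return "alert"
    return "allow"


def scan_uploads(uploads=SAMPLE_UPLOADS):
    """Map each upload name to (hits, action)."""
    result = {}
    for name, body in uploads.items():
        hits = scan_text(body)
        result[name] = (hits, decide(hits))
    return result


if __name__ == "__main__":
    for name, (hits, action) in scan_uploads().items():
        print(name, action, hits)
```

The Luhn step is the practical point: a bare 13-19 digit regex over build logs or CSV exports produces a steady stream of false positives, and a data-filtering rule that blocks on every such match is quickly disabled by the people it annoys. The masking is equally deliberate; a data-filtering log that stores the full card number has just created a second place to protect.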
How it works
App-ID: Classifying All Applications, All Ports, All the Time
Accurate traffic classification is the heart of any firewall, with the result becoming the basis
of the security policy. Traditional firewalls classify traffic by port and protocol, which, at one
point, was a satisfactory mechanism for securing the network. Today, applications can
easily bypass a port-based firewall; hopping ports, using SSL and SSH, sneaking across
port 80, or using non-standard ports. App-ID addresses the traffic classification visibility
limitations that plague traditional firewalls by applying multiple classification mechanisms to
the traffic stream, as soon as the firewall sees it, to determine the exact identity of
applications traversing the network.
Unlike add-on offerings that rely solely on IPS-style signatures applied after port-based
classification, App-ID applies up to four different traffic classification mechanisms
(application signatures, SSL and SSH decryption, application protocol decoding, and
heuristics) to identify the application. App-ID continually monitors the
application state, re-classifying the traffic and identifying the different functions that are
being used. The security policy determines how to treat the application: block, allow, or
securely enable (scan for, and block embedded threats, inspect for unauthorized file
transfer and data patterns, or shape using QoS).
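To make the port-versus-content distinction concrete, here is an added Python example, not App-ID code and not from this page: it classifies the first client bytes of several constructed sessions by banner, HTTP request line and TLS ClientHello SNI, ignoring the destination port entirely, and sets the result beside what a port-based classifier would say for the same sessions. The App-ID names used (ssh, gmail, facebook-base, web-browsing, ssl, unknown-tcp) are the product's; the SNI-to-application mapping and the sample sessions are this example's assumptions.

```python
import struct

HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS"}


def build_client_hello(sni):
    """Build a minimal TLS 1.2 ClientHello record carrying a server_name extension
    (constructed sample input so the example runs offline)."""
    host = sni.encode("ascii")
    server_name = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list           # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                    # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                    # one cipher suite
            + b"\x01\x00"                                           # one compression method (null)
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def tls_sni(payload):
    """Return the SNI host name from a TLS ClientHello record, or None if the bytes are not one."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    p = 9 + 2 + 32                                   # record hdr, handshake hdr, version, random
    try:
        p += 1 + payload[p]                          # session id
        (cs_len,) = struct.unpack("!H", payload[p:p + 2])
        p += 2 + cs_len                              # cipher suites
        p += 1 + payload[p]                          # compression methods
        (ext_len,) = struct.unpack("!H", payload[p:p + 2])
        p += 2
        end = min(p + ext_len, len(payload))
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0 and elen >= 5:             # list len(2), name type(1), name len(2), name
                (name_len,) = struct.unpack("!H", payload[p + 3:p + 5])
                return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):               # truncated or malformed hello
        pass
    return None


def classify(payload):
    """Port-agnostic classification from the first client bytes. A toy stand-in for App-ID:
    the product uses signatures, decryption, protocol decoders and heuristics, and keeps
    re-classifying as the session progresses; this only looks at banners, request lines and SNI."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    sni = tls_sni(payload)
    if sni is not None:
        # The SNI-to-application mapping is this example's assumption.
        if sni == "mail.google.com":
            return "gmail"
        if sni == "facebook.com" or sni.endswith(".facebook.com"):
            return "facebook-base"
        return "ssl"
    request_line = payload.split(b"\r\n", 1)[0]
    if request_line.endswith((b" HTTP/1.1", b" HTTP/1.0")) and request_line.split(b" ")[0] in HTTP_METHODS:
        return "web-browsing"
    return "unknown-tcp"


def port_based(port):
    """What a port-based firewall calls the same session, without looking at the payload."""
    return {22: "ssh", 80: "web-browsing", 443: "ssl"}.get(port, "unknown-tcp")


# Constructed sessions: (label, destination port, first client payload).
SESSIONS = [
    ("ssh on 443", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("gmail on 443", 443, build_client_hello("mail.google.com")),
    ("facebook on 8443", 8443, build_client_hello("www.facebook.com")),
    ("http on 8080", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("binary tunnel on 80", 80, b"\x00\x01\x02\x03\x04 not http at all"),
]


def compare(sessions=SESSIONS):
    """Map each session label to (port-based verdict, content-based verdict)."""
    return {label: (port_based(port), classify(payload)) for label, port, payload in sessions}


if __name__ == "__main__":
    for label, (by_port, by_content) in compare().items():
        print("%-22s port-based=%-13s content-based=%s" % (label, by_port, by_content))
```

Two of the rows are the whole argument of this section: SSH pushed over 443 and a TLS session to Facebook on a non-standard port are both invisible to the port-based column, and the binary payload on port 80 shows the reverse failure, traffic that a port-based device would label HTTP and pass to an HTTP decoder although it is nothing of the kind. Note also that the SNI is visible in cleartext only on the ClientHello; identifying the function in use inside the session (chat versus file transfer, for instance) needs the decryption the text describes, which this toy does not attempt.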
User-ID: Enabling Applications by Users and Groups
Traditionally, security policies were applied based on IP addresses, but the increasingly
dynamic nature of users and computing means that IP addresses alone have become
ineffective as a mechanism for monitoring and controlling user activity. User-ID allows
organizations to extend user- or group-based application enablement policies across
Microsoft Windows, Apple Mac OS X, Apple iOS, and Linux users.
User information can be harvested from enterprise directories (Microsoft Active Directory,
eDirectory, and OpenLDAP) and terminal services offerings (Citrix and Microsoft Terminal
Services), while integration with Microsoft Exchange, a Captive Portal, and an XML API
enables organizations to extend policy to Apple Mac OS X, Apple iOS, and UNIX users that
typically reside outside of the domain.
User-ID seamlessly integrates Palo Alto Networks firewalls with a range of enterprise
directory and terminal services offerings, enabling administrators to tie application activity
and security policies to users and groups – not just IP addresses. When used in
conjunction with App-ID™ and Content-ID™, IT organizations can leverage user and group
information for visibility, policy creation, forensic investigation and reporting on application,
threat, web surfing and data transfer activity.
User-ID addresses the challenge of using IP addresses to monitor and control the activity
of specific network users – something that was once a fairly simple task, but has become
difficult as enterprises moved to an Internet- and web-centric model.
The visibility problem is compounded in an increasingly mobile enterprise: employees
access the network from virtually anywhere around the world, internal wireless networks
reassign IP addresses as users move from zone to zone, and network users are not always
company employees.
Content-ID: Protecting Allowed Traffic
Many of today’s applications provide significant benefit, but are also being used as a
delivery tool for modern malware and threats. Content-ID, in conjunction with App-ID,
provides administrators with a two-pronged solution to protecting the network. After App-ID
is used to identify and block unwanted applications, administrators can then securely
enable allowed applications by blocking vulnerability exploits, modern malware, viruses,
botnets, and other malware from propagating across the network, all regardless of port,
protocol, or method of evasion. Rounding out the control elements that Content-ID offers is
a comprehensive URL database to control web surfing and data filtering features.
Content-ID™ combines a real-time threat prevention engine with a comprehensive URL
database and elements of application identification to limit unauthorized data and file
transfers, detect and block a wide range of exploits, malware, dangerous web surfing as
well as targeted and unknown threats. The application visibility and control delivered by
App-ID™, combined with the content inspection enabled by Content-ID means that IT
departments can regain control over application traffic and related content.
Enterprises of all sizes are at risk from a variety of increasingly sophisticated network-borne
threats that have evolved to avoid many of the industry’s traditional security measures.
Palo Alto Networks Content-ID delivers a new approach based on the complete analysis of
all allowed traffic using multiple threat prevention and data-loss prevention techniques in a
single unified engine. Unlike traditional solutions, Palo Alto Networks actually controls the
threat vectors themselves through the tight control of all types of applications. This
immediately reduces the “attack surface” of the network after which all allowed traffic is
analyzed for exploits, malware, dangerous URLs, dangerous or restricted files or content,
and even exposes unknown threats attempting to breach the network.
Single Pass, Parallel Processing Architecture Forms A High-Performance Foundation
First and foremost, network security infrastructure must perform. In order to implement a
true next-generation firewall, Palo Alto Networks had to develop a new architecture that
could perform computationally intensive functions (e.g., application identification) at wire
speed.
Palo Alto Networks next-generation firewalls use a single-pass parallel processing (SP3)
architecture to protect datacenter environments at speeds of up to 20 Gbps.
The two key elements that make up the SP3 architecture are the single pass software
architecture and the custom-built hardware platform. Palo Alto Networks SP3 architecture
is a unique approach to hardware and software integration that simplifies management,
streamlines processing and maximizes performance.
Content-ID is built on a single-pass architecture, which is a unique integration of
software and hardware that simplifies management, streamlines processing and
maximizes performance. The single-pass architecture (SP3) integrates multiple
threat prevention disciplines (IPS, anti-malware, URL filtering, etc) into a single
stream-based engine with a uniform signature format. This allows traffic to be fully
analyzed in a single pass without the incremental performance degradation seen in
other multi-function gateways. The software is tied directly to a parallel processing
hardware platform that uses function specific processors for threat prevention to
maximize throughput and minimize latency.
Modern Malware Detection and Prevention
Malware has evolved to become an extensible networked application that provides
attackers with unprecedented access and control inside of the targeted network. As
the power of modern malware increases, it is critical that enterprises be able to
detect these threats immediately, even before the threat has a defined signature.
Palo Alto Networks next-generation firewalls provide organizations with a multifaceted approach based on the direct analysis of both executable files and network
traffic to protect their networks even before signatures are available.
• WildFire™: Using a cloud-based approach, WildFire exposes previously unseen
malicious executable files by directly observing their behaviour in a secure
virtualized environment. WildFire looks for malicious actions within Microsoft
Windows executable files such as changing registry values or operating system
files, disabling security mechanisms, or injecting code into running processes. This
direct analysis quickly and accurately identifies malware even when no protection
mechanism is available. The results are immediately delivered to the administrator
for an appropriate response and a signature is automatically developed and
delivered to all customers in the next available content update.
• Behavioural Botnet Detection: App-ID classifies all traffic at the application level,
thereby exposing any unknown traffic on the network, which is often an indication
of malware or other threat activity. The behavioural botnet report analyzes network
behaviour that is indicative of a botnet infection such as repeatedly visiting malware
sites, using dynamic DNS, IRC, and other potentially suspicious behaviours. The
results are displayed in the form of a list of potentially infected hosts that can be
investigated as possible members of a botnet.
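As an added example of the behavioural approach (not the product's report logic, and not code from this page), the Python below parses a constructed log excerpt, counts per source host the indicators the text names (malware-category URLs visited repeatedly, dynamic DNS domains, IRC, unknown traffic), weights them, and ranks hosts for investigation. The log format, the weights, the repeat threshold and the dynamic-DNS suffix list are this example's assumptions.

```python
from collections import defaultdict

# Constructed log excerpt (not real PAN-OS log output). Fields: time, source host,
# App-ID name of the session, URL category assigned by URL filtering (empty when the
# session carried no URL), destination host.
LOG_LINES = """\
09:00:05,10.1.1.20,web-browsing,business,intranet.example.com
09:00:09,10.1.1.20,ssl,business,mail.google.com
09:01:13,10.1.1.77,web-browsing,malware,cdn-updates.no-ip.org
09:01:14,10.1.1.77,unknown-tcp,,203.0.113.9
09:03:00,10.1.1.31,web-browsing,malware,ads.badsite.example
09:04:11,10.1.1.31,web-browsing,news,news.example.com
09:06:13,10.1.1.77,web-browsing,malware,cdn-updates.no-ip.org
09:11:13,10.1.1.77,web-browsing,malware,cdn-updates.no-ip.org
09:12:40,10.1.1.77,irc,,irc.example.net
"""

# Weights, thresholds and the dynamic-DNS suffix list are this example's assumptions.
WEIGHTS = {"malware-sites": 3, "dynamic-dns": 2, "irc": 2, "unknown-app": 1}
DYNDNS_SUFFIXES = (".no-ip.org", ".dyndns.org", ".duckdns.org")
REPEAT_THRESHOLD = 3      # "repeatedly visiting malware sites": one blocked URL is noise
REPORT_THRESHOLD = 5      # minimum score for a host to appear in the report


def parse_log(text):
    """Turn the CSV excerpt into a list of event dicts."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, src, app, category, dst = raw.split(",")
        events.append({"time": ts, "src": src, "app": app, "category": category, "dst": dst})
    return events


def count_indicators(events):
    """Per source host, count each behavioural indicator."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        c = counts[e["src"]]
        if e["category"] == "malware":
            c["malware-sites"] += 1
        if e["dst"].endswith(DYNDNS_SUFFIXES):
            c["dynamic-dns"] += 1
        if e["app"] == "irc":
            c["irc"] += 1
        if e["app"].startswith("unknown-"):
            c["unknown-app"] += 1
    return counts


def score_host(c):
    """Weighted score plus human-readable reasons; malware visits count only when repeated."""
    score = 0
    reasons = []
    for name, weight in WEIGHTS.items():
        n = c.get(name, 0)
        if name == "malware-sites" and n < REPEAT_THRESHOLD:
            continue
        if n:
            score += weight * n
            reasons.append("%s x%d" % (name, n))
    return score, reasons


def botnet_report(text=LOG_LINES):
    """Hosts whose behaviour scores at or above the threshold, highest score first."""
    report = []
    for host, c in count_indicators(parse_log(text)).items():
        score, reasons = score_host(c)
        if score >= REPORT_THRESHOLD:
            report.append((host, score, reasons))
    return sorted(report, key=lambda r: -r[1])


if __name__ == "__main__":
    for host, score, reasons in botnet_report():
        print(host, score, ", ".join(reasons))
```

The repeat threshold is the part worth copying: 10.1.1.31 touched one malware-category URL, which is what a single bad advert looks like, and does not appear; 10.1.1.77 visited the same dynamic-DNS host three times at five-minute intervals, then opened IRC and an unclassified TCP session, and ranks at the top. A report like this is a list of hosts to investigate, not a verdict, which is exactly how the text frames it.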
Traffic Monitoring: Analysis, Reporting and Forensics
Security best practices dictate that administrators strike a balance between being
proactive, continually learning and adapting to protect the corporate assets, and
being reactive, investigating, analyzing, and reporting on security incidents. ACC and
the policy editor can be used to proactively apply application enablement policies,
while a rich set of monitoring and reporting tools provide organizations with the
necessary means to analyze and report on the application, users and content flowing
through the Palo Alto Networks next-generation firewall.
• App-Scope: Complementing the real-time view of applications and content
provided by ACC, App-scope provides a dynamic, user-customizable view of
application, traffic, and threat activity over time.
• Reporting: Predefined reports can be used as-is, customized, or grouped
together as one report in order to suit the specific requirements. All reports can be
exported to CSV or PDF format and can be executed and emailed on a scheduled
basis.
• Logging: Real-time log filtering facilitates rapid forensic investigation into every
session traversing the network. Log filter results can be exported to a CSV file or
sent to a syslog server for offline archival or additional analysis.
• Trace Session Tool: Accelerate forensics or incident investigation with a
centralized correlated view across all of the logs for traffic, threats, URLs, and
applications related to an individual session.
Extending The Network Perimeter
Both applications and network users themselves are becoming less and less bound
to the physical infrastructure of the enterprise. Enterprises are doing everything they
can to reduce the cost and management burden associated with their enterprise
applications, leading firms to move applications to hosted models either in the public
or private cloud and software increasingly being delivered as a service.
Such initiatives are mission-critical for the enterprise as they can directly save time,
money and manpower. Users have also migrated beyond the reach of the traditional
enterprise network. Users simply expect to be able to take their work with them and
to stay connected from anywhere. Unlike in the past, this behaviour is no longer
limited to the traditional “road-warriors” or home-office employees. Due to the
widespread availability of new networking technologies such as WiFi and 3G/4G, end-users
have become accustomed to having Internet connectivity literally
everywhere they go. The rise of iOS-based devices such as the iPhone and iPad has
made users even more mobile, and in some cases, more difficult to recognize and
secure. In some cases, these technologies lead to counter-intuitive situations where
users may accidentally roam outside of the corporate network even though they may
still be physically inside a corporate building.
The Logical Perimeter: A Strategic Solution
As most security professionals know from experience, security is not simply a
product or a feature that can be added on to a project at the end, but rather a
process that must be designed in from the beginning.
The logical perimeter provides the requisite framework for integrating a standardized
and consistent approach to security into every network connection regardless of
location. This means the rules and policies remain consistent and the organization’s
best intelligence and protections are universally applied.
To meet this goal, the logical perimeter must first standardize on the corporate
security policy as the rule of law for all network connections regardless of where they
occur. Security policies, like any rules or laws, must be applied consistently if they are
expected to serve their purpose. If the rules only apply in certain circumstances, then
they cease to be rules in any true sense and exceptions quickly become the norm.
This is precisely the situation that security teams find themselves in today. Users
have been mobile for many years, and enterprises have gradually become
accustomed to settling for a reduced quality of security for these users. The logical
perimeter establishes consistent security policy based on applications and users,
and in the process clearly sets the bar for new projects and what security levels they
will be expected to meet. While this step may seem obvious, it is nevertheless
extremely important to have a strong directive in order to push back against a long-established
trend of making security exceptions for remote users.
Secondly, network users outside the corporate network should receive the same
protections that are provided when inside the physical network. For example,
firewalling decisions should provide the same visibility and control of applications,
users and content established by the next-generation firewall at the traditional
perimeter. In fact, this requirement is particularly important for end-users in the field,
as client applications are very likely to be evasive and route around traditional port-based controls.
Additionally, users may revert to less strict browsing behaviours when away from the
office, exposing them to even more potential threats. As with firewall controls, users
should be protected by the full complement of IPS and threat prevention when they
are outside the physical network. This means true network-based IPS, malware and
botnet control, as well as file, URL and content filtering. Obviously, users are
exposed to just as many risks and threats when outside the network, so it only
makes sense that they should receive the enterprise’s best protections.
Key Requirements of the Logical Perimeter:
• Establishes a consistent set of policies based on applications and users that apply
to all traffic
• Provides the same protections outside as inside
• Delivers enterprise performance and reliability
GlobalProtect + Next-­‐Generation Firewall = The Logical Perimeter
GlobalProtect introduces a modern approach to enterprise security. Instead of trying
to reinvent the entirety of enterprise security on the end-user’s laptop, GlobalProtect
takes what already works today, the next-generation firewall, and delivers it
transparently to all remote connections. Almost as importantly, GlobalProtect takes
advantage of the next-generation firewalls that are already deployed and can
typically be deployed with no additional hardware required. The solution is comprised
of three different components:
GlobalProtect Agent: The GlobalProtect agent is a small piece of software that
resides on the end user’s PC. This agent can be delivered to the user automatically
via Active Directory, SMS or Microsoft System Configuration Manager or can be
downloaded directly from the GlobalProtect Portal. The agent provides secure
connectivity between a remote user and the enterprise Palo Alto Networks firewall to
ensure secure connectivity as well as next-generation visibility and control of traffic
regardless of location. The agent supports Microsoft Windows XP, Vista, Windows 7,
and Mac OS X, enabling IT to extend security and connectivity to a wide variety of
today’s most popular devices. When licensed, the agent can actively test and select
for the best performing Palo Alto Networks GlobalProtect Gateway. And lastly it
compiles a Host Information Profile (HIP) of the client device including such factors
as patch level, disk encryption, antivirus version and many more. Additionally Palo
Alto Networks leverages the IPSec VPN client built in to Apple iOS devices. This
provides native connectivity and secure access, but does not support HIP profiles or
intelligent gateway selection.
GlobalProtect Portal: The GlobalProtect Portal provides the centralized
management for the solution. Any Palo Alto Networks firewall can act as the portal
while also performing its everyday duties as a next-generation firewall. However,
each GlobalProtect deployment will only have 1 portal at a time. The portal provides
three key functions: It delivers the GlobalProtect Agent to users. It provides the
GlobalProtect agents with a list of available GlobalProtect Gateways. And lastly, it
manages the authentication certificates for the solution. The GlobalProtect Portal,
like all Palo Alto Networks firewalls, can be run as a high-availability pair, to ensure always-on
reliability of the solution.
GlobalProtect Gateway: The GlobalProtect Gateways are responsible for the
majority of the actual security enforcement in the solution. Similar to the portal, any
Palo Alto Networks firewall can be a gateway for the GlobalProtect solution.
However, unlike the portal, you can leverage as many gateways simultaneously as
you need, ensuring multiple potential routes between an agent and gateway. The
Gateway has three core functions: First and foremost, it performs the full breadth of
next-generation firewalling functionality including application control, threat
prevention, URL filtering, user visibility, etc., on all traffic from associated
GlobalProtect Agents. It also provides the end of the secure connection established
by the Agent. Lastly, it receives the Host Information Profile (HIP) and enforces
policies accordingly.
Enforce Network Controls Based on User, Role, and User Profile
One of the key concepts behind the next-generation firewall is the ability to enforce
policies based on user or user group. Instead of relying on IP address, the Palo Alto
Networks next-generation firewall integrates with the enterprise directory
infrastructure to uniquely identify and enforce policy to individual users and
machines. The User-ID technology integrates with a variety of directories including
Active Directory, eDirectory, Open LDAP, Citrix Terminal Server, Microsoft Terminal
Server and XenWorks.
User-ID can also be configured to monitor logon events from clients accessing their
Microsoft Exchange mailbox, enabling the solution to identify Mac OS X, Apple iOS,
and Linux/UNIX client systems that don’t directly authenticate to the domain.
GlobalProtect extends these controls to incorporate the configuration of the end
user’s device. If the user’s end-point is not properly secured, security teams can
automatically enforce network controls to compensate. For example, a user may
have rights to access certain information on the enterprise network, but the
GlobalProtect Gateway can prevent that user from downloading files if his laptop is
not using disk encryption. Alternatively, if the host antivirus is out of date, staff can
automatically restrict access to social networking sites where malware tends to
propagate. When added to the application, user and content controls available from
the Palo Alto Networks next-generation firewall, security teams now have a level of
control and flexibility that they have never had from traditional solutions. Just as the
next-generation firewall allows for more granular controls of firewall policy,
GlobalProtect offers granular control of user rights based on their host configuration.
Policies can be based on the following host characteristics.
• Operating System and Application Patch Level
• Host Anti-Malware Version
• Host Firewall Version
• Disk Encryption
• Data Backup Products
• Customized host conditions
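The two HIP-based decisions described above (block file downloads from an unencrypted laptop; block social networking when antivirus is stale), worked through as an added example in plain Python. This is illustrative code, not Palo Alto Networks' implementation or configuration syntax; the HipReport fields, profile names, application names and host reports are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

def version_tuple(v: str):
    """'4.2.1' -> (4, 2, 1) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class HipReport:
    """Constructed stand-in for the HIP an agent submits to the gateway."""
    user: str
    antivirus_version: str
    disk_encrypted: bool

@dataclass
class HipProfile:
    """Host conditions an endpoint must satisfy (hypothetical field names)."""
    name: str
    min_antivirus: Optional[str] = None
    require_disk_encryption: bool = False

    def failures(self, hip: HipReport) -> List[str]:
        """Every unmet condition; an empty list means the host is compliant."""
        unmet = []
        if self.min_antivirus and (version_tuple(hip.antivirus_version)
                                   < version_tuple(self.min_antivirus)):
            unmet.append(f"antivirus {hip.antivirus_version} < {self.min_antivirus}")
        if self.require_disk_encryption and not hip.disk_encrypted:
            unmet.append("disk not encrypted")
        return unmet

@dataclass
class Rule:
    application: str      # App-ID style application name (constructed)
    requires: HipProfile  # profile the endpoint must satisfy to use it

def evaluate(rules: List[Rule], hip: HipReport, application: str) -> str:
    """Deny when any rule for this application has an unmet HIP profile."""
    for rule in rules:
        if rule.application == application and rule.requires.failures(hip):
            return "deny"
    return "allow"

# The two cases from the text, as constructed rules and host reports.
RULES = [
    Rule("file-transfer", HipProfile("encrypted-disk", require_disk_encryption=True)),
    Rule("social-networking", HipProfile("current-antivirus", min_antivirus="4.2.0")),
]
LAPTOP_NO_FDE = HipReport("alice", "4.3.0", disk_encrypted=False)
LAPTOP_OLD_AV = HipReport("bob", "3.9.7", disk_encrypted=True)
```

The `failures` list is what a gateway would log alongside the verdict, so an administrator can see which host condition caused a deny rather than only that access was refused.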