Palo Alto's next-generation firewall product overview
Application behavior and usage patterns are constantly undermining the protection that traditional firewalls provide. Users access arbitrary applications from any location in order to get their work done, and many of those applications use non-standard ports, dynamic ports, or encryption to simplify access and slip past the firewall. Cybercriminals take full advantage of this unfettered application usage to spread highly targeted new malware. As a result, traditional firewalls that rely on ports and protocols can no longer identify and control the applications and threats on the network.
Over time this produced a patchwork of duplicated local and remote security policies, supported by stand-alone firewall helper products or bolt-on plug-ins. Such approaches lead to inconsistent policies and fail to solve the visibility and control problems caused by inaccurate or incomplete traffic classification, lengthy and complicated management, and the latency added by multiple scanning passes. Restoring visibility and control requires a completely new approach to safely enabling applications, one that is only available in a next-generation firewall.
Key requirements of the next-generation firewall:
Identify applications, not ports. Identify applications regardless of protocol, encryption, or evasion technique, and use that identification as the basis for all security policies.
Identify users, not IP addresses. Use user and group information from the enterprise directory for visibility, policy creation, reporting, and forensic investigation, regardless of where users are located.
Block threats in real time. Protect against attacks throughout their life cycle, including dangerous applications, vulnerability exploits, malware, high-risk URLs, and a wide range of malicious files and content.
Simplify policy management. Enable applications safely and confidently through easy-to-use graphical tools and a unified policy editor.
Enforce logical boundaries. Apply a consistent security policy that extends from the physical perimeter to a logical perimeter, protecting all users, including travelling and telecommuting users.
Provide multi-gigabit throughput. Purpose-built hardware and software deliver low latency and multi-gigabit throughput with all services enabled.

Palo Alto parallel processing architecture
Palo Alto Networks next-generation firewalls use three unique identification technologies to achieve unprecedented visibility and control over applications, users, and content: App-ID™, User-ID, and Content-ID. These three technologies are built into every Palo Alto Networks firewall, enabling enterprises to use applications safely while greatly reducing total cost of ownership through device consolidation.
App-ID: Classify all applications on all ports at any time.
Accurate traffic classification is the core of every firewall and the basis of its security policy. Traditional firewalls classify traffic by port and protocol, which was once an adequate network protection mechanism. Today's applications, however, easily bypass port-based firewalls: they hop between ports, tunnel inside SSL or SSH, sneak through port 80, or use non-standard ports. Once the firewall sees a flow, App-ID applies multiple classification mechanisms to it to determine the exact identity of the application on the network, thereby solving the traffic-classification visibility limitation that has long plagued traditional firewalls.
App-ID automatically applies up to four traffic classification mechanisms to identify an application, unlike add-on products that rely solely on IPS-style signatures applied after port-based classification. App-ID continuously monitors the state of the application, reclassifies the traffic, and identifies the individual functions in use. The security policy then determines how the application is handled: block, allow, or enable securely (scan for embedded threats and block them, detect unauthorized file transfers and data types, or apply QoS to control bandwidth).
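The following is an added illustration (not Palo Alto Networks code, and far simpler than the real App-ID engine) of the principle described above: classifying a flow from the payload bytes it carries rather than from its destination port, so that SSH hidden on port 443, TLS on port 80, or plain HTTP on an arbitrary port is still recognised. The flow records, the `build_client_hello` helper that constructs a minimal TLS ClientHello with an SNI extension, and the table of "standard" ports are all assumptions used for the example; the port table is consulted only to flag port evasion, never to classify.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


# Constructed flow record: destination port plus the first payload bytes each side sent.
@dataclass
class Flow:
    dst_port: int
    client_payload: bytes
    server_payload: bytes = b""


# Assumed "standard" ports, used only to flag evasion after the app is known.
STANDARD_PORTS = {"ssh": {22}, "ssl": {443}, "web-browsing": {80, 8080}, "irc": {6667}}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (sample input only)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name            # name_type 0 = host_name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list       # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                           # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                            # one cipher suite, null compression
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # record type 0x16 = handshake


def _is_tls_client_hello(p: bytes) -> bool:
    # Handshake record (0x16), TLS major version 3, handshake type ClientHello (0x01) at offset 5.
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


def _sni_from_client_hello(p: bytes) -> Optional[str]:
    """Walk the ClientHello to the server_name extension; None if absent or malformed."""
    try:
        i = 43                                          # record(5) + handshake(4) + version(2) + random(32)
        i += 1 + p[i]                                   # session id
        i += 2 + int.from_bytes(p[i:i + 2], "big")      # cipher suites
        i += 1 + p[i]                                   # compression methods
        ext_end = i + 2 + int.from_bytes(p[i:i + 2], "big")
        i += 2
        while i + 4 <= ext_end:
            etype = int.from_bytes(p[i:i + 2], "big")
            elen = int.from_bytes(p[i + 2:i + 4], "big")
            i += 4
            if etype == 0:
                nlen = int.from_bytes(p[i + 3:i + 5], "big")    # skip list length(2) and name_type(1)
                return p[i + 5:i + 5 + nlen].decode("ascii")
            i += elen
    except (IndexError, UnicodeDecodeError):
        pass
    return None


def classify(flow: Flow) -> Tuple[str, Optional[str]]:
    """Return (application, detail) from payload signatures; the port is never consulted."""
    c, s = flow.client_payload, flow.server_payload
    if s.startswith(b"SSH-") or c.startswith(b"SSH-"):
        return "ssh", None
    if _is_tls_client_hello(c):
        return "ssl", _sni_from_client_hello(c)          # SNI gives the app behind the encryption
    if c.startswith(HTTP_METHODS) and b" HTTP/1." in c:
        return "web-browsing", None
    if re.match(rb"^(NICK|USER|PASS|CAP) ", c):          # IRC registration commands
        return "irc", None
    return "unknown-tcp", None


def on_nonstandard_port(flow: Flow, app: str) -> bool:
    """True when a recognised application runs somewhere other than its assumed standard port."""
    return app in STANDARD_PORTS and flow.dst_port not in STANDARD_PORTS[app]


if __name__ == "__main__":
    samples = [
        Flow(443, b"", b"SSH-2.0-OpenSSH_9.6\r\n"),                      # SSH hidden on 443
        Flow(80, build_client_hello("mail.example.com")),                # TLS on port 80
        Flow(8443, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),      # plain HTTP on 8443
        Flow(6667, b"NICK bot123\r\nUSER bot 0 * :bot\r\n"),
    ]
    for f in samples:
        app, detail = classify(f)
        flag = "NON-STANDARD PORT" if on_nonstandard_port(f, app) else ""
        print(f.dst_port, app, detail, flag)
```

Anything that no signature recognises is reported as `unknown-tcp`, which is exactly the category the botnet section later treats as suspicious.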

Palo Alto App-ID
User-ID: enables applications by user and group
Security policies were traditionally applied on the basis of IP addresses, but as users and computing become more and more dynamic, IP addresses are no longer an effective mechanism for monitoring and controlling user activity. User-ID allows organizations to extend user- or group-based application enablement policies to Microsoft Windows, Apple Mac OS X, Apple iOS, and Linux users.
User-ID obtains user information from enterprise directories (Microsoft Active Directory, eDirectory, and OpenLDAP) and terminal services (Citrix and Microsoft Terminal Services), while integration with Microsoft Exchange, Captive Portal, and the XML API lets organizations extend policies to Apple Mac OS X, Apple iOS, and UNIX users who are usually located outside the domain.

Palo Alto User-ID
Content-ID: protects allowed traffic
While many current applications provide valuable benefits, they have also become delivery vehicles for new malware and threats. Content-ID combined with App-ID gives administrators a two-pronged approach to network protection. After using App-ID to identify and block unwanted applications, administrators can safely enable the allowed applications by blocking vulnerability exploits, new malware, viruses, botnets, and other malware spreading across the network, regardless of port, protocol, or evasion method. Content-ID's controls are rounded out by a comprehensive URL database that governs web browsing, and by data filtering.

Palo Alto Content-ID
Safely enabling applications
The seamless integration of App-ID, User-ID, and Content-ID lets organizations build consistent application enablement policies that in many cases reach down to the functional level of the application, rather than simply allowing or denying it. With GlobalProtect™, the same policy that protects users at headquarters can be extended to all users wherever they are, establishing a logical perimeter for users outside the network.
A safe enablement policy starts with App-ID determining the application's identity, which is then mapped to the associated user with User-ID, while Content-ID scans the traffic for threats, files, data types, and web activity. These results are displayed in the Application Command Center (ACC), where administrators can see what is happening on the network in real time. Next, in the Policy Editor, the application, user, and content information viewed in the ACC is turned into appropriate security policies that block unwanted applications while allowing and securely enabling the others. Finally, applications, users, and content serve as the basis for all subsequent detailed analysis, reporting, and forensics.
Application Control Center: Knowledge is Power
The Application Command Center (ACC) graphically summarizes the log database to highlight the applications on the network, who is using them, and their potential security impact. The ACC is updated dynamically from App-ID's continuous traffic classification: if an application changes port or behavior, App-ID keeps monitoring the traffic and shows the result in the ACC. A single click on a new or unfamiliar application shown in the ACC brings up its description, main functions, behavioral characteristics, and the users currently using it. Additional views of URL categories, threats, and data provide a complete and comprehensive picture of network activity. With the ACC, administrators can quickly understand the details of network traffic and then convert that knowledge into more precise security policies.

Policy Manager
Policy Editor: converts knowledge into security enabled policies.
By understanding which applications are running on the network, who is using them, and what potential security risks they carry, administrators can quickly deploy enablement policies based on application, application function, and port in a controlled, systematic manner. Policy responses range from open (allow), through moderate (enable certain applications or functions, then scan, control bandwidth, or schedule them), to closed (deny). Examples are as follows:
Protect Oracle databases by restricting access to the finance department, forcing the traffic over its standard port, and inspecting the traffic for application vulnerability exploits.
Allow only the IT team to use a fixed set of remote management applications (such as SSH, RDP, and Telnet) over their standard ports.
Define and enforce a corporate policy that allows and inspects specific webmail and instant messaging applications but blocks their respective file transfer functions.
Allow only the administration team to use Microsoft SharePoint Administration, while allowing all other users to access Microsoft SharePoint documents.
Deploy web enablement policies that allow and scan traffic to business-related websites, block access to websites that are obviously not work-related, and "coach" access to other websites through a custom block page.
Implement QoS policies that allow bandwidth-hungry media applications and websites but limit their impact on VoIP applications.
Decrypt SSL traffic to social networks and webmail sites and scan it for malware and vulnerability exploits.
Allow executables to be downloaded from unclassified websites only after the user acknowledges the download, preventing drive-by downloads that exploit zero-day vulnerabilities.
Deny all traffic from specific countries, or block unwanted applications such as P2P file sharing, circumvention tools, and external proxies.
The tight integration of user- and group-based application control with the ability to scan allowed traffic for threats lets organizations significantly reduce the number of policies they deploy, along with the policy churn caused by employees joining, leaving, and changing roles on a daily basis.
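As an added illustration of the policy examples above (this is example code, not the Policy Editor or PAN-OS itself), the following first-match rule evaluator combines an application identity, the user's directory groups, and an "application-default port" constraint, and attaches scanning profiles to allowed sessions. Rule names, group names, application and function names (the webmail file-transfer function is modelled as its own sub-application) and the port table are all assumed for the example; anything no rule matches falls to an implicit default deny.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumed application-default ports (the "standard ports" the examples refer to).
APP_DEFAULT_PORTS = {"oracle": {1521}, "ssh": {22}, "rdp": {3389}, "telnet": {23},
                     "gmail": {443}, "gmail-file-transfer": {443}}


@dataclass
class Session:
    user: str
    groups: Set[str]      # from a directory lookup (what User-ID supplies)
    app: str              # from traffic classification (what App-ID supplies)
    dst_port: int


@dataclass
class Rule:
    name: str
    action: str                                       # "allow" or "deny"
    apps: Set[str]                                    # {"any"} matches every application
    groups: Optional[Set[str]] = None                 # None matches every user
    app_default_port: bool = False                    # True: only the app's standard port matches
    profiles: Set[str] = field(default_factory=set)   # scans applied to allowed traffic


def rule_matches(rule: Rule, s: Session) -> bool:
    if "any" not in rule.apps and s.app not in rule.apps:
        return False
    if rule.groups is not None and not (rule.groups & s.groups):
        return False
    if rule.app_default_port and s.dst_port not in APP_DEFAULT_PORTS.get(s.app, set()):
        return False
    return True


def evaluate(rules: List[Rule], s: Session) -> Tuple[str, str, Set[str]]:
    """First matching rule wins; an unmatched session hits the implicit default deny."""
    for r in rules:
        if rule_matches(r, s):
            return r.action, r.name, (r.profiles if r.action == "allow" else set())
    return "deny", "default-deny", set()


# Assumed rulebase modelling the first three examples plus an evasion-tool block.
POLICY = [
    Rule("oracle-finance", "allow", {"oracle"}, groups={"finance"},
         app_default_port=True, profiles={"vulnerability-protection"}),
    Rule("remote-mgmt-it", "allow", {"ssh", "rdp", "telnet"}, groups={"it"},
         app_default_port=True),
    Rule("webmail-no-files", "deny", {"gmail-file-transfer"}),     # function blocked first
    Rule("webmail", "allow", {"gmail"}, profiles={"antivirus", "url-filtering"}),
    Rule("block-evasion", "deny", {"bittorrent", "ultrasurf", "external-proxy"}),
]


if __name__ == "__main__":
    # Constructed sessions exercising each rule.
    for s in [Session("alice", {"finance"}, "oracle", 1521),
              Session("alice", {"finance"}, "oracle", 1522),   # non-standard port: denied
              Session("carol", {"it"}, "rdp", 3389),
              Session("dave", {"sales"}, "gmail", 443),
              Session("dave", {"sales"}, "gmail-file-transfer", 443)]:
        print(s.user, s.app, s.dst_port, "->", evaluate(POLICY, s))
```

Ordering matters: the deny for the file-transfer function sits above the broader webmail allow, which is how "allow the application but block one of its functions" is expressed in a first-match rulebase.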
Policy Editor: Protects Enabled Applications
Enabling applications securely means allowing access to them and then applying specific threat prevention policies as well as file, data, or URL filtering policies. Each Content-ID element can be configured on a per-application basis.
Intrusion Prevention System (IPS): Vulnerability protection integrates a rich set of IPS features to block network- and application-layer vulnerability exploits, buffer overflows, DoS attacks, and port scans.
Network antivirus: Stream-based antivirus protection blocks millions of malware variants, including PDF-borne viruses and malware hidden inside compressed files or compressed web traffic (compressed HTTP/HTTPS). Policy-based SSL decryption lets organizations protect against malware moving over SSL-encrypted applications.
URL filtering: A fully integrated, customizable URL filtering database lets administrators apply granular web browsing policies that complement application visibility and control, helping enterprises manage legal, regulatory, and productivity risks.
File and data filtering: Administrators can use data filtering to implement policies that reduce the risks associated with file and data transfer. File transfers and downloads are controlled by inspecting the file content, not just its extension, to decide whether the file should be allowed. Executables typically delivered by drive-by downloads can be blocked, protecting the network from unseen malware. Finally, data filtering can detect and control the transmission of confidential information such as credit card numbers and social security numbers.
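The two file and data filtering behaviors just described, deciding a file's type from its content rather than its extension and detecting confidential numbers in transit, are illustrated below in added example code (not the product's own filter). The magic-byte table, the expected-extension mapping, the Luhn check for credit card candidates and the SSN pattern are assumptions chosen for the example; a real filter uses far larger signature tables and more sophisticated data patterns.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List

# Assumed magic-byte signatures, checked in order.
MAGIC = [
    ("pe-executable", b"MZ"),
    ("pdf", b"%PDF"),
    ("zip", b"PK\x03\x04"),
]
# Assumed mapping of detected type to the extensions a legitimate file would carry.
EXPECTED_EXT = {"pe-executable": {".exe", ".dll"}, "pdf": {".pdf"}, "zip": {".zip", ".docx", ".xlsx"}}

# 13-16 digits, optionally separated by spaces or dashes; candidates are then Luhn-checked.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; weeds out most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    file_type: str
    extension_mismatch: bool
    card_numbers: List[str] = field(default_factory=list)
    ssns: List[str] = field(default_factory=list)

    def should_block(self) -> bool:
        # Assumed policy: block executables, disguised files, and anything carrying confidential numbers.
        return (self.file_type.endswith("executable") or self.extension_mismatch
                or bool(self.card_numbers or self.ssns))


def detect_type(data: bytes) -> str:
    for ftype, prefix in MAGIC:
        if data.startswith(prefix):
            return ftype
    return "unknown"


def inspect_file(filename: str, data: bytes) -> Verdict:
    ftype = detect_type(data)
    ext = os.path.splitext(filename.lower())[1]
    mismatch = ftype in EXPECTED_EXT and ext not in EXPECTED_EXT[ftype]
    text = data.decode("latin-1")            # byte-preserving decode so the regexes run on any content
    cards = [m.group(0) for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group(0)))]
    ssns = SSN_RE.findall(text)
    return Verdict(ftype, mismatch, cards, ssns)


if __name__ == "__main__":
    # Constructed samples: an executable renamed to .pdf, a real PDF, and a text file with test data.
    samples = {
        "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",
        "report.pdf": b"%PDF-1.7 plain document text",
        "notes.txt": b"Customer card 4111 1111 1111 1111, SSN 123-45-6789",
    }
    for name, data in samples.items():
        v = inspect_file(name, data)
        print(name, v.file_type, "mismatch" if v.extension_mismatch else "", v.card_numbers, v.ssns,
              "BLOCK" if v.should_block() else "allow")
```

The card number in the sample is the well-known test number that passes Luhn; the Luhn filter is what keeps ordinary 16-digit strings such as order numbers from triggering the data filter.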

Visualization of all information
Detection and Defense of New Malware
Malware has evolved into an extensible network application that gives attackers unprecedented access and control inside the target network. As the capabilities of new malware keep growing, enterprises must be able to detect a threat immediately, before a signature for it exists. Palo Alto Networks next-generation firewalls give organizations multiple ways to protect their networks, based on direct analysis of executables and network traffic, even before signatures are available.
WildFire™: WildFire uses a cloud-based approach to expose previously unseen malicious executables by directly observing their behavior in a secure virtualized environment. WildFire looks for malicious actions in Microsoft Windows executables, such as changing registry values or operating system files, disabling security mechanisms, or injecting code into running processes. This direct analysis quickly and accurately identifies malware even when no existing protection covers it. The results are immediately provided to the administrator so that they can respond appropriately, and a signature is automatically generated and delivered to all customers in the next available content update.
Botnet detection: App-ID classifies all traffic at the application level, exposing any unknown traffic on the network, which is often a sign of malware or other threat activity. The botnet report analyzes network behaviors that indicate a botnet infection, such as repeated visits to malicious websites, use of dynamic DNS and IRC, and other potentially suspicious behaviors. The results are presented as a list of hosts that are likely infected and warrant investigation as botnet members.
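As an added example of the botnet report's logic (example code, not the product's report), the block below scores each source host from a handful of constructed, simplified log records using the indicators named above: visits to malware-categorized sites, dynamic DNS lookups, IRC, and unknown TCP traffic. The log layout, the indicator weights, the placeholder dynamic DNS suffixes and the listing threshold are all assumptions; a host is listed only when it shows at least two distinct indicator types, so a single unknown flow does not by itself put a workstation on the report.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


# Constructed, simplified log record; a real firewall log carries many more fields.
@dataclass
class LogEntry:
    src_ip: str
    app: str            # application as classified by the firewall ("unknown-tcp" when unrecognised)
    dst_host: str       # destination hostname if known, else ""
    url_category: str   # URL filtering category, "" when not web traffic


# Assumed lookups and weights; placeholders, not real provider names.
DYNAMIC_DNS_SUFFIXES = (".no-ip.example", ".dyndns.example")
WEIGHTS = {"malware-site": 3, "dynamic-dns": 2, "irc": 2, "unknown-tcp": 1}

# Constructed sample log covering three internal hosts.
CONSTRUCTED_LOG = [
    LogEntry("10.0.0.5", "web-browsing", "bad.example", "malware"),
    LogEntry("10.0.0.5", "dns", "c2.no-ip.example", ""),
    LogEntry("10.0.0.5", "irc", "", ""),
    LogEntry("10.0.0.5", "unknown-tcp", "", ""),
    LogEntry("10.0.0.7", "web-browsing", "news.example", "news"),
    LogEntry("10.0.0.7", "unknown-tcp", "", ""),
    LogEntry("10.0.0.9", "dns", "cam.dyndns.example", ""),
    LogEntry("10.0.0.9", "irc", "", ""),
]


def indicators(e: LogEntry) -> List[str]:
    """Map one log record to the behavioral indicators it exhibits."""
    found = []
    if e.url_category == "malware":
        found.append("malware-site")
    if e.dst_host.endswith(DYNAMIC_DNS_SUFFIXES):
        found.append("dynamic-dns")
    if e.app == "irc":
        found.append("irc")
    if e.app == "unknown-tcp":
        found.append("unknown-tcp")
    return found


def botnet_report(log: List[LogEntry], threshold: int = 4, min_kinds: int = 2) -> List[Tuple[str, int, List[str]]]:
    """Return (host, score, indicator kinds) for suspicious hosts, highest score first.

    Every occurrence adds its weight, so repeated visits to malicious sites raise the score;
    a host must also show at least `min_kinds` distinct indicator types to be listed.
    """
    scores: Dict[str, int] = defaultdict(int)
    kinds: Dict[str, Set[str]] = defaultdict(set)
    for e in log:
        for ind in indicators(e):
            scores[e.src_ip] += WEIGHTS[ind]
            kinds[e.src_ip].add(ind)
    report = [(ip, scores[ip], sorted(kinds[ip]))
              for ip in scores if scores[ip] >= threshold and len(kinds[ip]) >= min_kinds]
    return sorted(report, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for ip, score, kinds_seen in botnet_report(CONSTRUCTED_LOG):
        print(f"{ip:12} score={score:2} indicators={', '.join(kinds_seen)}")
```

Here 10.0.0.5 tops the list with all four indicator types, 10.0.0.9 is listed on the strength of dynamic DNS plus IRC, and 10.0.0.7, whose only oddity is a single unknown flow, is left off.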
Traffic Monitoring: Analysis, Reporting, and Forensics
Security best practices call for a balance between proactive defense, continuously learning and adapting to protect company assets, and reactive response, investigating, analyzing, and reporting on security incidents. The ACC and Policy Editor support proactive application enablement policies, while a complete set of monitoring and reporting tools lets companies analyze and report on the applications, users, and content traversing Palo Alto Networks next-generation firewalls.
App-Scope: App-Scope provides dynamic, user-customizable monitoring of application, traffic, and threat activity, complementing the real-time application and content view provided by the ACC.
Reports: Predefined reports can be used as is, customized, or combined into a single report to meet specific requirements. All reports can be exported to CSV or PDF format and can be run and emailed on a schedule.
Logging: Real-time log filtering helps administrators quickly identify and investigate every session on the network. Filtered log results can be exported to CSV files or sent to syslog servers for offline storage or further analysis.
Session tracing: A centralized, correlated view across all logs speeds up identification and incident investigation by showing whether a single session has related traffic, threat, URL, and application records.
GlobalProtect: No matter where you are, safety remains the same.
Applications are not the only force driving enterprise change. More and more end users simply want to connect to the network and work from any location on whatever device they choose. IT teams therefore struggle to extend security to devices and locations that may lie far beyond the enterprise's traditional protection boundary. GlobalProtect meets this challenge by extending a consistent security policy to all users, regardless of their location and device.
First, GlobalProtect ensures that all users connect securely through a transparent VPN that supports a range of devices, including Microsoft Windows, Apple Mac OS X, and Apple iOS. Once connected, the firewall classifies all of the traffic, applies the enablement policy, and scans the traffic for threats to protect both the network and the user.
In addition, GlobalProtect can apply further controls based on the state of the end user's device. For example, if the antivirus software on the device is out of date or disk encryption is not enabled, the user can be denied access to a specific application or to sensitive areas of the network. This lets IT teams safely enable applications across a range of end-user device types while keeping every device within the same next-generation security policy.

Palo Alto GlobalProtect