Do you have a state-of-the-art firewall from Palo Alto Networks today?
In this rapidly evolving technological world, it is crucial to check whether your firewall can still face current and future threats. Our Palo Alto experts have created a checklist with 7 items to help you protect your organization.
Modern malware is highly targeted and evasive; new malware families are designed specifically to evade detection. Their goal is to penetrate the network perimeter and then move laterally across the organization, extracting data as they spread while remaining invisible to traditional network defenses.
1. Complete visibility
You can’t prevent what you can’t see. Full visibility into the mobile, network and cloud environment, across all traffic (encrypted or not), is essential. Your Palo Alto firewall analyses all traffic to provide that visibility with its Single Pass architecture, which allows for predictable performance. This extends to all mobile devices with the GlobalProtect feature. IoT Security provides full visibility of all devices connected to your network.
2. Reduce attack surface
Use a positive enforcement model to reduce the attack surface. This means only letting through traffic that is allowed by policy, including granting access only to the required functions of an application, and denying everything else. Furthermore, you should enforce multi-factor authentication where needed or where identity theft is suspected. DNS Security reduces the risk of malware abusing the DNS protocol. IoT Security can learn the behavior of IoT devices and derive security policies on the Palo Alto Networks firewall.
3. Prevent known threats
You can’t let a known piece of malware or spyware traverse your environment, or let your endpoints communicate with known-malicious sites. Palo Alto Networks’ Threat Prevention and URL Filtering features provide those prevention capabilities. Palo Alto Networks’ MineMeld allows that knowledge to be extended with third-party feeds.
4. Prevent unknown threats
You must stop new threats as quickly as possible: find the unknown threat, reveal it, make it known, and stop it everywhere through automated updates. The Palo Alto Networks WildFire feature provides that prevention capability for files. On the DNS side, DNS Security reveals when DNS is misused to tunnel data or used by malware to communicate with its command-and-control server.
Palo Alto Networks provides multiple protection features to cope with threats on each of the four levels mentioned above:
The Threat Prevention subscription protects the network from advanced threats by identifying and scanning all traffic – applications, users, and content – across all ports and protocols with predictable performance.
It includes a full-featured IPS that lets you define vulnerability-matching rules within a next-generation policy, and you can add anti-malware scanning when and where required. Furthermore, Threat Prevention provides command-and-control protection through pattern definitions of known botnets. Analysis of DNS queries for botnet patterns and sinkholing technology prevent that traffic from getting through.
You can enforce web browsing policies (per-device subscription for unlimited users) with Palo Alto Networks’ URL Filtering subscription. This subscription enables the enforcement of an acceptable use policy and the blocking of threat sites, e.g., known malware, phishing or proxy-avoidance sites.
Palo Alto Networks’ Firewall enables the definition of policies which allow a positive security paradigm. This means only allowing access to data through authorized applications for authorized users and only for the required content type. This can be combined with the decryption policy which leaves privacy-sensitive categories encrypted.
Protection from previously unknown threats (Zero-Day threats, APTs) can be provided through the WildFire feature. WildFire is a cloud-based advanced threat intelligence service that identifies unknown malware, Zero-Day exploits, and advanced persistent threats (APTs) through static and dynamic analysis in a scalable, virtual environment. Through updates, WildFire automatically generates malware, URL and DNS signatures and distributes them in seconds to all global, WildFire-subscribed Palo Alto Networks platforms. For PE files (exe, dll, PowerShell), ML-based static analysis is done on the firewall itself, with no need to upload to the cloud, which lowers the risk of a patient zero on your network.
Protection from previously uninspected DNS traffic can be provided through the DNS Security subscription. DNS Security is a cloud-based advanced DNS analysis service that reveals DNS tunneling and command-and-control connections over DNS. More than 80% of malware abuses DNS to communicate and to extract data. Static lists of known-bad DNS requests are not sufficient to stop these threats, as adversaries use DGAs (Domain Generation Algorithms) to create thousands of domains in short periods of time. Also, the IPs that these domains resolve to are changed rapidly by the adversaries to avoid detection by static lists. The DNS Security service is cloud native so that it has the capacity to analyze DNS requests and reveal abuse of DNS communication in real time.
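The two DNS abuse patterns named above, DGA-generated domains and tunneling over DNS, can both be surfaced with simple heuristics on query logs. The following is an added example written for this article, not Palo Alto Networks' DNS Security logic: it scores the registrable label of each queried name for length, character entropy and vowel ratio (a cheap DGA indicator), and counts how many distinct long subdomain labels are sent to the same domain (a cheap tunneling indicator). The log lines, thresholds and the "last two labels" notion of a registrable domain are all constructed assumptions; a real implementation would use the Public Suffix List and tuned thresholds.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log, format "<time> <client-ip> <query-name>".
# The names are invented for this example and are not real indicators.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com
10:00:02 10.0.0.5 mail.example.com
10:00:03 10.0.0.7 xk3qz9vbw2lp7r.net
10:00:04 10.0.0.7 q8zv2kx1mnp4wt.net
10:00:05 10.0.0.7 zp9x4kqv7rwm2b.net
10:00:06 10.0.0.9 4d8e2f1a9c0b7e6f3a2d1c0b.tunnel-example.org
10:00:07 10.0.0.9 9f1e3d2c4b5a6978e0d1c2b3.tunnel-example.org
10:00:08 10.0.0.9 a1b2c3d4e5f60718293a4b5c.tunnel-example.org
10:00:09 10.0.0.5 cdn.example.com
"""

# Heuristic thresholds (assumptions chosen for this example).
DGA_MIN_LEN = 10            # short labels are too ambiguous to score
DGA_MIN_ENTROPY = 3.5       # bits per character; natural words sit well below this
DGA_MAX_VOWEL_RATIO = 0.2   # random strings are vowel-poor
TUNNEL_MIN_LABEL_LEN = 20   # encoded payloads produce long leftmost labels
TUNNEL_MIN_UNIQUE = 3       # how many distinct long labels before we flag a domain


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(name: str):
    """Return (subdomain, registrable_label, registrable_domain).
    Assumption: the registrable domain is the last two labels."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", labels[0], labels[0]
    return ".".join(labels[:-2]), labels[-2], ".".join(labels[-2:])


def looks_like_dga(label: str) -> bool:
    """Long, high-entropy, vowel-poor second-level label."""
    if len(label) < DGA_MIN_LEN:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (shannon_entropy(label) >= DGA_MIN_ENTROPY
            and vowels / len(label) <= DGA_MAX_VOWEL_RATIO)


def analyze(log_text: str) -> dict:
    """Return {'dga': set of suspected DGA domains, 'tunneling': set of
    domains receiving many distinct long subdomain labels}."""
    dga = set()
    long_labels = defaultdict(set)  # registrable domain -> distinct long leftmost labels
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, _client, qname = parts
        sub, label, domain = split_name(qname)
        if looks_like_dga(label):
            dga.add(domain)
        leftmost = sub.split(".")[0] if sub else ""
        if len(leftmost) >= TUNNEL_MIN_LABEL_LEN:
            long_labels[domain].add(leftmost)
    tunneling = {d for d, labels in long_labels.items()
                 if len(labels) >= TUNNEL_MIN_UNIQUE}
    return {"dga": dga, "tunneling": tunneling}


if __name__ == "__main__":
    verdict = analyze(SAMPLE_LOG)
    print("suspected DGA domains:", sorted(verdict["dga"]))
    print("suspected tunneling domains:", sorted(verdict["tunneling"]))
```

Both checks are deliberately per-name or per-domain, so they run on a single firewall's log without any cloud lookup; the trade-off is that a tunneling domain is only flagged after several queries, which is why the article's point about a cloud-native service with a global view still stands.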
The IoT subscription brings insights into the IoT/OT devices on your network. Leveraging the existing Palo Alto Networks firewalls, it provides visibility and security for those IoT devices: information about their operating system, vulnerabilities, weak security configuration and traffic behavior. It adds the possibility to accept observed traffic behavior and to create policies based on device-id on the Palo Alto Networks firewalls. As more and more IoT devices such as security cameras, consumer electronics, energy management, IP phones, printers, … become connected, they become a risk to the company. IoT Security is cloud based and can interact with Network Access Control devices to further automate the security posture of the network when unknown or unsecure devices are deployed, protecting your business.
GlobalProtect extends the protection of the firewall to users wherever they are. This includes App-ID, SSL decryption, Threat Prevention, URL Filtering, File Blocking and unknown threat protection with WildFire.
By using GlobalProtect, you can consistently enforce security policies. This includes the protection of users that leave the building, the use of tablets or smartphones as well as Linux endpoints. Furthermore, for external users, a clientless portal can be used to provide access to applications.
GlobalProtect checks the endpoint to get an inventory of how it’s configured and builds a host information profile that’s shared with the Next-Generation Firewall. The Next-Generation Firewall uses the host information profile to enforce application policies that only permit access when the endpoint is properly configured and secured.
Split tunneling based on the destination domain, client process, and video streaming application can be implemented with that subscription.
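The positive enforcement model from section 2 and the host-information-profile check described just above combine into one rulebase: each rule names the user group, the application, the application functions it grants, and optionally the endpoint attributes that must hold; anything that matches no rule falls into an implicit deny. The following is an added illustration written for this article, not PAN-OS policy code or its matching algorithm. The rule names, user groups, application and function names, and the HIP attributes (`disk_encrypted`, `av_running`) are all constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Flow:
    """One connection attempt as the firewall sees it after application and
    user identification. All values are constructed for this example."""
    user_group: str
    app: str
    function: str   # the application function in use, e.g. "download"
    hip: dict       # host information profile reported by the endpoint agent


@dataclass
class Rule:
    name: str
    user_groups: frozenset          # who the rule applies to
    app: str                        # the single application it permits
    functions: frozenset            # permitted functions, or {"*"} for all
    required_hip: dict = field(default_factory=dict)  # attribute -> required value


# Constructed rulebase: only these rules allow anything; everything else is denied.
RULES = [
    Rule("finance-sharepoint-read", frozenset({"finance"}), "sharepoint",
         frozenset({"browse", "download"}),
         {"disk_encrypted": True, "av_running": True}),
    Rule("all-staff-web", frozenset({"finance", "engineering"}), "web-browsing",
         frozenset({"*"})),
]


def hip_matches(required: dict, reported: dict) -> bool:
    """Every attribute the rule requires must be present and equal on the host."""
    return all(reported.get(key) == value for key, value in required.items())


def evaluate(flow: Flow, rules=RULES) -> tuple:
    """First-match evaluation. A flow that matches no allow rule hits the
    implicit deny, which is what makes this a positive enforcement model."""
    for rule in rules:
        if flow.user_group not in rule.user_groups:
            continue
        if flow.app != rule.app:
            continue
        if "*" not in rule.functions and flow.function not in rule.functions:
            continue
        if not hip_matches(rule.required_hip, flow.hip):
            continue
        return ("allow", rule.name)
    return ("deny", "implicit-deny")


# Constructed traffic samples covering each way a flow can fail to match.
COMPLIANT = {"disk_encrypted": True, "av_running": True}
NONCOMPLIANT = {"disk_encrypted": False, "av_running": True}

SAMPLE_FLOWS = [
    Flow("finance", "sharepoint", "download", COMPLIANT),     # allow
    Flow("finance", "sharepoint", "upload", COMPLIANT),       # deny: function not granted
    Flow("engineering", "sharepoint", "browse", COMPLIANT),   # deny: group not granted
    Flow("finance", "sharepoint", "browse", NONCOMPLIANT),    # deny: HIP check fails
    Flow("engineering", "web-browsing", "browse", {}),        # allow: no HIP required
    Flow("finance", "ssh", "session", COMPLIANT),             # deny: no rule for the app
]


def run_samples(flows=SAMPLE_FLOWS) -> list:
    """Evaluate every sample flow and return the list of (action, rule) verdicts."""
    return [evaluate(flow) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run_samples()):
        print(f"{flow.user_group:12} {flow.app:13} {flow.function:9} -> {verdict}")
```

Note that the HIP failure in the fourth sample does not fall through to a less restrictive rule: the only other rule is for a different application, so the non-compliant endpoint ends in the implicit deny, which is the behaviour the article describes.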
MineMeld is an open-source application that streamlines the aggregation and sharing of threat intelligence.
MineMeld automates the process of digging for indicators from threat feeds and of packaging the information into a variety of formats you can use with different security platforms.
Those feeds can be commercial or open-source threat feeds, or even a way to integrate volatile information such as the Office 365 URLs and IPs currently in use.
This information is useful to enrich existing security policies.
This can be done by blocking bad websites or DNS domains, as well as by defining dynamic address groups in policies or feeding external dynamic lists of IPs.
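The aggregation step MineMeld performs, taking several loosely formatted feeds and producing a clean list the firewall can consume as an external dynamic list, looks like the following in miniature. This is an added example written for this article, not MineMeld's own code: it normalizes each line (stripping comments), validates it as an IP address, CIDR range or domain name, deduplicates, drops anything on an internal allowlist, and renders one indicator per line. The two feeds and the allowlist are constructed from documentation address ranges and invented names; the one-entry-per-line output shape is the assumption made here about what the firewall fetches.

```python
import ipaddress
import re

# Constructed feeds in the loose formats real feeds arrive in. The addresses are
# documentation ranges and the names are invented; none are real indicators.
FEED_A = """\
# vendor-a ip feed
203.0.113.10
203.0.113.10
198.51.100.0/24
bad-domain.example
not an indicator
"""
FEED_B = """\
203.0.113.10 ; seen again
192.0.2.77
www.bad-domain.example
evil.example.net
"""

# Constructed allowlist: addresses that must never be blocked, whatever a feed says.
INTERNAL_ALLOWLIST = frozenset({"192.0.2.77"})

# Lower-case hostname: labels of 1-63 chars, alphabetic TLD, no leading hyphen.
DOMAIN_RE = re.compile(r"^(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def parse_entry(raw: str):
    """Return ("ip", value) or ("domain", value), or None for non-indicator lines.
    Comments introduced by '#' or ';' are stripped first."""
    token = raw.split("#", 1)[0].split(";", 1)[0].strip().lower()
    if not token:
        return None
    try:
        net = ipaddress.ip_network(token, strict=False)
        # Single hosts are emitted bare; ranges keep their prefix length.
        value = str(net.network_address) if net.num_addresses == 1 else str(net)
        return ("ip", value)
    except ValueError:
        pass
    if DOMAIN_RE.match(token):
        return ("domain", token)
    return None


def _ip_sort_key(entry: str):
    net = ipaddress.ip_network(entry, strict=False)
    return (net.version, net)   # keeps IPv4 and IPv6 from being compared directly


def aggregate(feeds, allowlist=frozenset()) -> dict:
    """Merge feeds into deduplicated, sorted 'ip' and 'domain' lists."""
    ips, domains = set(), set()
    for feed in feeds:
        for line in feed.splitlines():
            parsed = parse_entry(line)
            if parsed is None:
                continue
            kind, value = parsed
            if value in allowlist:
                continue
            (ips if kind == "ip" else domains).add(value)
    return {"ip": sorted(ips, key=_ip_sort_key), "domain": sorted(domains)}


def render_edl(entries) -> str:
    """One indicator per line, the shape assumed here for an external dynamic list."""
    return "\n".join(entries) + "\n"


if __name__ == "__main__":
    lists = aggregate([FEED_A, FEED_B], INTERNAL_ALLOWLIST)
    print("--- ip list ---")
    print(render_edl(lists["ip"]), end="")
    print("--- domain list ---")
    print(render_edl(lists["domain"]), end="")
```

The allowlist check is the part worth copying: a feed that accidentally contains one of your own addresses would otherwise be turned into a block rule by the same automation that makes the feed useful.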
Orange Cyberdefense has defined a specific work package for customers that wish to implement the MineMeld solution.
Do you know the latest features of your Palo Alto Networks firewall? Can your Palo Alto Networks firewall support the latest PAN-OS version?