New requirements
1. Identification of applications independent of port, protocol, SSL tunnel, …
2. Identification of users independent of IP addresses
3. Granular visibility into and control over access to applications and their functions
4. Real-time protection against attacks embedded in applications
5. Multi-gigabit, in-line deployment without performance loss
Next Generation Firewall™
Trust
• Founded in 2005 by security visionary Nir Zuk
• Built by security experts from CP, Netscreen, Juniper, McAfee, BlueCoat, Cisco, …
• $65 million in funding from top venture capital firms (Sequoia Capital, Greylock Partners, Globespan Capital Partners, …)
• Now over 1800 customers worldwide
• 9000 machines delivered
• Gartner: Top Visionary in the Gartner Quadrant!
Personal applications: IM, P2P, file sharing, web mail, social networks, …
Enterprise 2.0: project coordination, internal and external communication, free exchange of knowledge, a corporate culture of autonomous self-management of teams
The Palo Alto Networks solution uses four major technologies to identify applications.
Protocol decoders: These software constructs understand the application at the protocol level and provide contexts for the application. For example, the HTTP decoder knows that each HTTP request carries a Method and a Version. The decoders are also what detect a second protocol being tunneled within an existing session; this is called "Protocol in Protocol".
Protocol decryption: Secure Sockets Layer (SSL) communication is decrypted so that the inner content can be examined. This is done by the firewall acting as a man in the middle as the data crosses it.
Application signatures: Both stream and contextual signatures are used to identify the application or a change in application mode.
Heuristics: This system looks at overall patterns of communication to detect applications that are not suited to signature-based identification.
As an example of signature-based detection, consider WebEx. The initial connection is SSL-based. Protocol decoders and decryption detect that it is SSL, decrypt the SSL, and then detect that the inner traffic is HTTP. Once the decoder has the HTTP stream, the system can apply contextual signatures and determine that the application using the SSL/HTTP connection is WebEx. If the user then presses the button to start desktop sharing, the application undergoes a "Mode Shift": the session changes from a conferencing application to a remote access application. Application signatures detect this, and the session's application is updated to WebEx Desktop Sharing.
When traffic cannot be identified by the application decoders and signatures, the heuristics engine takes over. This engine looks at patterns of communication and attempts to identify the application from its network behavior. This type of detection is required for applications that use proprietary end-to-end encryption, such as Skype and encrypted BitTorrent.
Using the Known Good and Known Bad groups, three policies can be created. This configuration can be made more complex as needed, but the basic design is pictured above. The first rule allows all approved traffic. The second rule blocks all known bad traffic. Because rules are evaluated in order, this configuration lets the administrator block a category while still allowing a specific member of that category: for example, instant messenger applications can be blocked as a Filter in rule 2 while Yahoo Messenger is allowed as an Application in rule 1. The third rule catches all traffic that matches neither of the first two. Depending on the environment, the third rule can be a block or an allow; for organizations where security is the primary concern it should be a block, and any traffic that turns out to be needed can be added to rule 1. In any case, all traffic matching rule 3 must be logged and checked by the security team. Any application caught by the last rule needs to be examined, and a determination made as to whether it belongs in the Known Good or Known Bad group. Over time there should be very little traffic hitting the third rule. Ultimately this design should be compressed down to a single allow rule for the approved traffic, with all other applications denied by the implied deny-all at the end of the policy set.
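The following is an added example, not Palo Alto Networks code: a minimal model of the three-rule policy above, evaluated first-match, that also re-evaluates a session when its identified application changes (the WebEx "Mode Shift" described earlier). The application catalogue, rule contents and log are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed application catalogue: App-ID name -> category.
APP_CATEGORY = {
    "yahoo-messenger": "instant-messaging",
    "msn-messenger": "instant-messaging",
    "webex": "conferencing",
    "webex-desktop-sharing": "remote-access",
    "bittorrent": "peer-to-peer",
    "unknown-tcp": "unknown",
}

@dataclass
class Rule:
    name: str
    action: str                           # "allow" or "block"
    apps: frozenset = frozenset()         # explicit Applications (rule 1 style)
    categories: frozenset = frozenset()   # category Filters (rule 2 style)
    match_all: bool = False               # catch-all (rule 3 style)

    def matches(self, app: str) -> bool:
        return (self.match_all or app in self.apps
                or APP_CATEGORY.get(app, "unknown") in self.categories)

# Rule 1: Known Good; rule 2: Known Bad filter; rule 3: catch-all, set to block.
POLICY = [
    Rule("known-good", "allow", apps=frozenset({"yahoo-messenger", "webex"})),
    Rule("known-bad", "block",
         categories=frozenset({"instant-messaging", "peer-to-peer"})),
    Rule("catch-all", "block", match_all=True),
]

def evaluate(app: str, policy=POLICY, log=None):
    """First-match evaluation. Catch-all hits are appended to `log` so the
    security team can review them; with no catch-all, the implied deny applies."""
    for rule in policy:
        if rule.matches(app):
            if rule.match_all and log is not None:
                log.append(app)
            return rule.name, rule.action
    return "implied-deny", "block"

def session_decisions(app_sequence, policy=POLICY, log=None):
    """Re-evaluate a session every time App-ID changes (a mode shift)."""
    return [evaluate(app, policy, log) for app in app_sequence]
```

Yahoo Messenger is allowed by rule 1 even though its category is blocked by rule 2, and the WebEx session is allowed until the shift to desktop sharing drops it through to the catch-all.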
Unified = unified/standardized
The design of the Palo Alto Networks firewall allows for a variety of deployment options. Some simple examples include:
Application visibility: Using tap mode interfaces, the device can be connected to a core switch's SPAN port to identify the applications running on the network. This option requires no changes to the existing network design. In this mode the device cannot block any harmful traffic, nor can it decrypt SSL connections, so it typically leads to one of the following deployment types.
Transparent in-line: Using Vwire interfaces, the device can be inserted into an existing topology without any reallocation of network addresses or redesign of the network topology. In this mode all of the protection and decryption features of the device can be used.
Firewall replacement: Using L3 interfaces, the device can take the place of any current enterprise firewall deployment.
A unique advantage of the device is the ability to mix and match these interface types on a single chassis. The same system can serve in an application visibility role for one portion of the network while sitting in line with another.