Enterprise networks are rife with applications that can evade detection. Common methods include dynamically hopping ports, re-using other ports, emulating other applications or tunneling inside SSL. The use of evasive applications has not gone unnoticed by attackers as they increasingly use these invisible applications to transport threats past the firewall. Content-ID melds a uniform threat signature format, stream-based scanning and a comprehensive URL database with elements of application visibility to detect and block a wide range of threats, control non-work related web surfing, and limit unauthorized file and data transfers.
- Vulnerability prevention (IPS): Palo Alto Networks offers complete protection from all types of network-borne threats, including traditional vulnerability exploits as well as a new generation of hybrid and multi-vector threats. The Palo Alto Networks intrusion prevention features have been independently validated to have stellar IPS accuracy (93.4% catch rate) while simultaneously maintaining datasheet performance metrics. The full NSS report can be found here. The solution blocks known and unknown network and application-layer vulnerability exploits, buffer overflows, DoS attacks and port scans from compromising and damaging enterprise information resources. IPS mechanisms include:
- Protocol decoders and anomaly detection
- Stateful pattern matching
- Statistical anomaly detection
- Heuristic-based analysis
- Blocking of invalid or malformed packets
- IP defragmentation and TCP reassembly
- Custom vulnerability and spyware phone home signatures
Traffic is normalized to eliminate invalid and malformed packets, while TCP reassembly and IP defragmentation are performed to ensure the utmost accuracy and protection despite attack evasion techniques.
- Stream-based Virus Scanning: Virus and spyware prevention is performed through stream-based scanning, a technique that begins scanning as soon as the first packets of the file are received as opposed to waiting until the entire file is loaded into memory to begin scanning. This means that performance and latency issues are minimized by receiving, scanning, and sending traffic to its intended destination immediately without having to first buffer and then scan the file. Key antivirus capabilities include:
- Protection against a wide range of malware, including HTML and JavaScript viruses, spyware downloads, spyware phone-home traffic, Trojans, etc.
- Inline stream-based detection and prevention of malware embedded within compressed files and web content.
- Leverages SSL decryption within App-ID to block viruses embedded in SSL traffic.
- URL Filtering: Complementing the threat prevention and application control capabilities is a fully integrated, on-box URL filtering database consisting of 20 million URLs across 76 categories that enables IT departments to monitor and control employee web surfing activities. The on-box URL database can be augmented to suit the traffic patterns of the local user community with a custom, 1 million URL database. URLs that are not categorized by the local URL database can be pulled into cache from a hosted, 180 million URL database. In addition to database customization, administrators can create custom URL categories to further tailor the URL controls to suit their specific needs. URL filtering visibility and policy controls can be tied to specific users through the transparent integration with enterprise directory services (Active Directory, LDAP, eDirectory) with additional insight provided through customizable reporting and logging.
- Data leak prevention: Administrators can implement several different types of data leak prevention policies to reduce the risk associated with unauthorized file and data transfer. The transfer of files can be controlled by looking deep within the payload to identify the file type (as opposed to looking only at the file extension) and allowing or blocking according to the policy. Loss of confidential data such as credit card numbers or Social Security numbers (SSNs) can be controlled by detecting data patterns in the application flow and responding according to the policy.
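The two data leak prevention checks just described, payload-based file type identification and data pattern matching, as an added Python example that is not Palo Alto Networks code. The small magic-number table, the Luhn filter on card-number candidates and the sample upload and text are assumptions constructed for illustration.

```python
# Added example (not Palo Alto Networks code): the core logic of two DLP checks,
# true file type from payload bytes, and sensitive data patterns in a flow.
import re

# Minimal magic-number table (assumption: a real engine carries far more).
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",           # also docx/xlsx/pptx/jar containers
    b"MZ": "exe",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x7fELF": "elf",
}

def sniff_type(payload: bytes) -> str:
    """Identify the file type from leading bytes, ignoring the claimed name."""
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    return "unknown"

def extension_mismatch(filename: str, payload: bytes) -> bool:
    """True when the payload's real type disagrees with the name's extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    real = sniff_type(payload)
    # Office documents and jars are zip containers; that pairing is consistent.
    if real == "zip" and ext in {"zip", "docx", "xlsx", "pptx", "jar"}:
        return False
    return real != "unknown" and real != ext

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on 16-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")   # 16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def find_sensitive(text: str) -> dict:
    """Count Luhn-valid card numbers and SSN-shaped patterns in a flow."""
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    return {"cards": len(cards), "ssns": len(SSN_RE.findall(text))}

# Constructed samples: an executable renamed to look like a PDF, and a chat line
# holding one valid test card number, one SSN pattern and one non-Luhn number.
SAMPLE_UPLOAD = ("report.pdf", b"MZ\x90\x00" + b"\x00" * 60)
SAMPLE_TEXT = "card 4111 1111 1111 1111, ssn 123-45-6789, ref 1234567890123456"
```

Run stand-alone, `extension_mismatch(*SAMPLE_UPLOAD)` returns True and `find_sensitive(SAMPLE_TEXT)` returns one card and one SSN, the second 16-digit number being rejected by the Luhn check.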
Content-ID takes full advantage of Palo Alto Networks SP3 Architecture to deliver high performance threat prevention without impeding traffic.