All Layers Are Not Created Equal

May 01, 2019


How the Principles of Journalism Help Define Zero Trust Policy

Everyone knows that in order for a news article, blog post or white paper to have any credibility, a writer needs to cover the “who, what, where, when, why and how” of the topic. Without covering these things, the reader is left with a partial story. We can credit Rudyard Kipling for clearly defining these journalistic essentials for us:


I keep six honest serving-men

(They taught me all I knew);

Their names are What and Why and When

And How and Where and Who.


-Rudyard Kipling, Just So Stories, 1902


However, the usefulness of this “Kipling Method” extends far beyond journalistic best practices. For years, I have used the Kipling Method to help companies define policy and build Zero Trust networks. It ensures that security teams are thorough in their definitions and that anyone, including non-technical business executives, can understand cybersecurity policies due to the simplicity of the approach. Given that the first design principle of Zero Trust is to focus on business objectives, this method is particularly useful.


Policy at Layer 3 vs. Policy at Layer 7

In order to actually apply the Kipling Method and build a real Zero Trust architecture, you need to understand why it cannot be done with Layer 3 technologies.

First, what is the difference between Layer 3 and Layer 7? Layer 3 is the layer where information is evaluated based only on IP address, port or protocol. It is severely limited by the lack of information that can be seen. IP addresses can be spoofed. Simple port scans will uncover all the open ports, so the attacker can encapsulate stolen data and exfiltrate it across the open port. The protocol is really just a metadata tag to help the administrator understand the type of traffic that is supposed to be traversing a specific port. Most importantly, ALL adversaries know how to bypass Layer 3 controls. You need to be able to define things with higher fidelity to keep your company secure.

Layer 7 is much more specific. It is where information is evaluated based on the actual application that’s being used (for example, defining Facebook as a unique application rather than traffic running across ports 80 and 443). While at Forrester, I created a five-step methodology to a Zero Trust network. The fourth step states that you need to write policy rules for your segmentation gateway based on the expected behavior of the data and the user or applications that interact with that data. This is what the Palo Alto Networks Next-Generation Firewall, serving as a segmentation gateway in a Zero Trust environment, allows you to do, and due to the granularity of the policy, it can only be done at Layer 7.


Applying the Kipling Method Using the Palo Alto Networks Next-Generation Firewall

Here’s how you can apply the Kipling Method when deploying the Palo Alto Networks Next-Generation Firewall, using our revolutionary User-ID, App-ID and Content-ID technologies:

  • User-ID becomes a WHO statement: “Who is accessing a resource?”

User-ID is a Layer 7 instantiation of the approximation given by the source IP address. For example, we can grab OUs from Active Directory to pull domain users into a custom User-ID. We can then add things like multifactor authentication (MFA) or the Host Information Profile (HIP) from our GlobalProtect client to enrich the fidelity of the “Who” statement. We can also add MFA to a User-ID and an additional attribute for more granular control.

  • App-ID becomes a WHAT statement: “What application is being used to access the resource?”

Palo Alto Networks currently has more than 2800 published App-IDs (visit Applipedia to see the growing list) to be used in building these rules. This means that attackers can no longer use a generic application, such as web services (HTTP/HTTPS), to bypass the security control.

  • Content-ID becomes a HOW statement: “How should the User-ID and App-ID traffic be allowed to access a resource?”

Content-ID includes Threat Prevention rules, our advanced intrusion prevention capability; SSL Decryption so that malicious traffic and stolen data can’t hide inside of encrypted tunnels; URL Filtering so that users don’t go to malicious or phishing domains; WildFire, our state-of-the-art sandbox technology that redefines the way malware is stopped; and our new DNS Security service, which applies predictive analytics for automated protections to thwart attacks that use DNS.

With these three technologies defining WHO, WHAT and HOW statements, a basic Kipling Method Layer 7 rule can be easily defined and then implemented using our Panorama management system. Additionally, PAN-OS has the ability to add a WHEN statement (a time-delineated rule); a WHERE statement, which is the location of the resource (this can often be automatically pulled into Panorama via an API); or a WHY statement by reading metadata from a data classification tool and using that in the rule.
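A minimal Python model of the rule shape described above, set beside a Layer 3 match on the same traffic. This is an added example, not Palo Alto Networks code or PAN-OS syntax; every name, address, user, application label and profile label in it is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Flow:                  # constructed model of one session, not a PAN-OS object
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    user: str                # identity mapped to the source address
    mfa: bool                # whether that identity completed MFA
    app: str                 # application identified from the traffic itself
    at: time                 # time of day the session started

# Layer 3 style rule: address, port and protocol only.
L3_RULE = {"src": {"10.1.20.15"}, "dst": "10.9.0.5", "port": 443, "proto": "tcp"}

# Kipling Method rule: one entry per question (all values hypothetical).
KIPLING_RULE = {
    "who":   {"users": {"finance\\alice"}, "mfa": True},
    "what":  {"erp-web"},
    "when":  (time(8, 0), time(18, 0)),
    "where": {"10.9.0.5"},
    "why":   "finance-records",   # data classification tag on the resource
    "how":   ["threat-prevention", "ssl-decryption", "url-filtering"],
}

def l3_allows(flow, rule=L3_RULE):
    return (flow.src_ip in rule["src"] and flow.dst_ip == rule["dst"]
            and flow.dst_port == rule["port"] and flow.proto == rule["proto"])

def kipling_decide(flow, resource_tags, rule=KIPLING_RULE):
    """Return ("allow", inspection profiles) or ("deny", first failed question)."""
    who = rule["who"]
    checks = [
        ("who",   flow.user in who["users"] and (flow.mfa or not who["mfa"])),
        ("what",  flow.app in rule["what"]),
        ("when",  rule["when"][0] <= flow.at <= rule["when"][1]),
        ("where", flow.dst_ip in rule["where"]),
        ("why",   resource_tags.get(flow.dst_ip) == rule["why"]),
    ]
    for question, ok in checks:
        if not ok:
            return ("deny", question)
    return ("allow", rule["how"])   # HOW: profiles the allowed session must pass

TAGS = {"10.9.0.5": "finance-records"}   # constructed classification lookup
LEGIT = Flow("10.1.20.15", "10.9.0.5", 443, "tcp", "finance\\alice", True, "erp-web", time(10, 30))
# Identical address/port/protocol, but the traffic is not the expected application.
TUNNEL = Flow("10.1.20.15", "10.9.0.5", 443, "tcp", "finance\\alice", True, "unknown-tcp", time(10, 30))
```

Both sample flows satisfy `l3_allows`, while `kipling_decide` allows only the first and reports which question the second one failed, which is the answer an auditor or business owner can read without knowing ports.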


The Kipling Method has been designed to help both business leaders and security administrators define granular, Layer 7 policies using the simple who, what, when, where, why and how methodology given to us by Rudyard Kipling. Individuals who have never considered writing firewall policy can easily understand this methodology and help define the criteria necessary to create a rule set for your segmentation gateway.

