Next-Generation Firewall Demo

Watch how Palo Alto Networks Next-Generation Firewalls (NGFW) secure your business with a prevention-focused architecture. See how PAN-OS and integrated innovations like Threat Prevention, WildFire Malware Analysis, URL Filtering and DNS Security protect you against modern security threats like credential theft and data exfiltration.

To learn how our NGFWs simplify security and minimize risk, check out: https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall

TRANSCRIPT

Sam:

Thank you for joining our Palo Alto Networks next gen firewall capabilities demo. Our demo is geared towards network operations, data center and security administrators who have not seen our firewalls in action, or who may be using an older version and would like to see the new security features. Now, let's get right into the demo.

Nav:

Thanks Sam. We'll start with the login and dashboard. When we first sign into the user interface, we see the dashboard, which shows a summary of configuration, which is the device information here, and user information, which is about the admin, as you can see here. We want to start out our demo today by clicking on the ACC tab, which stands for Application Command Center. Our next gen firewall classifies all application traffic. It inspects the content within, it identifies users and it stops threats. The ACC provides this knowledge in an interactive, easy to use and visual way. This provides you with the ability to make informed security decisions. The first thing we notice in the ACC is a graphical depiction of all applications traversing the network. This is in the application usage section here, but we also see user activity by bytes sent and received. Now if we scroll down, we also see the source IP activity and destination IP activity.

Nav:

We also see the source regions and destination regions. This shows you a world map, showing you where traffic is coming from and where traffic is going. We also see GlobalProtect host information here. There is no data here because we do not have remote users in this demo, but if you do, this part will show you information about those remote users. You also see on the right here the rule usage, which is the rules that are allowing or blocking the maximum amount of traffic. So the ACC is like a 10,000 foot view of your network with the ability to quickly dive down to a more granular view. The ACC is a standard feature that does not require any additional licensing.

Sam:

Nav, can you walk us through an example of how an administrator would use the ACC to gain important insights into network and threat activity?

Nav:

Yes, great idea. This will show the true power of the ACC and how it connects all of the capabilities of the next gen firewall to provide actionable and intuitive data. The application usage graph at the top is front and center in the ACC; it shows all traffic grouped by applications. The tree map displays the applications by category, which is dark gray here, like general internet, networking, collaboration, and you also see application subcategories, which are lighter gray here: internet utility, file sharing, encrypted tunnel and so on.

Nav:

And the applications themselves are color coded by risk: red is risky, green is okay and so on. Below you see the top applications sorted by bytes. We can click on any category or application to drill down in more detail. Now let's click on general internet. Now we can see all applications associated with this category. We see web browsing taking up the majority of the bandwidth here, which is expected in a perimeter deployment like this, but Rapidshare is also taking up a large portion.

Sam:

Can you tell us a bit more about Rapidshare for those viewers who may be unfamiliar with the app?

Nav:

Sure. Let's hover over the value here. So if you hover over here and see the value, the pop-up here provides the answers. It provides us with a description of the application. It provides a category, lists the standard ports, a risk level, as well as things to look out for when dealing with this application. With our next gen firewalls, application identification is always on for all traffic, regardless of port, thanks to our App-ID technology. Now, let's drill down a little more. Let me click on Rapidshare here. Now we can see in detail all the traffic associated with Rapidshare in this widget. The large amount of bytes here might grab your attention.

Nav:

With another click we can promote the filter for further analysis. So you see this filter here, which says "Add global filter"? Let me click here. To promote a filter means to filter all global network traffic by this application. So what we've done now is applied this filter to all widgets in the ACC. You can see our filter string up here in the left navigation bar. And as you can see, we show all users of Rapidshare here, all IPs associated with this traffic, source and destination regions, and also the rules associated with Rapidshare. But for now, let's take a look at some user activity that catches our eye. Marsha Worth here is the number one user of Rapidshare in the last hour. Our User-ID capabilities enable us to identify users by name rather than just IP addresses. Let's take a closer look at Marsha's usage of Rapidshare by promoting this filter as well. And to promote the filter, I'll click "Add global filter" again here, and now we are filtering everything by Rapidshare as well as Marsha Worth.

Nav:

So when looking at the source IP activity, we see that all the Rapidshare traffic is coming from a desktop computer in the lab. Now I'm curious, so let's look at the regions. We also see that all the traffic is coming from headquarters, which is a set of internal IPs here, and it's going to several countries and regions here. Let's find out more.

Nav:

Let's look at rules. A large amount of this traffic, in fact all of this traffic, is coming from a rule called "Watch risky apps". We can now perform a very easy global search to find the instance of the watch risky apps rule in our rule base. Now click here and click "Global find". You'll see the security rule, and if I just hover over here, you will see the name of the rule and the definition of the rule without ever leaving the ACC tab. Looking at this definition, we can see that this is obviously an allow rule, but you may ask yourself if we should modify this rule to change the handling of Rapidshare traffic.

Sam:

So let's do a quick recap. So far we've established some knowledge that will help us toward making an informed decision. Marsha has been using Rapidshare. She transferred a lot of data from headquarters to several countries from a lab desktop, and it passed through a rule called "Watch risky apps".

Nav:

That's exactly right. Now, of course, it would also be interesting to see what else Marsha has been doing outside of Rapidshare. As you can see, we have our filter string from our activity on the left hand side of the screen. Now we could remove any filter here. Let's say we remove Rapidshare. By removing Rapidshare, we can quickly see all the activity of Marsha across all applications, and let me click "Home" here. Now you see all the applications that were being used by Marsha in the last hour. Within this application usage widget, we also see in the threats column that Marsha has encountered some threats.

Nav:

This is worth exploring. At this point we've only been using the network activity tab, but there are other tabs available as well. By default, the ACC will display the network, threat, blocked activity and tunnel activity tabs, so we can look at the threat activity tab to see threat activity by Marsha.

Nav:

In this tab we can see information about threat behavior across the network, such as hosts that are visiting malicious domains. You can see WildFire activity by file type, and we can see other information like applications using nonstandard ports. The same design convention empowers you to drill down into more detail, promote any item or utilize global filters to help find other instances of an event, host name or rule. In this section you can see valuable information about all kinds of threat activity in the network.

Nav:

Finally, let's select the blocked activity tab. In this tab you can find information about blocked applications, blocked users and blocked content, as well as information about which policies are actively blocking content. We can see Marsha's web activity. It was blocked a few times because of a threat, and the session was terminated. So at this point I also want to show you how you can customize the tabs we just used.

Nav:

You can add, move or remove widgets from each of the tabs, and you can create a fully custom tab. All the widgets displayed in the three or four default tabs can be used interchangeably, meaning you can tailor what the ACC displays for each user and role. You might even want to create a widget that is dedicated to watching Marsha's behavior or Rapidshare. Let's click on the "Plus" icon here and let me show you how this works. So you click "Add widget" and it'll show you all the additional widgets that may be available here. You can add those to your view and you can also customize that. So now we've gathered a lot of information about Marsha's application usage, her threat activity, and established which rule was triggered. This should be enough information for us to change the watch risky apps rule that we identified. To do this, let's once again click on the search icon in the top right corner, since it remembers our search, and this time, let me click this.

Nav:

This will take us directly to this rule and into the policies tab, so you can see this rule, and we are looking at the watch risky apps rule. Of course there are other rules in the policy tab. We are currently only seeing this one rule and a couple of others because we did a search for it. Let's bring up the other rules. Now I'm going to clear this filter so that it shows you all the rules, including watch risky apps.

Nav:

Now we can see all the rules in the evaluation order. In the policy tab, we empower you to manage and control applications in a single security rule base for next gen firewall, for URL filtering, threat prevention, advanced malware prevention, DNS security, data filtering and file blocking. This means you don't have to create and manage many different rule bases for all of these functions. Note that our rules are human readable, improving manageability significantly. You can read each rule from left to right and make sense of it. You can see which users have access to which destinations and applications, and how content is inspected. If I scroll here, you will see the source and destination here, and also see the applications. You can see what security profiles are applied, and we'll go into that in a little bit more detail. You will also see the rule usage for each rule and when that rule was last hit.

Nav:

This simplicity translates directly into fewer errors and improved security. You could now easily open up one rule and modify it. Now let me again open the watch risky apps rule. Let me do a search for that and look at the watch risky apps rule. The security policy rule here shows you all the elements of the rule, from the name to source, user, destination, application, URL category, as well as actions. If I click on "Application", it shows you the application categories and subcategories that it's using.

Nav:

The reason why Rapidshare is allowed is because file sharing includes Rapidshare, and that's how it's allowing all that traffic. Now what we can do, instead of relying on file sharing applications like this rule does, is list only the file sharing applications that are sanctioned or tolerated by our organization. That will block all of the file sharing applications that are unsanctioned. We call this a positive enforcement model, which explicitly defines which applications and application functions are allowed through your next gen firewall. This approach minimizes opportunities for attack, because you're not allowing unsanctioned applications that can be misused by attackers. Now you want to safely enable the applications that you do allow. For that, let's click the actions tab. On this tab, you can define the security profiles that must be applied to the traffic that is allowed by this rule, so that we can prevent any threats from coming in. As you can see, under profile setting, we have applied the best practice one group profile to this rule. Let's see what this profile is.

Nav:

To do that, let's go to Objects, and under Security Profiles, Security Profile Groups, let's look at all of these groups. You can see all the security profiles grouped together here: the antivirus profile, the anti-spyware profile, vulnerability protection, URL filtering, file blocking, data filtering, as well as the WildFire analysis profile. WildFire is our cloud-based advanced malware analysis system that uses multiple analysis techniques to detect new malware, including static analysis, dynamic analysis and bare metal analysis. The security profile group you see here was applied to our watch risky apps allow rule, so that any traffic that is allowed by the security rules is inspected and allowed only if it is safe. This is a best practice security profile group and can be applied to all the allow rules.

Nav:

This shows that with our next gen firewall you can apply not just application and user but also all these security capabilities in a single rule, which makes it simple to administer security and also to make changes.

Sam:

Let's pause for a quick recap. Nav, you were looking at overall network activity in the ACC and realized that Rapidshare was creating a significant amount of traffic. With just a few clicks, you showed how we could learn more about Rapidshare thanks to App-ID technology. You also found that Marsha was a primary user of the application. You were able to quickly identify Marsha by name, thanks to our User-ID capabilities. From the lab desktop computer, she was sending information to three regions. You also found that Marsha's computer was generating threat traffic. With just a few more clicks, you were able to examine the security rules.

Sam:

You also discussed how to modify them appropriately to ensure only sanctioned applications were allowed, while risky applications like Rapidshare are blocked. Did I get everything?

Nav:

Yes, I think you captured it all, good recap, Sam. Now let's take a look at some more capabilities of our next gen firewall, many of which are unique to Palo Alto Networks. One of these unique capabilities is the ability to prevent credential theft; let's see how. To do this, let me click "Cancel" here, go back to Objects and look at the URL filtering profiles. And let me show you one of these profiles, which is default. Here you see the URL filtering profile, which can be applied to any security rule on our next gen firewall. Let's look at the column named "User credentials submission".

Nav:

Notice that some of the categories are blocked, for example the command and control category. What this means is that if a user in your organization visits a phishing website, the next gen firewall will detect that the user is submitting valid corporate credentials to a URL that belongs in one of the blocked categories, like command and control, and will deny the transaction, even if you have an open internet policy and that particular website may in general be allowed in your organization. The user will see a message explaining why the transaction was blocked, which is that it was a phishing attempt.

Nav:

In addition, we also protect against any credentials that may get stolen despite your best efforts. In such cases, our next gen firewall can enforce multi-factor authentication, so that the attacker is unable to use the stolen credentials to access sensitive data. These are both unique capabilities of our next gen firewall, where we go much beyond identifying the user to protect the user's identity and protect the organization against misuse of stolen credentials. Now, since 80% or more of the total traffic is encrypted today, let's see how we can decrypt traffic without compromising privacy. For that, let me click "Cancel" here, go back to the policies tab and look at the decryption policies.

Nav:

And let me click "Add" here at the bottom, which will bring up a dialog box which shows you how to add a decryption policy rule. Here you can see information about the sources, the destination and URL category. Let's go through these. In this particular tab, what you can see is all the source users and groups from your Active Directory or from any user directory that you use. Here you can select the group whose traffic you want to start decrypting. For example, you could start by choosing the IT users group here, so that only their traffic is decrypted initially before you roll out decryption to the entire organization. You can also choose to decrypt traffic based on the URL category; let's see how. A best practice that we recommend to our customers is that you can decrypt traffic to the high risk category of URLs, which is shown here.

Nav:

Here we also allow a URL to be classified into multiple categories. For example, let's say a new website comes up which claims to do financial transactions. However, it is risky because it was registered less than 30 days ago and because of other indicators. By choosing the high risk category in this dropdown, you will be able to decrypt and inspect such high risk traffic even though that URL also belongs to a financial services URL category. The ability to categorize a URL into multiple categories is also a unique capability of our next gen firewall.

Sam:

So to recap, we saw how easy it is to selectively decrypt traffic based on user and URL category. This allows you to secure encrypted traffic safely and without compromising privacy.

Nav:

Exactly.

Sam:

Nav, can you spend a little time on the best way for our customers to get started with our NGFWs since so often they have hundreds or even thousands of existing rules?

Nav:

Sure. It's actually very easy. First, you will use a free tool called Expedition to move your rules to our next gen firewall. Expedition supports migrating from most competitive firewalls. After migrating your rules to our next generation firewall, you can use Policy Optimizer, an inbuilt tool, to safely move from port-based legacy rules to application-based rules, which are secure and simple. Let's see how we can do that. For that, I'm going to hit "Cancel" here, go back to policies and look at the security tab. And I'm going to click under Policy Optimizer here, which you see on the left hand navigation bar. I'm going to click "No app specified".

Nav:

This view shows you rules that do not use an application. In other words, these rules are based on ports. Since open ports can be easily misused by attackers, it is best to allow only sanctioned applications and block all other traffic. This reduces opportunities for attack. Let's see how we can achieve this. Let me choose a rule here and click the applications that have been seen on that port-based rule. We selected a rule here called "Workstation app default", which does not specify any applications. The Policy Optimizer automatically shows you all the applications that were detected matching this port-based rule.

Nav:

Perhaps this rule was created in the past for a sanctioned data center application, but it's used or misused by several applications, including Rapidshare. From this rule, you can choose the applications that are indeed sanctioned and create a new rule to allow only those applications. Let me choose a couple of applications here. By selecting these applications, if I wanted, I could easily create a new rule that only allowed IMAP and POP3 traffic, which is used for email, and block everything else, including Rapidshare. This would reduce opportunities for attack on your organization because you're not allowing unsanctioned applications.

Nav:

Let me show you another capability. The Policy Optimizer also shows you rules that are not being used and therefore may indicate over-provisioned access, which can be exploited by attackers. For example, this view shows you rules that have not been used in the last 30 days. You can monitor these rules and delete them once you're satisfied they're not in active use anymore. We also help you continuously monitor the adoption of best practices and give you a health assessment. Our customers use a free tool called "Best Practice Assessment" to create a heat map of their best practice adoption. Our customers run the tool regularly, let's say every quarter, to see the progress they are making towards adoption of best practices and improving their organization's cyber hygiene.

Sam:

Okay. Let's recap one last time. Nav, you talked about how our audience can migrate their rules from their existing firewall to our NGFW by using a tool called Expedition, and how our in-built tool Policy Optimizer helps them move from old port-based rules to new, more secure and simple app-based rules. You also discussed how we help them improve cyber hygiene.

Nav:

Right. And note that we are using our next gen firewall's management console in this demo. As you start deploying more next gen firewalls, you may want to transition to Panorama, our central manager. The good news is that your user experience stays exactly the same, whether you are managing a single firewall or you start managing multiple firewalls centrally.

Sam:

That's great, and that concludes our demo. If you'd like to see our next generation firewalls in action on your own network, request a complimentary Security Lifecycle Review at go.paloaltonetworks.com/NGFWdemoSLR. Thank you for your time.