Implementation of the Palo Alto Networks Firewall (PA-EDU-201 rev b)
• Day 1
1. Introduction
2. Firewall Deployment
3. Application Control
4. Content Identification
5. User Identification
• Day 2
6. SSL Decryption
7. VPN
8. Advanced Deployment Options
9. Management
10. Data Mining
Port-based firewall (diagram): • Port 6681 • Blocked
Page 4 | © 2009 Palo Alto Networks. Proprietary and Confidential 3.0-a Page 5 | © 2009 Palo Alto Networks. Proprietary and Confidential 3.0-a
Hardware architecture (diagram)
Dedicated Control Plane
• Highly available mgmt
• High speed logging and route updates
Matching HW Engine
• Palo Alto Networks’ uniform signatures
• Multiple memory banks – memory bandwidth scales performance
Multi-Core Security Processor
• High density processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec)
Network Processor
• Front-end network processing offloads security processors
• Hardware accelerated route lookup, MAC lookup and NAT
Specs
• 250M FW / 100M VPN / 100M threat
• 50,000 sessions
• 250 VPN tunnels
• 8 copper gigabit interfaces
• Runs PAN-OS 3.0 and later
General hardware
• 1U rackmountable
• Single non-modular power supply
• 80G hard drive
• Dedicated mgmt port
• RJ-45 console port
Single Pass
• Operations once per packet
- Traffic classification (app identification)
• Application, user and content visibility without inline deployment
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
• Security Zones
• L3 Interface Configuration
• Virtual Routers
• Security Policy Basics
• NAT Policy
• Zones represent networks of differing trust levels
• An Interface must be in a Security Zone
• A Security Zone can have multiple Interfaces
Zone and virtual router diagram: zones DMZ and Internet; Vrouter A with DMZ network 192.168.100.0
L3 interface configuration (screenshot fields): Interface Type, Select Interface, IP Address, Virtual Router, Zone, IP Address Range, Lease Options
• All traffic going between security zones requires an allow policy
• The policy list is evaluated from the top down
• The first rule that matches the traffic is used
• No further rules are evaluated after the match
Policy objects
• Address Objects
- Hosts (/32 mask)
- Networks
- Can be named
- Can be added to groups
• Users
• Applications
- Represent content
- Includes Static and Dynamic Groups
• Services
- Represent L4 addresses
NAT diagram: • Private IPs • Public IPs
• Pre NAT – From L3-trust -> L3-untrust
  SA          DA          SP     DP
  10.1.1.47   4.2.2.2     43778  80
• Post NAT – From L3-trust -> L3-untrust
  SA          DA          SP     DP
  64.3.1.22   4.2.2.2     1031   80

• Pre NAT – From L3-untrust -> L3-untrust
  SA          DA              SP     DP
  12.67.5.2   64.10.11.103    5467   80
• Post NAT – From L3-untrust -> L3-trust
  SA          DA              SP     DP
  12.67.5.2   192.168.10.100  5467   80
• What is an Application?
• Application Control Center (ACC)
• Application Identification
• Single Pass Architecture and Packet Flow
• Application groups and Filters
• Security Policy Examples
• Application Override Policy
What is an Application? (examples shown: GMail, GTalk, Google Calendar, iGoogle)
Application Control Center (ACC): central location to view the state of the Network
Application Identification (diagram): Application Signatures, Protocol Decoders, Mode shift (detect applications initiating Webex desktop sharing), Heuristics; applications shown: Lotus Notes, eMule, UltraSurf, Encrypted Bittorrent
Packet flow (diagram): Initial Packet Processing – Source Zone / Address, Forwarding Lookup, Destination Zone, NAT Policy
Single pass classification (diagram, packet hex dumps not reproduced): • Destination Address • Destination Port • Application Data; TCP syn, syn ack, ack, then HTTP get; application identified as Meebo
Application groups (diagram): Individual Application, Static Group
Security Policy Examples
• First rule allows specific good applications
• Second rule blocks applications that are obviously unwanted
• Third rule catches all other applications – could be allow or block based on environment
Application Override Policy
• Application Override
- Bypasses App ID for internal port based applications
• Customizing Application settings
- Changing time out
- Adjusting Risk
• Defining new HTTP applications
- New App-ID signatures for specific HTTP based applications
- User defined regexp
- Contextual signature engine
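The top-down, first-match evaluation described under Security Policy Basics and the three-rule pattern above, as an added example that is not part of the course material: zone names and the pre-NAT tuples come from the deck, while the address objects, rule names and application sets are constructed. It also reports rules that can never be reached, the practical consequence of "no further rules are evaluated after the match".

```python
from ipaddress import ip_address, ip_network

# Constructed address objects: hosts are /32, networks carry their prefix.
ADDRESS_OBJECTS = {
    "trust-net": ip_network("10.1.1.0/24"),
    "dmz-web": ip_network("192.168.10.100/32"),   # post-NAT host from the deck
    "any": ip_network("0.0.0.0/0"),
}

# Rule = (name, from_zone, to_zone, src_obj, dst_obj, apps or None for any, action); constructed.
POLICY = [
    ("allow-good", "L3-trust", "L3-untrust", "trust-net", "any", {"gmail", "dns", "ssl"}, "allow"),
    ("block-bad", "L3-trust", "L3-untrust", "any", "any", {"bittorrent", "ultrasurf"}, "deny"),
    ("web-to-dmz", "L3-untrust", "L3-trust", "any", "dmz-web", {"web-browsing"}, "allow"),
    ("catch-all", "any", "any", "any", "any", None, "deny"),
]

def rule_matches(rule, flow):
    _, fz, tz, src, dst, apps, _ = rule
    return (fz in ("any", flow["from"]) and tz in ("any", flow["to"])
            and ip_address(flow["sa"]) in ADDRESS_OBJECTS[src]
            and ip_address(flow["da"]) in ADDRESS_OBJECTS[dst]
            and (apps is None or flow["app"] in apps))

def evaluate(policy, flow):
    """Top-down: the first rule that matches is used and nothing below it is evaluated."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule[0], rule[-1]
    return None, "deny"          # no rule matched: traffic is not allowed

def covers(earlier, later):
    """True when every flow 'later' could match is already taken by 'earlier'."""
    _, efz, etz, esrc, edst, eapps, _ = earlier
    _, lfz, ltz, lsrc, ldst, lapps, _ = later
    return (efz in ("any", lfz) and etz in ("any", ltz)
            and ADDRESS_OBJECTS[lsrc].subnet_of(ADDRESS_OBJECTS[esrc])
            and ADDRESS_OBJECTS[ldst].subnet_of(ADDRESS_OBJECTS[edst])
            and (eapps is None or (lapps is not None and lapps <= eapps)))

def shadowed_rules(policy):
    """Rules that can never be hit because an earlier rule covers them entirely."""
    return [later[0] for i, later in enumerate(policy)
            if any(covers(earlier, later) for earlier in policy[:i])]

if __name__ == "__main__":   # pre-NAT tuple from the deck's NAT example
    out = {"from": "L3-trust", "to": "L3-untrust", "sa": "10.1.1.47", "da": "4.2.2.2"}
    print(evaluate(POLICY, dict(out, app="bittorrent")), shadowed_rules([POLICY[3]] + POLICY[:3]))
```

Moving the catch-all rule to the top shadows every rule beneath it, which is why the allow and block rules must precede it.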