Académique Documents
Professionnel Documents
Culture Documents
Content-ID
0-day Industry
Malware from Collaboration
WildFire (MAPP)
Malware Custom
& Vulnerability Signatures
Research
Check
Policy
Check
Decode
Signatures
Vulnerabilty Matches
Botnet/C&C Matches
Data Matches
URL Matches
Applications Exploits & Malware Dangerous URLs Unknown & Targeted Threats
• All traffic, all ports, all the time • Block threats on all ports • Malware hosting URLs • WildFire detection of unknown
• Application signatures • NSS Labs Recommended IPS • Newly registered domains and targeted malware
• Heuristics • Millions of malware samples • SSL decryption of high-risk sites • Unknown traffic analysis
• Decryption • Anomalous network behaviors
• Reduce the attack surface • Prevents known threats • Block known sources of threats • Pinpoints live infections and
• Remove the ability to hide • Exploits, malware, • Be wary of unclassified and targeted attacks
C&C traffic new domains
> > > > > > > > > > > > > > > > > > > > > > > > > > > Decreasing Risk > > > > > > > > > > > > > > > > > > > > > > > > > > >
Threat Prevention but it also can provide attackers with an encrypted channel
Enterprise networks are facing a rapidly evolving threat landscape to deliver exploits and malware. Palo Alto Networks ensures
full of modern applications, exploits, malware and attack strategies visibility by giving security organizations the flexibility to,
that are capable of avoiding traditional methods of detection. by policy, granularly look inside of SSL traffic based on
Threats are delivered via applications that dynamically hop ports, application or URL category.
use non-standard ports, tunnel within other applications or hide
within proxies, SSL or other types of encryption. These techniques • Control of circumventing technologies: Attackers and malware
can prevent traditional security solutions such as IPS and firewalls have increasingly turned to proxies, anonymizers and a variety
from ever inspecting the traffic, thus enabling threats to easily of encrypted proxies to hide from traditional network security
and repeatedly flow across the network. Additionally, enterprises products. Palo Alto Networks provides the ability to tightly
are exposed to targeted and customized malware, which may control these technologies and limit them to approved users,
pass undetected through traditional antivirus solutions. while blocking unapproved communications that could be
Palo Alto Networks Content-ID addresses these challenges with used by attackers.
unique threat prevention abilities not found in other security • Uniform threat signature format: Rather than use a separate
solutions. First, the next-generation firewall removes the methods set of scanning engines and signatures for each type of threat,
that threats use to hide from security through the complete Content-ID leverages a uniform threat engine and signature
analysis of all traffic, on all ports regardless of evasion, tunneling format to detect and block a wide range of malware including
or circumvention techniques. Simply put, no threat prevention viruses, spyware, and vulnerability exploits in a single pass.
solution will be effective if it does not have visibility into the traffic,
and only Palo Alto Networks ensures that visibility through the Secondly, Palo Alto Networks brings multiple security disciplines
identification and control of all traffic. into a single context and a single threat prevention engine. This
context enables security teams to easily see beyond individual
• Application decoders: Content-ID leverages the more than
security events and recognize the full extent of a threat. Security
100 application and protocol decoders in App-ID to look
managers can now see the interconnection of applications,
for threats hidden within streams of application data. This
exploits, malware, URLs, anomalous network behaviors and
enables the firewall to detect and prevent threats tunneled
management and reporting and ensures predictable performance
within approved applications that would pass by traditional
by analyzing traffic once instead of progressive scanning in
IPS or proxy solutions.
multiple engines.
• SSL decryption: More and more web traffic is encrypted with
SSL by default. This can provide some protection to end-users,
PAGE 2
PA L O A LT O N E T W O R K S : C o n t e n t - I D Te c h n o l o g y B r i e f
Policy E
ngine Single P
App-ID as
User-ID Softwares
Conten
t-ID
Network
ing
Manag Conten
ement t
Securi
ty
Contr
ol Pla
ne Networ
king Palo Alto Networks single pass
Data P
lane parallel processing architecture
accelerates content inspection
performance while minimizing latency.
PAGE 3
PA L O A LT O N E T W O R K S : C o n t e n t - I D Te c h n o l o g y B r i e f
Output
Stream-based scanning
Stream-based scanning helps
Latency
Latency minimize latency and maximize
Time Time throughput performance.
PAGE 4
PA L O A LT O N E T W O R K S : C o n t e n t - I D Te c h n o l o g y B r i e f
Policy-based Management
Content-ID is enabled on a per rule basis using individual or
group profiles to facilitate policy-based control over content
traversing the network.
URL Filtering
Complementing the threat prevention and application control Administrators can configure a custom block page to notify
capabilities is a fully integrated, on-box URL filtering database end users of any policy violations. The page can include refer-
that enables security teams to to not only control end-user web ences to the username, IP address, the URL they are attempting
surfing activities, but also combine URL context with application to access and the URL category. In order to place some of the
and user rules. The on-box URL database can be augmented to web activity ownership back in the user’s hands, administra-
suit the traffic patterns of the local user community with a custom, tors can allow users to continue after being presented with
1 million URL database. URLs that are not categorized by the a warning page, or can use passwords to override the URL
local URL database can be pulled into cache from a hosted, 180 filtering policy.
million URL database. In addition to database customization,
administrators can create custom URL categories to further tailor File and Data Filtering
the URL controls to suit their specific needs. URL categorization Data filtering features enable administrators to implement
can be combined with application and user classification to policies that will reduce the risks associated with the transfer
further target and define policies. For example, SSL decryption of unauthorized files and data.
can be invoked for select high-risk URL categories to ensure • File blocking by type: Control the flow of a wide range of
threats are exposed, QoS controls can be applied to streaming file types by looking deep within the payload to identify the
media sites, URL filtering visibility and policy controls can be file type (as opposed to looking only at the file extension).
tied to specific users through the transparent integration with
• Data filtering: Control the transfer of sensitive data patterns
enterprise directory services (Active Directory, LDAP, eDirec-
such as credit card and social security numbers in application
tory) with additional insight provided through customizable
content or attachments.
reporting and logging.
• File transfer function control: Control the file transfer
functionality within an individual application, allowing
application use yet preventing undesired inbound or outbound
file transfer.
PAGE 5
PA L O A LT O N E T W O R K S : C o n t e n t - I D Te c h n o l o g y B r i e f
3300 Olcott Street Copyright ©2013, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks,
Santa Clara, CA 95054 the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of
Palo Alto Networks, Inc. All specifications are subject to change without notice.
Main: +1.408.573.4000
Palo Alto Networks assumes no responsibility for any inaccuracies in this document
Sales: +1.866.320.4788
or for any obligation to update information in this document. Palo Alto Networks
Support: +1.866.898.9087 reserves the right to change, modify, transfer, or otherwise revise this publication
www.paloaltonetworks.com without notice. PAN_TB_ContentID_050613