
Network Security
Sven Sanders

Application Identification

Sven Sanders - Odisee

Packet flow (diagram; the five stages with their steps):

1. Initial Packet Processing: Source Zone / Address / User-ID -> PBF / Forwarding Lookup -> Destination Zone -> NAT Policy Evaluated
2. Security Pre-Policy: Check Allowed Ports -> Session Created
3. Application: Check for Encrypted Traffic -> Decryption Policy -> Application Override Policy -> App-ID / Content-ID Labeling
4. Security Policy: Check Security Policy -> Check Security Profiles
5. Post Policy Processing: Re-Encrypt Traffic -> NAT Policy Applied -> Packet Forwarded

Packet filtering firewall

Port-based firewall (diagram):
  Port 5050 (Yahoo Messenger): Blocked
  Port 80: Open
  Port 6681 (BitTorrent client): Blocked

Yahoo Messenger and the BitTorrent client can move to port 80, which is open, and a port-based firewall lets them through because the port is all it sees.

Scenario 1

Traditional firewall, rule: ALLOW Port 53
  DNS on port 53: Packet on Port 53: Allow
  BitTorrent on port 53: Packet on Port 53: Allow
  Visibility: Port 53 allowed

Palo Alto Networks firewall with App-ID, rule: ALLOW DNS
  DNS = DNS: Allow
  BitTorrent ≠ DNS: Deny
  Visibility: BitTorrent detected and blocked

Scenario 2

Traditional firewall, rule: ALLOW Port 53, followed by an application IPS with rule: Block BitTorrent
  Firewall: Packet on Port 53: Allow (DNS and BitTorrent both pass)
  App IPS: BitTorrent: Deny
  Visibility: BitTorrent detected and blocked (by the IPS, after the firewall had already allowed it)

Palo Alto Networks firewall with App-ID, rule: ALLOW DNS
  DNS = DNS: Allow
  BitTorrent ≠ DNS: Deny
  Visibility: BitTorrent detected and blocked

Scenario 3

Legacy firewall, rule: ALLOW Port 53, followed by an application IPS with rule: Block BitTorrent
Traffic arriving on port 53: DNS, BitTorrent, zero-day C&C
  Firewall: Packet on Port 53: Allow
  App IPS: the Block BitTorrent rule covers BitTorrent only; zero-day C&C: Allow (no signature for it)
  Visibility: Packet on port 53 allowed

Palo Alto Networks firewall with App-ID, rule: ALLOW DNS
  DNS = DNS: Allow
  Command & Control ≠ DNS: Deny
  Visibility: Unknown traffic detected and blocked

App ID flow


Application shift

App-ID identification of one session (diagram):
  HTTP (protocol decoders)
  -> Application shift -> facebook-base (application signatures, heuristics)
  -> Application shift -> facebook-chat
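The three scenarios and the application shift above come down to one difference: a port-based rule decides once, on the port, while an App-ID rule decides on the application label and is re-evaluated after every shift. The following added example (not from the slides, and not PAN-OS code) is a toy model of the three policy styles shown: port-only, port plus an application IPS with a signature list, and App-ID with an allow list. The flow records, addresses and application names are constructed; "unknown-udp" stands in for the zero-day C&C traffic that has no signature yet.

```python
# Added example: toy comparison of port-based, port+IPS and App-ID policy.
# Flows, rule sets and application names below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Flow:
    src: str
    dst_port: int
    # Application labels App-ID would assign over the life of the session,
    # in order: a session may start as one app and shift to another.
    apps: List[str]


@dataclass
class Decision:
    action: str
    visibility: str


def port_based_policy(flow: Flow, allowed_ports: Set[int]) -> Decision:
    """Traditional firewall: the port is the only thing it can match on."""
    if flow.dst_port in allowed_ports:
        return Decision("allow", f"port {flow.dst_port} allowed")
    return Decision("deny", f"port {flow.dst_port} blocked")


def port_plus_ips(flow: Flow, allowed_ports: Set[int], ips_signatures: Set[str]) -> Decision:
    """Port-based firewall followed by an application IPS with a signature list.
    Anything the IPS has no signature for (the zero-day C&C) is still allowed."""
    base = port_based_policy(flow, allowed_ports)
    if base.action == "deny":
        return base
    for app in flow.apps:
        if app in ips_signatures:
            return Decision("deny", f"{app} detected and blocked by IPS")
    return base


def app_based_policy(flow: Flow, allowed_ports: Set[int], allowed_apps: Set[str]) -> Decision:
    """App-ID style: allowed ports are checked first (security pre-policy), then
    the session is labelled and the security policy matches on the label.
    The policy is re-evaluated after every application shift, so a session that
    starts as an allowed app and shifts to a non-allowed one is denied."""
    if flow.dst_port not in allowed_ports:
        return Decision("deny", f"port {flow.dst_port} blocked")
    for app in flow.apps:
        if app not in allowed_apps:
            return Decision("deny", f"{app} detected and blocked")
    return Decision("allow", f"{flow.apps[-1]} allowed")


# Constructed flows mirroring the slides: DNS, BitTorrent tunnelled over port 53,
# a zero-day C&C channel over port 53, and a web session that shifts to chat.
CONSTRUCTED_FLOWS = [
    Flow("10.0.0.11", 53, ["dns"]),
    Flow("10.0.0.12", 53, ["bittorrent"]),
    Flow("10.0.0.13", 53, ["unknown-udp"]),
    Flow("10.0.0.14", 80, ["web-browsing", "facebook-chat"]),
]


def compare(flows=CONSTRUCTED_FLOWS):
    """Return (src, port-only action, port+IPS action, App-ID action) per flow."""
    allowed_ports = {53, 80}          # "ALLOW Port 53" style rules
    ips_signatures = {"bittorrent"}   # "Block BitTorrent" IPS rule
    allowed_apps = {"dns", "web-browsing"}  # "ALLOW DNS" style rules
    return [
        (
            f.src,
            port_based_policy(f, allowed_ports).action,
            port_plus_ips(f, allowed_ports, ips_signatures).action,
            app_based_policy(f, allowed_ports, allowed_apps).action,
        )
        for f in flows
    ]


if __name__ == "__main__":
    for src, port_only, port_ips, app_id in compare():
        print(f"{src}: port-based={port_only} port+IPS={port_ips} app-id={app_id}")
```

The App-ID column is the only one that denies the unknown traffic, because an allow list of applications is a positive model: whatever is not explicitly allowed, known or not, is dropped, which is the "unknown traffic detected and blocked" outcome of Scenario 3.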

Application dependencies

web-browsing: Allow | Deny
  -> application shift
google-translate-base: Allow | Deny

Implicit applications


Distinction

https://urlfiltering.paloaltonetworks.com/testASite.aspx

App definition updates


Adjusting policies
After downloading new app definitions

App filter


App group
Your own static grouping of applications

Content-ID


(Packet flow diagram, repeated from the Application Identification section; App-ID / Content-ID labeling is a step of the Application stage.)

Content-ID
Stream based


Security profiles

Antivirus

URL Filtering

Anti-Spyware

File Blocking

Vulnerability

WildFire Analysis

Security Profile Group

Data Filtering


URL filtering


URL filtering order

(diagram: the four evaluation steps, numbered 1 to 4)

Custom category

Accepts wildcards and IP addresses
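A custom category is a list of entries that may be hostname patterns with wildcards or plain IP addresses, and the category a URL falls into decides the filter action. The following added example (not from the slides, and not the PAN-OS implementation) shows a toy matcher for such entries and the lookup from matched category to action. The category names, entries, URLs, the action names and the wildcard semantics (a `*` stands for exactly one hostname label) are constructed assumptions for illustration.

```python
# Added example: toy custom URL category matcher with wildcard and IP entries.
# Categories, entries, URLs and the wildcard rule are constructed assumptions.
import ipaddress
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def entry_matches(entry: str, host: str) -> bool:
    """Assumed semantics: an IP entry matches that exact address; a hostname
    entry is compared label by label, where '*' stands for exactly one label,
    so '*.example.test' matches 'a.example.test' but not 'example.test'."""
    host = host.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    if _is_ip(entry):
        return _is_ip(host) and ipaddress.ip_address(entry) == ipaddress.ip_address(host)
    if _is_ip(host):
        return False  # a hostname pattern never matches a bare IP
    e_labels, h_labels = entry.split("."), host.split(".")
    if len(e_labels) != len(h_labels):
        return False
    return all(e == "*" or e == h for e, h in zip(e_labels, h_labels))


def categorize(url: str, categories: Dict[str, List[str]]) -> Optional[str]:
    """Return the first custom category (in definition order) with an entry
    matching the URL's host, or None if no custom category applies."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    host = urlsplit(url).hostname or ""
    for name, entries in categories.items():
        if any(entry_matches(e, host) for e in entries):
            return name
    return None


def url_action(url: str, categories: Dict[str, List[str]],
               actions: Dict[str, str], default: str = "alert") -> str:
    """Map the matched category to its profile action; unmatched URLs get the default."""
    category = categorize(url, categories)
    return actions.get(category, default) if category else default


# Constructed custom categories and the action configured for each.
CUSTOM_CATEGORIES = {
    "blocked-filesharing": ["*.torrent-example.test", "203.0.113.10"],
    "internal-tools": ["wiki.example.test", "*.intranet.example.test"],
}
CATEGORY_ACTIONS = {"blocked-filesharing": "block", "internal-tools": "override"}


if __name__ == "__main__":
    for u in ("http://tracker.torrent-example.test/announce",
              "http://203.0.113.10:8080/",
              "https://git.intranet.example.test/",
              "https://news.example.org/"):
        print(u, "->", categorize(u, CUSTOM_CATEGORIES), url_action(u, CUSTOM_CATEGORIES, CATEGORY_ACTIONS))
```

Two checks worth keeping in mind when writing entries: a wildcard entry such as `*.torrent-example.test` does not cover the bare domain, and an IP entry only matches a URL whose host is literally that address, so a site reached by name is not caught by its IP entry.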

URL filter actions

Response pages: Blocked, Continue, Override

URL filtering log


Override password
Device > Setup > Content-ID > Add


Antivirus


Anti-Spyware


Anti-Spyware
Objects > Security Profiles > Anti-Spyware

Categories: Adware, Any, Backdoor, Botnet, Browser-hijack, Data-theft, Keylogger, Net-worm, p2p-communication, Spyware

Actions: Default, Allow, Alert, Drop, Reset-Client, Reset-Server, Reset-Both, Block IP

File blocking
Objects > Security Profiles > File Blocking


Logging
Monitor > Logs > Data Filtering


Drive-by-download protection

Trigger: user attempts to download a file through the browser, or a website initiates an automatic file download
-> Continue response page presented to user
   User clicks Continue -> File download proceeds -> Log updated
   User exits response page -> File download is cancelled -> Log updated

Unknown threats
Modern malware
Advanced Persistent Threats

Stealthy
Persistent
Adaptable
Detection avoidance, in particular of signature-based detection

Wildfire


WildFire flow: identify

File downloaded over user session; security policy: allow
-> Antivirus profile enabled on security policy?
   yes -> File sent to Content-ID engine for antivirus scanning
          -> Virus detected and the profile set to block?
             yes -> File download terminated; entry made in threat log
             no  -> continue with the WildFire Analysis check below
   no  -> continue with the WildFire Analysis check below
-> WildFire Analysis profile enabled?
   yes -> File sent for WildFire processing
   no  -> File downloaded

WildFire workflow: assess (1)

File signed by trusted signer?
   yes -> File download logged in data filtering log; actions: forward, wildfire-upload-skip
   no  -> File hash sent to WildFire and compared to previous entries. Match?
          no  -> Hash sent for WildFire processing; session sent to WildFire
          yes -> Classified as threat?
                 no  -> File download logged in data filtering log; action: wildfire-upload-skip
                 yes -> Session sent to WildFire

WildFire workflow: analyzed (2)

File and session sent to WildFire
-> File download logged in data filtering log; action: wildfire-upload-success
-> WildFire processes the file in a sandbox to determine if it is malicious
   no  -> File logged as benign; log sent to firewall (if enabled)
   yes -> Forensics report generated in Web portal and email sent (if enabled); threat signature generated and tested

E-mail

Mail server -> WildFire analysis of the message:
  Header info: sender/receiver, subject, fields
  Body analysis: links, attachments (URL / attachments)
Exploit found -> BLOCK (otherwise: compromised host)

Submission log
Monitor > Logs > WildFire Submissions

Checking uploads: via the CLI (immediate): debug wildfire upload-log

DNS sinkhole (diagram: infected host -> switch -> firewall -> Internet / public DNS server; malicious server)

1. The infected host sends a DNS query for the malicious server.
2. Firewall: DNS signature match -> the sinkhole address is returned instead of the malicious server's IP.
3. The host contacts the sinkhole IP address -> the infected host is easily identified in the traffic logs!
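The reason the sinkhole makes the infected host "easily identified" is visible when you put the two logs side by side: the DNS signature fires on the query as forwarded by the internal resolver, so the threat log only names the resolver, whereas the sessions to the sinkhole address are opened by the infected hosts themselves and show up with their own source addresses in the traffic log. The following added example (not from the slides, and not PAN-OS code or its log format) triages constructed log lines to pull those hosts out. The sinkhole address, resolver address, log layout and all other values are constructed.

```python
# Added example: find infected hosts in sinkhole traffic. Log format, addresses
# and the sinkhole IP are constructed assumptions, not PAN-OS field layouts.
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List

SINKHOLE_IP = "192.0.2.1"   # constructed placeholder for the configured sinkhole address
RESOLVER_IP = "10.0.0.53"   # constructed internal DNS resolver

# Constructed threat log: the DNS signature matched the query the internal
# resolver forwarded upstream, so the only source it shows is the resolver.
THREAT_LOG = """time,src,dst,dport,threat,action
2024-01-01T09:00:01,10.0.0.53,198.51.100.53,53,dns-signature-match,sinkhole
"""

# Constructed traffic log: once the sinkhole address was handed back, the
# infected hosts open sessions to it themselves; one clean host is included.
TRAFFIC_LOG = """time,src,dst,dport,proto,action
2024-01-01T09:00:02,10.0.1.25,192.0.2.1,443,tcp,allow
2024-01-01T09:00:02,10.0.1.25,192.0.2.1,80,tcp,allow
2024-01-01T09:00:05,10.0.1.40,192.0.2.1,443,tcp,allow
2024-01-01T09:00:07,10.0.1.31,203.0.113.80,443,tcp,allow
"""


def parse_log(text: str) -> List[dict]:
    """Parse the constructed CSV log into one dict per line."""
    return list(csv.DictReader(StringIO(text)))


def sources_in_threat_log(text: str) -> List[str]:
    """Sources named by sinkhole events in the threat log: only the resolver."""
    return sorted({r["src"] for r in parse_log(text) if r["action"] == "sinkhole"})


def infected_hosts(text: str, sinkhole_ip: str = SINKHOLE_IP) -> Dict[str, int]:
    """Map each internal source that contacted the sinkhole to its session count.
    Sessions to any other destination are ignored, so clean hosts drop out."""
    hits = Counter(r["src"] for r in parse_log(text) if r["dst"] == sinkhole_ip)
    return dict(sorted(hits.items()))


if __name__ == "__main__":
    print("threat log points at:", sources_in_threat_log(THREAT_LOG))
    print("hosts that contacted the sinkhole:", infected_hosts(TRAFFIC_LOG))
```

Filtering the traffic log on destination equal to the sinkhole address is the whole trick; the same filter works in the firewall's log viewer once the sinkhole address is known.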

Vulnerability protection profile

Threat logs
Monitor > Logs > Threat
