Network security
Sven Sanders
Application Identification

[Figure: PAN-OS packet flow, reconstructed from the slide labels.]
Initial Packet Processing: Source Zone/Address/User-ID; PBF/Forwarding Lookup; Destination Zone; NAT Policy Evaluated
Security Pre-Policy: Check Allowed Ports; Session Created
Application: Check for Encrypted Traffic; Decryption Policy; Application Override Policy; App-ID/Content-ID Labeling
Security Policy: Check Security Policy; Check Security Profiles
Post Policy Processing: Re-Encrypt Traffic; NAT Policy Applied; Packet Forwarded
[Figure: Port-Based Firewall. Port 5050 (Yahoo Messenger): Blocked. Port 80: Open. Port 6681 (BitTorrent Client): Blocked.]
Scenario 1
[Figure: Palo Alto Networks Firewalls with App-ID vs. Traditional Firewalls. Firewall Rule: ALLOW Port 53. Traffic shown passing the firewall: DNS and BitTorrent.]
Scenario 2
[Figure: Traditional Firewalls with App IPS. Traffic shown: DNS and BitTorrent.]
Outcomes: DNS=DNS: Allow; Packet on Port 53: Allow; BitTorrent DNS: Deny; BitTorrent: Deny.
Visibility: BitTorrent detected and blocked.
Scenario 3
[Figure: Legacy Firewalls with App IPS. Traffic shown: DNS, BitTorrent, Zero-day C&C.]
Outcomes: DNS=DNS: Allow; Command & Control DNS: Deny.
Visibility: Unknown traffic detected and blocked.
App-ID flow
[Figure: App-ID flow. Stages shown: Protocol Decoders, Application Signatures, Heuristics, with an application shift possible after each stage. Example of application shift: HTTP -> Facebook-base -> Facebookchat.]

Application dependencies
[Figure: Web-browsing: Allow | Deny; application shift; Google-translate-base: Allow | Deny.]

Implicit applications
Distinction
https://urlfiltering.paloaltonetworks.com/testASite.aspx

Adjust policies
After downloading new app definitions

App filter

App group
Own static grouping of applications

Content-ID
[Figure: packet flow diagram, the same as in the Application Identification section above.]
Content-ID
Stream based

Security profiles: Antivirus, URL Filtering, Anti-Spyware, File Blocking, Vulnerability, WildFire Analysis, Data Filtering

URL filtering
Sven Sanders - Odisee
Custom category
Accepts wildcards and IP addresses
Response pages: Blocked, Continue, Override
Override password
Device > Setup > Content-ID > Add
Antivirus

Anti-Spyware
Objects > Security Profiles > Anti-Spyware
Categories: Adware, Any, Backdoor, Botnet, Browser-hijack, Data-theft, Keylogger, Net-worm, p2p-communication, Spyware
Actions: Default, Allow, Alert, Drop, Reset-Client, Reset-Server, Reset-Both, Block IP
File blocking
Objects > Security Profiles > File Blocking

Logging
Monitor > Logs > Data Filtering
Drive-by-download protection
[Figure: Drive-by-download protection, reconstructed from the slide labels. User-initiated path: user attempts to download a file through the browser -> user clicks Continue -> file download proceeds. Drive-by path: website initiates an automatic file download -> user exits response page.]
Unknown threats
Modern malware
Advanced Persistent Threats: Stealthy, Persistent, Adaptable
Detection avoidance, in particular of signature-based detection
WildFire
[Figure: WildFire flowchart, reconstructed from the slide labels.]
File downloaded over user session -> Security policy: allow.
Antivirus profile enabled on security policy? yes -> File sent to Content-ID engine for antivirus scanning.
Virus detected and the profile set to block? yes -> File download terminated; entry made in threat log. no -> File downloaded.
WildFire Analysis profile enabled? yes -> File download logged in data filtering log (Actions: forward / WildFireupload-skip) -> Session sent to WildFire. no -> File downloaded.
File download logged in data filtering log, Action: WildFireupload-skip.
Classified as threat? yes -> Forensics report generated in Web portal and email sent (if enabled); Threat signature generated and tested.
[Figure: E-mail analysis with WildFire. E-mail: header info, analyse body, links, attachments. URL / attachments -> WildFire. Other elements shown: Mail Server, Exploit, BLOCK, Compromised Host.]
Submission log
Monitor > Logs > WildFire Submissions
DNS sinkhole
[Figure: DNS sinkhole. Elements shown: Public DNS Server, Malicious Server, Internet, Switch. Infected host easily identified in traffic logs!]
Threat logs
Monitor > Logs > Threat