Palo Alto Networks Technology Review

Nebulas Solutions Group - 18/01/10

Contents

Introduction
  App-ID
  User-ID
  Content-ID
Product Range
Deployment/Infrastructure
  Networking options
  High Availability
  Licensing
  Management
Usability
  User Interface
  Policy Building
  Logging/Reporting
Functionality
  The Application Command Center (ACC)
  NAT
  QoS
  VPNs
Security Profiles
  Antivirus
  Anti-Spyware
  Vulnerability Protection
  URL filtering
  File Blocking
  Data Filtering
Summary

Introduction

Perimeter Security Solutions seem to fall into one of two camps - either a firewall with various point solutions or a Unified Threat Management (UTM) device. Both of these infrastructures have their own problems - the first requires multiple layers of technologies and multiple systems to administer and manage whilst the second often struggles to retain the desired performance and throughput the moment you enable the extra features. Well, it seems there's now a third option - Palo Alto have released their 'Next Generation Firewall'.

Palo Alto Networks was founded in 2005 by Nir Zuk with a mission to 're-invent the firewall'. They aim to provide visibility and control of all applications and content - by user, not just IP address - at high speed with no performance degradation. Palo Alto Networks provide this increased visibility and control through the use of three technologies: App-ID, User-ID, and Content-ID. These technologies allow Palo Alto Networks users to configure their firewalls in line with business-relevant elements such as applications, users and content rather than ports and protocols, which don't necessarily represent or permit what they're supposed to. These technologies are described briefly below.

App-ID

Traditional firewalls rely on the convention that a given port corresponds to a given service (e.g. TCP port 80 corresponds to HTTP); however, this isn't always the case. As such, they are often incapable of distinguishing between different applications that use the same port/service. App-ID can identify more than 900 applications across five categories and 25 sub-categories, and allows security policies to be configured based upon application rather than just a port/service.

User-ID

Palo Alto Networks can integrate with an Active Directory infrastructure and then manage and enforce security policies based upon user and/or Active Directory group. Users are no longer defined solely by their IP addresses.

Content-ID

As its name suggests, Content-ID can scan network traffic for a broad range of threats (including vulnerability exploits, viruses, and spyware) as well as controlling file transfers (by file type) and scanning for other content such as credit card numbers. There is also an onboard URL database for categorized web filtering. This means that these devices will be doing quite a lot of work compared to a standard firewall, so it begs the obvious question: "How is it any different from a normal UTM device?"

The simple answer to this is their Single-Pass Parallel Processing (SP3) architecture. Whereas normal UTM firewalls pass packets through multiple policies in series, one after another, Palo Alto Networks' SP3 passes the packet through all of its processes in parallel, using a single engine. This means the performance decrease normally associated with running multiple functions on a firewall isn't anywhere near as significant with Palo Alto Networks. Typically, even with all policies and profiles turned on, impressive throughput speeds can still be achieved.

This document sets out to discuss some of the features of the Palo Alto Networks solutions supplemented by some of our thoughts.

Product Range

There are six different models of appliance, split into three categories:

• The PA-4000 Series - available in three models. Suitable for large enterprise networks, with maximum throughput of up to 10Gbps.
• The PA-2000 Series - available in two models. Suitable for the branch offices of large enterprises and for mid-sized organizations.
• The PA-500 - ideal for mid-sized businesses and branch office environments.

The diagram of the different models and their performance speeds (not reproduced in this transcript) shows that even with all of the threat prevention protections turned on, users can still expect to achieve high performance (up to 5Gbps).

Deployment/Infrastructure

Networking Options

Palo Alto Networks' solution offers a flexible range of deployment options, including an out-of-band 'visibility-only' mode, transparent in-line operation, and a fully active in-line firewall configuration. It also supports dynamic routing (OSPF, RIPv2), 802.1Q VLANs, and trunked ports. It utilises a concept of security 'zones' which will be familiar to any Juniper/NetScreen users. The visibility-only mode is particularly interesting, as it allows users to become familiar with the product and the visibility it provides without disrupting an existing network infrastructure. The box ships with vWire (Palo Alto's Layer 2 mode) already configured, with eth1 and eth2 as vWire interface types in the untrust and trust zones. This again allows for layer 2 deployment in an existing network without causing disruption to existing infrastructure. This may be of particular interest to anyone looking to implement firewalling around a network segment without having to change IP addresses - for example, protecting card payment networks as part of a PCI project. Whilst other firewall solutions can operate at L2, many of them cannot fully integrate L2, high-availability and IDP functionality. One point to note, though, is that vWire is the only mode today in which multicast is supported. Palo Alto cannot route multicast and don't have any PIM Sparse/Dense mode support (PIM Sparse mode is on the roadmap though).

High Availability

Palo Alto Networks solutions offer an active/passive High Availability option. There is no active/active load sharing option available. Two ports per appliance are dedicated to implementing HA: one is used for synchronising session information and the other for configuration synchronisation. The configuration is set on one of the devices and is then synchronised to the HA partner, so the policy only needs to be defined once. The systems issue a virtual MAC and IP address in a similar way to VRRP.

Licensing

Palo Alto offers a large range of functionality (including Firewall, SSL VPN, QoS, Antivirus, Anti-spyware, Vulnerability Protection, URL Filtering, File Blocking, and Data Filtering) but thankfully the licensing model appears relatively straightforward. The only components that require licensing are the threat and URL filtering components (each licensed at 20% of the cost of the box per annum), virtual systems and the implementation of centralised management. All other functionality is available as part of the purchased solution.

Management

Palo Alto's centralised management system is called Panorama. Only available as a VM appliance, Panorama looks and feels very similar (almost identical, in fact) to the GUI used for administering standalone systems. It can reference up to 2TB of log data and manage up to 25 systems, and is licensed according to how many systems it is managing. Almost all the required configuration for a gateway can be done from Panorama, although strangely this doesn't appear to be the case for NAT - this needs to be done on the gateway itself.

Usability

User Interface

The systems are administered either from the CLI or a browser-based UI (widget based, using AJAX). The administration is broken down into seven tabs (Dashboard, ACC, Monitor, Policies, Objects, Network, and Device) and feels pretty slick to navigate - it is pretty intuitive and it is easy to work out where to find what you are looking for. The Dashboard tab gives an overview of the system status and presents some useful information such as the status of the device interfaces, the top applications being seen, system network settings, etc. The appliances have full role-based user management configurability, with profiles that can be set up to control CLI and GUI roles. Access on the GUI can be granularly controlled to enable, disable or permit read-only access to the different areas of the GUI.

Policy Building

The operation of the firewall is controlled by several types of policies and profiles. The policies include:

• Security policies to block or allow a network session based on the application, the source and destination zones and addresses, and optionally the service (port and protocol). Zones identify the physical or logical interfaces that send or receive the traffic.
• Network Address Translation (NAT) policies to translate addresses and ports, as needed.
• SSL Decryption policies to specify the SSL traffic to be decrypted so that security policies can be applied. Each policy can specify the categories of URLs for the traffic you want to decrypt.

Security policies can be built in the usual manner with a graphical interface listing all rules. Rules are created at the bottom of the rulebase and then have to be relocated to the relevant location in the rulebase. This is most easily done using an 'insert before/after' option, but cut and paste cannot be used. Rules have the following fields which can be populated:

• Name
• Source Zone
• Destination Zone
• Source Address
• Source User
• Destination Address
• Application
• Service (can be set to Any, Application Default, or User Defined)
• Action (can be set to Allow, Deny, Block or Alert)
• Profile (where you can define which Security Profiles are to be applied to the rule)
• Options (including logging options, scheduling, QoS marking, etc.)

For users familiar with Check Point policies, there are a few things that might be missed. For example, an object list for dragging and dropping objects into the policy is not available, rules cannot be grouped with headings and objects cannot be negated. Despite this, creating a rulebase is still a relatively straightforward exercise.
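As an added illustration (not code from this review or from Palo Alto Networks) of the rule fields listed above and of the App-ID point made in the introduction, the following Python models a small rulebase and evaluates sessions against it in first-match order with an implicit deny at the end. The zone names, addresses, user, application names and the "application-default" port table are constructed assumptions; the point it makes is that a session identified as SSH is not matched by an allow rule for web browsing even when it arrives on TCP port 443.

```python
"""Toy model of an application-aware security rulebase (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical "application default" port table, standing in for the firewall's
# knowledge of which ports each application normally uses (assumption).
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "ssh": {("tcp", 22)},
    "dns": {("udp", 53)},
}


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    user: Optional[str]
    app: str          # application as identified by content inspection, not by port
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    src_zone: str = "any"
    dst_zone: str = "any"
    src_addr: str = "any"                 # CIDR or "any"
    dst_addr: str = "any"
    src_user: str = "any"
    app: str = "any"
    service: str = "application-default"  # "any", "application-default" or "tcp/443"
    action: str = "allow"                 # allow, deny, block, alert
    log: bool = True


def _match_addr(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def _match_service(rule: Rule, s: Session) -> bool:
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # Only the ports the identified application normally uses are accepted.
        return (s.proto, s.dport) in APP_DEFAULT_PORTS.get(s.app, set())
    proto, port = rule.service.split("/")
    return s.proto == proto and s.dport == int(port)


def matches(rule: Rule, s: Session) -> bool:
    return all([
        rule.src_zone in ("any", s.src_zone),
        rule.dst_zone in ("any", s.dst_zone),
        _match_addr(rule.src_addr, s.src_ip),
        _match_addr(rule.dst_addr, s.dst_ip),
        rule.src_user in ("any", s.user),
        rule.app in ("any", s.app),
        _match_service(rule, s),
    ])


def evaluate(rulebase, session: Session):
    """First-match evaluation; implicit deny when no rule matches."""
    for rule in rulebase:
        if matches(rule, session):
            return rule.name, rule.action
    return "implicit-deny", "deny"


# Constructed rulebase: web and SSL out to the internet from the trust network,
# SSH into the DMZ only for the network operations group.
RULEBASE = [
    Rule("allow-web", src_zone="trust", dst_zone="untrust",
         src_addr="10.1.0.0/16", app="web-browsing"),
    Rule("allow-ssl", src_zone="trust", dst_zone="untrust",
         src_addr="10.1.0.0/16", app="ssl"),
    Rule("admin-ssh", src_zone="trust", dst_zone="dmz",
         src_user="corp\\netops", app="ssh"),
]

if __name__ == "__main__":
    # SSH tunnelled over port 443: a port-based rule for "443" would allow it.
    s = Session("trust", "untrust", "10.1.2.3", "203.0.113.10",
                "corp\\alice", "ssh", "tcp", 443)
    print(evaluate(RULEBASE, s))
```

The `service="application-default"` setting is what makes the third case below a deny: web browsing on TCP 8080 is a legitimate application on a non-standard port, so an operator who wants it has to say so explicitly rather than getting it by accident.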

Logging/Reporting

'Traditional' firewall logging is of course available, but it is split into four different logs - Traffic, Threat, URL Filtering, and Data Filtering. Unfortunately, you cannot look at all of these logs in a single view. Whilst all the information a security administrator will expect is available, the log viewers aren't quite as mature as Check Point veterans will be used to. For example, logs aren't colour coded differently for allowed or denied packets, and columns cannot be dragged and dropped to different locations. However, filters can be applied fairly easily using a filter expression tool which offers the expected options, including logical operators.

Where the product really does provide some impressive visibility is through the reporting. It is here that you start to see all sorts of patterns and trends that your traditional firewall does not provide. Having such a range of functionality on one box allows the information collected to be combined and given real context. You can very quickly see which applications are consuming bandwidth, if any applications have increased their connection usage significantly, which AD users are associated with the top talkers, and a whole range of custom reports. There are also some really useful summary reports that could be used to give a regular snapshot of an infrastructure's security status. Reports can be scheduled and emailed to appropriate users.

Regarding log management, there are a few things worth noting. Firstly, the logs roll over at timed intervals - they can be forwarded off box to Panorama and (typically) a syslog server, but it doesn't appear possible to re-import logs back into the GUI for analysis. Palo Alto Networks work with Sawmill for off-box reporting, although I expect other SIEM solutions could be used for a similar purpose.

Functionality

The Application Command Center (ACC)

The ACC tab provides details about the Application, URL Filtering, Threat Prevention, and Data Filtering visibility and controls from the device. It gives 'at a glance' visibility of the types of connections that the device can see. What is really nice is that most of the items listed on this tab can be clicked on for further contextualised detail. For example, clicking on the top URL category takes you to a screen that lists the applications in which that category has been seen, as well as the top sources, destinations and users for that particular category. Clicking on an application from the ACC lists provides detail but also provides security information relating to that application - for example, can it be used for file transfer? Is it prone to misuse? Does it have known vulnerabilities?


Palo Alto Networks can currently identify in excess of 900 applications and release support for new applications at a rate of approximately 5 applications per week. For those applications it doesn’t recognise, it is possible for users to write their own identifiers (although this is currently only available for HTTP applications).

NAT

NAT is configured from a separate section under the 'Policies' tab and is relatively straightforward to configure. It is configured in a similar way to the security policy, using rules. The fields include:

• Source Zone
• Destination Zone
• Source Address (for original and translated packets)
• Destination Address (for original and translated packets)
• Service

Proxy ARPs are automatically created when NATs are configured.

QoS

Palo Alto supports QoS settings for traffic upon egress from the firewall. QoS profiles are attached to physical interfaces to specify how traffic classes map to bandwidth (guaranteed, maximum) and priority. This is particularly nice when these profiles are associated with applications in the security policy.

VPNs

All Palo Alto Networks platforms support site-to-site IPSec VPNs. There are working examples of site-to-site VPNs with most of the other major firewall vendors. One point worth noting is that certificate-based VPNs are not currently supported. Palo Alto Networks do not provide any client-to-site VPN connectivity and are unlikely to ever include this functionality. The platforms also function as SSL VPN endpoints. SSL VPNs are available for XP and Vista clients only (Mac clients are not currently supported). Users can authenticate to either a local user database, or a profile for RADIUS authentication can be set up. There is no host checking available at present, which may limit its use as a corporate solution, but the SSL VPN tool is an integrated part of the Palo Alto Networks solution - there is no additional licence or cost.

Security Profiles

Each security policy can specify one or more security and logging profiles. Security profiles defend the network against viruses, spyware, and other known threats. The profiles include:

• Antivirus profiles to protect against worms and viruses.
• Anti-spyware profiles to block spyware downloads and attempts by spyware to access the network.
• Vulnerability protection profiles to stop attempts to exploit system flaws or gain unauthorized access to systems.
• URL filtering profiles to restrict access to specific web sites and web site categories.
• File blocking profiles to block selected file types.
• Data filtering profiles that help prevent sensitive information such as credit card or social security numbers from leaving the area protected by the firewall.

Antivirus

Antivirus profiles can be created and applied to different rules within a security policy. There are specific decoders for FTP, HTTP, IMAP, POP3, SMB and SMTP, and within a security profile different actions (allow, alert or block) can be applied per decoder. There isn't any option to quarantine or clean identified infections. The antivirus engine is Palo Alto Networks' own and they write their own signatures (they currently have circa 4 million) - 3rd party scanning engines cannot be used. Palo Alto Networks use stream-based as opposed to file-based antivirus scanning. The main advantage of this approach is the ability to maintain high throughput. The disadvantage is that they can only block files down to two levels of decompression. Beyond this, alerts can be issued, although a virus-infected file would be allowed through. The appliances currently receive AV updates weekly, although this frequency will be increasing to daily in Q1 2010.
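The decompression limit described above is easy to misread as "two levels of archives are scanned", so here is an added illustration (not Palo Alto Networks code) of what the caveat means in practice: a scanner that recurses into zip archives only to a fixed depth, blocks on a signature match within that depth, and can only raise an alert for anything nested deeper because it never sees the inner content. The depth limit, the signature marker and the nested sample archives are all constructed here.

```python
"""Decompression-depth limit in stream-style content scanning (added example)."""
import io
import zipfile

MAX_DEPTH = 2  # assumption standing in for "two levels of decompression"
# Constructed marker standing in for a real signature; never a live sample.
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"


def scan_bytes(data: bytes, depth: int = 0) -> str:
    """Return 'block', 'alert' or 'allow' for a blob, recursing into zip members.

    depth counts how many archive layers have already been opened to reach data.
    """
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            # Beyond the decompression limit: the content cannot be inspected,
            # so the only honest verdict is an alert, and the file passes.
            return "alert"
        verdict = "allow"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                inner = scan_bytes(zf.read(name), depth + 1)
                if inner == "block":
                    return "block"
                if inner == "alert":
                    verdict = "alert"
        return verdict
    return "block" if SIGNATURE in data else "allow"


def nest(payload: bytes, levels: int) -> bytes:
    """Wrap payload in `levels` zip archives; builds the constructed samples."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("payload.bin" if i == 0 else f"level{i}.zip", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    for levels in range(0, 4):
        print(levels, "archive level(s):", scan_bytes(nest(SIGNATURE, levels)))
```

A practical consequence for a defender: an alert of this kind is a "could not inspect" signal rather than a detection, so it is worth logging and reviewing separately, or pairing the profile with a file-blocking rule for deeply nested archives where the business can tolerate it.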

Anti-Spyware

The Anti-spyware profile can be configured using the same decoders and actions as the antivirus security profile. Different actions can be applied for Adware and Spyware within the same profile. There is also a separate tab within the configuration of the profile that allows for 'Phone Home Protection' settings to be applied to stop any known applications or software phoning home. One really nice touch here is that the 'Phone Home Protection' settings can either be configured using a simple option or a granular, custom rule type. Exceptions can also be set up within a profile if required.


Vulnerability Protection

The Vulnerability Protection profile can also be configured using either a simple or custom rule type. The simple rule type allows for the standard action options to be applied depending on the criticality of the vulnerability, and can be set on either the client or the server. The custom rule option allows for more granular actions to be applied per CVE. The additional actions include options such as drop-all-packets, reset-client, reset-server, and reset-both.

URL filtering

Palo Alto Networks have OEM'd the BrightCloud database (also recently selected by Microsoft) for their URL filtering profile. They have circa 20 million URLs on the box and around 80 predefined categories, ranging from 'hunting-and-fishing' to 'open-http-proxies'. Palo Alto Networks can cache URLs on box but also have a 'Dynamic URL Filtering' option which, if checked, dynamically checks unknown URLs against a cloud-based server (similar to technologies such as Blue Coat WebPulse and Cisco IronPort Web Usage Controls). There are various actions that can be issued per category; these are given below:

• Allow - allows, but does not log
• Block - blocks
• Continue - displays a warning page and allows the user to continue
• Override - the user can enter a one-time password to go through
• Alert - allows and generates a log

One slight gripe is that you're not able to create your own custom categories. We understand that Palo Alto are looking to introduce this functionality early in 2010, but in the meantime there is an option to create a white list and black list per profile, so we can see this as being able to address most of our customers' URL filtering requirements. Some other points worth noting are that the URL filtering is licensed per box and not per seat, as with many web filtering vendors. By creating the necessary rule in the security policy you can implement time-based scheduling, for example allowing a particular user (or group) to visit a particular URL category (e.g. Games) between certain hours. You cannot, however, impose a time-based quota - i.e. allow User A to visit Facebook for 1 hour per day.

File Blocking

The File Blocking profile allows for file blocking rules to be created within a single profile which can then be associated to rules within the security policy. Rules can be configured to look for nearly all common file types (truly identifying the file type rather than just looking at the extension) within all known applications. The direction of the file transfer can also be specified (upload or download) and the rule can be configured to either block the defined file transfer or to generate an alert.


Data Filtering

The Data Filtering profile allows for pattern matches to be identified within data and then 'weighted'. Once certain weight thresholds have been hit, data can be blocked or alerts can be issued. Patterns are defined and identified using regular expressions, and patterns can be configured to look at specific applications and/or file types and in either direction (upload or download) or both.
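To make the weighting mechanism concrete, here is an added illustration (not Palo Alto Networks code, and not the product's own pattern syntax) of regular-expression patterns carrying per-match weights, summed against alert and block thresholds, and applied only in a configured direction. The patterns, weights, thresholds and sample payloads are constructed; the card numbers are well-known test numbers. It also shows one refinement a practitioner would want that the paragraph does not mention: a Luhn check on candidate card numbers, which removes most of the false positives a bare 16-digit regex produces.

```python
"""Weighted pattern matching for data filtering (added example)."""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random digit strings that merely look like card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed profile: (name, regex, weight per match, optional validator).
PATTERNS = [
    ("credit-card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), 4,
     lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 3, None),
    ("keyword", re.compile(r"\b(?:confidential|cardholder)\b", re.I), 1, None),
]

ALERT_THRESHOLD = 3     # assumption
BLOCK_THRESHOLD = 8     # assumption
ENFORCED_DIRECTIONS = {"upload"}   # assumption: profile inspects uploads only


def score(payload: str):
    """Return (total weight, per-pattern hit counts) for one message or file."""
    total, hits = 0, {}
    for name, rx, weight, validate in PATTERNS:
        n = sum(1 for m in rx.findall(payload) if validate is None or validate(m))
        if n:
            hits[name] = n
            total += n * weight
    return total, hits


def decide(payload: str, direction: str = "upload") -> str:
    """Map the weighted score onto the block / alert / allow actions."""
    if direction not in ENFORCED_DIRECTIONS:
        return "allow"                # not inspected in this direction
    total, _ = score(payload)
    if total >= BLOCK_THRESHOLD:
        return "block"
    if total >= ALERT_THRESHOLD:
        return "alert"
    return "allow"


if __name__ == "__main__":
    # Constructed sample payloads.
    samples = [
        "Quarterly numbers look fine, nothing sensitive here",
        "ref 1234 5678 9012 3456",                       # fails Luhn: ignored
        "Order confirmation: card 4111 1111 1111 1111, cardholder Jane Doe",
        "cards 4111111111111111 and 5555555555554444; SSN 123-45-6789 CONFIDENTIAL",
    ]
    for s in samples:
        print(decide(s), score(s), s[:40])
```

The thresholds are where the tuning happens: a single card number in an order confirmation is worth an alert for review, while a bulk export with several card numbers, an SSN and a classification keyword crosses the block line outright.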


Summary

We agree with Palo Alto Networks' idea that a change of attitude is needed when it comes to our firewalls. Implementing rules based on IP addresses and ports doesn't really offer the protection that many people think, and often leads to security policies that can grow beyond control relatively quickly. The ability to create policies based upon users, applications and content seems to make sense - these are the things that the business understands. When security and the business are speaking the same language, that surely has to be a good thing. If we can also do this with high performance on a single platform, then all the better.

Some people, of course, are going to want to retain best-of-breed solutions for performing the various different functions of perimeter security - for example, Blue Coat for URL filtering, Sourcefire for IDP functionality and an SSL VPN from the likes of Juniper or F5. These solutions are specialists in their areas and have functionality above and beyond that which Palo Alto Networks can provide. For many, the additional functionality that a specialist solution provides over Palo Alto Networks' offering may not be relevant. There are also other factors to consider around the benefits of having these functions on one platform - a single platform to administer, and a single layer of technology means a simpler network infrastructure. There is also the fact that Palo Alto can take the information gathered and give it context - for example, it could take information from its URL filtering policy and then report upon it in the context of users, applications and other content. There are definitely some areas for improvement in the product (which will inevitably come with future version releases), but the visibility that Palo Alto Networks solutions can provide is impressive.

Whilst we may not necessarily be seeing enterprise customers yet using Palo Alto Networks firewalls as their externally facing firewalls on their main Internet connections, it is ideal for branch networks and for securing networks such as those hosting credit card information. As future versions of the product are released and confidence in the product grows, we may well see it deployed on enterprise gateways.