Wednesday, March 7, 2018

Palo Alto Networks - How to Safely Enable Applications - Part I

In the field, I tend to run into the following security policy scenario quite often because administrators either just migrated away from a legacy, port-based firewall, and/or they do not know how to effectively get to the Palo Alto Networks best practice of safe application enablement:


This is a pretty rudimentary example, but it does a good job of illustrating the problem. Every application other than a few known bad ones is being allowed over any port on the network. This results in a very large attack surface (there are many applications over which an attack can be delivered), and blocking unsanctioned applications requires a very manual response (every bad application has to be identified and added to the block rule).

The recommended action is to take the opposite approach, by only allowing applications that are sanctioned by the organization. This results in a much smaller attack surface (anything not explicitly allowed is implicitly denied), and blocking unsanctioned applications becomes automatic (whether the application is known or unknown). All that said, how do we get there? The following methodology can be used in any organization, but it does require buy-in from management in order to determine which applications should be sanctioned vs. unsanctioned.


As shown above, all sanctioned applications are manually defined and added to the first rule. All unsanctioned applications are manually defined and added to the second rule. Finally, all other traffic hits the third rule. The third rule is reserved for applications that are either traversing non-standard ports or have not yet been added to the sanctioned or unsanctioned rules. A custom report referencing the rule can be created and run to gather all applications identified via the Tolerated rule over a certain period of time (e.g. 30 days).



Over time, all applications will be identified and can be added to either the Sanctioned or Unsanctioned rules. There may be some instances where administrators will have to create secondary sanctioned rules for applications that are sanctioned but are traversing non-standard ports (e.g. a web server that is accessed over TCP port 8080). Once you are satisfied, the Unsanctioned and Tolerated rules can be deleted, as anything that is not explicitly allowed in the Sanctioned rule will be implicitly denied by the default deny rule.

This is a great way to migrate from a legacy blacklist, Layer 4-based policy approach to a positive control model that reduces attack surface and leverages the platform the way it was intended.

My next post details how to leverage the new Policy Optimizer feature (available in PAN-OS 9.0) that makes migrating to App-ID and a positive control model even easier.


Palo Alto Networks - Querying Multiple URL Categories at Once

Palo Alto Networks offers a way to query a URL via https://urlfiltering.paloaltonetworks.com/. However, if you want to query multiple URLs at the same time, then you need to leverage the API.
  • Generate the API key for the firewall. See this link for instructions.
  • Create a text file with all the URLs you want to check. For example, create a file called urls.txt with the URLs entered in the following format:
www.google.com
www.facebook.com
www.yahoo.com
purple.com
chase.com

  • Create a bash script to query PAN-DB using the text file created in the previous step. For example, create a file called url_checker with the following contents:
#!/bin/bash
# Query PAN-DB for each URL in urls.txt (one URL per line).
# -k skips TLS certificate verification; drop it once the firewall presents a trusted certificate.
while read -r url; do
  curl -k "https://{firewall ip}/api/?type=op&cmd=<test><url>${url}</url></test>&key={api key here}"
done < urls.txt
  • From the command line, run the bash script. For example, in OSX, ./url_checker
  • The output should give you a list of all URLs in the file and their corresponding categories.
SJCMACF0UPG8WM:Desktop smitchell$ ./url_checker
<response cmd="status" status="success"><result>www.google.com search-engines (Base db) expires in 3000 seconds
www.google.com search-engines (Cloud db)
</result></response><response cmd="status" status="success"><result>www.facebook.com social-networking (Base db) expires in 3000 seconds
www.facebook.com social-networking (Cloud db)
</result></response><response cmd="status" status="success"><result>www.yahoo.com internet-portals (Base db) expires in 3000 seconds
www.yahoo.com internet-portals (Cloud db)
</result></response><response cmd="status" status="success"><result>purple.com home-and-garden (Base db) expires in 0 seconds
purple.com home-and-garden (Cloud db)
</result></response><response cmd="status" status="success"><result>chase.com financial-services (Base db) expires in 9000 seconds
chase.com financial-services (Cloud db)
</result></response>SJCMACF0UPG8WM:Desktop smitchell$
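As an added example (not part of the original post or of Palo Alto Networks' own tooling), the following Python builds the same op-command query with the XML and key properly percent-encoded, then parses the concatenated <response> output shown above into per-URL Base db and Cloud db categories, and goes one step beyond the post by flagging URLs where the cached Base db answer disagrees with the Cloud db answer. The sample output is constructed in the page's format; the example.test entry is made up.

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample in the shape of the url_checker output above: one
# <response> document per queried URL, concatenated with no common root.
# The example.test entry is made up to show a Base/Cloud disagreement.
SAMPLE_OUTPUT = (
    '<response cmd="status" status="success"><result>www.google.com search-engines (Base db) expires in 3000 seconds\n'
    'www.google.com search-engines (Cloud db)\n</result></response>'
    '<response cmd="status" status="success"><result>purple.com home-and-garden (Base db) expires in 0 seconds\n'
    'purple.com home-and-garden (Cloud db)\n</result></response>'
    '<response cmd="status" status="success"><result>example.test unknown (Base db) expires in 0 seconds\n'
    'example.test financial-services (Cloud db)\n</result></response>'
)

# Matches "<url> <category> (Base|Cloud db)[ expires in N seconds]"
LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+\((Base|Cloud) db\)(?: expires in (\d+) seconds)?$')

def build_query(firewall, url, api_key):
    """Build the op-command request URL with the XML and key percent-encoded."""
    cmd = f'<test><url>{escape(url)}</url></test>'  # escape keeps the XML well-formed
    return f'https://{firewall}/api/?' + urllib.parse.urlencode(
        {'type': 'op', 'cmd': cmd, 'key': api_key})

def parse_results(raw):
    """Map each URL to its Base db / Cloud db category and cache TTL in seconds."""
    root = ET.fromstring(f'<batch>{raw}</batch>')  # wrap: the output has no single root
    results = {}
    for resp in root.findall('response'):
        if resp.get('status') != 'success':
            continue  # skip failed lookups rather than mis-parsing them
        for line in (resp.findtext('result') or '').splitlines():
            m = LINE_RE.match(line.strip())
            if not m:
                continue
            url, category, db, ttl = m.groups()
            entry = results.setdefault(url, {})
            entry[db.lower()] = category
            if ttl is not None:
                entry['expires'] = int(ttl)  # 0 means the cached Base db entry is stale
    return results

def mismatches(results):
    """URLs whose cached Base db category differs from the Cloud db answer."""
    return sorted(u for u, r in results.items()
                  if 'base' in r and 'cloud' in r and r['base'] != r['cloud'])
```

A URL listed by mismatches() is the one to re-check before relying on the category in a URL filtering policy, since the firewall's cached answer has drifted from the cloud answer.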