
Saturday, April 20, 2019

Palo Alto Networks - How to Safely Enable Applications - Part II

My previous post details the problems associated with a legacy, layer 4-based security policy approach, and how organizations can move to a layer 7-based positive control model that reduces attack surface in a manual but very methodical way.

If you haven't read that post yet, I would recommend you do so prior to continuing with this one.

With the release of PAN-OS 9.0, a new feature called Policy Optimizer is available. It allows organizations to take the same approach detailed in my previous post, but in a much more automated way.

In the scenario above, there is a rule allowing any application over any port out to the Internet. On the same page (Policies tab), administrators can now navigate to Policy Optimizer to begin migrating legacy rules to App-ID.


Selecting the No App Specified option allows administrators to analyze the applications hitting each security policy rule. Selecting the compare option for a specific rule brings up the following window:


As shown above, 81 different applications have matched the trust-untrust - allow - home rule since it was created. They can now either be added to the existing rule or used to create a clone. From a process standpoint, my recommendation is similar to my previous post: the best option is to create a clone, because anything the new rule misses then falls through to the legacy rule below it (below), providing a failsafe that does not disrupt production traffic. As time goes on, the original rule can slowly be phased out.


This approach essentially provides organizations with a way to take the same methodical approach described in my previous post, but in a more automated way. 

Wednesday, March 7, 2018

Palo Alto Networks - How to Safely Enable Applications - Part I

In the field, I run into the following security policy scenario quite often, because administrators have either just migrated away from a legacy, port-based firewall and/or do not know how to effectively get to the Palo Alto Networks best practice of safe application enablement:


This is a pretty rudimentary example, but it does a good job of illustrating the problem. Every application other than a few known bad ones is being allowed over any port on the network. This results in a very large attack surface (there are many applications over which an attack can be delivered), and blocking unsanctioned applications requires a very manual response (every bad application has to be identified and added to the block rule).

The recommended action is to take the opposite approach, by only allowing applications that are sanctioned by the organization. This results in a much smaller attack surface (anything not explicitly allowed is implicitly denied), and blocking unsanctioned applications is automatic, whether they are known or unknown. All that said, how do we get there? The following methodology can be used in any organization, but it does require buy-in from management in order to determine which applications should be sanctioned vs. unsanctioned.


As shown above, all sanctioned applications are manually defined and added to the first rule. All unsanctioned applications are manually defined and added to the second rule. Finally, all other traffic hits the third rule. The third rule is reserved for applications that are either traversing non-standard ports or have not yet been added to the sanctioned or unsanctioned rules. A custom report referencing the rule can be created and run to gather all applications identified via the Tolerated rule over a certain period of time (e.g., 30 days).
Over time, all applications will be identified and can be added to either the Sanctioned or Unsanctioned rule. There may be some instances where administrators will have to create secondary sanctioned rules for sanctioned applications that traverse non-standard ports (e.g., a web server that is accessed over TCP port 8080). Once you are satisfied, the Unsanctioned and Tolerated rules can be deleted, as anything not explicitly allowed by the Sanctioned rule will be implicitly denied by the default deny rule.
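To make the first-match behaviour of this three-rule layout concrete, here is an added Python model (not PAN-OS code, and not from the original post) of the Sanctioned / Unsanctioned / Tolerated rulebase, the report of what hit the Tolerated rule, and the end state once those apps are migrated and the catch-all rules are deleted. The same top-down logic is what makes the Part II clone-above-legacy approach safe: the legacy any/any rule below the clone plays the role of the Tolerated rule here. Application names, port sets and sample sessions are constructed for illustration.

```python
from collections import defaultdict

# Constructed rulebase model: sanctioned apps map to the ports they are
# expected on, which plays the role of "application-default" on the firewall.
SANCTIONED = {"web-browsing": {80}, "ssl": {443}, "dns": {53}}
UNSANCTIONED = {"bittorrent", "tor"}

def build_rulebase(sanctioned, unsanctioned=None, tolerated=True):
    """Rules in top-down order. Unsanctioned and Tolerated are optional so the
    end state (both deleted, default deny left) can be modelled as well."""
    rules = [("Sanctioned", lambda a, p: p in sanctioned.get(a, ()), "allow")]
    if unsanctioned:
        rules.append(("Unsanctioned", lambda a, p: a in unsanctioned, "deny"))
    if tolerated:
        # Any app over any port is still allowed, but logged for review.
        rules.append(("Tolerated", lambda a, p: True, "allow"))
    return rules

def evaluate(rules, app, port):
    """First match wins, as on the firewall; no match falls to default deny."""
    for name, pred, action in rules:
        if pred(app, port):
            return name, action
    return "default-deny", "deny"

def tolerated_report(rules, sessions):
    """The post's custom report: (app, port) pairs that hit the Tolerated rule."""
    hits = defaultdict(int)
    for app, port in sessions:
        rule, _ = evaluate(rules, app, port)
        if rule == "Tolerated":
            hits[(app, port)] += 1
    return dict(hits)

# Constructed sample traffic (app, destination port) seen over the review period.
SESSIONS = [("web-browsing", 80), ("ssl", 443), ("dns", 53), ("bittorrent", 6881),
            ("web-browsing", 8080), ("web-browsing", 8080), ("slack", 443),
            ("unknown-tcp", 4444)]

if __name__ == "__main__":
    initial = build_rulebase(SANCTIONED, UNSANCTIONED)
    for pair, count in tolerated_report(initial, SESSIONS).items():
        print(f"Tolerated hit: {pair} x{count}")
    # After review: slack is sanctioned and web-browsing on 8080 gets a
    # secondary sanctioned entry; Unsanctioned and Tolerated are then deleted.
    migrated = {**SANCTIONED, "slack": {443}, "web-browsing": {80, 8080}}
    final = build_rulebase(migrated, tolerated=False)
    for app, port in SESSIONS:
        print(app, port, "->", evaluate(final, app, port))
```

In the end state, unknown-tcp on 4444 and bittorrent both land on default deny without anyone having to list them, which is the point of the positive control model.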

This is a great way to migrate from a legacy blacklist, layer 4-based policy approach, to a positive control model that reduces attack surface and leverages the platform the way it was intended. 

My next post details how to leverage the new Policy Optimizer feature (available in PAN-OS 9.0) that makes migrating to App-ID and a positive control model even easier.