PALO ALTO FEATURES:
1. Application identification:
Palo Alto Next Generation Firewall: All traffic that passes through the Palo Alto firewall is classified by application, regardless of protocol, port, or whether it is encrypted, and security policy is written in terms of applications rather than ports. App-ID does not rely on a single signature database; it uses four mechanisms in combination to determine exactly which application is active. Note that identification may take several packets: a session is often first seen as a generic application such as web-browsing or ssl and is re-classified as more data arrives, so policy has to account for the generic application as well as the specific one.
– Application protocol detection and decryption: detect the application protocol (HTTP, HTTPS, FTP, …) and, where a decryption policy applies, decrypt SSL/TLS and SSH so that the following stages see cleartext.
– Application protocol decoding: parse the detected protocol (HTTP, SSL/TLS, SSH, …) to find applications carried inside it and to expose the fields that signatures match on.
– Application signatures: match the decoded traffic against signatures to identify the specific application or site, for example Google or Facebook.
– Heuristics: behavioural analysis for traffic that evades the stages above (for example peer-to-peer or tunnelling applications that use proprietary encryption); the application is identified by how the traffic behaves rather than by what it contains.
Other firewalls: Other firewalls are built on the older architecture, in which application recognition is only an additional layer behind the traditional firewall module. Before application recognition runs, the traffic has already been classified and processed by port and protocol, and the recognition itself is purely matching against samples in a database.
Application recognition is usually an add-on for which the customer pays an annual license fee.
2. Control unknown applications:
These unknown applications may be newly developed or in-house applications, or malware and tunnelling tools that deliberately avoid looking like anything known.
Palo Alto Next Generation Firewall: By default, all traffic passing through the Palo Alto firewall is classified by application. Traffic that cannot be matched to a known application is classified as unknown (for example unknown-tcp or unknown-udp), is written to the traffic log, and can be blocked or allowed by policy as the administrator decides. In practice the sensible baseline is to deny unknown-tcp and unknown-udp on internet-facing rules and to write custom App-IDs for the legitimate in-house applications that show up there.
Other firewalls: Because such a product is still fundamentally a traditional firewall, the application recognition module is bolted on behind it and works like an IPS: it controls only what it recognizes, and whatever it does not recognize is passed. If an unknown application runs on a port or protocol that the traditional firewall layer allows, it passes through the system without being detected or logged.
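As an added illustration of the two points above (my own Python, not code from the page or from Palo Alto Networks), the port-independent classification of section 1 and the explicit handling of unknown traffic in section 2: the classifier looks only at the first client payload of a session, doing protocol detection by bytes (stage 1), decoding a TLS ClientHello to pull out the SNI (stage 2), matching the hostname against a constructed signature table (stage 3), and then applying a constructed rulebase in which anything it cannot name becomes unknown-tcp with its own logged deny rule. The application names, signature table, rule names, addresses and sample flows are illustrative assumptions; the heuristic stage (4) is not modelled.

```python
import re

# Constructed signature table (hostname suffix -> application). Illustrative only;
# this is not the App-ID database.
SITE_SIGNATURES = {"facebook.com": "facebook", "google.com": "google"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def _u16(b, i):
    return int.from_bytes(b[i:i + 2], "big")


def decode_tls_client_hello(payload):
    """Stage 2 (protocol decoding): parse a TLS ClientHello and return {"sni": name}
    (name may be None); return None if the bytes are not a ClientHello at all."""
    try:
        if payload[0] != 0x16:                      # record type: handshake
            return None
        hs = payload[5:5 + _u16(payload, 3)]
        if hs[0] != 0x01:                           # handshake type: client_hello
            return None
        p = 4 + 2 + 32                              # header, client_version, random
        p += 1 + hs[p]                              # session_id
        p += 2 + _u16(hs, p)                        # cipher_suites
        p += 1 + hs[p]                              # compression_methods
        end = p + 2 + _u16(hs, p)                   # extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = _u16(hs, p), _u16(hs, p + 2)
            p += 4
            if etype == 0 and hs[p + 2] == 0:       # server_name ext, host_name entry
                return {"sni": hs[p + 5:p + 5 + _u16(hs, p + 3)].decode("ascii")}
            p += elen
        return {"sni": None}
    except (IndexError, UnicodeDecodeError):
        return None


def _site_app(hostname):
    """Stage 3 (signatures): map a hostname to a known application, or None."""
    host = (hostname or "").lower().rstrip(".")
    for suffix, app in SITE_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None


def identify_app(payload):
    """Classify a session from its first client payload. The destination port is
    not an input at all: the decision comes from the bytes."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    hello = decode_tls_client_hello(payload)
    if hello is not None:
        return _site_app(hello["sni"]) or "ssl"
    if HTTP_REQUEST.match(payload):
        host = re.search(rb"\r\nHost: *([^\r\n]+)", payload)
        return (_site_app(host.group(1).decode("ascii", "replace")) if host else None) or "web-browsing"
    return "unknown-tcp"        # nothing above fits: named, logged, and subject to policy


# Constructed rulebase keyed on application, first match wins, implicit deny last.
# Unknown traffic gets an explicit rule instead of being waved through on its port.
POLICY = [
    ("allow-web", {"web-browsing", "ssl", "google"}, "allow"),
    ("block-social", {"facebook"}, "deny"),
    ("block-unknown", {"unknown-tcp"}, "deny"),
]


def apply_policy(app, src_ip, dst_port):
    for name, apps, action in POLICY:
        if app in apps:
            break
    else:
        name, action = "implicit-deny", "deny"
    log = f"src={src_ip} dport={dst_port} app={app} rule={name} action={action}"
    return {"app": app, "rule": name, "action": action, "log": log}


def build_client_hello(server_name):
    """Constructed test input: a minimal TLS 1.2 ClientHello with one SNI entry."""
    name = server_name.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    ext = b"\x00\x00" + (len(entry) + 2).to_bytes(2, "big") + len(entry).to_bytes(2, "big") + entry
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


# Constructed sample flows: (src, dst_port, first client payload).
SAMPLE_FLOWS = [
    ("10.1.1.5", 8080, b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),  # social site, odd port
    ("10.1.1.5", 8443, build_client_hello("mail.google.com")),                # TLS, named by SNI
    ("10.1.1.9", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),                            # SSH on the HTTPS port
    ("10.1.1.9", 80, b"\x00\x11\x22\x33\x44\x55\x66\x77"),                    # nothing App-ID can name
]


def classify_flows(flows=SAMPLE_FLOWS):
    return [apply_policy(identify_app(payload), src, port) for src, port, payload in flows]


if __name__ == "__main__":
    for decision in classify_flows():
        print(decision["log"])
```

Running it prints one log line per flow: the Facebook request on port 8080 hits block-social, the TLS session on 8443 is allowed as google, SSH on port 443 falls to the implicit deny because no rule names it, and the unclassifiable bytes on port 80 are denied and logged by block-unknown rather than passed because port 80 is open.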
3. User Identification:
Palo Alto Next Generation Firewall: User identification (User-ID) is built into the device. It obtains user-to-IP mappings not only from Active Directory, Exchange and LDAP but also from syslog servers, authentication tools, and directly from the Captive Portal for users who log in there.
Beyond individual users, Palo Alto also synchronizes group membership, so policy can be written against user groups rather than individual users, which is faster to set up and easier to maintain. An IP-to-user mapping is only as trustworthy as its source and its timeout: a shared address (NAT, terminal server) or a stale mapping attributes one user's traffic to another, so check the mapping sources and timeouts before writing permissive user-based rules.
Other firewalls: The input sources are limited; some products identify individual users but not groups, and vendors often charge an additional license fee for the user identification feature.
4. Control of encrypted data:
Palo Alto Next Generation Firewall: Built on a new architecture, the Palo Alto Next Generation Firewall includes dedicated hardware for handling encrypted traffic, so SSL/TLS and SSH decryption can be enabled without the drop in performance seen on general-purpose hardware.
Decrypted traffic is subject to the same application, user and content controls as cleartext, enforcing company policy and exposing threats hidden inside encrypted sessions. Decryption is never free, though: check the platform's throughput figures with decryption enabled, and expect to exclude sites that use certificate pinning or that policy (for example banking or health) requires you not to inspect.
Other firewalls: With no dedicated decryption hardware in the older architecture, enabling the SSH/SSL decryption feature sharply reduces processing speed.
5. Real-time threat prevention:
Identifying and controlling applications with App-ID only partly solves the visibility and control problem administrators face in today's Internet environment. The next challenge is inspecting the content of the application traffic that policy allows into the system. Content-ID addresses this with threat prevention (anti-malware, anti-virus, IPS), URL filtering and data filtering.
Gateway threat-prevention products of the proxy type buffer the entire payload (the whole file) before scanning it for viruses, spyware and malware, which adds latency. Lacking high-speed processing, businesses end up relying on several separate appliances, which makes management harder.
Palo Alto firewall integrates Threat Prevention into the firewall with the following features:
– Detect and block viruses, spyware, worms, and application vulnerabilities
– Control the transfer of files or sensitive information out of the system
– High processing speed.
– Reduce operating and administrative costs with one management interface
Palo Alto's threat prevention uses stream-based scanning: scanning starts as soon as the first packet of a stream arrives, rather than waiting for the complete file as file-based scanning does. And instead of scanning the data several times for different threat types, Palo Alto uses a uniform signature format so that many threat types (viruses, malware, spyware, application vulnerabilities, and so on) are found in a single scan.
In addition, the application vulnerability protection function combines many IPS features to prevent attacks that exploit security vulnerabilities at the application and network layers such as buffer overflow, DoS, port scan. IPS mechanisms include:
– Protocol anomaly detection
– Stateful pattern matching
– Statistical anomaly detection
– Heuristic-based analysis
– Block invalid or malformed packets
– IP defragmentation and TCP reassembly
Palo Alto's threat prevention is made practical by low latency and the ability to handle large volumes of traffic, thanks to parallel processing and the software design above. The threat-prevention mechanism relies heavily on application identification to trace the source of a threat accurately and efficiently: a threat is logged against the application and user it arrived in, not just a port.
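As an added example (my own Python, not the page's or Palo Alto's engine) of the stream-based, single-scan idea above: every signature is compiled into one automaton, each packet is scanned as it arrives, and only a carry-over of (longest signature - 1) bytes is retained so that a signature split across packets is still found, with the file never buffered in full. The EICAR string is the standard anti-virus test string; the second signature and the sample stream are constructed for the example and are not vendor signatures.

```python
import re

# Two illustrative signatures. The first is the EICAR anti-virus test string; the
# second is a constructed pattern standing in for a command-injection signature.
SIGNATURES = {
    "eicar-test-file": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "constructed-cmd-spawn": b"cmd.exe /c powershell",
}


class StreamScanner:
    """Stream-based scanning: all signatures live in one automaton and each packet
    is scanned on arrival. Only the last (longest signature - 1) bytes are carried
    over so matches that straddle packets are still found; the file itself is
    never assembled, unlike a file-based (proxy) scanner."""

    def __init__(self, signatures):
        self.names = list(signatures)
        self._rx = re.compile(b"|".join(b"(" + re.escape(signatures[n]) + b")" for n in self.names))
        self._carry_len = max(len(p) for p in signatures.values()) - 1
        self._carry = b""          # tail of the previous packets
        self._offset = 0           # absolute stream offset of self._carry[0]
        self.hits = []             # (signature name, absolute offset)
        self.max_buffered = 0      # largest window ever held in memory

    def feed(self, chunk):
        data = self._carry + chunk
        self.max_buffered = max(self.max_buffered, len(data))
        boundary = len(self._carry)
        for m in self._rx.finditer(data):
            if m.end() <= boundary:
                continue           # entirely inside the carry: reported by an earlier feed
            self.hits.append((self.names[m.lastindex - 1], self._offset + m.start()))
        keep = min(self._carry_len, len(data))
        self._offset += len(data) - keep
        self._carry = data[len(data) - keep:]
        return self.hits


def scan_stream(chunks, signatures=SIGNATURES):
    """Scan an iterable of packets; returns (hits, max bytes held at any time)."""
    scanner = StreamScanner(signatures)
    for chunk in chunks:
        scanner.feed(chunk)
    return scanner.hits, scanner.max_buffered


# Constructed sample: an HTTP response body carrying both patterns, delivered in
# 20-byte packets so each signature straddles several of them.
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\n\r\n" + SIGNATURES["eicar-test-file"] + b"\n"
                 + SIGNATURES["constructed-cmd-spawn"] + b"\n")
SAMPLE_PACKETS = [SAMPLE_STREAM[i:i + 20] for i in range(0, len(SAMPLE_STREAM), 20)]

if __name__ == "__main__":
    hits, buffered = scan_stream(SAMPLE_PACKETS)
    print(hits, "max bytes held:", buffered, "of", len(SAMPLE_STREAM))
```

The test of the design is that the hits and their offsets are identical whatever the packet size, while the memory held never exceeds one packet plus the carry; a real engine would use an Aho-Corasick style automaton with thousands of patterns, but the boundary handling is the same.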
6. Appliance-based URL Filtering:
Monitoring and controlling web browsing is a key element in protecting the corporate network from security risks and policy violations. IT departments, however, struggle with proxy-based solutions that limit their ability to enforce policy.
Palo Alto's URL Filtering is designed to be both effective and easy to use:
– Track web browsing activity without affecting response time or the user experience.
– Allow/deny decisions for sites are enforced in-line, in real time.
– The number of users can grow without buying additional per-user licenses, as many proxy products require.
– Apply QoS to manage bandwidth per site or URL category. This matters when users consume media sites such as YouTube, so that business traffic keeps its bandwidth.
– Apply SSL decryption so that the same control and filtering apply when users browse over HTTPS.
– Apply URL filtering policy even when users try to reach a site through Google's translation feature or through a search engine's cached copy of the page rather than directly.
– The database can be customized flexibly by the administrator (custom categories and overrides).
Palo Alto integrates a database of over 20 million URLs in over 76 categories into the firewall, adding URL-based controls to the rule-based application controls. This helps the business comply with a number of standards, raises productivity and reduces the risk of harm to corporate resources.
If a requested URL is not in the on-box database, the firewall can query a larger database of over 180 million URLs; the answer is then stored in a separate, dynamic on-box cache of up to 1 million URLs. A URL found in neither database is returned as unknown, so decide explicitly how policy should treat the unknown category.
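As an added example (my own Python, not the product's code) of the unwrap-then-categorize step behind the translation/cache bullet and the database lookup above. The wrapper URL formats (translate.google.com/translate?u=<target>, *.translate.goog hostnames with the dots of the real host replaced by hyphens, and webcache.googleusercontent.com/search?q=cache:<target>) are assumptions about how those public services have been observed to form URLs, not something the page states; the category database, blocked categories and sample URLs are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed local category database (registrable domain -> category) and the
# categories policy blocks. Illustrative only; not the vendor's database.
LOCAL_URL_DB = {
    "youtube.com": "streaming-media",
    "facebook.com": "social-networking",
    "example.org": "business-and-economy",
}
BLOCKED_CATEGORIES = {"social-networking"}


def effective_url(url):
    """Unwrap translation and cache wrappers so policy is applied to the site the
    user actually reads. Wrapper formats are assumptions about those services:
      translate.google.com/translate?...&u=<target>
      <host with dots as hyphens>.translate.goog/<path>
      webcache.googleusercontent.com/search?q=cache:<target>"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    qs = parse_qs(parts.query)
    if host == "translate.google.com" and "u" in qs:
        return effective_url(qs["u"][0])                    # recurse: wrappers can nest
    if host.endswith(".translate.goog"):
        label = host[: -len(".translate.goog")]
        # "--" stands for a literal hyphen, a single "-" for a dot
        real = label.replace("--", "\0").replace("-", ".").replace("\0", "-")
        return "https://" + real + parts.path
    if host == "webcache.googleusercontent.com":
        q = qs.get("q", [""])[0]
        if q.startswith("cache:"):
            target = q[len("cache:"):]
            return effective_url(target if "://" in target else "http://" + target)
    return url


def _registrable(host):
    # naive "last two labels" form; enough for the sample database above
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def categorize(url):
    """Look the unwrapped URL's domain up in the local database; anything not
    present comes back as unknown so that policy can treat it explicitly."""
    host = urlsplit(effective_url(url)).hostname or ""
    return LOCAL_URL_DB.get(_registrable(host), "unknown")


def url_decision(url):
    category = categorize(url)
    return {"url": url, "effective": effective_url(url), "category": category,
            "action": "block" if category in BLOCKED_CATEGORIES else "allow"}


if __name__ == "__main__":
    for u in ("https://www.facebook.com/groups",
              "https://translate.google.com/translate?sl=auto&tl=en&u=https%3A%2F%2Fwww.facebook.com%2Fgroups",
              "https://www-facebook-com.translate.goog/groups?_x_tr_sl=auto",
              "https://webcache.googleusercontent.com/search?q=cache:www.facebook.com/groups"):
        print(url_decision(u))
```

All four sample requests resolve to the same effective site and get the same block decision; translate.google.com itself stays allowed, because the point is to categorize the target, not the translation service.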
7. One Policy Mechanism:
Palo Alto Next Generation Firewall: With Palo Alto, a single security policy rule carries all of the decisions about a flow:
– Application: allow or block the application
– Security zone and address (source and destination)
– User information: user or user group
– Content scanning: anti-virus, anti-spyware, IPS (vulnerability protection), file filtering and URL filtering, attached as profiles to the same rule
The administrator therefore sets up a single Security Policy in a single window.
Other firewalls: Several policies have to be set up separately in different places. For example:
– Firewall policies to open ports for incoming traffic
– Policies for enabling and disabling the IPS
– Policies for enabling web filtering
– Policies for enabling the Anti-Virus and Anti-Spyware features.
Because these policies are separate, they take longer to configure and frequently conflict with one another.
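As an added example tying section 3 (User-ID) to the single-rule policy of section 7 (my own Python, not PAN-OS code): IP-to-user mappings are replayed from constructed syslog lines in a made-up logon/logoff format, group membership comes from a constructed directory table, and one rulebase decides zone, user group, application, action and the attached scanning profiles in a single first-match lookup. All names, addresses, rules and profile names are illustrative assumptions.

```python
import re
from dataclasses import dataclass

# Constructed syslog lines in a made-up logon/logoff format standing in for a
# domain controller feed; User-ID would read AD, syslog or captive-portal events.
SAMPLE_SYSLOG = """\
Jan 10 09:12:01 dc1 logon: user=alice src=10.1.1.5
Jan 10 09:13:44 dc1 logon: user=bob src=10.1.1.9
Jan 10 09:20:02 dc1 logoff: user=alice src=10.1.1.5
Jan 10 09:21:30 dc1 logon: user=alice src=10.1.2.7
"""
# Constructed group membership (would come from the directory).
GROUPS = {"alice": {"finance", "domain-users"}, "bob": {"engineering", "domain-users"}}

EVENT_RE = re.compile(r"(?P<event>logon|logoff): user=(?P<user>\S+) src=(?P<ip>\S+)")


def build_ip_user_map(syslog_text):
    """Replay events in order: the mapping must reflect the latest event for an
    address, and a logoff removes it, otherwise the next user of that address
    inherits the previous user's permissions."""
    mapping = {}
    for line in syslog_text.splitlines():
        m = EVENT_RE.search(line)
        if m is None:
            continue
        if m["event"] == "logon":
            mapping[m["ip"]] = m["user"]
        else:
            mapping.pop(m["ip"], None)
    return mapping


@dataclass
class Rule:
    name: str
    from_zone: str          # "any" matches every zone
    to_zone: str
    source_group: str       # user group, or "any"
    application: str
    action: str
    profiles: tuple = ()    # scanning profiles attached to this same rule


# Constructed single rulebase: zone, user group, application, action and the
# content-scanning profiles are all decided by one rule; first match wins.
RULEBASE = [
    Rule("finance-saas", "trust", "untrust", "finance", "ssl", "allow",
         ("antivirus", "anti-spyware", "vulnerability", "url-filtering")),
    Rule("block-social", "trust", "untrust", "any", "facebook", "deny"),
    Rule("staff-web", "trust", "untrust", "domain-users", "web-browsing", "allow",
         ("antivirus", "url-filtering", "file-blocking")),
    Rule("block-unknown", "any", "any", "any", "unknown-tcp", "deny"),
]


def _match(field, actual):
    return field == "any" or field == actual


def evaluate(rulebase, ip_user, from_zone, to_zone, src_ip, app):
    """One lookup returns the rule, its action and its profiles together."""
    user = ip_user.get(src_ip, "unknown")
    groups = GROUPS.get(user, set())
    for r in rulebase:
        if not (_match(r.from_zone, from_zone) and _match(r.to_zone, to_zone)):
            continue
        if r.source_group != "any" and r.source_group not in groups:
            continue
        if not _match(r.application, app):
            continue
        return {"rule": r.name, "action": r.action, "user": user, "profiles": list(r.profiles)}
    return {"rule": "interzone-default", "action": "deny", "user": user, "profiles": []}


if __name__ == "__main__":
    ip_user = build_ip_user_map(SAMPLE_SYSLOG)
    print(ip_user)
    print(evaluate(RULEBASE, ip_user, "trust", "untrust", "10.1.2.7", "ssl"))
    print(evaluate(RULEBASE, ip_user, "trust", "untrust", "10.1.1.5", "web-browsing"))
```

The last call shows why the logoff matters: 10.1.1.5 no longer maps to alice, so a new host at that address is an unknown user and does not inherit her staff-web or finance-saas access.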
8. Tightly integrated components:
Palo Alto Next Generation Firewall:
Logs are an essential part of the system; they tell administrators what has happened and what is happening. But when each individual device has its own log format, linking those logs into one consistent, coherent picture is extremely difficult.
With Palo Alto, the firewall, IPS, anti-virus, data filtering and WildFire components are all built on the same platform, share the same database, and produce logs that are linked and correlated, giving administrators a single, complete view of any object in the system. This matters for day-to-day administration, for threat control, and for forensic investigation, where the trail has to be followed across components.
ACC, the Application Command Center, is Palo Alto's interactive interface for searching and analyzing all the information about an object in the system. Its main view lists the top applications, users, destination addresses, threats, data filtering events and URLs:
Because the view is interactive, the administrator only needs to click on an object to see everything related to it: applications, URL categories, threats, destination addresses and source addresses.
For example, to find everything related to the Web Browsing application:
First, the application itself and the top source addresses (users) using it:
Next, the top destination addresses that users of the Web Browsing application reach, with IP addresses resolved to geographic region (Source Countries, Destination Countries):
Next, the web categories users access and, in particular, the threats associated with the Web Browsing application (viruses, spyware, vulnerability exploits):
Finally, the file types transferred over the Web Browsing application:
Other firewalls: The components operate independently of one another, so their logs are completely separate. Linking them requires a central log management tool, which has many limitations and causes a great deal of inconvenience for administrators.
Advanced, powerful architecture
For many years, integrating threat prevention (IPS, anti-virus, anti-spyware) into the firewall has been pursued in order to reduce the number of devices and the cost. Today's UTM firewalls aim at this integration, but they run into the limits of the device's processing capacity: the firewall function alone handles very high throughput, yet once the other security features are enabled, capacity drops sharply and latency grows.
Optimal data processing:
Palo Alto introduced the single pass parallel processing architecture to address these integration and performance problems: a single pass approach to packet processing, combined with hardware designed for parallel processing.
Single pass software:
This processing architecture is unique to Palo Alto. Each packet is scanned once, and that one pass performs all of the following:
– Networking and management
– User-ID: maps IP addresses to user information to identify the user or group
– App-ID: combines the four identification mechanisms. Identification runs alongside Content-ID, which scans and checks the application's content against the configured policy.
– Content-ID: a hardware-accelerated signature matching engine used to scan for data (such as credit card numbers, ID numbers or other predefined patterns), for threats (vulnerability exploits, viruses, spyware), and for URL categories to perform URL filtering.
– Policy engine: using the networking, management, User-ID, App-ID and Content-ID results, the policy engine applies the matching rule. Palo Alto has only one policy table, which makes management policy easy to design.
Other firewalls: Packets are processed sequentially through each module, and each module has its own, completely separate packet processing. At the firewall layer, for example, an arriving packet is unpacked, passed through the networking stage, checked for port, IP and protocol, then compared against the firewall policy; if it is permitted it is repackaged and sent to the next module.
At the next module the packet is unpacked again, the port and protocol information is checked again, and only then is that module's own inspection performed. The process repeats until the packet leaves the device.
Inspecting in so many layers and repeating so many steps increases latency, lowers system performance, and leaves the components in the same device without a coherent view of each other's results.
High-speed dedicated hardware:
Palo Alto's hardware is designed to process tasks in parallel, with each task handled by its own processor.
Networking: flow control, routing, ARP, NAT and so on are performed on dedicated network processors.
User-ID, App-ID and the policy engine run on a multicore security processor, with hardware acceleration for encryption, decryption and decompression.
Content-ID performs signature matching on FPGA hardware with dedicated memory.
Management: configuration, logging and reporting run on a dedicated control-plane processor, separate from the data plane that processes traffic.
Other firewalls: Other firewalls still operate essentially like a server, with one central processor performing all tasks.
Separating the control plane from the data plane not only gives Palo Alto very high processing performance even when running a series of heavy tasks at once (application identification, virus scanning, IPS, even SSL/SSH decryption), but also makes the device more resilient under attack. When a traditional firewall is hit by a very high-rate DDoS, the volume of attack traffic can overload the whole system: the administrator can no longer reach the management interface, and the device may even hang.
On Palo Alto, the task-specific hardware processes traffic far faster than general-purpose processors, and because the control plane is completely separate from the data plane, the administrator can still reach the management interface even when the device is running at full capacity, to find the attack source and stop it in time. Note that the separation protects management access during an attack; the data plane can still be saturated, so DoS protection profiles and upstream capacity still matter.
9. Built-in advanced reporting tools:
Palo Alto Next Generation Firewall: Palo Alto has a built-in report export tool supporting several formats (PDF, XML, CSV) and flexible customization of report content to suit the organization's needs. It also includes a wide range of report templates so that administrators can produce reports quickly and conveniently.
Other firewalls: Most other firewalls require an external tool to generate such reports, and many require additional licensing for it.
User activity report:
In addition to general reports, Palo Alto can export detailed per-user reports, for example:
Application usage: the types of applications the user uses, with the category, bandwidth, number of sessions and risk level of each application:
Summary of web browsing activity by category, with the bandwidth used by those applications:
Summary of the websites the user visited:
Detailed summary of user activity with the time, URL and category of each request:
