<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Block privileged accounts from accessing the Internet in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-privileged-accounts-from-accessing-the-internet/m-p/584105#M3004</link>
    <description>&lt;P&gt;You mean like using User-ID or something different?&lt;/P&gt;</description>
    <pubDate>Wed, 17 Apr 2024 22:29:54 GMT</pubDate>
    <dc:creator>rmfalconer</dc:creator>
    <dc:date>2024-04-17T22:29:54Z</dc:date>
    <item>
      <title>Block privileged accounts from accessing the Internet</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-privileged-accounts-from-accessing-the-internet/m-p/584083#M3003</link>
      <description>&lt;P&gt;My company wants to block privileged accounts from accessing the internet on our servers using the Palo Alto firewalls.&amp;nbsp; My first thought was to allow certain apps like ms-update and things of that nature to allow the access, then block http and https right under that rule, but I'm not sure that would work.&amp;nbsp; The company actually wants the privileged accounts blocked, not the servers themselves.&amp;nbsp; Is there an easy solution on the Palo Alto firewalls for this?&lt;/P&gt;</description>
      <pubDate>Wed, 17 Apr 2024 17:56:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-privileged-accounts-from-accessing-the-internet/m-p/584083#M3003</guid>
      <dc:creator>M.Stephens269491</dc:creator>
      <dc:date>2024-04-17T17:56:29Z</dc:date>
    </item>
    <item>
      <title>Re: Block privileged accounts from accessing the Internet</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-privileged-accounts-from-accessing-the-internet/m-p/584105#M3004</link>
      <description>&lt;P&gt;You mean like using User-ID or something different?&lt;/P&gt;</description>
      <pubDate>Wed, 17 Apr 2024 22:29:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-privileged-accounts-from-accessing-the-internet/m-p/584105#M3004</guid>
      <dc:creator>rmfalconer</dc:creator>
      <dc:date>2024-04-17T22:29:54Z</dc:date>
    </item>
    <item>
      <title>Re: Block privileged accounts from accessing the Internet</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-privileged-accounts-from-accessing-the-internet/m-p/584122#M3007</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/827600679"&gt;@M.Stephens269491&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;It sounds like what you're asking for is the ability to block &lt;EM&gt;user &lt;/EM&gt;traffic for that privileged account while still allowing the server to send out everything else it's doing, unaffected by any block you implement for the &lt;EM&gt;user &lt;/EM&gt;account, correct? If that's correct, the firewall isn't smart enough to do that. User-ID mapping is a one-to-one relationship; the firewall can't identify whether traffic attempting to traverse the network was spawned by the privileged account or some other server process. There are other agent-based products that could block network traffic at this level before it leaves the host, but it isn't something that you could set up on the firewall itself.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What I would generally recommend doing on servers is limiting traffic to required resources, especially to the internet. Broadly speaking, a server shouldn't have wide open access to the internet regardless of which user is identified on it from a user-id aspect. They should be profiled to determine what they &lt;EM&gt;need &lt;/EM&gt;access to and only ever have access to those resources.&lt;/P&gt;
&lt;P&gt;You can accomplish this on the firewall through setting up categories for web resources and only allowing them to the categories that they require. You can accomplish this through custom URL categories and limiting access from the server to the identified categories, and it becomes a lot easier if you set up some tags and grouping so that a "Windows-Server" would automatically have access to resources like Microsoft or SCCM for updating, while an "Ubuntu-Server" would have access to apt-get and a "RedHat-Server" would get access to yum and so forth. This allows you to have broader rules to capture common traffic and more targeted rules for your servers specific to their dedicated access requirements.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What it &lt;EM&gt;sounds &lt;/EM&gt;like you're being asked for takes a bit of time to actually accomplish and is something that really should be implemented system by system if you weren't previously doing it and don't want to break anything. You'll find a lot of traffic that needs to be allowed for systems to function properly that wouldn't be directly obvious if you don't stop and think about it carefully (i.e., you'll need to allow OCSP traffic on mail nodes to check certificate status).&lt;/P&gt;
&lt;P&gt;If you just create a rule to allow ms-update traffic and drop all other traffic for all of your servers, you're likely going to break functionality in anything but the most basic environment. Depending on what you're actually after, you'll either need to spend a lot of time to get set up properly with just your firewall, or spend a lot of time &lt;EM&gt;and &lt;/EM&gt;money and get something on the endpoint that can identify what is actually sending the traffic on the endpoint.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Apr 2024 23:36:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/block-privileged-accounts-from-accessing-the-internet/m-p/584122#M3007</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2024-04-17T23:36:20Z</dc:date>
    </item>
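The two points in the reply above, that User-ID gives the firewall one user per source IP and no process identity, and that tag-based groups plus custom URL categories let you profile egress per server type, can be shown with a small model of a first-match rulebase. The following is an added example written for this page; it is not code from the thread or from Palo Alto Networks, and it only imitates the matching semantics. The tag names, addresses, hostnames, category contents, App-ID labels (ms-update, ssl, web-browsing, apt-get, yum, ocsp) and flows are constructed for illustration; on a real firewall the tags would be resolved by dynamic address groups and the categories by the URL filtering engine.

```python
"""Model of a first-match security rulebase in the style of the thread's discussion.
Added example, not from the forum post or from Palo Alto Networks. Everything below
(hosts, tags, categories, App-ID labels, flows) is constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed inventory: tags drive group membership (like dynamic address groups).
HOST_TAGS = {
    "10.0.1.10": {"Windows-Server", "Server"},
    "10.0.1.20": {"Ubuntu-Server", "Server"},
    "10.0.1.30": {"RedHat-Server", "Server", "Mail-Node"},
}
# User-ID is one user per IP: the mapping carries no information about which
# process on the host generated a given session.
IP_USER_MAP = {"10.0.1.10": r"corp\svc-admin"}

# Constructed custom URL categories (hostnames stand in for URL patterns).
URL_CATEGORIES = {
    "Microsoft-Update": {"windowsupdate.microsoft.com", "sccm.corp.example"},
    "Ubuntu-Mirrors": {"archive.ubuntu.com", "security.ubuntu.com"},
    "RedHat-Mirrors": {"cdn.redhat.com"},
    "OCSP-Responders": {"ocsp.digicert.com", "ocsp.pki.goog"},
}

@dataclass
class Flow:
    src: str
    dst_host: str
    app: str                      # App-ID label as the firewall would classify it
    user: Optional[str] = None    # filled in from IP_USER_MAP during evaluation

@dataclass
class Rule:
    name: str
    action: str                                        # "allow" or "deny"
    src_tags: set = field(default_factory=set)         # any-of; empty means any
    apps: set = field(default_factory=set)             # empty means any
    categories: set = field(default_factory=set)       # empty means any
    users: set = field(default_factory=set)            # empty means any

def categories_for(host: str) -> set:
    return {c for c, hosts in URL_CATEGORIES.items() if host in hosts}

def matches(rule: Rule, flow: Flow) -> bool:
    tags = HOST_TAGS.get(flow.src, set())
    return (
        (not rule.src_tags or not rule.src_tags.isdisjoint(tags))
        and (not rule.apps or flow.app in rule.apps)
        and (not rule.categories or not rule.categories.isdisjoint(categories_for(flow.dst_host)))
        and (not rule.users or flow.user in rule.users)
    )

def evaluate(rulebase: list, flow: Flow) -> tuple:
    """First match wins; anything unmatched falls to the implicit interzone deny."""
    flow.user = IP_USER_MAP.get(flow.src)
    for rule in rulebase:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "interzone-default"

# The original poster's idea: allow ms-update, then block web-browsing/ssl for the
# privileged user. Because the user is mapped to the whole IP, this also hits the
# server's own background sessions.
NAIVE = [
    Rule("allow-ms-update", "allow", {"Server"}, {"ms-update"}),
    Rule("block-admin-web", "deny", {"Server"}, {"web-browsing", "ssl"}, users={r"corp\svc-admin"}),
]

# The reply's approach: profile each server type and allow only the categories it
# needs, with one broad rule for traffic every server needs (OCSP) and a final deny.
PROFILED = [
    Rule("ocsp-all-servers", "allow", {"Server"}, {"ocsp"}, {"OCSP-Responders"}),
    Rule("windows-updates", "allow", {"Windows-Server"}, {"ms-update", "ssl", "web-browsing"}, {"Microsoft-Update"}),
    Rule("ubuntu-apt", "allow", {"Ubuntu-Server"}, {"apt-get", "web-browsing", "ssl"}, {"Ubuntu-Mirrors"}),
    Rule("redhat-yum", "allow", {"RedHat-Server"}, {"yum", "ssl"}, {"RedHat-Mirrors"}),
    Rule("deny-servers-outbound", "deny", {"Server"}),
]

if __name__ == "__main__":
    # Constructed flows from the same Windows host: a background TLS session to the
    # update CDN and an interactive browser session. The firewall sees the same
    # source IP and the same mapped user for both.
    update = Flow("10.0.1.10", "windowsupdate.microsoft.com", "ssl")
    browse = Flow("10.0.1.10", "news.example.com", "web-browsing")
    print("naive:   ", evaluate(NAIVE, update), evaluate(NAIVE, browse))
    print("profiled:", evaluate(PROFILED, update), evaluate(PROFILED, browse))
```

Under the naive rulebase both flows from 10.0.1.10 end in `block-admin-web`, the update session included, which is the failure mode the reply describes: the firewall has no process identity to distinguish them. Under the profiled rulebase the update session matches `windows-updates` by tag plus category, the browser session falls through to `deny-servers-outbound`, and an Ubuntu host trying the Microsoft category is denied even though the same hostname is allowed for the Windows group.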
  </channel>
</rss>

