topic Re: Thinking of policy PAN-style (instead of Cisco-style) in Automation/API Discussions

Thinking of policy PAN-style (instead of Cisco-style)

gmoerschel — Tue, 04 Jan 2011 13:26:34 GMT

Is there a document or recommended approach that has been written down that provides a starting point for people building a policy from scratch or when converting from a legacy firewall? I'm referring to recommended approaches for building policy based on least privilege for apps instead of port and protocol. For example, let's say you place apps into 2 or 3 categories such as OK, maybe, and definitely not. Then as apps are identified flowing through they can be placed into the OK category if they are needed by the business. Someone in the past must have grouped the top 10 or 15 legitimate biz apps together into a chunk then implemented as a policy line.

Essentially I'm looking for a doc that is entitled something like, "Building policy PAN style when you're used to Cisco ASA (or Juniper or checkpoint)."

Thanks

Re: Thinking of policy PAN-style (instead of Cisco-style)

gregory_zill — Wed, 02 Feb 2011 02:11:56 GMT

I would *really* like more discussion on this. For me it seems apples-to-oranges when comparing/migrating from anything to PAN.

Re: Thinking of policy PAN-style (instead of Cisco-style)

mharding — Tue, 22 Feb 2011 19:12:53 GMT

We started out building port policies. Then after traffic was generated, we converted them to app rule.

Re: Thinking of policy PAN-style (instead of Cisco-style)

LCMember1607 — Wed, 23 Feb 2011 20:49:41 GMT

+1 on that!

Re: Thinking of policy PAN-style (instead of Cisco-style)

migration — Tue, 08 Mar 2011 15:19:12 GMT

I love gmoerschel's approach. I am a large non-profit in a major arena (extremely high profile)...we too have Cisco ASA's as our perimeter GW's. We have had PAN in our midst for a year and one half. We have had some majore learning issues, but our initial policies were based on app (Category) criteria. Out of the shut came gaming...cut it. Second was (sub category) type - which was file-sharing...cut it (we can make one off decisions about each case later). Third went the "technology" group...equating to peer-to-peer. I really did not want to see any of the p2p that had been working long before PAN to continue. The next day after implementing this....wow, HR tickets rose through the roof. I told HR prior...just route then to me directly. With policy "acceptable use" in hand...I took them on one by by one. No one to date, has come up with a viable defense against said policy. Policy enception date was July 1994.

Can I take my ASA rule set and convert them? IF I know what it is (back end programs) that is attempting to be converted? I have yet to find ONE Cisco SE who can weight in on this matter. How come Cisco has not acquired this company and made it a part of their security division? Layer 7 for most of us is a hindrance. Where are we to go to? Above the nexxus 7K(Cicso propietary) this is by far the best technology leap i've seen over the last 10 years. Join in and see why PAN can revolutionize your perimeter network. I am not a paid spokesman. Their technology is by far the best thing I've seen since heirachy. Don't believe me? I've been in this industry for over 16 years. I love my Cisco firewalls...they are unhampered. However, when it comes to IDS....even with AIP modules for the ASA, at best it's cludgy. PAN however, looks into the packet much like NetGen does. It gives you insight into what comes and goes, even if it's encrypted.

Encrypted did he say? YES. They have the ability to decrypt on the fly. AWESOME!!!! Can I say anymore? One thing that you will note...learning your perimeter takes time...wiht this device (no matter how small or large you go...it will take time to "learn" your environment.

Re: Thinking of policy PAN-style (instead of Cisco-style)

jblum_2 — Thu, 17 Mar 2011 20:18:41 GMT

My first step in a mid-sized conversion from another firewall (PIX/ASA/Sonicwall) is to put the new PA's in monitor mode on both the inside and outside interfaces for 2-3 days. Then, I evaluate the inbound flows by filtering for each previosly allowed inbound port to see what applications are running over them. I'll add a rule for each, so that 95% of inbound connectivity should work right away. I'll also find the 20-30 most common outbound applications and add them as well to the base configuration. This way, when you first turn on the PA, you have a very good baseline for what should be running. As far as typical categories for outbound connectivity, I do the following:

Create base Application Filters:

Updates

Proxies

Peer2Peer (encrypted-tunnel, file-sharing) for peer-to-peer

Games

SocialNetworking

Audio-Streaming

Video-Streaming

Application Groups:

KnownGood

web-browsing
ssl
ftp
ping
ntp
dns
flash

MS-Networking (for inter-zone traffic as needed later)

netbios-dg
netbios-ss
ms-ds-smb

GoogleApps

google-analytics
google-calendar
google-docs
google-toolbar
google-translate

Base Policies would be

Allow-SMTP-Outbound (mail server only)

Deny-SMTP-All (everyone else SMTP on any port)

Deny-KnownBad (Proxies, Peer2Peer)

Deny-HighBandwidth (Audio-Streaming,Video-Streaming)

Deny-BusinessInappropriate (Games, SocialNetworking)

Allow-Unrestricted (flexnet-installanywhere, soap, ocsp, Updates)

Allow-ByUserGroup (sharepoint-base, silverlight, office-live, linkedin-base, citrix, gotomeeting, facebook-base, gmail-base, gmail-enterprise, citrix-jedi, yahoo-toolbar, netsuite, KnownGood, GoogleApps)

Allow-All (but just temporarily)

Cleanup-Rule to deny all others and log

This covers most of the business needs, and you modify from there. I even built a base template with everything above (and a lot more), and use that when deploying new customer firewalls.

Re: Thinking of policy PAN-style (instead of Cisco-style)

gmoerschel — Wed, 23 Mar 2011 19:52:19 GMT

Very nice. I like the structure. Care to share that base template? Thanks

Re: Thinking of policy PAN-style (instead of Cisco-style)

LCMember1607 — Thu, 24 Mar 2011 12:03:50 GMT

Would be very helpful.

Thanks.

Re: Thinking of policy PAN-style (instead of Cisco-style)

bill.young — Fri, 10 Aug 2012 14:50:28 GMT

Grant: Did you find anything? Can you share? I'm a new user having the same issue with building a policy from scratch.

Thanks,

Bill

Re: Thinking of policy PAN-style (instead of Cisco-style)

gmoerschel — Fri, 10 Aug 2012 18:59:14 GMT

If you check out jblum.2's answer higher in the thread, that is the way I do it.

Re: Thinking of policy PAN-style (instead of Cisco-style)

bill.young — Fri, 10 Aug 2012 20:54:51 GMT

Grant,

Do you know if jblum ever shared the base template he talks about? I sent him a message but didn't get a response yet.

Bill

Re: Thinking of policy PAN-style (instead of Cisco-style)

Quinton — Wed, 12 Sep 2012 19:06:20 GMT

Very nice. You could also add "encrypted tunnels" to your block application filter. Another nice application filter is to create an app filter that only contains browser based applications. Restricts general user internet access only to browser based applications and not any of the client server or network protocol applications.