topic Re: WildFire - Confidentiality Concerns? in General Topics

WildFire - Confidentiality Concerns?

networkadmin — Thu, 19 Jun 2014 16:00:50 GMT

I'm interested in 6.0 mainly for the Wildfire improvements as it can now process PDF and Office documents.

I've read the PDF on how Palo Alto handle file security, I guess I'm interested in peoples "comfort levels" at submitting documents which are potentially confidential in nature to something like WildFire.

At some point it's basically a judgement call - love to know which way you've called it and why

Re: WildFire - Confidentiality Concerns?

HULK — Thu, 19 Jun 2014 16:16:56 GMT

Hello Networkadmin,

The PAN firewall will not send the actual file to the Wildfire cloud, instead , it will calculate the MD5 hash of the file and send to wildfire to analysis. Hence, there is no risk factor from "confidentiality" point of view.

For more detail info, please refer WildFire Administrator's Guide 6.0 (English) ---- Page No-6 (How Does WildFire Work?)

Thanks

Re: WildFire - Confidentiality Concerns?

networkadmin — Thu, 19 Jun 2014 16:22:50 GMT

But surely as with executables if it hasn't been seen it will upload it to check?

Re: WildFire - Confidentiality Concerns?

networkadmin — Thu, 19 Jun 2014 16:33:12 GMT

Well it has to upload it to test it if the checksum returns unknown surely? That's how it works with executables so I'm assuming the process would be the same with Office docs and PDFs else how can it test stuff it hasn't seen?

Re: WildFire - Confidentiality Concerns?

kfindlen — Thu, 19 Jun 2014 16:35:08 GMT

This is not correct. The file will be uploaded to the WildFire service if the MD5/SHA256 hash has not been previously analyzed. The process is the same for all supported file types.

Re: WildFire - Confidentiality Concerns?

gafrol — Thu, 19 Jun 2014 16:35:38 GMT

Whenever a file is transferred over a session that matches the security rule, the firewall

performs a file hash check with WildFire to see if the file has been previously analyzed. If the file is new, it is

forwarded for analyses, even if it is contained within a ZIP file or over compressed HTTP

From the WF Admin Guide. The file will be transferred to the WF Cloud if it has not seen before by WF.

Re: WildFire - Confidentiality Concerns?

jvalentine — Thu, 19 Jun 2014 16:41:18 GMT

The hash is used to determine whether or not the entire file needs to be sent for analysis. If the WildFire cloud already has a copy of the file - other firewalls don't need to send additional copies, consuming bandwidth and processing power. However, if the WildFire cloud has not yet seen the file, then your firewall (if configured) will forward the entire file to the cloud for full analysis/detonation.

For customers concerned with security/privacy, here are some of the options:

- Read Palo Alto Networks privacy and security statement concerning file retention & security measures taken in the WildFire Cloud

- Limit the files to be analyzed, ie: internally generated PDF files going out to the Internet do not get analyzed, but any file coming from the Internet into the environment are sent to WildFire.

- Use the WF-500 as a "private WildFire cloud" If you have a WF-500, all of the analysis occurs in your own environment. Further, you have the option of sharing nothing with Palo Alto Networks, or only the files with a "malicious" verdict.

Re: WildFire - Confidentiality Concerns?

networkadmin — Thu, 19 Jun 2014 16:48:10 GMT

Yes I've certainly read that guide, it wasn't so much a black and white "What do Palo Alto do?" question, rather that I wanted to check peoples comfort levels/paranoia about what is submitted.

Re: WildFire - Confidentiality Concerns?

Rick_Rutherford — Thu, 19 Jun 2014 18:00:08 GMT

I'm working in the National Cancer Institute, and we must, by law, prevent the transfer any file with "protected health information" in it.

Since we can't know beforehand which file might possibly contain protected health information, we have to prohibit the transfer of any file to the WildFire cloud.

Re: WildFire - Confidentiality Concerns?

pulukas — Thu, 19 Jun 2014 22:17:37 GMT

Being subject to restrictions in both PCI and PHI handling, we also are looking to test deploy of the internal WF-500.

Basic Wildfire shipping of executable is no issue. But the document formats pose too much of a compliance risk to automatically ship off-site.

Re: WildFire - Confidentiality Concerns?

HITSSEC — Fri, 20 Jun 2014 13:14:25 GMT

We would normally be more interested in the office and pdf documents coming down from public web sites or being sent inbound via email. In both cases there should not be confidential info. We have secure file transfer technologies for the secure transmission of documents so anyone sending confidential info inbound via standard email is in violation of policy. You could selectively not forward those potentially sensitive documents if the communication was internal (and crossing a firewall boundry). The other option is the WF-500 as mentioned above.

Phil