This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Application-based DoS capabilities?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Application-based DoS capabilities?

mmartin
L1 Bithead

‎03-30-2012 02:19 PM

I am seeing several atempts by the same IP address utilizing t.120 to connect via port 3389 to the various Windows Servers that I have with external IP addresses (and, yes, some are actual Terminal Servers).  I would love to be able to configure a threshold of denying this type of activity via the application with an activity threshold similar to the DoS Protection policies. 

Is that feature available?  Will it be available in future releases?

Attached files shows the Threat log entries of similar entries that I see all of the time.  The IP's have been partially erased to mask the identity of the guilty party and victim.  Smiley Wink

Preview file
51 KB
0 Likes Likes
3 REPLIES 3

mikand
L6 Presenter

‎03-30-2012 02:27 PM

I assume that you have already setup the "service" part for each security rule so it will only allow the ip and port which is expected and then the appid is applied to only allow correct application through that port?

I mean so you dont use "service:any" for all your rules?

This way only legitime clients can use legitime ports on legitime servers using legitime application Smiley Happy

Which also gives that if a non authorized client attempts to connect their attempt will simply be denied (and logged if you enable logging of denied connections).

0 Likes Likes

mmartin
L1 Bithead
In response to mikand

‎03-30-2012 02:35 PM

My problem with that is that the servers in question are for our remote sales force that may be appearing from any IP address.  I have not had any luck getting the VP of Sales to let me place VPN on the sales laptops.

0 Likes Likes

mikand
L6 Presenter
In response to mmartin

‎03-30-2012 03:00 PM

Yeah that was what first comes to mind... using RDP over Internet for sensitive data... are you nuts? :smileygrin:

VPN seems to be the proper way to handle this. Which will also include authentication of the client ip before it can even handshake a RDP session with the servers.

If im not mistaken there is a "free of charge" PA Globalprotect Client which you can enable in your PA device in order to use SSL-VPN (this free client is limited to only do the SSL VPN stuff - the other nifty stuff of Globalprotect is not included until you throw some money at PAN for a license).

Your sales person will point their browser to your PA ip address (or dns entry pointing to your ip) and after login they will have a javabased SSL running between their box and your PA. Then they will be able to (through the VPN tunnel) access your RDP servers.

A hint here (even if it will cost some more money) is to integrate the authentication stuff with some sort of OTP solution. Nordic-Edge (among others) have such solutions, look here for a video explaining of how it works: http://nordicedge.se/2010/06/11/palo-alto-networks-integration-till-nordic-edge-one-time-password-se...

0 Likes Likes
  • 2775 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks