06-10-2011 03:39 PM
[SO] I'm putting together a configuration and I'm wondering if I'm doing any duplicate work that maybe some other PA customer has already done and may be willing to share. I'm creating service definitions that are IANA defined for example:
set service service-mstsc description "microsoft terminal services" protocol tcp port 3389
set service service-msds-smb description "Microsoft-DS SMB file sharing" protocol tcp port 445
set service service-ntp description "network time protocol" protocol udp port 123
set service service-ldap description "lightweight directory access protocol" protocol tcp port 389
set service service-ldaps description "secure lightweight directory access protocol" protocol tcp port 636
set service service-dns-udp description "domain name service udp" protocol udp port 53
set service service-dns-tcp description "domain name service tcp" protocol tcp port 53
set service service-sshd description "secure shell daemon" protocol tcp port 22
set service service-smtp description "simple mail transfer protocol" protocol tcp port 25
set service service-smtps description "secure simple mail transfer procotol" protocol tcp 465
set service service-kerb-auth description "kerberos authentication" protocol tcp 88
And as I type all of this out I can't help but wonder to myself..."Self, has someone else maybe already done this? Maybe there's a value in sharing resources like this with other users on the PA website..."
So, if no one else has done it, I'll do it, but I thought I'd toss the question out there to other engineers, have you guys done this before? Will you share?
Would you buy me beer if I make all the service definitions for you?
Feel free to chime in here.
Thanks!
06-12-2011 05:04 AM
Hi,
the most interesting question is: why would you have this traditional port based definitions? And why you don’t use the application definitions?
The art of PAN for this case is to use the application definitions in context with the "application default". This means, if you select for example the application "ssh", that the application default port (tcp 22) is open and the only allowed traffic is ssh. The application default ports are part of the application description.
Of cause you can have “any” in the service, this means that you can do ssh on any port. But on the other side, all tcp ports are open and if somebody did a tcp-syn scan to your DMZ servers, he or she can get more information than you would like. So I would recommend you to use always “application default” for rules granting access from the “outside” like the internet.
This is the way to get the value from PANs application inspection and reduces your efforts, because you don’t need to define the tcp services manually.
Best regards,
Florian
06-14-2011 12:29 PM
Not perfect but a fairly good reference.
http://media.packetlife.net/media/library/23/common_ports.pdf
06-14-2011 02:01 PM
I guess I would use the more traditional approach because I have worked on traditional firewalls in the past and a great deal of the rule base I'm seeing on the firewalls I'm trying to reconfigure are policies based on port and protocol. I will look more into the application definition, but as I understand it these are signature based, and protocol based correct?
SSH probably isn't the best example here, but Active Directory for example is, LDAP, LDAPs, KRB-AUTH, ICMP, DNS, etc
That can be defined as an "application" in the sense that I can group all of those protocols together to create an "active directory" application?
Is that what I should take from your post?
Edit-I just looked at "application definitions" and it seems that there isn't much difference between them and a service group...I mean unless you've applied a signature to the app def.
06-14-2011 03:23 PM
Hi,
keep in mind that PAN is a Next Generation Firewall, not a legacy firewall. PAN has a native (and you cannot disable it) application identification engine and everything is based on application definition, starting from security policy.
Services or service groups are objects based on port/protocol (just the header) not the payload, where PAN applies his signatures.
With this in your mind you don't have to take care of port or service. The only thing you need to know is the name of the application you want to control. For example, "active-directory" is a PAN application signature and you can (should) use it in your rulebase. You don't have to group protocolo you just have to think in terms of applications you already have on PAN DB. In addition to kerberos, msrpc and netbios applications is everything you need to control communication between clients and AD server.
Regards
06-14-2011 03:43 PM
Right, I see that I can leverage "application" within the rule sets, maybe I'm getting confused because if I define an application does service/service group/port/protocol (etc) within the policy become redundant?
Take for example, vmware view client-server connections (staying away from a definied application within the DB).
I have a number of ports/protocols that I need to allow in order for this service to work, and it should be accessed from a particular application, what is the method of going about configuring the firewall to allow a user to access this service?
If you ask vmware they will say open up 80,443,4172 (tcp/udp) -- assuming we're using a security server in between our client and infrastructure backend.
We'd expect the users to come from a view client of some sort.
Should I define a custom application? Should that custom application use services that I've configured (ports) or service groups that I've configured, along with some sort of signature in order to identify the traffic? So aren't those legacy service (port and protocol) definitions still valid? Which leads me to another thought, how do I define a custom signature?
I'm sure vmware view is a pretty popular application out there, does someone have a custom app for that? Is there a shared repository (that is validated/monitored/approved by PA) that I can download stuff from?
You'll have to forgive me, I'm still waiting on my class on these devices, which has now been rescheduled until July -_-
06-14-2011 04:00 PM
First of all, if in the PAN DB there is no application definition for your application you can:
- create a "custom application", including port and protocol used (optional), parent app (needed to decode the traffic. i.e parent app for some traffic across port 80 is web-browsing application) and, optionally, some signature context. Then, use this custom app in your rulebase or in application override section
- ask PAN an app-id request for that particula application
A trust repository of apps is, for sure, Applipedia on PAN site.
I suggest you start studing all the useful documentation you can find in the KP. Working with PAN is quite different than working with other legacy firewall 🙂
06-14-2011 11:47 PM
Hi Bjaming,
You would select "Application Default" in the Service column in this case.
Cheers,
Kelly
06-15-2011 05:33 AM
Hi,
here are some examples from my experience with migration a traditional rule base to PAN. Most services from traditional firewalls can be translated in the same application with application default. If one application is not working, look for this in the traffic monitor:
( addr.src in [client ip] ) and ( addr.dst in [server ip] ) and (action neq allow )
Here you can see if you need further applications or change the service from application-default to any.
For Active Directory to my domain controllers I have allowed the following applications from my clients and member servers:
For VMware I have seen the following apps between my vSphere client and the vCenter server:
So I would recommend you a rule like your vSphere clients to your vCenter server with applications ssl and web-browsing on any service.
In cases where I have no idea I create a rule with the client, server addresses, service any and application any. Then I monitor this rule. You can do this very easy by clicking on the application and change the ‘eq’ to ‘neq’. If you find no log entries anymore you have the list of needed applications. Enter these applications in a new rule before your monitoring rule and with service application-default. Verify your rule by controlling your monitoring rule, there should be no new entry anymore. If so you can delete the monitoring rule and you are ready.
Best regards,
Florian
06-15-2011 10:38 AM
I can certainly see the value of the monitor tab in the UI, it's very nice. What is troubling is the number of applications reported as "insufficient data" or "not applicable".
It would seem to me that VMWare View is a popular enough application that there should be some sort of signature for it (PcoIP, etc) and not just the ESX server heartbeat port (902). I guess it's just a learning curve I will have to deal with on this device. Hopefully the training course isn't delayed again.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
