Thinking of policy PAN-style (instead of Cisco-style)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Thinking of policy PAN-style (instead of Cisco-style)

Not applicable

Is there a document or recommended approach that has been written down that provides a starting point for people building a policy from scratch or when converting from a legacy firewall?  I'm referring to recommended approaches for building policy based on least privilege for apps instead of port and protocol. For example, let's say you place apps into 2 or 3 categories such as OK, maybe, and definitely not. Then as apps are identified flowing through they can be placed into the OK category if they are needed by the business. Someone in the past must have grouped the top 10 or 15 legitimate biz apps together into a chunk then implemented as a policy line.

Essentially I'm looking for a doc that is entitled something like, "Building policy PAN style when you're used to Cisco ASA (or Juniper or checkpoint)."

Thanks

1 accepted solution

Accepted Solutions

Not applicable

My first step in a mid-sized conversion from another firewall (PIX/ASA/Sonicwall) is to put the new PA's in monitor mode on both the inside and outside interfaces for 2-3 days.  Then, I evaluate the inbound flows by filtering for each previosly allowed inbound port to see what applications are running over them.  I'll add a rule for each, so that 95% of inbound connectivity should work right away.  I'll also find the 20-30 most common outbound applications and add them as well to the base configuration.  This way, when you first turn on the PA, you have a very good baseline for what should be running.  As far as typical categories for outbound connectivity, I do the following:

Create base Application Filters:

Updates

Proxies

Peer2Peer (encrypted-tunnel, file-sharing) for peer-to-peer

Games

SocialNetworking

Audio-Streaming

Video-Streaming

Application Groups:

KnownGood

  • web-browsing
  • ssl
  • ftp
  • ping
  • ntp
  • dns
  • flash

MS-Networking (for inter-zone traffic as needed later)

  • netbios-dg
  • netbios-ss
  • ms-ds-smb

GoogleApps

  • google-analytics
  • google-calendar
  • google-docs
  • google-toolbar
  • google-translate

Base Policies would be

Allow-SMTP-Outbound (mail server only)

Deny-SMTP-All (everyone else SMTP on any port)

Deny-KnownBad (Proxies, Peer2Peer)

Deny-HighBandwidth (Audio-Streaming,Video-Streaming)

Deny-BusinessInappropriate (Games, SocialNetworking)

Allow-Unrestricted (flexnet-installanywhere, soap, ocsp, Updates)

Allow-ByUserGroup (sharepoint-base, silverlight, office-live, linkedin-base, citrix, gotomeeting, facebook-base, gmail-base, gmail-enterprise, citrix-jedi, yahoo-toolbar, netsuite, KnownGood, GoogleApps)

Allow-All (but just temporarily)

Cleanup-Rule to deny all others and log

This covers most of the business needs, and you modify from there.  I even built a base template with everything above (and a lot more), and use that when deploying new customer firewalls.

View solution in original post

11 REPLIES 11

Not applicable

I would *really* like more discussion on this. For me it seems apples-to-oranges when comparing/migrating from anything to PAN.

L4 Transporter

We started out building port policies. Then after traffic was generated, we converted them to app rule.

+1 on that!

L0 Member

I love gmoerschel's  approach.  I am a large non-profit in a major arena (extremely high profile)...we too have Cisco ASA's as our perimeter GW's.  We have had PAN in our midst for a year and one half.  We have had some majore learning issues, but our initial policies were based on app (Category) criteria.  Out of the shut came gaming...cut it.  Second was  (sub category) type - which was file-sharing...cut it (we can make one off decisions about each case later). Third went the "technology" group...equating to peer-to-peer.  I really did not want to see any of the p2p that had been working long before PAN to continue.  The next day after implementing this....wow, HR tickets rose through the roof.  I told HR prior...just route then to me directly.  With policy "acceptable use" in hand...I took them on one by by one.  No one to date, has come up with a viable defense against said policy.  Policy enception date was July 1994.

Can I take my ASA rule set and convert them? IF I know what it is (back end programs) that is attempting to be converted?  I have yet to find ONE Cisco SE who can weight in on this matter.  How come Cisco has not acquired this company and made it a part of their security division?  Layer 7 for most of us is a hindrance.  Where are we to go to?  Above the nexxus 7K(Cicso propietary) this is by far the best technology leap i've seen over the last 10 years.  Join in and see why PAN can revolutionize your perimeter network. I am not a paid spokesman.  Their technology is by far the best thing I've seen since heirachy.  Don't believe me?  I've been in this industry for over 16 years.  I love my Cisco firewalls...they are unhampered.  However, when it comes to IDS....even with AIP modules for the ASA, at best it's cludgy.  PAN however, looks into the packet much like NetGen does.  It gives you insight into what comes and goes, even if it's encrypted. 

Encrypted did he say?  YES.  They have the ability to decrypt on the fly.  AWESOME!!!!  Can I say anymore?   One thing that you will note...learning your perimeter takes time...wiht this device (no matter how small or large you go...it will take time to "learn" your environment.

Not applicable

My first step in a mid-sized conversion from another firewall (PIX/ASA/Sonicwall) is to put the new PA's in monitor mode on both the inside and outside interfaces for 2-3 days.  Then, I evaluate the inbound flows by filtering for each previosly allowed inbound port to see what applications are running over them.  I'll add a rule for each, so that 95% of inbound connectivity should work right away.  I'll also find the 20-30 most common outbound applications and add them as well to the base configuration.  This way, when you first turn on the PA, you have a very good baseline for what should be running.  As far as typical categories for outbound connectivity, I do the following:

Create base Application Filters:

Updates

Proxies

Peer2Peer (encrypted-tunnel, file-sharing) for peer-to-peer

Games

SocialNetworking

Audio-Streaming

Video-Streaming

Application Groups:

KnownGood

  • web-browsing
  • ssl
  • ftp
  • ping
  • ntp
  • dns
  • flash

MS-Networking (for inter-zone traffic as needed later)

  • netbios-dg
  • netbios-ss
  • ms-ds-smb

GoogleApps

  • google-analytics
  • google-calendar
  • google-docs
  • google-toolbar
  • google-translate

Base Policies would be

Allow-SMTP-Outbound (mail server only)

Deny-SMTP-All (everyone else SMTP on any port)

Deny-KnownBad (Proxies, Peer2Peer)

Deny-HighBandwidth (Audio-Streaming,Video-Streaming)

Deny-BusinessInappropriate (Games, SocialNetworking)

Allow-Unrestricted (flexnet-installanywhere, soap, ocsp, Updates)

Allow-ByUserGroup (sharepoint-base, silverlight, office-live, linkedin-base, citrix, gotomeeting, facebook-base, gmail-base, gmail-enterprise, citrix-jedi, yahoo-toolbar, netsuite, KnownGood, GoogleApps)

Allow-All (but just temporarily)

Cleanup-Rule to deny all others and log

This covers most of the business needs, and you modify from there.  I even built a base template with everything above (and a lot more), and use that when deploying new customer firewalls.

Very nice. I like the structure. Care to share that base template?  Thanks

L3 Networker

Would be very helpful.

Thanks.

L0 Member

Grant: Did you find anything?  Can you share?  I'm a new user having the same issue with building a policy from scratch.

Thanks,

Bill

If you check out jblum.2's answer higher in the thread, that is the way I do it.

Grant,

Do you know if jblum ever shared the base template he talks about?  I sent him a message but didn't get a response yet.

Bill

Very nice. You could also add "encrypted tunnels" to your block application filter. Another nice application filter is to create an app filter that only contains browser based applications. Restricts general user internet access only to browser based applications and not any of the client server or network protocol applications.

browser based applications.PNG

  • 1 accepted solution
  • 7446 Views
  • 11 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!