01-04-2011 05:26 AM
Is there a document or recommended approach that has been written down that provides a starting point for people building a policy from scratch or when converting from a legacy firewall? I'm referring to recommended approaches for building policy based on least privilege for apps instead of port and protocol. For example, let's say you place apps into 2 or 3 categories such as OK, maybe, and definitely not. Then as apps are identified flowing through they can be placed into the OK category if they are needed by the business. Someone in the past must have grouped the top 10 or 15 legitimate biz apps together into a chunk then implemented as a policy line.
Essentially I'm looking for a doc that is entitled something like, "Building policy PAN style when you're used to Cisco ASA (or Juniper or checkpoint)."
Thanks
03-17-2011 01:18 PM
My first step in a mid-sized conversion from another firewall (PIX/ASA/Sonicwall) is to put the new PA's in monitor mode on both the inside and outside interfaces for 2-3 days. Then, I evaluate the inbound flows by filtering for each previously allowed inbound port to see what applications are running over them. I'll add a rule for each, so that 95% of inbound connectivity should work right away. I'll also find the 20-30 most common outbound applications and add them as well to the base configuration. This way, when you first turn on the PA, you have a very good baseline for what should be running. As far as typical categories for outbound connectivity, I do the following:
Create base Application Filters:
Peer2Peer (encrypted-tunnel, file-sharing) for peer-to-peer
SocialNetworking
Audio-Streaming
Video-Streaming
Application Groups:
MS-Networking (for inter-zone traffic as needed later)
Base Policies would be
Allow-SMTP-Outbound (mail server only)
Deny-SMTP-All (everyone else SMTP on any port)
Deny-KnownBad (Proxies, Peer2Peer)
Deny-HighBandwidth (Audio-Streaming,Video-Streaming)
Deny-BusinessInappropriate (Games, SocialNetworking)
Allow-Unrestricted (flexnet-installanywhere, soap, ocsp, Updates)
Allow-ByUserGroup (sharepoint-base, silverlight, office-live, linkedin-base, citrix, gotomeeting, facebook-base, gmail-base, gmail-enterprise, citrix-jedi, yahoo-toolbar, netsuite, KnownGood, GoogleApps)
Allow-All (but just temporarily)
Cleanup-Rule to deny all others and log
This covers most of the business needs, and you modify from there. I even built a base template with everything above (and a lot more), and use that when deploying new customer firewalls.
02-01-2011 06:11 PM
I would *really* like more discussion on this. For me it seems apples-to-oranges when comparing/migrating from anything to PAN.
02-22-2011 11:12 AM
We started out building port policies. Then after traffic was generated, we converted them to app rules.
03-08-2011 07:19 AM
I love gmoerschel's approach. I am a large non-profit in a major arena (extremely high profile)...we too have Cisco ASA's as our perimeter GW's. We have had PAN in our midst for a year and one half. We have had some major learning issues, but our initial policies were based on app (Category) criteria. Out of the chute came gaming...cut it. Second was (sub category) type - which was file-sharing...cut it (we can make one off decisions about each case later). Third went the "technology" group...equating to peer-to-peer. I really did not want to see any of the p2p that had been working long before PAN to continue. The next day after implementing this....wow, HR tickets rose through the roof. I told HR prior...just route them to me directly. With policy "acceptable use" in hand...I took them on one by one. No one to date has come up with a viable defense against said policy. Policy inception date was July 1994.
Can I take my ASA rule set and convert them? IF I know what it is (back end programs) that is attempting to be converted? I have yet to find ONE Cisco SE who can weigh in on this matter. How come Cisco has not acquired this company and made it a part of their security division? Layer 7 for most of us is a hindrance. Where are we to go to? Above the Nexus 7K (Cisco proprietary) this is by far the best technology leap I've seen over the last 10 years. Join in and see why PAN can revolutionize your perimeter network. I am not a paid spokesman. Their technology is by far the best thing I've seen since hierarchy. Don't believe me? I've been in this industry for over 16 years. I love my Cisco firewalls...they are unhampered. However, when it comes to IDS....even with AIP modules for the ASA, at best it's kludgy. PAN however, looks into the packet much like NetGen does. It gives you insight into what comes and goes, even if it's encrypted.
Encrypted did he say? YES. They have the ability to decrypt on the fly. AWESOME!!!! Can I say any more? One thing that you will note...learning your perimeter takes time...with this device (no matter how small or large you go) it will take time to "learn" your environment.
03-23-2011 12:52 PM
Very nice. I like the structure. Care to share that base template? Thanks
03-24-2011 05:03 AM
Would be very helpful.
Thanks.
08-10-2012 07:50 AM
Grant: Did you find anything? Can you share? I'm a new user having the same issue with building a policy from scratch.
Thanks,
Bill
08-10-2012 11:59 AM
If you check out jblum.2's answer higher in the thread, that is the way I do it.
08-10-2012 01:54 PM
Grant,
Do you know if jblum ever shared the base template he talks about? I sent him a message but didn't get a response yet.
Bill
09-12-2012 12:06 PM
Very nice. You could also add "encrypted tunnels" to your block application filter. Another nice application filter is to create an app filter that only contains browser based applications. This restricts general user internet access to browser based applications only and not any of the client server or network protocol applications.