The Cloud Network Analyzer engine on Prisma Cloud helps determine the network exposure of your cloud assets and secure them from network threats by providing an end-to-end path analysis. At the time of this blog, the Network Analyzer is only supported for AWS environments; however, we are working on a release to support Azure environments as well. In this blog, we will go over some notable features of the network analyzer and network exposure, and ultimately how to perform an investigation and create custom network policies.
Figure 1: Network Analyzer
Legacy CSPM solutions generate alerts for any permissive or exposed cloud virtual firewall (such as an AWS security group), even if the security group is not attached to a compute instance, or if that compute instance is not actually exposed to the internet in the first place. That approach produced many false positives; with true network exposure evaluation, our goal is to mitigate those challenges.
The Cloud Network Analyzer engine takes a multi-dimensional approach to identifying overly exposed resources by providing:
The CNA engine correlates multiple data points, including routing path(s) and security policy configuration(s), using graph-based modeling, and then runs a complex calculation to evaluate the net effective action (ALLOW or DENY) for an IP packet from Source-A to Destination-B. The true network exposure evaluation is based on parsing the configuration of the resource(s) to determine all possible network paths. This is a key feature: because Prisma Cloud does not have to send actual traffic or read network logs in order to perform a network path analysis, the above process provides a more accurate result.
Figure 2: Network Analysis
Determining true Network exposure with end-to-end path analysis on Prisma Cloud can help your organization in significant ways.
Some of the significant use-cases Prisma Cloud can help you address are:
The ‘Network Config Analyzer’ engine calculates exposure using two main factors:
To investigate the true network exposure of a cloud resource, do the following steps:
Let's go through an example of a network exposure investigation query.
Figure 3: Network Exposure Investigation
Figure 4: Actions
Figure 5: Drill Down
Prisma Cloud offers a handful of out-of-the-box policies that you can use to get started with network exposure: head over to the Policies tab and set a filter for policy type "Network". Feel free to use these out-of-the-box policies, or you can always create a custom policy to build a new network exposure policy.
To create a custom network exposure policy:
config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Interface' and dest.cloud.type = 'AWS' and dest.tag = 'env=prod'
Once you have successfully created a policy, it will be available in the Policies tab as previously mentioned.
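As an added illustration (not Prisma Cloud code, and using constructed, hypothetical AWS identifiers), the following Python models the two dimensions the analyzer correlates, the routing path and the security-group policy, to compute the net effective action for a packet from the internet to an interface, and contrasts it with a legacy per-security-group check that fires on unattached or unreachable groups. The last function approximates what the tag-filtered custom policy query above asks for.

```python
INTERNET = "0.0.0.0/0"

# Constructed sample inventory with hypothetical IDs (not real AWS configuration).
SECURITY_GROUPS = {
    "sg-open":   [{"proto": "tcp", "port": 22, "cidr": "0.0.0.0/0"}],
    "sg-closed": [{"proto": "tcp", "port": 22, "cidr": "10.0.0.0/8"}],
    "sg-orphan": [{"proto": "tcp", "port": 3389, "cidr": "0.0.0.0/0"}],  # attached nowhere
}
SUBNETS = {  # route tables: only the public subnet has a default route to an IGW
    "subnet-public":  [{"dst": "0.0.0.0/0", "target": "igw-1"}],
    "subnet-private": [{"dst": "10.0.0.0/16", "target": "local"}],
}
INTERFACES = {
    "eni-a": {"subnet": "subnet-public",  "sgs": ["sg-open"],   "tags": {"env": "prod"}},
    "eni-b": {"subnet": "subnet-private", "sgs": ["sg-open"],   "tags": {"env": "prod"}},
    "eni-c": {"subnet": "subnet-public",  "sgs": ["sg-closed"], "tags": {"env": "prod"}},
}

def legacy_alerts():
    """Legacy CSPM check: flag every security group with a 0.0.0.0/0 inbound rule,
    whether or not it is attached to anything reachable from the internet."""
    return sorted(sg for sg, rules in SECURITY_GROUPS.items()
                  if any(r["cidr"] == INTERNET for r in rules))

def has_internet_route(subnet_id):
    """Routing dimension: does the subnet's route table send 0.0.0.0/0 to an IGW?"""
    return any(r["dst"] == INTERNET and r["target"].startswith("igw-")
               for r in SUBNETS[subnet_id])

def sg_allows_from_internet(sg_ids, proto, port):
    """Security-policy dimension: security groups are allow-only, so one matching
    rule on any attached group admits the packet."""
    return any(r["proto"] == proto and r["port"] == port and r["cidr"] == INTERNET
               for sg in sg_ids for r in SECURITY_GROUPS[sg])

def effective_action(eni_id, proto="tcp", port=22):
    """Net effective action for a packet from the internet to this interface:
    ALLOW only if the routing path AND the security policy both permit it."""
    eni = INTERFACES[eni_id]
    routed = has_internet_route(eni["subnet"])
    permitted = sg_allows_from_internet(eni["sgs"], proto, port)
    return "ALLOW" if routed and permitted else "DENY"

def exposed_interfaces(tag_key, tag_value, proto="tcp", port=22):
    """Interfaces carrying the tag whose effective action from the internet is ALLOW,
    i.e. the 'source.network = UNTRUST_INTERNET ... dest.tag' query in miniature."""
    return sorted(e for e, d in INTERFACES.items()
                  if d["tags"].get(tag_key) == tag_value
                  and effective_action(e, proto, port) == "ALLOW")
```

Running it shows the legacy check flagging two security groups (one of them attached to nothing), while the path-based evaluation reports only the one prod interface that is both routed to an internet gateway and permitted by its security group.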
Key Benefits of Network Exposure
Comprehensive Visibility
With Network Exposure utilizing the network analyzer, you can expect to spend less time combing through configurations and manually stitching together resource mappings to understand the cloud network. Prisma Cloud builds a complete network path to and from cloud resources to give you easy-to-understand visibility.
Easily identify open pathways that allow lateral movement across the cloud infrastructure and make informed security decisions that help you reduce the attack surface radius and partition the network.
Stop false positives and move away from alerts against single network points. Adopt a model that evaluates the network exposure of resources before generating an alert, giving you more accurate results.