Best practice for blacklisting App-IDs



L4 Transporter

What is the best practice for blacklisting potentially harmful Application IDs (from "trust" to "untrust" over 80/443)?

I started blocking on specific App-IDs, but maintaining this blacklist per App-ID will be kind of cumbersome.

I'm thinking about using Application Filters to block based on Application subcategory. The only issue here is that if I wanted to block, say, the "encrypted-tunnel" subcategory, it will block common applications like "ssl".


L4 Transporter

Hi jambulo,

 

Ideally you would want to allow only the applications you want in your network, everything else will fall down to the default interzone rule and be denied. If you implement decryption then you'll have better visibility on the 443 SSL applications.

 

hope this helps,

Ben

When allowing your users out to the internet, are you specifying each App-ID that they can use? Or do you allow anything on 80/443, then block the known bad App-IDs?

 

Ideally, it would be nice to specify each App-ID allowed out to the internet, but that would be a management nightmare.

Given that Palo can classify over 2400 applications, it seems you'd be better off "whitelisting" applications versus trying to blacklist them.

I think you have a good grasp of the issues with both approaches.

The whitelist approach (allow only that which is permitted) can be difficult to implement the first time. This is especially true on a large or diverse user base. Finding out all the allowed applications and getting them onto the whitelist can take time, and in the process it can impede productivity and generate anger at IT among the user base, along with a lot of help desk tickets. But companies use this approach because it will give them the best protection and visibility in the long run. And once the whitelist is finalized there are fewer hours spent, because the policies are well known by this point and only need to change with new application needs.

The blacklist approach gives you a quick start to stopping the higher-risk behavior. But as you note, this can also be a permanent workload that basically never ends. You have to keep up to date and review the new applications even after you have done the first task of choosing, among the thousands of apps, which to block.

Basically every company has to choose the approach that will work best for their situation.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
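To make the trade-off in the replies above concrete, here is an added example (not code from the thread or from Palo Alto Networks) that models a first-match PAN-OS style rulebase with the implicit interzone-default deny, and runs both approaches over a small constructed set of App-IDs. The category, subcategory and risk values are illustrative assumptions, not copied from the App-ID database, and the `exclude` field on the filter is a modelling shortcut: on a real firewall you would get the same effect by placing an explicit allow rule for the sanctioned App-IDs above the deny rule.

```python
"""Toy first-match rulebase evaluator for comparing an App-ID allow-list
against a subcategory-based deny-list (added example, not PAN-OS code)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    category: str
    subcategory: str
    risk: int  # 1 (low) .. 5 (high), the scale PAN-OS uses for App-ID risk


# Constructed sample of App-ID metadata; attribute values are illustrative.
APPS = {a.name: a for a in [
    App("web-browsing", "general-internet", "internet-utility", 4),
    App("ssl",          "networking",       "encrypted-tunnel", 4),
    App("ssh",          "networking",       "encrypted-tunnel", 4),
    App("tor",          "networking",       "encrypted-tunnel", 5),
    App("ultrasurf",    "networking",       "encrypted-tunnel", 5),
    App("dns",          "networking",       "infrastructure",   3),
]}


@dataclass
class AppFilter:
    """Models an Application Filter: match on subcategory and/or minimum risk.
    `exclude` is a modelling shortcut so 'encrypted-tunnel' need not also catch 'ssl'."""
    subcategory: str | None = None
    min_risk: int = 1
    exclude: frozenset[str] = frozenset()

    def matches(self, app: App) -> bool:
        if app.name in self.exclude:
            return False
        if self.subcategory is not None and app.subcategory != self.subcategory:
            return False
        return app.risk >= self.min_risk


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                          # "allow" or "deny"
    apps: frozenset[str] = frozenset()   # explicit App-IDs
    app_filter: AppFilter | None = None  # or a dynamic filter

    def matches(self, src: str, dst: str, app: App) -> bool:
        if (src, dst) != (self.src_zone, self.dst_zone):
            return False
        if app.name in self.apps:
            return True
        return self.app_filter is not None and self.app_filter.matches(app)


def evaluate(rulebase: list[Rule], src: str, dst: str, app_name: str) -> tuple[str, str]:
    """First matching rule wins. Traffic matching nothing hits the implicit
    defaults: interzone-default denies, intrazone-default allows."""
    app = APPS[app_name]
    for rule in rulebase:
        if rule.matches(src, dst, app):
            return rule.action, rule.name
    if src == dst:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


# Approach 1: allow-list. Only the named App-IDs leave "trust"; everything else
# (including ssh, which nobody thought about) falls to interzone-default deny.
ALLOWLIST = [
    Rule("allow-web", "trust", "untrust", "allow",
         apps=frozenset({"web-browsing", "ssl", "dns"})),
]

# Approach 2: deny-list by subcategory. A bare 'encrypted-tunnel' filter would
# also block ssl; carving out the sanctioned apps keeps the filter usable, but
# anything not on the deny-list (ssh here) is allowed by the catch-all rule.
DENYLIST = [
    Rule("block-tunnels", "trust", "untrust", "deny",
         app_filter=AppFilter(subcategory="encrypted-tunnel",
                              exclude=frozenset({"ssl", "ssh"}))),
    Rule("allow-rest", "trust", "untrust", "allow", app_filter=AppFilter()),
]


def compare(rulebase: list[Rule], app_names: tuple[str, ...] = tuple(APPS)) -> dict[str, str]:
    """Verdict per App-ID for trust -> untrust traffic under the given rulebase."""
    return {name: evaluate(rulebase, "trust", "untrust", name)[0] for name in app_names}


if __name__ == "__main__":
    for label, rb in (("allow-list", ALLOWLIST), ("deny-list", DENYLIST)):
        print(label, compare(rb))
```

Running it shows the difference the replies describe: under the allow-list, `ssh`, `tor` and `ultrasurf` all land on `interzone-default` and are denied without anyone having listed them; under the deny-list, the same `ssh` is allowed by the catch-all because it was carved out of the filter. One property worth keeping in mind in favour of filters on a real firewall is that an Application Filter is dynamic, so new App-IDs that match its subcategory and risk are picked up automatically after a content update, which takes some of the ongoing review work out of the deny-list approach.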