Best practice for blacklisting App-IDs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Best practice for blacklisting App-IDs

L4 Transporter

What is the best practice for blacklisting potentially harmful Application ID's(from "trust" to "untrust" over 80/443)?

 

I started blocking on specific App-ID's, but maintaining this blacklist per App-ID will be kind of cumbersome.

 

I'm thinking about using Application Filters to block based on Application subcategory.  The only issue here is if I wanted to block say the "encrypted-tunnel", it will block common applications like "ssl".

4 REPLIES 4

L4 Transporter

Hi jambulo,

 

Ideally you would want to allow only the applications you want in your network, everything else will fall down to the default interzone rule and be denied. If you implement decryption then you'll have better visibility on the 443 SSL applications.

 

hope this helps,

Ben

When allowing your users out to the internet, are you specifying each App-ID that they can use? Or do you allow anything on 80/443, then block the known bad App-IDs?

 

Ideally, it would be nice to specify each App-ID allowed out to the internet, but that would be a management nightmare.

Given that Palo can classify over 2400 applications it seems you'd be better off "Whitelsiting" applications versus trying to blacklist them.

I think you have a good grasp of the issues with both approaches.

 

The whitelist only that which is allowed does can be difficult to implement the first time.  This is especially true on a large or diverse user base.  Finding out all the allowed applications and getting them onto the white list can take time.  And in the process impede productivity and generate anger at IT in the user base along with a lot of help desk tickets.  But companies use this approach because it will give them the best protection and visibility in the long run.  And once the white list is finalized there are fewer hours spent because the policies are well known by this point and only need to change with new application needs.

 

The blacklist approach gives you a quick start to stopping the higher risk behavior.  But as you note this can also be a permanent work load basically never ends.  You have to keep up to date and review the new applications even after you have done the first task of choosing amoung the thousands of apps which to block.

 

Basically every company has to choose the appoarch that will work best for their situation.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 3711 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!