Custom Application ports secure at Layer 7?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Custom Application ports secure at Layer 7?

L4 Transporter

Hi folks,

 

We have created an Application override and custom Application for SIP and RTP traffic.  We also have Security/NAT rules that allow only this application (ports 5060, 5061, and 6000-8000) access to an internal VM with public IP directly.

 

As I am still learning PA, wanted to ask.  Since we are using an Application (and override) that we created to open these ports, does PA still protect at the Application layer 7?

 

Will PA reject traffic from any other application to this server destination that may be using these same ports (maliciously)?

 

Application override policy rule.  Added ports 6000-8000.

SIP1.jpg

 

Application itself.  Added ports 6000-8000

SIP2.jpg

 

Security rule for Inbound SBC traffic.

pasbcrule.jpg

 

NAT rule for Inbound SBC traffic.

PAnatrule.jpg

1 accepted solution

Accepted Solutions

L4 Transporter

So there's a lot going on here, so please feel free to correct me on anything I may be misunderstanding here.

 

First and foremost, by using an application override policy, that traffic is now exempt from _both_ AppID and ContentID inspection. So yes, you lose layer 7 protection by using the application override policy. If it was strictly a custom App, it would still be subject to ContentID.

 

(ETA: I'm struggling to find the exact phrasing as such anywhere, but I am fairly confident this is the case. The closest I could find is this:

 

An application override with a custom application will prevent the session from being processed by the App-ID engine, which is a Layer-7 inspection. Instead it forces the firewall to handle the session as a regular stateful inspection firewall at Layer-4, and thereby saves application processing time.

 

from https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/app-id/manage-custom-or-unknown-appl... )

 

 

Second, barring being more specific with source/destination, any traffic using those UDP ports will be automatically identified as the app and subsequently not inspected.

 

So you need to be very careful about this.

 

A custom App is the best approach. If you can correctly identify signatures in the traffic so the PA can reliably identify it as your custom app, you will have full protection.

--
CCNA Security, PCNSE7

View solution in original post

12 REPLIES 12

L6 Presenter

These two articles are a good start. PA will not use an app-id scanner for any override application. Your app simply will be identified based on matching UDP port (you told PA identify your app based on layer 4 TCP/UDP ports by creating app override rule). Your security profiles l believe still will take an action on allow traffic. 

L4 Transporter

So there's a lot going on here, so please feel free to correct me on anything I may be misunderstanding here.

 

First and foremost, by using an application override policy, that traffic is now exempt from _both_ AppID and ContentID inspection. So yes, you lose layer 7 protection by using the application override policy. If it was strictly a custom App, it would still be subject to ContentID.

 

(ETA: I'm struggling to find the exact phrasing as such anywhere, but I am fairly confident this is the case. The closest I could find is this:

 

An application override with a custom application will prevent the session from being processed by the App-ID engine, which is a Layer-7 inspection. Instead it forces the firewall to handle the session as a regular stateful inspection firewall at Layer-4, and thereby saves application processing time.

 

from https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/app-id/manage-custom-or-unknown-appl... )

 

 

Second, barring being more specific with source/destination, any traffic using those UDP ports will be automatically identified as the app and subsequently not inspected.

 

So you need to be very careful about this.

 

A custom App is the best approach. If you can correctly identify signatures in the traffic so the PA can reliably identify it as your custom app, you will have full protection.

--
CCNA Security, PCNSE7

@bradk14 Good point regarding the security profiles. I must say l am not sure if security profiles actually taking an action with the policy override option or not. I can see you do have an option to use them while creating your custom app:

 

APP.PNG

 

But when your traffic is matching the app override policy (your custom app) not sure if only app-id stops doing identification or as well as security profiles withing the normal policy also ignored.

As usual, thank you so much for your feedback, and so timely.

 

This Application and override was already in place when I arrived.

Based on feedback and my reading today, thinking of these questions now.

 

Why do we even have an Application override in this case?  Could we just use the custom Application we created?

 

Just to confirm, given the fact we are using an Application override, means that technically not as secure for these ports since there is no App-ID associated with it, correct?

 

If you guys have additional feedback would be appreciated.  Thanks again.

@TranceforLife_technically_ the security profiles would 'work' for an application override, but since there is no layer 7 inspection, they won't have any effect. it's like assigning security profiles to a deny policy (only it's being allowed).

 


Just to confirm, given the fact we are using an Application override, means that technically not as secure for these ports since there is no App-ID associated with it, correct?

 

 

@OMatlock

 

I believe it's worse than that. You are assigning an app to it, so if someone were to send syslog over 7000 for example, it would become BroadVoice-SIP and be sent to the fastpath. So there's a trickle down effect in that logs would be incorrect, as an example, your security policies may not be applied appropriately depending on their order, etc.

 

Absolutely the best course of action is always a custom app (without the override policy), but it's also the most challenging (but if it's already been done for you, then run with it). Actually the best course of action would be to submit a request to PA to create an app, but if it's inhouse or a standard app using non-standard ports, they won't be as inclined to to indulge the request.

--
CCNA Security, PCNSE7

So I imagine that your custom application is simply made so that you actually have an application to override *to*. Your custom app-id likely won't actually match the traffic by itself. Take a look at the signatures and maybe attempt to find out if your custom application will actually match traffic or not; if you have an application override policy in place then you likely actually don't have the app-id setup correctly. 

L6 Presenter

You all typing quicker than l do :0 Yeah my understanding is if you create a custom app, without actually putting any signatures etc, purely based on ports - your traffic will not match as app-id engine will try to identify the traffic and will look not only at the ports. 

Thank folks!

 

I am getting a better idea of how its working.

There are no signatures configured for this Custom Application. 

So I thinking that since an Application override was created this custom Application would not do App-ID processing.

Therefore, this traffic is not identified at Layer 7 and only doing Layer 4 processing.

 

Sounds like I would need to go through the process of reading traffic and creating signatures for the custom Application if we want it secure at Layer 7.

 

 

Last question(s) on this point.  🙂

 

Since we have rules that specifiy the source and destination IP addresses specifically for these ports and traffic, would that be our only exposure?

 

I mean, this path could only be compromised by the source IPs defined, correct?  Therefore limiting our exposure if we wanted to live with the Application override (and lack of Layer 7 inspection)?

yes, your security policy is your first line of defense and will restrict traffic accordingly.

 

--
CCNA Security, PCNSE7

@OMatlock to add to what @bradk14 said some admins that don't have experiance building application sigantures will use this as a work around, and depending on the security of the application and the subset of devices that are listed in the security policy application override is a perfectly acceptable process. 

If I created a custom application for everything our dev team whipped up then I would need at least two other people that were actually capable of creating signatures for everything. 

Thank you for that.  I think that is what happened here.  Instead of creating a signature, they created an override, which would therefore remove that traffic from App-ID processing.

  • 1 accepted solution
  • 5392 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!