Idea to use Palo Alto for IDS replacement

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Idea to use Palo Alto for IDS replacement

L3 Networker

I have a idea to use the Palo Alto Firewall Vulnerability Protection Profile has a IDS sensor. 

Here is the idea I have what to run this by anyone. Also need help to know if this will work. 

 

Vulnerability
vulenerability Protection Profile
Create a Rule
Rule Name: IDS Test
Threat Name: any
Action: Alert
Host Type: ?
Category: brute-force, DOS, scan

create a zone for user pc and laptops

create a zone for all servers and equipment 

then assign that profile to these zones

 

Then using the logging from the palo alto to send it to a seim where you can setup a alert to be sent out correct people to look into this issue.

 

Questions

If a pc is scanning a bunch of other pc's will that create a alert? Reason I ask to see if this will work inside its own zone.

 

 

18 REPLIES 18

Cyber Elite
Cyber Elite

Hello,

In my experience, the answer is maybe. It all depends on if the traffic traverses the firewall between zones or interfaces. If you have two laptops on the same subnet, the firewall may not 'see' the traffic between them. Since the PAN's are limited on the number of 'zones', what we have done in tehe past is to use small subnets say a /29 and put the devices we wanted to protect in them, then we just wrote rules that applied to the /29 addresses. That way it wasnt a different zone, but it did traverse security policies so the traffic got scanned. 

 

Since you are dealing with client machines a small subnet may not work and depending on your topology, it maybe difficult to scan/sniff traffic between two machines on the same subnet/switch. While the PAN is a great border device, you might be better off using a client based solution?

 

Just a thought.

L6 Presenter

You didn't say how it will be connectred. Through 2 ports in Virtual wire? Then just assign diferent zone to each interface and all traffic passing through PA will be checked as requested by your security profiles.

 

And you don't assign security profile (like IPS) to a zone, you assign it to a rule.

@santonic has the right answer as far as a new design standpoint goes. I would really question the PA's ability to fully replace a dedicated IDS though. As good of a job as the PA does, IDS is not it's primary focus and therefore it likely isn't going to work as well as a dedicated IDS that you may already have in place. 

As far as IPS for server protection is concerned I agree that dedicated IPS can do a better job, especialy for fine tuning policies and signatures. 

For client side IPS protection PA does a great job, i would prefer it over dedicated IPS solutions.

 

 

We have been using a Palo Alto as an IDS sensor for about 5 years now.  We also have Sourcefire running along side of it.  They are both fed span and tap data from various locations.  I can honestly say that the PA does a pretty good job at identifying informational type traffic as well as critical threats.  We probably have gained more value out of the PA than Sourcefire.

Well current setup on the Palo Alto do not alert on someone scanning inside the network. 

If I scan across zones no alert there as well, does not show up in the threat logging either. 
I did a test run on that nothing happen. 

 

Can you provide more infomation on your idea using 2 ports in Virtual wire?

 

Well trying to use the PAN's so we can get rid of the old IDS that will not work with the upgrade core devices. 

Can you recommend a good IDS that will work with IP addresses instead of VLANS? 

Jambulo how do you get the alerts to let you know if something is happen when you are not able to look at the screen for this traffic?

Based on your original question, you need to provide more information on what you are attempting to do and how your network is configured.

 

As someone else briefly pointed out, a lot of this depends on your logical network configuration. Unless you are using the Palo Alto as a layer 2 switch, the inherent problem is this:

 

Say you have 2 computers, one with an IP of 192.168.0.100/24  and another with an IP of 192.168.0.200/24. Under most network configurations, the Palo Alto will never see these two computers talking to each other because they are on the same subnet and so they will not pass through the gateway IP. This is a general issue that affects all networking and lends itself to the concept of microsegmentation. From a security perspective, this means that if one PC is compromised, the only line of defense preventing it from attacking other PCs on the same network are host-based firewalls/IPS. Microsegmentation, on the other hand, will ensure that the Palo Alto sees all traffic between nodes, but this is only possible in virtual environments, such as NSX and Azure (and potentially others).

 

An IDS could be possible even in these environments by using a tap on the switch level (again, this all depends on your network configuration), but not sure PA a practical answer,

 

So you will almost never be able to fully guard the network, so you have to reduce the attack surface by classifying, identifying and protecting critical assets.

 

As for getting alerts, traditionally you would set up a log forwarding profile and send the logs to a SIEM device which can be configured to respond to certain events with alerts, etc.

@AdamCoombs

If configured and connected correctly PA will detect scanning (TCP port scan, UDP port scan, service sweeps, sercurity scans...).

Please provide us basic network diagram and PA position. Then we can help you set it up properly.

 

 

Well the standard setup 

Core 6500 series that connects firewall, IDS sensor, etc...

Palo Alto has different zones for internal for different services and external zones as well.

Palo Alto L3 interfaces and sub-interfaces 

 

New setup Idea nexus 9000 with ACI

Palo Alto no changes 

since ACI does not does support SPAN or RSPAN which is use for the IDS sensor. 

 

 

If PA is in L3 mode then it will see only traffic travelling between networks configured on that FW.

Local traffic within same broadcast domain will never reach FW. You would need SPAN/TAP ports for that.

 

santonic

Span option is not going to be a option in the new upgrade, only L3 is going to be a option.

 

@AdamCoombsWe have all of the Palo Alto logs syslogging to our SIEM.  In our SIEM, we have created rules to fire off an email alert and/or generate an "offense" based on what is in the syslog payload.

@jambulo

The problem in this case is getting the traffic to the PA first. PA can do a great job analysing the traffic it sees.

  • 6660 Views
  • 18 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!