WildFire - Confidentiality Concerns?

cancel
Showing results for 
Search instead for 
Did you mean: 

WildFire - Confidentiality Concerns?

L4 Transporter

I'm interested in 6.0 mainly for the Wildfire improvements as it can now process PDF and Office documents.

I've read the PDF on how Palo Alto handle file security, I guess I'm interested in peoples "comfort levels" at submitting documents which are potentially confidential in nature to something like WildFire.

At some point it's basically a judgement call - love to know which way you've called it and why :smileyhappy:

10 REPLIES 10

L7 Applicator

Hello Networkadmin,

The PAN firewall will not send the actual file to the Wildfire cloud, instead , it will calculate the MD5 hash of the file and send to wildfire to analysis. Hence, there is no risk factor from "confidentiality" point of view.

For more detail info, please refer WildFire Administrator's Guide 6.0 (English)  ---- Page No-6 (How Does WildFire Work?)

Thanks

But surely as with executables if it hasn't been seen it will upload it to check?

Well it has to upload it to test it if the checksum returns unknown surely?  That's how it works with executables so I'm assuming the process would be the same with Office docs and PDFs else how can it test stuff it hasn't seen?

This is not correct.  The file will be uploaded to the WildFire service if the MD5/SHA256 hash has not been previously analyzed.  The process is the same for all supported file types.

Whenever a file is transferred over a session that matches the security rule, the firewall

performs a file hash check with WildFire to see if the file has been previously analyzed. If the file is new, it is

forwarded for analyses, even if it is contained within a ZIP file or over compressed HTTP

From the WF Admin Guide. The file will be transferred to the WF Cloud  if it has not seen before by WF.

L7 Applicator

The hash is used to determine whether or not the entire file needs to be sent for analysis.  If the WildFire cloud already has a copy of the file - other firewalls don't need to send additional copies, consuming bandwidth and processing power.  However, if the WildFire cloud has not yet seen the file, then your firewall (if configured) will forward the entire file to the cloud for full analysis/detonation. 

For customers concerned with security/privacy, here are some of the options:

- Read Palo Alto Networks privacy and security statement concerning file retention & security measures taken in the WildFire Cloud

- Limit the files to be analyzed, ie: internally generated PDF files going out to the Internet do not get analyzed, but any file coming from the Internet into the environment are sent to WildFire.

- Use the WF-500 as a "private WildFire cloud"  If you have a WF-500, all of the analysis occurs in your own environment.  Further, you have the option of sharing nothing with Palo Alto Networks, or only the files with a "malicious" verdict. 

Yes I've certainly read that guide, it wasn't so much a black and white "What do Palo Alto do?" question, rather that I wanted to check peoples comfort levels/paranoia about what is submitted.

L1 Bithead

I'm working in the National Cancer Institute, and we must, by law, prevent the transfer any file with "protected health information" in it.

Since we can't know beforehand which file might possibly contain protected health information, we have to prohibit the transfer of any file to the WildFire cloud.

Being subject to restrictions in both PCI and PHI handling, we also are looking to test deploy of the internal WF-500.

Basic Wildfire shipping of executable is no issue.  But the document formats pose too much of a compliance risk to automatically ship off-site.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!