Block privileged accounts from accessing the Internet

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Block privileged accounts from accessing the Internet

My company wants to block privileged accounts from accessing the internet on our servers using the Palo Alto firewalls.  My first thought was to allow certain apps like ms-update and things of that nature to allow the access then block http and https right under that rule, but I'm not sure that would work.  The company actually wants the privileged accounts blocked, not the server themselves.  Is there an easy solution on the Palo Alto firewalls for this?

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@M.Stephens269491,

It sounds like what you're asking for is the ability to block user traffic for that privileged account while still allowing the server to send out everything else it's doing unaffected from any block you implement for the user account correct? If that's correct, the firewall isn't smart enough to do that. User-ID mapping is a one-to-one relationship, the firewall can't identify whether traffic attempting to traverse the network was spawned by the privileged account or some other server process.There's other agent based products that could block network traffic at this level before it leaves the host, but it isn't something that you could setup on the firewall itself.

 

What I would generally recommend doing on servers is limiting traffic to required resources, especially to the internet. Broadly speaking, a server shouldn't have wide open access to the internet regardless of which user is identified on it from a user-id aspect. They should be profiled to determine what they need access to and only ever have access to those resources.

You can accomplish this on the firewall through setting up categories for web resources and only allowing them to the categories that they require. You can accomplish this through custom URL categories and limiting access from the server to the identified categories, and it becomes a lot easier if you setup some tags and grouping so that a "Windows-Server" would automatically have access to resources like Microsoft or SCCM for updating, while a "Ubuntu-Server" would have access to apt-get and "RedHat-Server" would get access to yum and so forth. This allows you to have broader rules to capture common traffic and more targeted rules for your servers specific to their dedicates access requirements.

 

What it sounds like you're being asked for takes a bit of time to actually accomplish and is something that really should be implemented system by system if you weren't previously doing it and don't want to break anything. You'll find a lot of traffic that needs to be allowed for systems to function properly that wouldn't directly be obvious if you don't stop and think about it carefully (IE: You'll need to allow OCSP traffic on mail nodes to check certificate status).

If you just create a rule to allow ms-update traffic and drop all other traffic for all of your servers you're likely going to break functionality in anything but the most basic environment. Depending on what you're actually after you'll either need to spend a lot of time to get setup properly with just your firewall, or spend a lot of time and money and get something on the endpoint that can identify what is actually sending the traffic on the endpoint.

View solution in original post

2 REPLIES 2

L5 Sessionator

You mean like using User-ID or something different?

Cyber Elite
Cyber Elite

@M.Stephens269491,

It sounds like what you're asking for is the ability to block user traffic for that privileged account while still allowing the server to send out everything else it's doing unaffected from any block you implement for the user account correct? If that's correct, the firewall isn't smart enough to do that. User-ID mapping is a one-to-one relationship, the firewall can't identify whether traffic attempting to traverse the network was spawned by the privileged account or some other server process.There's other agent based products that could block network traffic at this level before it leaves the host, but it isn't something that you could setup on the firewall itself.

 

What I would generally recommend doing on servers is limiting traffic to required resources, especially to the internet. Broadly speaking, a server shouldn't have wide open access to the internet regardless of which user is identified on it from a user-id aspect. They should be profiled to determine what they need access to and only ever have access to those resources.

You can accomplish this on the firewall through setting up categories for web resources and only allowing them to the categories that they require. You can accomplish this through custom URL categories and limiting access from the server to the identified categories, and it becomes a lot easier if you setup some tags and grouping so that a "Windows-Server" would automatically have access to resources like Microsoft or SCCM for updating, while a "Ubuntu-Server" would have access to apt-get and "RedHat-Server" would get access to yum and so forth. This allows you to have broader rules to capture common traffic and more targeted rules for your servers specific to their dedicates access requirements.

 

What it sounds like you're being asked for takes a bit of time to actually accomplish and is something that really should be implemented system by system if you weren't previously doing it and don't want to break anything. You'll find a lot of traffic that needs to be allowed for systems to function properly that wouldn't directly be obvious if you don't stop and think about it carefully (IE: You'll need to allow OCSP traffic on mail nodes to check certificate status).

If you just create a rule to allow ms-update traffic and drop all other traffic for all of your servers you're likely going to break functionality in anything but the most basic environment. Depending on what you're actually after you'll either need to spend a lot of time to get setup properly with just your firewall, or spend a lot of time and money and get something on the endpoint that can identify what is actually sending the traffic on the endpoint.

  • 1 accepted solution
  • 1249 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!