Palo Alto Lab Guide Version 8.0
Part-5 Content-ID
Agenda
1. Brief on Anatomy of Attack
2. Configure and test an Antivirus Security Profile
3. URL Filtering
4. Configure and test a File Blocking Security Profile
5. Generate threats and observe the actions taken
6. Zone Protection
FLOW
SECURITY PROFILES
CONTENT-ID
Content Based Inspection
• Content can be the data carried in an IP packet.
• Content can also be inserted or malformed headers.
• So the entire content passing through the firewall is checked against the enabled content signatures.
• In content filtering, first priority is given to URL filtering in the security profile group.

What is a signature?
• A signature is built from the exploit code that attackers execute.
• To understand signatures we need to understand the anatomy of an attack.
• Let us take the example of a vulnerability.
• A vulnerability is a security weakness that hackers compromise by using exploits.
How is a vulnerability attack identified by the signatures present in the firewall?
• Let us take an example: you find a vulnerability in Microsoft Office, write a POC (Proof of Concept) and submit it to Microsoft.
• Microsoft asks you not to disclose the vulnerability until they have found a solution.
• Microsoft reproduces the POC and checks where the vulnerability is and what kind of vulnerability it is.
• Microsoft designs a solution, which we call a bug fix or patch.
• Once the patch is developed, is it possible to call each and every vendor and patch the vulnerability? The answer is no.
• So Microsoft approaches the NVD (National Vulnerability Database), which is maintained by US CERT (Computer Emergency Response Team): https://nvd.nist.gov/
• Microsoft informs the NVD that its product has a vulnerability and that this is the solution for it.
• The NVD provides the CVE (Common Vulnerabilities and Exposures) request web form at https://cveform.mitre.org/ . A CVE is a unique identity for each and every vulnerability.
• Microsoft fills in the form with information such as the type and number of vulnerabilities.
• Once the CVE is submitted and verified, a unique identity is generated, which can be checked at http://www.securityfocus.com/
• Exploits written by attackers can be found at https://www.exploit-db.com/ ; the patches or bug fixes for these exploits are designed as explained above.
• These exploits are turned into signatures, so that when such an attack occurs it matches the signature and is prevented.
Anomaly Based Detection:- A baseline is created from normal behaviour and access patterns; if any abnormal activity beyond that baseline is detected, it is flagged. This is called anomaly based detection.

Zero Day Vulnerability:- A vulnerability that has been identified but for which no solution has yet been designed is called a zero day vulnerability. Example:- A hacker finds a vulnerability in Microsoft Windows 10 and, instead of reporting it to Microsoft, sells it on the black market to damage the reputation. The site www.0day.today can be visited to see zero day vulnerabilities; such sites can only be browsed with the Tor browser and their addresses keep changing.

▪ A license is required for Content-ID signatures; all signatures are maintained in PAN-DB (Palo Alto Networks Database).
▪ 0-day Malware from WildFire:- WildFire is like a sandbox, a testing environment. If a suspicious packet arrives and is not identified by the PAN-DB signatures, it is sent to WildFire and executed in an isolated environment to observe how it behaves; based on that behaviour it is identified as malicious or not.
▪ If it is malicious, it is added to the signature database, and from the next time onward such a packet is directly handled with the defined action. If it is non-malicious, it is whitelisted and sent to the recipient.
Botnet:- A network of attacking machines that is maintained by a command and control server.
• Example:- If an attacker finds a vulnerable server, he will configure a BOT attack with a combination of multiple mechanisms such as:
I. Virus  II. Trojan  III. Rootkit  IV. Malware  V. Spyware  VI. Adware  VII. Ransomware  VIII. Worm  IX. Backdoor
I. Virus:- Self-replicating code; it creates unnecessary data. Example: under one folder, an .exe folder will be created. It does not corrupt the data. Like the I Love You virus.
II. Trojan:- A piece of code that sits in the system and gives remote access to hackers. To hide their identity, hackers get access to another PC and perform the attack from there. Like the Beast and ProRat Trojans.
III. Rootkit:- A rootkit is widely used to capture the boot process and login passwords; it sits in the registry and captures the entire boot process and login credentials. Like fakegina.dll.
IV. Malware:- Software that is specifically designed to corrupt data.
V. Spyware:- Spyware is software that spies on you, tracking your internet activities in order to send adware back to your system. Like the BPK keylogger.
VI. Adware/Grayware:- Software that displays advertisements.
VII. Ransomware:- If you see a screen that warns "you have been locked out of your computer until you pay" for your cybercrimes, your system is infected with ransomware.
VIII. Worm:- A program that replicates itself and destroys data and files on the computer. Worms work to "eat" the operating system files and data until the drive is empty.
IX. Backdoor:- Backdoors are much like Trojans, except that they open a backdoor onto a computer, providing a network connection for hackers or malware to enter. Like Netcat.
Palo Alto is designed to filter content for all of the above attacks.
Palo Alto Device registration for License: https://support.paloaltonetworks.com/UserAccount/PreRegister

After the device is registered with a license, all the Content-ID items will be visible here.

Content-ID settings
In Content-ID we will see Antivirus.
Configure and test an Antivirus Security Profile. Follow the steps:
I. Test that an HTTP/HTTPS based virus can pass through the firewall.
II. To prevent the virus, create an Antivirus Profile and apply it to the Security Policy Rule (LAN_TO_WAN).
III. Test that the firewall scans for viruses on traffic matching the security policy rule.

I. Test that an HTTP/HTTPS based virus can pass through the firewall

HTTP based virus downloaded
II. To prevent the virus, create an Antivirus Profile and apply it to the Security Policy Rule (LAN_TO_WAN).
Note:-
• A default Antivirus profile is predefined and could be used, but we are not going to use it.
• Create a custom Security Profile with the name LLK_ANTIVIRUS_PROFILE.
Apply the Antivirus Profile to the Security Policy Rule (LAN_TO_WAN).

III. Test that the firewall scans for viruses on traffic matching the security policy rule.
Note:-
• As of now HTTPS can't be tested because we haven't enabled the decryption engine.
• By default HTTPS packets will be bypassed.
• You can test by downloading an HTTPS based virus file.
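The same three steps typed at the firewall CLI instead of the GUI, as an added example that is not part of the original lab guide. It uses the names from the steps above (LLK_ANTIVIRUS_PROFILE, LAN_TO_WAN, TEST_PC), assumes the LAN_TO_WAN rule already exists and that the device is called PA-VM, and the `set` keywords are recalled from the PAN-OS 8.x CLI; confirm each one with `?` completion on your own device before committing.

```text
# Added example, not from the lab guide. Syntax recalled from PAN-OS 8.x; verify with "?".
# Step I happens before any profile is attached: the HTTP test file downloads successfully
# because the LAN_TO_WAN rule carries no Antivirus profile, so nothing is scanned.
admin@PA-VM> configure
# Step II: custom profile; one action per protocol decoder (reset-both tears down both sides)
admin@PA-VM# set profiles virus LLK_ANTIVIRUS_PROFILE decoder http action reset-both wildfire-action reset-both
admin@PA-VM# set profiles virus LLK_ANTIVIRUS_PROFILE decoder ftp action reset-both wildfire-action reset-both
admin@PA-VM# set profiles virus LLK_ANTIVIRUS_PROFILE decoder smtp action alert wildfire-action alert
# Attach the profile to the existing rule (GUI: rule > Actions > Profile Setting > Profiles)
admin@PA-VM# set rulebase security rules LAN_TO_WAN profile-setting profiles virus LLK_ANTIVIRUS_PROFILE
admin@PA-VM# commit
admin@PA-VM# exit
# Step III: download the test file again from TEST_PC, then look for the threat log entry.
# Only cleartext HTTP is inspected here; HTTPS stays bypassed until decryption is enabled.
admin@PA-VM> show log threat direction equal backward
```

The threat log entry for the second download is the evidence that step III succeeded; if it is missing, check that the rule the session actually hit is LAN_TO_WAN (the traffic log shows the rule name) and that the antivirus content package has been downloaded and installed on the VM.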
URL Filtering
Note:-
• To do URL Filtering, the application should be allowed in the Security Policy Rule.
• On the Palo Alto VM we don't have a license, so URL category filtering will not work.
• To block any web site we can create an override block list.
• www.youtube.com is Google based, which is already allowed in the application rule.
Task:-
• Browse and check that www.youtube.com opens.
• Create a URL override policy to block www.youtube.com.
• Apply the URL policy to the Security Policy Rule (LAN_TO_WAN).
• Verify that www.youtube.com is blocked.
Apply the URL Policy to the Security Policy Rule (LAN_TO_WAN).
Verify that www.youtube.com gets blocked.
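The override block list task above at the CLI, as an added example that is not part of the original lab guide. The profile name LLK_URL_PROFILE and the hostname PA-VM are assumed, LAN_TO_WAN is the rule from the task, and the keywords are recalled from the PAN-OS 8.x CLI (the block-list and allow-list overrides were moved into custom URL categories in later releases), so confirm them with `?` on your device.

```text
# Added example, not from the lab guide. Syntax recalled from PAN-OS 8.x; verify with "?".
admin@PA-VM> configure
# Override block list: matched before any PAN-DB category lookup, so it works on the
# unlicensed VM where category-based filtering does not.
admin@PA-VM# set profiles url-filtering LLK_URL_PROFILE block-list www.youtube.com
admin@PA-VM# set profiles url-filtering LLK_URL_PROFILE action block
# Attach to the rule that already allows the application
admin@PA-VM# set rulebase security rules LAN_TO_WAN profile-setting profiles url-filtering LLK_URL_PROFILE
admin@PA-VM# commit
admin@PA-VM# exit
# Browse from TEST_PC, then read the URL log; the entry records the URL and the block action
admin@PA-VM> show log url direction equal backward
```

Because www.youtube.com is served over HTTPS and decryption is not enabled in this lab, the browser will not receive the firewall's block page; the session is simply terminated and the URL log entry is the place to verify the block.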
Configure and test a File Blocking Security Profile
• Task: Block exe files while downloading/uploading.
• Follow the steps:
o Create a File Blocking Profile for exe
o Apply the File Blocking Profile to the Security Policy Rule (LAN_TO_WAN).
o Test downloading any exe file from TEST_PC
o Create a File Blocking Profile for exe
Apply the File Blocking Profile to the Security Policy Rule (LAN_TO_WAN).
Test downloading any exe file from TEST_PC
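The file blocking steps above at the CLI, as an added example that is not part of the original lab guide. The profile name BLOCK_EXE, the rule name block-exe inside it and the hostname PA-VM are assumed; LAN_TO_WAN and TEST_PC come from the task; the keywords are recalled from the PAN-OS 8.x CLI and should be confirmed with `?` on your device.

```text
# Added example, not from the lab guide. Syntax recalled from PAN-OS 8.x; verify with "?".
admin@PA-VM> configure
# One rule inside the profile: any application, file type exe, both directions (covers
# upload and download as the task asks), action block.
admin@PA-VM# set profiles file-blocking BLOCK_EXE rules block-exe application any file-type exe direction both action block
admin@PA-VM# set rulebase security rules LAN_TO_WAN profile-setting profiles file-blocking BLOCK_EXE
admin@PA-VM# commit
admin@PA-VM# exit
# Download an exe from TEST_PC; file blocking events are written to the data filtering log
admin@PA-VM> show log data direction equal backward
```

The firewall identifies the file type from the file's content, not from the name in the URL, so renaming the test file before downloading does not change the result; as with the antivirus test, an exe fetched over HTTPS is not seen until decryption is enabled.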
Zone Protection
• Zone Protection can be applied according to requirement and based on the attack type, for the following:
o Flood Protection
o Reconnaissance Protection
o Packet Based Attack Protection
o Protocol Protection
Task:- Create a Zone Protection Profile and apply it to the WAN interface.
Apply the Zone Protection Profile to the WAN interface.
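The zone protection task above at the CLI, as an added example that is not part of the original lab guide. It covers three of the four protection types listed above (flood, reconnaissance and packet based attack). The profile name ZP_WAN, the zone name WAN, the hostname PA-VM and the threshold values are assumptions chosen for a lab; the keywords are recalled from the PAN-OS 8.x CLI and should be confirmed with `?` on your device.

```text
# Added example, not from the lab guide. Syntax recalled from PAN-OS 8.x; verify with "?".
admin@PA-VM> configure
# Flood protection with Random Early Drop; rates are packets per second and are lab values
admin@PA-VM# set network profiles zone-protection-profile ZP_WAN flood tcp-syn enable yes red alarm-rate 10000 activate-rate 10000 maximal-rate 40000
admin@PA-VM# set network profiles zone-protection-profile ZP_WAN flood udp enable yes red alarm-rate 10000 activate-rate 10000 maximal-rate 40000
admin@PA-VM# set network profiles zone-protection-profile ZP_WAN flood icmp enable yes red alarm-rate 10000 activate-rate 10000 maximal-rate 40000
# Reconnaissance protection: 8001 = TCP port scan, 8002 = host sweep, 8003 = UDP port scan;
# "threshold" events within "interval" seconds trigger the action
admin@PA-VM# set network profiles zone-protection-profile ZP_WAN scan 8001 action block interval 2 threshold 100
admin@PA-VM# set network profiles zone-protection-profile ZP_WAN scan 8002 action block interval 10 threshold 100
admin@PA-VM# set network profiles zone-protection-profile ZP_WAN scan 8003 action block interval 2 threshold 100
# Packet based attack protection: drop packets whose source address is not routable
# back through the ingress interface
admin@PA-VM# set network profiles zone-protection-profile ZP_WAN discard-ip-spoof yes
# Bind the profile to the zone that holds the WAN interface; the profile is a property
# of the zone, and it inspects traffic entering that zone
admin@PA-VM# set zone WAN network zone-protection-profile ZP_WAN
admin@PA-VM# commit
admin@PA-VM# exit
admin@PA-VM> show zone-protection zone WAN
```

Start with the alarm rate and the scan actions on alert rather than block when you first enable the profile on a production edge, read the threat log for a while, and only then lower the values or switch to block, since the thresholds that fit a lab link will false-positive on a busy internet-facing zone.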
END OF MODULE THANK YOU !