Palo Alto Networks delivering on their promise to bring machines to a machine fight
Last year Palo Alto Networks were preaching that it is impossible to win the cybersecurity fight with humans at the battle front, especially when attackers and attacks are getting more sophisticated and automated. This year, with the recent launch of PAN-OS 9.0, we can see the machines taking over, and it is exciting to see how the entire platform is coming together to protect your business, your data and your assets, not only your network. With over 60 new features there is plenty of information to absorb, so in this article we discuss a few new features that we think can be easily adopted and will reduce your environment's attack surface.
Are you using your NGFW as an Old Generation Firewall?
At Basis Networks we have helped many clients migrate from old platforms to Palo Alto Networks (PANW), with many utilising our services to adopt most of the next generation features they bought the platform for. This always gives a great result, but we are also often engaged by customers who have bought into the PAN platform and only done a basic migration, where they are still using traditional port-based security policies. There are various reasons for this, including time constraints and a lack of understanding of how best to convert policy from port-based to application-based (App-ID) rules without impacting production services. PAN-OS 9.0 will help customers with the adoption of App-ID through its built-in Policy Optimizer. With this feature you can now use the firewall or Panorama to see which applications are matching those port-based policies, without installing external tools. This significantly reduces the complexity of adopting App-ID and is a huge value add for the platform. Not everyone will move to PAN-OS 9.0 straight away, so the good news is that you can upgrade Panorama and keep your firewalls on their current version. As long as the logs are being forwarded to Panorama you are good to go!
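To make the port-to-App-ID conversion concrete, here is an added example (written for this article, not PANW's Policy Optimizer code) of the analysis the optimizer performs on your behalf: take the traffic logged under a port-based rule, list which App-IDs actually matched, and split them into the applications the port is meant for and the traffic that merely rode on an open port. The log rows, the rule names and the expected-application mapping are all constructed for the example; the column layout is a simplified subset, not the firewall's real export format.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample in the shape of a traffic log export: one row per session with the
# rule that matched, the service (protocol/port), the App-ID the firewall identified and
# the action. Made up for this example; the columns are a simplified subset, not the
# real export format.
SAMPLE_TRAFFIC_LOG = """\
rule,proto,dst_port,app,action
allow-web-out,tcp,443,ssl,allow
allow-web-out,tcp,443,web-browsing,allow
allow-web-out,tcp,443,ssh,allow
allow-web-out,tcp,80,web-browsing,allow
allow-web-out,tcp,80,bittorrent,allow
allow-dns-out,udp,53,dns,allow
allow-dns-out,udp,53,dns,allow
allow-dns-out,tcp,53,dns,allow
allow-mgmt,tcp,22,ssh,allow
allow-mgmt,tcp,22,ssh,allow
allow-mgmt,tcp,22,unknown-tcp,allow
"""

# What each port-based rule was really written to carry (assumed mapping for the example).
# Placeholder App-IDs such as unknown-tcp never appear here, so they are always flagged.
EXPECTED_APPS = {
    "tcp/80": {"web-browsing"},
    "tcp/443": {"ssl", "web-browsing"},
    "udp/53": {"dns"},
    "tcp/53": {"dns"},
    "tcp/22": {"ssh"},
}


def hits_per_rule(log_text):
    """Count (app, service) pairs seen under each rule. Only allowed sessions count:
    denied ones say nothing about what the rule currently lets through."""
    hits = defaultdict(Counter)
    for row in csv.DictReader(StringIO(log_text)):
        if row["action"] != "allow":
            continue
        service = f'{row["proto"]}/{row["dst_port"]}'
        hits[row["rule"]][(row["app"], service)] += 1
    return hits


def review_rule(rule, hits):
    """Propose an App-ID rule from what the port-based rule actually carried, and
    list separately the traffic that used the port but is not the application the
    port is for. Those entries need a human decision, not a blind carry-over."""
    apps = set()
    needs_review = []
    for (app, service), count in hits.items():
        if app in EXPECTED_APPS.get(service, set()):
            apps.add(app)
        else:
            needs_review.append((app, service, count))
    return {
        "name": rule,
        "applications": sorted(apps),
        # application-default pins each app to its standard ports, so even if ssh were
        # kept in the list it would no longer be allowed on tcp/443 under this rule.
        "service": "application-default",
        "needs_review": sorted(needs_review),
    }


def review_all(log_text):
    """Run the review over every rule that appears in the log."""
    return {rule: review_rule(rule, hits) for rule, hits in hits_per_rule(log_text).items()}


if __name__ == "__main__":
    for rule, proposal in review_all(SAMPLE_TRAFFIC_LOG).items():
        print(rule, proposal)
```

The interesting output is the `needs_review` list: ssh on tcp/443 and bittorrent on tcp/80 are exactly the sessions a port-based "allow tcp/443" rule can never see, and they disappear once the rule is rewritten with the observed applications and the application-default service. The log window matters as much as the logic: review a period long enough to include monthly and quarterly jobs, or the new rule will break them the first time they run.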
DNS. A necessary evil
“DNS-based attacks have been commonly used since the early 2000’s, but over 40% of firms still fall prey to DNS tunnelling attacks.” Infoblox
PANW's approach to preventing the growing number of DNS tunnelling attacks is the new DNS Security subscription service. In this case the firewall is used as a sensor and the service is delivered from the cloud and, similar to WildFire, it is transparent to the end user. DNS Security provides real-time analysis of DNS requests to defend your network against newly generated malicious domains. If you are testing PAN-OS 9.0 before deploying it in your environment, DNS Security can be enabled if you have a valid Threat Prevention subscription.
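To show what a tunnelling detector has to look for in the requests a firewall sensor forwards, here is an added example written for this article. It is not the DNS Security service or any PANW code, and it uses simple local heuristics rather than the cloud analysis described above: a tunnel encodes data in the query name, so a single zone receives many unique, long, high-entropy subdomains, often in record types such as TXT that can carry data back. The query records are constructed for the example, and the thresholds are starting points to tune against your own traffic, not vendor values.

```python
import math
from collections import defaultdict

# Constructed sample of DNS query records (client IP, queried name, record type).
# Made up for this example; the long random labels imitate what a tunnelling client emits.
SAMPLE_QUERIES = [
    ("10.1.1.5", "www.example.com", "A"),
    ("10.1.1.5", "mail.example.com", "MX"),
    ("10.1.1.9", "www.example.com", "A"),
    ("10.1.1.9", "cdn.example.net", "A"),
    ("10.1.1.7", "a9f3k2m1x8q7z4w2v1b5n6c3.tun.example.org", "TXT"),
    ("10.1.1.7", "b7d2p9l4s1r8t3y6u0i5o2e4.tun.example.org", "TXT"),
    ("10.1.1.7", "c1m8n3b6v9x2z5q7w4e1r0t3.tun.example.org", "TXT"),
    ("10.1.1.7", "d4f7g2h5j8k1l3z6x9c0v2b5.tun.example.org", "TXT"),
    ("10.1.1.7", "e5r8t1y4u7i0o3p6a9s2d5f8.tun.example.org", "TXT"),
]

# Record types with room to carry data in the answer; a high share of them is one more signal.
BULK_TYPES = {"TXT", "NULL"}


def shannon_entropy(text):
    """Bits per character: encoded payload scores high, human-chosen labels score low."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname, zone_labels=2):
    """Split a query name into (zone, subdomain). The last `zone_labels` labels are taken
    as the zone the attacker controls. This is a simplification: production code should
    use the public suffix list so that names under e.g. co.uk are grouped correctly."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-zone_labels:]), ".".join(labels[:-zone_labels])


def profile_zones(queries):
    """Aggregate per zone the signals that separate tunnelling from normal lookups."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "sub_len": 0,
                                 "entropy": 0.0, "bulk_types": 0, "clients": set()})
    for client, qname, qtype in queries:
        zone, sub = split_name(qname)
        s = stats[zone]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub)
        s["clients"].add(client)
        if qtype in BULK_TYPES:
            s["bulk_types"] += 1
    return stats


def suspected_tunnels(queries, min_unique=5, min_len=20.0, min_entropy=3.5):
    """Return zones that look like tunnel endpoints. Each signal alone is noisy (CDNs and
    anti-virus vendors also generate long unique labels), so all three must hold."""
    flagged = {}
    for zone, s in profile_zones(queries).items():
        n = s["queries"]
        avg_len = s["sub_len"] / n
        avg_entropy = s["entropy"] / n
        if len(s["subdomains"]) >= min_unique and avg_len >= min_len and avg_entropy >= min_entropy:
            flagged[zone] = {
                "unique_subdomains": len(s["subdomains"]),
                "avg_subdomain_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
                "bulk_type_share": round(s["bulk_types"] / n, 2),
                "clients": sorted(s["clients"]),
            }
    return flagged


if __name__ == "__main__":
    for zone, detail in suspected_tunnels(SAMPLE_QUERIES).items():
        print(zone, detail)
```

Run against the sample, only `example.org` is flagged: five unique 28-character subdomains averaging over four bits per character, all TXT, all from one client. The thresholds are deliberately conservative because the expensive part of DNS detection is false positives on legitimate high-volume zones; in practice you would whitelist known CDN and security-vendor zones before alerting, and treat the `clients` list as the starting point for the investigation.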
Web Proxy got smarter
A popular feature of PANW is URL Filtering, which is used to replace legacy web proxies, and this has now been further improved with capabilities that go beyond allowing or denying access to certain domains. PAN-OS 9.0 automatically examines multiple attributes for each website and allows a more granular policy to be configured. Now a website can be part of multiple categories, have different risk ratings, and indicate if the domain was recently created. This opens the possibility of URL policies that automatically block sites using dynamic DNS even if their content category is allowed, automatically block recently registered sites, or allow all finance sites but block those hosted by bulletproof ISPs, for example.
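The difference between a single-category proxy decision and a multi-category one is easiest to see in code, so here is an added example written for this article (not PANW's URL Filtering implementation). It evaluates an ordered policy against the full set of categories a site carries and compares the result with a legacy lookup that only sees the primary content category. The site records and the category names are constructed for the example; they are illustrative and not a copy of the vendor's category list.

```python
# Constructed lookup results in the shape described above: each site has a primary content
# category plus attribute categories (risk rating, newly-registered-domain, dynamic-dns).
# Names are illustrative for the example, not the vendor's actual category list.
SITES = {
    "bank.example": {
        "primary": "financial-services",
        "categories": {"financial-services", "low-risk"},
    },
    "ddns-finance.example": {
        "primary": "financial-services",
        "categories": {"financial-services", "dynamic-dns", "medium-risk"},
    },
    "new-bank.example": {
        "primary": "financial-services",
        "categories": {"financial-services", "newly-registered-domain", "high-risk"},
    },
    "news.example": {"primary": "news", "categories": {"news", "low-risk"}},
    "unlisted.example": {"primary": "unknown", "categories": {"unknown", "medium-risk"}},
}

# Ordered policy, first match wins, as in a firewall rulebase. The block rules on the
# attribute categories sit ABOVE the content allow rules; put allow-finance first and the
# dynamic-DNS finance site sails through, which is the failure mode to watch for.
URL_POLICY = [
    {"name": "block-dynamic-dns", "any_of": {"dynamic-dns"}, "action": "block"},
    {"name": "block-new-domains", "any_of": {"newly-registered-domain"}, "action": "block"},
    {"name": "block-high-risk", "any_of": {"high-risk"}, "action": "block"},
    {"name": "allow-finance", "any_of": {"financial-services"}, "action": "allow"},
    {"name": "allow-news", "any_of": {"news"}, "action": "allow"},
]
DEFAULT_RULE = ("default-deny", "block")

# The legacy proxy's world: one category per site, allow-listed by content only.
LEGACY_ALLOWED = {"financial-services", "news"}


def legacy_decision(site):
    """Single-category proxy: only the primary content category is consulted."""
    return "allow" if site["primary"] in LEGACY_ALLOWED else "block"


def multi_category_decision(site):
    """Walk the ordered policy; a rule matches if any of its categories is on the site."""
    for rule in URL_POLICY:
        if rule["any_of"] & site["categories"]:
            return rule["name"], rule["action"]
    return DEFAULT_RULE


def disagreements(sites):
    """Sites where the two approaches differ: (legacy action, multi-category action)."""
    out = {}
    for name, site in sites.items():
        legacy = legacy_decision(site)
        _, new = multi_category_decision(site)
        if legacy != new:
            out[name] = (legacy, new)
    return out


if __name__ == "__main__":
    for name, site in SITES.items():
        print(name, legacy_decision(site), multi_category_decision(site))
    print("disagreements:", disagreements(SITES))
```

The two finance sites on dynamic DNS and on a newly registered domain are allowed by the legacy lookup and blocked by the multi-category policy, which is the whole point of the extra attributes. Rule order carries the security decision here, exactly as it does in the security rulebase: block-on-attribute rules go above allow-on-content rules, and `unlisted.example` shows why a default deny at the bottom still matters.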
The PANW platform continues to mature and expand, and their highly rated firewalls are just the beginning. With products like Aperture to protect SaaS applications, RedLock for cloud compliance and Global Protect Cloud Services to secure the SD-WAN we can help you to bring machines to a machine fight and free up time from your security department so they can focus on more important tasks. If you would like some expert advice on your Palo Alto Networks deployment, or are considering the platform, please get in touch so we can give you some assistance.
Jonathan Cardenas is a Senior Consultant at Basis Networks, a Palo Alto Networks Certified Network Security Consultant (PCNSC) and a Cyberforce Defender.