What Is a Best Practice Internet Gateway Security Policy?

A best practice internet gateway security policy has two main security goals:
  • Minimize the chance of a successful intrusion: Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best practice security policy leverages App-ID, User-ID, and Content-ID to ensure safe enablement of applications across all ports, for all users, all the time, while simultaneously scanning all traffic for both known and unknown threats.
  • Identify the presence of an attacker: A best practice internet gateway security policy provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network.
To achieve these goals, the best practice internet gateway security policy uses application-based rules to allow access to specific applications by user, while scanning all traffic to detect and block all known threats, and sends unknown files to WildFire to identify new threats and generate signatures to block them.
The best practice policy is based on the following methodologies, which together ensure detection and prevention at multiple stages of the attack life cycle. Each methodology is described below, along with why it is important.
Inspect All Traffic for Visibility
Because you cannot protect against threats you cannot see, you must make sure you have full visibility into all traffic across all users and applications all the time. To accomplish this:
  • Deploy GlobalProtect to extend the next-generation security platform to users and devices no matter where they are located.
  • Enable decryption so the firewall can inspect encrypted traffic (every year a higher percentage of enterprise web traffic is encrypted and more new malware campaigns use encryption).
  • Enable User-ID to map application traffic and associated threats to users/devices.
  • If company policy allows users’ devices on the network (BYOD or corporate devices without GlobalProtect or other management applications installed), the unsanctioned device access control service enables users to access your cloud applications from personal devices, from any location, without inadvertently putting your data or organization at risk. The service redirects traffic through the firewall for policy enforcement and threat prevention.
Using the native App-ID, Content-ID, and User-ID technologies, the firewall can then inspect all traffic (applications, threats, and content) and tie it to the user, regardless of location, device type, port, encryption, or evasive techniques employed.
Complete visibility into the applications, the content, and the users on your network is the first step toward informed policy control.
Reduce the Attack Surface
After you have context into the traffic on your network—applications, their associated content, and the users who are accessing them—create application-based Security policy rules to allow those applications that are critical to your business and additional rules to block all high-risk applications that have no legitimate use case.
To further reduce your attack surface, attach File Blocking and URL Filtering profiles to all rules that allow application traffic, to prevent users from visiting threat-prone web sites and to prevent them from uploading or downloading dangerous file types (either knowingly or unknowingly). To prevent attackers from executing successful phishing attacks (the cheapest and easiest way for them to make their way into your network), configure credential phishing prevention.
Prevent Known Threats
Enable the firewall to scan all allowed traffic for known threats by attaching security profiles to all allow rules, to detect and block network- and application-layer vulnerability exploits, buffer overflows, DoS attacks, port scans, and known malware variants (including those hidden within compressed files or compressed HTTP/HTTPS traffic). To enable inspection of encrypted traffic, enable decryption.
In addition to application-based Security policy rules, create rules for blocking known malicious IP addresses based on threat intelligence from Palo Alto Networks and reputable third-party feeds.
Detect Unknown Threats
Forward all unknown files to WildFire for analysis. WildFire identifies unknown or targeted malware (also called advanced persistent threats or APTs) hidden within files by directly observing and executing unknown files in a virtualized sandbox environment in the cloud or on the WildFire appliance. WildFire monitors more than 250 malicious behaviors and, if it finds malware, it automatically develops a signature and delivers it to you in as little as five minutes (and now that unknown threat is a known threat).
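The four methodologies above translate into checkable properties of a rulebase: allow rules are application-based rather than port-based and scoped to users, every allow rule carries the full set of security profiles (including WildFire analysis for unknown files), decryption is enabled, and at least one deny rule draws on a known-malicious IP feed. The following audit script is an added example written for this page, not Palo Alto Networks code or PAN-OS configuration syntax; the `Rule` shape, the profile names in `REQUIRED_PROFILES`, the `destination_edl` field, and the sample rules are all constructed for illustration.

```python
"""Audit a security rulebase against the best-practice goals described above.

Rules are plain dataclasses in a constructed, vendor-neutral shape (this is an
illustrative model, not PAN-OS configuration syntax).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Profile types a best-practice allow rule should carry. These are this
# example's own labels (assumed), not a product's exact profile identifiers.
REQUIRED_PROFILES = {
    "antivirus", "anti-spyware", "vulnerability",
    "url-filtering", "file-blocking", "wildfire-analysis",
}


@dataclass
class Rule:
    name: str
    action: str                                    # "allow" or "deny"
    applications: Set[str] = field(default_factory=lambda: {"any"})
    service: str = "application-default"           # or "any" / an explicit port
    users: Set[str] = field(default_factory=lambda: {"any"})
    profiles: Set[str] = field(default_factory=set)
    destination_edl: Optional[str] = None          # known-bad IP feed, if any


def audit_rule(rule: Rule) -> List[str]:
    """Return the best-practice gaps in one rule (an empty list means clean)."""
    findings: List[str] = []
    if rule.action != "allow":
        return findings                # deny rules carry no scanning profiles
    if "any" in rule.applications:
        findings.append("allows any application: port-based, not App-ID-based")
    if rule.service != "application-default":
        findings.append(
            f"service '{rule.service}' lets allowed apps run on non-standard ports")
    if "any" in rule.users:
        findings.append("not scoped to users or groups (User-ID)")
    missing = REQUIRED_PROFILES - rule.profiles
    if missing:
        findings.append("missing security profiles: " + ", ".join(sorted(missing)))
    return findings


def audit_rulebase(rules: List[Rule], decryption_enabled: bool) -> Dict[str, List[str]]:
    """Map rule name -> findings; the '<global>' key collects rulebase-wide gaps."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.name] = findings
    global_findings: List[str] = []
    if not decryption_enabled:
        global_findings.append("decryption disabled: encrypted traffic is not inspected")
    if not any(r.action == "deny" and r.destination_edl for r in rules):
        global_findings.append("no deny rule uses a known-malicious IP feed")
    if global_findings:
        report["<global>"] = global_findings
    return report


# Constructed sample rulebase (not taken from any real deployment).
SAMPLE_RULES = [
    Rule("block-known-bad-ips", "deny", destination_edl="threat-intel-ips"),
    Rule("allow-web-for-employees", "allow",
         applications={"web-browsing", "ssl"}, users={"employees"},
         profiles=set(REQUIRED_PROFILES)),
    # A legacy port-based rule: any app, explicit port, any user, one profile.
    Rule("legacy-allow-tcp-443", "allow",
         service="tcp/443", profiles={"antivirus"}),
]

if __name__ == "__main__":
    for name, findings in audit_rulebase(SAMPLE_RULES, decryption_enabled=False).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the block flags only the legacy rule and the disabled decryption; the employee web rule and the threat-intel deny rule pass. The checks are deliberately conservative: a rule that allows `any` application or a fixed port is reported even if it has every profile attached, because the page's point is that scanning complements, rather than replaces, application-based enablement.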
