What Is a Best Practice Internet Gateway Security Policy?
A best practice internet gateway security policy has
two main security goals:
- Minimize the chance of a successful intrusion—Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best practice security policy leverages App-ID, User-ID, and Content-ID to ensure safe enablement of applications across all ports, for all users, all the time, while simultaneously scanning all traffic for both known and unknown threats.
- Identify the presence of an attacker—A best practice internet gateway security policy provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network.
To achieve these goals, the best practice internet gateway security policy uses application-based rules to allow access to specific applications by user, while scanning all traffic to detect and block all known threats, and sends unknown files to WildFire to identify new threats and generate signatures to block them.

The best practice policy is based on the following methodologies.
The best practice methodologies ensure detection and prevention
at multiple stages of the attack life cycle.
Best Practice Methodology | Why is this important? |
---|---|
Inspect All Traffic for Visibility | Because you cannot protect against threats you cannot see, you must make sure you have full visibility into all traffic across all users and applications all the time. To accomplish this: The firewall can then inspect all traffic—inclusive of applications, threats, and content—and tie it to the user, regardless of location or device type, port, encryption, or evasive techniques employed, using the native App-ID, Content-ID, and User-ID technologies. Complete visibility into the applications, the content, and the users on your network is the first step toward informed policy control. |
Reduce the Attack Surface | After you have context into the traffic on your network—applications, their associated content, and the users who are accessing them—create application-based Security policy rules to allow those applications that are critical to your business, and additional rules to block all high-risk applications that have no legitimate use case. To further reduce your attack surface, attach File Blocking and URL Filtering profiles to all rules that allow application traffic, to prevent users from visiting threat-prone web sites and from uploading or downloading dangerous file types (either knowingly or unknowingly). To prevent attackers from executing successful phishing attacks (the cheapest and easiest way for them to make their way into your network), configure credential phishing prevention. |
Prevent Known Threats | Enable the firewall to scan all allowed traffic for known threats by attaching security profiles to all allow rules, to detect and block network- and application-layer vulnerability exploits, buffer overflows, DoS attacks, port scans, and known malware variants (including those hidden within compressed files or compressed HTTP/HTTPS traffic). To enable inspection of encrypted traffic, enable decryption. In addition to application-based Security policy rules, create rules that block known malicious IP addresses based on threat intelligence from Palo Alto Networks and reputable third-party feeds. |
Detect Unknown Threats | Forward all unknown files to WildFire for analysis. WildFire identifies unknown or targeted malware (also called advanced persistent threats or APTs) hidden within files by directly observing and executing unknown files in a virtualized sandbox environment in the cloud or on the WildFire appliance. WildFire monitors more than 250 malicious behaviors and, if it finds malware, it automatically develops a signature and delivers it to you in as little as five minutes (and now that unknown threat is a known threat). |
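The second goal above, identifying gaps in the rulebase, and the checks implied by the methodology table can be expressed as a small audit. The Python script below is an added example, not code from Palo Alto Networks or PAN-OS: it models a Security policy rule as a plain object whose field names are constructed for the illustration, and audits a constructed sample rulebase for the gaps the table describes (port-based allow rules, allow rules not tied to User-ID, allow rules missing the threat, File Blocking, URL Filtering or WildFire Analysis profiles, decryption disabled, and no deny rule fed by a threat-intelligence list).

```python
"""Audit a Security rulebase against the best-practice methodology.

Added example, not PAN-OS or Palo Alto Networks code. Rules are plain Python
objects modelled loosely on the fields of a PAN-OS Security policy rule; the
field names, profile names and the sample rulebase are constructed for this
illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Profile types the methodology expects on every allow rule: known-threat
# scanning (vulnerability, spyware, virus), attack-surface reduction
# (file-blocking, url-filtering) and unknown-file forwarding (wildfire-analysis).
REQUIRED_PROFILES = frozenset({
    "vulnerability", "spyware", "virus",
    "file-blocking", "url-filtering", "wildfire-analysis",
})


@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    applications: List[str]                      # App-ID names, or ["any"]
    users: List[str]                             # User-ID groups, or ["any"]
    profiles: Dict[str, str] = field(default_factory=dict)  # type -> profile name
    source_edls: List[str] = field(default_factory=list)    # external dynamic lists
    log_at_session_end: bool = True


def audit_rule(rule: Rule) -> List[str]:
    """Return the best-practice gaps found in a single rule (empty if none)."""
    gaps: List[str] = []
    if rule.action == "allow":
        if "any" in rule.applications:
            gaps.append("allow rule is port-based, not application-based (application = any)")
        if "any" in rule.users:
            gaps.append("allow rule is not tied to User-ID (source user = any)")
        for profile_type in sorted(REQUIRED_PROFILES - set(rule.profiles)):
            gaps.append(f"no {profile_type} profile attached")
    if not rule.log_at_session_end:
        gaps.append("logging disabled: matching traffic is invisible to detection")
    return gaps


def audit_rulebase(rules: List[Rule], decryption_enabled: bool) -> Dict[str, List[str]]:
    """Audit each rule and the rulebase as a whole.

    Returns a mapping of rule name -> gaps for rules with findings, plus a "*"
    entry for rulebase-wide gaps. An empty dict means no gaps were found.
    """
    report: Dict[str, List[str]] = {}
    for rule in rules:
        gaps = audit_rule(rule)
        if gaps:
            report[rule.name] = gaps

    global_gaps: List[str] = []
    if not decryption_enabled:
        global_gaps.append("decryption disabled: encrypted traffic is not inspected")
    # The methodology asks for deny rules driven by threat-intelligence feeds.
    if not any(r.action == "deny" and r.source_edls for r in rules):
        global_gaps.append("no deny rule blocks known malicious IPs from a threat-intelligence feed")
    if global_gaps:
        report["*"] = global_gaps
    return report


def sample_rulebase() -> List[Rule]:
    """Constructed sample: one compliant rule, one legacy rule, one EDL block rule."""
    full = {p: f"bp-{p}" for p in REQUIRED_PROFILES}
    return [
        Rule("allow-web-browsing", "allow", ["web-browsing", "ssl"],
             ["all-employees"], profiles=full),
        Rule("legacy-allow-any", "allow", ["any"], ["any"]),
        Rule("block-known-bad-ips", "deny", ["any"], ["any"],
             source_edls=["known-malicious-ips-edl"]),  # placeholder EDL name
    ]


if __name__ == "__main__":
    for name, gaps in audit_rulebase(sample_rulebase(), decryption_enabled=False).items():
        print(name)
        for gap in gaps:
            print("  -", gap)
```

Run stand-alone, the script reports eight gaps for the legacy port-based rule, none for the application-based rule with the full profile set, and a rulebase-wide finding for disabled decryption. Against a real firewall the rulebase would first have to be exported and mapped onto `Rule` objects; that step is outside this example.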