Create Best Practice Security Profiles for the Internet Gateway
Most malware sneaks onto the network in legitimate applications
or services. Therefore, to safely enable applications you must scan
all traffic allowed into the network for threats. To do this, attach
security profiles to all Security policy rules that allow traffic
so that you can detect threats—both known and unknown—in your network
traffic. The following are the recommended best practice settings
for each of the security profiles that you should attach to every
Security policy rule on your internet gateway policy rulebase.
Consider adding the best practice security
profiles to a default security profile group so that it
will automatically attach to any new Security policy rules you create.
Best Practice Internet Gateway File Blocking Profile
Use these File Blocking settings as a best practice at
your internet gateway.
Use the predefined strict file blocking profile to block files that
are commonly included in malware attack campaigns or that have no
real use case for upload/download. The predefined strict profile
blocks batch files, DLLs, Java class files, help files, Windows
shortcuts (.lnk), and BitTorrent files as well as Windows Portable
Executable (PE) files, which include .exe, .cpl, .dll, .ocx, .sys,
.scr, .drv, .efi, .fon, and .pif files. This profile allows download/upload
of executables and archive files (.zip and .rar), but forces users
to click continue before transferring a file to give them pause. The
predefined profile alerts on all other file types for visibility
into what other file transfers are happening so that you can determine
if you need to make policy changes.
Why do I need this profile?
There are
many ways for attackers to deliver malicious files: as attachments
or links in corporate email or in webmail, links or IMs in social
media, Exploit Kits, through file sharing applications (such as
FTP, Google Drive, or Dropbox), or on USB drives. Attaching the
strict file blocking profile reduces your attack surface by preventing
these types of attacks.
What if I can’t block all of the file types covered
in the predefined strict profile?
If you have mission-critical
applications that prevent you from blocking all of the file types
included in the predefined strict profile, you can clone the profile
and modify it for those users who must transfer a file type covered
by the predefined profile. If you choose not to block all PE files
per the recommendation, make sure you send all unknown files to
WildFire for analysis. Additionally, set the Action to continue
to prevent drive-by downloads, which is when an end user downloads content
that installs malicious files, such as Java applets or executables,
without knowing they are doing it. Drive-by downloads can occur
when users visit web sites, view email messages, or click into pop-up
windows meant to deceive them. Educate your users that if they are
prompted to continue with a file transfer they didn’t knowingly
initiate, they may be subject to a malicious download. In addition,
using file blocking in conjunction with URL filtering to limit the
categories in which users can transfer files is another good way
to reduce the attack surface when you find it necessary to allow
file types that may carry threats.
Best Practice Internet Gateway Antivirus Profile
Use these Antivirus security profiles settings as a best
practice at your internet gateway.
Attach an Antivirus profile to all
allowed traffic to detect and prevent viruses and malware from being
transferred over the HTTP, SMTP, IMAP, POP3, FTP, and SMB protocols.
The best practice Antivirus profile uses the default action when
it detects traffic that matches either an Antivirus signature or
a WildFire signature. The default action differs for each protocol
and follows the most up-to-date recommendation from Palo Alto Networks
for how to best prevent malware in each type of protocol from propagating.
By default, the firewall alerts on viruses found in SMTP traffic.
However, if you don’t have a dedicated Antivirus gateway solution
in place for your SMTP traffic, define a stricter action for this
protocol to protect against infected email content. Use the reset-both
action to return a 541 response to the sending SMTP server to prevent
it from resending the blocked message.
Why do I need this profile?
By attaching
Antivirus profiles to all Security rules you can block known malicious
files (malware, ransomware bots, and viruses) as they are coming
into the network. Common ways for users to receive malicious files
include malicious attachments in email, links to download malicious
files, or silent compromise with Exploit Kits that exploit a vulnerability and
then automatically deliver malicious payloads to the end user.
Best Practice Internet Gateway Vulnerability Protection Profile
Use these Vulnerability Protection security profile settings
as a best practice at your internet gateway.
Attach a Vulnerability Protection profile to all
allowed traffic to protect against buffer overflows, illegal code
execution, and other attempts to exploit client- and server-side
vulnerabilities. The best practice profile is a clone of the predefined
Strict profile, with single-packet capture (PCAP) settings enabled
to help you track down the source of any potential attacks.
Why do I need this profile?
Without strict
vulnerability protection, attackers can leverage client- and server-side
vulnerabilities to compromise end-users. For example, an attacker
could leverage a vulnerability to install malicious code on client
systems or use an Exploit Kit (Angler, Nuclear, Fiesta,
KaiXin) to automatically deliver malicious payloads to the end user. Vulnerability
Protection profiles also prevent an attacker from using vulnerabilities
on internal hosts to move laterally within your network.
Don’t
enable PCAP for informational activity because it generates a relatively
high volume of that traffic and it’s not particularly useful compared
to potential threats. Apply extended PCAP (as opposed to single
PCAP) to high-value traffic to which you apply the
alert
Action.
Apply PCAP using the same logic you use to decide what traffic to
log—take PCAPs of the traffic you log. Apply single PCAP to traffic
you block. The default number of packets that extended PCAP records
and sends to the management plane is five packets, which is the
recommended value. In most cases, capturing five packets provides
enough information to analyze the threat. If too much PCAP traffic
is sent to the management plane, then capturing more than five packets
may result in dropping PCAPs.Best Practice Internet Gateway Anti-Spyware Profile
Use these Anti-Spyware security profile settings as a
best practice at your internet gateway.
Attach an Anti-Spyware profile to
all allowed traffic to detect command and control traffic (C2) initiated
from spyware installed on a server or endpoint and prevents compromised
systems from establishing an outbound connection from your network.
The best practice Anti-Spyware profile resets the connection when
the firewall detects a medium, high, or critical severity threat
and takes a single-packet capture, and blocks or sinkholes any DNS queries
for known malicious domains.
Don’t enable PCAP for informational activity because it generates
a relatively high volume of that traffic and it’s not particularly
useful compared to potential threats. Apply extended PCAP (as opposed
to single PCAP) to high-value traffic to which you apply the
alert
Action.
Apply PCAP using the same logic you use to decide what traffic to
log—take PCAPs of the traffic you log. Apply single PCAP to traffic
you block. The default number of packets that extended PCAP records
and sends to the management plane is five packets, which is the
recommended value. In most cases, capturing five packets provides
enough information to analyze the threat. If too much PCAP traffic
is sent to the management plane, then capturing more than five packets
may result in dropping PCAPs.To create this profile, clone the predefined strict profile and
make sure to enable DNS sinkhole and packet capture
to help you track down the endpoint that attempted to resolve the
malicious domain.
Best Practice Internet Gateway URL Filtering Profile
Use these URL Filtering security profile settings as
a best practice at your internet gateway.
As a best practice, use PAN-DB URL filtering to prevent
access to web content that is at high-risk for being malicious.
Attach a URL Filtering profile to all rules that
allow access to web-based applications to protect against URLs that
have been observed hosting malware or exploitive content.
The best practice URL Filtering profile sets all known dangerous
URL categories to block. These include command-and-control, copyright-infringement,
dynamic-dns, extremism, malware, phishing, proxy-avoidance-and-anonymizers,
unknown, and parked. Failure to block these dangerous categories
puts you at risk for exploit infiltration, malware download, command
and control activity, and data exfiltration.
In addition to blocking known bad categories, you should also
alert on all other categories so that you have visibility into the
sites your users are visiting. If you need to phase in a block policy,
set categories to continue and create a custom response page to educate
users on your acceptable use policies and alert them to the fact
that they are visiting a site that may pose a threat. This will
pave the way for you to outright block the categories after a monitoring period.
What if I can’t block all of the recommended categories?
If
you find that users need access to sites in the blocked categories,
consider creating an allow list for just the specific sites, if
you feel the risk is justified. On categories you decide to allow,
make sure you set up credential phishing prevention to
ensure that users aren’t submitting their corporate credentials
to a site that may be hosting a phishing attack.
Allowing
traffic to a recommended block category poses the following risks:
- malware—Sites known to host malware or used for command and control (C2) traffic. May also exhibit Exploit Kits.
- phishing—Known to host credential phishing pages or phishing for personal identification.
- dynamic-dns—Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
- unknown—Sites that have not yet been identified by PAN-DB, perhaps because they were just registered. However, oftentimes these are sites that are generated by domain generation algorithms and are later found to exhibit malicious behavior.
- command-and-control—Command-and-control URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data.
- proxy-avoidance-and-anonymizers—URLs and services often used to bypass content filtering products.
- copyright-infringement—Domains with illegal content, such as content that allows illegal download of software or other intellectual property. This category was introduced to enable adherence to child protection laws required in the education industry as well as laws in countries that require internet providers to prevent users from sharing copyrighted material through their service.
- extremism—Websites promoting terrorism, racism, fascism or other extremist views discriminating people or groups of different ethnic backgrounds, religions or other beliefs. This category was introduced to enable adherence to child protection laws required in the education industry.
- parked—Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identify information. Or, they may be domains that an individual purchases rights to in hopes that it may be valuable someday, such as panw.net.
Best Practice Internet Gateway WildFire Analysis Profile
Use these WildFire Analysis security profile settings
as a best practice at your internet gateway.
While the rest of the best practice security profiles
significantly reduce the attack surface on your network by detecting
and blocking known threats, the threat landscape is ever changing
and the risk of unknown threats lurking in the files we use daily—PDFs,
Microsoft Office documents (.doc and .xls files)—is ever growing.
And, because these unknown threats are increasingly sophisticated
and targeted, they often go undetected until long after a successful
attack. To protect your network from unknown threats, you must configure
the firewall to forward files to WildFire for analysis. Without
this protection, attackers have free reign to infiltrate your network
and exploit vulnerabilities in the applications your employees use
everyday. Because WildFire protects against unknown threats, it
is your greatest defense against advanced persistent threats (APTs).
The best practice WildFire Analysis profile sends all files
in both directions (upload and download) to WildFire for analysis.
Specifically, make sure you are sending all PE files (if you’re
not blocking them per the file blocking best practice), Adobe Flash
and Reader files (PDF, SWF), Microsoft Office files (PowerPoint,
Excel, Word, RTF), Java files (Java, .CLASS), and Android files
(.APK).
