What Is a Best Practice Internet Gateway Security Policy?
A best practice internet gateway security policy has two main security goals:
- Minimize the chance of a successful intrusion—Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best practice security policy leverages App-ID, User-ID, and Content-ID to ensure safe enablement of applications across all ports, for all users, all the time, while simultaneously scanning all traffic for both known and unknown threats.
- Identify the presence of an attacker—A best practice internet gateway security policy provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network.
To achieve these goals, the best practice internet gateway security policy uses application-based rules to allow access to whitelisted applications by user, while scanning all traffic to detect and block all known threats and sending unknown files to WildFire to identify new threats and generate signatures to block them.
The best practice policy is based on the following methodologies, which together ensure detection and prevention at multiple stages of the attack life cycle.
Best Practice Methodology
Why is this important?
Inspect All Traffic for Visibility
Because you cannot protect against threats you cannot see, you must make sure you have full visibility into all traffic across all users and applications all the time. To accomplish this:
Using the native App-ID, Content-ID, and User-ID technologies, the firewall can then inspect all traffic—inclusive of applications, threats, and content—and tie it to the user, regardless of location, device type, port, encryption, or evasive techniques employed.
Complete visibility into the applications, the content, and the users on your network is the first step toward informed policy control.
Reduce the Attack Surface
After you have context into the traffic on your network—applications, their associated content, and the users who are accessing them—create application-based Security policy rules to allow those applications that are critical to your business and additional rules to block all high-risk applications that have no legitimate use case.
To further reduce your attack surface, attach File Blocking and URL Filtering profiles to all rules that allow application traffic, to prevent users from visiting threat-prone web sites and from uploading or downloading dangerous file types (either knowingly or unknowingly). To prevent attackers from executing successful phishing attacks (the cheapest and easiest way for them to make their way into your network), configure credential phishing prevention.
Prevent Known Threats
Enable the firewall to scan all allowed traffic for known threats by attaching security profiles to all allow rules to detect and block network and application layer vulnerability exploits, buffer overflows, DoS attacks, port scans, and known malware variants (including those hidden within compressed files or compressed HTTP/HTTPS traffic). To enable inspection of encrypted traffic, enable SSL decryption.
In addition to application-based Security policy rules, create rules for blocking known malicious IP addresses based on threat intelligence from Palo Alto Networks and reputable third-party feeds.
Detect Unknown Threats
Forward all unknown files to WildFire for analysis. WildFire identifies unknown or targeted malware (also called advanced persistent threats or APTs) hidden within files by directly observing and executing unknown files in a virtualized sandbox environment in the cloud or on the WildFire appliance. WildFire monitors more than 250 malicious behaviors and, if it finds malware, it automatically develops a signature and delivers it to you in as little as five minutes (and now that unknown threat is a known threat).
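As an added example (not code from the Palo Alto Networks documentation), the following Python audit walks a constructed PAN-OS-style XML rulebase export and flags the gaps the methodologies above warn about: allow rules that are port-based (application "any"), not user-based, not using application-default service, or missing the security profiles that the Prevent Known Threats and Detect Unknown Threats methodologies require. The element names, the "default" profile names, and the sample rules are assumptions about the export format, not values from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real export); layout assumes the PAN-OS XML rulebase shape.
SAMPLE_RULEBASE = """<rulebase><security><rules>
<entry name="allow-web-by-user"><action>allow</action>
  <source-user><member>corp\\employees</member></source-user>
  <application><member>web-browsing</member><member>ssl</member></application>
  <service><member>application-default</member></service>
  <profile-setting><profiles>
    <virus><member>default</member></virus><spyware><member>default</member></spyware>
    <vulnerability><member>default</member></vulnerability>
    <url-filtering><member>default</member></url-filtering>
    <file-blocking><member>default</member></file-blocking>
    <wildfire-analysis><member>default</member></wildfire-analysis>
  </profiles></profile-setting></entry>
<entry name="legacy-allow-any"><action>allow</action>
  <source-user><member>any</member></source-user>
  <application><member>any</member></application>
  <service><member>any</member></service></entry>
<entry name="block-bad-ips"><action>deny</action>
  <destination><member>malicious-ip-edl</member></destination>
  <application><member>any</member></application></entry>
</rules></security></rulebase>"""

# Profiles every allow rule should carry so allowed traffic is scanned and unknown files reach WildFire.
REQUIRED_PROFILES = ("virus", "spyware", "vulnerability",
                     "url-filtering", "file-blocking", "wildfire-analysis")
ANY_CHECKS = {"application": "port-based rule: application is 'any'",
              "service": "service is 'any' instead of application-default",
              "source-user": "not user-based: source-user is 'any'"}

def members(entry, field):
    return [m.text for m in entry.findall(f"{field}/member")]

def audit_rulebase(xml_text):
    """Return {rule_name: [findings]} for allow rules that miss the best-practice checks."""
    findings = {}
    for entry in ET.fromstring(xml_text).iterfind("./security/rules/entry"):
        if entry.findtext("action") != "allow":
            continue  # deny/drop rules do not need inspection profiles
        issues = [msg for field, msg in ANY_CHECKS.items() if "any" in members(entry, field)]
        profiles = entry.find("profile-setting/profiles")
        if entry.find("profile-setting/group") is None:  # a profile group counts as covered
            missing = [p for p in REQUIRED_PROFILES if profiles is None or profiles.find(p) is None]
            if missing:
                issues.append("missing security profiles: " + ", ".join(missing))
        if issues:
            findings[entry.get("name")] = issues
    return findings
```

Run against a real export, the findings list is the rulebase-gap report to work through before the attach-profiles and application-based-rule steps are considered complete.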