The Traditional Approach vs. The Best Practice Approach
Traditional approach: Create port-based security policy.
The risk: Malicious applications access the network by spoofing port numbers, tunneling through a port, or using port hopping to avoid detection.
Best practice approach: Application allow rules prevent applications from running on non-standard ports. Log and monitor allow list violations.
When you transition from port-based to application-based rules, place the application-based rule above the port-based rule it will replace in the rulebase. Reset the policy rule hit counter for both rules. If traffic hits the port-based rule, its policy rule hit count increases. Tune the application-based rule until no traffic hits the port-based rule for a period of time, then remove the port-based rule.
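The cut-over procedure above, modelled as an added example (this is illustrative Python written for this page, not PAN-OS code or any vendor API). It assumes a first-match rulebase, a per-rule hit counter, and constructed sample flows on TCP/443 in which one flow is SSH tunneled over 443; the rule names, addresses and application names are all made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed model of a first-match firewall rulebase with hit counters.
# Example code for this page; it is not PAN-OS and does not call any vendor API.


@dataclass
class Rule:
    name: str
    port: Optional[int] = None        # port-based match; None means any port
    apps: Optional[Set[str]] = None   # application-based match; None means any app
    hits: int = 0                     # policy rule hit counter

    def matches(self, flow: Dict) -> bool:
        if self.port is not None and flow["port"] != self.port:
            return False
        if self.apps is not None and flow["app"] not in self.apps:
            return False
        return True


def evaluate(rulebase: List[Rule], flows: List[Dict]) -> List[str]:
    """Evaluate flows top-down; the first matching rule wins and its counter increments."""
    decisions = []
    for flow in flows:
        decision = "default-deny"
        for rule in rulebase:
            if rule.matches(flow):
                rule.hits += 1
                decision = rule.name
                break
        decisions.append(decision)
    return decisions


def reset_hit_counters(rulebase: List[Rule]) -> None:
    for rule in rulebase:
        rule.hits = 0


def port_rule_still_needed(rulebase: List[Rule], port_rule_name: str) -> bool:
    """The port-based rule may be removed only once it has seen no traffic since the last reset."""
    return next(r for r in rulebase if r.name == port_rule_name).hits > 0


# Constructed sample traffic (hypothetical hosts and applications).
SAMPLE_FLOWS = [
    {"src": "10.1.1.10", "app": "ssl", "port": 443},
    {"src": "10.1.1.11", "app": "web-browsing", "port": 443},
    {"src": "10.1.1.12", "app": "ssl", "port": 443},
    {"src": "10.1.1.13", "app": "ssh", "port": 443},  # SSH tunneled over 443: an allow-list violation
]


def run_transition(flows: List[Dict] = SAMPLE_FLOWS) -> Dict:
    """Walk the cut-over: app rule above the port rule, reset, observe, tune, re-check, remove."""
    app_rule = Rule("allow-web-apps", port=443, apps={"ssl"})
    port_rule = Rule("allow-tcp-443", port=443)
    rulebase = [app_rule, port_rule]  # app-based rule sits above the port-based rule it replaces
    report = {}

    # Round 1: reset both counters and see which flows fall through to the port rule.
    reset_hit_counters(rulebase)
    decisions = evaluate(rulebase, flows)
    report["round1_port_rule_hits"] = port_rule.hits
    report["round1_leaked"] = sorted({f["app"] for f, d in zip(flows, decisions) if d == port_rule.name})

    # Tune: web-browsing is legitimate on 443, so add it to the app-based rule.
    app_rule.apps.add("web-browsing")

    # Round 2: reset and re-check; only the tunneled ssh flow should still hit the port rule.
    reset_hit_counters(rulebase)
    decisions = evaluate(rulebase, flows)
    report["round2_port_rule_hits"] = port_rule.hits
    report["round2_leaked"] = sorted({f["app"] for f, d in zip(flows, decisions) if d == port_rule.name})
    report["still_needed"] = port_rule_still_needed(rulebase, port_rule.name)

    # After the port rule is removed, anything the app rule does not name is denied.
    report["after_removal"] = evaluate([app_rule], flows)
    return report


if __name__ == "__main__":
    for key, value in run_transition().items():
        print(f"{key}: {value}")
```

The second round is the point of the exercise: the one flow still hitting the port-based rule is SSH carried over 443, which is exactly the port-spoofing case the row describes. That hit is a reason to investigate the source, not a reason to widen the application rule, and once the port rule is removed the flow falls to the default deny.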
Traditional approach: An Intrusion Prevention System (IPS) is often deployed as an Intrusion Detection System (IDS).
The risk: An IPS is an in-band detection and prevention system, while an IDS is an out-of-band detection system. Deploying an IPS as an IDS takes intrusion detection out of the direct communication path between the source and the destination, so real-time prevention can't occur and threats can enter the data center.
Best practice approach: In-band on the firewall, use Palo Alto Networks App-ID, User-ID, and Content-ID to create application allow list security policies that tightly control access. Apply security profiles to those rules to stop known and new threats.
Traditional approach: A web application firewall is sufficient to protect the data center.
The risk: An attacker places command-and-control (C2) software onto a compromised data center endpoint, opening the network to attack and potentially serving client-side exploits in a watering-hole attack.
Best practice approach: Stop attackers from placing C2 software on data center endpoints simply by assigning the strict Anti-Spyware security profile to the security policy rule that controls the traffic. This profile is one of the firewall's included features, so it costs you nothing extra to apply this protection.