Cloud NGFW for AWS Security Profiles
Table of Contents
Cloud NGFW for AWS Security Profiles
Cloud NGFW uses your rulestack definitions to protect your VPC traffic by a two-step
process. First, it enforces your rules to allow or deny your traffic. Second, it
performs content inspection on the allowed traffic (URLs, threats, files) based on what
you specify on the Security Profiles. Additionally, it helps you define how Cloud NGFW
should scan the allowed traffic and blocks threats such as viruses, malware, spyware,
and DDOS attacks.
IPS and Spyware Threat Protection
- IPS Vulnerability—(enabled by default and preconfigured based on best practices) an Intrusion Prevention System (IPS) vulnerability profile stop attempts to exploit system flaws or gain unauthorized access to systems. While Anti-Spyware profiles help identify infected hosts as traffic leaves the network, IPS Vulnerability profiles protect against threats entering the network. For example, Vulnerability Protection profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection profile protects clients and servers from all known critical, high, and medium-severity threats.The following table describes the default best practice IPS Vulnerability configuration.Signature SeverityActionCriticalReset BothHighReset BothMediumReset BothInformationalDefaultLowDefault
- Anti-Spyware—(enabled by default and preconfigured based on best practices) an anti-spyware profile blocks spyware on compromised hosts from trying to phone-home or beacon out to external command-and-control (C2) servers, allowing you to detect malicious traffic leaving the network from infected clients.The following table describes the default best practice anti-spyware configuration.Signature SeverityActionCriticalReset BothHighReset BothMediumReset BothInformationalDefaultLowDefault
The following table lists all possible signatures for Vulnerability and Spyware
categories. These signatures are continuously updated on your NGFWs.
Threat Category | Description |
|---|---|
Vulnerability Signatures | |
brute force | A brute-force signature detects multiple occurrences of a
condition in a particular time frame. While the activity in
isolation might be benign, the brute-force signature indicates
that the frequency and rate at which the activity occurred is
suspect. For example, a single FTP login failure doesn’t
indicate malicious activity. However, many failed FTP logins in
a short period likely indicate an attacker attempting password
combinations to access an FTP server. |
code execution | Detects a code execution vulnerability that an attacker can use
to run code on a system with the privileges of the logged-in
user. |
code-obfuscation | Detects code that has been transformed to conceal certain data
while retaining its function. Obfuscated code is difficult or
impossible to read, so it’s not apparent what commands the code
is executing or with which programs it's designed to interact.
Most commonly, malicious actors obfuscate code to conceal
malware. More rarely, legitimate developers might obfuscate code
to protect privacy, intellectual property, or to improve user
experience. For example, certain types of obfuscation (like
minification) reduce file size, which decreases website load
times and bandwidth usage. |
dos | Detects a denial-of-service (DoS) attack, where an attacker
attempts to render a targeted system unavailable, temporarily
disrupting the system and dependent applications and services.
To perform a DoS attack, an attacker might flood a targeted
system with traffic or send information that causes it to fail.
DoS attacks deprive legitimate users (like employees, members,
and account holders) of the service or resource to which they
expect access. |
exploit-kit | Detects an exploit kit landing page. Exploit kit landing pages
often contain several exploits that target one or many common
vulnerabilities and exposures (CVEs), for multiple browsers and
plugins. Because the targeted CVEs change quickly, exploit-kit
signatures trigger based on the exploit kit landing page, and
not the CVEs. When a user visits a website with an exploit kit, the exploit kit
scans for the targeted CVEs and attempts to silently deliver a
malicious payload to the victim’s computer. |
info-leak | Detects a software vulnerability that an attacker could exploit
to steal sensitive or proprietary information. Often, an
info-leak might exist because comprehensive checks don’t exist
to guard the data, and attackers can exploit info-leaks by
sending crafted requests. |
insecure-credentials | Detects the use of weak, compromised, and manufacturer default
passwords for software, network appliances, and IoT devices. |
overflow | Detects an overflow vulnerability, where a lack of proper checks
on requests could be exploited by an attacker. A successful
attack could lead to remote code execution with the privileges
of the application, server, or operating system. |
phishing | Detects when a user attempts to connect to a phishing kit landing
page (likely after receiving an email with a link to the
malicious site). A phishing website tricks users into submitting
credentials that an attacker can steal to gain access to the
network. |
protocol-anomaly | Detects protocol anomalies, where a protocol behavior deviates
from standard and compliant usage. For example, a malformed
packet, poorly written application, or an application running on
a nonstandard port would all be considered protocol anomalies,
and could be used as evasion tools. |
sql-injection | Detects a common hacking technique where an attacker inserts SQL
queries into an application’s requests, in order to read from or
modify a database. This type of technique is often used on
websites that don’t comprehensively sanitize user input. |
Spyware Signatures | |
spyware | Detect outbound C2 communication. These signatures are either
auto-generated or are manually created by Palo Alto Networks
researchers. Spyware and autogen signatures both detect outbound C2
communication; however, autogen signatures are payload-based
and can uniquely detect C2 communications with C2 hosts that
are unknown or change rapidly. |
adware | Detects programs that display potentially unwanted
advertisements. Some adware modifies browsers to highlight and
hyperlink the most frequently searched keywords on web
pages-these links redirect users to advertising websites. Adware
can also retrieve updates from a command-and-control (C2) server
and install those updates in a browser or onto a client
system. |
autogen | These payload-based signatures detect command-and-control (C2)
traffic and are automatically-generated. Importantly, autogen
signatures can detect C2 traffic even when the C2 host is
unknown or changes rapidly. |
backdoor | Detects a program that allows an attacker to gain unauthorized
remote access to a system. |
botnet | Indicates botnet activity. A botnet is a network of
malware-infected computers (“bots”) that an attacker
controls. The attacker can centrally command every computer in a
botnet to simultaneously carry out a coordinated action (like
launching a DoS attack, for example). |
browser-hijack | Detects a plugin or software that is modifying browser settings.
A browser hijacker might take over auto search or track users’
web activity and send this information to a C2 server. |
cryptominer | (Sometimes known as cryptojacking or miners) Detects the download
attempt or network traffic generated from malicious programs
designed to use computing resources to mine cryptocurrencies
without the user's knowledge. Cryptominer binaries are
frequently delivered by a shell script downloader that attempts
to determine system architecture and kill other miner processes
on the system. Some miners execute within other processes, such
as a web browser rendering a malicious web page. |
data-theft | Detects a system sending information to a known C2 server. |
dns | Detects DNS requests to connect to malicious domains. |
downloader | (Also known as droppers, stagers, or loaders) Detects programs
that use an internet connection to connect to a remote server to
download and execute malware on the compromised system. The most
common use case is for a downloader to be deployed as the
culmination of stage one of a cyber attack, where the
downloader’s fetched payload execution is considered second
stage . Shell scripts (Bash, PowerShell, etc.), trojans,
and malicious lure documents (also known as maldocs) such as
PDFs and Word files are common downloader types. |
fraud | (Including form-jacking, phishing, and scams) Detects access to
compromised websites that have been determined to be injected
with malicious JavaScript code to collect sensitive user
information. (for example, Name, address, email, credit card
number, CVV, expiration date) from payment forms that are
captured on the checkout pages of e-commerce websites. |
hacktool | Detects traffic generated by software tools that are used by
malicious actors to conduct reconnaissance, attack or gain
access to vulnerable systems, exfiltrate data, or create a
command and control channel to surreptitiously control a
computer system without authorization. These programs are
associated with malware and cyber attacks. Hacking tools might
be deployed in a benign manner when used in Red and Blue Team
operations, penetration tests, and R&D. The use or
possession of these tools may be illegal in some countries,
regardless of intent. |
networm | Detects a program that self-replicates and spreads from system to
system. Net-worms might use shared resources or leverage
security failures to access target systems. |
phishing-kit | Detects when a user attempts to connect to a phishing kit landing
page (likely after receiving an email with a link to the
malicious site). A phishing website tricks users into submitting
credentials that an attacker can steal to gain access to the
network. |
post-exploitation | Detects activity that indicates the post-exploitation phase of an
attack, where an attacker attempts to assess the value of a
compromised system. This might include evaluating the
sensitivity of the data stored on the system, and the system’s
usefulness in further compromising the network. |
webshell | Detects web shells and web shell traffic, including implant
detection and command and control interaction. A malicious actor
implants a web shell onto the compromised host, most often
targeting a web server or framework. Subsequent communication
with the web shell file frequently enables a malicious actor to
establish a foothold in the system, conduct service and network
enumeration, data exfiltration, and remote code execution in the
context of the web server user. The most common web shell types
are PHP, .NET, and Perl markup scripts. Attackers can also use
web shell-infected web servers (the web servers can be both
internet-facing or internal systems) to target other internal
systems. |
keylogger | Detects programs that allow attackers to secretly track user
activity, by logging keystrokes and capturing screenshots. Keyloggers use various C2 methods to periodically sends logs and
reports to a predefined e-mail address or a C2 server. Through
keylogger surveillance, an attacker could retrieve credentials
that would enable network access. |
Malware and File-based Threat Protection
- Antivirus—(enabled by default and preconfigured based on best practices) antivirus profiles protect against viruses, worms, and trojans as well as spyware downloads. Using a stream-based malware prevention engine, which inspects traffic the moment the first packet is received, the Palo Alto Networks antivirus solution can provide protection for clients without significantly impacting the performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML and JavaScript viruses, including support for scanning inside compressed files and data encoding schemes.The following table describes the default best practice antivirus configuration.ProtocolActionFTPReset BothHTTPReset BothHTTP2Reset BothIMAPReset BothPOP3AlertSMBReset BothSMTPReset Both
- File Blocking—a file blocking profile allows you to identify specific file types that you want to block or monitor. The firewall uses file blocking profiles to block specific file types over specified applications and in the specified session flow direction (inbound/outbound/both). You can set the profile to alert or block on upload and/or download and you can specify which applications will be subject to the file blocking profile.
- Alert—when the specified file type is detected, a log is generated in the data filtering log.
- Block—when the specified file type is detected, the file is blocked. A log is also generated in the data filtering log. For information about changing your file blocking profile, see Setup File Blocking.
The following table describes the default best practice file blocking configuration.File TypesApplicationDirectionActionAll risky file types:- 7z
- bat
- cab
- chm
- class
- cpl
- dll
- exe
- flash
- hip
- hta
- msi
- Multi-Level-Encoding
- ocx
- PE
- pif
- rar
- scr
- tar
- torrent
- vbe
- wsf
- encrypted-rar
- encrypted-zip
AnyBoth (upload and download)BlockAll remaining file typesAnyBoth (upload and download)Alert
The following table lists all possible signatures for Antivirus category. These
signatures are continuously updated on your NGFWs.
Threat Category | Description |
|---|---|
Antivirus Signatures | |
apk | Malicious Android Application (APK) files. |
MacOSX | Malicious MacOSX files, including:
|
flash | Adobe Flash applets and Flash content embedded in web pages. |
jar | Java applets (JAR/class file types). |
ms-office | Microsoft Office files, including documents (DOC, DOCX, RTF),
workbooks (XLS, XLSX), and PowerPoint presentations (PPT, PPTX).
This also includes Office Open XML (OOXML) 2007+ documents. |
pdf | Portable Document Format (PDF) files. |
pe | Portable executable (PE) files can automatically execute on a
Microsoft Windows system and should be only allowed when
authorized. These files types include:
|
linux | Executable and Linkable Format (ELF) files. |
archive | Roshal Archive (RAR) and 7-Zip (7z) archive files. |
Web-based Threat Protection
- URL Categories and Filtering—URL Filtering profiles enable you to monitor and control how users access the web over HTTP and HTTPS. The firewall comes with a default profile that is configured to block websites such as known malware sites, phishing sites, and adult content sites. URL filtering Profile is not enabled by default. When you enable URL Filtering profile in your rulestack, Cloud NGFW enforces the best-practices URL Filtering profile on your traffic. You have an option to modify the default access option on each of the categories, based on your needs
The following table describes the default best practice URL filtering configuration.URL CategoriesSite AccessCredential SubmissionsMalicious and exploitative categories:- adult
- command-and-control
- copyright-infringement
- dynamic-dns
- extremism
- malware
- parked
- phishing
- proxy-avoidance-and-anonymizers
- unknown
BlockBlockAll other URL CategoriesAlertAlert
Encrypted Threat Protection
- Outbound Decryption—an Outbound Decryption profile enables you to specify traffic to decrypt by destination, source, service, or URL category, and to block, restrict, or forward the specified traffic according to the security settings in the associated Decryption profile. An Outbound Decryption profile controls SSL protocols, certificate verification, and failure checks to prevent traffic that uses weak algorithms or unsupported modes from accessing the network. Cloud NGFW resources uses certificates to decrypt traffic to plaintext. Then it enforces App-ID and security profiles on the plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, and File-Blocking profiles. After decrypting and inspecting traffic, the firewall re-encrypts the plaintext traffic as it exits the firewall to ensure privacy and security.
