Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions

To monitor and protect your network from most Layer 4 and Layer 7 attacks, here are a few recommendations.
  • Upgrade to the most current PAN-OS software version and content release version to ensure that you have the latest security updates. For evasion prevention, upgrade to PAN-OS 7.1.1 and Applications and Threats content release version 579. See Install Content and Software Updates.
  • Set up the firewall to act as a DNS proxy and enable evasion signatures:
    • When acting as a DNS proxy, the firewall resolves DNS requests and caches hostname-to-IP-address mappings in order to resolve future DNS queries quickly and efficiently.
    • Evasion signatures that detect crafted HTTP or TLS requests can alert when a client connects to a domain other than the domain specified in the original DNS request. Make sure that DNS proxy is configured if you choose to enable evasion signatures. Without DNS proxy enabled, evasion signatures can trigger when a DNS server in DNS load balancing configuration returns different IP addresses (for servers hosting identical resources) to the firewall and client in response to the same DNS request.
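Added example (not PAN-OS code): a small Python model of the check that the evasion signatures perform, comparing the destination address of an HTTP or TLS connection against the addresses the firewall saw returned for the requested hostname, together with the load-balancing false positive the text warns about when the firewall is not the DNS proxy. The DnsCache, check_connection and make_round_robin names, the hostnames and the addresses are constructed for illustration.

```python
"""Model of the 'client connected to a domain other than the one it resolved' check,
and of the DNS-load-balancing false positive that occurs without DNS proxy.
Added example, not PAN-OS code; every name and address below is constructed."""
import itertools
from dataclasses import dataclass, field


@dataclass
class DnsCache:
    """Hostname -> set of IP addresses the firewall has seen in DNS answers."""
    answers: dict = field(default_factory=dict)

    def record(self, name, ips):
        self.answers.setdefault(name.lower().rstrip("."), set()).update(ips)

    def lookup(self, name):
        return self.answers.get(name.lower().rstrip("."), set())


def check_connection(cache, host_header, dst_ip):
    """'alert' when the firewall saw a DNS answer for host_header (HTTP Host or TLS SNI)
    that did not include dst_ip; 'ok' when it did; 'unknown' when no answer was seen."""
    seen = cache.lookup(host_header)
    if not seen:
        return "unknown"
    return "ok" if dst_ip in seen else "alert"


def make_round_robin(name, ips):
    """Constructed load-balancing DNS server: each query for `name` gets the next A record."""
    cycle = itertools.cycle(ips)

    def resolve(qname):
        if qname != name:
            return set()
        return {next(cycle)}
    return resolve


def scenario_without_proxy(resolve):
    """Client and firewall each query the DNS server separately, so they may get
    different answers and a legitimate connection looks like an evasion."""
    client_ip = next(iter(resolve("www.example.net")))   # answer the client received
    cache = DnsCache()
    cache.record("www.example.net", resolve("www.example.net"))  # answer the firewall received
    return check_connection(cache, "www.example.net", client_ip)


def scenario_with_proxy(resolve):
    """Firewall is the DNS proxy: it resolves once, caches the answer and hands the
    same answer to the client, so both sides agree on the address."""
    cache = DnsCache()
    answer = resolve("www.example.net")
    cache.record("www.example.net", answer)
    client_ip = next(iter(answer))
    return check_connection(cache, "www.example.net", client_ip)


if __name__ == "__main__":
    lb = ["203.0.113.10", "203.0.113.11"]   # constructed TEST-NET-3 addresses
    print("without proxy:", scenario_without_proxy(make_round_robin("www.example.net", lb)))
    print("with proxy:   ", scenario_with_proxy(make_round_robin("www.example.net", lb)))
    cache = DnsCache()
    cache.record("www.example.net", {"203.0.113.10"})
    # Host header names www.example.net but the TCP connection goes elsewhere
    print("mismatch:     ", check_connection(cache, "www.example.net", "198.51.100.7"))
```

The round-robin scenario without the proxy returns an alert for a connection that is perfectly legitimate; the same resolver behind the proxy returns ok, which is why the text says to configure DNS proxy before enabling the evasion signatures.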
  • For servers, create Security policy rules to only allow the application(s) that you sanction on each server. Verify that the standard port for the application matches the listening port on the server. For example, to ensure that only SMTP traffic is allowed to your email server, set the Application to smtp and set the Service to application-default. If your server uses only a subset of the standard ports (for example, if your SMTP server uses only port 587 while the SMTP application has standard ports defined as 25 and 587), create a new custom service that only includes port 587 and use that service in your Security policy rule instead of application-default. Additionally, restrict access to specific source and destination zones and sets of IP addresses.
  • Attach the following security profiles to your Security policy rules to provide signature-based protection.
    • Create a Vulnerability Protection profile to block all vulnerabilities with severity low and higher.
    • Create an Anti-Spyware profile to block all spyware with severity low and higher.
    • Create an Antivirus profile to block all content that matches an antivirus signature.
  • Block all unknown applications/traffic using Security policy. Typically, the only applications that are classified as unknown traffic are internal or custom applications on your network, or potential threats. Because unknown traffic can be a non-compliant application or protocol that is anomalous or abnormal, or a known application that is using non-standard ports, unknown traffic should be blocked. See Manage Custom or Unknown Applications.
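Added example (not PAN-OS code): a Python model of how the Security policy recommendations above combine, with application-default restricting a sanctioned application to its standard ports, a custom service narrowing SMTP to port 587 only, zone restrictions, and a rule that blocks unknown traffic ahead of the implicit deny. The App-ID port table, the zone names and the rules are constructed for illustration.

```python
"""Security policy match model: App-ID plus application-default, a custom service,
zone restriction and default-deny for unknown applications.
Added example, not PAN-OS code; ports, zones and rules below are constructed."""
from dataclasses import dataclass

# Constructed App-ID table: application -> standard ports (SMTP 25/587 as in the text)
STANDARD_PORTS = {"smtp": {25, 587}, "web-browsing": {80}, "ssl": {443}}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str        # zone name or "any"
    to_zone: str          # zone name or "any"
    application: str      # App-ID name or "any"
    service: object       # "application-default", "any", or a frozenset of ports
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    dst_port: int
    app: str              # App-ID result; "unknown-tcp" when nothing was identified


def service_matches(rule, flow):
    """application-default means: the identified application on one of its standard ports."""
    if rule.service == "application-default":
        return flow.dst_port in STANDARD_PORTS.get(flow.app, set())
    if rule.service == "any":
        return True
    return flow.dst_port in rule.service


def rule_matches(rule, flow):
    return (rule.from_zone in ("any", flow.from_zone)
            and rule.to_zone in ("any", flow.to_zone)
            and rule.application in ("any", flow.app)
            and service_matches(rule, flow))


def evaluate(rules, flow):
    """First matching rule wins; anything unmatched is denied by the interzone default."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", "interzone-default"


RULES = [
    # Mail server in "dmz": only SMTP, only on its standard ports
    Rule("allow-smtp-to-mailserver", "untrust", "dmz", "smtp", "application-default", "allow"),
    # Submission-only server in "dmz-submission": custom service with port 587 alone
    Rule("allow-submission-only", "untrust", "dmz-submission", "smtp", frozenset({587}), "allow"),
    # Explicit block for unknown traffic, so it is logged under its own rule
    Rule("block-unknown", "untrust", "any", "unknown-tcp", "any", "deny"),
]

if __name__ == "__main__":
    for flow in (Flow("untrust", "dmz", 25, "smtp"),
                 Flow("untrust", "dmz", 8025, "smtp"),          # SMTP on a non-standard port
                 Flow("untrust", "dmz-submission", 25, "smtp"),  # port 25 not in custom service
                 Flow("untrust", "dmz", 4444, "unknown-tcp")):
        print(flow, "->", evaluate(RULES, flow))
```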
  • Create a File Blocking profile that blocks Portable Executable (PE) file types for Internet-based SMB (Server Message Block) traffic (the ms-ds-smb applications) from traversing the trust to untrust zones.
  • Create a Zone Protection profile that is configured to protect against packet-based attacks (Network > Network Profiles > Zone Protection):
    • Select the option to drop Malformed IP packets (Packet Based Attack Protection > IP Drop).
    • Remove TCP timestamps on SYN packets before the firewall forwards the packet (Packet Based Attack Protection > TCP Drop). When you select the Remove TCP Timestamp option for SYN packets, the TCP stack on both ends of the TCP connection will not support TCP timestamps for that connection. Disabling the TCP timestamp on the SYN packet therefore prevents an attack that uses different timestamps on multiple packets for the same sequence number.
    • Select the option to drop Mismatched overlapping TCP segment. By deliberately constructing connections with overlapping but different data in them, attackers can attempt to cause misinterpretation of the intent of the connection. This can be used to deliberately induce false positives or false negatives. An attacker can use IP spoofing and sequence number prediction to intercept a user's connection and inject his/her own data into it. Selecting this option causes PAN-OS to discard such segments with mismatched and overlapping data. The received segment is discarded when it is contained within another segment, when it overlaps with part of another segment, or when it completely contains another segment.
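Added example (not PAN-OS code): a Python reassembly model that shows why mismatched overlapping TCP segments are dangerous and what the drop option does. Without the drop, the same two segments produce two different byte streams depending on whether a host keeps the first or the last copy of an overlapping byte, so an inspection device and the destination host can disagree; with the drop, a segment whose overlap carries different data is discarded in each of the three cases the text lists (contained within, partially overlapping, completely containing another segment). The Segment and Reassembler names and the sample data are constructed for illustration.

```python
"""Overlapping TCP segment model: ambiguity without the drop, and the drop itself.
Added example, not PAN-OS code; segment contents are constructed."""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int
    data: bytes

    @property
    def end(self):
        return self.seq + len(self.data)


def overlap_kind(new, old):
    """None when the segments do not overlap, otherwise how `new` relates to `old`:
    'contained' (inside old), 'contains' (covers all of old) or 'partial'."""
    if new.end <= old.seq or old.end <= new.seq:
        return None
    if old.seq <= new.seq and new.end <= old.end:
        return "contained"
    if new.seq <= old.seq and old.end <= new.end:
        return "contains"
    return "partial"


def overlap_mismatch(new, old):
    """True when the bytes in the overlapping range differ between the two segments."""
    lo, hi = max(new.seq, old.seq), min(new.end, old.end)
    return new.data[lo - new.seq:hi - new.seq] != old.data[lo - old.seq:hi - old.seq]


class Reassembler:
    def __init__(self, drop_mismatched=True):
        self.drop_mismatched = drop_mismatched
        self.segments = []
        self.dropped = []     # (overlap kind, segment) for every discarded segment

    def receive(self, seg):
        """Accept the segment (True) or discard it (False). A plain retransmission
        (identical overlapping bytes) is always accepted."""
        for old in self.segments:
            kind = overlap_kind(seg, old)
            if kind and overlap_mismatch(seg, old) and self.drop_mismatched:
                self.dropped.append((kind, seg))
                return False
        self.segments.append(seg)
        return True

    def stream(self, policy="first"):
        """Linear reassembly under two host policies: 'first' keeps the earlier copy of
        an overlapping byte, 'last' lets a later segment overwrite it."""
        if not self.segments:
            return b""
        start = min(s.seq for s in self.segments)
        end = max(s.end for s in self.segments)
        buf, filled = bytearray(end - start), bytearray(end - start)
        for s in self.segments:
            for i, b in enumerate(s.data):
                off = s.seq - start + i
                if policy == "last" or not filled[off]:
                    buf[off], filled[off] = b, 1
        return bytes(buf)


if __name__ == "__main__":
    ambiguous = Reassembler(drop_mismatched=False)
    ambiguous.receive(Segment(0, b"HELLO WORLD"))
    ambiguous.receive(Segment(6, b"THERE"))          # contained, but different bytes
    print("first-wins host sees:", ambiguous.stream("first"))
    print("last-wins host sees: ", ambiguous.stream("last"))

    strict = Reassembler(drop_mismatched=True)
    strict.receive(Segment(0, b"HELLO WORLD"))
    print("mismatched overlap accepted?", strict.receive(Segment(6, b"THERE")))
    print("dropped:", strict.dropped)
```

The ambiguous reassembler is the situation the zone protection option removes: two hosts applying different overlap policies read two different payloads from identical packets, so whichever policy the inspecting device uses, one class of hosts sees something it did not inspect.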
  • Verify that support for IPv6 is enabled if you have configured IPv6 addresses on your network hosts (Network > Interfaces > Ethernet > IPv6). This allows access to IPv6 hosts and filters IPv6 packets that are encapsulated in IPv4 packets. Enabling support for IPv6 prevents IPv6 over IPv4 multicast addresses from being leveraged for network reconnaissance.
  • Enable support for multicast traffic so that the firewall can enforce policy on multicast traffic (Network > Virtual Router > Multicast).
  • Configure the firewall to Clear the Urgent Data Flag in the TCP header (Device > Setup > Session > TCP Settings). Many hosts use the urgent data flag in the TCP header to promote a packet for immediate processing, removing it from the processing queue and expediting it through the TCP/IP stack. This process is called out-of-band processing. However, the implementation of the urgent data flag varies from host to host. Configuring the firewall to clear this flag eliminates ambiguity in how the packet is processed on the firewall and the host, so that the firewall sees the same stream in the protocol stack as the host for which the packet is destined. When the firewall clears this flag, the urgent data remains in the payload as ordinary in-band data and the packet is not processed urgently.
  • Enable the Drop segments without flag option (Device > Setup > Session > TCP Settings). Illegal TCP segments without any flags set can be used to evade content inspection. When you enable this option, the firewall drops packets that have no flags set in the TCP header.
  • Enable the Drop segments with null timestamp option (Device > Setup > Session > TCP Settings). The TCP timestamp records when the segment was sent and allows the firewall to verify that the timestamp is valid for that session, preventing TCP sequence number wrapping. The TCP timestamp is also used to calculate round-trip time. When a TCP timestamp is set to 0 (null), it can confuse either end of the connection, resulting in an evasion. With this setting enabled, the firewall drops packets with null timestamps.
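Added example (not PAN-OS code): a Python TCP-header normalizer that applies the three TCP Settings described above to a raw segment: it drops a segment with no flags set, drops a segment whose TCP timestamp option carries a TSval of 0, and otherwise clears the URG flag and zeroes the urgent pointer so the data stays in-band. The inspect_segment, build_segment and ts_option names are constructed, the sample segments are built inline, and the checksum is deliberately left untouched (a real forwarder recomputes it after rewriting the header).

```python
"""TCP Settings model: drop segments without flags, drop null timestamps, clear URG.
Added example, not PAN-OS code; sample segments are constructed with build_segment."""
import struct

TCP_HEADER = "!HHIIBBHHH"   # src, dst, seq, ack, data-offset/reserved, flags, window, csum, urgptr
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
OPT_TIMESTAMP = 8           # kind 8, length 10: TSval (4 bytes), TSecr (4 bytes)


def parse_options(raw):
    """Yield (kind, value) for each TCP option; NOP (1) is skipped, EOL (0) ends the list."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def inspect_segment(seg, drop_no_flags=True, drop_null_ts=True, clear_urg=True):
    """Return (verdict, segment). Verdicts: 'drop:no-flags', 'drop:null-timestamp',
    'forward:urg-cleared' (header rewritten) or 'forward' (unchanged)."""
    src, dst, seq, ack, off_res, flags, win, csum, urg = struct.unpack(TCP_HEADER, seg[:20])
    hdr_len = (off_res >> 4) * 4
    if drop_no_flags and flags == 0:
        return "drop:no-flags", seg
    if drop_null_ts:
        for kind, value in parse_options(seg[20:hdr_len]):
            if kind == OPT_TIMESTAMP:
                (tsval,) = struct.unpack("!I", value[:4])
                if tsval == 0:
                    return "drop:null-timestamp", seg
    if clear_urg and flags & TCP_FLAGS["URG"]:
        # Clear URG and the urgent pointer; the "urgent" bytes stay in the payload in-band.
        # The checksum is left as-is here; a real forwarder recomputes it.
        flags &= ~TCP_FLAGS["URG"]
        rewritten = struct.pack(TCP_HEADER, src, dst, seq, ack, off_res, flags, win, csum, 0)
        return "forward:urg-cleared", rewritten + seg[20:]
    return "forward", seg


def ts_option(tsval, tsecr=0):
    """Constructed TCP timestamp option (kind 8, length 10)."""
    return b"\x08\x0a" + struct.pack("!II", tsval, tsecr)


def build_segment(flags, urg_ptr=0, options=b"", payload=b""):
    """Constructed TCP segment (no IP header) with NOP-padded options."""
    options += b"\x01" * (-len(options) % 4)
    off_res = ((20 + len(options)) // 4) << 4
    header = struct.pack(TCP_HEADER, 40000, 80, 1000, 0, off_res, flags, 65535, 0, urg_ptr)
    return header + options + payload


if __name__ == "__main__":
    samples = {
        "no flags": build_segment(0),
        "SYN, TSval=0": build_segment(TCP_FLAGS["SYN"], options=ts_option(0)),
        "SYN, TSval=12345": build_segment(TCP_FLAGS["SYN"], options=ts_option(12345)),
        "PSH|ACK|URG": build_segment(0x18 | TCP_FLAGS["URG"], urg_ptr=1, payload=b"AB"),
    }
    for name, seg in samples.items():
        verdict, out = inspect_segment(seg)
        print(f"{name:18} -> {verdict:22} flags=0x{out[13]:02x} urgptr={out[18:20].hex()}")
```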
  • Disable the Forward segments exceeding TCP out-of-order queue option (Device > Setup > Session > TCP Settings). By default, the firewall forwards segments that exceed the TCP out-of-order queue limit of 64 per session. When you disable this option, the firewall instead drops segments that exceed the out-of-order queue limit.
  • Disable the Forward segments exceeding TCP App-ID inspection queue option (Device > Setup > Content-ID > Content-ID Settings). By default, when the App-ID inspection queue is full, the firewall skips App-ID inspection (classifying the application as unknown-tcp) and forwards the segments. When you disable this option, the firewall instead drops segments when the App-ID inspection queue is full.
  • Disable the Forward datagrams exceeding UDP content inspection queue and Forward segments exceeding TCP content inspection queue options (Device > Setup > Content-ID > Content-ID Settings). By default, when the TCP or UDP content inspection queue is full, the firewall skips Content-ID inspection for the TCP segments or UDP datagrams that exceed the queue limit of 64. When you disable these options, the firewall instead drops TCP segments and UDP datagrams when the corresponding content inspection queue is full.
  • Disable the Allow HTTP Header Range Option (Device > Setup > Content-ID > Content-ID Settings). The HTTP Range option allows a client to fetch only part of a file. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with a RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. Because the firewall has no context from the initial session, the same signature does not trigger again, while the web browser is able to reassemble the file and deliver the malicious content. Disabling this option prevents this from happening. Disabling this option should not impact device performance; however, HTTP file transfer interruption recovery may be impaired. In addition, disabling this option could also impact streaming media services such as Netflix, Windows Server Update Services (WSUS), and Palo Alto Networks content updates.
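Added example (not PAN-OS code): a Python model of the Range-resume scenario above and of the setting that prevents it. A constructed content signature is matched over a streamed file; the first session is reset once the pattern is recognised, the client then issues a Range request for the remainder, and the model shows that the tail inspected on its own no longer matches while the client can still reassemble the whole file. With the Range option disallowed, the resume request is refused instead. The signature, the file contents, the RangePolicy and simulate names, and the simplification that half the pattern has already been forwarded at detection time are all assumptions of this example.

```python
"""HTTP Range resume model: lost inspection context across sessions, and the policy
that refuses Range requests. Added example, not PAN-OS code; all data is constructed."""
import re

# Constructed pattern standing in for a content signature (24 bytes)
SIGNATURE = b"CONSTRUCTED-TEST-PATTERN"


def matches_signature(content):
    return SIGNATURE in content


def parse_range(headers):
    """(first, last_or_None) for a single 'bytes=first-[last]' Range header, else None.
    Header names are assumed lower-cased by the caller."""
    value = headers.get("range")
    if not value:
        return None
    m = re.fullmatch(r"bytes=(\d+)-(\d*)", value.strip())
    if not m:
        return None
    return int(m.group(1)), (int(m.group(2)) if m.group(2) else None)


class RangePolicy:
    """Model of the 'Allow HTTP Header Range Option' setting (assumption: when the
    option is disabled, a request carrying a Range header is refused)."""

    def __init__(self, allow_http_header_range):
        self.allow = allow_http_header_range

    def decide(self, headers):
        if parse_range(headers) is None:
            return "allow"
        return "allow" if self.allow else "block-range-request"


def simulate(file_bytes, allow_range):
    """Return (events, bytes the client ends up with) for one download of file_bytes."""
    idx = file_bytes.find(SIGNATURE)
    if idx < 0:
        return ["session1:complete"], file_bytes
    # Stream inspection can only act once the pattern is recognised; by then the leading
    # bytes are already on the wire. Simplification: half the pattern reached the client.
    delivered = file_bytes[: idx + len(SIGNATURE) // 2]
    events = ["session1:reset"]                       # firewall sends RST here

    headers = {"range": f"bytes={len(delivered)}-"}   # browser resumes where it stopped
    verdict = RangePolicy(allow_range).decide(headers)
    events.append(f"session2:{verdict}")
    if verdict != "allow":
        return events, delivered

    first, last = parse_range(headers)
    tail = file_bytes[first:(last + 1) if last is not None else None]
    # Session 2 is inspected without any memory of session 1: only the tail is visible.
    if matches_signature(tail):
        events.append("session2:detected")
        return events, delivered
    events.append("session2:not-detected")
    return events, delivered + tail                   # client reassembles the full file


if __name__ == "__main__":
    sample = b"A" * 100 + SIGNATURE + b"B" * 100      # constructed file
    for allow in (True, False):
        events, got = simulate(sample, allow_range=allow)
        print(f"allow_range={allow}: {events}; client has full file: {got == sample}")
```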
