Palo Alto Networks NGFW Security Policy Optimizer

How to evaluate the effectiveness of NGFW tuning

The most common task is to check how well your firewall is configured. For this there are free utilities and services from the NGFW vendors themselves.

For example, Palo Alto Networks lets you run, directly from the support portal, an analysis of firewall statistics (the SLR report) or a check of best-practice compliance (the BPA report). These are free online utilities that you can use without installing anything.
[screenshot]

CONTENTS

Expedition (Migration Tool)
Policy Optimizer
Zero Trust
Click on Unused
Click on Unused App
Click No Apps Specified
What about Machine Learning?
UTD

Expedition (Migration Tool)

[screenshot]

A more complicated option for checking your settings is to download the free Expedition utility (formerly the Migration Tool). It ships as a virtual appliance for VMware and needs no configuration: download the image, deploy it under the VMware hypervisor, start it and open the web interface. This utility deserves a separate article; the training course on it alone takes 5 days, because it now has so many functions, including Machine Learning and migration of policies, NAT and objects from firewalls of various manufacturers. I will say more about Machine Learning later in the text.

Policy Optimizer

And the most convenient option (IMHO), which I’ll talk about in more detail today, is the Policy Optimizer built into the Palo Alto Networks interface itself. To demonstrate it, I installed a firewall at home and wrote a simple rule: permit any to any. I sometimes see such rules even in corporate networks. Naturally, I enabled all the NGFW security profiles, as you can see in the screenshot:
[screenshot]

The screenshot below shows an example of my home unconfigured firewall, where almost all connections fall into the last rule: AllowAll, as can be seen from the statistics in the Hit Count column.
[screenshot]

Zero Trust

There is an approach to security called Zero Trust. What it means: we allow people inside the network exactly the connections they need and forbid everything else. That is, we need to add explicit rules for applications, users, URL categories and file types; enable all IPS and antivirus signatures; enable the sandbox and DNS protection; and use IoCs from available Threat Intelligence databases. In short, there is a decent number of tasks when setting up a firewall.

By the way, the minimum set of required settings for a Palo Alto Networks NGFW is described in one of the SANS documents, the Palo Alto Networks Security Configuration Benchmark; I recommend starting with it. And of course there is a set of best practices for setting up a firewall from the manufacturer: Best Practice.

So, I had a firewall at home for a week. Let's see what traffic is on my network:
[screenshot]

Sorted by the number of sessions, most of them are created by bittorrent, then comes SSL, then QUIC. These are statistics for both incoming and outgoing traffic: there are a lot of external scans of my router. In total there are 150 different applications in my network.

So all of it was allowed by one rule. Now let's see what the Policy Optimizer says about this. If you looked at the screenshot of the interface with security rules above, you saw a small window at the bottom left hinting that there are rules that can be optimized. Let's click there.

What Policy Optimizer shows:

  • Which policies were not used at all, or not in the last 30 or 90 days. This helps you decide to remove them altogether.
  • Which applications were specified in a policy but never appeared in the traffic that hit it. This lets you remove unnecessary applications from allow rules.
  • Which policies allow everything, although the traffic that passed through them consisted of specific applications that, following the Zero Trust methodology, it would be better to list explicitly.

[screenshot]

Click on Unused.

To show how this works, I added a few rules, and so far they have not passed a single packet. Here is their list:
[screenshot]
Perhaps over time traffic will hit them and they will disappear from this list. But if they stay on this list for 90 days, you can decide to remove these rules. After all, each rule is an opportunity for a hacker.

There is a real problem with firewall configuration: a new employee arrives and looks at the firewall rules, and if they have no comments he does not know why a rule was created, whether it is really needed and whether it can be deleted: perhaps the person who needs it is on vacation, and in 30 days traffic from that service will start flowing again. This function is exactly what helps him decide: nobody uses it, so delete it!

Click on Unused App.

Click on Unused App in the optimizer and interesting information opens in the main window.

We see three rules where the number of allowed applications differs from the number of applications that actually passed through the rule.
[screenshot]
We can click and see a list of these applications and compare these lists.
For example, let's click on the Compare button for the Max rule.
[screenshot]
Here you can see that the facebook, instagram, telegram and vkontakte applications were allowed, but in reality traffic went through only some of the sub-applications. You need to understand here that the facebook application contains several sub-applications.

The entire list of NGFW applications can be seen on the portal applipedia.paloaltonetworks.com and in the firewall interface itself, in the Objects->Applications section; type the application name (facebook) into the search and you will get the following result:
[screenshot]
So the NGFW saw some of these sub-applications and not others. In fact, you can disable and enable the different facebook sub-functions separately: for example, allow viewing messages but prohibit chat or file transfers. Accordingly, the Policy Optimizer reports this, and you can decide not to allow all Facebook applications, only the main ones.

So we have established that the lists differ. You can make the rule allow only those applications that actually appear in the network traffic: click the Match Usage button. It turns out like this:
[screenshot]
And you can also add applications you consider necessary with the Add button on the left side of the window:
[screenshot]
And then this rule can be applied and tested. Congratulations!

Click No Apps Specified.

In this case an important security window opens.
[screenshot]
There are most likely many such rules in your network, where the L7 application is not explicitly specified. In my network there is one such rule; let me remind you that I created it during the initial setup specifically to show how the Policy Optimizer works.

The picture shows that the AllowAll rule passed 9 gigabytes of traffic over the period from March 17 to March 220, a total of 150 different applications in my network. And that is still not many: typically a medium-sized corporate network has 200-300 different applications.

So one rule passes as many as 150 applications. This usually means the firewall is configured incorrectly, because normally one rule allows 1-10 applications for a particular purpose. Let's see what these applications are: click the Compare button:
[screenshot]
The most wonderful thing for the administrator in the Policy Optimizer is the Match Usage button: with one click you create a rule that lists all 150 applications. Doing this manually would take too long. The number of tasks for the administrator, even on my network of 10 devices, is huge.

I have 150 different applications running at home, transmitting gigabytes of traffic! And how much do you have?

But what happens in a network of 100 devices or 1000 or 10000? I have seen firewalls with 8000 rules and I am very glad that administrators now have such convenient automation tools.

Some of the applications that the NGFW's L7 application analysis module saw on the network and showed you will not be needed, so you simply remove them from the allow rule's list, or clone the rule with the Clone button (in the main interface), allow the needed applications in one rule and block the rest in another, since they are definitely not needed on your network. Such applications are often bittorrent, steam, ultrasurf, tor, hidden tunnels such as tcp-over-dns, and others.
[screenshot]
Well, click on another rule and see what is there:
[screenshot]
Yes, there are applications specific to multicast. We must allow them in order for video viewing over the network to work. Click Match Usage. Great! Thanks Policy Optimizer.
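As an added example (not the article's own code and not Palo Alto Networks code), the following Python script re-implements the three checks listed under "What Policy Optimizer shows" and walked through in the Unused, Unused App and No Apps Specified sections above, plus the Match Usage and clone-and-block steps. The rulebase, the rule and application names, the 30/90-day windows as parameters, and the simplified log schema "receive_time,rule,app,bytes" are assumptions constructed for illustration; the log lines are not real PAN-OS traffic log output.

```python
# Added example: a small re-implementation of the Policy Optimizer checks the
# article describes (Unused, Unused App, No Apps Specified, Match Usage). It is
# not Palo Alto Networks code; the rulebase, application names and the simplified
# log schema "receive_time,rule,app,bytes" are constructed for illustration.
from datetime import datetime, timedelta

# Constructed rulebase: rule name -> applications the rule allows.
# "any" means no L7 application is specified, as in the article's AllowAll rule.
RULES = {
    "Max": {"facebook-base", "facebook-chat", "facebook-file-sharing",
            "instagram-base", "telegram", "vkontakte-base"},
    "Multicast": {"igmp", "pim"},
    "VPN-Admins": {"ssl", "ssh"},
    "AllowAll": {"any"},
}

# Constructed traffic log lines (not real PAN-OS log output).
LOG_LINES = """\
2020-03-17 09:01:12,Max,facebook-base,12000
2020-03-17 09:02:40,Max,instagram-base,4000
2020-03-18 11:15:05,Multicast,igmp,300
2020-03-18 11:15:06,Multicast,pim,200
2020-03-19 20:30:00,AllowAll,bittorrent,5000000
2020-03-19 20:31:00,AllowAll,ssl,250000
2020-03-19 20:32:00,AllowAll,quic,120000
2020-03-20 08:00:00,AllowAll,tor,9000
"""

# Constructed "now": a week after the first log line, like the article's one-week run.
NOW = datetime(2020, 3, 24)

# Applications the article names as rarely needed in a corporate network.
UNWANTED = {"bittorrent", "steam", "ultrasurf", "tor", "tcp-over-dns"}


def parse_log(text):
    """Parse the constructed CSV lines into (timestamp, rule, app, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rule, app, nbytes = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), rule, app, int(nbytes)))
    return rows


def rule_usage(rows):
    """Per rule: hit count, last hit, bytes and the set of apps seen (the Hit Count and Compare views)."""
    usage = {name: {"hits": 0, "last_hit": None, "bytes": 0, "apps": set()} for name in RULES}
    for ts, rule, app, nbytes in rows:
        if rule not in usage:       # log lines may refer to rules deleted since
            continue
        u = usage[rule]
        u["hits"] += 1
        u["bytes"] += nbytes
        u["apps"].add(app)
        if u["last_hit"] is None or ts > u["last_hit"]:
            u["last_hit"] = ts
    return usage


def unused_rules(usage, now=NOW, days=30):
    """Unused: rules with no hit in the last `days` days (the article's 30- and 90-day views)."""
    cutoff = now - timedelta(days=days)
    return sorted(r for r, u in usage.items()
                  if u["last_hit"] is None or u["last_hit"] < cutoff)


def unused_apps(usage):
    """Unused App: apps listed in a rule that never appeared in traffic matching that rule."""
    report = {}
    for rule, u in usage.items():
        if "any" in RULES[rule]:
            continue                # application=any rules are handled by no_apps_specified
        missing = RULES[rule] - u["apps"]
        if missing:
            report[rule] = sorted(missing)
    return report


def no_apps_specified(usage):
    """No Apps Specified: application=any rules, with the apps that actually passed through them."""
    return {r: sorted(u["apps"]) for r, u in usage.items() if "any" in RULES[r]}


def match_usage(rule, usage):
    """Match Usage: the explicit application list the rule gets with one click."""
    return sorted(usage[rule]["apps"])


def split_by_need(rule, usage, unwanted=UNWANTED):
    """The article's follow-up: clone the rule, allow the needed apps and block the rest explicitly."""
    seen = usage[rule]["apps"]
    return {"allow": sorted(seen - unwanted), "deny": sorted(seen & unwanted)}


if __name__ == "__main__":
    usage = rule_usage(parse_log(LOG_LINES))
    for name, u in usage.items():
        print(f"{name}: hits={u['hits']} bytes={u['bytes']} last_hit={u['last_hit']}")
    print("Unused (30 days):", unused_rules(usage, NOW, 30))
    print("Unused App:", unused_apps(usage))
    print("No Apps Specified:", no_apps_specified(usage))
    print("Match Usage for AllowAll:", match_usage("AllowAll", usage))
    print("Clone and split AllowAll:", split_by_need("AllowAll", usage))
```

On the constructed data the never-hit VPN-Admins rule shows up as unused, the Max rule shows the facebook sub-applications and other apps that were allowed but never seen, and the AllowAll rule is the only application=any rule; Match Usage turns its observed traffic into an explicit list, and the split step separates bittorrent and tor into a deny rule, which is the clone-and-block procedure the article describes.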

What about Machine Learning?

Automation is a fashionable topic now. What I described above really helps a lot. There is another possibility I must mention: the Machine Learning functionality built into the Expedition utility mentioned above. This utility can transfer rules from your old firewall from another manufacturer. It can also analyze existing Palo Alto Networks traffic logs and suggest which rules to write. This is similar to the Policy Optimizer functionality, but in Expedition it is even more advanced: you are offered a list of ready-made rules and only need to approve them.
To try this functionality there is a lab exercise, which we call a test drive. It is done on virtual firewalls that the staff of the Palo Alto Networks Moscow office will launch at your request.
[screenshot]
The request can be sent to [email protected] and in the request write: "I want to make a UTD for the Migration Process."

In fact, there are several lab options called Unified Test Drive (UTD), and they are all available remotely on request.


Do you want someone to help you optimize your firewall policies?

  • Yes
  • No
  • I will do everything myself


Source: habr.com
