How do I upgrade from NetConnect to GlobalProtect? Users will need to install the GlobalProtect agent in order to upgrade. The connection will fail if a user attempts to connect to a GlobalProtect Portal with the NetConnect VPN. Installation of the GlobalProtect agent will automatically uninstall NetConnect, and NetConnect SSL-VPN settings on the firewall are automatically migrated into the corresponding GlobalProtect portal and gateway settings.
How is the user experience going to change? GlobalProtect provides a simplified user experience compared to NetConnect. All user-initiated connections will be performed through the system tray. The browser-based sign-in and java launch options have been removed. By default, GlobalProtect will use the same connection mode found in NetConnect in which the user must choose to establish a secure connection. This mode is known as on-demand mode. In addition, GlobalProtect can be configured in automatic (non-on-demand) mode, in which it will always stay connected to the corporate GlobalProtect gateway without any user interaction. This mode allows for the option to configure GlobalProtect as a transparent VPN.
I just downloaded PAN-OS 4.1 and cannot find NetConnect. NetConnect has been replaced by our new next generation secure access client product called GlobalProtect.
Does that mean that you are charging for SSL VPN/NetConnect? No. GlobalProtect provides more functionality for free than was found in NetConnect. The basic functionality of GlobalProtect, on-demand and transparent remote access, Single Sign On and single gateway support, is part of the firewall you purchased at no extra charge. Advanced features, such as multi-gateway support and host information profile checking, are premium features requiring separate portal and gateway licenses.
If SSL VPN is now part of GlobalProtect, do I need to deploy portals and gateways (GlobalProtect)? Yes. GlobalProtect requires a firewall to act as a gateway and a firewall to act as a portal. A single firewall can be configured as both the portal and the gateway and use the same IP address. A firewall can be a gateway and/or a portal while continuing to perform its normal duties as a firewall. In an upgrade scenario, the existing SSL-VPN settings are automatically migrated into the appropriate GlobalProtect portal and gateway settings.
How is GlobalProtect priced? Unlike most client security solutions, GlobalProtect is not priced on a per user basis, but rather is licensed as a subscription per Palo Alto Networks appliance. An organization will need to purchase a license for at least one GlobalProtect Portal, although more than one Portal is allowed. Then the organization will purchase GlobalProtect Gateway subscriptions for each firewall that will need to act as a Gateway for remote users.
WildFire: FAQ
What makes modern malware different than traditional malware? Modern malware has evolved in several ways to avoid traditional antivirus and network security solutions, but we see two overarching trends that define modern malware. First, a great deal of malware has become highly networked, meaning that it has the ability to remotely connect to (and be controlled by) a remote attacker. Botnets are a perfect example of highly networked malware. This interconnectivity makes the malware highly resilient and far more dangerous because it can change and adapt based on the desires of the attacker. Secondly, modern malware strategies have evolved to avoid detection by traditional antivirus solutions. This is done largely through the use of targeted or polymorphic malware that can gain access into a network without triggering AV signatures. While these techniques aren't completely new, they are being seen far more frequently in targeted, high-profile attacks.
Is WildFire an appliance, feature or a service? WildFire is a new feature available in PAN-OS 4.1 that automatically detects malware based on the actual behavior of the executable as opposed to a signature.
Why did Palo Alto Networks develop WildFire? Modern malware has become one of the most important assets in targeted, professional attacks and so-called APTs (advanced persistent threats). In these cases the malware is often custom-built for the target network and, since it has not been released in the wild, will not trigger traditional AV signatures. As a result, modern network security needs the capacity to determine if a file is benign or malicious even if the file has never been seen before. WildFire performs this analysis and provides IT with actionable intelligence and protections once a malicious file is found.
Does WildFire require any additional hardware? No. Users can submit samples of executables via their existing Palo Alto Networks firewalls, or the samples can be uploaded to the Palo Alto Networks WildFire Portal. The WildFire analysis is performed in the cloud and has no impact on the performance of the customers' firewalls.
Does WildFire provide prevention capability or is it detection only? WildFire contains two critical components: the virtualized sandbox environment, which detects the presence of malicious behaviors, and an automated signature generator, which generates and fully tests signatures that are then delivered through the standard Palo Alto Networks malware updates. In the future, these updates will be delivered in near real time, allowing signatures to be delivered worldwide within an hour of a piece of malware first being seen.
How can I ensure the privacy of my information submitted to WildFire? All file transfers to the cloud are encrypted using Palo Alto Networks certificates. Once the file is received in the cloud it is passed into a heavily secured sandbox environment where all traffic is tightly regulated by multiple layers of security. After the analysis is complete, the file is immediately deleted (in most cases this will be 5 minutes or less). WildFire maintains a hash of the analyzed file so that it does not need to be analyzed again. If the file is seen again by another firewall, the firewall will check with the cloud to see if the file has already been analyzed before sending the file. WildFire will also initially be limited to the analysis of EXE and DLL file types. Policies can be set to only forward files coming from untrusted sources such as the Internet, while not sending executable files from internal segments which may contain proprietary information. Additionally, users can set exactly what information should or should not be included with samples submitted to WildFire such as target user, application or IP address.
Will other OSs be supported? Yes, Windows XP is simply the first operating system supported, due to its popularity in the market and with malware authors.
Will the solution support other file formats such as PDFs? Yes, WildFire will steadily expand to include other file types that are commonly used in the malware lifecycle.
Are there any applications which cannot be used to submit samples to WildFire? Any files transferred over proprietarily encrypted traffic are not able to be analyzed by WildFire. These applications should be heavily regulated by the next-generation firewall for a variety of reasons including their ability to provide an avenue for malware infection. Palo Alto Networks does offer the ability to decrypt SSL, which will be required in order to submit samples to WildFire for analysis.
Can WildFire open a zipped file? Yes. Zipped and compressed HTTP (GZIP) will be inspected and any internal EXE and DLL files can be submitted for analysis.
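As an added illustration of the forwarding flow described in the privacy answer above and in the zipped-file answer (a constructed model written for this page, not Palo Alto Networks code): the firewall unwraps gzip, recognises EXE/DLL payloads by their PE header rather than by filename, checks the file's hash against the cloud's record of already-analyzed files before uploading, forwards only from untrusted source zones, and strips the submission metadata the administrator chose not to share. The zone names, metadata field names and the cache structure are assumptions.

```python
"""Constructed model of the WildFire forwarding flow from this FAQ; not
Palo Alto Networks code. Zone names, metadata fields and the cache shape
are assumptions made for the example."""
import gzip
import hashlib

# Constructed sample payloads: a minimal MZ/PE header stub standing in for
# a real EXE, a gzip-wrapped copy of it, and a plain text attachment.
SAMPLE_EXE = (b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
              + b"PE\x00\x00" + b"\x00" * 32)
SAMPLE_EXE_GZ = gzip.compress(SAMPLE_EXE)
SAMPLE_TXT = b"quarterly report, nothing executable here\n"

# Policy assumptions: forward only from these zones, share only these fields.
UNTRUSTED_ZONES = {"untrust", "internet"}
SHARED_META_FIELDS = {"filename", "source_zone"}   # user, app, IP withheld


def unwrap_gzip(data: bytes) -> bytes:
    """Compressed HTTP bodies (gzip) are inspected after decompression."""
    return gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data


def is_pe_file(data: bytes) -> bool:
    """Recognise an EXE/DLL by MZ stub plus PE signature, not by its name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def decide_forward(data: bytes, source_zone: str, meta: dict, cloud_cache: dict):
    """Return ('skip', None), ('cached', verdict) or ('submit', submission).

    cloud_cache models the cloud's record of already-analyzed hashes; a hit
    means the firewall never uploads the file again.
    """
    payload = unwrap_gzip(data)
    if source_zone not in UNTRUSTED_ZONES or not is_pe_file(payload):
        return "skip", None
    digest = hashlib.sha256(payload).hexdigest()
    if digest in cloud_cache:
        return "cached", cloud_cache[digest]
    submission = {
        "sha256": digest,
        "payload": payload,
        "meta": {k: v for k, v in meta.items() if k in SHARED_META_FIELDS},
    }
    return "submit", submission
```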
How does WildFire work with the continue page for drive-by downloads? The continue page is presented to the user; when the user chooses to continue, the download proceeds and the file is forwarded.
How does a user know a file has been forwarded? File uploads to WildFire are logged (File Blocking).
Where can reports and logs be viewed? Logs and reports are viewed in the WildFire web portal.
Why is it called WildFire? The name speaks to the main challenge that WildFire was created to address, namely that anti-malware solutions are based on the need to capture samples of malware in the wild before protections can be delivered. In the case of targeted or custom malware this is a serious problem because the malware will likely never show up in a traditional honeypot or honeynet. The target network is the only place where we know that the malware will have to reveal itself. As a result, we needed to bring the concept of capturing malware in the wild down to the local level of the firewall.
How does WildFire compare to FireEye? FireEye provides a very costly and incomplete approach to modern malware. FireEye requires a separate box at every ingress point, adding to the device sprawl when most organizations are looking to consolidate. The FireEye appliance is a Windows solution and as such is not suited as an in-line security device. Furthermore, FireEye lacks the next-generation firewall's ability to inspect all traffic on all ports and to decode more than 100 applications and protocols, meaning that it will miss file transfers that are intentionally hidden. Lastly, there is no coordination between the various FireEye boxes, meaning that when malware is found in one box, none of the other boxes receive any benefit from that intelligence. In short, the solution requires a lot of hardware with each piece acting as its own silo of information. When considering FireEye, there are several factors that prospects will want to consider.
- FireEye Can't Enforce Traffic it Can't See. The most fundamental issue for FireEye is that it lacks the visibility of App-ID to identify evasive traffic, both the infecting traffic and the ongoing command and control. This means it will miss traffic that hides from or circumvents inspection, such as traffic tunneled within SSL or proxied into the environment.
- FireEye Is Not Built for Inline Security Enforcement. FireEye is a Windows-based appliance, which will preclude it from many true security environments. Additionally, FireEye has little to no background as a high-performance and resilient platform. The next-generation firewall is purpose-built for the challenges of being deployed in-line, including high throughput, low latency, routing, NAT and fail-over considerations.
- Overall Cost and Time to Protection. FireEye requires an additional appliance to be deployed at each ingress point, which makes the solution extremely expensive for adding only an additional analysis capability with very little enforcement. Also, information is not shared between the devices deployed at separate ingress points, meaning that an ingress point will NOT be protected even once a malicious file has been detected at another ingress point. Palo Alto Networks uses the hardware that is already deployed and offloads the sandboxing functionality to virtualized systems hosted in the cloud. As soon as a file is found to be malicious, a signature is generated and delivered to all other firewalls in order to provide protection.
What are some good examples of modern malware? There are quite a few examples that we cover in the Application and Threat Research Center (http://www.paloaltonetworks.com/researchcenter/), so be sure to use this ongoing resource. A few key examples are listed below.
- RSA and Aurora Attacks: These are two very well-known targeted attacks. They provide a clear example of highly sophisticated attacks using previously unknown malware to break into enterprises. More info on high-profile breaches is available here: http://www.paloaltonetworks.com/researchcenter/2011/05/a-few-thoughts-on-the-latest-databreaches/
- TDL-4: This is a good example of highly networked malware that uses a variety of tricks to avoid traditional security measures. A deeper analysis of TDL-4 can be found here: http://www.paloaltonetworks.com/researchcenter/2011/07/analyzing-the-indestructible-botnet/