<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>Palo Alto Networks Blog</title>
	
	<link>http://researchcenter.paloaltonetworks.com</link>
	<description>Palo Alto Networks Blog</description>
	<lastBuildDate>Fri, 18 May 2012 18:47:19 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/PaloAltoNetworks" /><feedburner:info uri="paloaltonetworks" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>PaloAltoNetworks</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item>
		<title>The Firewall is Dead.  Long Live the Firewall!</title>
		<link>http://feedproxy.google.com/~r/PaloAltoNetworks/~3/PpaBA-I1pjE/</link>
		<comments>http://researchcenter.paloaltonetworks.com/2012/05/the-firewall-is-dead-long-live-the-firewall/#comments</comments>
		<pubDate>Fri, 18 May 2012 18:47:19 +0000</pubDate>
		<dc:creator>Chris King</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://researchcenter.paloaltonetworks.com/?p=2429</guid>
		<description><![CDATA[Recently, Roger Grimes opined that the firewall was dead.  Several folks chimed in to tell him that he was wrong, and much debate has ensued, citing reports about the nature of recent breaches, how attacks used to work, and how modern attacks work. &#160; I think much of the misunderstanding has to do with the [...]]]></description>
			<content:encoded><![CDATA[<p>Recently, <a href="http://www.infoworld.com/d/security/why-you-dont-need-firewall-193153?page=0,1">Roger Grimes opined that the firewall was dead</a>.  Several folks chimed in to tell him that he was wrong, and <a href="http://www.infoworld.com/d/security/the-firestorm-over-firewalls-193409?page=0,1&amp;source=IFWNLE_nlt_blogs_2012-05-17">much debate has ensued</a>, citing reports about the nature of recent breaches, how attacks used to work, and how modern attacks work.</p>
<p>I think much of the misunderstanding has to do with the definition of the firewall.  <span id="more-2429"></span>Roger uses an implementation-specific definition for the firewall.  An implementation-specific definition describes the firewall as something that opens and closes ports in an attempt to reduce the attack surface of the network.  We all know that opening and closing ports doesn’t limit the attack surface of the network – and hasn’t for years.  So, if you stick to the implementation-specific definition (a stateful inspection, port-based firewall), I agree – the firewall fails to provide much help in securing the network – and for most intents and purposes, is dead.</p>
<p>If, however, you look at an architectural definition of the firewall – an infrastructure component that:</p>
<ol>
<li>Defines the boundary between trust zones</li>
<li>Sees all of the traffic</li>
<li>Has a positive security model (i.e., default deny)</li>
<li>And most importantly, meaningfully reduces the attack surface of the network</li>
</ol>
<p>Viewed this way, the firewall is alive and well, and more necessary than ever.</p>
<p>Jody Brazil at FireMon <a href="http://www.firemon.com/blog/report-firewalls-death-greatly-exaggerated">correctly points out a couple of relevant pieces</a> (disclosure – FireMon is a Palo Alto Networks partner):</p>
<ol>
<li>Next-generation firewalls are relevant</li>
<li>Firewall management is a problem</li>
</ol>
<p>On the first point, Grimes dismisses “deep packet inspection” out of hand, again proving his implementation-specific understanding of the firewall.  If a firewall allows all port 80 traffic, then scans for a bunch of attacks or undesirable applications with an after-firewall IPS-style engine, then I agree – the firewall aspect is useless.  But identifying the application PRIOR to allowing the traffic – in effect, classifying the traffic not by port, but by application, then making an access decision – is fundamentally different.  Not only does it reduce the attack surface of the network (allow traffic from/to these twenty applications into my data center, all else deny) but it also goes a long way to address the management issues that Grimes and Brazil both highlight – namely that too many arcane port-based firewall rules exist, and far too many are left alone because nobody understands what they do.  This results in poor security, and major management issues across thousands of port-based firewall rules, and countless policies across the ever-increasing other network security devices that organizations put in place to compensate for the port-based firewall’s irrelevance.</p>
<p>When a firewall rule reads “allow sales to use GoToMeeting,” or “allow IT to use BitTorrent,” there’s no confusion about the intent of the rule due to obscure port assignments.  This enables easy understanding, reduced rulesets, and the important “all else deny” statement at the end of the rulebase (which Grimes laments the loss of).  It also makes it far easier to stop the kinds of attacks that Grimes and Brazil talk about – the first rule of defense is to control the avenues of attack (which, in today’s world, are applications), not by blocking the applications the business values, but by only allowing the applications the business values, and then scanning those for threats of all sorts.  <a href="http://www.securityweek.com/five-must-have-capabilities-controlling-modern-malware">Wade Williamson does a good job of explaining this in detail.</a></p>
<p>Doing this well, in the firewall, enables organizations to rationalize network security infrastructure investments, but that’s a different topic.</p>
]]></content:encoded>
			<wfw:commentRss>http://researchcenter.paloaltonetworks.com/2012/05/the-firewall-is-dead-long-live-the-firewall/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		<feedburner:origLink>http://researchcenter.paloaltonetworks.com/2012/05/the-firewall-is-dead-long-live-the-firewall/</feedburner:origLink></item>
		<item>
		<title>Not Just for CIOs – The Role of IT is Changing Too</title>
		<link>http://feedproxy.google.com/~r/PaloAltoNetworks/~3/5d6q-JjDk_A/</link>
		<comments>http://researchcenter.paloaltonetworks.com/2012/05/not-just-for-cios-the-role-of-it-is-changing-too/#comments</comments>
		<pubDate>Mon, 14 May 2012 18:06:32 +0000</pubDate>
		<dc:creator>Chris King</dc:creator>
				<category><![CDATA[CIO/CISO]]></category>

		<guid isPermaLink="false">http://researchcenter.paloaltonetworks.com/?p=2411</guid>
		<description><![CDATA[It’s a little late, but I wanted to comment on a great opinion piece by Nicholas Evans in Computerworld last week. He makes several points that Brian, Matt, and I have been blogging about/around recently – the accessibility of applications and devices, the consumerization of IT, and the disintermediation of IT and the requisite role [...]]]></description>
			<content:encoded><![CDATA[<p>It’s a little late, but I wanted to comment on a <a href="http://www.computerworld.com/s/article/9226927/The_IT_paradox_A_diminished_role_in_technology_but_greater_clout_in_the_business_" target="_blank">great opinion piece</a> by Nicholas Evans in Computerworld last week.</p>
<p>He makes several points that Brian, Matt, and I have been blogging about/around recently – the <a href="http://researchcenter.paloaltonetworks.com/2012/01/workers-of-the-world-unite-and-be-social/">accessibility of applications and devices</a>, the <a href="http://researchcenter.paloaltonetworks.com/2012/05/fresh-perspectives-on-consumerization-and-byod-part/">consumerization of IT</a>, and the disintermediation of IT and the <a href="http://researchcenter.paloaltonetworks.com/2012/04/weighing-in-on-the-role-of-a-modern-cio/">requisite role changes</a> associated with adapting to all of the above.  I’d argue there’s one thing to add, and another I’d like to expand on.</p>
<p><span id="more-2411"></span></p>
<p>The addition:  users are more adept than ever.  As younger employees come into the workplace, and all users are far more comfortable with technology, end users are often in a position to be more effective at selecting and employing the technology that they need to do their jobs better, faster, or cheaper.  This only adds velocity to many of the dynamics Evans mentions.</p>
<p><a href="http://researchcenter.paloaltonetworks.com/2012/05/not-just-for-cios-the-role-of-it-is-changing-too/natives/" rel="attachment wp-att-2417"><img class="alignnone size-medium wp-image-2417" title="Savvy Users" src="http://researchcenter.paloaltonetworks.com/wp-content/uploads/2012/05/natives-230x137.png" alt="Digital Natives" width="230" height="137" /></a></p>
<p>The expansion:  IT’s role. <a href="http://researchcenter.paloaltonetworks.com/2012/04/what-do-cios-need-to-know-about-network-security/">Just like CIOs</a>, IT must also focus on the non-traditional/poorly-understood aspects of IT, and let go of the more traditional, commoditized aspects.  To expand a bit on a couple of the governance points Evans makes, IT’s role means helping the business to understand the risks (users already understand the benefits) associated with their chosen tech, compliance issues, possible risk mitigation measures, and implementing and managing visibility and control of that technology – all in a way that enables, not hinders, the business.</p>
<p>I think when you add the user sophistication bit, and IT takes on a safe enablement posture as outlined in the paragraph immediately above, then Evans’ final point about IT being more strategic becomes even more powerful.</p>
]]></content:encoded>
			<wfw:commentRss>http://researchcenter.paloaltonetworks.com/2012/05/not-just-for-cios-the-role-of-it-is-changing-too/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://researchcenter.paloaltonetworks.com/2012/05/not-just-for-cios-the-role-of-it-is-changing-too/</feedburner:origLink></item>
		<item>
		<title>Fresh Perspectives on Consumerization and BYOD – Part 3</title>
		<link>http://feedproxy.google.com/~r/PaloAltoNetworks/~3/1rBMInsDwb0/</link>
		<comments>http://researchcenter.paloaltonetworks.com/2012/05/fresh-perspectives-on-consumerization-and-byod-part/#comments</comments>
		<pubDate>Fri, 11 May 2012 20:02:35 +0000</pubDate>
		<dc:creator>Brian Tokuyoshi</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[consumerization]]></category>
		<category><![CDATA[Mobility]]></category>

		<guid isPermaLink="false">http://researchcenter.paloaltonetworks.com/?p=2395</guid>
		<description><![CDATA[This is the third of a three-part blog series exploring the issues and challenges with consumerization and BYOD. In part 1 of this series, we examined the challenge of dealing with the scope and diversity of consumerization. In part 2 of this series, we took a closer look at why the network plays such an [...]]]></description>
			<content:encoded><![CDATA[<p>This is the third of a three-part blog series exploring the issues and challenges with consumerization and BYOD. In <a href="http://researchcenter.paloaltonetworks.com/2012/03/fresh-perspectives-on-consumerization-and-byod-part-1/">part 1</a> of this series, we examined the challenge of dealing with the scope and diversity of consumerization. In <a href="http://researchcenter.paloaltonetworks.com/2012/04/fresh-perspectives-on-consumerization-and-byod-%e2%80%93-part-2/">part 2</a> of this series, we took a closer look at why the network plays such an important role in making an effective strategy. In this segment, let’s take a closer look at how the next-generation firewall provides the means to assert control.</p>
<p>It’s clear that the network is the right place for IT to enforce control between applications and users, and that’s true regardless of what device is being used. What the traditional network lacks, however, is the control structure to address applications, users or devices as policy criteria. For example, the legacy firewall can’t make the determination of what applications, users and devices are on the network, even though it is in the right location for enforcement. A VPN might know who wants access to a network after asserting authentication credentials, but it has no idea how to tie identity to the firewall’s enforcement of what traffic may pass. Device identification and blocking methods range from the ineffective (such as MAC address filtering) to the impractical (such as network access control). And some controls for handling consumerization, such as identifying whether an application is being accessed from an IT managed asset (and thus permitted to locally store application data), are not addressed by any traditional network security product.<span id="more-2395"></span></p>
<p>The next-generation firewall takes a fundamentally different approach towards traffic classification and policy enforcement. Using App-ID, User-ID and Content-ID as its core technologies, the next-generation firewall provides visibility and control in a manner not found in any combination of existing traditional network security products. To understand how this enforcement is possible, let’s revisit the scenario from the previous article, namely a company wants to protect a financial application in the data center, restricting access to accounting employees using an IT-managed endpoint. In addition, in order to reduce the risk of data breaches, the organization wants to make sure that this class of applications is only accessed from a managed, corporate-imaged endpoint with disk encryption, operating system patches, and up-to-date endpoint security signatures.</p>
<p>All of this can be done in a single policy in the next-generation firewall.  That’s because the next-generation firewall uses App-ID for application traffic identification rather than blindly trusting port assignments. It identifies the application traffic itself, rather than the port it uses, and as such, it can zero in on letting the specific financial application through while stopping the traffic that does not belong. With User-ID, the firewall policy incorporates user or group information from a corporate directory to determine who is a part of the accounting organization. Content-ID can check for the flow of inappropriate data (using a regular expression or predefined pattern matches for personally identifiable information) and stop dangerous or inappropriate traffic, such as malware.</p>
<p>GlobalProtect adds two important capabilities to address the dramatic impact that consumerization has on mobile computing. First, GlobalProtect provides the capabilities for endpoints and mobile devices to connect to the next generation firewall from anywhere. This combination provides both remote access and network security, ensuring that the firewall provides consistent enforcement of policy whether the user is on the local LAN or on the road. More specifically, location now becomes a policy enforceable element as well, allowing an organization to specify whether there are additional restrictions in place for external users. GlobalProtect has an extensive set of remote access capabilities that I’ll cover more in depth in a future blog post.</p>
<p>The second component added by GlobalProtect is the ability to use the state of the endpoint when evaluating firewall policy, whether connecting from an internal or external location. The client checks for the presence and state of various security features, and generates a Host Information Profile (HIP). The next-generation firewall uses this information as part of the policy evaluation. Going back to our example, this allows an organization to check for the presence of a valid user on a properly managed endpoint before allowing network access to the application in the data center.</p>
<p><a href="http://researchcenter.paloaltonetworks.com/2012/05/fresh-perspectives-on-consumerization-and-byod-part/screenshot/" rel="attachment wp-att-2396"><img class="size-large wp-image-2396 aligncenter" title="HIP Policy" src="http://researchcenter.paloaltonetworks.com/wp-content/uploads/2012/05/screenshot-500x220.png" alt="" width="500" height="220" /></a></p>
<p>GlobalProtect pairs nicely with mobile device management (MDM) solutions from our partners, which include <a href="http://media.paloaltonetworks.com/documents/mobileiron.pdf">MobileIron</a> and <a href="http://media.paloaltonetworks.com/documents/zenprise.pdf">Zenprise</a>. MDM can bring an unmanaged device to a managed state, and in the process, establish connectivity to GlobalProtect through the installation of an authentication certificate. If you want to learn more, <a href="http://www.youtube.com/watch?v=jNczuIvPLDM">MobileIron has a video</a> that’s available to illustrate how the next-generation firewall works together with its mobile device management platform.</p>
<p>That concludes the three-part series on the role of the next-generation firewall as it pertains to the issues of consumerization and BYOD, but consider this more of a starting point than an end. There’s still a lot more to talk about on policy, process, and tech, and I’ll be writing more about these topics in upcoming blog entries. In the meantime, if you’re interested in learning more about the impacts of consumerization, check out the webcast “<a href="http://connect.paloaltonetworks.com/download-longform?doc_id=57">Coming to Grips with Consumerization</a>” with Nir Zuk and Rich Mogull.</p>
]]></content:encoded>
			<wfw:commentRss>http://researchcenter.paloaltonetworks.com/2012/05/fresh-perspectives-on-consumerization-and-byod-part/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://researchcenter.paloaltonetworks.com/2012/05/fresh-perspectives-on-consumerization-and-byod-part/</feedburner:origLink></item>
		<item>
		<title>A Wrap Up of InfoSec Europe</title>
		<link>http://feedproxy.google.com/~r/PaloAltoNetworks/~3/SEtgJx7YBfQ/</link>
		<comments>http://researchcenter.paloaltonetworks.com/2012/05/a-wrap-up-of-infosec-europe/#comments</comments>
		<pubDate>Thu, 03 May 2012 22:01:32 +0000</pubDate>
		<dc:creator>Brian Tokuyoshi</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://researchcenter.paloaltonetworks.com/?p=2367</guid>
		<description><![CDATA[It’s been a busy week at InfoSec Europe, the security event held at Earl’s Court in Kensington, London. The show continues to bring together some of the best and brightest minds in security, and that’s reflected by the level of conversations that we’ve had. Day after day, the crowds were running at a constant high, [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-medium wp-image-2372 alignright" title="IMG_1166" src="http://researchcenter.paloaltonetworks.com/wp-content/uploads/2012/05/IMG_11661-230x153.jpg" alt="" width="230" height="153" /></p>
<p>It’s been a busy week at InfoSec Europe, the security event held at Earl’s Court in Kensington, London. The show continues to bring together some of the best and brightest minds in security, and that’s reflected by the level of conversations that we’ve had. Day after day, the crowds were running at a constant high, and we worked tirelessly to make sure that every guest got the answers they needed.</p>
<p><span id="more-2367"></span>It was a great honor to meet <a href="http://london.usembassy.gov/ukdcm.html">Deputy Chief of Mission Barbara Stephenson</a> for the US Embassy in London. She has been working to build ties between European and US businesses, and she came by to the Palo Alto Networks booth to discuss the state of network security and learn about what we do. We talked about the nature of the problem that businesses face in protecting against modern malware, and the concepts behind the next-generation firewall, and I can report that the Deputy Ambassador is exceptionally well-informed about computer security.</p>
<p>In conversation with some of the show attendees, I noticed a number of important trends. The first is that many companies are not talking about what they need to add to make their environment more secure, but rather what they can remove, starting with their traditional firewall. Typically the conversation about simplifying an environment revolves around cost reduction, but at the show, many people talked about how an excess of complexity led to problematic security compromises. In order to make their security program more effective, they needed to get a better handle on visibility and control, and that was precisely the reason they wanted to get a better understanding of what the next-generation firewall can do.</p>
<p><img class="alignright size-medium wp-image-2368" title="IMG_0980-sm" src="http://researchcenter.paloaltonetworks.com/wp-content/uploads/2012/05/IMG_0980-sm-230x152.jpg" alt="" width="230" height="152" /></p>
<p>A second trend I noticed was the number of discussions that we had around mobility. It’s interesting because many talks had two components – how to get more users on the network, and how to keep unwanted devices off the network. The discussion around the use of <a href="http://www.paloaltonetworks.com/products/features/globalprotect.html">GlobalProtect</a> with the next-generation firewall led to conversations that ranged around security, compliance, and remote access. This has been coming up as a popular topic with our customers, and I highly recommend watching Nir Zuk and Rich Mogull of Securosis discuss mobility and consumerization <a href="http://connect.paloaltonetworks.com/download-longform?doc_id=57">from our recent webcast</a>.</p>
<p><img class="alignleft size-medium wp-image-2369" title="IMG_0997-sm" src="http://researchcenter.paloaltonetworks.com/wp-content/uploads/2012/05/IMG_0997-sm-230x152.jpg" alt="" width="230" height="152" /></p>
<p>Third, there was a lot of talk about being preemptive rather than reactive to new threats. For example, I talked to a number of attendees about the difference between behavioral-based malware detection and signature-based detection, and the time delta between patient zero and protection. <a href="http://www.paloaltonetworks.com/solutions/wildfire.html">WildFire</a> closes the gap by providing a continuous system for malware detection and corrective action, and I had many good talks with people who wanted to see how it works.</p>
<p>Thanks to all of you who came by to visit us this year. If you missed this event, <a href="mailto:contact_salesEMEA@paloaltonetworks.com">feel free to drop us a line</a> and we’ll set up a one-on-one conversation with you. Even though we had a great turnout this year, next year promises to be even better, and we look forward to seeing you there.</p>
]]></content:encoded>
			<wfw:commentRss>http://researchcenter.paloaltonetworks.com/2012/05/a-wrap-up-of-infosec-europe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://researchcenter.paloaltonetworks.com/2012/05/a-wrap-up-of-infosec-europe/</feedburner:origLink></item>
		<item>
		<title>The Jericho Botnet — Why Break A Wall When You Can Just Sneak Through?</title>
		<link>http://feedproxy.google.com/~r/PaloAltoNetworks/~3/8rnFAaC_Ebc/</link>
		<comments>http://researchcenter.paloaltonetworks.com/2012/05/the-jericho-botnet-%e2%80%94-why-break-a-wall-when-you-can-just-sneak-through/#comments</comments>
		<pubDate>Wed, 02 May 2012 17:47:02 +0000</pubDate>
		<dc:creator>Wade</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://researchcenter.paloaltonetworks.com/?p=2342</guid>
		<description><![CDATA[One of the advantages of having an automated malware detection system with distributed nodes around the world is that you get to see a lot of malware. But sometimes, something interesting stands out. That was the case when our research team discovered 42 samples of what we are now calling the “Jericho” botnet, which Bill [...]]]></description>
			<content:encoded><![CDATA[<p>One of the advantages of having an automated malware detection system with distributed nodes around the world is that you get to see a lot of malware.</p>
<p>But sometimes, something interesting stands out. That was the case when our research team discovered 42 samples of what we are now calling the “Jericho” botnet, which Bill Brenner from CSO <a href="http://blogs.csoonline.com/blog/salted-hash-it-security-news" target="_blank">blogged about this morning</a> on his Salted Hash blog. Jericho is a variant of well-known banking Trojans such as the stealthy Jorik Trojan.<span id="more-2342"></span></p>
<p>Jericho was detected by <a href="http://www.paloaltonetworks.com/products/features/malware-protection.html" target="_blank">WildFire</a>, our cloud-based analysis engine that was released late last year. WildFire detected more than 42 unique, but related banking botnet samples that were part of an ongoing criminal enterprise, aimed at stealing passwords and login credentials for financial institutions and other valuable sites. Disassembly of the samples revealed well over 100 domains that are targeted with the vast majority belonging to banking and financial sites. As a result, we believe that the core goal of this botnet is related to financial theft.</p>
<p>For those of you who don’t know, the WildFire feature of Palo Alto Networks next-generation firewalls allows the firewall to capture unknown files for analysis in a virtualized malware sandbox, where new malware can be identified based on over 80 different behaviors.</p>
<p>Jericho’s background is somewhat interesting: all infections were delivered from Israeli IP space; however, the engineering of the file appears to be of Romanian origin. And there was actually a connection between the two: the vast majority of the URLs used to deliver the malware ended in ierihon(dot)com, and Ierihon is the word for “Jericho” in Romanian. Hence the name.</p>
<p>But what’s really interesting about Jericho is that like many other contemporary pieces of modern malware, Jericho demonstrates a number of behaviors that are designed for stealth, persistence and avoidance of traditional signature-based approaches to malware detection.</p>
<p>The malware is able to inject itself into the Windows logon to maintain persistence on the infected host after a reboot. What was a bit more interesting was just how efficient the malware was at injecting itself into valid applications such as Firefox, Chrome, Java, Outlook and Skype, and then repurposing their capabilities. This not only enables the malware to hide within approved applications at run time, but it also means that standard methods for observing Windows API calls are subverted. This allows for a stealthier presence in the system – and can significantly slow down the study of the sample itself.</p>
<p>It appears that this combination of a stealthy program and piggybacking on common applications, and what was likely a rapid-iteration process on the part of the malware writers, enabled this botnet to avoid the scrutiny of most antivirus vendors. In fact, Jericho demonstrated the ability to avoid industry AV signatures for multiple days. Of the 42 samples analyzed by Palo Alto Networks, the top AV solutions only achieved a 3.2 percent detection rate on the day the sample was first detected by WildFire. AV coverage seemed to slowly but steadily improve over time, with coverage improving to 39 percent over seven days. However, this data is skewed by the fact that 12 of the 42 samples were not detected at all over a seven-day span.</p>
<p><em>Poor Coverage of Jericho by Traditional AV Solutions</em></p>
<p><img class="alignnone size-full wp-image-2344" title="jericho-chart-1" src="http://researchcenter.paloaltonetworks.com/wp-content/uploads/2012/05/jericho-chart-1.jpg" alt="" width="500" height="313" /></p>
<p>This trend seems to indicate that this particular criminal operation is cognizant of the AV coverage for their malware and has established a delivery strategy that minimizes collection by AV vendors, and refreshes the malware on a steady schedule to avoid newly released signatures.</p>
<p>Note that all Palo Alto Networks customers with a valid Threat Prevention license are already protected if they have applied the latest AV updates. WildFire is a free feature, and users benefit from protections from threats seen by all Palo Alto Networks customers worldwide.</p>
<p>I’ll be going in-depth on the “nuts and bolts” of the Jericho botnet <a href="http://www.securityweek.com/authors/wade-williamson" target="_blank">in my next column for SecurityWeek</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://researchcenter.paloaltonetworks.com/2012/05/the-jericho-botnet-%e2%80%94-why-break-a-wall-when-you-can-just-sneak-through/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		<feedburner:origLink>http://researchcenter.paloaltonetworks.com/2012/05/the-jericho-botnet-%e2%80%94-why-break-a-wall-when-you-can-just-sneak-through/</feedburner:origLink></item>
		<item>
		<title>A Preview of Infosec Europe</title>
		<link>http://feedproxy.google.com/~r/PaloAltoNetworks/~3/3kxdkB_gSKI/</link>
		<comments>http://researchcenter.paloaltonetworks.com/2012/04/a-preview-of-infosec-europe/#comments</comments>
		<pubDate>Fri, 20 Apr 2012 17:31:39 +0000</pubDate>
		<dc:creator>Brian Tokuyoshi</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://researchcenter.paloaltonetworks.com/?p=2318</guid>
		<description><![CDATA[It’s April, spring is in the air, and that means crowds of security professionals will soon make their way to London for InfoSec Europe. This year the event will be held April 24th through the 26th, 2012, and Earl’s Court in the Royal Borough of Kensington will host the activities. If you haven’t been to [...]]]></description>
			<content:encoded><![CDATA[<p>It’s April, spring is in the air, and that means crowds of security professionals will soon make their way to London for <a href="http://www.infosec.co.uk/">InfoSec Europe</a>. This year the event will be held April 24<sup>th</sup> through the 26<sup>th</sup>, 2012, and Earl’s Court in the Royal Borough of Kensington will host the activities.</p>
<p><span id="more-2318"></span>If you haven’t been to InfoSec Europe before, you’ll find that it has a number of elements that make it stand out. It’s a top class event that draws crowds in excess of 10,000 people, and that makes for a crackling show. It’s also big in terms of spectacle, because the booth designs are some of the tallest and most elaborate around. Nearly every design climbs towards the ceiling, so it’s easy to get overwhelmed by it all.</p>
<p>But the main reason I love InfoSec Europe is the quality of discussions that I have with security professionals. We typically see conversations that span the spectrum, ranging from ways to deal with risks to the business to technical discussions about the next-generation firewall. This year, it’ll be even easier to find us, as we’ve got a new 7 meter square booth located at the show perimeter.</p>
<p>I’ll be there at InfoSec Europe, and I look forward to seeing you as well. Come see Palo Alto Networks at booth K50 to talk to our experts, see a demo of the next-generation firewall, and find out what it can do for you.</p>
]]></content:encoded>
			<wfw:commentRss>http://researchcenter.paloaltonetworks.com/2012/04/a-preview-of-infosec-europe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://researchcenter.paloaltonetworks.com/2012/04/a-preview-of-infosec-europe/</feedburner:origLink></item>
		<item>
		<title>What Do CIOs Need to Know About Network Security?</title>
		<link>http://feedproxy.google.com/~r/PaloAltoNetworks/~3/A7O6C_9ZuY4/</link>
		<comments>http://researchcenter.paloaltonetworks.com/2012/04/what-do-cios-need-to-know-about-network-security/#comments</comments>
		<pubDate>Fri, 20 Apr 2012 02:29:43 +0000</pubDate>
		<dc:creator>Chris King</dc:creator>
				<category><![CDATA[CIO/CISO]]></category>
		<category><![CDATA[Firewall]]></category>

		<guid isPermaLink="false">http://researchcenter.paloaltonetworks.com/?p=2307</guid>
		<description><![CDATA[On the heels of my last post regarding the role of the modern CIO, I thought it would make sense to delve a little into the relationship between CIOs and network security.  Many CIOs have expressed indifference to the network security discipline (in fact, to the security discipline in general), at least until there&#8217;s some [...]]]></description>
			<content:encoded><![CDATA[<p>On the heels of my last post regarding the role of the modern CIO, I thought it would make sense to delve a little into the relationship between CIOs and network security.  Many CIOs have expressed indifference to the network security discipline (in fact, to the security discipline in general), at least until there&#8217;s some sort of problem.  But why?<span id="more-2307"></span></p>
<p>Given the <a href="http://www.paloaltonetworks.com/researchcenter/2012/04/weighing-in-on-the-role-of-a-modern-cio/" target="_blank">innovation expected from modern CIOs</a>, shouldn&#8217;t CIOs be interested in enabling an organization to adopt new technology without adopting too much risk?  Doesn&#8217;t that help CIOs achieve their goal of bringing innovation to business?  I think there are some real, and some perceived problems.</p>
<p>From the CIO&#8217;s perspective, there are three problems with network security today:</p>
<ol>
<li><strong>Security is an impediment.  </strong>In many organizations, there is a certain inflexibility around security: everything is black and white, everything new is dangerous and bad, and when in doubt, block it.</li>
<li><strong>Security is a requirement.  </strong>Compliance, the need to maintain the organization&#8217;s image (i.e., keep the company out of data breach articles in the press), and the increasing awareness that cybercriminals are out to do enterprises harm all point to the need for good (better?) security.</li>
<li><strong>Security is a pain.  </strong>Given the rate of innovation in technologies enterprises adopt, how they adopt them, the risks that accompany them, and the failure of basic network security infrastructure to adapt, security has become expensive, complex, and slow.</li>
</ol>
<p>All of this adds up to something that is necessary, painful, and slows down the key initiative of the &#8220;Chief Innovation Officer&#8221;.  There are solutions to these problems, but they require some changes in the way organizations think about security (policies) and the way security is enforced (controls).  Regarding policies, organizations need to shift to:</p>
<ol>
<li><strong>Policies that enable.  </strong>Applications aren&#8217;t threats, and in fact, in many cases, they are how folks get their jobs done in better, faster, and cheaper ways.  Enable that!  But limit unnecessary risk.</li>
<li><strong>Policies that can be enforced.  </strong>Nothing breeds contempt (or legal action) like unenforced policies.  Policies have to be enforceable, which often means new or upgraded controls to contend with the innovation we&#8217;ve all seen in applications and the increasing sophistication of threats.  Policies also have to be fine-grained enough to enable innovation, yet limit function, users, or content in a way that reduces the unnecessary risk carried by that innovation.</li>
<li><strong>Policies that live in the firewall.  </strong>IT executives are tired of the &#8220;see a new technology, add another security appliance&#8221; stance that the network security industry has taken.  Given that the firewall is the only device that can enable (everything else has a negative security model) and is often the only device that sees all traffic, the firewall is the right place to meet the two requirements immediately above; therefore these policies must be enforced in the firewall.  It goes without saying that traditional port-based stateful inspection firewalls can&#8217;t do this, nor can devices that are based on stateful inspection (UTM).  Next-generation firewalls use application-based traffic classification – which opens the door to safe enablement.</li>
</ol>
<p>So if an organization does address the issues with network security in the above ways, CIOs should expect to be able to: enable strategic initiatives (i.e., security is no longer an impediment), reduce the risk without reducing the benefit of those initiatives (i.e., meet the requirement for security), and simplify both security infrastructure and operations (i.e., reduce the pain of implementing and operating network security).  I think this is where network security could start to get interesting for CIOs.</p>
]]></content:encoded>
			<wfw:commentRss>http://researchcenter.paloaltonetworks.com/2012/04/what-do-cios-need-to-know-about-network-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://researchcenter.paloaltonetworks.com/2012/04/what-do-cios-need-to-know-about-network-security/</feedburner:origLink></item>
		<item>
		<title>Getting a Handle on DDoS</title>
		<link>http://feedproxy.google.com/~r/PaloAltoNetworks/~3/mp1EBoKge90/</link>
		<comments>http://researchcenter.paloaltonetworks.com/2012/04/getting-a-handle-on-ddos/#comments</comments>
		<pubDate>Mon, 16 Apr 2012 22:36:58 +0000</pubDate>
		<dc:creator>Wade</dc:creator>
				<category><![CDATA[Threat Advisory/Analysis]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[DoS]]></category>

		<guid isPermaLink="false">http://researchcenter.paloaltonetworks.com/?p=2300</guid>
<description><![CDATA[Denial-of-Service (DoS) and Distributed Denial-of-Service Attacks (DDoS) have become an increasingly common problem for enterprises of all sizes. DDoS campaigns are commonly used by hacktivists to embarrass or otherwise disrupt a target company or government agency. Unfortunately, the problem doesn’t stop there. Botnets controlled by criminal groups can recruit thousands and even millions of infected [...]]]></description>
<content:encoded><![CDATA[<p>Denial-of-Service (DoS) and Distributed Denial-of-Service Attacks (DDoS) have become an increasingly common problem for enterprises of all sizes. DDoS campaigns are commonly used by hacktivists to embarrass or otherwise disrupt a target company or government agency. Unfortunately, the problem doesn’t stop there. Botnets controlled by criminal groups can recruit thousands and even millions of infected machines to join in a truly global DDoS attack, enabling the gang to essentially extort a ransom from the target network in exchange for stopping the attack. Regardless of the source, defending a network from these DDoS attacks has become an integral part of any IT threat prevention strategy.  While we don’t claim to be an end-to-end solution for stopping DDoS attacks (nothing really is), there are many features in the Palo Alto Networks next-generation firewall that security teams should integrate into their counter-DDoS strategy. Let’s take a quick look at how an overall DDoS strategy could look.<span id="more-2300"></span></p>
<p><strong>Keep DoS Attacks as Far Away From the Network As Possible<br />
</strong>While of course we tend to focus on the protections that we can provide at Palo Alto Networks, it’s very important to acknowledge that DDoS protection must begin before traffic ever reaches your network. ISPs are increasingly important partners in the fight against DDoS, and they have the ability to keep some DDoS traffic from reaching the intended target. ISPs can monitor Internet links and can filter or blackhole traffic to protect the customer network. Preparing for DDoS really does require looking beyond our own perimeter, and working with your ISP is a great way to keep DoS traffic as far away from your network as possible.</p>
<p><strong>DDoS Protection Profiles<br />
</strong>Of course, DoS attempts will eventually end up on your doorstep, and you will need to repel the attack and protect your assets. This is where the DoS protection profiles in the next-generation firewall are particularly powerful. The DoS profiles allow you to control various types of traffic floods such as SYN, UDP, and ICMP floods. You can also set rules for the maximum number of concurrent sessions to ensure that sessions can’t overwhelm resources as well. However, the real power of the DoS protection profiles is the ability to set independent limits on aggregate as well as same-source sessions. As an example, you can set an overall ceiling of SYN packets that should be allowed that applies to all devices protected by a particular rule. Then you can set a much more targeted rule for the total SYN packets that should be allowed going to a specific IP address. You can apply these “classified” rules based on source IP, destination IP, or source-destination pair.  By combining aggregate and classified DoS protections you can build in a great deal of protection not only for the network in general but also for the critical systems and services that the network can’t live without.</p>
<p><strong>Detection of DDoS Tools<br />
</strong>The next step is to identify and block DDoS tools used by attackers. Hacktivist groups will often rely on very simple tools or easily distributable scripts which can be used by users with basic computer skills. LOIC (the low-orbit ion cannon) has been a popular tool in various Anonymous projects as well as other hacktivist operations. Palo Alto Networks is able to identify attacks driven by LOIC, Trinoo and others and automatically block their DDoS traffic at the firewall.</p>
<p><strong>Blocking DoS Exploits<br />
</strong>The simplest step is to block exploits that can lead to DoS conditions. Palo Alto Networks vulnerability protection profiles provide inline protection from well over 400 different vulnerabilities in both servers and clients that cause a denial of service condition. Defending against these types of vulnerabilities is relatively straightforward and is likely already a component of your IPS and threat prevention profiles on your Palo Alto Networks devices.</p>
<p><strong>Controlling Botnets to Control DDoS<br />
</strong>While it’s paramount to be prepared for a DDoS against your network, it’s also important to ensure that your network doesn’t contribute to an attack elsewhere. Many DDoS attacks are the work of botnets that leverage an army of infected machines to send traffic to a specific target. Palo Alto Networks provides blocking of malware command-and-control traffic and offers the behavioral botnet report to expose devices in the network that are likely infected by a bot. These efforts will ensure you don’t unwittingly contribute to a DDoS attack.</p>
<p>When it comes to DDoS, it is always important to remember that there will likely never be a single silver bullet. Stopping DDoS attacks requires a blend of strong local security controls as well as efforts to mitigate the attack upstream. Using these techniques in a coordinated way will help you to build an overall approach to coping with a DDoS attack.</p>
]]></content:encoded>
			<wfw:commentRss>http://researchcenter.paloaltonetworks.com/2012/04/getting-a-handle-on-ddos/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://researchcenter.paloaltonetworks.com/2012/04/getting-a-handle-on-ddos/</feedburner:origLink></item>
		<item>
		<title>Weighing in on the Role of a Modern CIO</title>
		<link>http://feedproxy.google.com/~r/PaloAltoNetworks/~3/UCvNzQ8_ZPo/</link>
		<comments>http://researchcenter.paloaltonetworks.com/2012/04/weighing-in-on-the-role-of-a-modern-cio/#comments</comments>
		<pubDate>Wed, 04 Apr 2012 23:49:36 +0000</pubDate>
		<dc:creator>Chris King</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://researchcenter.paloaltonetworks.com/?p=2292</guid>
		<description><![CDATA[Just read a great byline piece by Irving Wladawsky-Berger in the Wall Street Journal on evaluating the modern CIO.  I completely agree that the old interpretation of the CIO role (internal and operational in Irving&#8217;s excellent 2&#215;2 matrix parlance) is well understood, less and less &#8220;internal,&#8221; and to some extent, less and less interesting – [...]]]></description>
<content:encoded><![CDATA[<p>Just read a great byline piece by Irving Wladawsky-Berger in the Wall Street Journal on <a href="http://blogs.wsj.com/cio/2012/04/03/a-framework-for-evaluating-the-modern-cio/">evaluating the modern CIO</a>.  I completely agree that the old interpretation of the CIO role (internal and operational in Irving&#8217;s excellent 2&#215;2 matrix parlance) is well understood, less and less &#8220;internal,&#8221; and to some extent, less and less interesting – which is why some might assume the role is fading.</p>
<p>But when I was in South America last week as part of the Palo Alto Networks launch into Chile and Argentina, I had a long conversation with a “chief innovation officer” at a large bank, who was focused completely on the other three squares of the 2&#215;2 matrix.  <span id="more-2292"></span>Basically, the internal/ops stuff was a foregone conclusion, and this large Chilean bank was focused on how our products could enable many of the external strategic and external operational bits, such as:  a) feeding existing banking customers the right information about new products and services at the right time; b) presenting the bank&#8217;s services to prospective new customers at a time when they are most likely to transition their accounts and other financial services; and c) doing all of this through the channels that the customer is using, not that the bank dictates.</p>
<p>Sure, there was interest in the internal tasks associated with network security, but the illuminating thing to me was that we were having a discussion about enablement – enablement of the kinds of initiatives that will make the difference between average performance and excelling in the market.  To me, this substantiates Irving&#8217;s point – it requires technical knowledge in the CIO function, and re-states the strategic importance of the role – either you have somebody that can lead the disruption via technology, or you get disrupted.</p>
]]></content:encoded>
			<wfw:commentRss>http://researchcenter.paloaltonetworks.com/2012/04/weighing-in-on-the-role-of-a-modern-cio/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://researchcenter.paloaltonetworks.com/2012/04/weighing-in-on-the-role-of-a-modern-cio/</feedburner:origLink></item>
		<item>
		<title>Fresh Perspectives on Consumerization and BYOD – Part 2</title>
		<link>http://feedproxy.google.com/~r/PaloAltoNetworks/~3/xGFM7S2FsnU/</link>
		<comments>http://researchcenter.paloaltonetworks.com/2012/04/fresh-perspectives-on-consumerization-and-byod-%e2%80%93-part-2/#comments</comments>
		<pubDate>Wed, 04 Apr 2012 17:05:24 +0000</pubDate>
		<dc:creator>Brian Tokuyoshi</dc:creator>
				<category><![CDATA[Firewall]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[consumerization]]></category>
		<category><![CDATA[Mobility]]></category>

		<guid isPermaLink="false">http://researchcenter.paloaltonetworks.com/?p=2285</guid>
		<description><![CDATA[Fresh Perspectives on Consumerization and BYOD – Part 2 This is the second of a three-part blog series exploring the issues and challenges with consumerization and BYOD. Part 1 is available here.  This blog entry will explore the role of the network in addressing unmanaged devices. “Why do I need Mobile Device Management?”, said the [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Fresh Perspectives on Consumerization and BYOD – Part 2</strong></p>
<p><em>This is the second of a three-part blog series exploring the issues and challenges with consumerization and BYOD. <a href="http://www.paloaltonetworks.com/researchcenter/2012/03/fresh-perspectives-on-consumerization-and-byod-part-1/">Part 1 is available here</a>.  This blog entry will explore the role of the network in addressing unmanaged devices.</em></p>
<p>“Why do I need Mobile Device Management?”, said the man sitting across the table from me.</p>
<p>I recently spent some time with one of our customers, and the director of network security opened the meeting in that manner. At first, I thought he was asking me a question, and I started to talk about the important role that Mobile Device Management plays with respect to managed device policy, and how that integrates with the Palo Alto Networks firewall. However, I later realized that he was opening a discussion to talk about his perspectives on BYOD.</p>
<p>We started talking about how there&#8217;s a general belief that consumerization and BYOD are a device proliferation problem that needs to be controlled. As we talked, we both agreed that the heart of the matter, the real issue, is dealing with unmanaged devices, and that’s a network control problem.</p>
<p><span id="more-2285"></span>“The problem with BYOD is that the company doesn’t have any control over what users do with their own devices. That means you can&#8217;t count on the user installing anything to bring it under management”, the customer said. “I can’t control what users do, but I control the network, and that’s where I’m going to tackle the problem.”</p>
<p>We got into a discussion about network access control (NAC), and its use cases. NAC can restrict what devices get on a network, but is that a good way to tackle BYOD and unmanaged devices? The tough part isn’t blocking what doesn’t belong, but managing what should be allowed. NAC works best when you have a closed, static environment with company-owned devices. Under these conditions, it’s relatively easy to define what devices should be plugged in. A company that has hundreds of retail stores may have a standard set of equipment at each location. For example, each store might have 3 cash registers, 3 point of sale devices, one PC for the manager’s office, and 2 Internet kiosks.  The employees may change over time, but the equipment doesn&#8217;t. NAC can make sure these are the only devices running at the store, and no BYOD issues crop up because nothing else should be brought online. The challenge with NAC is handling variety, and the corporate network is a much different story than the retail environment. At headquarters, there&#8217;s a broader landscape of users, applications and devices, and it can get very tricky very quickly trying to manage what’s what.</p>
<p>The next-generation firewall realigns expectations about how to build appropriate controls in the network. Because the next-generation firewall is application aware, it can determine which traffic may pass and which may not. In the BYOD scenario, a general purpose policy might allow access to low-value applications (such as the cafeteria menu) and restrict access to sensitive applications (such as the customer database). The firewall also links network policy to users and groups, ensuring that only the right users can reach permitted applications. These principles help organizations determine what should be allowed before ever getting into the myriad of use case issues that arise out of identifying the things that don’t belong.</p>
<p>Upon reflection, this is precisely what’s needed for tackling the unmanaged device scenario. It’s the applications and users that count, and it’s the network that’s the point of control. The device may be the issue, but it’s the network that needs the solution. The foundation for security starts with knowing who the users are and what application they are accessing, and that should be in place regardless of what device is in use. With good knowledge of the user and the application, more granular controls can address the devices. Is an employee using a corporate laptop that’s up to spec? Is an employee using a non-recognized device? Address the specific conditions once it’s determined that the user’s allowed to access the application in the first place.</p>
<p>During my conversation with the customer, this was precisely the line of thought that he was going through. Although he originally purchased Palo Alto Networks firewalls to replace his legacy firewalls at the perimeter and in the data center, they provide the foundation for what’s needed to tackle the BYOD issues that he was seeing. IT can permit an accountant access to financial applications from a corporate laptop with assurance that the endpoint has proper data protection measures installed. The same user accessing the same application from a personally-owned iPad may have restricted access, such as a path through remote desktop. From the remote desktop session, the user can access the application but cannot download the data locally to the device. An unknown user with an unknown iPad would see a captive portal that requires authentication before any access is allowed, and then appropriate application policies can be enforced.</p>
<p>With the next-generation firewall at the network perimeter, an organization can enforce controls over employee-owned devices between security zones, such as from the corporate LAN to the Internet. A user might be allowed to use their personal iPad to access the web, while the firewall enforces content control policies to block undesirable browsing behavior according to company policy. In addition, an organization can tackle the issue of how to address employee-owned devices that are being used externally by implementing GlobalProtect for safe access back to the corporate network.</p>
<p>With these fundamental controls in place in the network, it&#8217;s much easier to apply a variety of additional technologies to make a BYOD strategy even more effective. Back to the customer’s original question, mobile device management pairs quite nicely with all of the controls listed above. Taking the data center example, the authorized user with the unmanaged device would have very limited access to the environment, and the unknown user would have none at all. With Mobile Device Management, an organization could provide the options for greater access after the proper controls for device policy are in place, such as PIN enforcement, lockout and remote wipe. For example, a user that wants greater access from a personally owned device might choose to install a mobile device management profile. As mentioned before, there&#8217;s no way to dictate what users do with their personal devices, but with the next-generation firewall securing the network, an organization can govern the amount of access from an unmanaged device. The users can choose to switch from unmanaged to managed in order to gain even more functionality. It&#8217;s a win-win because the company gets control over risk without unnecessary administrative headaches, and employees get access through their favorite device.</p>
<p>We covered a lot of important topics in that meeting, and I think the customer is exactly right. The network is the place to enforce control, whether it’s a matter of dealing with applications, users or in this case, devices.  In Part III of this series, we’ll cover the specifics on how the next-generation firewall applies these concepts.</p>
]]></content:encoded>
			<wfw:commentRss>http://researchcenter.paloaltonetworks.com/2012/04/fresh-perspectives-on-consumerization-and-byod-%e2%80%93-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://researchcenter.paloaltonetworks.com/2012/04/fresh-perspectives-on-consumerization-and-byod-%e2%80%93-part-2/</feedburner:origLink></item>
	</channel>
</rss>

