Zero Trust
Arguably, Zone Protection is part of the Zero Trust security model, as it assumes that all traffic passing across an interface is potentially malicious. The sad fact is that in today's environment as many attacks, if not more, are launched from inside a network as from outside, and let us not forget that a compromised host is effectively an external actor with the access of an internal user.

Who is attacking?

"60% of all attacks in 2016 were found to be carried out by insiders..."

IBM Security Research

Zone Protection Profiles address this by scanning for and dropping the following attacks:
 

TCP Flood

This is handled through TCP SYN flood protection. In a SYN flood an attacker attempts to exhaust the resources of the target server by sending a continual stream of SYN requests and never completing the handshake; the server has no option but to hold each half-open connection until a timer expires and the session is closed. Do this quickly enough and you have a denial of service.


Reconnaissance Protection

Port scans and host sweeps are what we are trying to avoid here. This is the ability to scan through the firewall into other, potentially more sensitive, networks and return a list of hosts and their open ports; with enough access to the target subnet an attacker can even ascertain operating systems and versions, search for matching vulnerabilities and ultimately compromise the box.

Packet Based Attack Protection

Malformed and carefully crafted packets will cause havoc with your firewall and with any host they are targeted at on the other side of it. With Packet Based Attack Protection switched on, the firewall will drop malformed packets, spoofed source addresses, and packets carrying strict source routing and loose source routing options, as well as others. ICMP drop is also an option, dependent on how you use ICMP (ping) within your organisation.


DOS Profile Protection

It doesn't stop there...
Once the zone protection profile has been evaluated, you can further inspect and defend against traffic designed to take down your servers by implementing a DoS Protection Profile, which is evaluated after zone protection; with it you can control connections per second right down to a specific server in your environment.

The Difficult Part



To use these protections as efficiently and securely as possible you have to remember that all networks are different. If you have backup jobs that run at quiet times, you need to know that they won't break the threshold and be dropped; equally, if you are an online retailer with busy days and quiet days, a balance must be struck between protection and connectivity.
This is achieved by baselining the network: start with thresholds at around 80 to 90 percent of the firewall's capacity with the protections set to alert only, then bring the thresholds down step by step until you reach that balance.
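The baselining loop above, written out as an added example (not Mode44's or Palo Alto Networks' code): a constructed one-day sample of new connections per second, including a nightly backup spike, a hypothetical firewall capacity, and a routine that starts at 85% of capacity, replays each candidate threshold against the baseline as an alert-only pass, and lowers it until the next step would sit inside the headroom kept above legitimate peaks.

```python
"""Flood-threshold baselining helper (added example; all figures are constructed)."""

# Constructed baseline: new connections per second, one sample per hour over a day.
# The 02:00 value models a nightly backup job; the afternoon models the busy retail window.
BASELINE_CPS = [
    120, 110, 2600, 130, 115, 140, 300, 900, 1500, 2100, 2300, 2400,
    2500, 2450, 2200, 2000, 1800, 1200, 800, 600, 400, 250, 180, 140,
]

# Hypothetical platform limit for new connections per second.
FIREWALL_CAPACITY_CPS = 50_000


def alerts_triggered(samples, threshold):
    """Alert-only pass: count baseline intervals that would have raised an alert."""
    return sum(1 for cps in samples if cps > threshold)


def tune_threshold(samples, capacity, start_fraction=0.85, step=0.9, headroom=1.3):
    """Start at start_fraction of capacity (the 80-90% starting point), then lower the
    candidate by `step` each round while it still clears the legitimate peak by `headroom`.
    Returns (threshold, rounds). The chosen level never alerts on baseline traffic."""
    legitimate_peak = max(samples)          # e.g. the backup job, which must not be dropped
    floor = legitimate_peak * headroom      # never go closer to the peak than this
    threshold = capacity * start_fraction
    rounds = 0
    while threshold * step >= floor:
        candidate = threshold * step
        # A candidate that would already alert on baseline traffic is too low; stop here.
        if alerts_triggered(samples, candidate) > 0:
            break
        threshold = candidate
        rounds += 1
    assert alerts_triggered(samples, threshold) == 0
    return round(threshold), rounds


if __name__ == "__main__":
    chosen, rounds = tune_threshold(BASELINE_CPS, FIREWALL_CAPACITY_CPS)
    print(f"threshold {chosen} cps after {rounds} rounds; "
          f"baseline peak {max(BASELINE_CPS)} cps")
```

The resulting threshold is the one to commit once alert-only monitoring over a full business cycle (busy and quiet days alike) has stayed silent at that level.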

The Conclusion



Palo Alto Networks and Mode44 have the technology and the knowledge to make your environment a safer place. Please get in touch and start a conversation about how we can help you sleep better at night; there are demonstrations on our YouTube channel, or call for a free, no-obligation demonstration of the industry-leading security suite Palo Alto Networks has to offer.


Contact Us for Further Info

As you can see, the scope of what Mode44 can do is vast, and it is much better understood interactively. We are happy to take calls and email questions, or to provide you with free, no-obligation demonstrations and Proof of Concept designs and implementations so you can see the value in Mode44.

ARE YOU READY?


We are ready for your queries; please get in touch with any enquiries or issues you may have with your existing, or not yet present, cyber security services.
Mode44 is able to discuss any projects, issues or concerns you may have with either Palo Alto Networks or with your current vendor if they are not Palo Alto Networks specialists.
