
Basic App-ID
PAN-EDU-201, PAN-OS 6.1, Rev B
2015, Palo Alto Networks. Confidential and Proprietary.

Agenda
- Application Identification (App-ID)
- Overview
- Components
- Application Groups and Filters

Application Identification (App-ID)

Flow Logic of the Next-Generation Firewall
- Initial Packet Processing: Source Zone / Address / User-ID -> PBF / Forwarding Lookup -> Destination Zone -> NAT Policy Evaluated -> Security Pre-Policy (Check Allowed Ports) -> Session Created
- Application: Check for Encrypted Traffic -> Decryption Policy -> Application Override Policy -> App-ID
- Security Policy: Check Security Policy -> Check Security Profiles
- Post Policy Processing: Re-Encrypt Traffic -> NAT Policy Applied -> Packet Forwarded

App-ID
- Application Identification is at the core of PAN-OS Security, QoS, and PBF policies.
- Each session contains the information that is necessary to identify the applications traversing the firewall.

What is an Application?
Examples: Google, Gmail, GoogleTalk, Google Calendar, eMule, UltraSurf, Sybase

Evasive Applications
A port-based firewall sees Yahoo Messenger and a BitTorrent client only as port numbers: port 5050 blocked, port 6681 blocked, port 80 open.

Palo Alto Networks Firewalls with App-ID versus Legacy Firewalls

Scenario 1: DNS Traffic
- Legacy firewall, rule "ALLOW Port 53": DNS on port 53: Allow; BitTorrent on port 53: Allow. Visibility: port 53 allowed.
- Firewall with App-ID, rule "ALLOW DNS": DNS = DNS: Allow; BitTorrent is not DNS: Deny. Visibility: BitTorrent detected and blocked.

Scenario 2: BitTorrent with Application IPS
- Legacy firewall, rule "ALLOW Port 53" plus Application IPS rule "Block BitTorrent": DNS: Allow; BitTorrent: Deny. Visibility: BitTorrent detected and blocked.
- Firewall with App-ID, rule "ALLOW DNS": DNS: Allow; BitTorrent: Deny. Visibility: BitTorrent detected and blocked.

Scenario 3: Zero-Day Malware
- Legacy firewall, rule "ALLOW Port 53" plus Application IPS rule "Block BitTorrent": DNS, BitTorrent and zero-day command & control all arrive on port 53; the IPS rule covers BitTorrent only, so zero-day C & C: Allow. Visibility: packet on port 53 allowed.
- Firewall with App-ID, rule "ALLOW DNS": DNS: Allow; BitTorrent: Deny; zero-day C & C is not DNS: Deny. Visibility: unknown traffic detected and blocked.

Examining UDP Packets
Fields marked on the slide: Source Address, Destination Address, Destination Port, Application Data.
  00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00
  00 3b d1 26 00 00 80 11 54 18 0a 10 00 6e 0a 00
  00 f6 c1 76 00 35 00 27 c7 5a a3 24 01 00 00 01
  00 00 00 00 00 00 03 77 77 77 05 6d 65 65 62 6f
  03 63 6f 6d 00 00 01 00 01

Examining TCP Packets
Fields marked on the slide: Source Address, Destination Address, Destination Port. TCP syn:
  00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00
  00 30 d1 29 40 00 80 06 8f 60 0a 10 00 6e d0 51
  bf 6e 3a 52 01 bb 31 d7 06 19 00 00 00 00 70 02
  ff ff 74 e4 00 00 02 04 05 b4 01 01 04 02
Exchange shown: syn, syn ack, ack, http get, http response. Application Data (as printed on the slide):
  1f 8b 08 00 00 00 00 00 00 03 b4 57 fd 6f db 36
  13 fe 57 ae 1a 36 3b 99 2d 35 fb 00 da c4 f6 b0
  26 e9 bb bc 48 9a 60 75 57 0c 7d 8b 81 92 4e 12
  63 89 54 49 2a ae 57 e4 7f df 1d 25 39 b2 f7 91
  fe b0 37 08 60 ea 78 3c de 3d 7c ee 78 9c 3d 39
  bb 3e 5d fe 7a 73 0e 3f 2d af 2e e1 e6 cd 8b cb

App-ID Flow
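To make the point of the two packet slides and of Scenario 1 concrete, here is an added example (not part of the Palo Alto Networks course material) that decodes the UDP and TCP frames printed above with the Python standard library and classifies each from its application data rather than from its destination port. The BitTorrent-on-port-53 datagram is constructed for the example by reusing the DNS frame's headers.

```python
import socket
import struct

# Frames copied from the "Examining UDP Packets" / "Examining TCP Packets" slides above.
UDP_DNS_FRAME = bytes.fromhex(
    "00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00 00 3b d1 26 00 00 80 11 54 18 "
    "0a 10 00 6e 0a 00 00 f6 c1 76 00 35 00 27 c7 5a a3 24 01 00 00 01 00 00 00 00 "
    "00 00 03 77 77 77 05 6d 65 65 62 6f 03 63 6f 6d 00 00 01 00 01")
TCP_SYN_FRAME = bytes.fromhex(
    "00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00 00 30 d1 29 40 00 80 06 8f 60 "
    "0a 10 00 6e d0 51 bf 6e 3a 52 01 bb 31 d7 06 19 00 00 00 00 70 02 ff ff 74 e4 "
    "00 00 02 04 05 b4 01 01 04 02")
# Constructed for Scenario 1: the same Ethernet/IP/UDP headers (still destination port 53)
# carrying a BitTorrent handshake instead of the DNS question.
EVASIVE_FRAME = UDP_DNS_FRAME[:42] + b"\x13BitTorrent protocol"

def decode_frame(frame):
    """Return what a port-based firewall matches on (addresses, ports) plus the L4 payload."""
    assert struct.unpack("!H", frame[12:14])[0] == 0x0800, "only IPv4 frames are handled"
    ip = frame[14:]
    l4 = ip[(ip[0] & 0x0F) * 4:]                 # skip the IPv4 header (IHL * 4 bytes)
    info = {"proto": ip[9], "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20])}
    info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if info["proto"] == 17:                      # UDP: fixed 8-byte header
        info["payload"] = l4[8:]
    elif info["proto"] == 6:                     # TCP: data offset in the high nibble of byte 12
        info["flags"], info["payload"] = l4[13], l4[(l4[12] >> 4) * 4:]
    else:
        raise ValueError("unsupported IP protocol %d" % info["proto"])
    return info

def dns_question_name(payload):
    # Walk the length-prefixed labels that follow the 12-byte DNS header.
    labels, pos = [], 12
    while payload[pos]:
        labels.append(payload[pos + 1:pos + 1 + payload[pos]].decode("ascii"))
        pos += 1 + payload[pos]
    return ".".join(labels)

def identify(frame):
    """Toy App-ID: classify from application data, never from the port number alone."""
    info = decode_frame(frame)
    p = info["payload"]
    if info["proto"] == 6 and not p:
        return "tcp-handshake"                   # a SYN carries no application data yet
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"                      # same verdict on port 53, 6681 or 80
    # DNS query: QR bit clear and opcode 0, exactly one question, labels parse cleanly
    if info["proto"] == 17 and len(p) > 12 and (p[2] & 0xF8) == 0 and p[4:6] == b"\x00\x01":
        return "dns:" + dns_question_name(p)
    return "unknown"
```

A legacy rule keyed on `dport == 53` passes both UDP frames; the classifier separates them only because it reads the payload.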

App-ID Components
- Protocol Decoders: detect protocol in protocol within a session; provide context for Application Signatures
- Application Signatures: detect Layer 7 signatures within a session
- Protocol Decryption: SSL & SSH decryption
- Heuristics: looks for patterns of communication when no signature exists

Application shift (diagram on the slide): web-browsing -> facebook-base -> facebook-chat. Protocol Decoders and Application Signatures drive each shift; Heuristics apply when no signature exists.

Heuristics

Application Signatures
Objects > Applications

Application Dependencies
- Parent applications must also be allowed by security policy for the dependent applications to function.
- Example: google-translate-base is an application shift from web-browsing; each has its own Allow | Deny decision in policy.

Applications with Implicitly Used Applications
Objects > Applications

Applications that Depend on Applications

Implicit Applications
- PAN-OS implicitly allows parent applications for a set of commonly used applications such as ssl and web-browsing.
- In this example, facebook access will work even if the Allow Web-browsing policy were removed.

Application Dependencies
This policy takes into account the dependent applications as well as the URL category for the Office-on-Demand application.

Implicit Application Dependencies
Allowed Application | Example Applications | Implicitly Allowed App Dependency
software-update apps; business-systems apps; web-mail apps, IMs, social-networking | erp-crm, storage-backup, sharepoint | web-browsing
Apps identified in rpc decoder | mount, nfs, portmapper, ibm-clearcase | rpc
Apps identified in msrpc decoder | ms-exchange, active-directory, arcserve | msrpc
msrpc | | ms-ds-smb
ms-ds-smb | | netbios-ss
Apps identified in rtsp decoder | | rtsp
Apps identified in rtmp decoder | bbc-iplayer | rtmp, rtmpt
Media streaming apps | napster, megavideo | flash
Remote desktop | ms-rdp, msn-remote-desktop | t.120
Citrix ICA/Jedi | | citrix/citrix-jedi
IM apps | yahoo-voice, gtalk-voice, msn-voice, facetime | stun
GoTo apps | gotomeeting, gotomypc, gotoassist | jabber
Apps identified based on SSL request and response | | ssl
Note: SSH can remain in both uses-apps and implicit-uses-apps.

Using Port Numbers in Security Policies
Objects > Services; Policies > Security

Application Default
- The Application Default option is found within the Service column.
- Example: the policy will only match if the application matches SSH and is using TCP port 22, as is expected.

Security Policy Example: http-get
Source: Address Group "Local-Net" /16, user Joe, Zone Trust-L3. Destination: Zone Untrust-L3, destination port TCP 80.

Security Policy Example: Google Translate
Source: Address Group "Local-Net" /16, user Joe, Zone Trust-L3. Destination: Zone Untrust-L3, destination port TCP 80.

Application Groups and Filters

Application Filters and Groups
- Application Filters: dynamic grouping of individual App-IDs based on App-ID attributes: Category, Subcategory, Technology, Risk, Characteristic
- Application Groups: aggregates of individual App-IDs, Application Filters, and nested Application Groups

Application Filters and Groups Hierarchy -> Security Policy

App-ID Filters Example
Used to cover families of applications. Objects > Application Filters

Displaying Application Information
Displays detailed information for: Applications, Application Containers, Filters, Application Groups

Filtering Web-Browsing Applications
New application signatures are automatically included in the filter when released. Objects > Application Filters > Add

Application Group
Application Groups can contain applications, filters, or other application groups.

Application Group Example
- Known_Good: static group of applications: DNS, Web-browsing, SSL, Flash
- Known_Bad: static group of filters and applications: Games, P2P, Remote Access, Tunneling
Objects > Application Groups

Security Policy Example
Requirements:
- Process known good and bad applications
- Determine what other applications are present in network traffic for future classification
Policies > Se
