Western & Southern Financial Group had what it considered defense in depth for its IP network but recognized that there were still ways that sensitive data might leave the network undetected, so it looked for more protection.
The company, which manages US$47 billion in assets, chose to add Palo Alto Networks’ next-generation firewall to its existing traditional firewall, intrusion prevention system, URL filtering and data-loss prevention gear.
The result is that Western & Southern now has better visibility into traffic leaving the network, says Doug Ross, CTO of the Cincinnati, Ohio financial firm.
Palo Alto’s PA-4000 appliances perform deep packet inspection on traffic originating in business networks that is perhaps destined for servers outside the company. The devices identify what applications are running on the network and apply filters based on them.
Layer 7 firewalls, sometimes called next-generation firewalls, can parse traffic to the point of detecting content, and traditional firewall vendors are adding intrusion prevention to their products to attain this type of support, analysts say.
“A next-generation firewall needs to look within traffic streams and determine whether this is the traffic I expected,” says Rob Whiteley, an analyst with Forrester Research. The key to protection is peering deep into packets to decide what poses a threat and what doesn’t, not merely on what ports it uses, he says.
Palo Alto, for instance, can detect peer-to-peer traffic such as file sharing and Skype, applications that seek random ports and so are more difficult to block with traditional firewalls. Such applications can be simply unwanted or even dangerous – letting sensitive data leave the corporate network – and Palo Alto gear can at least reveal that they are running, Ross says, allowing network security staff to deal with them.
“Data-loss prevention doesn’t give you insight into what applications are running out there,” he says.
Western & Southern doesn’t trust the Palo Alto gear yet to enforce policies; it is installed in monitoring mode, he says. “We have found significant value in understanding the geographic and application profiles of our network traffic. Long term, we intend to block,” he says.
The Palo Alto gear can tell where in the world connections are being made and flag suspicious traffic. “We do no business outside the U.S.,” Ross says of Western & Southern. “Why would we even allow a source to come from a specific country or allow a destination address in a country where we have no business relationship? [Palo Alto’s equipment] allows us to manage risk in a more comprehensive way than we could with any of the tools we had before.”
Similarly, if malware manages to infect a computer and it needs to connect to servers outside the network, Palo Alto can detect that.
“This tool will say, ‘I’ve got some unidentified traffic that’s attempting to phone home to some weird place and it has no recognizable application behind it and it appears to be encrypted.’ That’s a theoretical situation that tool could help us with,” says Ross.
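The three checks Ross describes above (judging traffic by the identified application rather than its port, flagging connections to countries the firm does no business with, and flagging unidentified traffic that appears encrypted) can be sketched as a small flow-triage routine. The code below is an added illustration, not code from the article or from Palo Alto Networks; the flow fields, application labels, the allowed-country set and all sample flows are constructed assumptions, and it models the monitoring-only deployment by reporting findings instead of blocking unless told otherwise.

```python
"""Application-aware outbound flow triage (constructed example).

Contrasts a port-only verdict with Layer-7 findings for the same flow.
Every record below is constructed sample data, not real traffic.
"""
from dataclasses import dataclass
from typing import List, Optional, Dict


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    dst_country: str        # assumed to come from a GeoIP lookup upstream
    app: Optional[str]      # DPI application label; None when unidentified
    encrypted: bool         # payload looked encrypted (TLS or high entropy)


# Policy knobs: assumed values for the example, not any firm's real settings.
ALLOWED_COUNTRIES = {"US"}
UNWANTED_APPS = {"bittorrent", "skype"}   # port-hopping P2P apps named in the article


def port_only_verdict(flow: Flow, allowed_ports=(80, 443)) -> str:
    """Traditional stateful-firewall view: decide by destination port alone."""
    return "allow" if flow.dst_port in allowed_ports else "deny"


def app_aware_findings(flow: Flow) -> List[str]:
    """Layer-7 view: reasons this flow deserves attention (empty list = clean)."""
    findings = []
    if flow.app in UNWANTED_APPS:
        findings.append(f"unwanted application {flow.app} on port {flow.dst_port}")
    if flow.dst_country not in ALLOWED_COUNTRIES:
        findings.append(f"destination country {flow.dst_country} outside business footprint")
    if flow.app is None:
        findings.append("unidentified encrypted traffic leaving the network"
                        if flow.encrypted else "unidentified application traffic")
    return findings


def triage(flows: List[Flow], monitor_only: bool = True) -> List[Dict]:
    """Apply both views to each flow.

    In monitor mode (the article's deployment) nothing is blocked: flows with
    findings are reported as alerts so a business process can act on them.
    """
    report = []
    for flow in flows:
        findings = app_aware_findings(flow)
        if not findings:
            action = "allow"
        else:
            action = "alert" if monitor_only else "block"
        report.append({
            "flow": flow,
            "port_verdict": port_only_verdict(flow),
            "findings": findings,
            "action": action,
        })
    return report


# Constructed sample flows. "ZZ" is a placeholder country code, not a real one.
SAMPLE_FLOWS = [
    # P2P client hiding on 443: a port-only rule allows it, DPI names the app.
    Flow("10.1.2.3", "203.0.113.10", 443, "US", "skype", True),
    # Unknown encrypted traffic to a country outside the business footprint.
    Flow("10.1.2.4", "198.51.100.7", 8443, "ZZ", None, True),
    # Ordinary identified web traffic to an allowed country: clean.
    Flow("10.1.2.5", "203.0.113.20", 443, "US", "web-browsing", True),
    # Internal management-tool traffic DPI cannot name yet (the HP case).
    Flow("10.1.2.6", "10.1.9.9", 2381, "US", None, False),
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_FLOWS):
        f = entry["flow"]
        print(f"{f.src_ip} -> {f.dst_ip}:{f.dst_port} "
              f"port-only={entry['port_verdict']} action={entry['action']} "
              f"findings={entry['findings']}")
```

The first sample flow is the point of the article: a port-only firewall allows it because it rides on 443, while the application-aware view names the P2P client. The last flow shows why monitoring mode comes first: an unrecognised but legitimate vendor tool produces a finding that needs a human process, not an automatic block.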
The Palo Alto gear can terminate SSL traffic and decrypt it to figure out what’s in it, but Western & Southern hasn’t turned on that feature. There are legitimate private uses of SSL connections – such as accessing personal bank accounts on company time – that the firm doesn’t want to hamper, Ross says.
With the ability to view and apply policies to traffic all the way to Layer 7, the Palo Alto gear could eventually replace the company’s firewall and IPS, once Ross feels comfortable that it could be done without losing protection.
“One of the hopes with Palo Alto Networks is that, over time, we can greatly simplify our infrastructure,” Ross says.
A set of business rules would have to be set up first to deal with whatever reports the Palo Alto gear might make about such traffic, he says.
“My suspicion is a lot of people don’t have a process for dealing with a series of incidents that could be completely innocent,” Ross says. “What do you do with the information you get? What’s the governance for notifying a business unit about incidents?”
For instance, if an employee sends SSH-encrypted data through an SSL session, who should be notified? The end user? The end user’s boss? Ross recommends working groups made up of representatives of business units to set policies on such issues.
Western & Southern has faced one glitch caused by Palo Alto. The platform detected the company’s HP desktop management software traffic to and from endpoints and couldn’t figure out what it was. “It threw up its hands and said, ‘I don’t know what this is but you should be aware of it,’” Ross says.
He reported the problem to Palo Alto and it fixed it. The PA-4000 now identifies the HP software as a vendor tool, he says.