Examining an Anti-Spyware profile

A knowledge base article about Examining an Anti-Spyware profile provided by the UC Berkeley IT Service Hub - Knowledge Portal

The Information Security Office (ISO) creates a number of security profiles that individual departments can use in their own environment. The best way to understand the settings associated with these profiles, and to evaluate them for local use, is to review the settings themselves. Below are the steps necessary to examine the settings of an Anti-Spyware profile.

  1. While logged into https://panorama.net.berkeley.edu, choose “Objects” from the tabs at the top of the window
  2. Under “Security Profiles” in the left pane choose “Anti-Spyware”
  3. From the list of Anti-Spyware profiles, select the one you are interested in examining. For this example we will look at ucbsec-RD_server (the recommended Anti-Spyware profile for servers containing Restricted Data). On opening the profile, the first thing you will notice is the rules. Like firewall rules in general, the Palo Alto firewall reads these rules in order from the top down, so items with a higher criticality should be placed at the top of the list.
  4. The first rule, “simple-critical,” applies to any threat where the spyware has a severity (as determined by Palo Alto) of critical. If behavior seen by the Palo Alto firewall matches the behavior identified as a piece of malware with this severity, the firewall takes the action shown in the action column, which in this case is to send a reset packet to both the client and the server, effectively ending the session. It will also record the packet that was detected attempting the exploit. If your display does not contain any of the columns you see above, hover over a column header, click the down arrow that appears, and choose the “Columns” you wish to see from the resulting menu.
  5. The next rule, “simple-high,” performs a similar function for spyware deemed to have a high severity.
  6. This pattern continues with lower levels of severity until the “Data Theft” rule, which is based on a particular category of spyware rather than on severity. While all of the other rules choose their action based on the severity of the spyware, this one is different: even if a piece of spyware has a low severity, if it falls into the category associated with data theft, its traffic is interrupted by the firewall.

  7. After reviewing the rules, it is important to examine the exceptions to them. In the ucbsec-RD_server Anti-Spyware profile there are normally no exceptions; however, for the purposes of this article one was created to show what an exception looks like. Exceptions can be used to change the action the firewall takes (as seen in this one, where it is set to alert despite being a critical issue), to change whether a packet is captured, or to apply the exception only to specific IP addresses.


    Note: To see all of the signatures that could be used for exceptions, click the “Show all signatures” checkbox in the lower left part of the above window.

  8. The final area to examine in this Anti-Spyware profile is the “DNS Signatures” tab, which includes two External Dynamic Lists of malicious/spyware-related domains and the sinkhole behavior of the firewall. In this example, External Dynamic List Domains has two entries: one provided by Palo Alto Networks and another titled “threat-malicious_FQDN” that ISO accumulates from trusted third parties. When the firewall sees a DNS query for one of these hostnames, instead of allowing an accurate response it sends the requester a sinkhole IP address, so the traffic will not successfully connect to the IP address associated with that domain. At the time of this writing we are directing the traffic to a publicly known sinkhole operated by Palo Alto if the DNS request is an IPv4 request, and back to the victim’s machine if it is an IPv6 request.
  9. To exit out of this, click the “Cancel” button.
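The sinkhole behavior from step 8, as an added example that is not part of this article or of PAN-OS: a small Python model of how a query for a listed domain is answered (IPv4 sinkhole address, IPv6 loopback) and of why this helps the defender, since a host that then connects to the sinkhole address in the traffic log is the machine that performed the lookup. The list entries, the sinkhole address 203.0.113.10 and the log lines are constructed placeholders.

```python
import re

# Constructed stand-in for the two External Dynamic Lists on the "DNS Signatures" tab:
# the vendor-provided list and the locally curated "threat-malicious_FQDN" list.
# All entries, addresses and log lines below are made up for this example.
EDL_VENDOR = {"malware-c2.example.net"}
EDL_LOCAL = {"bad-updates.example.org", "exfil.example.com"}
SINKHOLE_V4 = "203.0.113.10"  # placeholder for the vendor-operated public sinkhole
SINKHOLE_V6 = "::1"           # loopback, i.e. the answer points back to the victim's machine


def resolve(qname: str, qtype: str):
    """Model the sinkhole action for one DNS query.

    Returns (answer, sinkholed). Listed names get the sinkhole address instead of
    the real answer; unlisted names return None (hand the query to the real resolver).
    Assumption: list entries match the exact queried name only.
    """
    name = qname.rstrip(".").lower()
    if name in EDL_VENDOR | EDL_LOCAL:
        return (SINKHOLE_V4 if qtype.upper() == "A" else SINKHOLE_V6), True
    return None, False


# Constructed traffic log lines in a simple key=value form.
TRAFFIC_LOG = """\
2024-05-01T10:00:01Z src=10.1.2.3 dst=203.0.113.10 dport=443
2024-05-01T10:00:02Z src=10.1.2.4 dst=198.51.100.7 dport=443
2024-05-01T10:00:03Z src=10.1.2.3 dst=203.0.113.10 dport=80
2024-05-01T10:00:04Z src=10.1.2.9 dst=203.0.113.10 dport=8443
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def hosts_talking_to_sinkhole(log_text: str) -> dict:
    """Return {source_ip: [dport, ...]} for every connection to the sinkhole address.

    A sinkholed answer pays off when someone acts on it: the host that connects to
    the sinkhole is the one that looked the domain up, which DNS logs alone would
    hide behind the campus resolver's IP address.
    """
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["dst"] == SINKHOLE_V4:
            hits.setdefault(m["src"], []).append(int(m["dport"]))
    return hits


if __name__ == "__main__":
    print(resolve("exfil.example.com", "A"))
    print(hosts_talking_to_sinkhole(TRAFFIC_LOG))
```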



More information about Anti-Spyware profiles can be found at:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles-anti-spyware-profile