PANOS | Best Practices

Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions

To monitor and protect your network from most Layer 4 and Layer 7 attacks, follow these recommendations:

  • Upgrade to the most current PAN-OS software version and content release version to ensure that you have the latest security updates.

  • For web servers, create a security policy that allows only the protocols that the server supports. For example, ensure that only HTTP traffic is allowed to a web server. If you have defined an application override policy for a custom application, make sure to restrict access to a specific source zone or set of IP addresses.

  • Attach the following security profiles to your security policies to provide signature-based protection.
    • Create a vulnerability protection profile to block all vulnerabilities with severity low and higher.
    • Create an anti-spyware profile to block all spyware.
    • Create an antivirus profile to block all content that matches an antivirus signature.
  • Block all unknown applications/traffic using security policy. Typically, the only applications that are classified as unknown traffic are internal or custom applications on your network, or potential threats. Because unknown traffic can be a non-compliant application or protocol that is anomalous or abnormal, or a known application that is using non-standard ports, unknown traffic should be blocked.

  • Create a file blocking profile that blocks Portable Executable (PE) file types in Internet-based SMB (Server Message Block) traffic (ms-ds-smb applications) from traversing from the trust zone to the untrust zone.
    • For additional protection, create an antivirus policy to detect and block any known malicious DLL files.
  • Create a zone protection profile that is configured to drop mismatched and overlapping TCP segments, to protect against packet-based attacks.
    • By deliberately constructing connections with overlapping but different data in them, attackers can attempt to cause misinterpretation of the intent of the connection. This can be used to deliberately induce false positives or false negatives. An attacker can use IP spoofing and sequence number prediction to intercept a user's connection and inject their own data into the connection. PAN-OS uses this field to discard such frames with mismatched and overlapping data. The scenarios where the received segment will be discarded are:
      • The segment received is contained within another segment.
      • The segment received overlaps with part of another segment.
      • The segment completely contains another segment.
  • Verify that support for IPv6 is enabled, if you have configured IPv6 addresses on your network hosts. (Network > Interfaces > Ethernet > IPv6)
    • This allows access to IPv6 hosts and filters IPv6 packets that are encapsulated in IPv4 packets. Enabling support for IPv6 prevents IPv6 over IPv4 multicast addresses from being leveraged for network reconnaissance.
  • Enable support for multicast traffic so that the firewall can enforce policy on multicast traffic. (Network > Virtual Router > Multicast)

  • Enable the following CLI command to clear the URG bit flag in the TCP header and disallow out-of-band processing of packets.
    • The urgent pointer in the TCP header is used to promote a packet for immediate processing by removing it from the processing queue and expediting it through the TCP/IP stack on the host. This process is called out-of-band processing. Because the implementation of the urgent pointer varies by host, use the following CLI command to disallow out-of-band processing and eliminate the ambiguity; the out-of-band byte in the payload becomes part of the payload and the packet is not processed urgently. With this change, the firewall and the host process the packet the same way, and the firewall sees exactly the same stream in the protocol stack as the host for which the packet is destined.
    • set deviceconfig setting tcp urgent-data clear
  • Enable the following CLI command for disabling the bypass-exceed-queue.
    • The bypass exceed queue is required for out-of-order packets. This scenario is most common in an asymmetric environment where the firewall receives packets out of order. For identification of certain applications (App-ID) the firewall performs heuristic analysis. If the packets are received out of order, the data must be copied to a queue in order to complete the analysis for the application.
    • set deviceconfig setting application bypass-exceed-queue no
  • Enable the following CLI commands for disabling the inspection of packets when the out-of-order packet limit is reached. The Palo Alto Networks firewall can collect up to 32 out-of-order packets per session. This counter identifies that packets have exceeded the 32-packet limit. When the bypass setting is set to no, the device drops the out-of-order packets that exceed the 32-packet limit. A commit is required.
    • set deviceconfig setting tcp bypass-exceed-oo-queue no
    • set deviceconfig setting ctd bypass-exceed-queue no
  • Enable the following CLI commands for checking the TCP timestamp. The TCP timestamp records when the segment was sent and allows the firewall to verify that the timestamp is valid for that session.
    • set deviceconfig setting tcp check-timestamp-option yes
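
The three overlap scenarios listed under the zone protection recommendation can be modelled in a few lines. This is an added illustration, not PAN-OS code: the `Segment`, `classify`, `mismatched` and `inspect` names are hypothetical, the sample bytes are constructed, and the model assumes a segment is discarded only when the overlapping bytes differ, so an identical retransmission is accepted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number of the first payload byte (wraparound not modelled)
    data: bytes

    @property
    def end(self) -> int:
        return self.seq + len(self.data)  # one past the last byte

def classify(new: Segment, old: Segment) -> str:
    """Relation of a newly received segment to one already-buffered segment."""
    if new.end <= old.seq or old.end <= new.seq:
        return "disjoint"
    if old.seq <= new.seq and new.end <= old.end:
        return "contained-within"   # new segment lies inside the buffered one
    if new.seq <= old.seq and old.end <= new.end:
        return "contains"           # new segment completely covers the buffered one
    return "partial-overlap"        # new segment overlaps one edge of the buffered one

def mismatched(new: Segment, old: Segment) -> bool:
    """True when the bytes both segments claim for the same sequence range differ."""
    lo, hi = max(new.seq, old.seq), min(new.end, old.end)
    if lo >= hi:
        return False
    return new.data[lo - new.seq:hi - new.seq] != old.data[lo - old.seq:hi - old.seq]

def inspect(new: Segment, queue: list) -> tuple:
    """Return (verdict, findings); drop only when overlapping bytes disagree."""
    findings = [(classify(new, old), old.seq) for old in queue if mismatched(new, old)]
    return ("drop" if findings else "accept", findings)

# Constructed sample: one buffered segment covering sequence numbers 100..109.
BUFFERED = [Segment(100, b"ABCDEFGHIJ")]
SAMPLES = [
    Segment(103, b"DEF"),             # same bytes again (retransmission)
    Segment(103, b"DxF"),             # inside the buffered segment, different byte
    Segment(108, b"zzKL"),            # overlaps the tail with different bytes
    Segment(98, b"yyABCDEfGHIJyy"),   # covers the whole segment, one byte changed
    Segment(110, b"KLM"),             # next in-order data, no overlap
]

if __name__ == "__main__":
    for seg in SAMPLES:
        print(seg.seq, seg.data, *inspect(seg, BUFFERED))
```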
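
To confirm that the CLI settings above are actually present on a device, the following added example (not Palo Alto Networks code) audits a configuration exported in set format against the five commands on this page and returns the commands still needed. It assumes the export contains one `set ...` line per setting; the helper names and the sample configuration are constructed for illustration.

```python
# Required values, taken from the CLI commands listed on this page.
REQUIRED = {
    "deviceconfig setting tcp urgent-data": "clear",
    "deviceconfig setting application bypass-exceed-queue": "no",
    "deviceconfig setting tcp bypass-exceed-oo-queue": "no",
    "deviceconfig setting ctd bypass-exceed-queue": "no",
    "deviceconfig setting tcp check-timestamp-option": "yes",
}

# Constructed sample of a set-format configuration export (not from a real device).
SAMPLE_CONFIG = """\
set deviceconfig system hostname fw-lab-01
set deviceconfig setting tcp urgent-data clear
set deviceconfig setting application bypass-exceed-queue no
set deviceconfig setting tcp bypass-exceed-oo-queue no
set deviceconfig setting ctd bypass-exceed-queue yes
"""

def parse_set_lines(text):
    """Map each 'set <path> <value>' line to {path: value}; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "set":
            settings[" ".join(tokens[1:-1])] = tokens[-1]
    return settings

def audit(text):
    """Return {path: status} for every setting this page recommends."""
    have = parse_set_lines(text)
    report = {}
    for path, want in REQUIRED.items():
        got = have.get(path)
        if got is None:
            report[path] = "not set"  # device default applies; the page does not state it
        elif got == want:
            report[path] = "ok"
        else:
            report[path] = "is '%s', expected '%s'" % (got, want)
    return report

def remediation(text):
    """Return the set commands that bring the configuration in line with the page."""
    return ["set %s %s" % (p, REQUIRED[p]) for p, s in audit(text).items() if s != "ok"]

if __name__ == "__main__":
    for path, status in audit(SAMPLE_CONFIG).items():
        print("%-55s %s" % (path, status))
    print("\n".join(remediation(SAMPLE_CONFIG)))
```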