We covered blocking Facebook, Twitter and BitTorrent using a Palo Alto Networks firewall by creating an application filter and specifying the parameters required to identify social media patterns in user traffic.

Highlights

What is a Firewall?

A firewall is software or hardware that monitors the network traffic and compares it against a set of rules before passing or blocking it. The most basic firewall should be able to inspect at least the packet’s protocol, source and destination port and IP addresses.

Firewall types based on packet filtering

  • Packet-filtering firewalls, also called stateless firewalls. These firewalls inspect each data packet as it travels through a network. They decide whether to block a specific packet based on the configured rules.
  • Application-layer firewalls can be a physical appliance with its own hardware, or software installed on another machine, like a plug-in or a filter. These firewalls target applications and monitor their behavior. For example, if placed in front of a web server, they can inspect requests for HTTP connections and block abnormal floods of traffic indicating a DoS attack.
  • Circuit-level firewalls check whether TCP and UDP connections across a network are valid before data is exchanged. For example, this type of firewall might first check whether the source and destination addresses, the user, the time, and the date meet certain defined rules. Data is exchanged between parties without further investigation when these checks pass, and a session starts.
  • Proxy server firewalls, also called web application firewalls. They control the information that goes in and out of a network. This ability means the server can monitor, filter, and cache data requests to and from a network. Firewall proxy servers provide safe and secure internet access to all devices on a network. There can be no communication between the client machine and the internet without the proxy server.
  • Stateful firewalls inspect connections on a network. As traffic hits the firewall, it monitors all packets that go through it and stores a combination of information about the packets in a state table. The state table tracks sessions by recording port numbers as sessions start from inside the network and are transmitted outside of the network. Gathering this information helps the firewall recognize what legitimate traffic with the correct port numbers should look like upon its return, thus allowing legitimate replies back into the network. 
  • Next-generation firewalls perform many of the same functions as stateful firewalls but with more functions from other types of firewalls, such as packet filtering and VPN support. This type of firewall also investigates packets more thoroughly compared to stateful firewalls. For example, a next-generation firewall can examine the payload for each packet and inspect it for suspicious characteristics and malware. Examples include the Juniper SRX series and Cisco Firepower.

Blocking and Allowing Social Media Such as Facebook, Twitter using Palo Alto Firewall

1) Set up a default policy for all users with a default URL profile A that blocks social networking sites.

2) Create another policy above the default policy, create another URL profile B, and apply this profile to the security policy. In this URL profile, block all social networking websites and add `*.facebook.com/*` to the allow list. This allows only Facebook and blocks all other social media sites for these users.

Additionally, Palo Alto Networks recommends creating a security policy in the firewall to block the QUIC application. With QUIC traffic blocked by the firewall, the Chrome browser falls back to traditional TLS/SSL. Note that this will not cause users to lose any functionality in their browser. The firewall gains better visibility and control of Google applications, with or without SSL decryption enabled.
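
The rule order from steps 1 and 2, plus the QUIC block, can be checked with a small first-match model. This is an added example, not Palo Alto Networks configuration or code from the original post; the rule names, user names, category table and the simplified wildcard matcher are assumptions.

```python
import re

SOCIAL = "social-networking"
# Constructed host-to-category table standing in for the firewall's URL database.
CATEGORY = {"www.facebook.com": SOCIAL, "twitter.com": SOCIAL, "example.org": "news"}

# URL profiles from steps 1 and 2: both block the category, B adds the allow list.
PROFILES = {
    "A": {"block": {SOCIAL}, "allow_list": []},
    "B": {"block": {SOCIAL}, "allow_list": ["*.facebook.com/*"]},
}

# Rules are evaluated top-down and the first match wins (user names are constructed).
RULES = [
    {"name": "block-quic", "users": "any", "app": "quic", "action": "deny"},
    {"name": "facebook-only", "users": {"alice"}, "app": "any", "profile": "B"},
    {"name": "default", "users": "any", "app": "any", "profile": "A"},
]


def wildcard_match(pattern, url):
    """Simplified model of an allow-list entry, not the firewall's own matcher:
    '*' in the host part spans one or more characters, '*' in the path spans any."""
    host_pat, _, path_pat = pattern.partition("/")
    host, _, path = url.partition("/")

    def to_regex(part, star):
        return star.join(re.escape(piece) for piece in part.split("*"))

    return bool(re.fullmatch(to_regex(host_pat, r"[^/]+"), host)
                and re.fullmatch(to_regex(path_pat, r".*"), path))


def evaluate(user, app, url):
    """Return (rule name, verdict) for one request; url is host/path without scheme."""
    for rule in RULES:
        if rule["users"] != "any" and user not in rule["users"]:
            continue
        if rule["app"] != "any" and rule["app"] != app:
            continue
        if rule.get("action") == "deny":
            return rule["name"], "deny"
        profile = PROFILES[rule["profile"]]
        if any(wildcard_match(p, url) for p in profile["allow_list"]):
            return rule["name"], "allow"  # allow list overrides the category block
        blocked = CATEGORY.get(url.partition("/")[0]) in profile["block"]
        return rule["name"], "block" if blocked else "allow"
    return None, "deny"  # nothing matched: implicit deny
```

In this model the bare host `facebook.com/` does not match `*.facebook.com/*`, and a look-alike host that merely starts with `www.facebook.com.` is not allowed either, so both cases are worth testing against the real profile after it is committed.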
