Professional Documents
Culture Documents
Palo Alto Networks - Content-ID Tech Brief
Palo Alto Networks - Content-ID Tech Brief
Palo Alto Networks - Content-ID Tech Brief
Decode Check
maximizes performance by scan- Signatures
Botnet/C&C Matches
Vulnerabilty Matches
Data Matches
URL Matches
Applications Exploits & Malware Dangerous URLs Unknown & Targeted Threats
• All traffic, all ports, all the time • Block threats on all ports • Malware hosting URLs • Identify unknown malware
• Application signatures • Millions of malware samples • Newly registered domains and zero-day exploits
• Heuristics • SSL decryption of high-risk sites • Unknown traffic analysis
• Decryption • Anomalous network behaviors
• Reduce the attack surface • Prevent known threats • Block known sources of threats • Pinpoint live infections and prevent
• Remove the ability to hide • Exploits, malware, • Be wary of unclassified and targeted attacks
C&C traffic new domains
Decreasing Risk
Figure 2: Palo Alto Networks brings a unique approach to Threat Prevention, starting with reducing the attack surface
through positive security controls, blocking all known threats, and quickly discovering and stopping unknown threats.
Manag
emen
t
Conte
nt WildFire: Protection from Unknown Malware and
Securi
ty
Zero-Day Exploits
Contr
ol Pla
ne Manag
Cyber adversaries have increasingly turned to unknown threats
emen
Data
Plane
t
to avoid traditional security controls. Palo Alto Networks has
addressed this challenge with WildFire™ cloud-based malware
analysis environment, which identifies unknown malware,
Figure 3: Palo Alto Networks single-pass parallel zero-day
Networkexploits,Payload
and advanced persistent threats (APTs) by
observing Received
Traffic their actual behavior in a virtualized environment,
processing architecture accelerates content inspection
performance while minimizing latency instead of relying solely on pre-existing signatures.
Payload
Scanned
• Integration of Firewall and the Cloud: To support dynamic
malware analysis across the network at scale, WildFire is
Content-ID is enabled on all Palo Alto Networks platform Output
built on a cloud-based architecture that can be leveraged
deployments through annual URL Filtering and/or Threat
by your existing Palo Alto Networks next-generation
Prevention subscriptions, both of which provide support for
firewall, with no additional hardware. The in-line firewall
unlimited users. The unlimited user support helps maintain Latency
captures unknown files and performs enforcement while
a consistent annual cost structure while ensuring that new
maintaining high network throughput and low Timelatency.
employees are protected as they are hired.
Stream-Based Scanning
Network Payload
Traffic Received
Network Payload
Payload Traffic Received
Scanned
Payload
Scanned
Output Output
Latency Latency
Time Time
Figure 3: Stream-based scanning helps minimize latency and maximize throughput performance
Network Payload
Traffic Received
Payload
Scanned
Output
Latency
Figure 4: Content-ID is enabled on a per-rule basis using individual or group profiles to facilitate
policy-based control over content traversing the network
• WildFire Virtualized Sandbox: WildFire is an advanced, not categorized by the local URL database can be pulled into
virtual malware analysis environment, purpose-built for cache from a hosted URL database. In addition to database
high fidelity hardware emulation, analyzing suspicious customization, administrators can create custom URL cate-
samples as they execute. The cloud-based service detects gories to further tailor the URL controls to suit their specific
and blocks targeted and unknown malware, exploits, and needs. URL categorization can be combined with application
outbound C2 activity by observing their actual behavior, and user classification to further target and define policies. For
rather than relying on pre-existing signatures. example, SSL decryption can be invoked for select, high-risk
URL categories to ensure threats are exposed; QoS controls
• Automated Signature Generator: When a sample is
can be applied to streaming media sites. URL filtering visibility
identified as malicious, WildFire automatically generates
and policy controls can be tied to specific users through
protections and delivers them to all subscribed WildFire
transparent integration with enterprise directory services
customers globally in as little as 5 minutes.
(Active Directory®, LDAP, eDirectory™) with additional insight
• Deep Visibility and Analysis: WildFire users receive integrat- provided through customizable reporting and logging.
ed logs, analysis and visibility into WildFire events enabling
Administrators can configure a custom block page to notify
teams to quickly investigate and correlate events observed
end users of any policy violations. In order to place some of
in their networks. This allows security staff to quickly locate
the web activity ownership back in the user’s hands, admin-
the data needed for timely investigations and incident
istrators can allow users to continue after being presented
response. Host-based and network-based indicators of com-
with
a warning page or require passwords to override the URL
promise become actionable through log analysis and custom
filtering policy.
signatures. An open API allows for integration with best-in-
class SIEM tools, such as the Palo Alto Networks application
for Splunk®, and leading endpoint agents.
File and Data Filtering
URL Filtering Data filtering features enable administrators to implement
Complementing the threat prevention and application control policies that will reduce the risks associated with the transfer
capabilities is a fully integrated, on-box URL filtering database of unauthorized files and data.
that enables security teams to not only control end-user web
• File blocking by type: Control the flow of a wide range of
surfing activities but also block access to malicious URLs and
file types by looking deep within the payload to iden-
phishing links used in cyber attacks. The on-box URL database
tify the file type (as opposed to looking only at the file
can be augmented to suit the traffic patterns of the local
extension).
user community with a custom URL database. URLs that are
4401 Great America Parkway © 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark
Santa Clara, CA 95054 of Palo Alto Networks. A list of our trademarks can be found at http://www.
Main: +1.408.753.4000 paloaltonetworks.com/company/trademarks.html. All other marks mentioned
Sales: +1.866.320.4788 herein may be trademarks of their respective companies. pan-content-id-
Support: +1.866.898.9087 tb-061416
www.paloaltonetworks.com