Post on 03-Nov-2015

PAN-OS 4.0
Nick Piagentini
Palo Alto Networks PAN-OS 4.0 1
Contents

PAN-OS 4.0 User-ID functions
  User/Group Enumeration
    1. Using AD User Agent for Enumeration
    2. Using LDAP Servers for Enumeration
  User to IP Mapping
    1. AD User Agent
    2. LDAP User Agent
    3. Captive Portal
    4. Terminal Server Agent
    5. Palo Alto Networks client software
PAN-OS 4.0 User-ID functions

User Identification in PAN-OS 4.0 encompasses two primary functions:

- Enumeration of users and their associated group membership
- Mapping of those users to their current IP addresses

Each of these functions can be performed by different methods. Some methods are effective only in specific network environments and some are applicable in all environments. Both components are discussed in this document.
User/Group Enumeration

Before a security policy can be written for groups of users, the relationships between the users and the groups they are members of must be established. This information is retrieved from an LDAP directory, such as Active Directory or eDirectory. The firewall or an agent accesses the directory and searches for group objects. Each group object contains a list of the user objects that are members. This list is evaluated and becomes the list of users and groups available in security policy and authentication profiles. There are two methods for retrieving this data:

1. use an agent that talks to Active Directory, or
2. have the firewall itself query LDAP servers (no agent).

Both of these methods are discussed below.
1. Using AD User Agent for Enumeration

Operation: This agent is installed as a Windows service on a Windows server that is a member of the domain to be polled. It is configured with a list of Domain Controllers in a single Windows domain, and will access the first DC on that list for user and group information. If the first DC is not available when it does group enumeration, the agent continues down the list until it locates a DC that is available. The agent accesses the domain controller using Microsoft RPC and reads all of the security groups in the domain. Since the agent is only configured to map users from a single domain, any accounts from other domains are ignored. For this reason it is a best practice to build security policy using Domain Global groups, as they will only contain users from a single domain and will be correctly represented by the AD User Agent.

After the agent has parsed the domain for groups and users, it can apply a group filter to send only selected groups to the firewall. It is strongly recommended that you configure a group filter. By eliminating unneeded groups from the list that is sent to the firewall, overall processing on the firewall's Management Plane is reduced, and the group selection interface in the UI is more succinct and user friendly.

After the initial group membership is obtained, the agent periodically checks whether group membership has changed, based on a configurable timer (called the User Membership Timer). The agent updates the firewall with only the groups whose membership has changed. If no change to group membership is detected, no data is sent to the firewall.

A single agent can only monitor domain controllers from a single domain. The agent can monitor up to 100 individual DCs from that single domain. In a multi-domain environment multiple agents need to be deployed, so that group information can be retrieved from all the domains.

For each domain, the firewall (or Virtual System if the firewall is operating in that mode) selects a single agent to gather group data from. By default it is the first agent configured, but if that agent is not available the firewall tries the other agents in the list. To determine the agent being used by the firewall for group membership, use the command

    > show user pan-agent statistics

The agent with the * before the word "connected" is the one being used for all group membership, as seen in the screenshot below:
Best Practices for AD User Agent

1.) Configure well-connected Domain Controllers at the top of the list in the agent and firewall configuration.
2.) Filter the list of groups that is sent to the firewall to include only the groups that will be used in firewall policy. If you want to make sure that all users are tracked, include the group Domain Users.
3.) Only use Domain Global groups in firewall policy when operating in a multi-domain environment. Note that this is not in line with traditional Microsoft AD practice, where Domain Local groups are used to control rights and access.
4.) If some agents are located across slow or heavily loaded links, it may be best to configure only the well-connected agents first and run a commit. This gets the initial users and groups onto the firewall and ensures that future updates are just deltas.
2. Using LDAP Servers for Enumeration

Operation: The Palo Alto Networks next-generation firewall can gather user and group information from an LDAP directory without the use of an agent. This method can be used to enumerate Active Directory or any other LDAP environment. The firewall performs all of the LDAP connections itself and no agent is required for this function.

The firewall defines a number of LDAP Servers under the User Identification node. Each LDAP Server instance represents a bind to a specific part of an LDAP tree. It enumerates all of the user and group objects at that point and below. Filters can be defined in this configuration using standard LDAP syntax to limit the users and groups returned. If this method is to be used to enumerate users from Active Directory, an LDAP Server needs to be configured for each domain. Global Catalogs cannot be used for user and group enumeration across AD domains. Only LDAP objects that use an attribute to list membership can be used as groups on the firewall. PAN-OS does not support the use of container objects such as Organizational Units (OUs) as security principals in firewall policy.

Access credentials for the LDAP tree are specified in an LDAP Authentication Server object that is referenced by the LDAP Server object. The Authentication Server object also specifies which directory servers will be contacted, the order they will be contacted in, and when the firewall will try the next one on the list.

Configuration of the LDAP Server object requires knowledge of the LDAP structure in use, such as the types of objects used as groups and users. For example, in a standard Active Directory deployment the users are objects with objectClass=user and are most commonly referred to by either the sAMAccountName (jdoe) or userPrincipalName (jdoe@corp.local) attribute. The groups (objectClass=group) are referred to by the CN attribute and store the list of users in the member attribute. This level of information is required to configure the LDAP Server. The following is an example of an LDAP Server configuration to enumerate users from all Domain Global security groups on an Active Directory domain.

For interoperability between the LDAP Server and the AD Agent, a domain can be specified in the LDAP Server configuration. This domain is added as a prefix to any user accounts learned through that LDAP Server. By synchronizing this value with the NetBIOS name of the AD domain in use, users authenticated by NTLM (which yields DOMAIN\user) can be matched to users enumerated by LDAP.

Best Practices using LDAP Servers

1.) If the underlying directory is Active Directory, make sure the Domain field of the LDAP Server matches the NetBIOS name of the domain.
2.) Use of an LDAP browser can be extremely helpful if working with a non-generic LDAP deployment.
3.) Use group filters to minimize the number of groups returned. For example (grouptype=*46) will return only Domain Global security groups: the groupType of a global security group is -2147483646, which is the signed form of 0x80000002 (global-group flag 0x2 with the security-enabled bit 0x80000000 set), so an exact-match filter (groupType=-2147483646) selects the same groups.
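The enumeration described in this section, as an added example (not PAN-OS code or configuration): it parses a small LDIF dump constructed inline in place of a live LDAP search, keeps only objects that are global security groups by decoding the groupType bit flags, ignores the OU (no membership attribute, so it cannot be a group), resolves each member DN to a user object, and prefixes the sAMAccountName with the NetBIOS domain the way the Domain field does. The NetBIOS name CORP and the sample entries are assumptions for the demo; the groupType flag values are the ones Microsoft documents for the attribute.

```python
"""Group enumeration as the LDAP Server object performs it (added example)."""
from __future__ import annotations

# AD groupType bit flags as documented by Microsoft for the attribute.
GLOBAL_GROUP = 0x00000002
DOMAIN_LOCAL_GROUP = 0x00000004
UNIVERSAL_GROUP = 0x00000008
SECURITY_ENABLED = 0x80000000  # high bit, so the stored signed value is negative

NETBIOS_DOMAIN = "CORP"  # assumption: stands in for the LDAP Server "Domain" field

# Constructed sample entries standing in for what an LDAP search returns.
SAMPLE_LDIF = """\
dn: CN=jdoe,OU=Staff,DC=corp,DC=local
objectClass: user
sAMAccountName: jdoe
userPrincipalName: jdoe@corp.local

dn: CN=asmith,OU=Staff,DC=corp,DC=local
objectClass: user
sAMAccountName: asmith
userPrincipalName: asmith@corp.local

dn: OU=Staff,DC=corp,DC=local
objectClass: organizationalUnit

dn: CN=Finance,OU=Groups,DC=corp,DC=local
objectClass: group
groupType: -2147483646
member: CN=jdoe,OU=Staff,DC=corp,DC=local
member: CN=asmith,OU=Staff,DC=corp,DC=local

dn: CN=Printers,OU=Groups,DC=corp,DC=local
objectClass: group
groupType: 2
member: CN=jdoe,OU=Staff,DC=corp,DC=local

dn: CN=LocalAdmins,OU=Groups,DC=corp,DC=local
objectClass: group
groupType: -2147483644
member: CN=asmith,OU=Staff,DC=corp,DC=local
"""


def ldap_group_filter() -> str:
    """Exact-match form of the (grouptype=*46) filter quoted in the text."""
    signed = (SECURITY_ENABLED | GLOBAL_GROUP) - (1 << 32)  # 0x80000002 -> -2147483646
    return f"(groupType={signed})"


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse minimal LDIF into {dn: {attr_lowercase: [values]}}; multi-valued attrs kept."""
    entries: dict[str, dict[str, list[str]]] = {}
    for block in text.strip().split("\n\n"):
        attrs: dict[str, list[str]] = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


def is_global_security_group(group_type: int) -> bool:
    """True only when both the security-enabled bit and the global-group flag are set."""
    flags = group_type & 0xFFFFFFFF  # view the signed AD integer as raw 32 bits
    return bool(flags & SECURITY_ENABLED) and bool(flags & GLOBAL_GROUP)


def enumerate_groups(entries: dict, domain: str = NETBIOS_DOMAIN) -> dict[str, list[str]]:
    """Return {group CN: [DOMAIN\\sAMAccountName, ...]} for global security groups.

    OUs are skipped (no membership attribute), as are members whose DN does
    not resolve to a user object.
    """
    result: dict[str, list[str]] = {}
    for attrs in entries.values():
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "group" not in classes:
            continue
        if not is_global_security_group(int(attrs["grouptype"][0])):
            continue
        members = []
        for member_dn in attrs.get("member", []):
            target = entries.get(member_dn, {})
            if "user" in [c.lower() for c in target.get("objectclass", [])]:
                members.append(f"{domain}\\{target['samaccountname'][0]}")
        cn = attrs["dn"][0].split(",", 1)[0].split("=", 1)[1]
        result[cn] = sorted(members)
    return result
```

Against the sample, only Finance survives: Printers is a global distribution group (no security bit) and LocalAdmins is domain-local, which is exactly why the text recommends filtering on groupType before the list reaches the firewall.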
User to IP Mapping

The process of mapping users to IP addresses is the more complex of the two User-ID tasks. PAN-OS 4.0 provides multiple methods to map users to IP addresses. Some methods require specific directory structures to be in place. Some methods require software agents or clients to be installed. If any of the methods maps a user to an IP address, that data can be used by the firewall in both policy and reporting. User data is written to all appropriate logs when the logs are generated. The methods for mapping users to IPs are:

1.) AD User Agent
2.) LDAP User Agent
3.) Captive Portal
4.) Terminal Services Agent
5.) Palo Alto Networks client software (SSL VPN, GlobalProtect)

Each of these is described below.
1. AD User Agent

The AD User Agent performs both the enumeration and mapping tasks. Even though the two processes are separate, the agent cannot be configured to perform only one or the other. In Active Directory environments the AD Agent is very useful for mapping users and, as a result, is also commonly used to enumerate users. The agent can map users by monitoring events in the security log and by querying endpoints. These mappings can be reconfirmed by monitoring user connections to the domain controller during the course of work. The firewall
Security Log Reading

The AD Agent connects to each domain controller in its list and monitors the security log. On the initial connection the agent reads the last 50,000 log entries. After the initial connection, the agent monitors all new events. The AD Agent looks for any of the following Microsoft event IDs:

On Windows 2003 DCs:
  o 672 (Authentication Ticket Granted, which occurs at the logon moment)
  o 673 (Service Ticket Granted)
  o 674 (Ticket Granted Renewed, which may happen several times during the logon session)

On Windows 2008 DCs:
  o 4768 (Authentication Ticket Granted)
  o 4769 (Service Ticket Granted)
  o 4770 (Ticket Granted Renewed)

These events contain a user and an IP address. The user's domain is compared to the domain that the agent has been configured to monitor. Users from domains other than the monitored domain are ignored. The IP addresses of the users are also checked; only addresses inside the Allowed IP ranges (as configured on the AD Agent) are recorded. Once the username-to-IP mapping table is created, the agent sends this data to the firewall. The default interval for checking for new log events is every second, but this timer is configurable. Note that these events will only be present in the security log if the AD domain is configured to audit successful Account Logon events.

Security log reading is low overhead for the Domain Controller and a highly effective method of mapping users in a Microsoft environment. The mappings are maintained for a configurable timeout, which is recommended to be set to half the DHCP lease time used in the environment. Client systems in an AD domain using the default configuration will attempt to renew their tickets every 10 hours.
WMI/NetBIOS Probes

Where log reading is effectively a passive method of user mapping, probing is an active method. On a configurable interval, the AD Agent sends a probe to each learned IP address in its list to verify that the same user is still logged in. The results of the probe are used to update the record on the agent and are then passed on to the firewall. Each learned IP is probed once per interval period. Care should be taken to make sure that large environments have a long enough interval for all IPs to be probed. For example, in a network with 6,000 users and an interval of 10 minutes, each agent would need to issue 10 WMI requests a second (6,000 probes / 600 seconds). These probes are queued and processed by the agent as needed.

In addition, when the firewall receives traffic on an interface in a zone with User Identification enabled from an IP address that has no user data associated with it, the firewall sends the IP to all the AD Agents configured and asks them to probe it to determine the user. This request is added to the queue along with the known IP addresses waiting to be polled. If the Agent is able to determine the user at the IP based on the probe, the information is sent back to the firewall.

If the WMI or NetBIOS probe fails, the IP address will not be probed again until the firewall sees more traffic from it.

NetBIOS probes have no authentication and do not require any specific group membership for the Agent account. A drawback to NetBIOS is that it is not very reliable across larger networks; it is commonly blocked by host-based firewalls and will not work for certain modern operating systems (anything with NetBIOS over TCP/IP disabled).

WMI queries are far more reliable and are secured by either NTLM or Kerberos based authentication. To perform these queries successfully the agent account needs the right to read the CIMV2 namespace on the client systems. By default only Domain Administrators have this right. Because the agent presents this credential to every endpoint it probes, running it as a Domain Administrator exposes a highly privileged account on every workstation; a dedicated service account granted only the required rights on the CIMV2 namespace limits that exposure. The underlying WMI query that is sent can be simulated with the following command, where remotecomputer would be the IP address of the system being probed:

    wmic /node:remotecomputer computersystem get username
Open Server Sessions

Any connections to a file or print service on the Domain Controller are also read by the agent. If the user/IP combination for the session does not match the combination that the Agent last learned, the mapping is removed and the user at the IP address becomes unknown. The agent will not add or update user data as a result of information learned from the open server sessions. If the open session confirms the user at the IP address, then that mapping has its lifetime renewed.

In the normal operation of an AD domain, users on Windows systems connect to the SYSVOL share on the domain controller to check for new Group Policy Objects. The default timing for this is 90 minutes with a random offset of up to 30 minutes. For users connected to the network during a regular workday, this process ensures that they remain mapped throughout the day.
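The mapping lifecycle described under Security Log Reading and Open Server Sessions, as an added example (not the AD Agent's code): logon events from the security log are filtered by event ID, monitored domain and Allowed IP ranges, kept in a table with a configurable age-out, and reported to the firewall as deltas; an open server session then renews a matching mapping or removes a conflicting one, but never adds one. The event records and ranges are constructed for the demo, the field names are an assumption (real 4768/4769/4770 events carry the same data in XML), and skipping machine accounts (names ending in $) is an assumption added here rather than documented agent behaviour.

```python
"""Security-log driven user-to-IP mapping with session confirmation (added example)."""
from __future__ import annotations
import ipaddress

# Windows 2003 and Windows 2008 DC Kerberos event IDs listed in the text.
LOGON_EVENT_IDS = {672, 673, 674, 4768, 4769, 4770}


class UserMapper:
    def __init__(self, monitored_domain: str, allowed_ranges: list[str], timeout_seconds: int):
        self.domain = monitored_domain.upper()
        self.allowed = [ipaddress.ip_network(r) for r in allowed_ranges]
        self.timeout = timeout_seconds
        self.table: dict[str, tuple[str, float]] = {}  # ip -> (DOMAIN\user, expires_at)
        self.pending: dict[str, str | None] = {}       # delta not yet sent; None = unknown

    def _allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowed)

    def observe_event(self, event: dict, now: float) -> bool:
        """Apply one security-log event; True if a mapping was learned or refreshed."""
        if event["event_id"] not in LOGON_EVENT_IDS:
            return False
        domain, _, user = event["account"].rpartition("\\")  # DOMAIN\user
        if domain.upper() != self.domain or not user:
            return False  # foreign domain or malformed account: ignored
        if user.endswith("$"):
            return False  # assumption: machine accounts are not mapped
        ip = event["client_ip"]
        if not self._allowed(ip):
            return False  # outside the Allowed IP ranges
        name = f"{self.domain}\\{user}"
        prev = self.table.get(ip)
        self.table[ip] = (name, now + self.timeout)
        if prev is None or prev[0] != name:
            self.pending[ip] = name  # only changes go to the firewall
        return True

    def confirm_session(self, ip: str, account: str, now: float):
        """Open server session: renew on match, drop on mismatch, never add."""
        domain, _, user = account.rpartition("\\")
        name = f"{domain.upper()}\\{user}"
        current = self.table.get(ip)
        if current is None:
            return None  # unknown IP stays unknown
        if current[0] == name:
            self.table[ip] = (name, now + self.timeout)
            return True
        del self.table[ip]
        self.pending[ip] = None  # report the IP as unknown
        return False

    def expire(self, now: float) -> list[str]:
        """Age out mappings past their timeout; returns the expired IPs."""
        expired = [ip for ip, (_, exp) in self.table.items() if exp <= now]
        for ip in expired:
            del self.table[ip]
            self.pending[ip] = None
        return expired

    def lookup(self, ip: str):
        entry = self.table.get(ip)
        return entry[0] if entry else None

    def flush_delta(self) -> dict:
        """Return and clear the delta the firewall polls every 2 seconds."""
        delta, self.pending = self.pending, {}
        return delta


SAMPLE_EVENTS = [  # constructed records standing in for the DC security log
    {"event_id": 4768, "account": "CORP\\jdoe", "client_ip": "10.1.1.10"},
    {"event_id": 4769, "account": "CORP\\jdoe", "client_ip": "10.1.1.10"},
    {"event_id": 4768, "account": "LAB\\tester", "client_ip": "10.1.1.11"},
    {"event_id": 4768, "account": "CORP\\WS01$", "client_ip": "10.1.1.12"},
    {"event_id": 4768, "account": "CORP\\asmith", "client_ip": "192.168.5.5"},
    {"event_id": 4624, "account": "CORP\\ghost", "client_ip": "10.1.1.13"},
]


def run_demo():
    """Replay the sample log, then a matching and a conflicting server session."""
    m = UserMapper("corp", ["10.1.0.0/16"], timeout_seconds=4 * 3600)
    for e in SAMPLE_EVENTS:
        m.observe_event(e, now=0)
    first_delta = m.flush_delta()
    m.confirm_session("10.1.1.10", "CORP\\jdoe", now=3000)   # e.g. SYSVOL GPO check
    mismatch = m.confirm_session("10.1.1.10", "CORP\\other", now=3100)
    return m, first_delta, mismatch
```

Of the six sample events only the first produces a firewall update: the second is the same user at the same IP, the LAB account is from an unmonitored domain, 192.168.5.5 is outside the allowed range, and 4624 is not one of the Kerberos ticket events the agent reads.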
Agent and Firewall Communication

Settings on the Agent control how often the agent communicates with the Domain Controllers and hosts on the network (for polling). The firewall has specific, non-configurable timers for its communication to the agent:

- 2 seconds: Get list of new IP/user mappings from agent. This is a delta of new mappings only.
- 2 seconds: Send list of unknown IP addresses that were encountered in traffic to the agent.
- 5 seconds: Get agent status. This is a heartbeat used to determine the status of each configured agent.
- 10 minutes: Get group membership changes from agent. This is just the delta of changes since the last check.
- 1 hour: Get full list of IP/user mappings from agent.

Best Practices for AD Agent:

1) Set the age-out timer for the agent to a value close to half the DHCP lease time.
2) Use WMI over NetBIOS if possible.
3) Make sure to plan the interval for probing based on the total number of users in the environment.
2. LDAP User Agent

The LDAP Agent provides two very specific functions. One is to access an eDirectory tree and read the logged-in IP for each user. When the user logs in to eDirectory, the IP address of the endpoint is stored in the directory as an attribute of the user object. This serves a similar function to the AD Agent's log scraping and only works with eDirectory.

The second function of the LDAP Agent is to receive XML user information from external sources. This information can both add and remove user-IP mappings. Some examples of uses of the API are:

1) Visual Basic based login and logout scripts that add and remove the user and all the IP addresses of the end station.
2) Perl based scripts for Mac based systems to register users on login.
3) Modules for NAC appliances that pass user and IP information to the firewall.

The API passes the data over SSL using a simple XML format as follows:
3. Captive Portal

Captive Portal is an identification method that is only invoked when the firewall encounters HTTP traffic for which it has no user information. If a user has already been mapped by one of the other methods, Captive Portal is not triggered. Captive Portal is traditionally used to identify users that have slipped through the other methods, or for environments where the other methods are not appropriate. Captive Portal is only triggered by a session that matches all of the following criteria:

1) There is no user data for the source IP of the session
2) The session is HTTP traffic
3) The session matches a Captive Portal policy on the firewall

When Captive Portal is triggered the browser session is interrupted by the firewall and user credentials are requested. Once the user is identified they remain mapped until either an idle or hard timeout is reached. At that point the user mapping is removed and Captive Portal may be triggered again.

For firewalls deployed in L2 or Virtual Wire mode, Captive Portal must be configured in transparent mode. In this configuration the firewall spoofs the destination address for use in authentication. This can generate certificate errors if the original communication was over SSL. A more flexible method is redirect Captive Portal, where the firewall uses an HTTP 302 response to redirect the user to an L3 interface owned by the firewall. When using redirect Captive Portal a specific SSL certificate can be installed for the portal to mitigate any certificate warnings. In addition, redirect Captive Portal can use cookies to mark the session. This allows the session to remain mapped even after the timeouts have expired. Finally, redirect Captive Portal with cookies can support a user that roams from one IP address to another while keeping the session open. When possible, Captive Portal should always be deployed in redirect mode.
There are three methods for the firewall to extract user data from the browser:

1.) NTLM Authentication
2.) Web Form Captive Portal
3.) Certificate based Authentication

NTLM Authentication

Microsoft clients can participate in an NTLM challenge and response exchange that consists of 3 messages. The browser uses the credentials of the currently signed-in user. Internet Explorer does this by default, and Firefox can be configured to do this for specific URIs (in about:config set the network.automatic-ntlm-auth.trusted-uris value to the Captive Portal URI; list only the portal host there, since the browser will answer an NTLM challenge from any URI that matches). This authentication is transparent to the user. The username captured by this method is the NetBIOS name in the form DOMAIN\USER; it is mapped to the appropriate user ID if the AD Agent is in use, or if the LDAP Server configured to read the AD domain has the correct value in the Domain field. If the browser or operating system does not support NTLM authentication, the firewall falls back to the next form of Captive Portal. When configuring NTLM based authentication for Captive Portal a hostname must be provided. For NTLM to work, this hostname must not be fully qualified. For example, if the DNS name of the portal is portal1.company.com, and company.com is in the user's DNS search suffix list, the correct value for the NTLM host would be portal1.
The following diagram shows the NTLM based Captive Portal flow using a redirect. In the case of a transparent mode Captive Portal there would be no steps 2 or 5. Instead the firewall would spoof the destination address and provide the 401 response as if the target server had sent it.
Web Form Captive Portal

This method displays a web page with fields for username and password. The backend authentication can be RADIUS, LDAP, local database or native Kerberos. While this is the most disruptive user identification method, it is also the method that will work with any kind of browser or operating system. As such it is an excellent method of last resort. The following diagram shows the web form based Captive Portal flow using a redirect.
Certificate based Authentication

A user certificate can also be used by the Captive Portal to identify the user. Certificate based authentication requires that trusted CA certificates are loaded on the firewall and provisioned for user authentication. When the user first encounters Captive Portal they are prompted for the certificate to present to the server. If no other authentication profiles are configured for the Captive Portal, all further interaction between the browser and the portal should be transparent to the user. This is currently the only way to achieve fully transparent authentication for Linux and Mac clients using Captive Portal.

Best Practices for Configuring Captive Portal:

1.) Configure Captive Portal in redirect mode when possible. A single interface can be configured for L3 operation to host the portal for deployments using L2 or Virtual Wire.
2.) If using RADIUS, ensure the proper default domain is configured for users. If no domain is provided during the login, the default domain will be assumed.
3.) Kerberos authentication requires less configuration for AD environments than LDAP and should be used in these cases.
4. Terminal Server Agent

The MS Terminal Server Agent is a Windows service that is installed on a Microsoft Terminal Server or Citrix server. The job of this agent is to intermediate the assignment of source ports to the various user processes. This source port information is passed on to the firewall and a user table is created including the username, the IP address of the terminal server and the source ports of the users. This ensures that each session from the terminal server is correctly mapped to the user that initiated it. No other user mapping features are required for these clients, although enumeration and group mapping still need to take place.
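The port-based mapping the Terminal Server Agent reports, as an added example (not the agent's code): each logged-in user is reserved a block of source ports, processes of that user draw their source ports from the block, and the firewall resolves (server IP, source port) to a user even though every session shares the server's one IP address. The port range, block size, server address and the spill-over into a second block when a user exhausts the first are assumptions for the demo; the real agent's values and allocation details differ.

```python
"""Per-user source port blocks on a shared terminal server (added example)."""
from __future__ import annotations


class TerminalServerPorts:
    def __init__(self, server_ip: str, first_port: int = 20000,
                 last_port: int = 39999, block_size: int = 200):
        # assumption: the range and block size are demo values, not the agent's
        self.server_ip = server_ip
        self.block_size = block_size
        self.free = list(range(first_port, last_port + 1, block_size))  # block starts
        self.blocks: dict[int, str] = {}        # block start -> DOMAIN\user
        self.cursor: dict[str, list[int]] = {}  # user -> [current block start, ports used]

    def _reserve_block(self, user: str) -> int:
        if not self.free:
            raise RuntimeError("no free port blocks on this server")
        start = self.free.pop(0)
        self.blocks[start] = user
        self.cursor[user] = [start, 0]
        return start

    def user_logon(self, user: str) -> tuple[int, int]:
        """New session: reserve a block and return its (first, last) port."""
        start = self._reserve_block(user)
        return start, start + self.block_size - 1

    def user_logoff(self, user: str) -> list[int]:
        """Release every block held by the user so the ports can be reused."""
        released = sorted(s for s, u in self.blocks.items() if u == user)
        for s in released:
            del self.blocks[s]
            self.free.append(s)
        self.free.sort()
        self.cursor.pop(user, None)
        return released

    def allocate_port(self, user: str) -> int:
        """Hand a process of `user` its next source port from the user's block."""
        if user not in self.cursor:
            raise KeyError(f"{user} has no port block (not logged on)")
        start, used = self.cursor[user]
        if used >= self.block_size:
            # block exhausted: the user gets an additional block (assumption)
            start = self._reserve_block(user)
            used = 0
        self.cursor[user] = [start, used + 1]
        return start + used

    def mapping_table(self) -> list[tuple[str, int, int, str]]:
        """Rows reported to the firewall: (server IP, first port, last port, user)."""
        return [(self.server_ip, s, s + self.block_size - 1, u)
                for s, u in sorted(self.blocks.items())]

    def lookup(self, ip: str, port: int):
        """Firewall-side resolution of a session's (source IP, source port) to a user."""
        if ip != self.server_ip:
            return None
        for start, user in self.blocks.items():
            if start <= port < start + self.block_size:
                return user
        return None
```

Because the table is keyed on the source port rather than the source IP, a mapping from any other method (log reading, probing, Captive Portal) would only ever see the terminal server's address and could attribute every user's traffic to whichever user last logged on; this is why the text says no other mapping method is needed for these clients.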
5. Palo Alto Networks client software

If the endpoint is running one of the Palo Alto Networks client software packages, user identification is provided by that software. There are currently 2 software packages that can run on the endpoint: NetConnect SSL VPN and GlobalProtect. Both of these packages provide user information to the firewall they are connected to. No other method is required to map these users to their IP addresses, though there would still need to be something in place to enumerate the users and their group membership.