Palo Alto Core Security Adoption

Core Security Adoption Bundle

Crossconnect Engineering’s process takes your firewall posture from port-based rules to the advanced feature sets that make firewalls “next generation.”

Palo Alto Firewalls

What Makes a Firewall “Next Generation”?

Traditional firewalls are port-based: users are identified only by IP address, and services are identified only by port number. However, users change IP addresses and use multiple devices, and most malicious traffic now hides inside encrypted sessions on trusted ports.

How Next Generation Firewalls Address These Issues

The problem the Core Security Adoption Bundle addresses is that most next-generation firewalls are installed as a like-for-like conversion from a port-based firewall, and the next-generation features are never adopted, leaving a security posture little better than the original firewall. Enabling the entire next-generation feature set without breaking production traffic requires a significant amount of work, and most organizations do not have the resources to complete it internally.

Moreover, traffic decryption is required for the majority of next-generation features to work: nearly all traffic, including threats, is encrypted. The ability to decrypt TLS/SSL-encrypted traffic is now a foundational security function. The following features are severely limited without decryption: Antivirus, Intrusion Prevention, Wildfire (Sandboxing), File Blocking, and App-ID (Application Visibility & Control). Next-generation firewalls must perform traffic decryption in order to be effective today.

Key Features

Threat Prevention (IPS)

URL Filtering

App-ID (Application Visibility & Control)

Antivirus

Wildfire (Malware Sandboxing)

User-ID (User Identification / User Awareness)

Antispyware

File Blocking

DNS Security

TLS/SSL Decryption (“traffic decryption”) – critical to enabling the features above

Features Our Services Will Adopt for Your Business

  • Palo Alto Iron Skillet Day-Zero Configuration – Adopt Palo Alto’s day-zero configuration to provide a secure foundation on which to build the remainder of the configuration.
  • User-ID – Identify users and user groups via Active Directory regardless of IP address.
  • Traffic Decryption – Enable traffic decryption for pilot groups first and, after remedying incompatible websites and applications, extend it to increasing numbers of users in a safe fashion.
    • Exclude traffic for compliance or business reasons (e.g. Health, Finance, Government, Military).
    • Exclude incompatible applications and those that depend on certificate pinning.
  • Antivirus – Block malicious files passing through the firewall based on signature matching.
  • Antispyware – Block & alert on connections going to known command & control servers.
  • Threat Prevention (IPS) – Examine network traffic to identify and block attacks that exploit known vulnerabilities.
  • App-ID – Traditional port-based firewalls identify an “application” by identifying the port number. App-ID identifies an application regardless of port and works with applications that use multiple or non-standard ports.
    • Create App-ID rules to replace non-TLS/SSL port-based rules.
    • Create “Starter” rules for Allowed, Blocked, and Tolerated TLS/SSL Applications
      • Provide “over-the-shoulder” training to Customer for additional adoption.
  • URL Filtering – Block access to websites known to host malware, or content filter based on users or groups.
  • Wildfire Sandboxing – Traditional malware detection is signature-based. To cover the time lag between when malware is released and when a signature is created, Wildfire takes the files not matched by Antivirus and uploads them to the Palo Alto cloud for further analysis and sandboxing. The verdict is then sent back to the firewall and can alert administrators.
  • File Blocking – Protects from both data exfiltration and malicious software ingress to the network. File blocking uses MIME types and blocks unauthorized files as they traverse the firewall.
  • DNS Security – Block malicious connections before they begin. Malicious connections use DNS just like legitimate connections. Scan all DNS requests going through the firewall and block or sinkhole requests for malicious sites.

Deployment, Pricing, and Terms

  • The Firewall Core Security Adoption Bundle is deployed in a manner that minimizes impact to the business. This means allowing proper time to determine any side effects new security features will have, so the project will take multiple months to complete. Safety is favored over speed.
  • Because of the extended timeline, our service includes technical project management with regular status meetings to keep the project progressing.

Pricing is provided at a flat rate. All services are implemented by a PCNSE. Pricing is for a single logical firewall (one firewall, or one HA pair) and is tiered by number of users.

Overage Users

If your user count is just above a tier boundary, additional users may be added to the lower tier at a per-user rate: $120/user for the 1-250 tier, $100/user for the 251-500 tier, $80/user for the 501-750 tier, and $60/user for > 1000 users. Example: 252 users may be purchased at $20,240.

What changes between user/pricing tiers?

The service is fundamentally the same whether deploying for 1 user or 1,000 users. However, larger user bases have longer deployment times for each feature, as there are naturally more applications, file types, and web traffic involved. The single largest change in hours is that more pilot groups are used during the traffic decryption phase for safety, resulting in an extended deployment time.

Limitations Apply

Please consult with our sales team for the granular specifics of what is and is not included.

Let’s Get In Touch