• No results found

User-ID Best Practices

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "User-ID Best Practices"

Copied!
16
0
0

Loading.... (view fulltext now)

Download now ( 16 Page )

Full text

(1)

User-ID Best Practices

(2)

Table of Contents

PAN-OS User-ID Functions ... 3  

User / Group Enumeration ... 3

 

Using LDAP Servers for Enumeration ... 4  

Best Practices Using LDAP Servers ... 7

 

User to IP Mapping ... 8  

Active Directory Monitoring ... 8  

Reading Security Logs ... 8

 

Open Server Sessions ... 9

 

Agent and Firewall Communication ... 10

 

eDirectory Monitoring ... 10  

WMI/NetBIOS Probes ... 10  

Captive Portal ... 11  

NTLM Authentication ... 12

 

Web Form Captive Portal ... 13

 

Certificate based Authentication ... 14

 

Best Practices for Configuring Captive Portal: ... 14

 

Terminal Server Agent ... 15  

Palo Alto Networks Client Software ... 15  

(3)

PAN-OS User-ID Functions

User Identification in PAN-OS encompasses two primary functions: • Enumeration of users and their associated group membership. • Mapping of those users to their current IP addresses.

While these functions may rely on similar settings they are separate processes. And both need to be configured to apply group based user policy and reporting.

User / Group Enumeration

Before a security policy can be written for groups of users, the relationships between the users and the groups they are members of must be established. This information is retrieved from an LDAP directory, such as Active Directory, Apple Open Directory or eDirectory. The firewall or an agent will access the directory and search for group objects. Each group object will contain a list of user objects that are members. This list will be evaluated and will become the list of users and groups available in security policy and authentication profiles. The User-ID API was enhanced in PAN-OS 5.0 to allow group membership to be

programmatically sent to the firewall. Specific implementations of group membership delivered over the API are beyond the scope of this document.

(4)

Using LDAP Servers for Enumeration

Operation: The Palo Alto Networks next-generation firewall can gather user and group

information from an LDAP directory.

The firewall defines a number of “LDAP Servers” under the User Identification node. Each LDAP Server instance represents a bind to a specific part of an LDAP tree. It will enumerate all of the user and group

objects at that point and below. Filters can be defined in this configuration using standard LDAP syntax to limit the users and groups returned. In addition a list of groups to be maintained for use in firewall rules can also be configured in the Group Mapping tab. When enumerating users from Active Directory, there will need to be a LDAP Server configured for each domain.. Only LDAP objects that use a field to list membership can be used as groups on the firewall. PAN-OS

does not support the use of container objects such as Organizational Units (OU) as security principals in firewall policy.

Access credentials to the LDAP tree is specified in a LDAP Authentication server object that is referenced by the LDAP Server object. The Authentication Server object also specifies which directory servers will be contacted, the order they will be contacted in and when the firewall will try the next one on the list. One critical setting from the LDAP Server Profile object is the LDAP server Type field. Based on the value chosen for this field (Active Directory, eDirectory or SUN) the values for group mapping using this server will be automatically populated. When configuring the LDAP server profile the domain name must be provided that will be prepended to all of the objects learned from this server. This field must be the NetBIOS name of the domain and should not be the fully qualified domain name of the AD tree. (e.g. CORP not CORP.local)

(5)

credentials that the firewall will use to make the connection to the LDAP server. The format of this field can either be a User Principal Name ([email protected]), a SAM

Accountname (cse\administrator) or a fully qualified LDAP name

(cn=administrator,cn=users,dc=cse,dc=local). This account must have sufficient permissions to read the LDAP directory.

If Universal groups are used in Active Directory, a Global Catalog (GC) server must be used to capture memberships. A GC server is a domain controller for one of the Active Directory domains that also holds a database containing Universal group membership. To access this second LDAP database on this server, the LDAP bind must be set to port tcp/3268 rather than the traditional LDAP port of tcp/389. An important limitation of using a Global Catalog for Universal Group membership is that only Universal Groups containing individual users will be able to be successfully enumerated. If the Universal Groups contain other groups then they will not be fully enumerated and cannot be used for security policy.

Note: In order to support LDAPS (check box ‘SSL’) make sure your Domain Controller is

(6)

Configuration of the LDAP Server object requires knowledge of the LDAP structure in use, such as types of objects used as groups and users. For example, in a standard Active Directory deployment the users are objects “objectclass = User” and are most commonly referred to by either the SAMAccountName (jdoe) or UserPrincipalName ([email protected]) fields. The groups “objectclass = group” are referred to by the CN field and store a list of users in a “members” field. This level of information is required to configure the LDAP Server. The following is an example of the default LDAP server configuration to enumerate users from all

Domain Global security groups in an Active Directory domain. If the server type field is configured correctly in the LDAP Auth server object, these fields will then be prepopulated with the most common settings.

(7)

Best Practices Using LDAP Servers

1. Using an LDAP browser can be extremely helpful if working with a non-generic LDAP deployment.

2. Filter the list of groups to include only the groups that will be used in firewall policy. 3. Always populate the Domain field with the NetBIOS domain name.

(8)

User to IP Mapping

The process of mapping users to IP addresses is the most complex operation of the two User-ID tasks. PAN-OS provides multiple methods to map users to IP addresses. Some methods require specific directory structures to be in place, while other methods may require software agents or clients to be installed. If any of the methods map a user to an IP address

successfully, that data can be used by the firewall in both policy and reporting. User data is written to all appropriate logs when the logs are generated. The methods used to map users to IP addresses are as follows:

1. Active Directory monitoring 2. eDirectory monitoring 3. Client Probing

4. Captive Portal

5. Terminal Services Agent

6. Palo Alto Networks client software (Global Protect) 7. User-ID API

Each of these methods is described in the following section.

Active Directory Monitoring

There are two methods included for Active Directory. All of these methods require the installation of at least one software User-ID Agent in the network or one PAN-OS firewall configured to act as an agent. The User-ID Agent runs as a Windows service and requires specific network access rights to perform some of its tasks. The hardware agent runs as a process on the firewalls Management plane. The AD monitoring mapping methods relies on the users performing common tasks on the network. These include accessing an Exchange server, renewing Kerberos tickets, granting tickets, and connecting to server file shares.

Reading Security Logs

The User-ID Agent will connect to each Domain Controller and Exchange server in its

configured list and will monitor the security log. This list can be auto discovered thru DNS by the agent by using the “Discover” button on the interface. On the initial connection, the agent will read the last 50,000 log entries. After the initial connection, the agent will then monitor all new events. The Agent looks for any of the following Microsoft event IDs: On Windows 2003 DCs:

• 540 (Network Log On)

• 672 (Authentication Ticket Granted, which occurs on the logon moment), • 673 (Service Ticket Granted)

• 674 (Ticket Granted Renewed which may happen several times during the logon session)

(9)

• 4624 (Account Log On)

• 4768 (Authentication Ticket Granted) • 4769 (Service Ticket Granted)

• 4770 (Ticket Granted Renewed)

These events will contain a user and IP address. Only Allowed IP ranges (as configured on the User-ID agent or on the firewall agent) will be recorded. If the file ignore_user_list.txt is present in the Agent installation folder the mapped user name will be compared to the list of names in the file. The firewall also maintains a list that is populated with the CLI command “set user-id-collector ignore-user …”. If the name matches one of the entries, the Agent will discard the data. Once the username to IP mapping is created, the agent will send this data to the firewall. The default timing for checking new log events is every second, but this timer is configurable. Note that these events will only be present in the security log if the AD domain is configured to log successful Account Logon events.

Reading security logs causes very little overhead for a Domain Controller or an Exchange server and is a highly effective method of mapping users in a Microsoft environment. The mappings will be maintained for a configurable time out. For environments using session monitoring this timeout is recommended to be set at 120 min as that is the longest a client will go before checking the sysvol share for new GPO. If no session monitoring is configured the recommended value is half the DHCP lease time used in the environment. Client systems in an AD domain using the default configuration will attempt to renew their tickets every 10 hours.

The account that the agent uses to login to the domain controller must have rights to read the security log. In Windows 2008 and later domains, there is a built in group called “Event Log Readers” that will provide sufficient rights for the agent. In prior versions of Windows, the account must be given the “Audit and manage security log” user right through group policy. Making the account a member of the Domain Administrators group will also provide rights for all operations. The hardware agent will also require the right to make queries over the WMI as it uses the WMI to read logs.

Open Server Sessions

Any connections to a file or print service on the Monitored Server list will also be read by the agent. These connections will provide updated user to IP mapping information to the agent. In all cases the newer event for user mapping will overwrite older events.

(10)

For multiple domain environments the data gathered from open sessions may not be accurate. This method does not deliver domain data with the user name and it is assumed that the user is a member of the domain that the monitored server is part of.

Agent and Firewall Communication

Agent settings can control how often the agent communicates with the Domain Controllers and hosts on the network (for polling). The firewall has specific, non-configurable timers for its communication to the agent.

• 2 seconds: Get list of new IP / user mapping from agent. This is a delta of new mapping only.

• 2 seconds: Send list of unknown IP addresses that were encountered in traffic to the agent.

• 5 seconds: Get agent status. This is a heartbeat used to determine the status of each configured agent.

• 1 hour: Get full list of IP / user mappings from agent

eDirectory Monitoring

The User-ID agent can access an eDirectory tree and read the logged in IP for each user. When the user logs in to eDirectory, the IP address of the end point is stored in the directory as a field in the user object. This serves a similar function as the AD monitoring log scraping and only works with eDirectory.

eDirectory servers are configured in the same monitoring interface as the AD and Exchange servers. The same cache time out will apply to mapping learned from the eDirectory server. Unlike Windows security logs, the user IP data in eDirectory is replicated through the directory. This means that a single eDirectory server can be queried for all users.

WMI/NetBIOS Probes

Log reading is effectively a passive method of user mapping, while probing is an active method. On a configurable interval, the User-ID Agent will send a probe to each learned IP address in its list to verify that the same user is still logged in. The results of the probe will be used to update the record on the agent and then be passed on to the firewall. Each learned IP will be probed once per interval period. It’s important to make sure that large environments have a long enough interval for all IP’s to be probed. For example, in a network with 6,000 users and an interval of 10 minutes, that would require 10 WMI requests a second from each agent. These probes are queued and processed by the agent as needed.

In addition, when the firewall receives traffic on an interface in a zone with User

(11)

If the WMI or NetBIOS probe fails, the IP address will not be probed again until the firewall receives more traffic from the host. If the probe succeeds and then subsequently fails for the same host, the IP will be re-classified as unknown.

NetBIOS probes have no authentication and do not require any specific group membership of the Agent account. A drawback to NetBIOS is that it is not very reliable across larger

networks; it is commonly blocked by host based firewalls and will not work for certain modern operating systems (Anything with NetBIOS over TCP disabled).

WMI queries are much more reliable and are secured by either NTLM or Kerberos based authentication. To perform these queries successfully, the agent account needs permissions to read the CIMV2 namespace on the client systems. By default, only Domain Administrators have this permission. The underlying WMI query that is sent can be simulated with the following command, where remotecomputer would be the IP address of the system being probed:

wmic /node:remotecomputer computersystem get username

The firewall agent can only use WMI for client probing.

Captive Portal

Captive portal is traditionally used to identify users that have slipped through the other methods of identification or for environments where the other methods are not appropriate. It is an identification method that is invoked if there is no user information for HTTP based traffic that the firewall encounters. If a user has been mapped by one of the other possible methods, Captive Portal will not be triggered. Captive portal will only be triggered by a session that matches the following criteria:

1. There is no user data for the source IP of the session.

2. The session is HTTP traffic (note that this traffic can be on any port, but must be HTTP).

3. The session matches a Captive Portal policy on the firewall.

(12)

address to another while keeping the session open. When possible, Captive Portal should always be deployed in redirect mode.

Authentication Servers used by Captive Portal can be configured in an Authentication

Sequence as well. This will allow for sequential validation of a user account on a next server if not found in the previous authentication server checked.

There are three methods for the firewall to extract user data from the browser: 1. NTLM Authentication

2. Web Form Captive Portal 3. Certificate-based Authentication

NTLM Authentication

Microsoft clients can participate in a NTLM challenge and response exchange that consists of 3 messages. The browser will use the credentials of the currently signed in user. Internet Explorer will do this be default and Firefox can be configured to do this for specific URI’s. (In the about:config set the network.automatic-ntlm-auth.trusted-uris value to the captive portal URI) This authentication is transparent to the user. The user name captured from this method is the NetBIOS name in the form of DOMAIN\USER and it will be mapped to the

appropriate user ID if the LDAP Server configured to read the AD domain has the correct value in the domain field. If the browser or operating system does not support NTLM authentication, the firewall will fall back to the next form of Captive Portal. When

(13)

The following diagram shows NTLM based Captive Portal flow using a redirect. In the case of a transparent mode Captive Portal, there would be no steps 2 or 5. Instead the firewall would spoof the destination address and provide the 401 error code as if the target server had sent it.

Web Form Captive Portal

(14)

Certificate based Authentication

A user certificate can also be used by Captive Portal to identify the user. Certificate based authentication requires that trusted CA certs are loaded on the firewall and provisioned for user authentication. When the user first encounters Captive Portal, they will be prompted for the certificate to pass on to the server. If no other authentication profiles are configured for Captive Portal all further interaction between the browser and the portal should be

transparent to the user. This is currently the only way to achieve fully transparent authentication for Linux and Mac clients using Captive Portal.

Best Practices for Configuring Captive Portal:

1. Configure Captive Portal in redirect mode when possible. A single interface can be configured for L3 operations to host the portal for deployments using L2 or virtual wire.

(15)

Terminal Server Agent

The Microsoft Terminal Server agent is a windows service that is installed on a Microsoft terminal server or Citrix server. The agent will work with both 32 and 64 bit operating systems and supports Windows 2003 – 2008 servers. The function of this agent it to intermediate the assignment of source ports to the various user processes. This source port information is passed on to the firewall and a user table is created, which includes the user name, IP address of the terminal server, and source ports of the users. This ensures that each session from the terminal server is correctly mapped to the user that initiated it. No other user mapping features are required for these clients, although enumeration and group mapping still need to take place.

Palo Alto Networks Client Software

If the end point is running the Global Protect Palo Alto Networks client software package, user identification will be provided by that software. No other method would be required to map the users to their IP addresses, though there would still need to be configuration in place to enumerate the users and their group membership.

User-ID API

An API exists that can feed user to IP mapping information into the agent. This API can both add and remove user IP mappings. The API can be used when the traditional methods of log scraping and WMI probing are not ideal for the environment. Some examples of the API that can be found on Dev Center (https://live.paloaltonetworks.com/community/devcenter) are:

1. Syslog interaction with Enterprise WPA WiFi deployments. 2. Integration with VM Hypervisors to enumerate machine names.

(16)

The API passes the data over SSL to the agent using a simple XLM format as follows:

References

Download now ( PDF - 16 Page - 911.43 KB )

Related documents

Identity Management in Quercus. CampusIT_QUERCUS

LDAP_SERVER LDAP Server Type Quercus System Apache Directory Server | CampusIT Embedded | Microsoft Active Directory | Novell eDirectory | OpenLDAP | Oracle Internet

Programs SUNDAY, JULY 10 MONDAY, JULY 11. International Committee Business Meeting. 7:30-8:30 a.m. Trial Techniques and Tactics. 7:30-8:30 a.m.

Sponsored by the Drug, Device and Biotechnology Committee, Employment Law Committee, Medical Defense and Health Law Committee, Toxic and Hazardous Substances

The impact of external environment on organizational development strategy

Analysis of the competitive environment is a difficult process involving: definition, identification main characteristics and intensity of competitive forces analysis

A Directory-driven Approach to Security:

Supported data source connectivity includes directory servers such as Microsoft Active Direc- tory, Lotus Domino, Novell eDirectory, Netscape iPlanet/Sun one/Fedora Directory Server,

Best Practices, Procedures and Methods for Access Control Management. Michael Haythorn

The principle of least privilege, separation of duties, job rotation, mandatory access control, discretionary access control, role based access control and rule based access

Antena Mikrostrip Broadband Monopole Patch Segitiga untuk Aplikasi RF Power Harvesting Pita Frekuensi 1700-2500 MHz

Gain antena hasil pengukuran memiliki nilai yang lebih baik dari pada gain antena hasil simulasi yaitu 4,34 dB pada frekuensi 2,1 GHz, dan 4,26 dB pada frekeunsi 2,4 GHz. Return

Health care spending in the United States has increased rapidly over the

Thus of the 33 percent growth in total per capita health spending over this period, one-quarter apparently derived from increases in the prices of health care relative to other

Lab Report 2- Head Loss in Pipe & Bends

By calculating the Reynolds number and plotting the values with friction factor, we were able to identify the types of flow of the fluid whether the fluid is laminar