Have you ever seen a port-knocking feature on other firewalls or routers and were looking for something similar on Palo Alto Networks? Or were you searching for a way to secure an emergency access to a critical server, or even to the firewall interface, over the internet, but you don't want to expose this to the complete internet? Actually, you don't want to expose it at all. If this sounds familiar to you, then this post is for you. This blog was written by Cyber Elite member

With features included in PAN-OS, without any additional subscription, it is possible to secure a critical access. This access is not detectable by the scans that run continuously on the internet (for example from shodan.io or actual threat actors), and at the same time it is easy to use and enables access from anywhere without depending on a fixed source IP address. Even if you are not looking for this creative solution, this post offers ideas and possibilities when using a Palo Alto firewall (and might lead to even better use cases).

In my example I will secure my GlobalProtect access. I don't want this VPN gateway to be discoverable by anyone. Prior to this idea, I was working with geolocation restrictions, but even this was not good enough for me (a very paranoid person in some situations). At the beginning, I wrote down the keyword "port knocking". With this in mind, I searched for a way to implement it. In the past, I used the built-in actions in log forwarding profiles to dynamically add some IPs to special decryption rules where the certificate validation was disabled, so I started with this here too.

I created a deny firewall rule with a specific port and my GlobalProtect gateway IP as the destination. On this rule, I configured a log forwarding profile with a built-in action that tags the source IP, which is then added to an address group that is allowed to connect to GlobalProtect. So far, pretty easy: I send a TCP SYN to a specific port and after that I am able to connect with GlobalProtect.

Unfortunately, this was still not secure enough for me: a port scan of all TCP and UDP ports is done pretty fast, and after that an attacker would also be able to reach my GlobalProtect gateway IP, even though the attacker still has no credentials to access the internal network through a VPN tunnel. So right now the chance of a successful attack is 1:131072 (65536 TCP ports and 65536 UDP ports), or actually much higher, as really only a simple port scan is required.
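The knock-then-connect flow described above, and the weakness of relying on a single knock port, as an added Python model; this is not PAN-OS code or the author's configuration, and the gateway address, knock port and client addresses are constructed:

```python
"""Model of a single-port knock feeding a dynamic address group (constructed, not PAN-OS)."""
from dataclasses import dataclass, field

GATEWAY_IP = "203.0.113.10"   # assumed GlobalProtect gateway address (documentation range)
KNOCK_PORT = 40123            # assumed port used on the deny rule
GP_PORT = 443                 # port the GlobalProtect client connects to


@dataclass
class Firewall:
    # Dynamic address group populated by the log-forwarding built-in "tag source IP" action
    gp_allowed: set = field(default_factory=set)

    def evaluate(self, src: str, dst: str, proto: str, dport: int) -> str:
        """Return the rulebase decision for one session and apply the tagging side effect."""
        if dst != GATEWAY_IP:
            return "deny-default"
        # Rule 1: deny rule on the knock port; its log forwarding profile tags the source IP
        if proto == "tcp" and dport == KNOCK_PORT:
            self.gp_allowed.add(src)
            return "deny-knock (source tagged)"
        # Rule 2: only sources in the tagged address group may reach GlobalProtect
        if proto == "tcp" and dport == GP_PORT and src in self.gp_allowed:
            return "allow-gp"
        return "deny-default"


def single_guess_odds() -> int:
    """Odds against a single blind guess of the knock: every TCP plus every UDP port."""
    return 65536 + 65536   # 1:131072, as stated in the post


def scan_finds_knock(fw: Firewall, scanner: str) -> bool:
    """A full TCP sweep inevitably hits the knock port, so the scanner ends up tagged."""
    for port in range(1, 65536):
        fw.evaluate(scanner, GATEWAY_IP, "tcp", port)
    return fw.evaluate(scanner, GATEWAY_IP, "tcp", GP_PORT) == "allow-gp"


if __name__ == "__main__":
    fw = Firewall()
    client = "198.51.100.7"  # constructed legitimate client
    print(fw.evaluate(client, GATEWAY_IP, "tcp", GP_PORT))      # deny-default (no knock yet)
    print(fw.evaluate(client, GATEWAY_IP, "tcp", KNOCK_PORT))   # deny-knock (source tagged)
    print(fw.evaluate(client, GATEWAY_IP, "tcp", GP_PORT))      # allow-gp
    print(scan_finds_knock(Firewall(), "192.0.2.99"))           # True: a sweep defeats one knock
```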