Palo Alto Networks - Authentication
Alberto Rivai – Senior Systems Engineer

Agenda
- Authentication Methods
- Supported Authentication in Palo Alto Networks firewall
- 2FA demo

Authentication Protocols
- PAP
- CHAP
- MS-CHAP
- EAP

PAP
- Password Authentication Protocol
- PAP is not the only authentication protocol, but it is probably the most generic and widely used.
- Transmits the password in clear text, but...
  – The password is only in clear text between the user and the NAS.
  – When the NAS forwards the request to the RADIUS server, the password is hidden in the User-Password attribute: it is XORed with an MD5 stream derived from the shared secret and the Request Authenticator (RFC 2865). This is keyed obfuscation rather than strong encryption, so anyone who knows the shared secret can reverse it; the secret must be long and random, and the NAS-to-RADIUS path should itself be trusted.
- If PAP is used inside a secure tunnel (for example TLS), it is as secure as the tunnel.

CHAP
- Challenge-Handshake Authentication Protocol (RFC 1994)
- Improvement to PAP
- No clear text transmitted over the wire: the client answers a random challenge with MD5(ID || password || challenge), and the server recomputes the same value to verify it.
- Only one major drawback...
- Although only the hash crosses the wire, the server has to recompute it, so the password source has to be available in clear text (or reversibly encrypted) for RADIUS to perform the verification. A server that only stores a one-way password hash, such as a default Active Directory account, cannot verify CHAP.

PAP vs CHAP
Two choices:
1. You allow CHAP and store all the passwords in plain text (or reversibly encrypted).
   Advantage: passwords don't go in clear text over the wire between the user and the terminal server.
   Disadvantage: you have to store the passwords in clear text on the server.
2. You don't allow CHAP, just PAP.
   Advantage: you don't store clear-text passwords on your system.
   Disadvantage: passwords go in clear text over the wire between the user and the terminal server.
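To make the trade-off concrete, here is an added example, not from the original slides, that implements both exchanges in Python: the NAS-side User-Password hiding that PAP uses on the RADIUS leg (RFC 2865 section 5.2) with its server-side reversal, and the CHAP challenge/response (RFC 1994) with its server-side check. The shared secret, password and stored-hash scheme (SHA-256, standing in for whatever the directory really stores) are constructed demo values and the function names are this example's own. It shows why a PAP server can verify against a one-way hash while a CHAP server has to hold the clear-text password, and that a CHAP response cannot be replayed against a new challenge.

```python
"""RADIUS PAP password hiding (RFC 2865 s5.2) and CHAP (RFC 1994) verification.

Added example, not from the original slides. Shows both sides of each
exchange and why a CHAP server needs the clear-text password while a PAP
server can verify against a one-way hash.
"""
import hashlib
import hmac
import os

# Constructed demo values; a real NAS shares the secret with the RADIUS server.
SHARED_SECRET = b"demo-shared-secret"
USER_PASSWORD = b"correct horse battery staple"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Encode User-Password as the NAS does: pad to a multiple of 16 bytes, then
    XOR each block with MD5(secret + previous cipher block), seeded with the
    16-byte Request Authenticator. This is keyed obfuscation, not encryption:
    anyone with the shared secret can reverse it (see pap_reveal_password)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 byte passwords")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def pap_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: undo the hiding and strip the NUL padding (passwords
    ending in NUL bytes are therefore not representable, as in the RFC)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def pap_server_verify(hidden: bytes, secret: bytes, request_authenticator: bytes,
                      stored_hash: bytes) -> bool:
    """A PAP server only needs a one-way hash of the password (SHA-256 here
    for illustration; NT hash, bcrypt, etc. in practice)."""
    pw = pap_reveal_password(hidden, secret, request_authenticator)
    return hmac.compare_digest(hashlib.sha256(pw).digest(), stored_hash)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: MD5(ID || password || challenge). The password never
    leaves the client; only this 16-byte value is sent (CHAP-Password)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_server_verify(ident: int, response: bytes, challenge: bytes,
                       stored_cleartext_password: bytes) -> bool:
    """Server side: must recompute the same hash, so it needs the clear-text
    (or reversibly encrypted) password. A one-way hash is not enough."""
    expected = chap_response(ident, stored_cleartext_password, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run one PAP and one CHAP exchange; returns the outcomes for inspection."""
    req_auth = os.urandom(16)          # per-request random nonce from the NAS
    hidden = pap_hide_password(USER_PASSWORD, SHARED_SECRET, req_auth)
    pap_ok = pap_server_verify(hidden, SHARED_SECRET, req_auth,
                               hashlib.sha256(USER_PASSWORD).digest())

    ident, challenge = 0x2A, os.urandom(16)
    resp = chap_response(ident, USER_PASSWORD, challenge)
    chap_ok = chap_server_verify(ident, resp, challenge, USER_PASSWORD)
    # Replaying the captured response against a fresh challenge fails.
    chap_replay = chap_server_verify(ident, resp, os.urandom(16), USER_PASSWORD)
    return {"pap_hidden_len": len(hidden), "pap_ok": pap_ok,
            "chap_ok": chap_ok, "chap_replay_ok": chap_replay}


if __name__ == "__main__":
    print(demo())
```

Run it directly to see one PAP and one CHAP exchange succeed and the replay fail. The hiding step is reversible by anyone who knows the shared secret, which is the point of the slide: on the NAS-to-RADIUS leg, PAP's confidentiality is exactly the strength of that secret and of the network between the two boxes.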

So... which one is more secure?
- https://live.paloaltonetworks.com/t5/Management-Articles/Active-Directory-Encrypted-Authentication-Settings-for-Device/ta-p/52573

Store password using reversible encryption (Active Directory account option)

So... is it secure?
- Does it mean Windows stores the password in plain text?
- To decrypt the password you need the following components:
  – The encrypted password (G$RADIUSCHAP)
  – The 16-byte random (G$RADIUSCHAPKEY)
  – The global LSA secret (G$MSRADIUSCHAPKEY)
  – A static key hardcoded in RASSFM.DLL
- You need a domain admin account to get the LSA secret.
- A tool called Revdump will do the job for you.
- In summary: anyone who can read the LSA secret can recover every reversibly encrypted password in the domain, so you might as well store the passwords in plain text.
- https://technet.microsoft.com/en-us/library/cc784581(v=ws.10).aspx

MS-CHAP
- Microsoft version of CHAP
- More secure than CHAP in one respect: the server verifies the response from the NT hash of the password, so Active Directory does not need reversible encryption enabled. The NT hash is still password-equivalent to anyone who steals it, and the DES-based MS-CHAPv2 response can be cracked offline if captured outside a protective tunnel (PEAP/TLS), so MS-CHAP is not a substitute for tunneling.

EAP (Extensible Authentication Protocol)
- EAP is used to authenticate a user before he or she is allowed access onto the network. EAP is a framework designed with extensibility in mind; it uses one of many available methods (for example EAP-TLS, PEAP or EAP-TTLS) to authenticate a user.

SAML
- Security Assertion Markup Language

RADIUS VSA
- Vendor-Specific Attributes
  – Specify a method for communicating vendor-specific information between the network access server and the RADIUS server.
  – Attribute 26 encapsulates vendor-specific attributes, allowing vendors to support their own extended attributes that are not suitable for general use.
- Palo Alto Networks defines 5 attributes:
  – PaloAlto-Admin-Role: attribute #1 - either a default admin role name or a custom admin role name.
  – PaloAlto-Admin-Access-Domain: attribute #2 - used when a Palo Alto Networks device has multiple vsys. This is the name of an Access Domain as created under Device > Access Domains.
  – PaloAlto-Panorama-Admin-Role: attribute #3 - either a default admin role name or a custom admin role name on Panorama.
  – PaloAlto-Panorama-Admin-Access-Domain: attribute #4 - the name of an Access Domain configured on Panorama under Panorama > Access Domains.
  – PaloAlto-User-Group: attribute #5 - the name of a group to be used in an Authentication Profile (the returned value must match an entry in the profile's Allow List).
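As an added example, not from the original slides, the following Python encodes and parses Attribute 26 carrying the five Palo Alto attributes and performs the Allow List match that the authentication profile relies on. The vendor ID 25461 comes from the public FreeRADIUS PaloAlto dictionary rather than from the slides; the Access-Accept attribute bytes are constructed for the demo, and the helper names are this example's own.

```python
"""Encode and parse RADIUS Vendor-Specific Attributes (type 26, RFC 2865 s5.26)
for the Palo Alto Networks dictionary. Added example, not from the original
slides. The vendor ID 25461 is taken from the public FreeRADIUS PaloAlto
dictionary; attribute numbers 1..5 are the ones the slides list. The sample
attribute bytes are constructed, not captured."""
import struct

PALOALTO_VENDOR_ID = 25461  # enterprise number used by the PaloAlto dictionary
RADIUS_VSA_TYPE = 26

PALOALTO_ATTRS = {
    1: "PaloAlto-Admin-Role",
    2: "PaloAlto-Admin-Access-Domain",
    3: "PaloAlto-Panorama-Admin-Role",
    4: "PaloAlto-Panorama-Admin-Access-Domain",
    5: "PaloAlto-User-Group",
}
PALOALTO_ATTR_IDS = {v: k for k, v in PALOALTO_ATTRS.items()}


def encode_vsa(name: str, value: str) -> bytes:
    """Build one Attribute 26 TLV:
       Type(26) | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | String"""
    vendor_type = PALOALTO_ATTR_IDS[name]
    data = value.encode()
    if len(data) > 253 - 6 - 2:
        raise ValueError("VSA string too long for one attribute")
    vendor_part = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", PALOALTO_VENDOR_ID) + vendor_part
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body


def parse_attributes(attrs: bytes) -> list:
    """Walk the attribute section of a RADIUS packet and return (name, value)
    pairs for recognised Palo Alto VSAs. Other attribute types, other vendors
    and unknown vendor types are skipped rather than trusted; malformed
    lengths raise so a truncated packet is never partially honoured."""
    out, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        payload = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != RADIUS_VSA_TYPE or len(payload) < 6:
            continue
        vendor_id = struct.unpack("!I", payload[:4])[0]
        if vendor_id != PALOALTO_VENDOR_ID:
            continue
        vpos, vend = 4, len(payload)
        while vpos + 2 <= vend:
            vtype, vlen = payload[vpos], payload[vpos + 1]
            if vlen < 2 or vpos + vlen > vend:
                raise ValueError("bad vendor attribute length")
            name = PALOALTO_ATTRS.get(vtype)
            if name:
                out.append((name, payload[vpos + 2:vpos + vlen].decode(errors="replace")))
            vpos += vlen
    return out


def group_allowed(attrs: bytes, allow_list: set) -> bool:
    """The check the firewall's authentication profile performs when
    'Retrieve user group from RADIUS' is enabled: at least one returned
    PaloAlto-User-Group must match an Allow List entry."""
    groups = {v for n, v in parse_attributes(attrs) if n == "PaloAlto-User-Group"}
    return bool(groups & allow_list)


# Constructed Access-Accept attribute section: an admin role plus a VPN group.
SAMPLE_ACCEPT_ATTRS = (
    encode_vsa("PaloAlto-Admin-Role", "superuser")
    + encode_vsa("PaloAlto-User-Group", "vpn-users")
)

if __name__ == "__main__":
    print(parse_attributes(SAMPLE_ACCEPT_ATTRS))
    print(group_allowed(SAMPLE_ACCEPT_ATTRS, {"vpn-users"}))   # allowed
    print(group_allowed(SAMPLE_ACCEPT_ATTRS, {"admins"}))      # not allowed
```

Because the firewall acts on whatever role and group names the RADIUS server returns, the server (or, with Duo, the proxy in front of it) must only accept clients from known addresses and share a strong secret with the firewall: an Access-Accept is authenticated solely by an MD5 over the packet and the shared secret, so a guessable secret lets an attacker on the path return PaloAlto-Admin-Role=superuser.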

Each attribute in turn:
- PaloAlto-Admin-Role
- PaloAlto-Admin-Access-Domain (this is the access domain name)
- PaloAlto-Panorama-Admin-Role
- PaloAlto-Panorama-Admin-Access-Domain
- PaloAlto-User-Group

Supported Authentication Methods
- As of PAN-OS 7.0*
  – CHAP
  – PAP
- PAN-OS 6
  – PAP
* Beginning with PAN-OS 7.0, the Palo Alto Networks firewall uses CHAP instead of PAP when sending the first RADIUS Access-Request message for authentication.

CHAP/PAP selection
- authd, the process that handles authentication, always tries CHAP first and falls back to PAP only if CHAP fails. It does this for every incoming RADIUS Access-Request until one of two scenarios occurs:
  (1) authd receives an Access-Accept or Access-Challenge from the RADIUS server for the CHAP method (from then on, authd only sends CHAP requests), or
  (2) authd receives an Access-Accept or Access-Challenge from the RADIUS server for the PAP method (from then on, authd only sends PAP requests).
- There is no option to manually disable RADIUS CHAP mode on a Palo Alto Networks firewall running PAN-OS 7.0 or later, either from the command line or the web GUI.
- Practical consequence: a RADIUS server that cannot do CHAP (for example NPS against Active Directory without reversible encryption) rejects the first CHAP attempt and the firewall then settles on PAP; the CHAP attempt costs an extra round trip and typically shows up as a rejected request in the RADIUS server's log, which should not be mistaken for an attack.

Palo Alto Networks Authentication
- Authentication can be used for
  – GlobalProtect
  – Device management / role-based access

Palo Alto Networks 2FA with Duo Security

Configuring 2FA for GlobalProtect using Duo Security
- Step 1: Create RADIUS server profile
  Screenshot callouts:
  – Administrator use only: do not check this. When checked, the profile can only be used to authenticate admin access, not GlobalProtect users.
  – Timeout: the default is 3 seconds. Changed to 30 to give Duo time to complete the second factor (the user has to approve the push or enter a passcode before the RADIUS reply comes back).
  – Server address: the IP address of the Duo Authentication Proxy, not of the backing RADIUS server.

- Step 2: Create Authentication Profile
  Screenshot callouts:
  – Server Profile: select the server name from step 1.
  – Retrieve user group from RADIUS: select this check box to use RADIUS Vendor-Specific Attributes (VSAs) to define the group that has access to the firewall. The PaloAlto-User-Group value returned by the RADIUS server needs to match the Allow List value.
  – User Domain and Username Modifier: modify the domain/username string that a user enters during login, so that what the RADIUS server receives matches the account name it expects.

- Step 3: Use the authentication profile in the GlobalProtect portal and gateway.
- Step 3b: Select cookie authentication for config refresh, so users are not prompted for a second Duo factor every time the GlobalProtect client refreshes its configuration.
- Step 4: Select the authentication profile from step 2.

Duo Proxy configuration (authproxy.cfg)
; [radius_client]: the primary authentication source the proxy forwards the
; first factor (username/password) to, i.e. the existing RADIUS/NPS server.
[radius_client]
host=192.168.1.5
; demo value; use a long random shared secret in production
secret=pass123
port=1812
; [radius_server_auto]: the RADIUS listener the firewall talks to. The
; firewall (radius_ip_1) must use radius_secret_1 and the port below,
; not the secret and port of the upstream server.
[radius_server_auto]
ikey=---------
skey=-------------
api_host=api-0e0dfbb4.duosecurity.com
radius_ip_1=192.168.1.2
radius_secret_1=pass123
; failmode=safe: if the Duo cloud service is unreachable, users who pass the
; first factor are let in; failmode=secure denies them instead.
failmode=safe
; factors=auto: let Duo choose the factor (push, phone call, passcode).
factors=auto
client=radius_client
; the port the firewall's RADIUS server profile must point to
port=1817

You are about to witness a live demo. Something will probably go wrong. (Whatever happens, keep smiling and don't panic!)

Demo
- WARNING: Live demo!
Más contenido relacionado

La actualidad más candente

Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using YubikeyPalo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using YubikeyAlberto Rivai
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overviewBelsoft
 
Understanding Cisco’ Next Generation SD-WAN Technology
Understanding Cisco’ Next Generation SD-WAN TechnologyUnderstanding Cisco’ Next Generation SD-WAN Technology
Understanding Cisco’ Next Generation SD-WAN TechnologyCisco Canada
 
Fortinet FortiOS 5 Presentation
Fortinet FortiOS 5 PresentationFortinet FortiOS 5 Presentation
Fortinet FortiOS 5 PresentationNCS Computech Ltd.
 
12 palo alto app-id concept
12 palo alto app-id concept12 palo alto app-id concept
12 palo alto app-id conceptMostafa El Lathy
 
Fortinet security fabric
Fortinet security fabricFortinet security fabric
Fortinet security fabricANSItunCERT
 
7 palo alto security zones & interfaces concepts
7 palo alto security zones & interfaces concepts7 palo alto security zones & interfaces concepts
7 palo alto security zones & interfaces conceptsMostafa El Lathy
 
17 palo alto threat prevention concept
17 palo alto threat prevention concept17 palo alto threat prevention concept
17 palo alto threat prevention conceptMostafa El Lathy
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPrime Infoserv
 
Secure Access – Anywhere by Prisma, PaloAlto
Secure Access – Anywhere by Prisma, PaloAltoSecure Access – Anywhere by Prisma, PaloAlto
Secure Access – Anywhere by Prisma, PaloAltoPrime Infoserv
 
Succeeding with Secure Access Service Edge (SASE)
Succeeding with Secure Access Service Edge (SASE)Succeeding with Secure Access Service Edge (SASE)
Succeeding with Secure Access Service Edge (SASE)Cloudflare
 
Next generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsNext generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsAnthony Daniel
 
Palo alto networks NAT flow logic
Palo alto networks NAT flow logicPalo alto networks NAT flow logic
Palo alto networks NAT flow logicAlberto Rivai
 
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar  - Zero Trust: Best Practices for Securing the...Cybersecurity Insiders Webinar  - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...Ivanti
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overviewCisco Canada
 

La actualidad más candente (20)

Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using YubikeyPalo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overview
 
Understanding Cisco’ Next Generation SD-WAN Technology
Understanding Cisco’ Next Generation SD-WAN TechnologyUnderstanding Cisco’ Next Generation SD-WAN Technology
Understanding Cisco’ Next Generation SD-WAN Technology
 
19 high availability
19 high availability19 high availability
19 high availability
 
Fortinet FortiOS 5 Presentation
Fortinet FortiOS 5 PresentationFortinet FortiOS 5 Presentation
Fortinet FortiOS 5 Presentation
 
12 palo alto app-id concept
12 palo alto app-id concept12 palo alto app-id concept
12 palo alto app-id concept
 
Fortinet security fabric
Fortinet security fabricFortinet security fabric
Fortinet security fabric
 
7 palo alto security zones & interfaces concepts
7 palo alto security zones & interfaces concepts7 palo alto security zones & interfaces concepts
7 palo alto security zones & interfaces concepts
 
17 palo alto threat prevention concept
17 palo alto threat prevention concept17 palo alto threat prevention concept
17 palo alto threat prevention concept
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security Solution
 
Secure Access – Anywhere by Prisma, PaloAlto
Secure Access – Anywhere by Prisma, PaloAltoSecure Access – Anywhere by Prisma, PaloAlto
Secure Access – Anywhere by Prisma, PaloAlto
 
Succeeding with Secure Access Service Edge (SASE)
Succeeding with Secure Access Service Edge (SASE)Succeeding with Secure Access Service Edge (SASE)
Succeeding with Secure Access Service Edge (SASE)
 
4 palo alto licenses
4 palo alto licenses4 palo alto licenses
4 palo alto licenses
 
Next generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsNext generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefits
 
Palo alto networks NAT flow logic
Palo alto networks NAT flow logicPalo alto networks NAT flow logic
Palo alto networks NAT flow logic
 
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar  - Zero Trust: Best Practices for Securing the...Cybersecurity Insiders Webinar  - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
 
Palo alto-review
Palo alto-reviewPalo alto-review
Palo alto-review
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overview
 
SD WAN
SD WANSD WAN
SD WAN
 
SDWAN.pdf
SDWAN.pdfSDWAN.pdf
SDWAN.pdf
 

Similar a Palo Alto Networks authentication

EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...Jisc
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutionsNick Owen
 
Single Sign-On for APEX applications based on Kerberos (Important: latest ver...
Single Sign-On for APEX applications based on Kerberos (Important: latest ver...Single Sign-On for APEX applications based on Kerberos (Important: latest ver...
Single Sign-On for APEX applications based on Kerberos (Important: latest ver...Niels de Bruijn
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
Cisco asa firewall command line technical guide
Cisco asa firewall command line technical guideCisco asa firewall command line technical guide
Cisco asa firewall command line technical guideMDEMARCOCCIE
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory EnumerationDaniel López Jiménez
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Solarwinds port requirement
Solarwinds port requirementSolarwinds port requirement
Solarwinds port requirementEzahir Amer
 
SAP (in)security: Scrubbing SAP clean with SOAP
SAP (in)security: Scrubbing SAP clean with SOAPSAP (in)security: Scrubbing SAP clean with SOAP
SAP (in)security: Scrubbing SAP clean with SOAPChris John Riley
 
Free radius for wpa2 enterprise with active directory integration
Free radius for wpa2 enterprise with active directory integrationFree radius for wpa2 enterprise with active directory integration
Free radius for wpa2 enterprise with active directory integrationChanaka Lasantha
 
5 ip security dataplace security
5 ip security dataplace security5 ip security dataplace security
5 ip security dataplace securitySagarR24
 
MariaDB MaxScale
MariaDB MaxScaleMariaDB MaxScale
MariaDB MaxScaleMariaDB plc
 
Troubleshooting Apache Cloudstack
Troubleshooting Apache CloudstackTroubleshooting Apache Cloudstack
Troubleshooting Apache CloudstackRadhika Puthiyetath
 
Palo Alto Networks PAN-OS 4.0 New Features
Palo Alto Networks PAN-OS 4.0 New FeaturesPalo Alto Networks PAN-OS 4.0 New Features
Palo Alto Networks PAN-OS 4.0 New Featureslukky753
 
DirectShare Quick Start Setup Guide
DirectShare Quick Start Setup GuideDirectShare Quick Start Setup Guide
DirectShare Quick Start Setup GuideChristian Petrou
 

Similar a Palo Alto Networks authentication (20)

EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutions
 
Single Sign-On for APEX applications based on Kerberos (Important: latest ver...
Single Sign-On for APEX applications based on Kerberos (Important: latest ver...Single Sign-On for APEX applications based on Kerberos (Important: latest ver...
Single Sign-On for APEX applications based on Kerberos (Important: latest ver...
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
Cisco asa firewall command line technical guide
Cisco asa firewall command line technical guideCisco asa firewall command line technical guide
Cisco asa firewall command line technical guide
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory Enumeration
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
802.1x
802.1x802.1x
802.1x
 
Solarwinds port requirement
Solarwinds port requirementSolarwinds port requirement
Solarwinds port requirement
 
SAP (in)security: Scrubbing SAP clean with SOAP
SAP (in)security: Scrubbing SAP clean with SOAPSAP (in)security: Scrubbing SAP clean with SOAP
SAP (in)security: Scrubbing SAP clean with SOAP
 
Free radius for wpa2 enterprise with active directory integration
Free radius for wpa2 enterprise with active directory integrationFree radius for wpa2 enterprise with active directory integration
Free radius for wpa2 enterprise with active directory integration
 
Aruba OS 6.4 Command Line Interface Reference Guide
Aruba OS 6.4 Command Line Interface Reference GuideAruba OS 6.4 Command Line Interface Reference Guide
Aruba OS 6.4 Command Line Interface Reference Guide
 
ARPMiner Manual
ARPMiner ManualARPMiner Manual
ARPMiner Manual
 
5 ip security dataplace security
5 ip security dataplace security5 ip security dataplace security
5 ip security dataplace security
 
MariaDB MaxScale
MariaDB MaxScaleMariaDB MaxScale
MariaDB MaxScale
 
Troubleshooting Apache Cloudstack
Troubleshooting Apache CloudstackTroubleshooting Apache Cloudstack
Troubleshooting Apache Cloudstack
 
Palo Alto Networks PAN-OS 4.0 New Features
Palo Alto Networks PAN-OS 4.0 New FeaturesPalo Alto Networks PAN-OS 4.0 New Features
Palo Alto Networks PAN-OS 4.0 New Features
 
Aruba cppm 6_1_user_guide
Aruba cppm 6_1_user_guideAruba cppm 6_1_user_guide
Aruba cppm 6_1_user_guide
 
DirectShare Quick Start Setup Guide
DirectShare Quick Start Setup GuideDirectShare Quick Start Setup Guide
DirectShare Quick Start Setup Guide
 

Más de Alberto Rivai

FUEL - Strata Cloud Management - Master Deck.pdf
FUEL - Strata Cloud Management - Master Deck.pdfFUEL - Strata Cloud Management - Master Deck.pdf
FUEL - Strata Cloud Management - Master Deck.pdfAlberto Rivai
 
Palo Alto Networks CASB
Palo Alto Networks CASBPalo Alto Networks CASB
Palo Alto Networks CASBAlberto Rivai
 
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config GuideCisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config GuideAlberto Rivai
 
User Expert forum Wildfire configuration
User Expert forum Wildfire configurationUser Expert forum Wildfire configuration
User Expert forum Wildfire configurationAlberto Rivai
 
User id installation and configuration
User id installation and configurationUser id installation and configuration
User id installation and configurationAlberto Rivai
 
User expert forum user-id
User expert forum   user-idUser expert forum   user-id
User expert forum user-idAlberto Rivai
 

Más de Alberto Rivai (6)

FUEL - Strata Cloud Management - Master Deck.pdf
FUEL - Strata Cloud Management - Master Deck.pdfFUEL - Strata Cloud Management - Master Deck.pdf
FUEL - Strata Cloud Management - Master Deck.pdf
 
Palo Alto Networks CASB
Palo Alto Networks CASBPalo Alto Networks CASB
Palo Alto Networks CASB
 
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config GuideCisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
 
User Expert forum Wildfire configuration
User Expert forum Wildfire configurationUser Expert forum Wildfire configuration
User Expert forum Wildfire configuration
 
User id installation and configuration
User id installation and configurationUser id installation and configuration
User id installation and configuration
 
User expert forum user-id
User expert forum   user-idUser expert forum   user-id
User expert forum user-id
 

Último

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 

Último (20)

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

Palo Alto Networks authentication

 In summary: reversible encryption gives no real protection against a domain admin (or anyone else who obtains the LSA secret), so you might as well store the passwords in plain text.
 https://technet.microsoft.com/en-us/library/cc784581(v=ws.10).aspx
11
MS-CHAP
 Microsoft version of CHAP
 More secure than CHAP: the challenge response is computed from the NT hash of the password, so the server only has to store that hash instead of a cleartext or reversibly encrypted password
 Caveat: the MS-CHAPv2 exchange itself reduces to a DES key search and can be cracked offline by anyone who captures it, so like PAP it should only be used inside a protected tunnel (PEAP, a TLS VPN)
12
EAP (Extensible Authentication Protocol)
 EAP is used to authenticate a user before he or she is allowed access onto the network.
 EAP is a framework designed for extensibility: it carries one of many available methods (EAP-TLS, PEAP, EAP-TTLS, ...) to authenticate a user.
13
SAML
 Security Assertion Markup Language
15
RADIUS VSA
 Vendor Specific Attributes
– Specifies a method for communicating vendor-specific information between the network access server and the RADIUS server.
– Attribute 26 encapsulates vendor-specific attributes, allowing vendors to support their own extended attributes that are otherwise not suitable for general use.
 There are 5 Palo Alto Networks attributes:
– PaloAlto-Admin-Role: Attribute #1 - Either a default admin role name or a custom admin role name.
– PaloAlto-Admin-Access-Domain: Attribute #2 - Used when a Palo Alto Networks device has multiple vsys. This is the name of an Access Domain as created under Device > Access Domains.
– PaloAlto-Panorama-Admin-Role: Attribute #3 - Either a default admin role name or a custom admin role name on Panorama.
– PaloAlto-Panorama-Admin-Access-Domain: Attribute #4 - The name of an Access Domain configured on Panorama as created under Panorama > Access Domains.
– PaloAlto-User-Group: Attribute #5 - The name of a group to be used in an Authentication Profile.
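How attribute 26 actually carries the five attributes above, as an added example (this is not code from the presentation or from Palo Alto Networks): it encodes and decodes RFC 2865 Vendor-Specific attributes, pulls out the Palo Alto Networks sub-attributes from an Access-Accept, and applies the exact-match check the Authentication Profile Allow List performs on PaloAlto-User-Group. The vendor-id 25461 (Palo Alto Networks' IANA enterprise number) is supplied here and is not on the slide; the Access-Accept attribute bytes are constructed.

```python
"""RFC 2865 Vendor-Specific (attribute 26) encoding and decoding for the Palo Alto Networks VSAs.

Added example, not part of the presentation. The vendor-id 25461 is Palo Alto
Networks' IANA enterprise number and is supplied here (the slide gives only the
sub-attribute numbers); the Access-Accept attribute bytes are constructed.
"""
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 5.26
REPLY_MESSAGE = 18            # RFC 2865 5.18, used only as a non-VSA attribute in the sample
PALOALTO_VENDOR_ID = 25461    # supplied, not on the slide
PALOALTO_VSA = {
    1: "PaloAlto-Admin-Role",
    2: "PaloAlto-Admin-Access-Domain",
    3: "PaloAlto-Panorama-Admin-Role",
    4: "PaloAlto-Panorama-Admin-Access-Domain",
    5: "PaloAlto-User-Group",
}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Generic RADIUS TLV: Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Attribute 26: Vendor-Id(4, high octet 0) followed by Vendor-Type/Vendor-Length/Value."""
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + encode_attr(vendor_type, value))


def iter_attrs(data: bytes):
    """Walk a TLV sequence; rejects truncated or zero-length attributes instead of looping."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[off + 2:off + length]
        off += length


def decode_paloalto_vsas(attrs: bytes) -> dict:
    """Return {VSA name: value} for the Palo Alto Networks sub-attributes in an Access-Accept."""
    found = {}
    for attr_type, value in iter_attrs(attrs):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != PALOALTO_VENDOR_ID:
            continue  # some other vendor's VSA, ignore it
        for vendor_type, vendor_value in iter_attrs(value[4:]):   # may carry several sub-attributes
            name = PALOALTO_VSA.get(vendor_type)
            if name:
                found[name] = vendor_value.decode("utf-8", "replace")
    return found


def group_allowed(vsas: dict, allow_list) -> bool:
    """Authentication Profile with the RADIUS-group option: the returned
    PaloAlto-User-Group must match an Allow List entry exactly (case included)."""
    return vsas.get("PaloAlto-User-Group") in set(allow_list)


# Constructed Access-Accept attribute payload: two Palo Alto VSAs plus an unrelated Reply-Message.
SAMPLE_ACCEPT_ATTRS = (
    encode_vsa(PALOALTO_VENDOR_ID, 5, b"gp-users")
    + encode_vsa(PALOALTO_VENDOR_ID, 1, b"superuser")
    + encode_attr(REPLY_MESSAGE, b"ok")
)

if __name__ == "__main__":
    vsas = decode_paloalto_vsas(SAMPLE_ACCEPT_ATTRS)
    print(vsas)                                # {'PaloAlto-User-Group': 'gp-users', 'PaloAlto-Admin-Role': 'superuser'}
    print(group_allowed(vsas, ["gp-users"]))   # True
```

The decoder deliberately skips VSAs from other vendors and raises on malformed lengths; a RADIUS dictionary entry for a different vendor-id, or a group name that differs only in case from the Allow List, both end in an Access-Accept that the firewall still treats as "not in the allow list".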
19
Supported Authentication Methods
 As of PAN-OS 7.0*
– CHAP
– PAP
 PAN-OS 6
– PAP
* Beginning with PAN-OS 7.0 the Palo Alto Networks firewall uses CHAP instead of PAP when sending the first RADIUS Access-Request for an authentication
20
CHAP/PAP selection
 authd, the process which handles authentication, always tries CHAP first and PAP next, and only if CHAP fails. This is done for every incoming RADIUS Access-Request until one of two things happens:
– (1) authd receives an Access-Accept or Access-Challenge from the RADIUS server for the CHAP method (from then on, authd only sends CHAP requests), or
– (2) authd receives an Access-Accept or Access-Challenge from the RADIUS server for the PAP method (from then on, authd only sends PAP requests)
 Practical consequence: against a back end that cannot verify CHAP (e.g. Active Directory without reversible encryption), every authentication costs a rejected CHAP attempt until the first PAP success locks PAP in
 There is no option to manually disable RADIUS CHAP mode on a Palo Alto Networks firewall running PAN-OS 7.0 or later, either from the command line or the web GUI
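The two RADIUS password attributes the deck compares, as an added example that is not code from the presentation or from Palo Alto Networks: it implements the RFC 2865 User-Password hiding PAP uses on the wire, the CHAP challenge-response, and the server-side verification of each, which is where the CHAP drawback shows up (a CHAP verifier must recompute MD5 over the cleartext password, so it fails against a store that only holds a one-way hash, while a PAP verifier works fine against such a store). The last function only mimics the CHAP-first, PAP-on-failure, lock-in ordering the slide describes; it is not the firewall's authd. The shared secret, password, Request Authenticator and salt are constructed test values.

```python
"""PAP vs CHAP inside RADIUS (RFC 2865 sections 5.2 and 5.3) and what each forces the server to store.

Added example, not code from the presentation. The shared secret, password,
Request Authenticator and salt are constructed test values; the authd-style
method selection at the bottom only mimics the ordering the slide describes.
"""
import hashlib
import hmac
import os

SHARED_SECRET = b"radius-shared-secret"   # NAS <-> RADIUS secret (constructed)
PASSWORD = b"Correct Horse Battery"       # user's password (constructed)
REQUEST_AUTH = bytes(range(16))           # 16-byte Request Authenticator; fixed here, random in real traffic
SALT = b"constructed-salt"                # salt for the one-way password hash (constructed)


def pap_encrypt(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password (type 2) hiding: pad to a 16-byte multiple, then
    c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ...  (RFC 2865 5.2)."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = request_auth, b""
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def pap_decrypt(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_encrypt: the RADIUS server recovers the cleartext password."""
    prev, out = request_auth, b""
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password (type 3) value: MD5(CHAP-Ident || password || challenge) (RFC 1994)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


class UserRecord:
    """What the RADIUS back end holds for one user."""
    def __init__(self, password: bytes, keep_cleartext: bool):
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password, SALT, 100_000)   # one-way
        self.cleartext = password if keep_cleartext else None                   # needed for CHAP only


def verify_pap(rec: UserRecord, hidden_pw: bytes, secret: bytes, request_auth: bytes) -> bool:
    """PAP: the server sees the password, so a one-way hash is enough to verify it."""
    candidate = pap_decrypt(hidden_pw, secret, request_auth)
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", candidate, SALT, 100_000), rec.pw_hash)


def verify_chap(rec: UserRecord, chap_id: int, response: bytes, challenge: bytes):
    """CHAP: the server must recompute MD5(id || password || challenge), which is impossible
    from a one-way hash. Returns None (i.e. Access-Reject) when no cleartext is stored."""
    if rec.cleartext is None:
        return None
    return hmac.compare_digest(chap_response(chap_id, rec.cleartext, challenge), response)


def authd_authenticate(rec: UserRecord, state: dict, chap_id: int = 1):
    """Mimics the ordering on the slide: CHAP first, PAP only if CHAP fails, then stick
    with whichever method the server first accepted. Returns (method, accepted)."""
    methods = [state["locked"]] if state.get("locked") else ["CHAP", "PAP"]
    for method in methods:
        if method == "CHAP":
            challenge = os.urandom(16)
            ok = verify_chap(rec, chap_id, chap_response(chap_id, PASSWORD, challenge), challenge)
        else:
            ok = verify_pap(rec, pap_encrypt(PASSWORD, SHARED_SECRET, REQUEST_AUTH), SHARED_SECRET, REQUEST_AUTH)
        if ok:
            state["locked"] = method
            return method, True
    return methods[-1], False


if __name__ == "__main__":
    hashed_only = UserRecord(PASSWORD, keep_cleartext=False)   # e.g. AD without reversible encryption
    state = {}
    print(authd_authenticate(hashed_only, state))              # ('PAP', True): CHAP was rejected first
    print(authd_authenticate(hashed_only, state))              # ('PAP', True): PAP is now locked in
    print(authd_authenticate(UserRecord(PASSWORD, True), {}))  # ('CHAP', True)
```

Note what pap_encrypt is and is not: the password is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator, so anyone holding the shared secret (or who can brute-force a weak one from captured traffic) reads it back, which is why the deck says PAP is only as secure as the tunnel around it. CHAP never exposes the password on the wire, but the server pays for that by keeping it in recoverable form.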
21
Palo Alto Networks Authentication
 Authentication can be used for
– GlobalProtect
– Device management / role-based access
22
Palo Alto Networks 2FA with Duo Security
23
Configuring 2FA for GlobalProtect using Duo Security
 Step 1 – Create the RADIUS server profile
– Do not check the administrator-only box: when checked, the profile can only be used to authenticate admin access
– The default timeout is 3 seconds; change it to 30 to give Duo time to complete the second factor (push, call or passcode) before the firewall retries or gives up
– Server address: the IP address of the Duo proxy
24
Configuring 2FA for GlobalProtect using Duo Security
 Step 2 – Create the Authentication Profile
– Select the server profile from step 1
– Select the check box to use RADIUS Vendor-Specific Attributes (VSAs) to define the group that has access to the firewall; the value returned by the RADIUS server (PaloAlto-User-Group) must exactly match the Allow List value
– Optionally modify the domain/username string that a user enters during login
25
Configuring 2FA for GlobalProtect using Duo Security
 Step 3 – Use the authentication profile in the GlobalProtect portal and gateway
26
Configuring 2FA for GlobalProtect using Duo Security
 Step 3b – Select cookie authentication for config refresh, so the client does not go back through RADIUS (and trigger another Duo prompt) every time the portal configuration is refreshed
27
 Step 4 – Select the authentication profile from step 2
29
You are about to witness a live demo. Something will probably go wrong. (Whatever happens, keep smiling and don’t panic!)