
5 Minute Fix: Zero Trust

USING APP-ID, USER-ID

DEMO GUIDE

VER 1.1, January 2022
Table of Contents

Demo Environment Overview
    Demo Environment Topology
Introduction and Objective
Setting the Demo Stage
Demo Steps
Activity 1: Prepare for the Demo
    Task 1: Log into the Lab Environment
    Task 2: Login to the Firewall
Activity 2: Demo
    Task 1: Access Gmail as an Unknown User
    Task 2: Access Gmail as a Known User
Follow Up
Key Questions

Palo Alto Networks



Demo Environment Overview


• Product Type: Strata or Prisma Access
• Product Version: 10.0.0
• Prep Time: 30 minutes
• Demo Time: 4-5 minutes
• Demo Environment: PANWLABS
• Virtual Machines Deployed:
  • Pan-panos-vm50 - Firewall that enforces the User-ID and App-ID policy used in this demo
  • Msft-w10 - Client machine used for the demo
  • Msft-dc - Windows domain controller used for User-ID




Demo Environment Topology




Introduction and Objective


Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating trust from your
organization. Rooted in the principle of “never trust, always verify,” Zero Trust is designed to prevent lateral
movement. No matter which technology or vendor you use to deploy Zero Trust, the strategy remains the
same. Ultimately, Zero Trust is a Layer 7 policy statement, which means it takes Layer 7 controls to enforce
this policy.

Zero Trust Policy creation is known as the Kipling Method. This is named after the esteemed writer Rudyard
Kipling, who gave the world the concepts of Who, What, When, Where, Why, and How in 1902. To gain a
better understanding, check out this video and then review the Zero Trust Terminology guide which will help
you decipher Zero Trust terminology, and understand what Zero Trust is, and just as important, what Zero
Trust isn’t. And finally, be sure to review the Best Practices for Implementing Zero Trust guide.

Zero Trust policy determines who can transit the microperimeter at any point in time, preventing access
from unauthorized users to your protected surface, and prevents the exfiltration of sensitive data. True Zero
Trust can only be done at Layer 7. The Kipling Method of creating Zero Trust policy enables Layer 7 policy for
granular enforcement so that only known allowed traffic or legitimate application communication is allowed.
This method reduces the attack surface while also significantly reducing the number of port-based firewall
rules. With the Kipling Method, you can easily write Zero Trust policy by answering:

• Who should be accessing a resource? This defines the “asserted identity.”

• What application is the asserted identity using to access a resource inside the protected
surface?

• When is the asserted identity trying to access the resource?

• Where is the packet destination? A packet’s destination is often automatically pulled from other
systems that manage assets in an environment, such as from a load-balanced server via a virtual IP.

• Why is this packet trying to access this resource within the protected surface? This relates to data
classification, where metadata automatically ingested from data classification tools helps make your
policy more granular.

• How is the asserted identity accessing the protected surface via a specific application?




Setting the Demo Stage


• If you haven’t already done so, watch John’s introduction and overview of the Kipling Method and Zero
Trust HERE.
• Watch the instructor version of the demo video HERE.




Demo Steps
• After you’ve watched the Demo Instruction Video mentioned above, watch the Demo Example Video
HERE.

• The demo example has 3 minutes of introduction; the demo itself begins at the 3 minute mark. It is
an excellent example of a clear, concise, on-message and brief presentation.




Activity 1: Prepare for the Demo

TASK 1: LOG INTO THE LAB ENVIRONMENT

If you have not already requested your lab instance, do so by clicking HERE.

Once you have submitted the request to provision this lab environment, you will receive an email similar to
the one below with your login credentials. Pay close attention to expiration date, as these labs have a limited
amount of time in which they remain active.

1. Click on the link included in the email you received, and enter the username and password as shown here:

2. Prior to reaching the Windows login screen, you are shown a list of accounts that can be used.
For this demo, you will first log in with a local (non-domain) account. Because that logon is not a
domain logon, the firewall sees no domain user mapped to the client’s IP address (at most the local
account), so the session will not match the allow rule: the firewall does not ‘trust’ the user and
blocks the connection request to Gmail. Click OK to load the Windows login screen.

3. At the Windows login prompt click Other User in the bottom left corner and enter MSFT-
W10\panse as the username, and Paloalto1! as the password and login to the Windows 10
environment.




4. Note: Once you successfully log in, if the GlobalProtect Login window appears, close it, as you will
not use that feature for this demo.




TASK 2: LOGIN TO THE FIREWALL


1. Double-click Google Chrome on your desktop and browse to https://pan-vm50.demoinabox.net/

2. Login to the firewall using the following credentials: admin/Paloalto1!

3. Navigate to Monitor > Logs > User-ID. The IP address of the Windows client PC is 192.168.45.200.
Since you logged in using a local computer account, you will notice that User-ID has mapped that IP
address to a non-domain account, as shown here:

If you skipped reviewing the instructor video referenced above, now would be a good time to watch it. The
video will provide you with an overview of how to run through the demo. Feel free to tweak your presentation
to fit your style but remember that the goal is to effectively demonstrate the value and benefits of
implementing zero trust.




Activity 2: Demo
TASK 1: ACCESS GMAIL AS AN UNKNOWN USER
1. Navigate to Policies > Security. Type gmail into the search bar and execute the filter to display the
two security policy rules for Gmail. As you saw in the instructor video, provide a quick overview of
the two policies to explain how the first rule will allow authenticated domain users access to Gmail,
while all other users will be denied access to Gmail.

2. Open another browser tab and navigate to www.gmail.com and notice that because the panse user is a
local computer account, it will not match the allow rule. As a result, it will be processed by the next
rule in the policies which blocks access to non-domain users.

3. Return to the firewall and navigate to Monitor > Logs > Traffic and show the traffic log that has
the details of why the firewall blocked the traffic (Zero Trust - I don’t know who this user is, so we
aren’t going to allow access). Note: clear any existing filter that may be in place so you can see all
traffic logs.




TASK 2: ACCESS GMAIL AS A KNOWN USER

Now that you’ve demonstrated how the firewall will block access from unknown users, you will log out, and
log back in using a domain account which will be picked up by the user-id agent and map the IP address
to a known/authorized user, and access to Gmail will be allowed. First you will need to sign out of the
panse account.

1. Click the start menu on the Windows desktop.

2. Click panse

3. Click Sign out

4. Prior to reaching the Windows login screen, you are shown a few different accounts that can be
used. For this demo, you will log in as Chewie as shown below. Click OK to begin the login process.

5. At the Windows login prompt, click Other User then enter Chewie as the username, and Paloalto1!
as the password.




6. After closing the GlobalProtect Login Window (if it appears), double-click Google Chrome on your
desktop and browse to https://pan-vm50.demoinabox.net/

7. Login to the firewall using the following credentials: admin/Paloalto1!

8. Navigate to Monitor > Logs > User-ID. Notice that the user-id agent has properly mapped chewie
to the IP address of 192.168.45.200.

9. Open another browser tab and navigate to www.gmail.com. This time the firewall will allow access
because it knows the user is part of the domain users group, and is processed by the Safely Enable
Gmail for Authenticated Users rule.

10. Return to the firewall and navigate to Monitor > Logs > Traffic and show the traffic log entry with
the details of why the firewall allowed the traffic this time: the session matched the Safely Enable
Gmail for Authenticated Users rule. (You might need to filter the log to quickly locate the entry.)

That’s it for the demonstration. In just a few minutes you were able to effectively show how the firewall uses
a combination of User-ID and App-ID to implement a zero trust security policy rule set that blocks access to
untrusted users/applications (zero trust), while allowing authorized users access to approved applications.
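To make the Kipling fields from the introduction and the two Gmail rules in this activity concrete, the following is an added example written for this guide, not PAN-OS code and not something you run on the lab firewall. It models the three inputs the demo depends on: the User-ID IP-to-user mapping you inspected under Monitor > Logs > User-ID, the group mapping that tells the firewall who is in "domain users", and a top-down, first-match rulebase keyed on user (Who) and App-ID (What). It replays the two demo scenarios and adds two failure modes the demo does not walk through: a mapping that has aged out, and an approved user on an application neither rule covers. Everything not stated in the guide is an assumption: the deny rule's name, the lab domain `lab.local`, the 45-minute mapping timeout, and the interzone default deny.

```python
"""Toy model of User-ID + App-ID rule evaluation for the Gmail demo.

Added example for this guide; not PAN-OS code. Mapping timeout, deny rule name,
lab domain and the interzone default deny are assumptions, not values from the lab.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_TIMEOUT_S = 45 * 60  # assumed mapping lifetime; use the agent's configured timeout in practice


@dataclass(frozen=True)
class Rule:
    name: str
    source_user: str   # "any", "known-user", "unknown", "group:<name>" or an exact user
    application: str   # App-ID name or "any"
    action: str        # "allow" or "deny"


# Rule 1 is named in the guide; the second (deny) rule's name is assumed.
RULEBASE: List[Rule] = [
    Rule("Safely Enable Gmail for Authenticated Users", "group:domain users", "gmail", "allow"),
    Rule("Block Gmail for Everyone Else", "any", "gmail", "deny"),
]

# Constructed group mapping. The lab domain is not given in the guide, so
# "lab.local" is a placeholder; chewie is the domain account the demo uses.
GROUPS: Dict[str, Set[str]] = {"domain users": {"lab.local\\chewie"}}


class UserIdTable:
    """IP-to-user mappings with an expiry, as a User-ID agent would keep them."""

    def __init__(self, timeout_s: int = DEFAULT_TIMEOUT_S) -> None:
        self.timeout_s = timeout_s
        self._entries: Dict[str, Tuple[str, float]] = {}

    def learn(self, ip: str, user: str, now: float) -> None:
        # A new logon on the same IP replaces the previous mapping (one user per IP).
        self._entries[ip] = (user.lower(), now)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self._entries.get(ip)
        if entry is None:
            return None
        user, learned_at = entry
        if now - learned_at > self.timeout_s:
            del self._entries[ip]   # stale mapping: the firewall no longer knows who this is
            return None
        return user


def user_matches(spec: str, user: Optional[str]) -> bool:
    """Does the rule's source-user field (Who) match the resolved user?"""
    if spec == "any":
        return True
    if spec == "unknown":
        return user is None
    if spec == "known-user":
        return user is not None
    if spec.startswith("group:"):
        return user is not None and user in GROUPS.get(spec[len("group:"):], set())
    return user is not None and user == spec.lower()


def evaluate(table: UserIdTable, ip: str, app: str, now: float,
             rulebase: List[Rule] = RULEBASE) -> Tuple[str, str, Optional[str]]:
    """Return (rule name, action, resolved user) for a session; first match wins.

    Sessions matching no explicit rule fall to an assumed interzone default deny.
    """
    user = table.lookup(ip, now)
    for rule in rulebase:
        if rule.application in ("any", app) and user_matches(rule.source_user, user):
            return rule.name, rule.action, user
    return "interzone-default", "deny", user


def run_demo() -> List[Tuple[str, str, str, Optional[str]]]:
    """Replay the demo's two scenarios plus the failure modes the guide does not show."""
    client = "192.168.45.200"     # the Windows client IP given in the guide
    table = UserIdTable()
    results = []

    # Task 1: local (non-domain) account -> not in "domain users" -> deny rule.
    table.learn(client, "MSFT-W10\\panse", now=0)
    results.append(("local account", *evaluate(table, client, "gmail", now=10)))

    # Task 2: domain account chewie -> mapping + group membership -> allow rule.
    table.learn(client, "lab.local\\chewie", now=100)
    results.append(("domain account", *evaluate(table, client, "gmail", now=110)))

    # Caveat 1: the mapping has aged out, so the firewall sees an unknown user again.
    results.append(("stale mapping", *evaluate(table, client, "gmail", now=100 + DEFAULT_TIMEOUT_S + 1)))

    # Caveat 2: a known, authorized user on an application neither Gmail rule covers.
    table.learn(client, "lab.local\\chewie", now=200)
    results.append(("other app", *evaluate(table, client, "ssh", now=210)))
    return results


if __name__ == "__main__":
    for label, rule, action, user in run_demo():
        print(f"{label:15} user={user or 'unknown':22} -> {action:5} ({rule})")
```

Run it directly to print one line per scenario. The on-box counterparts of `lookup` and `evaluate` are the PAN-OS CLI commands `show user ip-user-mapping ip 192.168.45.200` and `test security-policy-match`, which are worth having ready when a customer asks why a session hit a rule they did not expect; the stale-mapping case is the one that most often surprises people after the demo.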




Follow Up
There are plenty of examples of networks compromised by attackers because of gaps in security
configuration. Often these breaches could have been prevented if a zero trust approach had been taken. One
of the more recent breaches you have likely heard about is the SolarWinds attack. Review the information
below and consider incorporating it into your zero trust conversation with the customer as you roll through
this demo.

In a good write-up of SUNBURST network behavior by Joe Slowik, Senior Researcher at DomainTools, his
conclusion stood out; it is excerpted below. Read it and ask yourself: Zero Trust, anyone?

Our own Unit 42 threat brief on SolarStorm and SUNBURST reaches a similar conclusion and includes coverage
for customers.

The SUNBURST campaign represents a uniquely distressing intrusion event with implications for multiple
industries and network operators. The ubiquity of SolarWinds in large networks, combined with the
potentially long dwell time of intrusions facilitated by this compromise, mean victims of this campaign need
not only recover their SolarWinds instance, but may need to perform widespread password resets, device
recovery, and similar restoration activity to completely evict an intruder.

A word on threat intelligence: at a bare minimum, and that means exactly what it says, follow Unit 42. If you
have not visited Unit 42’s site lately, do yourself a favor and spend 10 minutes on it. Check out the ATOMs
section and hover over North America to see what is already there; take a screenshot, because that is what
you will show the customer.




Key Questions
The ability to create easy to build and understand policies is a key differentiator for Palo Alto Networks. A
Kipling Method Zero Trust Policy is a plain language way of showing leadership that there is a granular and
robust security policy protecting an organization.

Showing a customer how easy it is to create a Kipling Method Policy helps propel the company to a deeper
commitment towards a Zero Trust framework, which is one of our sweetspots.

Some key things to look for in an account:

• What compliance objectives are they compelled to meet? Compliance is a massive driver for security
and it is generally based around a specific data element. For example, PCI compliance is focused on
credit card numbers and GDPR is focused on Personally Identifiable Information (PII).
• Do they have auditors who often ask to review firewall rules? Auditors love Zero Trust and this Kipling
Method concept. It makes it easy to validate a firewall rule. PCI DSS Requirement 1.1.7 (v3.2.1 numbering;
the same control is Requirement 1.2.7 in PCI DSS v4.0) demands that firewall and router rule sets be
reviewed at least every six months.

• Does the company have a network segmentation initiative? Network Segmentation is a key driver
towards Zero Trust. Think of each Kipling Method Policy rule as a Layer 7 segment. Remember,
you can segment a network without touching the infrastructure using Zero Trust and Palo Alto
Networks technology.



HEADQUARTERS
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054, USA
http://www.paloaltonetworks.com
Phone: +1 (408) 753-4000
Sales: +1 (866) 320-4788
Fax: +1 (408) 753-4001
info@paloaltonetworks.com

© 2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our
trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned
herein may be trademarks of their respective companies. Palo Alto Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
