# All Layers Are Not Created Equal

By [John Kindervag](https://www.paloaltonetworks.com/blog/author/john-kindervag/), May 01, 2019. Categories: Cybersecurity, Secure the Enterprise. Tags: App-ID, Content-ID, network segmentation, User-ID, Zero Trust.

### ***How the Principles of Journalism Help Define Zero Trust Policy***

Everyone knows that in order for a news article, blog post or white paper to have any credibility, a writer needs to cover the "who, what, where, when, why and how" of the topic. Without covering these things, the reader is left with a partial story. We can credit Rudyard Kipling for clearly defining these journalistic essentials for us:

> *I keep six honest serving-men*
> *(They taught me all I knew);*
> *Their names are What and Why and When*
> *And How and Where and Who.*
>
> \- Rudyard Kipling, *Just So Stories*, 1902

However, the usefulness of this "Kipling Method" extends far beyond journalistic best practices. For years, I have used the Kipling Method to help companies define policy and build Zero Trust networks. It ensures that security teams are thorough in their definitions and that anyone, including non-technical business executives, can understand cybersecurity policies due to the simplicity of the approach. Given that the first design principle of Zero Trust is to focus on business objectives, this method is particularly useful.

**Policy at Layer 3 vs. Policy at Layer 7**

In order to actually apply the Kipling Method and build a real Zero Trust architecture, you need to understand why it cannot be done with Layer 3 technologies. First, what is the difference between Layer 3 and Layer 7?

Layer 3 is the layer where information is evaluated based only on IP address, port or protocol. It is severely limited by how little can be seen at that layer. IP addresses can be spoofed. A simple port scan will uncover all the open ports, so an attacker can encapsulate stolen data and exfiltrate it across any one of them, and the protocol is really just a metadata tag that helps the administrator understand the type of traffic that is supposed to be traversing a specific port. Most importantly, ALL adversaries know how to bypass Layer 3 controls. You need to be able to define things with higher fidelity to keep your company secure.

Layer 7 is much more specific. It is where information is evaluated based on the actual application that is being used (for example, identifying Facebook as a unique application rather than as traffic running across ports 80 and 443).

While at Forrester, I created a five-step methodology for a Zero Trust network. The fourth step states that you need to write policy rules for your segmentation gateway based on the expected behavior of the data and the users or applications that interact with that data. This is what the Palo Alto Networks Next-Generation Firewall, serving as a [segmentation gateway](https://www.paloaltonetworks.com/blog/2019/01/you-want-network-segmentation-but-you-need-zero-trust/) in a Zero Trust environment, allows you to do, and due to the granularity of the policy, it can only be done at Layer 7.
![Old Layer 3 policy model](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/04/Old-Layer-3-500x281.png)

**Applying the Kipling Method Using the Palo Alto Networks Next-Generation Firewall**

Here's how you can apply the Kipling Method when deploying the Palo Alto Networks Next-Generation Firewall, using our revolutionary User-ID, App-ID and Content-ID technologies:

* User-ID becomes a **WHO** statement: "**Who** is accessing a resource?" User-ID is a Layer 7 instantiation of the approximation given by the source IP address. For example, we can grab OUs from Active Directory to pull domain users into a custom User-ID. We can then add things like multifactor authentication (MFA) or the Host Information Profile (HIP) from our GlobalProtect client to enrich the fidelity of the "Who" statement. We can also add MFA to a User-ID and an additional attribute for more granular control.
* App-ID becomes a **WHAT** statement: "**What** application is being used to access the resource?" Palo Alto Networks currently has more than 2800 published App-IDs (visit [Applipedia](https://applipedia.paloaltonetworks.com/) to see the growing list) to be used in building these rules. This means that attackers can no longer use a generic application, such as web services (HTTP/HTTPS), to bypass the security control.
* Content-ID becomes a **HOW** statement: "**How** should the User-ID and App-ID traffic be allowed to access a resource?" Content-ID includes Threat Prevention rules, our advanced intrusion prevention capability; SSL Decryption, so that malicious traffic and stolen data can't hide inside encrypted tunnels; URL Filtering, so that users don't go to malicious or phishing domains; WildFire, our state-of-the-art sandbox technology that redefines the way malware is stopped; and our new DNS Security service, which applies predictive analytics for automated protections to thwart attacks that use DNS.

With these three technologies defining **WHO**, **WHAT** and **HOW** statements, a basic Kipling Method Layer 7 rule can be easily defined and then implemented using our Panorama management system. Additionally, PAN-OS has the ability to add a **WHEN** statement (a time-delineated rule); a **WHERE** statement, which is the location of the resource (this can often be automatically pulled into Panorama via an API); or a **WHY** statement, by reading metadata from a data classification tool and using that in the rule.

![Kipling Method rule with WHO, WHAT, HOW, WHEN, WHERE and WHY columns](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/05/Screen-Shot-2019-05-01-at-10.19.06-AM-500x284.png)

The Kipling Method has been designed to help both business leaders and security administrators define granular Layer 7 policies using the simple who, what, when, where, why and how methodology given to us by Rudyard Kipling. Individuals who have never considered writing firewall policy can easily understand this methodology and help define the criteria necessary to create a rule set for your segmentation gateway.
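To make the Layer 3 versus Layer 7 argument above concrete, here is an added illustration in plain Python. It is not code from this post, nor PAN-OS policy syntax or any Palo Alto Networks code: it models a classic IP/port/protocol rule next to a rule built from the six Kipling statements and evaluates both against constructed flows. The flow fields `user`, `app` and `verdict` stand in for what User-ID, App-ID and Content-ID would supply on a real segmentation gateway; the group name `acme\hr-staff`, the custom App-ID `hr-portal-web`, the site name and the data classification tag are all hypothetical.

```python
"""Layer 3 rule vs. Kipling-style Layer 7 rule, modelled in plain Python.

Added illustration only: not PAN-OS policy syntax or Palo Alto Networks code.
Flow attributes (user, app, verdict, ...) stand in for what User-ID, App-ID
and Content-ID would supply on a real segmentation gateway.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    user: Optional[str] = None        # WHO   (User-ID; None = unidentified)
    app: Optional[str] = None         # WHAT  (App-ID; None = not yet identified)
    verdict: str = "clean"            # HOW   (Content-ID verdict: clean/malicious)
    hour: int = 10                    # WHEN  (hour of day, 0-23)
    site: str = "dc-east"             # WHERE (location of the resource)
    data_class: str = "confidential"  # WHY   (tag from a data classification tool)


@dataclass
class Layer3Rule:
    """Classic rule: source/destination network, port and protocol only."""
    src_net: str
    dst_net: str
    dst_port: int
    proto: str

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src_ip) in ip_network(self.src_net)
                and ip_address(f.dst_ip) in ip_network(self.dst_net)
                and f.dst_port == self.dst_port
                and f.proto == self.proto)


@dataclass
class KiplingRule:
    """Layer 7 rule built from the six Kipling statements."""
    who: frozenset        # identified users/groups allowed
    what: frozenset       # App-IDs allowed (applications, not ports)
    how_block: frozenset  # Content-ID verdicts that override an allow
    when: tuple           # (start_hour, end_hour): inclusive start, exclusive end
    where: frozenset      # resource sites this rule applies to
    why: frozenset        # data classifications this access is justified for

    def matches(self, f: Flow) -> bool:
        start, end = self.when
        return (f.user in self.who
                and f.app in self.what
                and f.verdict not in self.how_block
                and start <= f.hour < end
                and f.site in self.where
                and f.data_class in self.why)


def decide(rules, flow: Flow) -> str:
    """First matching rule allows; everything else is denied (Zero Trust default)."""
    return "allow" if any(r.matches(flow) for r in rules) else "deny"


# Constructed sample policy protecting a hypothetical HR application on 10.2.0.10:443.
L3_POLICY = [Layer3Rule("10.1.0.0/16", "10.2.0.10/32", 443, "tcp")]
L7_POLICY = [KiplingRule(
    who=frozenset({"acme\\hr-staff"}),      # hypothetical AD group via User-ID
    what=frozenset({"hr-portal-web"}),      # hypothetical custom App-ID
    how_block=frozenset({"malicious"}),
    when=(7, 19),
    where=frozenset({"dc-east"}),
    why=frozenset({"confidential"}),
)]

# Constructed flows; every one of them uses the same IP range, port and protocol.
FLOWS = {
    "hr_user_business_hours": Flow("10.1.4.20", "10.2.0.10", 443, "tcp",
                                   user="acme\\hr-staff", app="hr-portal-web"),
    "unidentified_tunnel_over_443": Flow("10.1.9.77", "10.2.0.10", 443, "tcp",
                                         user=None, app="unknown-tcp"),
    "hr_user_malicious_payload": Flow("10.1.4.20", "10.2.0.10", 443, "tcp",
                                      user="acme\\hr-staff", app="hr-portal-web",
                                      verdict="malicious"),
    "hr_user_at_3am": Flow("10.1.4.20", "10.2.0.10", 443, "tcp",
                           user="acme\\hr-staff", app="hr-portal-web", hour=3),
}


def compare(name: str) -> tuple:
    """Return (layer3_decision, layer7_decision) for a named sample flow."""
    f = FLOWS[name]
    return decide(L3_POLICY, f), decide(L7_POLICY, f)


if __name__ == "__main__":
    for n in FLOWS:
        l3, l7 = compare(n)
        print(f"{n:30s} Layer 3: {l3:5s} Layer 7: {l7}")
```

Run as a script, the Layer 3 rule allows all four flows, because from its point of view they are identical: same source range, same destination, same port, same protocol. The Kipling rule allows only the first one; the unidentified tunnel fails the WHO and WHAT checks, the malicious payload is stopped by the HOW check even though user and application are correct, and the 3 a.m. session fails the WHEN check. That gap between the two columns is the point of the post: the fidelity a rule can enforce is bounded by the fidelity of the information it evaluates.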