{"id":98378,"date":"2019-05-01T06:00:33","date_gmt":"2019-05-01T13:00:33","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=98378"},"modified":"2019-05-01T10:19:32","modified_gmt":"2019-05-01T17:19:32","slug":"network-layers-not-created-equal","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2019\/05\/network-layers-not-created-equal\/","title":{"rendered":"All Layers Are Not Created Equal"},"content":{"rendered":"

 <\/p>\n

How the Principles of Journalism Help Define Zero Trust Policy<\/em><\/strong><\/h3>\n

Everyone knows that in order for a news article, blog post or white paper to have any credibility, a writer needs to cover the \u201cwho, what, where, when, why and how\u201d of the topic. Without covering these things, the reader is left with a partial story. We can credit Rudyard Kipling for clearly defining these journalistic essentials for us:<\/p>\n

 <\/p>\n

I keep six honest serving-men<\/em><\/p>\n

(They taught me all I knew);<\/em><\/p>\n

Their names are What and Why and When<\/em><\/p>\n

And How and Where and Who.<\/em><\/p>\n

 <\/p>\n

-Rudyard Kipling, Just So Stories<\/em>, 1902<\/p>\n

 <\/p>\n

However, the usefulness of this \u201cKipling Method\u201d extends far beyond journalistic best practices. For years, I have used the Kipling Method to help companies define policy and build Zero Trust networks. It ensures that security teams are thorough in their definitions and that anyone, including non-technical business executives, can understand cybersecurity policies due to the simplicity of the approach. Given that the first design principle of Zero Trust is to focus on business objectives, this method is particularly useful.<\/p>\n

 <\/p>\n

Policy at Layer 3 vs. Policy at Layer 7<\/strong><\/p>\n

In order to actually apply the Kipling Method and build a real Zero Trust architecture, you need to understand why it cannot be done with Layer 3 technologies.<\/p>\n

First, what is the difference between Layer 3 and Layer 7? Layer 3 is the layer where information is evaluated based only on IP address, port or protocol. It is severely limited by the lack of information that can be seen. IP addresses can be spoofed. Simple port scans will uncover all the open ports so that the attacker can encapsulate stolen data and exfiltrated across the open port, and the protocol is really just a metadata tag to help the administrator understand the type of traffic that is supposed to be traversing a specific port. Most importantly, ALL adversaries know how to bypass Layer 3 controls. You need to be able to define things with higher fidelity to keep your company secure.<\/p>\n

Layer 7 is much more specific. It is where information is evaluated based on the actual application that\u2019s being used (for example, defining Facebook as a unique application rather than traffic running across ports 80 and 443). While at Forrester, I created a five-step methodology to a Zero Trust network. The fourth step states that you need to write policy rules for your segmentation gateway based on the expected behavior of the data and the user or applications that interact with that data. This is what the Palo Alto Networks Next-Generation Firewall, serving as a segmentation gateway<\/a> in a Zero Trust environment, allows you to do, and due to the granularity of the policy, it can only be done at Layer 7.<\/p>\n

\"\"<\/span><\/div><\/a><\/p>\n

 <\/p>\n

Applying the Kipling Method Using the Palo Alto Networks Next-Generation Firewall<\/strong><\/p>\n

Here\u2019s how you can apply the Kipling Method when deploying the Palo Alto Networks Next-Generation Firewall, using our revolutionary User-ID, App-ID and Content-ID technologies:<\/p>\n