Tuesday, April 23, 2013

Palo Alto Networks and PAP

Firewalls, Evolved

It is no secret that Unified Threat Management (UTM), or the Palo Alto Networks Next Generation Firewall (NGFW) model, is the clear winner for the current generation of firewalls on the market.  If you are still only using your firewall to block ports, implement stateful packet inspection and support VIP rules, you are behind the times!  Inspecting egress traffic for known bad URLs and IP addresses, blocking sites based on policy groups and controlling which features of online applications users can reach are must-haves these days.

Palo Alto Networks

Started in, no surprise, Palo Alto, California in 2005, this company set out to flip the firewall world on its head.  When a group of engineers at Juniper were turned down on their request to spin up a division researching the future of firewall technology, they took their ideas and left.

Skip ahead to July 2012, when we witnessed one of the most successful network hardware IPOs in over a decade unfold before our eyes, proving that the UTM/NGFW firewall model was not only a great idea but here to stay.

What's in a password transmission protocol?

Password Authentication Protocol (PAP) was introduced in 1992 as part of RFC 1334, which addressed authentication for Point-to-Point Protocol (PPP) links between networks.  The RFC states explicitly that PAP is not a strong authentication method: the password crosses the link in the clear.  It further recommends that implementations prefer CHAP and attempt PAP only as a fallback.  However, the simplicity of implementing PAP has allowed it to persist in our authentication servers for many years.

It was not until Windows Vista (released in 2007) and Windows Server 2008 (released in 2008) that Microsoft dropped several legacy PPP authentication methods from its remote access stack, leaving PAP as an option that has to be turned on deliberately rather than one offered by default.  Finally!  A protocol that was superseded within its own RFC by CHAP, and since then by no fewer than ten other open and proprietary authentication methods (see MS-CHAP, EAP, PEAP, EAP-TLS, EAP-TTLS, etc.), was, for practical purposes, dead at last.

Palo Alto and RADIUS

Establishing a RADIUS server connection from a Palo Alto Networks firewall is a pretty routine affair.  You set up a shared secret on the RADIUS server, register the IP address of the firewall's management interface as a RADIUS client, and then tie your network policies and rule checks to it.  Simple, right?  So what happens when every login keeps failing to authenticate?  I was able to connect, but kept getting errors that no policy matched the requests coming from the Palo Alto.  The reason?  The authentication protocol never matched a rule.  So which protocol should I use?  A quick call to Palo Alto Networks support answered that: use PAP for all RADIUS requests from a Palo Alto Networks firewall to any RADIUS server.

It worked!  Using PAP did in fact solve my support issue.  However, it opened up another concern:

Why is Palo Alto Networks - the network firewall company founded in 2005 - using an authentication protocol that has been deprecated before the company even existed?
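To make the concern concrete, here is what a PAP login looks like once it is wrapped in RADIUS. This is an added example, not code from the original post or from Palo Alto Networks; the user name, password, shared secret and the NAS address 192.0.2.10 are constructed values. One caveat a practitioner should know: RFC 2865 does not put the PAP password on the wire in the clear. The User-Password attribute is XORed with an MD5 chain keyed by the shared secret and the request's random authenticator, which hides it from a casual sniffer. The only key material is the shared secret, though, so anyone who captures a single Access-Request can test candidate secrets offline, and once one decrypts to a plausible password, that secret unlocks every password it ever protected. The example shows both sides of the exchange and that offline attack; the practical mitigations are a long random shared secret and carrying RADIUS inside IPsec or RADIUS/TLS (RFC 6614) whenever PAP cannot be avoided.

```python
"""RADIUS Access-Request carrying a PAP password (RFC 2865): client side,
server side, and the offline secret-guessing attack a capture enables.
Added example with constructed values; not code from the post or from PAN."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to a 16-byte multiple, then XOR each block
    with an MD5 chain keyed by the shared secret and the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def _unhide_raw(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password, padding left in place (needed by the attacker)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        cipher = hidden[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(cipher, block))
        prev = cipher
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """What the server (or anyone else holding the secret) recovers."""
    return _unhide_raw(hidden, secret, req_auth).rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        attrs[attr_type] = blob[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier, username, password, secret, req_auth=None):
    """What a NAS (here, the firewall's management plane) sends for a PAP login."""
    req_auth = req_auth or os.urandom(16)  # must be unpredictable in real use
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
             + encode_attr(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])))  # constructed NAS IP
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + req_auth + attrs


def server_authenticate(packet, secret, user_db):
    """Toy RADIUS server: unhide the password, check it, and sign the reply with
    Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    _, identifier, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, identifier, 20)  # no reply attributes
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response, req_auth, secret):
    """Client-side check that the reply came from a holder of the shared secret."""
    header, resp_auth = response[:4], response[4:20]
    return hashlib.md5(header + req_auth + secret).digest() == resp_auth


def recover_secret(packet, candidate_secrets):
    """Eavesdropper's view: the hiding is keyed only by the shared secret, so one
    captured request lets an attacker test candidates offline. A wrong secret
    yields random bytes; the right one yields printable text plus NUL padding."""
    _, _, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    for secret in candidate_secrets:
        raw = _unhide_raw(attrs[ATTR_USER_PASSWORD], secret, req_auth)
        stripped = raw.rstrip(b"\x00")
        if stripped and all(0x20 <= c < 0x7F for c in stripped):
            return secret
    return None


if __name__ == "__main__":
    SECRET = b"radius123"                   # constructed and deliberately weak
    USERS = {b"fwadmin": b"Winter2013!"}    # constructed
    req = build_access_request(7, b"fwadmin", b"Winter2013!", SECRET)
    resp = server_authenticate(req, SECRET, USERS)
    print("accepted:", resp[0] == ACCESS_ACCEPT,
          "reply genuine:", verify_response(resp, req[4:20], SECRET))
    print("secret recovered from one capture:",
          recover_secret(req, [b"password", b"secret", b"radius", b"radius123"]))
```

The server and client halves are real RFC 2865 logic; the password hiding is also what PAN-OS necessarily does if it speaks PAP to RADIUS, since that is the only encoding the RFC defines. The attacker half is the point: with the weak constructed secret and a four-word list, one captured packet is enough to read the administrator password, and no amount of strength in the user's password helps.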

I have since put in several support tickets and discussed this issue with my assigned Sales and SE representatives from Palo Alto.  While everyone agrees this is extremely insecure, especially for a Firewall company, they always note that there is no current interest in fixing the issue.

If this is disconcerting to you, I suggest you contact your Sales and SE peeps at Palo Alto and demand, as I have, to have this glaring oversight fixed.