15. Use case - Outbound Traffic Protection with URL Filtering
[Figure: Acme Dev Cluster with the Acme-Dev-ns and Acme-Staging-ns namespaces spread across three nodes, with outbound traffic to Github.com/PaloAltoNetworks]
Source   | Destination | Application     | Action | Profile
Jenkins  | Any         | Github-download | Allow  | Only Palo Alto Repo
Web App  | Any         | Any             | Allow  | Any Repo
19. Use case - Outbound Traffic Protection with Anti-Malware
[Figure: Acme Dev Cluster with the Acme-Dev-ns and Acme-Staging-ns namespaces spread across three nodes]
Source                | Destination | Application | Action | Vulnerability Protection
Nginx (with Graboid)  | Any         | Any         | Allow  | Strict
Now, network security is not the be-all and end-all of container security. Prisma Cloud provides a comprehensive toolset for securing cloud-native apps, including features that deliver governance, compute security and workload protection, and identity security.
As you can see, CN-Series rounds out the Network Protection pillar with its Layer 7 threat protection capabilities.
When it comes to network security, micro-segmentation (and segmentation in general) is only part of the picture.
To illustrate this point, let’s think about how we secure airports. In an airport, we install cameras so that the security team can see everything that’s going on. In the network security world, security cameras are akin to network visibility. They’re ideal for reactive investigative work after an incident has already taken place, but they’re most likely not going to help stop the incident from happening in the first place.
A more proactive security measure is issuing every traveler a boarding pass. Boarding passes dictate where a traveler is allowed to go, just like micro-segmentation dictates where traffic can flow in an enterprise network. But boarding passes alone aren’t enough to prevent threats from getting into the airport or onto planes. A boarding pass has no concept of whether or not I’m carrying a weapon onto the plane.
That’s why airport security uses metal detectors at strategic parts of the airport, forcing travelers through a deeper level of inspection for threats. This is the role that next-gen firewalls play in internal network security, as well.
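To make the boarding-pass point concrete for the Jenkins use case on slide 15, here is an added example of what Kubernetes micro-segmentation alone can express. It is not taken from the deck or from Palo Alto Networks; the policy name, the pod label app: jenkins, the kube-dns labels and the excluded private range are assumptions for illustration, while the namespace name comes from the slide.

```yaml
# Added example (not from the original deck): a Kubernetes NetworkPolicy that
# limits the Jenkins pods in acme-dev-ns to outbound HTTPS plus DNS.
# This is the "boarding pass": it decides where traffic may go at L3/L4.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: jenkins-egress-https-only   # hypothetical policy name
  namespace: acme-dev-ns            # namespace from the slide's diagram
spec:
  podSelector:
    matchLabels:
      app: jenkins                  # assumed label on the Jenkins pods
  policyTypes:
  - Egress
  egress:
  # Allow DNS to the cluster resolver so github.com can be resolved
  # (the kube-dns labels are the common defaults and are assumed here).
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
  # Allow HTTPS to any external address. This is as precise as L3/L4 gets:
  # the policy cannot tell github.com/PaloAltoNetworks apart from any other
  # repository, or any other site, on TCP/443.
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8                # constructed example: keep the rule off the private range
    ports:
    - protocol: TCP
      port: 443
```

Everything the slide's Profile column expresses (Application = Github-download, Profile = Only Palo Alto Repo) is invisible at this layer, because the repository name lives in the URL of an encrypted HTTPS session. That is the "metal detector" role of the CN-Series rule: the flow is still allowed, but it is decrypted and inspected so the URL filtering profile can restrict the destination to the one repository. The same division of labour applies to the slide 19 case: segmentation lets the Nginx pod talk outbound, and only the Strict vulnerability protection profile on the allowed session has a chance of catching the Graboid activity.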
Palo Alto Networks offers a suite of products:
PCC (Prisma Cloud Compute): vulnerability management for containers in your CI/CD pipeline before they are deployed, plus runtime threat analytics on the host.
Aporeto: reduces the scope of lateral movement within your infrastructure by minimizing allowed connections, so that when an unpatched asset is compromised, the spread of the attack is contained.
NGFW: threat analytics for allowed connections at your network trust boundaries. Example: enforcing egress controls for traffic leaving your Kubernetes cluster or VM environment. This is how both PayPal and Comcast combine NGFW with Aporeto's capabilities.
CN-Series can be deployed in self-managed Kubernetes environments hosted on-prem or in the public cloud. This includes Red Hat OpenShift environments as well.
It can also be deployed into managed Kubernetes environments offered by cloud service providers, including Google Kubernetes Engine, Amazon's Elastic Kubernetes Service and Azure Kubernetes Service.
For an exhaustive list of supported environments, versions, and operating systems, reference the CN-Series data sheet.