Author: Dr. Philip Cao

In recent weeks, Unit 42 has been analyzing delivery documents used in spear-phishing attacks that drop a custom downloader used in cyber espionage attacks. This specific downloader, Cmstar, is associated with the Lurid downloader also known as ‘Enfal’. Cmstar was named for the log message ‘CM**’ used by the downloader.

Unit 42 is aware of threat actors using two toolkits – MNKit and the Tran Duy Linh toolkit – to produce malicious documents that exploit CVE-2012-0158 in order to implant Cmstar. The Cmstar downloader itself has several unique and interesting features, as well as substantial infrastructure overlap with other tools worth discussing.

Manual Building of Import Address Table

The Cmstar downloader starts by manually building its import address table (IAT), much like shellcode would; however, it uses a rather unique technique. Instead of finding API function names based on their hashed values, this malware enumerates libraries’ export address table (EAT) and searches for the name of the API function the payload needs to load by using a character to offset array. The payload pairs several comma-separated lists of characters with comma-separated lists of numbers. Each list of characters consists of the set found within the API function name the payload seeks to add to its IAT, while the corresponding list of numbers specifies the offset in the function name where those characters should be placed. For example, if the payload has “D,e,A” paired with “0,5,19”, this results in the following mapping:

• “D” at offset 0 in API function name
• “e” at offset 5 in API function name
• “A” at offset 19 in API function name

The payload loads a specific Windows library’s EAT by calling the ImageDirectoryEntryToData API function using the IMAGE_DIRECTORY_ENTRY_EXPORT flag. It then enumerates the library’s EAT to find exported function names by checking each function name for the character and the specific offset. Once found, the payload adds the address for the specific API function to its IAT. For instance, the payload checks the EAT of “wininet.dll” using the comparisons mentioned above to find the address to the “DeleteUrlCacheEntryA” API function. One specific Cmstar payload that we analyzed used the character/offsets seen in Figure 1 to locate the API functions within three different Windows libraries to build its IAT.

Library	Characters	Offsets	Function Name
wininet.dll	D,e,A	0,5,19	DeleteUrlCacheEntryA
	e,O,A	3,8,12	InternetOpenA
	e,C,A	3,8,15	InternetConnectA
	p,O,A	3,4,15	HttpOpenRequestA
	p,S,A	3,4,15	HttpSendRequestA
	p,E,A	3,4,14	HttpEndRequestA
	p,Q,A	3,4,13	HttpQueryInfoA
	e,R,e	3,8,15	InternetReadFile
	e,C,e	3,8,18	InternetCloseHandle
advapi32.dll	S,V,A	3,6,13	RegSetValueExA
	C,s,y	3,6,10	RegCloseKey
	O,K,A	3,7,12	RegOpenKeyExA
	D,K,A	3,9,12	RegDeleteKeyA
	D,V,A	3,9,14	RegDeleteValueA
	U,r,A	3,6,11	GetUserNameA
	v,t,S	3,6,12	ConvertSidToStringSidA
	k,A,A	3,6,17	LookupAccountNameA
kernel32.dll	W,E,c	0,3,6	WinExec
	C,M,A	0,10,17	CreateFileMappingA
	U,V,e	0,5,14	UnmapViewOfFile
	M,O,e	0,7,12	MapViewOfFile

Figure 1. Character and Offset Pairs Found in Cmstar Payload and the Resulting API Function Names

Cmstar Behavior

After manually creating the IAT, Cmstar decrypts its configuration, several encrypted strings, and a piece of shellcode. The embedded configuration contains nothing more than a URL that Cmstar uses as its command and control (C2) location. The encrypted strings within the Trojan include fields used within the HTTP requests that Cmstar will create to communicate with its C2 server, as well as additional strings used to interact with the registry. The Cmstar sample associated with the MNKIT delivery document creates the following registry key to automatically execute at system startup:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xpsfiltsvcs: “rundll32.exe
• C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xpsfiltsvcs.dll,XpsRegisterServer”

Unit 42 found an additional encrypted registry key that would allow Cmstar to automatically start up after reboots. However, the code does not decrypt, reference, or use the following registry key in any way, which suggests that the malware author left this artifact in the code after swapping to the run key listed above:

• HKCU\Software\Microsoft\CTF\LangBarAddIn

Cmstar also decrypts a 752-byte piece of shellcode that carries out communications with the C2 server, specifically by sending HTTP POST requests to the following URL:

• http://happy.launchtrue[.]com:8080/cgl-bin/update.cgi

It should be noted that the C2 URL contains the string ‘cgl-bin’, which visually resembles the common cgi-bin folder used by many webservers to run server-side scripts. Unit 42 used the Palo Alto Networks AutoFocus threat intelligence service to locate additional samples using the ‘cgl-bin’ string within URLs of HTTP requests and found several samples of the Cmwhite tool associated with the LURID/Enfal downloader¹, as seen in Figure 2.

 

Figure 2. Cmwhite Tools Using “cgl-bin” within HTTP Requests

Cmstar’s HTTP POST requests sent to ‘happy.launchtrue[.]com’ contain data that the Trojan gathers from the infected machine that has the following structure:

<Windows Version number>@@<CPU Architecture (2 for x64, 1 for x86)>??<boolean for elevated privileges>]]**<boolean if antivirus processes are found>!!<static version string>==

In one example, Unit 42 observed the following data within an analysis environment, which was then encrypted using a single-byte XOR algorithm and a key of 0x45 before being sent to the C2 server:

510@@1??1]]**0!!150316o==

Helpfully, the malware author writes log messages to the ‘DF64159.TMP’ file, used for debugging purposes throughout the execution of the Cmstar downloader. The log messages are abbreviated strings that describe specific activities during the execution of the code. For instance, the downloader uses the CreateMutex to create a mutex named ‘{53A4988C-F91F-4054-9076-220AC5EC03F3}’ to determine if another instance of the code is running. If the downloader determines another instance of itself is running, the code writes the string ‘CM**’ – which happens to be the basis for the name of the Trojan – to the log file. Unit 42 created a Yara signature to detect Cmstar samples based on these debugging strings, which is available in the appendix.

Hashing Process Names

As mentioned in the behavioral analysis section, the Cmstar downloader gathers system-specific information to send to the C2 server. One such piece of information is the existence of specific running processes. Many malware families and tools check for the existence of antivirus, but the Cmstar tool does so in a clever way. Rather than including a list of strings of associated processes, Cmstar enumerates the running processes and subjects these process names to a hashing algorithm. The results of this algorithm are then compared against three static values: 0x1E00AFA, 0xBEE091E8 and 0xD46FCDFA. Unit 42 reverse engineered the algorithm and created the function seen below to generate hashes in order to determine the processes Cmstar is trying to find:

Unit 42 found that the string ‘avp’ subjected to the algorithm above results in the value 0x1E00AFA, which suggests the Cmstar sample specifically looks for Kaspersky’s Anti-virus product (avp.exe) running on the compromised system. If the Trojan finds processes whose hash matches the three values mentioned earlier, it sets a boolean value (the character ‘1’) within the data sent to the C2 server and continues carrying out its functionality. Rather than altering its activities, Cmstar only notifies the C2 server if a system is running one of these processes, suggesting that the threat actors might employ this technique as a filtering mechanism to ignore analysis systems and researchers.

Threat Infrastructure

In order to determine the intrusion set involved with the Cmstar, Unit 42 enumerated infrastructure used by the downloader for its C2 servers. The related infrastructure chart in Figure 3 shows a rather large cluster of related entities with one small set of entities that do not share any related entities with the larger cluster.

Figure 3. Infrastructure and Entites Related to Cmstar

As seen in the chart above, the C2 domain ‘happy.launchtrue[.]com’ was originally registered using the email address ‘WANGMINGHUA6@GMAIL[.]COM’. When Unit 42 used the Palo Alto Networks AutoFocus threat intelligence service to locate additional Cmstar samples, we found several with C2 domains that also had the same original registrant:

• links.dogsforhelp[.]com
• three.earewq[.]com
• question.eboregi[.]com
• here.pechooin[.]com
• sarey.phdreport[.]com
• bakler.featurvoice[.]com

The only known Cmstar C2 domain not initially registered by the email address was help.ubxpi0s[.]com. Further analysis revealed that additional domains related to Cmstar C2 domains were also originally registered using the email address ‘WANGMINGHUA6@GMAIL[.]COM’ and updated to the current information within a few days. In addition, this was the original registrant for C2 domain used in our Google Code blog², indicating this registrant email is likely a re-seller, and/or someone who initially sets up infrastructure for particular APT threat actors.

• forever.cowforhelp[.]com
• question.shiesiido[.]com
• endline.biortherm[.]com
• right.marubir[.]com
• baby.brabbq[.]com
• lind.kruptcy[.]com

The rest of the domains related to the Cmstar infrastructure did not use the original registrant noted above, but instead kept the same information initially used to register them. The difference in domain registration patterns could indicate threat actor preference, or could indicate there are at least two groups using this malware whose infrastructure at times overlaps.

• under.suttgte[.]com
• help.ubxpi0s[.]com
• finally.basiccompare[.]com
• crystal.diskfunc[.]com
• queenfansclub[.]com
• novnitie[.]com
• flash-vip[.]com
• replyfunt[.]com
• natcongress[.]com
• keep.regebky[.]com
• love.regebky[.]com

Interestingly, the updated registrant information (or original, in the cases where it wasn’t changed) for all of the C2 domains in this blog has also been used to register scam sites, most purporting to sell knock-off designer products like shoes, software, or cell phones.  The contact emails and contact names can vary, but the address is re-used. Blue Coat noted this pattern as well in a blog published late last year, which also noted the  ‘WANGMINGHUA6@GMAIL[.]COM’ registrant email.³ It is not known whether the threat actors conducting the malicious activity are also behind the scam sites.

 Conclusion

The Cmstar tool has several interesting features, including a previously unseen method of manually creating its import address table using an API function name character to offset mapping techniques, and a hashing algorithm used to find antivirus processes on an infected system. Both of these features are noteworthy and may provide the ability to correlate future tools to the same group and/or malware authors.

The URL used by Cmstar to communicate with its C2 server, as well as significant infrastructure overlap, show a direct relationship between the Cmstar downloader, Lurid/Enfal and Cmwhite tools. In a majority of the cases, threat actors using the Cmstar downloader initially register the C2 domains using the email address ‘WANGMINGHUA6@GMAIL[.]COM’ and later change the registration information to include a different email address. Unit 42 cannot positively confirm that the threat actors control the ‘WANGMINGHUA6@GMAIL[.]COM’ email address, or if the email address belongs to a reseller that the threat actors buy domains from to create their infrastructure; however, we do believe this is an interesting TTP worth tracking in future infrastructure enumeration.

1. THE “LURID”DOWNLOADER – Nart Villeneuve and David Sancho –http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf
2. Attacks on East Asia using Google Code for Command and Control – Jen Miller-Osborn and Rob Downs — http://researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-google-code-command-control/
3. Linking APTs from 2011 and 2014 to an Active Scam Network – Kiel Wadner – https://www.bluecoat.com/security-blog/2014-10-08/linking-apts-2011-and-2014-active-scam-network

 Appendix

Known Cmstar Downloaders

Filename: xpsfiltsvcs.tmp
SHA256: 239a25ac2b38f0be9392ceeaeab0d64cb239f033af07ed56565ba9d6a7ddcf1f
C2: links.dogsforhelp.com

Filename: xpsfiltsvcs.tmp
SHA256: 6b557c22ab12e8ea43d29e4f9f8a9483e3e75cd41338a674c9069b6dacdf7ba7
C2: question.eboregi.com

Filename: xpsfiltsvcs.tmp
SHA256: 7ade616a8f1750cecba944a02e2bce1340b18a55697b29f721ccc4701aadba6e
C2: links.dogsforhelp.com

Filename: xpsfiltsvcs.tmp
SHA256: 88184983733f4d4fa767ad4e7993b01c5754f868470dd78ac1bad2b02c9e5001
C2: here.pechooin.com

Filename: xpsfiltsvcs.tmp
SHA256: b9d597aea53023727d8564e47e903b652f5e98a2c32bdc23bc4936448fb2d593
C2: question.eboregi.com

Filename: xpsfiltsvcs.tmp
SHA256: e0b3cc07d3a9b509480b240368dee2a29713ea1e240674c0ccf610c84810a7c5
C2: question.eboregi.com

Filename: xpsfiltsvcs.txt
SHA256: f4b8f71c0e10a345a855763e01033e2144e949c8f98c271755cc025e3f55b7da
C2: three.earewq.com

Filename: xpsfiltsvcs.tmp
SHA256: 2e00a98212c5a2015d12612f0d26039a0c2dfee3e1b384675f613e683f276e02
C2: bakler.featurvoice.com

Filename: xpsfiltsvcs.dll
SHA256: 42ed2edc37b957266ff7b02955a007dd82d955c09ef7be23e685d938e40ad61d
C2: turber.xoxcobbs.com

Filename: xpsfiltsvcs.dll
SHA256: 9b9cc7e2a2481b0472721e6b87f1eba4faf2d419d1e2c115a91ab7e7e6fc7f7c
C2: happy.launchtrue.com

Filename: xpsfiltsvcs.tmp
SHA256: a330c52b7643de9d8be51a4ae0150b7b8390dbabaea9704069694835fbd3298e
C2: three.earewq.com

Filename: xpsfiltsvcs.tmp
SHA256: a8fa487d9f2152738bf49c8c69e8a147aae55c06f37c7e25026a28f21601ad7f
C2: sarey.phdreport.com

Filename: xpsfiltsvcs.tmp
SHA256: c99c0b37f2fd64fa523d39c35ead6416a684ae203ae728feb5feff8490eb902c
C2: help.ubxpi0s.com

Filename: xpsfiltsvcs.tmp
SHA256: d541280b37dd5e2101cc5cd47b0991b8320714f5627b37646330136cddef0c23
C2: three.earewq.com

Filename: coyote_load.dll
SHA256: adb05c1eecd789582886b3354b53831df9c9a06e891bb687633ee7ce21417edc
C2: bakler.featurvoice.com

Delivery Documents Installing Cmstar

Filename: Какая реформа армии нужна Украине.doc (What is needed reform of the army Ukraine.doc)
MD5: 76ffb9c2d8d0ae46e8ea792ffacc8018
SHA256: c26c67eac20614038aaadfda19b604862926433333893d65332928b5e36796aa
Type: MIME entity text
Toolkit: MNKit
Author: User123
Last Saved By: User123
Created: 2012-05-01T14:08:00Z
Modified: 2012-05-01T14:12:00Z

Filename: запуск ракеты-носителя Союз.doc (launch of the carrier rocket Soyuz.doc)
MD5: 6fdeadacfe1dafd2293ce5c4e178b668
SHA256: e39b0e777ef0135c1f737b67988df70c2e6303c3d2b01d3cdea3efc1d03d9ad9
Type: Microsoft Office Word 97-2003 Document
Toolkit: Tran Duy Linh
Created: 2012:11:23 04:35:00
Modified: 2012:11:23 04:39:00
Company: DLC Corporation

Filename: РФ_КНР_сельское_хозяйство.doc (RF China Agriculture and Economy.doc)
MD5: 9da10a36daf845367e0fc2f3e7e54336
SHA256: a0aeb172a72442d2c2c02e1d32b48accb9975c4da7742df24d9350a8ccd401f2
Type: Microsoft Office Word 97-2003 Document
Toolkit: Tran Duy Linh
Created: 2012:11:23 04:35:00
Modified: 2012:11:23 04:39:00
Company: DLC Corporation

Filename: Ерөнхий сайд асан Н.Алтанхуягийг шалгаж эхэлжээ.doc (Former Prime Minister started to check with their lethargy.doc)
MD5: f7d47e1de4f5f4ad530bca0fc080ea53
SHA256: 4883286b8229a2c43db17eb1e1c5bd79d1933e840cdfedff80d5b99a84c9e39f
Type: Microsoft Office Word 97-2003 Document
Toolkit: Tran Duy Linh
Created: 2012:11:23 04:35:00
Modified: 2012:11:23 04:39:00
Company: DLC Corporation

Filename: запуск ракеты-носителя Союз.doc (launch of the carrier rocket Soyuz.doc)
MD5: 6fdeadacfe1dafd2293ce5c4e178b668
SHA256: e39b0e777ef0135c1f737b67988df70c2e6303c3d2b01d3cdea3efc1d03d9ad9
Type: Microsoft Office Word 97-2003 Document
Toolkit: Tran Duy Linh
Created: 2012:11:23 04:35:00
Modified: 2012:11:23 04:39:00
Company: DLC Corporation

MD5: 5aeb8a5aa8f6e2408016cbd13b3dfaf0
SHA256: df34aa9c8021f1f0bdf33249908efc4a9628941453ad79b281b3a46bf9a7f37f
Type: Microsoft Office Word 97-2003 Document
Toolkit: Tran Duy Linh
Created: 2012:11:23 04:35:00
Modified: 2012:11:23 04:39:00
Company: DLC Corporation

Filename: Путины урилга.doc (Putin’s invitation.doc)
SHA256: 45027d11ab783993c413f97e8e29759d04b04564f8916f005f5c632f291697bb
Type: Microsoft Office Word 97-2003 Document
Toolkit: Tran Duy Linh
Created: 2012:11:23 04:35:00
Modified: 2012:11:23 04:39:00
Company: DLC Corporation

MD5: 46bf922d9ae07a9bc3667a374605bdbb
SHA256: 7dc78caf515d1d3d2b84be7c023ccbd0b4fd670a42babcbcbd5a5ba65bbdd166
Type: Microsoft Office Word 97-2003 Document
Toolkit: Tran Duy Linh
Created: 2012:11:23 04:35:00
Modified: 2012:11:23 04:39:00
Company: DLC Corporation

Filename: Армия-2015.doc (Army-2015.doc)
MD5: 783a423f5e285269126d0d98f53c795b
SHA256: 5b338decffe665a2141d1079c32b2d612057d1fdbfddf198cc28003dae7f0516
Type: Microsoft Office Word 97-2003 Document
Toolkit: Tran Duy Linh
Created: 2012:11:23 04:35:00
Modified: 2012:11:23 04:39:00
Company: DLC Corporation

Filename: С днём 70 лет победы.doc (Happy 70 years of victory.doc)
MD5: 510b3272342765743a202373261c08da
SHA256: 0a10d7bb317dceccd05d18408fd6b8b12c784910e5f7e035ee22c2c5d7e4cbf5
Type: Microsoft Office Word 97-2003 Document
Toolkit: Tran Duy Linh
Created: 2012:11:23 04:35:00
Modified: 2012:11:23 04:39:00
Company: DLC Corporation

Filename: new resume.doc
MD5: c5ae7bd6aec1e01aa53edcf41962ac04
SHA256: 87bcc6d18c6a81d92d826b232703dee84b522bd1d0cae56f74bcf58fdca0930e
Type: Microsoft Office Word 97-2003 Document
Toolkit: Tran Duy Linh
Created: 2012:11:23 04:35:00
Modified: 2012:11:23 04:39:00
Company: DLC Corporation

MD5: 3d41e3c902502c8b0ea30f5947307d56
SHA256: b65dd4da9f83c11fcb5beaec43fabd0df0f7cb61de94d874f969ca926e085515
Type: Microsoft Office Word 97-2003 Document
Toolkit: Tran Duy Linh
Created: 2012:11:23 04:35:00
Modified: 2012:11:23 04:39:00
Company: DLC Corporation

Filename: Центр-2015.doc (Center-2015.doc)
MD5: 94499ff857451ab7ef8823bf067189e7
SHA256: 671dfc4d47a43cf0bd9205a0f654dcd5050175aef54b69388b0c5f4610896c6a
Type: Microsoft Office Word 97-2003 Document
Toolkit: Tran Duy Linh
Created: 2012:11:23 04:35:00
Modified: 2012:11:23 04:39:00
Company: DLC Corporation
Related Cmwhite Tools

MD5: 3fff0bf6847d0d056636caef9c3056c3
SHA256: 13c1d7eb2fd64591e224dec9534d8252f4b91e425e8f047b36605138d15cbf2d
C2: stone.timmf.com

MD5: 30a6c3c7723fe14c4b6960fa3e4e57ba
SHA256: ab934c6177be0fdc3b6dfbf21f60ce7837a30e6599dcfb111b43008c75ceb91f
C2: xphome.mailru-vip.com
C2: error.yandex-pro.com

MD5: e0417547ba54b58bb2c8f795bca0345c
SHA256: 1cf44815f9eb735e095f68c929d5549e0ebc44af9988cccaf1852baeb96bb386
C2: dns.thinkttun.com

MD5: d05f012c9c1a7fb669a07070be821072
SHA256: a37f337d0bc3cebede2039b0a3bd5afd0624e181d2dcc9614d2f7d816b5a7a6b
C2: help.redhag.com
C2: mssage.hotoicq.com
C2: new.hoticq.com

Cmstar Yara Rule

[Palo Alto Networks Blog]

 

Over the last few years, we’ve increasingly seen a number of products claiming to be “next-generation.” This message is now so frequently used, it’s difficult to really understand whether the message has gotten lost in the technology or vice versa. What makes something “next-generation”?

To quote from my favorite college-unapproved secondary source, Wikipedia, which takes their definition for Next-Generation Firewalls from this article written by Eric Geier of eSecurity Planet:

“A Next-Generation Firewall (NGFW) is an integrated network platform that combines a traditional firewall with other network device filtering functionalities such as an application firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS) and/or other techniques such as SSL and SSH interception, website filtering, QoS/bandwidth management, antivirus inspection and third-party integration (i.e.Active Directory).”

From this definition, next-generation products appear to be those that are natively built within the same platform or device, can identify applications regardless of port or protocol,operate in Layer 7, and can integrate with other software that maps IP addresses to actual users on the network.

But this brings me to my next question: What’s the difference between traditional IPS and “next-generation” IPS, or NGIPS for short?

The description above would indicate that NGIPS is part of a next-generation security platform, sharing context-aware features with the firewall, such as application and user awareness, improved threat prevention performance, and log correlation. In short, they’re much better than traditional IPS at understanding malicious traffic.

NSS Labs has designed a test for NGIPS products, which Palo Alto Networks participated in recently. In their methodology overview, NSS sets forth this requirement for NGIPS devices:

“…next generation intrusion prevention systems (NGIPS) must provide organizations the ability to identify both the applications and the users on their internal networks.”

The importance of application and user awareness is paramount, as these are what basically turn an IPS into an NGIPS.

First off, it helps to enforce application- and user-specific policies. For example, JDoe should have access to this application but only in these specific ways — anything outside this is prohibited. An NGIPS can help you do this.

Secondly, application and user awareness make heuristics much more useful. These features make your IPS smarter so that it knows what “normal” traffic looks like for each application, and alerts you to anything that falls outside that pattern.

Any vendor who boasts an NGIPS product must be able to employ these features realistically for the customer. This means providing NGIPS capabilities while maintaining performance that reasonably fits the customer’s throughput needs, and doesn’t sacrifice 80 to 90 percent of throughput when these “next-generation” features are turned on. You can’t claim to be serious about security and promote these features if customers can’t really use them in a meaningful way.

Although the platform component is a key improvement in intrusion prevention, as it effectively consolidates multiple security features and makes them easier to deploy and manage, not every customer in the market for IPS necessarily needs all of these bells and whistles.

Internal IPS deployments are sometimes stand-alone, segmenting the network or protecting data centers. These stand-alone deployments are where “next-generation” features like application and user awareness are most needed.

In today’s world of devious attackers and sophisticated threats, hiding in plain sight – within the very applications that enable businesses to become more productive – is a tactic cyber criminals are using to successfully infiltrate organizations. Only a smart IPS, one that’s truly “next-generation,” is equipped to prevent these threats and level up enterprise security.

Kate Taylor

[Palo Alto Networks Blog]

One of my roles in the company is to participate in our regular new hire training, and in our last session, I was asked a question that I had never been asked before. The question was, “What is the coolest feature in your product that not everyone knows about?” While there are many, many very cool features in our product, without hesitation I told them that it is actually a combination of three features that allow customers to collect external data and use it to automate firewall deployment and policy updates.

Let me explain.

To be specific, the three cool features I am referring to are the XML API, Dynamic Address Groups (DAG) and Virtual Machine Monitoring (VM-Monitoring). They are standard PAN-OS features and are supported in both our virtualized and appliance-based form factor firewalls. I believe the reason users don’t know about them is that they see these three features as being primarily applicable to managing the dynamic nature of virtualized environments, ensuring that security keeps pace with business.

But the best-kept secret around these features is that they are equally valuable when used with our appliance form-factor firewalls. Just think about the external data sources that you may refer to regularly and then use (manually) to manage your network security. Now imagine if there was a way to automate those tedious, day-to-day tasks. You understand the value these features might provide.

It’s true that they are invaluable in a virtualized environment because they facilitate two forms of automation:

1. They help automate the provisioning of a VM-Series firewall so that when new virtual machines are created, our next-generation firewall can be deployed simultaneously.
2. They bring a sense of order to policy chaos by updating policies dynamically as virtualized and hardware form-factor workloads are added, changed or removed.

In a virtualized environment, change is common and happens rapidly. But often security, as part of a set of best practices, follows a more rigid change control process that may mean delays. Therefore, the value of these three features is they allow security to keep pace with the speed of change in virtualized environments. You can preserve the flexibility of a virtualized environment and ensure important security updates get made just as rapidly. Here are two other examples of how these features solve a variety of challenges using our appliances:

• Automating the deployment of hundreds of physical firewalls: Imagine the challenge of deploying our firewall appliance to hundreds of remote locations, quickly, consistently and cost-effectively. The solution for this customer was a strict adherence to IP addressing on the networking side that they mapped to named objects in PAN-OS such as “External_IP”, “Wireless_network”, and “Wired_workstations”. The objects are then used in Panorama Templates and the IP addresses are dynamically provisioned, greatly simplifying firewall deployment. One of our firewalls is sent to the remote location, they are connected to the network and Panorama is used to deliver the configuration via a Template. Device Groups are then used to complete the setup.

• Enabling policy creation that accompanies IT asset allocation: In another example of how these three features can enable dynamic policy updates, a customer is integrating our firewall with their IT ticketing solution (ServiceNow) as a means of generating policy updates as new IT assets are deployed. In this scenario, the new asset (PC, Workstation, Laptop) IP address is harvested and pulled into the firewall as part of the policy update.

Most security professionals have too many things to do in a single day. The ability use the XMP API, DAG and VM-Monitoring to tie our enterprise security platform, both virtualized or physical form-factor, into external data sources as a means of automating what are normally manual and time consuming tasks is a wickedly cool feature.

Got a cool example of how you use any of these features? Comment and let us know.

Matt Keil

[Palo Alto Networks Blog]