Understanding Device-ID

Author

Piotr Kaluzny

Head Instructor

Jul 2, 2024

The proliferation of Bring Your Own Device (BYOD) policies and the Internet of Things (IoT) has significantly increased the number and variety of devices connected to enterprise networks. This diversity poses its own security challenges, because a device that cannot be identified cannot be managed or constrained. Palo Alto Networks' PAN-OS includes a feature known as Device-ID that addresses this by letting security policy match on device attributes rather than on addresses alone. In this article, we'll explore what Device-ID is, how it works, and why it is beneficial for your network security infrastructure.

What is Device-ID?

Device-ID is one of the classification engines available on PAN-OS, alongside App-ID, User-ID and Content-ID, and it provides visibility and control over the endpoints that connect through the firewall. This additional context lets you create and enforce policies based on what a device is (its category, vendor, model or operating system) rather than only on its IP address, user, or location. Implementing Device-ID can significantly strengthen your security posture, offering better protection against threats and greater insight into your network's activities.

Key benefits of Device-ID include:

  • Enhanced Visibility – once endpoints are detected and classified, you can view them by attributes such as vendor, model, or operating system, along with the MAC address and other details collected for each device. This lets you see what types of devices are on your network, understand their characteristics, and monitor them more effectively
  • Device Policy Rules – the ability to reference devices or device groups within security policy rules lets administrators implement measures tailored to each device type. For instance, an administrator can create a security policy rule that restricts communication from all printers to a single designated print server without manually identifying and entering their IP addresses; a new printer that is classified as such is covered automatically. This simplifies policy management and keeps each device type within defined boundaries, reducing the risk of unauthorized access or lateral movement from a compromised device
  • Policy Rule Recommendations – based on the device classification, Palo Alto Networks provides policy rule recommendations that define the traffic and protocols each device type is expected to use. These recommendations are updated as device behavior or capabilities change, but they are recommendations: an administrator still has to review and commit them

Device-ID Operations

Device-ID works in conjunction with the Palo Alto Networks IoT Security cloud. IoT Security is a cloud-based service designed to secure the diverse array of IoT devices within a network, and it integrates with PAN-OS to provide the classification that Device-ID relies on, using analytics and machine learning on the traffic metadata the firewall sends it.

Once the firewall sees traffic from endpoints, it generates a special type of log message, Enhanced Application Logs (EALs), which carry detailed metadata about the sessions observed on the network. EALs are forwarded to the logging service and analyzed by the IoT Security cloud, which identifies and classifies each device, learns its behavior patterns, and flags anomalies. The result of that analysis is returned to the firewall as IP address-to-device mappings, and it is these mappings that Device-ID rules match against. Two practical consequences follow: the firewall can only classify endpoints whose traffic actually passes through it, so placement matters, and a device that has not yet been classified will not match any rule that references a device attribute.
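To make the pipeline above and the printer rule from the Device Policy Rules bullet concrete, here is an added Python model of the workflow: session metadata is classified into a device verdict, verdicts are keyed by IP address, and security rules match on device attributes instead of addresses. This is illustrative code written for this article, not PAN-OS code or the IoT Security API; the record fields, the OUI table, the rule format and all addresses are constructed for the example. It also shows two edge cases the text only implies: an endpoint that is never classified falls through to the implicit deny, and an IP address that moves to a different MAC (DHCP churn) does not keep its stale verdict.

```python
"""Toy model of the Device-ID workflow: record -> verdict -> IP mapping -> policy.
Illustrative only; not PAN-OS code and not the real EAL schema."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample records in the spirit of Enhanced Application Logs.
# Field names and values are invented for this example.
SAMPLE_RECORDS = [
    {"src_ip": "10.1.1.20", "src_mac": "00:17:c8:aa:bb:01",
     "dhcp_vendor_class": "ExampleJet Printer", "app": "ipp"},
    {"src_ip": "10.1.1.21", "src_mac": "00:17:c8:aa:bb:02",
     "dhcp_vendor_class": "ExampleJet Printer", "app": "ipp"},
    {"src_ip": "10.1.2.50", "src_mac": "3c:22:fb:00:11:22",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "app": "web-browsing"},
    {"src_ip": "10.1.3.7", "src_mac": "de:ad:be:ef:00:01", "app": "unknown-tcp"},
    # DHCP churn: 10.1.1.21 is later leased to the laptop's MAC, so the old
    # printer verdict for that address must not stick.
    {"src_ip": "10.1.1.21", "src_mac": "3c:22:fb:00:11:22",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "app": "ssl"},
]

# Constructed OUI-to-vendor table, not the IEEE registry.
OUI_VENDORS = {"00:17:c8": "ExamplePrinterCo", "3c:22:fb": "ExampleLaptopCo"}


@dataclass(frozen=True)
class DeviceVerdict:
    mac: str
    category: str
    vendor: str
    os: str


def classify(record: dict) -> Optional[DeviceVerdict]:
    """Derive a verdict from one record; None when the evidence is insufficient."""
    mac = record["src_mac"].lower()
    vendor = OUI_VENDORS.get(mac[:8], "unknown")
    if "Printer" in record.get("dhcp_vendor_class", "") or record.get("app") == "ipp":
        return DeviceVerdict(mac, "printer", vendor, "embedded")
    if "Windows NT" in record.get("user_agent", ""):
        return DeviceVerdict(mac, "laptop", vendor, "Windows")
    return None  # e.g. unknown-tcp from an unregistered OUI stays unclassified


def build_mapping(records) -> Dict[str, DeviceVerdict]:
    """IP -> verdict. A verdict belongs to a MAC, so when an IP shows up with a
    different MAC the stale entry is dropped even if the new record is unclassified."""
    mapping: Dict[str, DeviceVerdict] = {}
    for rec in records:
        ip, mac = rec["src_ip"], rec["src_mac"].lower()
        if ip in mapping and mapping[ip].mac != mac:
            del mapping[ip]
        verdict = classify(rec)
        if verdict is not None:
            mapping[ip] = verdict
    return mapping


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src_device: Optional[dict] = None      # attribute filters, e.g. {"category": "printer"}
    dst_ips: Optional[frozenset] = None    # None means any destination


def device_matches(verdict: Optional[DeviceVerdict], filters: Optional[dict]) -> bool:
    if filters is None:
        return True
    if verdict is None:
        return False  # an unclassified endpoint never satisfies a device filter
    return all(getattr(verdict, k) == v for k, v in filters.items())


def evaluate(rules, mapping, src_ip: str, dst_ip: str):
    """First-match evaluation with an implicit final deny, as on a firewall."""
    verdict = mapping.get(src_ip)
    for r in rules:
        if device_matches(verdict, r.src_device) and (r.dst_ips is None or dst_ip in r.dst_ips):
            return r.name, r.action
    return "implicit-deny", "deny"


PRINT_SERVER = "10.1.9.9"  # constructed address of the designated print server
RULES = [
    Rule("printers-to-print-server", "allow", {"category": "printer"}, frozenset({PRINT_SERVER})),
    Rule("printers-elsewhere", "deny", {"category": "printer"}),
    Rule("laptops-any", "allow", {"category": "laptop"}),
]

if __name__ == "__main__":
    mapping = build_mapping(SAMPLE_RECORDS)
    for ip, v in sorted(mapping.items()):
        print(ip, v.category, v.vendor, v.os)
    print(evaluate(RULES, mapping, "10.1.1.20", PRINT_SERVER))   # allowed
    print(evaluate(RULES, mapping, "10.1.1.20", "10.1.2.50"))    # denied
    print(evaluate(RULES, mapping, "10.1.3.7", PRINT_SERVER))    # unclassified: implicit deny
```

Note that no rule mentions a printer's IP address; the rules name a category, and the mapping built from observed traffic supplies the addresses at evaluation time. The same property is what makes the "restrict all printers to one server" rule from the bullet above resilient to new printers appearing, and it is also why an endpoint the firewall has never seen traffic from is simply not matched.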

Licensing Requirements

To use Device-ID, you need an active IoT Security subscription on the firewall. There are two types of IoT Security subscription:

  1. IoT Security Subscription: the firewall sends its logs to the logging service, which streams them to the IoT Security cloud for analysis and also stores them in a Cortex Data Lake instance
  2. IoT Security – Doesn't Require Data Lake (DRDL) Subscription: the firewall likewise sends its logs to the logging service for analysis by IoT Security, but they are not retained in a Cortex Data Lake instance

Both subscriptions provide the same device classification, behavior analysis, and policy recommendations; the difference is only whether the logs are retained in Cortex Data Lake. Additionally, a device license is required for the firewall to connect to IoT Security, and a logging service license is needed to send logs for analysis.

Don't forget that regular management and updates are essential to keep policies effective. Device-ID rules and recommendations should be reviewed and updated as new device behaviors are observed or when devices gain new capabilities, and a device that is reclassified after a firmware change or a vendor update may stop matching the rules written for its old category.
