Palo Alto Networks Jumpstart
pvonwallenberg@paloaltonetworks.com
+49.172.5118275
About Palo Alto Networks
We are the network security company
• World-class team with strong security and networking experience
- Founded in 2005, first customer July 2007
• We offer next-generation firewalls that safely enable 1,400+ applications
- Restores the firewall as the core of the enterprise network security infrastructure
- Innovations: App-ID™, User-ID, Content-ID, GlobalProtect™, WildFire™
• Global footprint: 7,500+ customers in 100+ countries, 60 of whom have deployed more than $1M of our solution
• $200+M in bookings run rate*; 10 consecutive quarters of positive cash flow from operations
© 2012 Palo Alto Networks. Proprietary and Confidential. Page 2 |
(*) Reported on August 1, 2011. Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks' fiscal year runs from August 1st until July 31st.
2011 Magic Quadrant for Enterprise Network Firewalls
Source: Gartner, December 14, 2011
“Palo Alto Networks' high-performance NGFW functionality continues to drive competitors to react in the firewall market. It is assessed as a Leader mostly because of its NGFW design, redirection of the market along the NGFW path, consistent displacement of Leaders and Challengers, and market disruption forcing Leaders to react.”
Applications Have Changed; Firewalls Have Not
Need to restore visibility and control in the firewall
BUT…applications have changed
• Ports ≠ Applications
• IP Addresses ≠ Users
• Packets ≠ Content
The gateway at the trust border is the right place to enforce policy control
• Sees all traffic
• Defines trust boundary
Technology Sprawl & Creep Are Not The Answer
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Putting all of this in the same box is just slow
Firewalls MUST Do More to Be Relevant
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
Why Visibility & Control Must Be In The Firewall
[Diagram: left, a port-based firewall with an IPS bolted on (port policy decision first, then an app-control policy decision on whatever the IPS happens to see); right, an NGFW where application traffic gets a single app-control policy decision and the identified application is then scanned for threats]
Application Control as an Add-on
• Port-based FW + App Ctrl (IPS) = two policies
• Applications are treated as threats; only what you expressly look for gets blocked
Implications
• Network access decision is made with no information about the application
• Cannot safely enable applications
NGFW Application Control
• Application control is in the firewall = single policy
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
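The two policy models on this slide, together with the "Ports ≠ Applications" and "IP Addresses ≠ Users" points above, as an added worked example (my own illustration, not Palo Alto Networks code): the same constructed flows are run through a port-based rule set and through an application-plus-user rule set, and the decisions are compared. The protocol fingerprints, the logon-event format, the user names, IP addresses and the rule table are all assumptions made up for this example; the real App-ID and User-ID mechanisms are not reproduced here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# --- Constructed sample input (made up for this example, not captured traffic) --

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes          # first bytes the client sent on the connection


TLS_CLIENT_HELLO = bytes.fromhex("160301004d01000049")  # TLS record + ClientHello header
SSH_BANNER = b"SSH-2.0-OpenSSH_5.9\r\n"
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"
BT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8

FLOWS = [
    Flow("10.1.1.20", 443, TLS_CLIENT_HELLO),   # HTTPS on its usual port
    Flow("10.1.1.21", 443, SSH_BANNER),         # SSH on 443, dressed up as HTTPS
    Flow("10.1.1.20", 443, SSH_BANNER),         # same trick, but from an admin's host
    Flow("10.1.1.21", 80, BT_HANDSHAKE),        # BitTorrent hiding on port 80
    Flow("10.1.1.21", 8080, HTTP_GET),          # ordinary HTTP on a non-standard port
]

# Constructed logon events, the kind of data a user-to-IP mapping is built from
LOGON_EVENTS = [
    "2012-03-01T08:02:11 logon user=acme\\jsmith ip=10.1.1.20",
    "2012-03-01T08:05:42 logon user=acme\\kjones ip=10.1.1.21",
]
GROUPS = {"acme\\jsmith": "admins", "acme\\kjones": "staff"}   # assumed directory groups

# --- Application identification: look at the payload, ignore the port ----------

def identify_app(payload: bytes) -> str:
    """Classify by protocol fingerprint in the first bytes, regardless of port.
    Simplified stand-in for decoder/signature based application identification."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS: content type 0x16 (handshake), version 3.x, handshake type 0x01 (ClientHello)
    if len(payload) > 5 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    if re.match(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", payload):
        return "web-browsing"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    return "unknown-tcp"

# --- User identification: IP -> user from logon events ---------------------------

LOGON_RE = re.compile(r"logon user=(?P<user>\S+) ip=(?P<ip>\d+\.\d+\.\d+\.\d+)")

def build_user_map(events: List[str]) -> Dict[str, str]:
    mapping: Dict[str, str] = {}
    for line in events:
        m = LOGON_RE.search(line)
        if m:
            mapping[m.group("ip")] = m.group("user")   # most recent logon wins
    return mapping

# --- Two policy models -------------------------------------------------------------

PORT_ALLOW = {80, 443}   # classic port-based firewall: "web" is whatever uses 80/443

def port_policy(flow: Flow) -> str:
    """Legacy decision: the only input is the destination port."""
    return "allow" if flow.dst_port in PORT_ALLOW else "deny"

# (application, group or "any", action), evaluated top-down, first match wins
APP_RULES: List[Tuple[str, str, str]] = [
    ("ssh", "admins", "allow"),
    ("ssh", "any", "deny"),
    ("web-browsing", "any", "allow"),
    ("ssl", "any", "allow"),
    ("bittorrent", "any", "deny"),
]

def app_policy(flow: Flow, user_map: Dict[str, str], groups: Dict[str, str]) -> Tuple[str, str, str]:
    """NGFW-style decision: application identity plus user identity, port ignored."""
    app = identify_app(flow.payload)
    user = user_map.get(flow.src_ip, "unknown-user")
    group = groups.get(user, "none")
    for rule_app, rule_group, action in APP_RULES:
        if rule_app == app and rule_group in ("any", group):
            return app, user, action
    return app, user, "deny"   # implicit deny for unknown or unmatched applications

def compare(flows: List[Flow]) -> List[dict]:
    """Decision from each model for every flow, so the divergences are visible."""
    user_map = build_user_map(LOGON_EVENTS)
    rows = []
    for f in flows:
        app, user, app_action = app_policy(f, user_map, GROUPS)
        rows.append({"port": f.dst_port, "app": app, "user": user,
                     "port_based": port_policy(f), "app_based": app_action})
    return rows

if __name__ == "__main__":
    for row in compare(FLOWS):
        print(row)
```

Three of the five flows get opposite decisions: the port-based rules wave SSH and BitTorrent through because they sit on 443 and 80, and block legitimate HTTP on 8080, while the application-plus-user rules let the admin's SSH through, stop the same application from a staff host, and allow the non-standard-port HTTP. Note that the "ssl" classification stops at the TLS handshake; seeing the application inside an SSL session, as the slide's requirement "regardless of ... SSL" demands, needs decryption, which this example does not perform.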
Identification Technologies Transform the Firewall
• App-ID™ – identify the application
• User-ID™ – identify the user
• Content-ID™ – scan the content
Single-Pass Parallel Processing™ (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific parallel processing hardware engines
• Separate data/control planes
Up to 20Gbps, Low Latency
The Strategic Role of Modern Malware
Stages: Infection → Escalation → Remote Control
Malware provides the internal foothold to control and expand a sustained attack
Industry Challenges in Controlling Malware
Unreliable enforcement
• Sandboxes lack enforcement, while enforcement points lack sandbox intelligence
• Lack of outbound traffic controls
• Lack of actionable information
Inability to recognize files as malware
• Targeted malware
• New and refreshed malware
• Long windows to protection
Infecting files are hidden
• Inside applications
• In encrypted traffic and behind proxies
• On non-standard ports
• In drive-by downloads
Introducing WildFire
• Identifies unknown malware by direct observation in a cloud-based, virtual sandbox
- Detects more than 70 malicious behaviors
- Capture and enforcement performed locally by firewall
- Sandbox analysis performed in the cloud removes need for new hardware and provides single point of malware visibility
• Automatically generates signatures for identified malware
- Infecting files and command-and-control
- Distributes signatures to all firewalls via regular threat updates
• Provides forensics and insight into malware behavior
- Actions on the target machine
- Applications, users and URLs involved with the malware
WildFire Architecture
Flow as drawn in the diagram:
1. Unknown files from the Internet come into the enterprise.
2. The firewall submits the file to the WildFire cloud.
3. In the cloud: compare to known files → sandbox environment → signature generator; results are exposed in the admin web portal.
4. New signatures are delivered to ALL firewalls via regular threat updates; the portal provides malware forensics.
Visibility and Architecture Change the Game
NGFW is Required
• Must decode apps to find hidden files
• Must control SSL, circumventors and evasion
• In-line enforcement and blocking of command and control
Centralized Analysis
• Intelligence and protections shared with ALL firewalls
• No need to reprocess files
• Easily update detection and anti-detection logic
• No new hardware required
Attack Stages of Modern Malware
1. Targeted malicious email sent to user
2. User clicks on link to a malicious website
3. Malicious website exploits client-side vulnerability
4. Drive-by download of malicious payload
Controls applied along this chain: URL Filtering, IPS, Behavioral Analysis, Signature Detection
PAN-OS Core Firewall Features
• Strong networking foundation
- Dynamic routing (BGP, OSPF, RIPv2)
- Tap mode – connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation
- Policy-based forwarding
• VPN
- Site-to-site IPSec VPN
- SSL VPN
• QoS traffic shaping - Max/guaranteed and priority
- By user, app, interface, zone, & more
- Real-time bandwidth monitor
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active/active, active/passive
- Configuration and session synchronization
- Path, link, and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, and PA-2000 Series)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content complement core firewall features
Appliances – Overview
Firewall | Firewall Throughput | Threat Prevention Throughput | Ports | Session Capacity
PA-5060 | 20 Gbps | 10 Gbps | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 4,000,000
PA-5050 | 10 Gbps | 5 Gbps | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 2,000,000
PA-5020 | 5 Gbps | 2 Gbps | 8 SFP, 12 copper gigabit | 1,000,000
PA-4060 | 10 Gbps | 5 Gbps | 4 XFP (10 Gig), 4 SFP (1 Gig) | 2,000,000
PA-4050 | 10 Gbps | 5 Gbps | 8 SFP, 16 copper gigabit | 2,000,000
PA-4020 | 2 Gbps | 2 Gbps | 8 SFP, 16 copper gigabit | 500,000
PA-3050 | 4 Gbps | 2 Gbps | 8 SFP, 12 copper gigabit | 500,000
PA-3020 | 2 Gbps | 1 Gbps | 8 SFP, 12 copper gigabit | 250,000
PA-2050 | 1 Gbps | 500 Mbps | 4 SFP, 16 copper gigabit | 250,000
PA-2020 | 500 Mbps | 250 Mbps | 8 copper gigabit | 125,000
PA-500 | 250 Mbps | 100 Mbps | 8 copper gigabit | 64,000
PA-200 | 100 Mbps | 50 Mbps | 4 copper gigabit | 64,000
VM-Series – Overview
• PAN-OS next-generation firewall features in a virtual form factor
• Visibility and control of the traffic between VMs
Specifications
Model | Sessions | Rules | Security Zones | Address Objects | IPSec VPN Tunnels | SSL VPN Tunnels
VM-100 | 50,000 | 250 | 10 | 2,500 | 25 | 25
VM-200 | 100,000 | 2,000 | 20 | 4,000 | 500 | 200
VM-300 | 250,000 | 5,000 | 40 | 10,000 | 2,000 | 500
Supported on VMware ESX/ESXi 4.0 or later
Minimum of 2 CPU cores, 4 GB RAM, 40 GB HD, 2 interfaces
Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems or jumbo frames
Performance
Cores Allocated | Firewall (App-ID) | Threat Prevention | VPN | Sessions per Second
2 cores | 500 Mbps | 200 Mbps | 100 Mbps | 8,000
4 cores | 1 Gbps | 600 Mbps | 250 Mbps | 8,000
8 cores | 1 Gbps | 1 Gbps | 400 Mbps | 8,000
Flexible Deployment Options
Visibility
• Application, user and content visibility without inline deployment (tap mode on a SPAN port)
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Enterprise-Wide Next-Generation Firewall Protection
Same Next-Generation Firewall, Different Benefits…
Perimeter
• Identify and control applications, users and content
• Positive enablement
Data Center
• Network segmentation based on users and applications
• High performance threat prevention
Distributed Enterprise (Branch Office, Remote Users)
• Extending consistent security to all users and locations
• Visibility and control over applications, users and content
IT infrastructure: past
Past: clear segregation
• Control by physical location
• "Yours" and "mine" are clear to see
IT infrastructure: present
Present: partially open
• Outsourcing / hosting relocates servers to the "outside"
• Client-to-site VPN for roaming clients
• "Guest access" for contractors
IT infrastructure: future
Future: massive outsourcing of services and devices
• vDC and SaaS replace large chunks of today's IT
• Corporate WAN mostly replaced by site-to-site VPN
• BYOD is the default
Palo Alto Networks Weekly Jumpstart
contact_sales@paloaltonetworks.com
(408) 753-4000