What Did You Do At School Today Junior? Ethan West – Palo Alto Networks Systems Engineer


279 schools

1,000s of students

1,200+ applications

1 challenge

What do you really know about your network?

75%

Frequency is defined as a single instance found on a network (n=279).

Frequency that external proxies were found on K-12 Networks?

A total of 28 different proxies were in use, with an average of 4 external proxies found on 80% of the 279 K12 networks.

80%

Frequency that external proxies were found on K-12 networks?

50%

Frequency is defined as a single instance found on a network (n=279).

Frequency that non-VPN related encrypted tunnels were found?

An average of 2 encrypted tunnel applications were found in 42% of the K12 networks.

SSH is excluded

42%

Frequency that non-VPN related encrypted tunnels were found?

• External proxies commonly used to bypass URL filtering

• Remote access commonly used to evade controls; known as a cyber criminal target

• Encrypted tunnels (Tor, UltraSurf, Hamachi) used to “hide”

Frequency is defined as a single instance found on a network (n=279).

Students will find a way…

10%

Percentage of total bandwidth consumed by file transfer of all types

P2P, browser-based and client-server filesharing applications consumed 9% of total bandwidth – roughly the same amount as viewed in the enterprise environments.

Percentage of total bandwidth consumed by file transfer of all types?

9%

P2P Dwarfs All Other Filesharing Applications

The solution of choice for moving big files…

10

Average number of browser-based file sharing applications found on each network?

11

Average number of browser-based filesharing applications found on each network?

There were 64 browser-based filesharing variants found with an average of 11 discovered on 95% of the K-12 networks.

Browser-Based File Sharing: Two Use Cases

Browser-based filesharing use cases: entertainment or productivity. Both uses have a common set of business and security risks that organizations must address.

The number of applications using Port 80 (tcp/80) only?

250

The number of applications using Port 80 (tcp/80) only?

The number of applications that ONLY use Port 80 is 278 or 26% of the 1,050 applications found on the participating K-12 networks.

278

Percentage of total bandwidth consumed by applications not using tcp/80?

40%

Percentage of total bandwidth consumed by applications not using tcp/80?

30% of the total bandwidth is being consumed by (31% of the 1,050) applications that DO NOT USE port 80 at all. Ever.

30%

Port 80 only security is shortsighted

The common perception is that port 80 (tcp/80) is where all the traffic and all the problems are. An emphasis on tcp/80 is an absolute requirement, but too much tcp/80 focus is shortsighted.

Junior’s application usage is sophisticated…

These are not our parents’ applications – usage patterns are on par with those seen in the enterprise

Applications that can hide or mask activity are common

P2P, despite control efforts, is used heavily; browser-based filesharing is a hidden risk

Port 80 is used heavily, but too much focus is shortsighted and high risk

© 2012 Palo Alto Networks. Proprietary and Confidential.

Applications Have Changed, Firewalls Haven’t

Network security policy is enforced at the firewall

• Sees all traffic

• Defines boundary

• Enables access

Traditional firewalls don’t work any more

Technology Sprawl and Creep Aren’t the Answer

Enterprise Network

• “More stuff” doesn’t solve the problem

• Firewall “helpers” have limited view of traffic

• Complex and costly to buy and maintain

• Doesn’t address application “accessibility” features

[Diagram labels: IM, DLP, IPS, Proxy, URL, AV, UTM, Internet]

More not always better…

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify and control users regardless of IP address, location, or device

3. Protect against known and unknown application-borne threats

4. Fine-grained visibility and policy control over application access / functionality

5. Multi-gigabit, low latency, in-line deployment

The Answer? A capable Next Gen Security Platform

The Benefits of Classifying Traffic in the Firewall

[Diagram labels: Policy Decision, Firewall, App-ID, Allow Facebook]

Key Difference / Benefit

Single firewall policy

• Less work, more secure. Administrative effort is reduced; potential reconciliation holes eliminated.

Positive control model

• Allow by policy, all else is denied. It’s a firewall.

Single log database

• Less work, more visibility. Policy decisions based on complete information.

Systematic management of unknowns

• Less work, more secure. Quickly identify high risk traffic and systematically manage it.

Multi-Step Scanning Ramifications

300+ applications allowed*

*Based on Palo Alto Networks Application Usage and Risk Report

Facebook allowed…what about the other 299 apps?

[Diagram labels: Policy Decision #1 – Firewall: Allow port 80 (open ports to allow the application); Policy Decision #2 – App-Control Add-on: Allow Facebook (Applications)]

Key Difference / Ramifications

Two separate policies

• More work. Two policies = double the admin effort (data entry, mgmt, etc.)

• Possible security holes. No policy reconciliation tools to find potential holes

Two separate policy decisions

• Weakens the FW deny all else premise. Applications allowed by port-based FW decision.

Two separate log databases

• Less visibility with more effort. Informed policy decisions require more effort, slows reaction time

No concept of unknown traffic

• Increased risk. Unknown is found on every network = low volume, high risk

• More work, less flexible. Significant effort to investigate; limited ability to manage if it is found.

Your Control With a Next-Generation Firewall

»The ever-expanding universe of applications, services and threats

»Traffic limited to approved business use cases based on App and User

»Attack surface reduced by orders of magnitude

»Complete threat library with no blind spots

• Bi-directional inspection

• Scans inside of SSL

• Scans inside compressed files

• Scans inside proxies and tunnels

Only allow the apps you need

Safely enable the applications relevant to your business

Covering the entire Enterprise

Network location: Data center/cloud, Enterprise perimeter, Distributed enterprise/BYOD

Next-generation appliances: Physical: PA-200, PA-500, PA-3000 Series, PA-5000 Series; WildFire: WF-500; Virtual: VM-Series

Subscription services: URL Filtering, GlobalProtect™, WildFire™, Threat Prevention

Use cases: Next-Generation Firewall; Cybersecurity: IDS / IPS / APT; Web gateway; VPN

Management system: Panorama and M-100 appliance

Operating system: PAN-OS™

Addresses Three Key Business Problems

Safely Enable Applications

• Identify more than 1,900 applications, regardless of port, protocol, encryption, or evasive tactic

• Fine-grained control over applications/application functions (allow, deny, limit, scan, shape)

• Addresses the key deficiencies of legacy firewall infrastructure

• Systematic management of unknown applications

Prevent Threats

• Stop a variety of known threats – exploits (by vulnerability), viruses, spyware

• Detect and stop unknown threats with WildFire

• Stop leaks of confidential data (e.g., credit card #, social security #, file/type)

• Enforce acceptable use policies on users for general web site browsing

Simplify Security Infrastructure

• Put the firewall at the center of the network security infrastructure

• Reduce complexity in architecture and operations

Magic Quadrant for Enterprise Network Firewalls

“Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward. It is assessed as a Leader, mostly because of its NGFW design, direction of the market along the NGFW path, consistent displacement of competitors, rapidly increasing revenue and market share, and market disruption that forces competitors in all quadrants to react.”

Gartner, February 2013

Customer Example: Huron Valley Schools

“Not only did the PA-3000 Series give us total control over all applications, we saw an increase in our Internet performance plus much easier administration.”

Industry: K-12 Education

Statistics: School District in Oakland County supporting 9800 students across 15 schools.

Problem

Students circumventing IT security controls with tools such as UltraSurf and TOR

No visibility into user behavior, application use

Existing firewall not keeping up

• Rate of change in applications

• Difficult to maintain content filter

• Reaching throughput maximum

• End of life

Solution / Results

PA-3000 Series deployed as primary enterprise firewall

Policy control by application and user

No longer struggle to keep up with new/changed applications

Improved performance
