© 2007 Palo Alto Networks. Proprietary and ConfidentialPage 1 |
Implementing Policy and Control
Steve Mullaney
Vice President, Marketing
What IT Needs to Control Has Changed
• Before, “applications” were well-understood.
- Network utilities, OLTP
- Internally-developed enterprise client server
- Known behavior, studied risks, predictable
- Power users are rare
• Now, “applications” are likely to be employed by users for months before IT hears about them
- Collaboration, media, interactivity
- Externally-sourced, browser-based, Web 2.0
- Unknown behavior, unknown risks, unpredictable
- Everybody is a power user
Both Applications and Users Have Evolved
Enterprise Users Do What They Want
• The Application Usage & Risk Report highlights actual behavior of 350,000 users across 20 organizations:
- End-users actively circumvent controls - 80% of organizations
- Port 80 traffic isn’t what you think it is – most Port 80 apps not web browsing
- Non-business applications chew up all available bandwidth – video, P2P, audio, etc.
Presents Risks to Your Business That You Can’t Control
© 2008 Palo Alto Networks. Proprietary and ConfidentialPage 4 |
IT is Blind to Applications on the Network
• Applications have gone evasive
- Encryption
- Port-agnostic (80 or 443)
- Port-agile
• Need to enable agile business technology adoption
• Threats target applications
• Leads to increased business risks
- Productivity
- Compliance
- Operational cost
- Business continuity
- Data loss
Need to Safely Enable Some New Applications, Effectively Block Others
Problem Why it Matters
The Strategy is Fine, but the Execution Stinks
• The gateway on the trust border is the right place to exert control
- All traffic goes through
- Defines trust boundary
- Since biblical times, the natural place to apply policy
• BUT…
- What firewalls need to do has changed
- Unfortunately, firewalls haven’t changed
• Fix the execution, make the firewall do its job
Classify Applications, Not Ports or Protocols
• Applications use port 80 or 443
• Applications are evasive
• Need multiple ways to identify
- Decryption
- Decoding
- Pattern recognition
Need to ID and control all sorts of applications
New Requirements for the Firewall
1. Identify applications regardless of port, protocol or evasive tactic
2. Policy-based decryption, identification and control of SSL
3. Granular visibility and policy control over application access / functionality
4. Protect in real-time against broad threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation
Making the Firewall Do Its Job
About Palo Alto Networks
• Founded in 2005 by Nir Zuk, inventor of stateful inspection technology
• Builds next generation firewalls; visibility and control of 600+ applications
• Integrated URL filtering and high-speed threat prevention
• Named Gartner Cool Vendor in 2008; 2008 Best of Interop Grand Prize
Visibility of Apps/Users/Risk = Common Language
Palo Alto Networks Enables Safe Use of New Applications
[Diagram]
• Common language: Risk, Users, Applications
• IT: Threats, Viruses, Hackers, IP addresses, Ports
• Business: Growth, Profit, Revenue, Competition, Business process
• Diagram labels: NO; YES…but HOW?; Eliminate Risk; Manage Risk
Thank You!