Firewall requirements to secure IPv6

thoughtlessskytop, Networks and Communications

29 Oct 2013 (3 years and 8 months ago)


Firewall requirements to secure IPv6 networks

finished playing!

LANCom seminar, Maribor

Ides Vanneuville, Palo Alto Networks

Next-Generation firewall

Sr. Director Systems Engineering EMEA

© 2011 Palo Alto Networks. Proprietary and Confidential.

About Palo Alto Networks


Palo Alto Networks is the Network Security Company

- World-class team with strong security and networking experience
- Founded in 2005, first customer July 2007, top-tier investors

Builds next-generation firewalls that identify / control 1,300+ applications

- Restores the firewall as the core of enterprise network security infrastructure
- Innovations: App-ID™, User-ID™, Content-ID™

Global momentum: 5,300+ customers

August 2011: Annual bookings run rate is over US$200 million*, cash-flow positive last five consecutive quarters

(*) Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks’ fiscal year runs from August 1st until July 31st.


2011 Magic Quadrant for Enterprise Network Firewalls

Please get a copy of the report from this link:

http://www.paloaltonetworks.com/cam/gartner/index.php



Applications Have Changed; Firewalls Have Not


Need to restore visibility and control in the firewall

BUT…applications have changed


Ports ≠ Applications
IP Addresses ≠ Users
Packets ≠ Content

The firewall is the right place to enforce policy control

Sees all traffic
Defines trust boundary
Enables access via positive control

Applications Carry Risk


Applications can be “threats”


- P2P file sharing, tunneling applications, anonymizers, media/video

Applications carry threats

- Qualys Top 20 Vulnerabilities: majority result in application-level threats

Applications & application-level threats result in major breaches

- RSA, Comodo, FBI

Enterprise 2.0 Applications and Risks Widespread


Palo Alto Networks’ latest Application Usage & Risk Report highlights actual behavior of 1M+ users in 1253 organizations

- More enterprise 2.0 application use for personal and business reasons.
- Tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies, & URL filtering, but none of these organizations could control what applications ran on their networks

Technology Sprawl & Creep Are Not The Answer


“More stuff” doesn’t solve the problem


Firewall “helpers” have limited view of traffic


Complex and costly to buy and maintain


Internet




Putting all of this in the same box is just slow




New Requirements for the Firewall

1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation

The Right Answer: Make the Firewall Do Its Job


Why Visibility & Control Must Be In The Firewall


[Diagram labels: Port Policy Decision, App Ctrl Policy Decision]

Application Control as an Add-on

Port-based FW + App Ctrl (IPS) = two policies
Applications are threats; only block what you expressly look for

Implications
Network access decision is made with no information
Cannot safely enable applications

[Diagram labels: IPS, Applications, Firewall, Port, Traffic, Firewall, IPS, App Ctrl Policy Decision, Scan Application for Threats, Applications, Application Traffic]

NGFW Application Control

Application control is in the firewall = single policy
Visibility across all ports, for all traffic, all the time

Implications
Network access decision is made based on application identity
Safely enable application usage

What You See…with Port-Based FW + Application Control Add-on



What You See with a True Next-Generation Firewall



Your Control With Port-based Firewall Add-on



Your Control With a Next-Generation Firewall

» The ever-expanding universe of applications, services and threats
» Traffic limited to approved business use cases based on App and User
» Attack surface reduced by orders of magnitude
» Complete threat library with no blind spots

Bi-directional inspection
Scans inside of SSL
Scans inside compressed files
Scans inside proxies and tunnels

Only allow the apps you need

Safely enable the applications relevant to your business



Transforming The Perimeter and Datacenter




Perimeter


Datacenter

Same Next-Generation Firewall, Different Benefits…



PAN-OS Core Firewall Features

Strong networking foundation
- Dynamic routing (BGP, OSPF, RIPv2)
- Tap mode: connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation
- Policy-based forwarding

VPN
- Site-to-site IPSec VPN
- SSL VPN

QoS traffic shaping
- Max/guaranteed and priority
- By user, app, interface, zone, & more
- Real-time bandwidth monitor

Zone-based architecture
- All interfaces assigned to security zones for policy enforcement

High Availability
- Active/active, active/passive
- Configuration and session synchronization
- Path, link, and HA monitoring

Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, and PA-2000 Series)

Simple, flexible management
- CLI, Web, Panorama, SNMP, Netflow, email, Syslog

Visibility and control of applications, users and content complement core firewall features

PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060, PA-5060, PA-5050, PA-5020, PA-200

IPv6 deployment options

[Diagram labels: Datacenter, Users, Branch, Email]

Internet Gateway
Internal Segmentation
Datacenter Protection
Branch gateway
Road warriors

IPv6 requirements for firewalls


Focus on dual-stack functionality on the data processing part
- Transparent for IPv4 and IPv6

Focus on networking functionality
- Native IPv6
- IPv4 to IPv6 to IPv4 gateway functionality

Focus on IPv6 services
- Native support for DNS, Syslog, NTP, RADIUS, LDAP, …

IP stack can change but…Malware is the same

it’s time to fix the traditional IPv6 firewall

it’s time to fix malware protection!

the new attacker

the attacker is not a bored geek

nation states and organized crime

data breaches in 2011

step one: bait an end-user

spear phishing

step two: exploit a vulnerability

step three: download a backdoor

step four: establish a back channel

step five: explore and steal

Why App, User and Content-ID?

Identification Technologies Transform the Firewall

App-ID™: Identify the application
User-ID™: Identify the user
Content-ID™: Scan the content

needs to work across all applications

Control known applications and block the unknown

needs high-speed IPS and AV

The Strategic Role of Modern Malware

Infection, Escalation, Remote Control

Malware provides the internal foothold to control and expand a sustained attack

Unreliable enforcement
- Sandboxes lack enforcement, while enforcement points lack sandbox intelligence
- Lack of outbound traffic controls
- Lack of actionable information

Industry Challenges in Controlling Malware

Inability to recognize files as malware
- Targeted malware
- New and refreshed malware
- Long windows to protection

Infecting files are hidden
- Inside applications
- Encrypted traffic, proxies
- Non-standard ports
- Drive-by-downloads




exploit protection

many months pass between black-hat discovery, white hat discovery, and protection being available

Introducing WildFire Architecture


Unknown Files From the Internet Coming into the Enterprise
Compare to Known Files
Sandbox Environment
Signature Generator
Admin Web Portal
Firewall Submits File to WildFire Cloud
New Signatures Delivered to ALL Firewalls via regular threat updates. Portal provides malware forensics

solution has to be enterprise-wide

IPv6 firewall needs…continued


Seamless Next-Generation firewall operations across IPv6 and IPv4
- Application detection
- Interface with user-directories and user-identification methods (e.g. captive portal, API, etc…)
- Content-scanning and (SSL/SSH) decryption is seamless on both stacks

Focus on IPv6 security specifics (e.g. IPv6 headers, DoS detection & prevention)

IPv6 firewall needs…continued


Secure connectivity
- SSL-VPN and IPsec for roaming users and branch offices
- Mix & match IPv6 and IPv4

Integrated security policy management for both IPv6 and IPv4

Integrated reporting and visualization of ‘events’

Summary


Need to ‘secure’ IPv6 networks and services


IPv6 becomes more widespread…



Next-Generation firewall plays a very important role in ‘transitioning’ networks and managing both worlds



Go IPv6!!……..Go Palo Alto Networks NGFW!!


modern malware protection belongs in a next generation firewall

thank you