Palo Alto Networks Solution Overview

Uploaded by thoughtlessskytop, Networks and Communications

29 Oct 2013

Palo Alto Networks Solution Overview

May 2010

Denis Pechnov
Sales, EMEA

About Palo Alto Networks

- Founded in 2005 by security visionaries and engineers from NetScreen, Juniper Networks, McAfee, Blue Coat, Cisco, …
- Build innovative Next Generation Firewalls that control more than 900 applications, users & data carried by them
- Backed by $65 Million in venture capital from leading Silicon Valley investors including Sequoia Capital, Greylock Partners, Globespan Capital Partners, …
- Global footprint with over 1000 customers; we are passionate about customer satisfaction, deliver 24/7 global support and have presence in 50+ countries
- Independent recognition from analysts like Gartner


© 2009 Palo Alto Networks. Proprietary and Confidential. | Page 2
Why is there a need for a NGFW?

The Social Enterprise 2.0


Enterprise 2.0 Applications Take Many Forms

5 Things You Need To Know About Enterprise 2.0

1. Driven by new generation of addicted Internet users - smarter than you?
2. Full, unrestricted access to everything on the Internet is a right
3. They’re creating a giant social system - collaboration, group knowledge
4. Not waiting around for IT support or endorsement - IT is irrelevant
5. Result - a Social Enterprise full of potential risks … and rewards

[Diagram: Rewards vs. Risks; Internet vs. Enterprise; Work Life vs. Home Life]

What the 2010 User’s Expectation


How Will You Respond To This Challenge?

- How can you regain control of enterprise 2.0?
- What value do these applications provide to your business?
- What is your organization’s risk tolerance for these applications?
- How can you “safely enable” the right applications?
- Where do you start?


Start by Understanding What’s Really Happening

Application Usage and Risk Report - Findings
- 347 large enterprises worldwide
- 750+ different Internet applications
- Employees have created Enterprise 2.0

Rewards
- Enterprises are embracing social networking apps
- Proven to deliver measurable value to business

Risks
- Incoming threats are increasing
- Potential for data leakage is increasing
- Existing security infrastructure ineffective



What’s the Problem?

The Application Usage & Risk Report from Palo Alto Networks highlights actual behavior of millions of users across hundreds of organizations:

- Applications are designed for accessibility. More than half (57%) of the 700+ applications found can bypass security infrastructure - hopping from port to port, using port 80 or port 443.
- Applications that enable users to circumvent security controls are common. Proxy/bypass tools that are typically not endorsed by corporate IT (CGIProxy, PHProxy, Hopster) and remote desktop access applications (LogMeIn!, RDP, PCAnywhere) were found 81% and 95% of the time, respectively. Encrypted tunnel applications such as SSH, TOR, GPass, and Gbridge were also found.
- File sharing usage is rampant. P2P was found 92% of the time, with BitTorrent and Gnutella as the most common of 21 variants found. Browser-based file sharing was found 76% of the time with YouSendit! and MediaFire among the most common of the 22 variants.
- Enterprises are spending heavily to protect their networks - yet they cannot control the applications on the network. Collectively, enterprises spend more than $6 billion annually on firewall, IPS, proxy and URL filtering products. The analysis showed that 100% of the organizations had firewalls and 87% also had one or more of these firewall helpers (a proxy, an IPS, URL filtering) - yet they were unable to exercise control over the application traffic traversing the network.

Business Risks: Productivity, Compliance, Operational Cost, Business Continuity and Data Loss



Enterprise End Users Do What They Want!

Seeing is Believing



- Request a free 30-day evaluation
- Request a free Application Visibility and Risk report
- Take back control of your social enterprise


The Cause: Applications Have Changed; Neither Firewalls nor Firewall Helpers Have

Need to Restore Visibility and Control in the Firewall

- Firewalls should see and control applications, users, and threats . . .
- . . . but they only show you ports, protocols, and IP addresses - all meaningless!

[Diagram: Internet]

Sprawl Is Not The Answer

- “More stuff” doesn’t solve the problem
- Firewall “helpers” have limited view of traffic
- Complex and costly to buy and maintain



Putting all of this in the same box is just slow


SO WHAT IS THE SOLUTION?


Gartner, Forrester, …

- Forrester - If you do not have IPS you deserve to be hacked.
- Gartner - John Pescatore and Greg Young published a note on October 12th, 2009.
  - Key Findings
    - The stateful protocol filtering and limited application awareness offered by first generation firewalls are not effective in dealing with current and emerging threats.
    - Next-generation firewalls (NGFWs) are emerging that can detect application-specific attacks and enforce application-specific granular security policy, both inbound and outbound.
  - Recommendations
    - If you have not yet deployed network intrusion prevention, require NGFW capabilities of all vendors at your next firewall refresh point.
    - If you have deployed both network firewalls and network intrusion prevention, synchronize the refresh cycle for both technologies and migrate to NGFW capabilities.




New Requirements for the Firewall

1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Fine-grained visibility and policy control over application access / functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation

Palo Alto Networks Next-Generation Firewall
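As an added illustration of requirement 1 (not code from Palo Alto Networks or this deck), the script below classifies a few constructed flows first by destination port, the legacy firewall view, and then by a simplified payload signature, and reports every flow where the two disagree; the signature checks are reduced versions of the real protocol fingerprints and the flows are made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One client-to-server flow: the port it used and the first payload bytes."""
    dst_port: int
    payload: bytes


# Legacy firewall view: the destination port *is* the application.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 6881: "bittorrent"}


def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_signature(flow: Flow) -> str:
    """Identify the application from what is actually on the wire, ignoring the port."""
    p = flow.payload
    if p.startswith(b"SSH-2.0-"):                                   # SSH version banner
        return "ssh"
    if p[:1] == b"\x13" and p[1:20] == b"BitTorrent protocol":     # BitTorrent handshake
        return "bittorrent"
    if p[:1] == b"\x16" and p[1:2] == b"\x03":                     # TLS handshake record, v3.x
        return "ssl"
    if any(p.startswith(m) for m in (b"GET ", b"POST ", b"CONNECT ")):
        return "web-browsing"
    return "unknown"


def find_evasions(flows):
    """List every flow where the port-based label disagrees with the payload."""
    evasions = []
    for f in flows:
        by_port, by_sig = classify_by_port(f), classify_by_signature(f)
        if by_sig != "unknown" and by_sig != by_port:
            evasions.append((f.dst_port, by_port, by_sig))
    return evasions


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow(443, b"SSH-2.0-OpenSSH_5.3\r\n"),                           # SSH on the "SSL" port
    Flow(80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40),  # P2P on the web port
    Flow(8443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x01"),    # TLS on a non-standard port
]

if __name__ == "__main__":
    for port, guess, real in find_evasions(SAMPLE_FLOWS):
        print(f"port {port}: port-based says {guess!r}, payload says {real!r}")
```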


Unique Technologies Transform the Firewall

- App-ID: Identify the application
- User-ID: Identify the user
- Content-ID: Scan the content


Single-Pass Parallel Processing (SP3) Architecture

Single Pass
- Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning - threats, URLs, confidential data
- One policy

Parallel Processing
- Function-specific hardware engines
- Separate data/control planes

Up to 10Gbps, Low Latency


Purpose-Built Architecture: PA-4000 Series

Flash Matching HW Engine
- Palo Alto Networks’ uniform signatures
- Multiple memory banks - memory bandwidth scales performance

Multi-Core Security Processor
- High density processing for flexible security functionality
- Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)

Dedicated Control Plane
- Highly available mgmt
- High speed logging and route updates

10 Gig Network Processor
- Front-end network processing offloads security processors
- Hardware accelerated QoS, route lookup, MAC lookup and NAT

[Block diagram: Control Plane with dual-core CPU, RAM and HDD; Data Plane with a 10Gbps Flash Matching Engine backed by four RAM banks, a multi-core security processor (CPU 1, CPU 2, CPU 3 . . CPU 16, with SSL, IPSec and de-compression offload) with its own RAM, and a 10 Gig Network Processor handling QoS, route/ARP/MAC lookup and NAT on 10Gbps interfaces]


Visibility into Application, Users & Content

- Application Command Center (ACC)
  - View applications, URLs, threats, data filtering activity
- Mine ACC data, adding/removing filters as needed to achieve desired result

[Screenshots: Filter on Skype; Filter on Skype and user harris; Remove Skype to expand view of harris]


Enables Visibility Into Applications, Users, and Content


PAN-OS Features

Visibility and control of applications, users and content are complemented by core firewall features

Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode - connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation

QoS - traffic shaping
- Max/guaranteed and priority
- By user, app, interface, zone, and more

Zone-based architecture
- All interfaces assigned to security zones for policy enforcement

High Availability
- Active / passive
- Configuration and session synchronization
- Path, link, and HA monitoring

Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)

Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog

Our Platform Family…

[Chart: performance scales from Remote Office / Medium Enterprise to Large Enterprise]

PA-500: 250Mbps; 100Mbps threat prevention

PA-2000 Series
- PA-2020: 500Mbps; 200Mbps threat prevention
- PA-2050: 1Gbps; 500Mbps threat prevention

PA-4000 Series
- PA-4020: 2Gbps; 2Gbps threat prevention
- PA-4050: 10Gbps; 5Gbps threat prevention
- PA-4060: 10Gbps; 5Gbps threat prevention (XFP interfaces)

Palo Alto Networks Next-Gen Firewalls

PA-4050: 10 Gbps FW; 5 Gbps threat prevention; 2,000,000 sessions; 16 copper gigabit; 8 SFP interfaces
PA-4020: 2 Gbps FW; 2 Gbps threat prevention; 500,000 sessions; 16 copper gigabit; 8 SFP interfaces
PA-4060: 10 Gbps FW; 5 Gbps threat prevention; 2,000,000 sessions; 4 XFP (10 Gig) I/O; 4 SFP (1 Gig) I/O
PA-2050: 1 Gbps FW; 500 Mbps threat prevention; 250,000 sessions; 16 copper gigabit; 4 SFP interfaces
PA-2020: 500 Mbps FW; 200 Mbps threat prevention; 125,000 sessions; 12 copper gigabit; 2 SFP interfaces
PA-500: 250 Mbps FW; 100 Mbps threat prevention; 50,000 sessions; 8 copper gigabit


Flexible Deployment Options

Visibility
- Application, user and content visibility without inline deployment

Transparent In-Line
- IPS with app visibility & control
- Consolidation of IPS & URL filtering

Firewall Replacement
- Firewall replacement with app visibility & control
- Firewall + IPS
- Firewall + IPS + URL filtering


Fix The Firewall - and Save Money!

- Capital cost - replace multiple devices
  - Legacy firewall, IPS, URL filtering device (e.g., proxy, secure web gateway)
- “Hard” operational expenses
  - Support contracts
  - Subscriptions
  - Power and HVAC
- Save on “soft” costs too
  - Rack space, deployment/integration, headcount, training, help desk calls

[Chart callouts: Cut by as much as 80%; Cut by as much as 65%]

Now We Fixed The Firewall… What’s Next?

Global Protect!

Solved the “Inside” Problem - But Users Leave…

[Diagram: Headquarters and Branch Office are “Enterprise Secured”; Hotel and Home are “Open to threats, app usage, & more”; Data, Apps, Users]

How do you secure your applications and your users when they are both moving off the “controlled” network?

Get the Same Visibility and Control for All Users

[Diagram: Headquarters, Branch Office, Hotel and Home all “Enterprise Secured”; Apps, Users]

Palo Alto Networks GlobalProtect™ will enable organizations to safely enable applications, regardless of user location

Palo Alto Networks Continuing to Innovate

- Enterprises basing network security on Palo Alto Networks next-generation firewalls
- GlobalProtect™ will bring roaming users into next-generation firewall-based control
  - Applications/Users/Content
- GlobalProtect™ will support Windows-based machines initially
  - Windows 7 (32 & 64-bit)
  - Windows Vista (32 & 64-bit)
  - Windows XP
- Pricing: subscription (per firewall, not user-based)
- Available end of 2010


Next-Generation Firewalls Are Network Security


What about the Middle East?

- Higher College of Technology in Abu Dhabi
- American University of Sharjah
- Abu Dhabi Government Services
- Cairo Amman Bank in Jordan
- Dubai World


Thank You

Additional Information

Next-Generation Firewall Solutions


Legendary Customer Support Experience

- Strong TSE team with deep network security and infrastructure knowledge
  - Experience with every major firewall
  - TSEs average over 15 years of experience
- TSEs co-located with engineering in Sunnyvale, CA
- Premium and Standard offerings
- Rave reviews from customers




“Customer support has always been amazing. Whenever I call, I always get someone knowledgeable right away, and never have to wait. They give me the answer I need quickly and completely. Every support rep I have spoken with knows his stuff.”
- Mark Kimball, Hewlett-Packard

“Customer support has been extraordinarily helpful - which is not the norm when dealing with technology companies. Their level of knowledge, their willingness to participate - it’s night and day compared to other companies. It’s an incredible strength of Palo Alto Networks.”
- James Jones, UPMC


Site-to-Site and Remote Access VPN

- Secure connectivity
  - Standards-based site-to-site IPSec VPN
  - SSL VPN for remote access
- Policy-based visibility and control over applications, users and content for all VPN traffic
- Included as features in PAN-OS at no extra charge

[Diagram: Site-to-site VPN connectivity; Remote user connectivity]


Traffic Shaping Expands Policy Control Options

- Traffic shaping policies ensure business applications are not bandwidth starved
  - Guaranteed and maximum bandwidth settings
  - Flexible priority assignments, hardware accelerated queuing
  - Apply traffic shaping policies by application, user, source, destination, interface, IPSec VPN tunnel and more
- Enables more effective deployment of appropriate application usage policies
- Included as a feature in PAN-OS at no extra charge


Flexible Policy Control Responses

Intuitive policy editor enables appropriate usage policies with flexible policy responses
- Allow or deny individual application usage
- Allow but apply IPS, scan for viruses, spyware
- Control applications by category, subcategory, technology or characteristic
- Apply traffic shaping (guaranteed, priority, maximum)
- Decrypt and inspect SSL
- Allow for certain users or groups within AD
- Allow or block certain application functions
- Control excessive web surfing
- Allow based on schedule
- Look for and alert or block file or data transfer


App-ID: Comprehensive Application Visibility

- Policy-based control of more than 800 applications distributed across five categories and 25 sub-categories
- Balanced mix of business, internet and networking applications and networking protocols
- 3-5 new applications added weekly
- App override and custom HTTP applications help address internal applications


User-ID: Enterprise Directory Integration

- Users no longer defined solely by IP address
  - Leverage existing Active Directory infrastructure without complex agent rollout
  - Identify Citrix users and tie policies to user and group, not just the IP address
- Understand user application and threat behavior based on actual AD username, not just IP
- Manage and enforce policy based on user and/or AD group
- Investigate security incidents, generate custom reports


Content-ID: Real-Time Content Scanning

Stream-based, not file-based, for real-time performance
- Uniform signature engine scans for broad range of threats in single pass
- Vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)

Block transfer of sensitive data and file transfers by type
- Looks for CC # and SSN patterns
- Looks into file to determine type - not extension based

Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1,000’s URLs/sec)
- Dynamic DB adapts to local, regional, or industry focused surfing patterns

Detect and block a wide range of threats, limit unauthorized data transfer and control non-work related web surfing
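As an added illustration of two Content-ID points on this slide (not code from Palo Alto Networks or this deck), the scanner below looks for card-number and SSN patterns in a byte stream that is fed chunk by chunk, keeping a small tail so a match split across a chunk boundary is still found and a Luhn check so random 16-digit runs are not reported, and it types a file by its leading bytes rather than the extension the sender chose; the regexes are simplified and the sample stream is constructed.

```python
import re

# Patterns a Content-ID style DLP check looks for: a 16-digit card number
# with optional separators, and a US SSN.  Simplified for the illustration.
CC_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
TAIL_BYTES = 64  # carried between chunks so a match split by a boundary is still seen


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check: weeds out 16-digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class StreamScanner:
    """Scan a byte stream chunk by chunk; the whole file is never buffered."""

    def __init__(self) -> None:
        self.tail = b""      # last TAIL_BYTES already seen
        self.offset = 0      # absolute stream offset of self.tail[0]
        self.hits = []       # (kind, absolute offset, matched text)
        self._seen = set()   # (kind, offset) already reported

    def feed(self, chunk: bytes) -> None:
        buf = self.tail + chunk
        for m in SSN_RE.finditer(buf):
            self._record("ssn", self.offset + m.start(), m.group())
        for m in CC_RE.finditer(buf):
            if luhn_ok(re.sub(rb"[ -]", b"", m.group()).decode()):
                self._record("credit-card", self.offset + m.start(), m.group())
        keep = min(len(buf), TAIL_BYTES)
        self.offset += len(buf) - keep
        self.tail = buf[len(buf) - keep:]

    def _record(self, kind: str, pos: int, raw: bytes) -> None:
        # The carried-over tail is rescanned, so dedupe on absolute position.
        if (kind, pos) not in self._seen:
            self._seen.add((kind, pos))
            self.hits.append((kind, pos, raw.decode()))


def scan_stream(data: bytes, chunk_size: int) -> list:
    """Drive the scanner with arbitrary chunking, as packets would arrive."""
    scanner = StreamScanner()
    for i in range(0, len(data), chunk_size):
        scanner.feed(data[i:i + chunk_size])
    return sorted(scanner.hits, key=lambda h: h[1])


# File typing by leading bytes, not by the name the sender chose.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip-or-office-openxml"),
    (b"MZ", "windows-executable"),
]


def file_type(first_bytes: bytes, claimed_name: str) -> tuple:
    """Return (type by content, type by extension); policy should trust the former."""
    by_ext = claimed_name.rsplit(".", 1)[-1].lower() if "." in claimed_name else ""
    by_content = next((n for magic, n in MAGIC if first_bytes.startswith(magic)), "unknown")
    return by_content, by_ext


# Constructed sample: a well-known test card number, a sample SSN, and a
# 16-digit run that fails Luhn and so must not be reported.
SAMPLE_STREAM = (b"Customer record: card 4111 1111 1111 1111 exp 12/13\n"
                 b"SSN 078-05-1120 on file\nbogus 1234 5678 9012 3456\n")

if __name__ == "__main__":
    for kind, pos, text in scan_stream(SAMPLE_STREAM, chunk_size=20):
        print(f"{kind} at byte {pos}: {text}")
    print(file_type(b"MZ\x90\x00\x03", "quarterly.pdf"))  # executable renamed to .pdf
```

Feeding the same stream with chunk sizes of 7, 20 or the whole buffer yields the same two hits, which is the property a stream-based engine has to preserve.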

Sprawl Is Not The Answer

[Diagram: Internet]

- Doesn’t solve the problem
- Firewall “helpers” have limited view of traffic
- Complex and costly to buy and maintain



UTM Is Still Sprawl…Just Slower

[Diagram: Internet]

- Doesn’t solve the problem
- Firewall “helper” functions have limited view of traffic
- Turning on functions kills performance



Traditional Multi-Pass Architectures are Slow

[Diagram: traffic passes through four separate stacks in series, each repeating port/protocol-based ID and its own L2/L3 networking, HA, config management and reporting]
- Firewall: Port/Protocol-based ID; Firewall Policy
- URL filtering: Port/Protocol-based ID; HTTP Decoder; URL Filtering Policy
- IPS: Port/Protocol-based ID; IPS Decoder; IPS Signatures; IPS Policy
- Anti-virus: Port/Protocol-based ID; AV Decoder & Proxy; AV Signatures; AV Policy



Enterprise Device and Policy Management

Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to appropriate person

Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging, and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACC/monitoring views, log collection, and reporting

All interfaces work on current configuration, avoiding sync issues


PA-4000 Series Specifications

- 2U, 19” rack-mountable chassis
- Dual hot swappable AC power supplies
- Dedicated out-of-band management port
- 2 dedicated HA ports
- DB9 console port

PA-4050: 10 Gbps FW; 5 Gbps threat prevention; 2,000,000 sessions; 16 copper gigabit; 8 SFP interfaces
PA-4020: 2 Gbps FW; 2 Gbps threat prevention; 500,000 sessions; 16 copper gigabit; 8 SFP interfaces
PA-4060: 10 Gbps FW; 5 Gbps threat prevention; 2,000,000 sessions; 4 XFP (10 Gig) I/O; 4 SFP (1 Gig) I/O


Purpose-Built Architecture: PA-4000 Series

Content Scanning HW Engine
- Palo Alto Networks’ uniform signatures
- Multiple memory banks - memory bandwidth scales performance

Multi-Core Security Processor
- High density processing for flexible security functionality
- Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)

Dedicated Control Plane
- Highly available mgmt
- High speed logging and route updates

10 Gig Network Processor
- Front-end network processing offloads security processors
- Hardware accelerated QoS, route lookup, MAC lookup and NAT

[Block diagram: Control Plane with dual-core CPU, RAM and HDD; Data Plane with a 10Gbps Content Scanning Engine backed by four RAM banks, a multi-core security processor (CPU 1, CPU 2, CPU 3 . . CPU 16, with SSL, IPSec and de-compression offload) with its own RAM, and a 10 Gig Network Processor handling QoS, route/ARP/MAC lookup and NAT on 10Gbps interfaces]


PA-2000 Series Specifications

- 1U rack-mountable chassis
- Single non-modular power supply
- 80GB hard drive (cold swappable)
- Dedicated out-of-band management port
- RJ-45 console port, user definable HA port

PA-2050: 1 Gbps FW; 500 Mbps threat prevention; 250,000 sessions; 16 copper gigabit; 4 SFP interfaces
PA-2020: 500 Mbps FW; 200 Mbps threat prevention; 125,000 sessions; 12 copper gigabit; 2 SFP interfaces


Purpose-Built Architecture: PA-2000 Series

Flash Matching HW Engine
- Palo Alto Networks’ uniform signatures
- Multiple memory banks - memory bandwidth scales performance

Multi-Core Security Processor
- High density processing for flexible security functionality
- Hardware-acceleration for standardized complex functions (SSL, IPSec)

Dedicated Control Plane
- Highly available mgmt
- High speed logging and route updates

Network Processor
- Front-end network processing offloads security processors
- Hardware accelerated route lookup, MAC lookup and NAT

[Block diagram: Control Plane with dual-core CPU, RAM and HDD; Data Plane with a 1Gbps Flash Matching Engine backed by four RAM banks, a multi-core security processor (CPU 1, CPU 2, CPU 3, CPU 4, with SSL and IPSec offload) with its own RAM, and a Network Processor handling route/ARP/MAC lookup and NAT on 1Gbps interfaces]


PA-500 Specifications

Specs
- 250 Mbps FW
- 100 Mbps IPSec VPN
- 100 Mbps threat prevention
- 50,000 sessions
- 250 VPN tunnels
- 8 copper gigabit interfaces
- Runs PAN-OS 3.0 and later

General hardware
- 1U rack mountable
- Single non-modular power supply
- 80GB hard drive
- Dedicated mgmt port
- RJ-45 console port


PA-500 Purpose-Built Architecture

- Common dedicated data plane and control plane architecture
- Network processing and signature matching engine virtualized into the multi-core security processor
- Same software architecture as all Palo Alto Networks platforms

Multi-Core Security Processor
- High density processing for networking and security functions
- Hardware-acceleration for standardized complex functions (SSL, IPSec)
- Signature match virtual software engine

Dedicated Control Plane
- Highly available mgmt
- High speed logging and route updates

[Block diagram: Control Plane with dual-core CPU, RAM and HDD; Data Plane with a multi-core security processor (CPU 1, CPU 2, CPU 3, CPU 4, with SSL and IPSec offload) and its own RAM]