Palo Alto Networks Overview (transcript of a 2011 slide deck; posted on campus3.org, 08-Feb-2022)
About Palo Alto Networks
• Palo Alto Networks is the Network Security Company
• World-class team with strong security and networking experience
- Founded in 2005, first customer July 2007, top-tier investors
• Builds next-generation firewalls that identify / control 1,300+ applications
- Restores the firewall as the core of enterprise network security infrastructure
- Innovations: App-ID™, User-ID™, Content-ID™
• Global momentum: 4,500+ customers
- August 2011: Annual bookings run rate is over US$200 million*, cash-flow positive last five consecutive quarters
(*) Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable
orders received during the fiscal period. Palo Alto Networks’ fiscal year runs from August 1st until July 31st.
• A few of the many enterprises that have deployed more than $1M
© 2011 Palo Alto Networks. Proprietary and Confidential.Page 2 |
The Internet World Anno 1995
• Virtually no application traffic, no known threats
• Simple assumptions worked; HTTP traffic = browsing
• Firewalls were born to keep simple traffic from coming in or going out; in 15 years' time it became a $5B industry
Security v1.0 Response: Rip Holes in Firewall
• Background
- Appeared mid 1980's
- Typically embedded in routers
- Classify individual packets based on port numbers
• Traditional Applications: DNS, Gopher, SMTP, HTTP
• Dynamic Applications: FTP, RPC, Java/RMI, Multimedia
• Challenge
- Could not support dynamic applications
- Flawed solution was to open large groups of ports
- Opened the entire network to attack
Security v2.0: Stateful Inspection
• Background
- Innovation created Check Point in 1994
- Used state table to fix packet filter shortcomings
- Classified traffic based on port numbers but in the context of a flow
• Traditional Applications: DNS, Gopher, SMTP, HTTP
• Dynamic Applications: FTP, RPC, Java/RMI, Multimedia
• Evasive Applications: Encrypted, Web 2.0, P2P, Instant Messenger, Skype
• Challenge
- Cannot identify Evasive Applications
- Embedded throughout existing security products
The Internet World Anno 2010
(Diagram labels: Skype, Music, Games, Desktop Applications, Spyware, Crimeware)
• Many applications; many more threats
• Applications are evasive and are the #1 threat vector
• Traditional firewalls are defenseless and offer no protection to enterprises
Applications Have Changed; Firewalls Have Not
The firewall is the right place to enforce policy control
• Sees all traffic
• Defines trust boundary
• Enables access via positive control
BUT…applications have changed
• Ports ≠ Applications
• IP Addresses ≠ Users
• Packets ≠ Content
Need to restore visibility and control in the firewall
Applications Carry Risk
• Applications can be “threats”
- P2P file sharing, tunneling applications, anonymizers, media/video
• Applications carry threats
- Qualys Top 20 Vulnerabilities – majority result in application-level threats
Applications & application-level threats result in major breaches – RSA, Comodo, FBI
Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks’ latest Application Usage & Risk Report highlights actual behavior of 1M+ users in 1253 organizations
- More enterprise 2.0 application use for personal and business reasons
- Tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies, & URL filtering – but none of these organizations could control what applications ran on their networks
The Traditional Approach to Network Security
(Diagram: corporate assets behind a security perimeter facing the WAN/Internet; threats are labelled with the year they appeared, and a separate point product is layered on for each)
• Threats: Resource Access (1992), Eavesdropping (1994), Exploits (1996), Viruses (1997), Content Access (1998), Denial of Service (2000), IM Attacks (2002), Web App Attacks (2002), XML/W.S. Attacks (2004), Info Leakage (2005), Worms (2005), Spyware (2006)
• Point products: IPSEC VPN, IPS, Anti-Virus, Content Filtering, DoS Protection, Anti-Spyware, Worm Mitigation, DLP/ILP, WebApp Security, IM Security, IDS, XML Security
Traditional Systems Have Limited Understanding
• Some port-based apps caught by firewalls (if they behave!!!)
• Some web-based apps caught by URL filtering or proxy
• Some evasive apps caught by an IPS
• None give a comprehensive view of what is going on in the network
Technology Sprawl & Creep Are Not The Answer
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Putting all of this in the same box is just slow
The Right Answer: Make the Firewall Do Its Job
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
How Do You Change The Architecture?
• Conventional Wisdom: Sprawl
• Disruptive Thinking: Simplification
Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on (diagram: traffic → firewall [port policy decision] → IPS [app control policy decision] → applications)
• Port-based FW + App Ctrl (IPS) = two policies
• Applications are threats; only block what you expressly look for
• Implications
- Network access decision is made with no information
- Cannot safely enable applications
NGFW Application Control (diagram: application traffic → firewall [app control policy decision] → IPS [scan application for threats] → applications)
• Application control is in the firewall = single policy
• Visibility across all ports, for all traffic, all the time
• Implications
- Network access decision is made based on application identity
- Safely enable application usage
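The two policy models on this slide can be made concrete with a small simulation. The Python below is an added illustration, not Palo Alto Networks code: flows are identified from what is actually on the wire rather than from the destination port (a stand-in for App-ID; the payload signatures, flow records, users, groups and rules are all constructed for the example), and the same flows are then run through a port-based firewall with a blocklist add-on and through a single policy keyed on application identity and user.

```python
"""Port-based firewall + application-control add-on versus a single
application-identity policy.  Added illustration, not Palo Alto Networks
code; signatures, flows, users and rules are constructed for the example."""
import re
from dataclasses import dataclass

# Constructed payload signatures: the application is identified from the
# first bytes of the client stream, whatever destination port it uses.
APP_SIGNATURES = {
    "ssh":         re.compile(rb"^SSH-2\.0-"),
    "http-browse": re.compile(rb"^(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"),
    "tls":         re.compile(rb"^\x16\x03[\x00-\x03]"),      # TLS handshake record
    "bittorrent":  re.compile(rb"^\x13BitTorrent protocol"),
}

# Constructed directory: user -> groups (stand-in for User-ID lookups).
GROUPS = {"carol": {"it-admins"}}


@dataclass(frozen=True)
class Flow:
    src_user: str       # user behind the source IP
    dst_port: int
    payload: bytes      # first bytes of the client-to-server stream


def identify_app(flow: Flow) -> str:
    """Classify by payload in the context of the flow; the port is ignored."""
    for app, sig in APP_SIGNATURES.items():
        if sig.match(flow.payload):
            return app
    return "unknown-tcp"


# --- Model A: port-based firewall plus an application-control add-on --------
PORT_ALLOW = {80, 443}          # the firewall's decision is port-only
ADDON_BLOCK = {"bittorrent"}     # the add-on blocks only what it is told to look for


def port_fw_with_addon(flow: Flow) -> str:
    if flow.dst_port not in PORT_ALLOW:
        return "deny (port policy)"
    app = identify_app(flow)     # the add-on only sees what the port policy let through
    if app in ADDON_BLOCK:
        return f"deny (add-on blocklist: {app})"
    return f"allow (port {flow.dst_port}; add-on saw {app})"


# --- Model B: one policy keyed on application identity and user -------------
# (subject, application, action); first match wins, no match means deny.
APP_POLICY = [
    ("any",       "http-browse", "allow"),
    ("any",       "tls",         "allow"),
    ("it-admins", "ssh",         "allow"),
]


def ngfw_policy(flow: Flow) -> str:
    app = identify_app(flow)
    for subject, pol_app, action in APP_POLICY:
        if pol_app != app:
            continue
        if subject in ("any", flow.src_user) or subject in GROUPS.get(flow.src_user, set()):
            return f"{action} ({app} for {flow.src_user})"
    return f"deny (no rule enables {app})"


# Constructed sample flows.
SAMPLE_FLOWS = {
    "browse-80":     Flow("alice", 80,  b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n"),
    "ssh-on-443":    Flow("alice", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "admin-ssh-443": Flow("carol", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "torrent-80":    Flow("bob",   80,  b"\x13BitTorrent protocol" + b"\x00" * 8),
    "unknown-443":   Flow("bob",   443, b"\x00\x01\x02\x03custom-tunnel"),
}


def compare(flows=SAMPLE_FLOWS):
    """Return {name: (port-based + add-on decision, app-identity decision)}."""
    return {name: (port_fw_with_addon(f), ngfw_policy(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:14} add-on: {a:40} ngfw: {b}")
```

The telling rows are `ssh-on-443` and `unknown-443`: the port-based model allows both because the add-on is a negative list and neither application is on it, while the application-identity model denies both because no rule enables them, yet still allows the same SSH flow for a member of `it-admins`. That difference is what the slide means by "only block what you expressly look for" versus "safely enable application usage".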
Palo Alto Networks Firewall Policy (slide image only)
What You See…with Port-Based FW + Application Control Add-on (slide image only)
What You See with a True Next-Generation Firewall (slide image only)
Your Control With Port-based Firewall Add-on (slide image only)
Your Control With a Next-Generation Firewall
Only allow the apps you need: safely enable the applications relevant to your business
» The ever-expanding universe of applications, services and threats
» Traffic limited to approved business use cases based on App and User
» Attack surface reduced by orders of magnitude
» Complete threat library with no blind spots
- Bi-directional inspection
- Scans inside of SSL
- Scans inside compressed files
- Scans inside proxies and tunnels
Identification Technologies Transform the Firewall
• App-ID™ – Identify the application
• User-ID™ – Identify the user
• Content-ID™ – Scan the content
Comprehensive View of Applications, Users & Content
• Application Command Center (ACC)
- View applications, URLs, threats, data filtering activity
• Add/remove filters to achieve desired result
(Screenshot captions: filter on facebook-base; filter on facebook-base and user “cook”; remove facebook to expand the view of user “cook”)
PAN-OS Core Firewall Features
• Strong networking foundation
- Dynamic routing (BGP, OSPF, RIPv2)
- Tap mode – connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation
- Policy-based forwarding
• VPN
- Site-to-site IPSec VPN
- SSL VPN
• QoS traffic shaping
- Max/guaranteed and priority
- By user, app, interface, zone, & more
- Real-time bandwidth monitor
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active/active, active/passive
- Configuration and session synchronization
- Path, link, and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, and PA-2000 Series)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content complement core firewall features
(Models pictured: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060, PA-5020, PA-5050, PA-5060)
Palo Alto Networks Next-Gen Firewalls
• PA-5060: 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
• PA-5050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
• PA-5020: 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions; 8 SFP, 12 copper gigabit
• PA-4060: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 XFP (10 Gig), 4 SFP (1 Gig)
• PA-4050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 8 SFP, 16 copper gigabit
• PA-4020: 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions; 8 SFP, 16 copper gigabit
• PA-2050: 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions; 4 SFP, 16 copper gigabit
• PA-2020: 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions; 2 SFP, 12 copper gigabit
• PA-500: 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions; 8 copper gigabit
PA-5000 Series Architecture
(Block diagram; labels recovered from the figure: a control plane and a data plane joined by a switch fabric. The data plane shows a 20 Gbps network processor, three banks of CPUs numbered 1–12 with RAM and SSL / IPSec / De-Compress. blocks, and a signature match engine; the control plane shows a quad-core CPU, RAM and two HDDs.)
• Control Plane
- Highly available mgmt
- High speed logging and route update
- Dual hard drives
• Signature Match HW Engine
- Stream-based uniform sig. match
- Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and more
• Security Processors
- High density parallel processing for flexible security functionality
- Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
• Network Processor
- 20 Gbps front-end network processing
- Hardware accelerated per-packet route lookup, MAC lookup and NAT (diagram blocks: QoS, flow control, route/ARP/MAC lookup, NAT)
• Switch Fabric
- 80 Gbps switch fabric interconnect
- 20 Gbps QoS engine
• Platform: 40+ processors; 30+ GB of RAM; separate high speed data and control planes
• Throughput: 20 Gbps firewall throughput; 10 Gbps threat prevention throughput; 4 Million concurrent sessions
Transforming The Perimeter and Datacenter
Same Next-Generation Firewall, Different Benefits… (perimeter and datacenter)
Flexible Deployment Options
• Visibility
- Application, user and content visibility without inline deployment
• Transparent In-Line
- IPS with app visibility & control
- Consolidation of IPS & URL filtering
• Firewall Replacement
- Firewall replacement with app visibility & control
- Firewall + IPS
- Firewall + IPS + URL filtering
Redefine Network Security – and Save Money!
• Capital cost – replace multiple devices: cut by as much as 80%
- Legacy firewall, IPS, URL filtering device (e.g. proxy, secure web gateway…)
• “Hard” operational expenses: cut by as much as 65%
- Support contracts
- Subscriptions
- Power and HVAC
• Save on “soft” costs too
- Rack space, deployment/integration, headcount, training, help desk calls
Introducing GlobalProtect
• Users never go “off-network” regardless of location
• All firewalls work together to provide “cloud” of network security
• How it works:
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level, asset type, disk encryption, and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
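The four steps above fit together as one decision path, shown here as an added Python illustration (not Palo Alto Networks code): the agent's location test, the connection choice, and a gateway policy in which user, application and host information profile (HIP) are all match criteria. The profile fields, the HIP match objects, the users, groups, gateway name and rules are constructed for the example; the on/off-network test is a stand-in for whatever check the real agent performs.

```python
"""Gateway policy combining user, application and host information profile
(HIP).  Added illustration of the GlobalProtect flow on this slide, not
Palo Alto Networks code; profile fields, rules and users are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostInfo:
    """Constructed host information profile as submitted by the agent."""
    asset_type: str          # "corporate" or "byod"
    patch_age_days: int      # days since the OS was last patched
    disk_encrypted: bool


def agent_location(internal_name_resolves: bool) -> str:
    """Step 1: the agent decides whether it is on the enterprise network.
    Constructed stand-in for the real test: can an internal-only name be resolved?"""
    return "on-network" if internal_name_resolves else "off-network"


def agent_connect(location: str, nearest_gateway: str) -> str:
    """Step 2: off-network hosts are connected to the nearest gateway over SSL VPN."""
    return "direct" if location == "on-network" else f"ssl-vpn:{nearest_gateway}"


# HIP match objects: named predicates over the profile (constructed).
HIP_PROFILES = {
    "managed-and-patched": lambda h: h.asset_type == "corporate" and h.patch_age_days <= 30,
    "disk-encrypted":      lambda h: h.disk_encrypted,
}

# Rule: (user or group, application, required HIP profiles, action).
# First match wins; no match is deny.  The same rules apply on and off network,
# which is the slide's "same protection inside and out" point.
POLICY = [
    ("finance", "erp-app",      {"managed-and-patched", "disk-encrypted"}, "allow"),
    ("any",     "web-mail",     {"managed-and-patched"},                   "allow"),
    ("any",     "web-browsing", set(),                                     "allow"),
]

GROUPS = {"dana": {"finance"}}   # constructed User-ID group membership


def gateway_decision(user: str, app: str, hip: HostInfo):
    """Steps 3-4: evaluate the policy with user, application and HIP as match
    criteria.  Returns (action, reason)."""
    hip_failures = []
    for subject, pol_app, required, action in POLICY:
        if pol_app != app:
            continue
        if subject != "any" and subject != user and subject not in GROUPS.get(user, set()):
            continue
        failed = sorted(p for p in required if not HIP_PROFILES[p](hip))
        if failed:
            hip_failures.extend(failed)
            continue                       # HIP is a match criterion: try the next rule
        return action, f"matched rule for {app}"
    if hip_failures:
        return "deny", "host profile does not meet: " + ", ".join(sorted(set(hip_failures)))
    return "deny", f"no rule enables {app} for {user}"


# Constructed profiles for three laptops.
PATCHED_CORP = HostInfo("corporate", patch_age_days=10, disk_encrypted=True)
STALE_CORP   = HostInfo("corporate", patch_age_days=75, disk_encrypted=True)
BYOD         = HostInfo("byod", patch_age_days=3, disk_encrypted=False)


def run_session(user, app, hip, internal_name_resolves, nearest_gateway="gw-eu-1"):
    """Whole flow for one session: location -> connection -> policy decision."""
    loc = agent_location(internal_name_resolves)
    path = agent_connect(loc, nearest_gateway)
    action, reason = gateway_decision(user, app, hip)
    return {"location": loc, "path": path, "action": action, "reason": reason}


if __name__ == "__main__":
    for args in [("dana", "erp-app", PATCHED_CORP, False),
                 ("dana", "erp-app", STALE_CORP, True),
                 ("alice", "erp-app", PATCHED_CORP, False),
                 ("alice", "web-browsing", BYOD, False)]:
        print(args[:2], run_session(*args))
```

Treating the HIP as a match criterion rather than a separate gate means a stale laptop falls through to the next rule and, with none left, is denied with a reason that names the failed profile; that reason is what the user-facing notification and the traffic log would carry.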
A Modern Architecture for Enterprise Network Security
(Diagram labels: malware, botnets, exploits)
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
2010 Magic Quadrant for Enterprise Network Firewalls
(Figure: Gartner Magic Quadrant as of March 2010, axes “ability to execute” and “completeness of vision”, with the “visionaries” and “niche players” quadrant labels visible. Vendors plotted: Check Point Software Technologies, Juniper Networks, Cisco, Fortinet, McAfee, Palo Alto Networks, Stonesoft, SonicWALL, WatchGuard, NETASQ, Astaro, phion, 3Com/H3C. Source: Gartner)
Next-Generation Firewalls Are Network Security
Continual Customer Driven Innovation
(Timeline chart of customer count from 2007 to 2011: 19, 164, 776, 2,500, 4,500)
• App-ID: Traffic classification by application; all ports, all the time
- SSL decryption/inspection, control unknowns, PCAPs, App override, function enablement, custom App-IDs, QoS, PBF, SSH control…
• User-ID: User identity becomes pervasive; visibility, policy, logging and reporting
- Active Directory, terminal services, LDAP, eDirectory, XML API…
• Content-ID: Single engine stream-based scanning of allowed content
- Exploits, viruses, confidential data, botnets, modern malware…
• Enterprise-Class Platform: Scalable, deployable, predictable
- Dual-plane architecture; single pass software, function specific processing, tap mode, Vwire, L2/L3/mixed mode, IPv6…
Addresses Three Key Business Problems
• Identify and Control Applications
- Visibility of 1300+ applications, regardless of port, protocol, encryption, or evasive tactic
- Fine-grained control over applications (allow, deny, limit, scan, shape)
- Addresses the key deficiencies of legacy firewall infrastructure
• Prevent Threats
- Stop a variety of threats – exploits (by vulnerability), viruses, spyware
- Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
- Stream-based engine ensures high performance
- Enforce acceptable use policies on users for general web site browsing
• Simplify Security Infrastructure
- Put the firewall at the center of the network security infrastructure
- Reduce complexity in architecture and operations
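The "stream-based engine" that this list and the PA-5000 architecture slide credit with finding credit card and social security numbers has one property worth seeing in code: it never holds the whole file, so a pattern can straddle two chunks. The Python scanner below is an added illustration, not Palo Alto Networks code; the two patterns, the Luhn filter, the chunk sizes and the sample text are constructed. It keeps only a bounded tail of the previous chunk, defers any match that touches that tail until more data arrives, reports each finding once at its absolute stream offset, and returns the same findings whatever the chunk size.

```python
"""Stream-based scanner for card numbers and SSNs that keeps state across
chunks.  Added illustration, not Palo Alto Networks code; patterns, Luhn
filter and sample data are constructed for the example."""
import re

# Constructed patterns: a 16-digit card number with optional space/dash
# separators, and a US SSN in 3-2-4 form.
PATTERNS = {
    "credit-card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    "ssn":         re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum; drops 16-digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class StreamScanner:
    TAIL = 32   # >= longest pattern length - 1, so a split match is rescanned whole

    def __init__(self):
        self.carry = ""       # not-yet-committed tail of the stream
        self.offset = 0       # absolute stream offset of carry[0]
        self.findings = []    # (kind, absolute offset, matched text)
        self._seen = set()    # (kind, offset) already reported

    def _report(self, kind, start, value):
        if kind == "credit-card" and not luhn_ok(re.sub(r"\D", "", value)):
            return
        if (kind, start) not in self._seen:
            self._seen.add((kind, start))
            self.findings.append((kind, start, value))

    def feed(self, chunk: bytes) -> None:
        text = self.carry + chunk.decode("latin-1")   # 1 byte == 1 char, offsets stay exact
        keep = max(0, len(text) - self.TAIL)         # [0, keep) is far enough from the edge
        cut = keep
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                if m.end() <= keep:
                    self._report(kind, self.offset + m.start(), m.group())
                else:
                    cut = min(cut, m.start())          # could grow or shrink: rescan next time
        self.carry = text[cut:]
        self.offset += cut

    def flush(self):
        """End of stream: whatever is still carried is final."""
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(self.carry):
                self._report(kind, self.offset + m.start(), m.group())
        self.carry = ""
        return self.findings


# Constructed sample: one Luhn-valid test card number, one 16-digit run that
# fails Luhn (not a card), and one SSN.
SAMPLE = (b"Invoice for card 4111 1111 1111 1111 was paid; ref 1234 5678 9012 3456;"
          b" employee SSN 123-45-6789 on file.")


def scan_in_chunks(data: bytes, size: int = 16):
    """Feed the stream in fixed-size pieces and return all findings."""
    scanner = StreamScanner()
    for i in range(0, len(data), size):
        scanner.feed(data[i:i + size])
    return scanner.flush()


if __name__ == "__main__":
    for size in (7, 16, 1000):
        print(size, scan_in_chunks(SAMPLE, size))
```

With a 16-byte chunk size the card number is split across two chunks and first appears complete only after the third feed; because the partial match is deferred rather than committed, the scanner reports it once, at offset 17, exactly as a whole-buffer scan would. The Luhn filter is what keeps the scanner from flagging every 16-digit reference number, which matters as much for a stream engine as for a batch one.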