TRANSCRIPT
Applications Have Changed. Why Hasn’t the Firewall?
Dave Smith, 214.674.7854
Von Nguyen, 713.301.9929
© 2008 Palo Alto Networks. Proprietary and Confidential.Page 2 |
About Palo Alto Networks
• Founded by security visionary Nir Zuk
• World class team with strong security and networking experience
• Built family of next generation firewalls with control of 600+ applications
• Named Gartner Cool Vendor in 2008
• Best of Interop Grand Prize, Best of Interop Security 2008
Leading Organizations Trust Palo Alto Networks
(Customer logos by sector: Health Care; Financial Services; Government; Mfg / High Tech / Energy; Education; Services; Media / Entertainment / Retail)
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
• BUT… applications have changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
(Figure labels: Collaboration / Media; SaaS; Personal)
Need to Restore Visibility and Control in the Firewall
Today’s Architecture – Appliance Bloat
(Diagram labels: INTERNET; Packet Shaping; HTTP/FTP Proxy; IPS/IDS; Content-Filtering; IM Proxy; Logging/Reporting; User Correlation)
Present day firewalls require many “helper” appliances to try and stop the leakage. Unfortunately, application visibility and control is STILL lacking and the evasiveness continues unabated!
Palo Alto – Next Generation Firewall
Next-generation firewall based on App-ID™ traffic classification technology
• Identifies 700+ applications regardless of port, protocol or evasive tactic
• Policy based decryption, identification and control of SSL applications
• Application Command Center (ACC) for granular visibility & policy control of applications
• FlashMatch™ engine for real-time threat prevention
• Dedicated hardware processing for 10 Gbps in-line operation with no network degradation
• Designed to transparently augment existing firewall
Identification Technologies Change the Game
App-ID: Identify the application
User-ID: Identify the user
Content-ID: Scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control over more than 600 applications distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~ 5 new applications added weekly
Powerful Policy-Based Control
• Browse more than 600 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Examples:
- Allow all business and networking apps
- Allow IM but block file transfer capabilities
- Block all P2P
• Policy enforcement by end-user / group identities from Active Directory or IP address
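As an added example (not Palo Alto Networks code, and not a description of how App-ID or User-ID are actually implemented), the Python below sketches the positive enforcement model this slide describes: a flow is classified from its payload rather than its destination port, tied to a user and group, and then matched against ordered application and category rules with an implicit final deny, so that a port-based "allow 80" rule and an application-based rule disagree on the same packet. The payload fingerprints, application catalogue, rule set and IP-to-user tables are all constructed assumptions.

```python
# Added example (not Palo Alto Networks code): a toy positive-enforcement
# policy engine in the spirit of the App-ID / User-ID model on this slide.
# Application identification is simulated with constructed payload
# fingerprints; app catalogue, rules and IP-to-user tables are assumptions.
from dataclasses import dataclass, field

# Assumed application -> category mapping (categories follow the deck).
APP_CATEGORY = {
    "web-browsing": "general-internet",
    "salesforce": "business",
    "dns": "networking",
    "msn": "instant-messaging",
    "msn-file-transfer": "file-sharing",
    "bittorrent": "peer-to-peer",
}

# Constructed payload prefixes standing in for real App-ID signatures.
# More specific prefixes come first; none of them depends on the port.
FINGERPRINTS = [
    (b"GET / HTTP/1.1\r\nHost: login.salesforce.com", "salesforce"),
    (b"GET ", "web-browsing"),
    (b"\x13BitTorrent protocol", "bittorrent"),
    (b"INVITE MSNFTP", "msn-file-transfer"),
    (b"MSG ", "msn"),
]

def identify_app(payload: bytes, dst_port: int) -> str:
    """Classify a flow from its content; the port is only a last resort."""
    for prefix, app in FINGERPRINTS:
        if payload.startswith(prefix):
            return app
    return "dns" if dst_port == 53 else "unknown"

# Assumed User-ID style tables: IP -> AD user, AD user -> AD group.
IP_TO_USER = {"10.1.1.5": "alice", "10.1.1.9": "bob"}
USER_GROUPS = {"alice": "sales", "bob": "contractors"}

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    groups: set = field(default_factory=lambda: {"any"})
    apps: set = field(default_factory=set)
    categories: set = field(default_factory=set)

# Ordered rules mirroring the slide's examples; first match wins and any
# flow matching nothing hits the implicit deny of a positive enforcement model.
RULES = [
    Rule("allow-business-networking", "allow", categories={"business", "networking"}),
    Rule("block-im-file-transfer", "deny", apps={"msn-file-transfer"}),
    Rule("allow-im", "allow", categories={"instant-messaging"}),
    Rule("block-p2p", "deny", categories={"peer-to-peer"}),
    Rule("allow-web-for-sales", "allow", groups={"sales"}, apps={"web-browsing"}),
]

def evaluate(src_ip: str, dst_port: int, payload: bytes):
    """Return (app, user, action, matched rule name) for one flow."""
    app = identify_app(payload, dst_port)
    user = IP_TO_USER.get(src_ip, "unknown")
    group = USER_GROUPS.get(user, "unknown")
    category = APP_CATEGORY.get(app, "unknown")
    for rule in RULES:
        if "any" not in rule.groups and group not in rule.groups:
            continue
        if app in rule.apps or category in rule.categories:
            return app, user, rule.action, rule.name
    return app, user, "deny", "implicit-deny"

def port_only_decision(dst_port: int) -> str:
    """What a legacy port-based rule set that opens 80, 443 and 53 decides."""
    return "allow" if dst_port in (80, 443, 53) else "deny"
```

A BitTorrent handshake sent to port 80 is allowed by `port_only_decision` but classified as `bittorrent` and denied by `block-p2p` in `evaluate`, while the same web-browsing request is allowed for the `sales` group and falls to the implicit deny for `contractors`.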
Comprehensive Application Visibility
File Sharing (28): afp aim-file-transfer boxnet carbonite cvsup dotmac dropboks esnips foldershare ftp gtalk-file-transfer ibackup jubii mediamax megaupload mozy ms-ds-smb msn-file-transfer nfs omnidrive openomy rsync sosbackup tftp titanize uucp xdrive yahoo-file-transfer
General Internet (28): atom daytime dealio-toolbar discard echo facebook finger google-safebrowsing google-toolbar gopher hi5 livejournal msn-toolbar myspace nntp razor rsh rss rusers send-to-phone spark stumbleupon web-browsing web-crawler webdav webshots whois yahoo-toolbar
Instant Messaging (39): aim aim-audio aim-video camfrog ebuddy fix google-talk gtalk-voice ichat-av icq iloveim imhaha imvu irc jabber koolim mabber meebo meetro meebo-repeater meebome meetro messengerfx msn msn-video msn-voice myspace-im oovoo p10 qq radiusim spark-im swapper userplane webaim xfire yahoo-im yahoo-webcam yoomba zoho-im
Networking (sample of 154 total): Activenet bgp chargen compaq-peer dhcp dns eigrp gre icmp igmp ipip ipv6 isis mgcp ms-wins netbios-dg netbios-ns netbios-ss ospf pim rip stun vrrp
Proxy (10): bypass bypassthat hopster http-proxy http-tunnel httport jap pingfu socks socks2http
Database (7): Dabbledb db2 mssql-db mssql-mon mysql oracle postgres
Media (45): cooltalk eyejot flash folding-at-home foonz gizmo google-earth google-picasa h.245 h.323 http-audio http-video itunes joost lifecam live365 logitech-webcam metacafe miro mms move-networks neokast netmeeting pandora pna rdt rtmp rtp rtsp sccp shoutcast sip skype skype-probe sling socialtv sopcast teamspeak uusee vakaka ventrilo veohtv yahoo-voice youtube
Peer to Peer (34): 100bao allpeers applejuice ares azureus babelgum bittorrent direct-connect emule fasttrack flashget freenet generic-p2p gnutella goboogy hotline imesh kazaa mute neonet openft peerenabler poco pplive ppstream soribada soulseek tesla thecircle tvants vuze warez-p2p winmx xunlei
Remote Access (23): avocent beinsync citrix crossloop fastviewer foldera l2tp logmein ms-rdp netviewer pcanyware pptp r-exec r-services radmin rlogin teamviewer telnet unyte vnc x11 xdmcp
Email (7): blackberry imap ms-exchange outlook-web pop3 seven-email smtp
Business Applications (82): active-directory adobe-connect altiris apple-update avamar avaya-phone-ping backweb big-brother ca-mq-service campfire centriccrm convoq corba cpq-wbem cups cvs distcc dynamicintranet eiq-sec-analyzer elluminate eroom-host eroom-net filemaker flexnet gkrellm google-calendar google-desktop google-docs gotomeeting groupwise hp-jetdirect innovative ipp jaspersoft kaspersky kerberos ldap live-meeting lpd mcafee meeting-maker mount ms-dtc ms-frs ms-groove ms-iis ms-netlogon ms-scheduler ms-update msrpc nagios ncp ndmp norton-av ntp perforce portmapper radius rpc rstatd salesforce seamless-phenom securemeeting snmp snmp-trap soap spirent subversion symantec syslog tacacs tacacs-plus time trendmicro vmware vyew webex webex-weboffice ypserv yugma
Encrypted Tunnel (11): ciscovpn hamachi ike ipsec-ah ipsec-esp ipsec-esp-udp secure-access ssh ssl swipe tor
Webmail (7): aim-mail fastmail gmail hotmail myspace-mail yahoo-mail yousendit
Gaming (11): bomberclone knight-online little-fighter party-poker poker-stars source-engine steam subspace war-rock wolfenstein worldofwarcraft
Policy-based control for over 600 applications across categories
Content-ID: Real-Time Content Scanning
• Detect and block a wide range of threats, limit unauthorized file transfers and control non-work related web surfing
- Stream-based, not file-based, for real-time performance
- Uniform signature engine scans for a broad range of threats in a single pass: vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)
- Block a wide range of file transfers by type; looks into the file to determine type – not extension based
- Web filtering enabled via fully integrated URL database: 20M URLs across 54 categories
- Local database ensures a highly scalable solution (1,000’s!)
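As an added example (not Palo Alto Networks code, and not how Content-ID is implemented), the Python below shows the two points in the list above: a transfer's file type is read from its leading bytes, so a renamed executable is caught whatever its extension claims, and the verdict is reached on the first few bytes of the stream rather than after buffering the whole file. The signature table, extension map, blocked-type policy and sample transfers are constructed assumptions.

```python
# Added example (not Palo Alto Networks code): deciding a file transfer's
# type from its leading bytes rather than its extension, and doing so on a
# stream as soon as enough bytes have arrived. The signature table, the
# extension map and the blocked-type policy are assumptions for illustration.

# (offset, magic bytes, type) for a few well-known formats.
MAGIC = [
    (0, b"MZ", "exe"),                  # DOS / Windows PE executables
    (0, b"\x7fELF", "elf"),
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),          # also OOXML (docx, xlsx) containers
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpeg"),
]
# Longest signature span; only this many leading bytes are ever buffered.
MAX_MAGIC = max(off + len(m) for off, m, _ in MAGIC)

EXT_TYPES = {"exe": "exe", "dll": "exe", "pdf": "pdf", "zip": "zip",
             "gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}

# Assumed policy: block executables no matter what the file name claims.
BLOCKED_TYPES = {"exe", "elf"}

def detect_type(data: bytes) -> str:
    """Type from content; 'unknown' if no signature matches."""
    for offset, magic, ftype in MAGIC:
        if data[offset:offset + len(magic)] == magic:
            return ftype
    return "unknown"

def extension_type(filename: str) -> str:
    """Type the file name claims, which the sender controls freely."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TYPES.get(ext, "unknown")

class StreamTypeDetector:
    """Buffers at most MAX_MAGIC bytes, so a verdict is available once the
    first packets of a transfer have passed, not after the whole file."""

    def __init__(self):
        self.head = b""
        self.verdict = None

    def feed(self, chunk: bytes):
        """Consume one chunk; return the verdict once known, else None."""
        if self.verdict is None:
            self.head += chunk[:MAX_MAGIC - len(self.head)]
            if len(self.head) >= MAX_MAGIC:
                self.verdict = detect_type(self.head)
        return self.verdict

    def finish(self):
        """End of transfer: classify whatever was seen, even if short."""
        if self.verdict is None:
            self.verdict = detect_type(self.head)
        return self.verdict

def file_transfer_decision(filename: str, chunks) -> dict:
    """Stream the chunks through the detector and apply the type policy."""
    det = StreamTypeDetector()
    for chunk in chunks:
        if det.feed(chunk) is not None:
            break                      # type verdict is final at this point
    detected = det.finish()
    claimed = extension_type(filename)
    return {
        "claimed": claimed,
        "detected": detected,
        "mismatch": detected != "unknown" and detected != claimed,
        "action": "block" if detected in BLOCKED_TYPES else "allow",
    }
```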
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure
• Understand users’ application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
(Figure labels: Active Directory Server(s); User Identification Agent(s))
User-Based Application Visibility
Drill into specific user activity
- Top users of an application
- List of applications used by a user
- Malware and other threats detected by user
Application Command Center (ACC)
- View exactly what applications are running on the network
- View by top applications, high risk, and category
Purpose-Built Architecture
Flash Matching HW Engine
• Palo Alto Networks’ uniform signatures
• Multiple memory banks – memory bandwidth scales performance
Multi-Core Security Processor
• High density processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
Dedicated Control Plane
• Highly available mgmt
• High speed logging and route updates
10 Gig Network Processor
• Front-end network processing offloads security processors
• Hardware accelerated QoS, route lookup, MAC lookup and NAT
(Block diagram labels – Control Plane: dual-core CPU, RAM, HDD. Data Plane: Flash Matching Engine with RAM banks; security CPUs 1, 2, 3 … 16 with RAM and SSL / IPSec / De-Compression offload; 10 Gig network processor with QoS, Route/ARP/MAC lookup and NAT; 10Gbps in and out.)
Flexible Deployment Options
Firewall Replacement
• Replace existing firewall
• Provides application and network-based visibility and control, consolidated policy, high performance
Application Visibility
• Connect to span port
• Provides application visibility without inline deployment
Transparent In-Line
• Deploy transparently behind existing firewall
• Provides application visibility & control without networking changes
Palo Alto Networks Next Generation Firewalls
(Chart: performance vs. segment – Remote Office/Medium Enterprise, Large Enterprise)
• PA-2000 Series: 500Mb, 1Gb
• PA-4000 Series: 2Gb, 10Gb, 10Gb with XFPs
PAN-OS Features
• Strong networking foundation:
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- Tap mode – connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation
• Zone-based architecture:
- All interfaces assigned to security zones for policy enforcement
• Annual Subscriptions:
- Threat prevention +20%
- URL filtering +20%
• High Availability:
- Active / passive
- Configuration and session synchronization
- Path, link, and HA monitoring
• Virtual Systems:
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Legacy firewall support:
- Application-based rules complement inbound and outbound port-based firewall rules
Visibility and control of applications, users and content are complemented by core firewall features
PA-4000 Series Specifications
- 2U, 19” rack-mountable chassis
- Dual AC power supply, Removable 80GB hard drive
- Dedicated out-of-band management port
- 2 dedicated HA ports
- DB9 console port
PA-4020: 2 Gbps FW; 2 Gbps threat prevention; 500,000 sessions; 16 copper gigabit; 8 SFP interfaces; $35,000
PA-4050: 10 Gbps FW; 5 Gbps threat prevention; 2,000,000 sessions; 16 copper gigabit; 8 SFP interfaces; $60,000
PA-4060: 10 Gbps FW; 5 Gbps threat prevention; 2,000,000 sessions; 4 XFP interfaces; 4 SFP interfaces; $80,000
PA-2000 Series Specifications
- 1U rack-mountable chassis
- Single non-modular power supply
- Removable 80GB hard drive (Non hot-swappable)
- Dedicated out-of-band management port
- RJ-45 console port, user definable HA port
PA-2050: 1 Gbps FW; 500 Mbps threat prevention; 250,000 sessions; 16 copper gigabit; 4 SFP interfaces; $16,000
PA-2020: 500 Mbps FW; 200 Mbps threat prevention; 125,000 sessions; 12 copper gigabit; 2 SFP interfaces; $12,000
“We now know what we didn’t know. And it’s scary what our users and contractors were doing.”
– Mark Rein, Senior Director, Information Technology, Mercy Medical Center
Palo Alto Networks - Use Cases
MANY SOLUTION USE CASES and BENEFITS
• Application Visibility & Control
• User-based App Visibility & Control
• Real-time Threat Prevention
• Identify & Control SSL
• Content Security & DLP
• Monitor & Control Web Surfing
• Consolidate Security Devices @ Wire Speed
• Firewall Replacement
• Significant Human and Capital ROI
Customer Example: Nordson Corporation
“The PA-4020 has simplified the tasks of managing security at our remote site. And it gives us visibility that no one else can match, telling us exactly which applications are on the network.”
– Tim Harr, Manager, Corporate Information Technologies, Nordson
Problem:
• Needed cost-effective remote office security solution
• Was looking at a complex 3-box solution
Solution:
• PA-4000 Series deployed as primary firewall for visibility and control over applications and threats
• Consolidates multiple devices
Results:
• Complete coverage - firewall, application control, threat prevention - one box
• Easy remote management - one UI
• Deployed in 3 locations internationally including headquarters
Industry: Manufacturing
Statistics: 30 Countries, 4100 employees, 2007 revenue - US$994M
Customer Example: Greenhill Capital
“The PA-4000 Series enables us to manage applications and users – which are far more relevant to our business than ports and protocols.”
– John Shaffer, Greenhill
Problem:
• No visibility into which applications were running on the network
• Couldn’t control webmail, attachments and unmonitored email – a major issue
• Tired of adding appliances and vendors to security racks
Solution:
• PA-4000 Series deployed as the firewall for visibility and control over applications
Results:
• Complete coverage - firewall, application control, threat prevention - one box
• Easy remote management - one UI
• Easier vendor management – one support line, one vendor
Industry: Financial Services, M&A research and analysis
Statistics: 250 employees, 2007 revenue - US$400M
Customer Example: Constellation Energy
“The PA-4000 Series helps us be proactive in our security, allowing us to set and enforce application policies and protect our business assets much more effectively.”
– Frank Chambers, Director of Information Security Management, Constellation Energy
Problem:
• Lack of visibility and control over applications traversing the network
• Want to be more proactive to enable more rapid deployment of new businesses and technology
• Heavy traffic across (2) DS3 pipes was forcing them to look at costly OC3 expansion
Solution:
• PA-4000 Series provides unmatched visibility and control over applications and web traffic traversing the centralized Internet connections
Results:
• Constellation found significant amounts of IM and P2P traffic traversing the network – which it is now able to control
Industry: Energy, Energy Trading
Statistics: F117, 9700 employees, 2007 revenue - US$21B
Customer Example: SanDisk Corporation
“With Palo Alto Networks, we are now for the first time able to identify rogue applications on the network such as P2P and Skype, and then block them accordingly.”
– Justin Smith, Senior Network Engineer, SanDisk
Problem:
• Unable to manage applications on the network – concerned about various “threats” moving over rogue applications
Solution:
• PA-4000 Series brings increased visibility and control over applications and web traffic
Results:
• Able to see which applications and users are utilizing the network
• Able to take action – created policies to permit/deny groups or specific applications/users
• Provide a level of assurance that networks are being used for business purposes
Industry: High-Tech Manufacturing
Statistics: 3000 employees, 2007 revenue - US$3.9B
Customer Example: Sisters of Mercy Health
“Palo Alto Networks enables us to provide real-time access to critical applications while stopping threats and risky applications.”
– Dan Schulte, Manager of Network Security, Sisters of Mercy Health System
Problem:
• Couldn’t manage which applications ran on the network
• Application-level threats impacting business
• IPS up for renewal
Solution:
• PA-4000 Series consolidates firewall, URL filtering and threat prevention
• Enables visibility and control over applications, web traffic and threats
Results:
• Visibility and control of applications
• Able to stop a broad range of threats (exploits, viruses, spyware)
Industry: Health Care
Statistics: 9 US States, 28,000 employees, over 4000 beds
Customer Example: Louis Dreyfus Energy
“Palo Alto Networks enables us not only to stop threats, but to understand how our networks are being used.”
– Dave Baker, Manager, Systems Administration, Louis-Dreyfus Highbridge Energy
Problem:
• Firewalls couldn’t stop threats
Solution:
• PA-4000 Series enables visibility and control over applications and threats
Results:
• Visibility and control of applications
• Able to stop a broad range of threats (exploits, viruses, spyware)
• Very happy with customer responsiveness and support
Industry: Financial Services
Statistics: 290 employees, 2007 enterprise value – US$1B
Customer Example: ESPN
“We needed an IPS that could keep up with our business, and that could deal with today’s threats.”
– Scott Messina, Director of Security, ESPN
Problem:
• ISS IPS was struggling to handle ESPN’s traffic load
Solution:
• PA-4000 Series deployed primarily as a threat prevention solution
• Enables visibility and control over threats and applications
Results:
• Visibility and control of applications
• Able to stop a broader range of threats (exploits, viruses, spyware) than previous IPS
• Integrates with Active Directory for user- and group-specific policy
• Performance that keeps pace with business
Industry: Media
Statistics: over 50 outlets – television, radio, publishing, ESPN.com
Customer Example: Nicolet National Bank
“We can now meet bank examiners’ expectations regarding visibility and control on our network.”
– Jon Biskner, AVP and Chief Information Security Officer, Nicolet National Bank
Problem:
• Couldn’t maintain security posture in the face of evasive application traffic
• Couldn’t control data leaving network
• Too many appliances
Solution:
• PA-4000 Series deployed as primary firewall for visibility and control over applications and threats
Results:
• Visibility, control and easier compliance
• Reducing and simplifying security infrastructure
Industry: Financial Services/Banking
Statistics: Regional; 6 branches, over $530M in assets
Customer Example: City and Schools of Staunton
“Our legacy firewall simply couldn’t deliver in terms of performance or visibility. The PA-4000 Series keeps pace easily, and provides a level of visibility and control that translates into real and enforceable acceptable use policies.”
– Kurt Plowman, Chief Technology Officer, City of Staunton
Problem:
• Existing port-based firewall could not keep up with traffic – slowing the business of the city
• Couldn’t manage which applications ran on the network
• Application-level threats impacting business
Solution:
• PA-4000 Series consolidates multiple devices - enables visibility and control over applications, threats and web traffic
Results:
• High-speed firewall
• Visibility and control of applications
• Able to stop a broad range of threats (exploits, viruses, spyware)
Industry: Government
Statistics: over 2000 employees and students
Customer Example: Lenox Hill Radiology
“After evaluating the PA-4000 Series, its ability to control applications and perform access control, as well as inspect content for threats and vulnerabilities – all through an easy, simple management structure – just blew us away.”
– Joe Funaro, IT Director, Lenox Hill Radiology
Problem:
• Application-level threats impacting business
• Looking at IPS + AV to stop threats
Solution:
• PA-4000 Series deployed as primary firewall enabling application visibility and control
• Replaces multiple security appliances (firewall, IPS, Proxy, AV)
Results:
• Visibility and control of applications
• Able to stop a broad range of threats (exploits, viruses, spyware)
• Firewall + application visibility + threat blocking in one policy, one appliance
Industry: Health Care
Statistics: 3 locations in New York Metro area, 400 employees
Customer Example: Western & Southern Insurance
“We had every security device imaginable, all in-line, but couldn’t stop layer 7 threats.”
– Doug Ross, Chief Technology Officer, Western & Southern Financial Group
Problem:
• Couldn’t tell what was on the network, despite firewall, IPS, DLP. Couldn’t catch L7 threats
Solution:
• PA-4000 Series enables visibility and control over applications
Results:
• Visibility into what’s on network
• Enable positive use of applications while controlling port-agile apps, ID malicious code on desktops that nothing else could find
• Long term, consolidate FW, URL filtering, IPS devices as they near end-of-life
Industry: Financial Services
Statistics: $4.8B, Ranked 480 on Fortune 1000 list, privately held
Customer Example: Sonic Solutions
“Our existing security solution is blind to traffic flowing across port 80. Palo Alto Networks provides us with user-based application visibility and control.”
– Roger Blakely, VP of Information Security, Sonic Solutions
Problem:
• Had no control over port 80 traffic, no ability to understand which users were doing what
Solution:
• PA-4000 Series for application visibility and control
Results:
• Visibility and control over applications and users traversing the network
• Long term will enable replacement of Cisco PIX and Fortinet firewalls
Industry: High tech, software development
Statistics: 600 employees, multiple sites worldwide
Customer Example: Garland ISD
“Not only did the PA-4000 Series give us total control over all applications, we saw a significant performance increase in our network performance.”
– Neil Moss, Network Engineer, Garland ISD
Industry: K-12 Education
Statistics: Largest district in TX, 57,000 students, 12,000 employees, 74 sites
Problem:
• Students circumventing IT security controls with tools such as UltraSurf and TOR
- No visibility into user behavior, application use
• Existing firewalls not keeping up
- Rate of change in applications
- Sheer throughput
Solution:
• PA-4000 Series deployed as primary enterprise firewall
Results:
• Policy control by application and user
- No longer struggle to keep up with new/changed applications
• Improved performance
• Saved $80K in year one
Palo Alto Networks - Competitive Advantages
• Application Level Visibility & Control (700+ Signatures)
• User-based & Group-based Visibility & Policy Control via Microsoft AD Integration
• Tightly integrated and Comprehensive Threat Prevention (URL filtering, Anti-Virus, Anti-Spyware, Anti-Malware & Anti-Vulnerability Protection)
• Aggressive Platform-based Subscription Pricing (vs. Costly User-based!)
• Embedded Virtual System Support (VSYS)
• Embedded Zone Protection (Denial of Service, Reconnaissance Port Scan)
• User-based Activity Reports and Ad-Hoc and Scheduled Reports
• Single Management Interface for all features on a single appliance
• Built-in Hardware/Software SSL Decryption capabilities
• 100% security protection during failover to the standby system
• Sensitive Data Protection - SSN & Credit Card numbers (Q4, 2008)
• Traffic Tagging Capability Now – Full Traffic Shaping Coming (1H, 2009)