Palo Alto Networks 28.5.2013
DESCRIPTION
Presentation given at the Belsoft Best Practice - Next Generation Firewalls event
TRANSCRIPT
Palo Alto Networks Product Overview
Kilian Zantop
28. Mai 2013
Belsoft Best Practice - Next Generation Firewalls
Palo Alto Networks at a Glance
Corporate highlights
Founded in 2005; first customer shipment in 2007
Safely enabling applications
Able to address all network security needs
Exceptional ability to support global customers
Experienced technology and management team
1,000+ employees globally
Chart: enterprise customers, 1,800 (Jul-10), 4,700 (Jul-11), 11,000 (Feb-13)
Chart: revenue in $MM, fiscal year ending July: $13 (FY09), $49 (FY10), $119 (FY11), $255 (FY12)
3 | ©2013, Palo Alto Networks. Confidential and Proprietary.
Applications Have Changed, Firewalls Haven't
Network security policy is enforced at the firewall:
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don't work any more
Encrypted Applications: Unseen by Firewalls
What happens when traffic is encrypted?
• SSL
• Proprietary encryption
Technology Sprawl and Creep Aren't the Answer
• "More stuff" doesn't solve the problem
• Firewall "helpers" have limited view of traffic
• Complex and costly to buy and maintain
• Doesn't address application "accessibility" features
Diagram: a chain of firewall helpers (IM, DLP, IPS, proxy, URL filtering, AV, UTM) sits between the Enterprise Network and the Internet
The Answer? Make the Firewall Do Its Job
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
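Item 1 is the part most often misunderstood, so here is an added example (not Palo Alto Networks code and not from the deck) of what "identify regardless of port or SSL" means in practice: a toy classifier that decides from the first client bytes and, for TLS, from the Server Name Indication, and only uses the destination port to flag evasive placements. The application names, the STANDARD_PORTS table and every payload are assumptions constructed for the demo.

```python
"""Payload-based application identification, independent of TCP port.

Added example, not Palo Alto Networks code: a toy version of the idea behind
App-ID. The classifier looks only at the first client-to-server bytes and,
for TLS, at the Server Name Indication; the destination port is recorded
for logging but never used for the decision. All payloads are constructed.
"""
import struct

# Ports an application is normally seen on (assumed defaults for the demo);
# used only to flag "known app on a non-standard port", never to classify.
STANDARD_PORTS = {"ssh": {22}, "web-browsing": {80, 8080, 8000}, "ssl": {443}}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def parse_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello, or None.

    Walks: 5-byte record header -> 4-byte handshake header -> client
    version (2) -> random (32) -> session id -> cipher suites ->
    compression methods -> extensions, looking for extension type 0.
    Every step is bounds-checked so truncated or hostile input returns
    None instead of raising.
    """
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    p = 9 + 2 + 32
    if p >= len(payload):
        return None
    p += 1 + payload[p]                                   # session id
    if p + 2 > len(payload):
        return None
    p += 2 + struct.unpack("!H", payload[p:p + 2])[0]     # cipher suites
    if p >= len(payload):
        return None
    p += 1 + payload[p]                                   # compression methods
    if p + 2 > len(payload):
        return None
    ext_len = struct.unpack("!H", payload[p:p + 2])[0]
    p += 2
    end = min(p + ext_len, len(payload))
    while p + 4 <= end:
        ext_type, length = struct.unpack("!HH", payload[p:p + 4])
        p += 4
        if ext_type == 0 and p + 5 <= end:                # server_name extension
            name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
            if p + 5 + name_len > end:
                return None
            return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += length
    return None


def identify_app(payload: bytes, dst_port: int) -> dict:
    """Classify one flow from its first client bytes; the port is not consulted."""
    sni = None
    if payload.startswith(b"SSH-"):
        app = "ssh"
    elif payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload[:256]:
        app = "web-browsing"
    elif payload[:2] == b"\x16\x03":                       # TLS handshake record
        app = "ssl"
        sni = parse_sni(payload)
    else:
        app = "unknown-tcp"                                # classified, not ignored
    mismatch = app in STANDARD_PORTS and dst_port not in STANDARD_PORTS[app]
    return {"app": app, "sni": sni, "dst_port": dst_port, "port_mismatch": mismatch}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension (sample input)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name           # host_name entry
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                     # version, fixed random, no session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                     # one cipher suite
            + b"\x01\x00"                                            # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = [
        (b"SSH-2.0-OpenSSH_6.2p2\r\n", 80),                          # ssh tunnelled over tcp/80
        (b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n", 8080),
        (build_client_hello("mail.example.net"), 8443),               # ssl on a non-standard port
        (b"\x00\x01\x02\x03", 443),                                    # something else on tcp/443
    ]
    for payload, port in samples:
        print(identify_app(payload, port))
```

The useful property is in the last sample: traffic that matches no signature is still a classified object ("unknown-tcp") that policy can name, rather than "port 443, therefore SSL".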
Application Control Belongs in the Firewall
Application Control as an Add-on
• Port-based decision first, apps second
• Applications treated as threats; only block what you expressly look for
Ramifications
• Two policies/log databases, no reconciliation
• Unable to effectively manage unknowns
Diagram: Traffic → Firewall (port policy decision) → IPS (app control policy decision) → Applications
Application Control in the Firewall
• Firewall determines application identity; across all ports, for all traffic, all the time
• All policy decisions made based on application
Ramifications
• Single policy/log database – all context is shared
• Policy decisions made based on shared context
• Unknowns systematically managed
Diagram: Application traffic → Firewall with IPS (app control policy decision, scan application for threats) → Applications
Enabling Applications, Users and Content
Making the Firewall a Business Enablement Tool
Applications: Enablement begins with application classification by App-ID.
Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.
Single Pass Platform Architecture
PAN-OS Core Firewall Features
Strong networking foundation
• Dynamic routing (BGP, OSPF, RIPv2)
• Tap mode – connect to SPAN port
• Virtual wire ("Layer 1") for true transparent in-line deployment
• L2/L3 switching foundation
• Policy-based forwarding
VPN
• Site-to-site IPSec VPN
• Remote Access (SSL) VPN
QoS traffic shaping
• Max/guaranteed and priority
• By user, app, interface, zone, & more
• Real-time bandwidth monitor
Zone-based architecture
• All interfaces assigned to security zones for policy enforcement
High Availability
• Active/active, active/passive
• Configuration and session synchronization
• Path, link, and HA monitoring
Virtual Systems
• Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, PA-3000, and PA-2000 Series)
Simple, flexible management
• CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content complement core firewall features
Product line: PA-200; PA-500; PA-2000 Series (PA-2050, PA-2020); PA-3000 Series (PA-3050, PA-3020); PA-4000 Series (PA-4060, PA-4050, PA-4020); PA-5000 Series (PA-5060, PA-5050, PA-5020); VM-Series (VM-300, VM-200, VM-100)
Panorama
Central management
Panorama Deployment Recommendations
• Panorama VM: fewer than 10 devices, under 10,000 logs/sec; for sites that need a virtual appliance
• Panorama M-100: fewer than 100 devices, under 10,000 logs/sec
• Panorama Distributed Architecture: up to 1,000 devices, more than 10,000 logs/sec (50,000 per collector); for deployments that need collector proximity
Panorama Distributed Architecture
With the M-100, manager and log collector functions can be split
Deploy multiple log collectors to scale collection infrastructure
M-100 Hardware Appliance
Simple, high-performance, dedicated appliance for Panorama
Simplifies deployment and support
Introduces distributed log collection capability for large scale deployments
License migration path available for current Panorama customers
Specifications
• 1 RU form factor
• Intel Xeon 4 core 3.4 GHz CPU
• 16 GB memory
• 64-bit Panorama kernel
• 120 GB SSD system disk
• Up to 4 TB of RAID1 storage for logs (ships with two 1 TB drives)
Panorama Architecture – Configuration
Device Groups are used to share common Policies and Objects
Templates are used to share common Networking and Device configuration
WildFire
0-day malware defense
The Lifecycle of Network Attacks - Rehearsal
1. Bait the end-user: end-user lured to a dangerous application or website containing malicious content
2. Exploit: infected content exploits the end-user, often without their knowledge
3. Download backdoor: secondary payload is downloaded in the background; malware installed
4. Establish back-channel: malware establishes an outbound connection to the attacker for ongoing control
5. Explore & steal: remote attacker has control inside the network and escalates the attack
An Integrated Approach to Threat Prevention
Lifecycle stages covered: Bait the end-user, Exploit, Download Backdoor, Command/Control
Controls: App-ID, URL filtering, IPS, anti-spyware, AV, file blocking, WildFire
Actions across the stages:
• Block high-risk apps
• Block known malware sites
• Block the exploit
• Block malware
• Prevent drive-by-downloads
• Detect 0-day malware
• Block new C2 traffic
• Block spyware, C2 traffic
• Block fast-flux, bad domains
• Block C2 on open ports
Why Traditional Antivirus Protection Fails
Modern/targeted malware is increasingly able to:
• Avoid hitting traditional AV honeypots
• Evolve before protection can be delivered, using polymorphism, re-encoding, and changing URLs
☣ Targeted and custom malware
☣ Polymorphic malware
☣ Newly released malware
Highly variable time to protection
WildFire Architecture
• 10 Gbps threat prevention and file scanning on all traffic, all ports (web, email, SMB, etc.)
• Malware is run in the cloud with open internet access to discover hidden behaviors
• Sandbox logic updated routinely with no customer impact
• Malware signatures automatically created based on payload data
• Stream-based malware engine performs true inline enforcement
WildFire Subscription Service
• WildFire signatures every 30 minutes
• Integrated logging & reporting
• REST API for scripted file uploads
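What "scripted file uploads" looks like from a SOC script, as an added example that is neither Palo Alto Networks code nor part of the deck: hash the file, ask the cloud for a verdict, and upload only when the hash is unknown. The deck states only that a REST API exists; the endpoint paths, form fields, XML response layout and verdict codes used here are assumptions taken from the later public WildFire API documentation, and the HTTP transport is injectable so the demo runs offline against a constructed fake cloud.

```python
"""Scripted WildFire lookups and uploads: hash first, upload only when the
cloud has never seen the file.

Added example, not Palo Alto Networks code. Endpoint paths, form fields,
response XML and verdict codes are ASSUMPTIONS from the later public
WildFire API docs; the transport is injected so this runs offline.
"""
import hashlib
import xml.etree.ElementTree as ET

BASE_URL = "https://wildfire.paloaltonetworks.com"            # assumed
VERDICT_CODES = {0: "benign", 1: "malware", 2: "grayware",     # assumed mapping
                 -100: "pending", -101: "error", -102: "unknown", -103: "invalid hash"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_verdict(xml_text: str, expected_sha256: str) -> str:
    """Map a get/verdict response to a label; refuse a verdict for another hash."""
    root = ET.fromstring(xml_text)          # response comes from the API, not from users
    sha = root.findtext(".//sha256", "")
    if sha.lower() != expected_sha256.lower():
        raise ValueError("verdict is for %s, asked about %s" % (sha, expected_sha256))
    code = int(root.findtext(".//verdict", "-101"))
    return VERDICT_CODES.get(code, "unknown-code-%d" % code)


class WildFireClient:
    """transport(url, form_fields, files_or_None) -> response body as str."""

    def __init__(self, api_key, transport, base_url=BASE_URL):
        self.api_key, self.transport, self.base_url = api_key, transport, base_url

    def get_verdict(self, sha256: str) -> str:
        body = self.transport(self.base_url + "/publicapi/get/verdict",
                              {"apikey": self.api_key, "hash": sha256}, None)
        return parse_verdict(body, sha256)

    def submit_file(self, filename: str, data: bytes) -> str:
        body = self.transport(self.base_url + "/publicapi/submit/file",
                              {"apikey": self.api_key}, {"file": (filename, data)})
        return ET.fromstring(body).findtext(".//sha256", "")

    def check_or_submit(self, filename: str, data: bytes):
        """Return (sha256, label); label is 'submitted' when an upload was needed."""
        sha = sha256_hex(data)
        label = self.get_verdict(sha)
        if label == "unknown":
            returned = self.submit_file(filename, data)
            if returned.lower() != sha.lower():         # sanity check on what was analysed
                raise ValueError("cloud hashed the upload differently: %s" % returned)
            return sha, "submitted"
        return sha, label


class FakeCloud:
    """Offline stand-in for the API: sha256 -> verdict code (constructed data)."""

    def __init__(self, known=None):
        self.known = dict(known or {})

    def __call__(self, url, fields, files):
        if url.endswith("/get/verdict"):
            sha = fields["hash"]
            code = self.known.get(sha, -102)          # -102: never seen
            return ("<wildfire><get-verdict-info><sha256>%s</sha256>"
                    "<verdict>%d</verdict></get-verdict-info></wildfire>" % (sha, code))
        if url.endswith("/submit/file"):
            name, data = files["file"]
            sha = sha256_hex(data)
            self.known.setdefault(sha, -100)          # analysis now pending
            return ("<wildfire><upload-file-info><filename>%s</filename>"
                    "<sha256>%s</sha256></upload-file-info></wildfire>" % (name, sha))
        raise ValueError("unexpected URL " + url)


SAMPLE_PE = b"MZ" + b"\x90" * 62 + b"constructed sample, not a real executable"
SAMPLE_MALWARE = b"MZ" + b"constructed sample the fake cloud already flags as malware"

if __name__ == "__main__":
    cloud = FakeCloud({sha256_hex(SAMPLE_MALWARE): 1})
    client = WildFireClient("api-key-placeholder", cloud)
    print(client.check_or_submit("dropper.exe", SAMPLE_PE))       # -> submitted
    print(client.check_or_submit("dropper.exe", SAMPLE_PE))       # -> pending
    print(client.check_or_submit("known.exe", SAMPLE_MALWARE))    # -> malware
```

Against the real service the transport is one line with the requests library, `requests.post(url, data=fields, files=files).text`; keeping it injectable is what lets the hash-before-upload logic be tested without an API key or network.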
Reaching Effects of WildFire
Diagram: threat intelligence sources and WildFire users feed samples into WildFire; WildFire in turn produces AV signatures, DNS signatures, anti-C&C signatures and malware URL filtering
Introducing the WildFire Appliance (WF-500)
• Appliance-based version of WildFire for on-premises deployments
• All sandbox analysis performed locally on the WildFire appliance
• WF-500 has the option to send locally identified malware to the WildFire public cloud; only signatures are created in the public cloud
• WildFire signatures for all customers distributed via normal update service
• Detection capabilities in sync with public cloud
Diagram: all samples go to the appliance (labelled "Eagle Appliance"), identified malware optionally to the WildFire Cloud, and signatures come back from the cloud
GlobalProtect
Securing your road warriors
Challenge: Quality of Security Tied to Location
• Headquarters and branch offices: enterprise-secured with full protection against malware, botnets and exploits
• Airport, hotel, home office: exposed to threats, risky apps, and data leakage
GlobalProtect: Consistent Security Everywhere
Headquarters, branch office and remote users alike are protected against malware, botnets and exploits:
• VPN connection to a purpose-built firewall that is performing the security work
• Automatic protected connectivity for users both inside and outside
• Unified policy control, visibility, compliance & reporting
LSVPN
Large scale satellite VPN
The Concept
Easy deployment of large scale VPN infrastructure
• GlobalProtect Satellites automatically acquire authentication credentials and initial configuration from GlobalProtect Portal
• GlobalProtect Satellite establishes tunnels with available Gateways
• Satellites and Gateways automatically exchange routing configuration
Magic Quadrant for Enterprise Network Firewalls
“Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward. It is assessed as a Leader, mostly because of its NGFW design, direction of the market along the NGFW path, consistent displacement of competitors, rapidly increasing revenue and market share, and market disruption that forces competitors in all quadrants to react.”
Gartner, February 2013
Thank You
Next-Generation Firewall Virtualized Platforms
Specifications

| Model | Sessions | Rules | Security Zones | Address Objects | IPSec VPN Tunnels | SSL VPN Tunnels |
|---|---|---|---|---|---|---|
| VM-100 | 50,000 | 250 | 10 | 2,500 | 25 | 25 |
| VM-200 | 100,000 | 2,000 | 20 | 4,000 | 500 | 200 |
| VM-300 | 250,000 | 5,000 | 40 | 10,000 | 2,000 | 500 |

• Supported on VMware ESX/ESXi 4.0 or later
• Minimum of 2 CPU cores, 4 GB RAM, 40 GB HD, 2 interfaces
• Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames
Performance

| Cores Allocated | Firewall (App-ID) | Threat Prevention | VPN | Sessions per Second |
|---|---|---|---|---|
| 2 | 500 Mbps | 200 Mbps | 100 Mbps | 8,000 |
| 4 | 1 Gbps | 600 Mbps | 250 Mbps | 8,000 |
| 8 | 1 Gbps | 1 Gbps | 400 Mbps | 8,000 |
Differentiating: App-ID vs. Two Step Scanning
Operational ramifications of two step scanning
• Two separate policies with duplicate info – impossible to reconcile them
• Two log databases decrease visibility
• Unable to systematically manage unknown traffic
• Weakens the deny-all-else premise
Every firewall competitor uses two step scanning
Diagram: Traffic → Firewall ("allow port 80 traffic", a port policy decision) → IPS (app control policy decision) → Applications; at each step the allowed port 80 traffic still carries 300 or more applications
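The two slides on add-on application control (the earlier "Application Control Belongs in the Firewall" and this one) describe a difference in evaluation order that is easiest to see in code. The following is an added example, not Palo Alto Networks code and not a representation of any vendor's rule engine: a port-first policy with an add-on blocklist beside a single application-based policy with an explicit rule for unknown traffic. The rule sets, user names and flows are assumptions constructed for the demo, and each flow arrives already labelled by an identification step.

```python
"""Port-first "two step" policy versus a single application-based policy.

Added example, not Palo Alto Networks code. Rules, users and flows are
constructed for the demo; each flow carries the application label an
identification step already assigned ("unknown-tcp" when nothing matched).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str
    dst_port: int
    app: str


# Two-step model: a port rule base, then an add-on that treats applications
# as threats and only blocks what it was expressly told to look for.
PORT_RULES = {80, 443, 22}                  # allowed ports; everything else denied
APP_BLOCKLIST = {"bittorrent", "tor"}

# Single-policy model: every rule names an application (and optionally users);
# unknown traffic gets its own explicit rule instead of falling through.
APP_RULES = [
    {"name": "web",         "app": "web-browsing", "users": "any",   "action": "allow"},
    {"name": "ssl-out",     "app": "ssl",          "users": "any",   "action": "allow"},
    {"name": "admin-ssh",   "app": "ssh",          "users": {"bob"}, "action": "allow"},
    {"name": "unknown-tcp", "app": "unknown-tcp",  "users": "any",   "action": "deny+alert"},
]


def two_step_decision(flow: Flow, port_rules=PORT_RULES, blocklist=APP_BLOCKLIST):
    """Step 1 decides on the port; step 2 can only subtract what it recognises."""
    if flow.dst_port not in port_rules:
        return "deny", "port policy: no rule for tcp/%d" % flow.dst_port
    if flow.app in blocklist:
        return "deny", "app-control add-on: %s is blocklisted" % flow.app
    # Anything not on the blocklist, unknown-tcp included, rides the port rule.
    return "allow", "port policy allowed tcp/%d; add-on saw nothing it blocks" % flow.dst_port


def app_based_decision(flow: Flow, rules=APP_RULES):
    """First matching application rule wins; no match is an implicit deny."""
    for rule in rules:
        if rule["app"] != flow.app:
            continue
        if rule["users"] != "any" and flow.user not in rule["users"]:
            continue
        return rule["action"], "rule '%s'" % rule["name"]
    return "deny", "implicit deny-all-else: no application rule for %s" % flow.app


def compare(flows):
    """Evaluate each flow under both models; returns (flow, two_step, app_based)."""
    return [(f, two_step_decision(f)[0], app_based_decision(f)[0]) for f in flows]


SAMPLE_FLOWS = [
    Flow("alice",   80, "web-browsing"),   # plain web traffic
    Flow("alice",   80, "ssh"),            # ssh tunnelled over tcp/80 by a non-admin
    Flow("bob",   8022, "ssh"),            # admin ssh on a non-standard port
    Flow("alice",  443, "unknown-tcp"),    # unclassified traffic on an open port
    Flow("alice",   80, "bittorrent"),     # the one case the add-on was told about
]

if __name__ == "__main__":
    for flow, two_step, app_based in compare(SAMPLE_FLOWS):
        print("%-6s tcp/%-5d %-13s two-step=%-6s app-based=%s"
              % (flow.user, flow.dst_port, flow.app, two_step, app_based))
```

The rows worth staring at are the second and fourth: under the two-step model ssh-over-80 and unclassified traffic on 443 are allowed because the port rule already said yes and the add-on only blocks what it was told to look for, which is exactly the "weakens the deny-all-else premise" point; the application-based policy denies both, and the unknown case is denied by a named rule that can alert rather than by silent fall-through. The third row shows the other half: an application rule does not care that the admin's ssh is on tcp/8022.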
Flexible Deployment Options
Visibility
• Application, user and content visibility without inline deployment
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering