palo alto networks overview - campus3.org


Post on 08-Feb-2022


Palo Alto Networks Overview

campu[s]³

Christian Etzold, Sr. System Engineer

About Palo Alto Networks

• Palo Alto Networks is the Network Security Company

• World-class team with strong security and networking experience

- Founded in 2005, first customer July 2007, top-tier investors

• Builds next-generation firewalls that identify / control 1,300+ applications

- Restores the firewall as the core of enterprise network security infrastructure

- Innovations: App-ID™, User-ID™, Content-ID™

• Global momentum: 4,500+ customers

- August 2011: Annual bookings run rate is over US$200 million*, cash-flow positive last five consecutive quarters

(*) Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks’ fiscal year runs from August 1st until July 31st.

• A few of the many enterprises that have deployed more than $1M

© 2011 Palo Alto Networks. Proprietary and Confidential.Page 2 |

The Internet World Anno 1995

• Virtually no application traffic, no known threats

• Simple assumptions worked; HTTP traffic = browsing

• Firewalls were born to keep simple traffic from coming in or going out; in 15 years’ time it became a $5B industry


Security v1.0 Response: Rip Holes in Firewall

• Background
  - Appeared mid 1980’s
  - Typically embedded in routers
  - Classify individual packets based on port numbers

• Traditional Applications: DNS, Gopher, SMTP, HTTP

• Dynamic Applications: FTP, RPC, Java/RMI, Multimedia

• Challenge
  - Could not support dynamic applications
  - Flawed solution was to open large groups of ports
  - Opened the entire network to attack

Security v2.0: Stateful Inspection

• Background
  - Innovation created Check Point in 1994
  - Used state table to fix packet filter shortcomings
  - Classified traffic based on port numbers but in the context of a flow

• Traditional Applications: DNS, Gopher, SMTP, HTTP

• Dynamic Applications: FTP, RPC, Java/RMI, Multimedia

• Evasive Applications: Encrypted, Web 2.0, P2P, Instant Messenger, Skype

• Challenge
  - Cannot identify Evasive Applications
  - Embedded throughout existing security products

The Internet World Anno 2010

(Diagram labels: Skype, Music, Games, Desktop Applications, Spyware, Crimeware)

• Many applications; many more threats

• Applications are evasive and are the #1 threat vector

• Traditional firewalls are defenseless and offer no protection to enterprises

Applications Have Changed; Firewalls Have Not

The firewall is the right place to enforce policy control

• Sees all traffic

• Defines trust boundary

• Enables access via positive control

BUT…applications have changed

• Ports ≠ Applications

• IP Addresses ≠ Users

• Packets ≠ Content

Need to restore visibility and control in the firewall

Applications Carry Risk

• Applications can be “threats”: P2P file sharing, tunneling applications, anonymizers, media/video

• Applications carry threats: Qualys Top 20 Vulnerabilities – majority result in application-level threats

• Applications & application-level threats result in major breaches – RSA, Comodo, FBI

Enterprise 2.0 Applications and Risks Widespread

Palo Alto Networks’ latest Application Usage & Risk Report highlights actual behavior of 1M+ users in 1253 organizations

- More enterprise 2.0 application use for personal and business reasons.

- Tunneling and port hopping are common

- Bottom line: all had firewalls, most had IPS, proxies, & URL filtering – but none of these organizations could control what applications ran on their networks


The Traditional Approach to Network Security

(Diagram: Internet – Security Perimeter – WAN – Corporate Assets)

Threats, with year of appearance: Eavesdropping (1994), Resource Access (1992), Info Leakage (2005), Viruses (1997), Worms (2005), IM Attacks (2002), Denial of Service (2000), Content Access (1998), XML/W.S. Attacks (2004), Web App Attacks (2002), Spyware (2006), Exploits (1996)

Corresponding point products: IPSEC VPN, IPS, Anti-Virus, Content Filtering, DoS Protection, Anti-Spyware, Worm Mitigation, DLP/ILP, WebApp Security, IM Security, IDS, XML Security

Traditional Systems Have Limited Understanding

• Some port-based apps caught by firewalls (if they behave!!!)

• Some web-based apps caught by URL filtering or proxy

• Some evasive apps caught by an IPS

• None give a comprehensive view of what is going on in the network

Technology Sprawl & Creep Are Not The Answer

• “More stuff” doesn’t solve the problem

• Firewall “helpers” have limited view of traffic

• Complex and costly to buy and maintain

• Putting all of this in the same box is just slow

The Right Answer: Make the Firewall Do Its Job

New Requirements for the Firewall

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify users regardless of IP address

3. Protect in real-time against threats embedded across applications

4. Fine-grained visibility and policy control over application access / functionality

5. Multi-gigabit, in-line deployment with no performance degradation

How Do You Change The Architecture?

• Conventional Wisdom: Sprawl

• Disruptive Thinking: Simplification

Why Visibility & Control Must Be In The Firewall

Application Control as an Add-on (diagram: Port Traffic → Firewall [Port Policy Decision] → IPS [App Ctrl Policy Decision] → Applications)

• Port-based FW + App Ctrl (IPS) = two policies

• Applications are threats; only block what you expressly look for

• Implications
  - Network access decision is made with no information
  - Cannot safely enable applications

NGFW Application Control (diagram: Application Traffic → Firewall [App Ctrl Policy Decision] → IPS [Scan Application for Threats] → Applications)

• Application control is in the firewall = single policy

• Visibility across all ports, for all traffic, all the time

• Implications
  - Network access decision is made based on application identity
  - Safely enable application usage
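To make the contrast concrete, here is an added Python simulation (not code from the deck or from PAN-OS) of the two decision models: a port policy followed by an add-on blocklist, versus a single policy keyed on application identity. The flows, port set, application names and rule lists are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_port: int
    app: str  # application identity, as an App-ID style classifier would label it (constructed)


# Model A: port-based firewall + app-control add-on = two policies
PORT_ALLOW = {80, 443}          # first decision: port only, no application context
APP_BLOCKLIST = {"bittorrent"}  # second decision: block only what is expressly listed


def addon_model(flow: Flow) -> str:
    if flow.dst_port not in PORT_ALLOW:
        return "deny"           # access decided with no application information
    if flow.app in APP_BLOCKLIST:
        return "deny"           # negative control: anything unlisted passes
    return "allow"


# Model B: NGFW, application identity in the firewall = single policy
APP_ALLOWLIST = {"web-browsing", "ssl", "salesforce"}  # positive control


def ngfw_model(flow: Flow) -> str:
    # The port is irrelevant: access is decided on application identity,
    # and anything not expressly enabled is denied.
    return "allow" if flow.app in APP_ALLOWLIST else "deny"


# Constructed sample flows
SAMPLE = [
    Flow(443, "web-browsing"),  # sanctioned app on its default port
    Flow(443, "bittorrent"),    # listed in the blocklist, both models catch it
    Flow(443, "tor"),           # evasive app on 443, not in the blocklist
    Flow(6881, "bittorrent"),   # off-port, the port rule happens to catch it
    Flow(8443, "salesforce"),   # sanctioned app on a non-standard port
]


def compare(flows=SAMPLE):
    """Return {(port, app): (add-on decision, NGFW decision)} for each flow."""
    return {(f.dst_port, f.app): (addon_model(f), ngfw_model(f)) for f in flows}


if __name__ == "__main__":
    for key, (addon, ngfw) in compare().items():
        print(f"{key}: add-on={addon:5} ngfw={ngfw}")
```

The third and fifth flows are the slide's point: the add-on lets an unlisted evasive app through on 443 and cannot enable a sanctioned app on a non-standard port, while the single app-identity policy gets both right.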

Palo Alto Networks Firewall Policy

What You See…with Port-Based FW + Application Control Add-on

What You See with a True Next-Generation Firewall

Your Control With Port-based Firewall Add-on

Your Control With a Next-Generation Firewall

Only allow the apps you need: safely enable the applications relevant to your business

» The ever-expanding universe of applications, services and threats

» Traffic limited to approved business use cases based on App and User

» Attack surface reduced by orders of magnitude

» Complete threat library with no blind spots
  - Bi-directional inspection
  - Scans inside of SSL
  - Scans inside compressed files
  - Scans inside proxies and tunnels

Identification Technologies Transform the Firewall

• App-ID™ – Identify the application

• User-ID™ – Identify the user

• Content-ID™ – Scan the content

Comprehensive View of Applications, Users & Content

• Application Command Center (ACC)
  - View applications, URLs, threats, data filtering activity

• Add/remove filters to achieve desired result

(Screenshot callouts: Filter on Facebook-base; Filter on Facebook-base and user cook; Remove Facebook to expand view of cook)

PAN-OS Core Firewall Features

• Strong networking foundation
  - Dynamic routing (BGP, OSPF, RIPv2)
  - Tap mode – connect to SPAN port
  - Virtual wire (“Layer 1”) for true transparent in-line deployment
  - L2/L3 switching foundation
  - Policy-based forwarding

• VPN
  - Site-to-site IPSec VPN
  - SSL VPN

• QoS traffic shaping
  - Max/guaranteed and priority
  - By user, app, interface, zone, & more
  - Real-time bandwidth monitor

• Zone-based architecture
  - All interfaces assigned to security zones for policy enforcement

• High Availability
  - Active/active, active/passive
  - Configuration and session synchronization
  - Path, link, and HA monitoring

• Virtual Systems
  - Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, and PA-2000 Series)

• Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog

Visibility and control of applications, users and content complement core firewall features

(Product images: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060, PA-5020, PA-5050, PA-5060)

Palo Alto Networks Next-Gen Firewalls

• PA-5060: 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit

• PA-5050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit

• PA-5020: 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions; 8 SFP, 12 copper gigabit

• PA-4060: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 XFP (10 Gig), 4 SFP (1 Gig)

• PA-4050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 8 SFP, 16 copper gigabit

• PA-4020: 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions; 8 SFP, 16 copper gigabit

• PA-2050: 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions; 4 SFP, 16 copper gigabit

• PA-2020: 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions; 2 SFP, 12 copper gigabit

• PA-500: 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions; 8 copper gigabit

PA-5000 Series Architecture

• 40+ processors

• 30+ GB of RAM

• Separate high speed data and control planes

• 80 Gbps switch fabric interconnect

• 20 Gbps QoS engine

Control Plane (diagram: quad-core CPU, RAM, dual HDD)

• Highly available mgmt

• High speed logging and route update

• Dual hard drives

Data Plane

Signature Match HW Engine (diagram: two 10 Gbps signature match paths)

• Stream-based uniform sig. match

• Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and more

Security Processors (diagram: three banks of CPU 1…12 with RAM; SSL, IPSec, De-Compress.)

• High density parallel processing for flexible security functionality

• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)

Network Processor (diagram: 20 Gbps; Switch Fabric, QoS, Flow control, Route/ARP/MAC lookup, NAT)

• 20 Gbps front-end network processing

• Hardware accelerated per-packet route lookup, MAC lookup and NAT

• 20 Gbps firewall throughput

• 10 Gbps threat prevention throughput

• 4 Million concurrent sessions

Transforming The Perimeter and Datacenter

Same Next-Generation Firewall, Different Benefits… (Perimeter / Datacenter)

Flexible Deployment Options

• Visibility: Application, user and content visibility without inline deployment

• Transparent In-Line: IPS with app visibility & control; consolidation of IPS & URL filtering

• Firewall Replacement: Firewall replacement with app visibility & control; Firewall + IPS; Firewall + IPS + URL filtering

Redefine Network Security – and Save Money!

• Capital cost – replace multiple devices (cut by as much as 80%)
  - Legacy firewall, IPS, URL filtering device (e.g. proxy, secure web gateway…)

• “Hard” operational expenses (cut by as much as 65%)
  - Support contracts
  - Subscriptions
  - Power and HVAC

• Save on “soft” costs too
  - Rack space, deployment/integration, headcount, training, help desk calls

GlobalProtect™: Securing Users and Data in an Always Connected World

Introducing GlobalProtect

• Users never go “off-network” regardless of location

• All firewalls work together to provide “cloud” of network security

• How it works:
  - Small agent determines network location (on or off the enterprise network)
  - If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
  - Agent submits host information profile (patch level, asset type, disk encryption, and more) to the gateway
  - Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
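The four-step sequence above, modelled as an added Python example that is not GlobalProtect's own code: the gateway names and latencies, the DNS-suffix location check, the host-information fields and the single policy rule are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class HostInfo:           # host information profile the agent submits (constructed fields)
    asset_type: str       # e.g. "corporate-laptop" or "byod"
    patch_level: int      # days since the last patch run
    disk_encrypted: bool


@dataclass
class Gateway:
    name: str
    latency_ms: int


GATEWAYS = [Gateway("gw-frankfurt", 12), Gateway("gw-london", 28), Gateway("gw-nyc", 95)]
INTERNAL_DOMAINS = {"corp.example"}  # constructed: how this toy agent recognises "on-network"


def agent_location(dns_suffix: str) -> str:
    """Step 1: the agent decides whether it is on or off the enterprise network."""
    return "on-network" if dns_suffix in INTERNAL_DOMAINS else "off-network"


def choose_gateway(location: str, gateways=GATEWAYS):
    """Step 2: if off-network, connect via SSL VPN to the nearest gateway."""
    if location == "on-network":
        return None       # traffic already passes the internal firewall
    return min(gateways, key=lambda g: g.latency_ms).name


def gateway_decision(user_group: str, app: str, hip: HostInfo) -> str:
    """Steps 3-4: the gateway enforces policy on app, user AND host profile."""
    # Constructed rule: the finance app needs a finance user on a patched,
    # encrypted corporate laptop; plain browsing is allowed to everyone.
    if app == "finance-erp":
        if user_group != "finance":
            return "deny: user"
        if hip.asset_type != "corporate-laptop" or not hip.disk_encrypted:
            return "deny: host-profile"
        if hip.patch_level > 30:
            return "deny: host-profile"
        return "allow"
    if app in {"web-browsing", "ssl"}:
        return "allow"
    return "deny: app"


def session(dns_suffix, user_group, app, hip):
    """Run the full agent/gateway sequence; returns (location, gateway, decision)."""
    loc = agent_location(dns_suffix)
    return loc, choose_gateway(loc), gateway_decision(user_group, app, hip)
```

The same decision function runs whether the laptop is on-network or reached the gateway over SSL VPN, which is the "same depth of protection inside and out" claim made on the next slide.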

A Modern Architecture for Enterprise Network Security

(Diagram labels: malware, botnets, exploits)

• Establishes a logical perimeter that is not bound to physical limitations

• Users receive the same depth and quality of protection both inside and out

• Security work performed by purpose-built firewalls, not end-user laptops

• Unified visibility, compliance and reporting

Palo Alto Networks Wrap-up

campu[s]³

Enables Visibility Into Applications, Users, and Content

2010 Magic Quadrant for Enterprise Network Firewalls (Source: Gartner, as of March 2010)

(Chart axes: ability to execute / completeness of vision; quadrants shown: visionaries, niche players. Vendors plotted: Check Point Software Technologies, Juniper Networks, Cisco, Fortinet, McAfee, Palo Alto Networks, Stonesoft, SonicWALL, WatchGuard, NETASQ, Astaro, phion, 3Com/H3C)

Next-Generation Firewalls Are Network Security

Continual Customer Driven Innovation

• App-ID: Traffic classification by application; all ports, all the time
  - SSL decryption/inspection, control unknowns, PCAPs, App override, function enablement, custom App-IDs, QoS, PBF, SSH control…

• User-ID: User identity becomes pervasive; visibility, policy, logging and reporting
  - Active Directory, terminal services, LDAP, eDirectory, XML API…

• Content-ID: Single engine stream-based scanning of allowed content
  - Exploits, viruses, confidential data, botnets, modern malware…

• Enterprise-Class Platform: Scalable, deployable, predictable
  - Dual-plane architecture; single pass software, function specific processing, tap mode, Vwire, L2/L3/mixed mode, IPv6…

(Chart: Customer Count, 2007 to 2011: 19, 164, 776, 2,500, 4,500)

Addresses Three Key Business Problems

• Identify and Control Applications
  - Visibility of 1300+ applications, regardless of port, protocol, encryption, or evasive tactic
  - Fine-grained control over applications (allow, deny, limit, scan, shape)
  - Addresses the key deficiencies of legacy firewall infrastructure

• Prevent Threats
  - Stop a variety of threats – exploits (by vulnerability), viruses, spyware
  - Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
  - Stream-based engine ensures high performance
  - Enforce acceptable use policies on users for general web site browsing

• Simplify Security Infrastructure
  - Put the firewall at the center of the network security infrastructure
  - Reduce complexity in architecture and operations