Palo Alto Networks and Next-Generation Firewall Technology
Carlos Alberto Pérez, SE Manager for Latin America, Palo Alto Networks

The Network Security Company™
Palo Alto Networks Overview
Carlos Alberto Pérez, Systems Engineer Manager LATAM, [email protected]
Palo Alto Networks at a Glance

Corporate highlights
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications
• Able to address all network security needs
• Exceptional ability to support global customers
• Experienced technology and management team
• 1,000+ employees globally

[Charts: enterprise customers, Jul-10 to Feb-13 (1,800 / 4,700 / 11,000); revenue in $MM, FYE July, FY09–FY12 ($13 / $49 / $119 / $255)]

2 | ©2013, Palo Alto Networks. Confidential and Proprietary.
Applications Have Changed, Firewalls Haven’t
• Network security policy is enforced at the firewall
  - Sees all traffic
  - Defines boundary
  - Enables access
• Traditional firewalls don’t work any more

The Right Answer: Make the Firewall Do Its Job
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
Enabling Applications, Users and Content
Single-Pass Parallel Processing™ (SP3) Architecture

Single Pass
• Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning – threats, URLs, confidential data
• One policy

Parallel Processing
• Function-specific parallel processing hardware engines
• Separate data/control planes
• Up to 20 Gbps, low latency
Application Control Belongs in the Firewall

Application Control as an Add-on
(diagram: port traffic → Firewall makes the port policy decision → IPS makes the app control policy decision over the applications)
• Port-based decision first, apps second
• Applications treated as threats; only block what you expressly look for
Ramifications
• Two policies/log databases, no reconciliation
• Unable to effectively manage unknowns

Application Control in the Firewall
(diagram: application traffic → Firewall makes the app control policy decision and scans the application for threats)
• Firewall determines application identity; across all ports, for all traffic, all the time
• All policy decisions made based on application
Ramifications
• Single policy/log database – all context is shared
• Policy decisions made based on shared context
• Unknowns systematically managed
NGFW in the Enterprise Network

Perimeter
• App visibility and control in the firewall
  - All apps, all ports, all the time
• Prevent threats
  - Known threats
  - Unknown/targeted malware
• Simplify security infrastructure

Data Center
• Network segmentation
  - Based on application and user, not port/IP
• Simple, flexible network security
  - Integration into all DC designs
  - Highly available, high performance
• Prevent threats

Distributed Enterprise
• Consistent network security everywhere
  - HQ/branch offices/remote and mobile users
• Logical perimeter
  - Policy follows applications and users, not physical location
• Centrally managed
Flexible Deployment Options

Visibility
• Application, user and content visibility without inline deployment

Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering

Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
WildFire Architecture
(diagram: potentially malicious files from the Internet are forwarded to the WildFire Analysis Center; protection is delivered to all customer firewalls)
• Policy-based forwarding to WildFire for analysis
• Sandbox-based analysis looks for over 80 malicious behaviors
• Generates detailed forensics report
• Creates antivirus and C&C signatures

The First 24 Hours Is Critical
[Chart: y-axis 0–9,000, x-axis 1–35 hours; * Sample size = 50 malware files]
What is the WF-500?
§ Appliance-based version of the WildFire sandbox for on-premises, private cloud deployments
§ Ideal for customers that want to avoid sending all files to the public cloud
§ All files analyzed locally on the WF-500
§ Identical detection as the public cloud
§ Optionally sends confirmed malware to the WildFire public cloud for signature generation
§ Provides a private cloud where all firewalls can integrate with the WF-500
(diagram: customer firewalls on the local customer network send all unknown files to the WF-500; confirmed malware is optionally sent to the WildFire Cloud, which returns signatures)
Palo Alto Networks Next-Gen Firewalls
• PA-200: 100 Mbps FW, 50 Mbps Threat Prevention, 64,000 sessions, 4 copper gigabit
• PA-500: 250 Mbps FW, 100 Mbps Threat Prevention, 64,000 sessions, 8 copper gigabit
• PA-3020: 2 Gbps FW, 1 Gbps Threat Prevention, 250,000 sessions, 8 SFP, 12 copper gigabit
• PA-3050: 4 Gbps FW, 2 Gbps Threat Prevention, 500,000 sessions, 8 SFP, 12 copper gigabit
• PA-5020: 5 Gbps FW, 2 Gbps Threat Prevention, 1,000,000 sessions, 8 SFP, 12 copper gigabit
• PA-5050: 10 Gbps FW, 5 Gbps Threat Prevention, 2,000,000 sessions, 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
• PA-5060: 20 Gbps FW, 10 Gbps Threat Prevention, 4,000,000 sessions, 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
Segmenting Traffic in the Virtual Datacenter
• Hardware firewalls will continue to be deployed to secure and segment datacenters at the edge and for legacy servers
• VM-Series introduces the ability for secure segmentation to be done within VMware ESXi
Panorama Distributed Architecture
§ With M-100, manager and log collector functions can be split
§ Deploy multiple log collectors to scale collection infrastructure
New Threats Require a Different Model for IPS Functions
• Stand-alone IPS has a negative security model – can only “find it and kill it”
• Stand-alone IPS can’t see into growing volumes of SSL-encrypted traffic, nor into compressed content
• Next-generation firewalls enable an “allow application, but scan for threats” policy response
• Gartner’s Recommendations:
  - Move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS, or the combination of the two.
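The two policy models contrasted earlier in the deck (port-first add-on control versus application-based control in the firewall) and the negative-versus-positive model point on this slide, shown as an added example that is not part of the deck and is not Palo Alto Networks code: a toy engine runs the same constructed sessions through a legacy port allow list and through an application-based positive-model policy. The application signatures, the IP-to-user map (a stand-in for User-ID style mapping), the rules and the sample flows are all constructed assumptions, and real App-ID classification is far richer than these first-bytes checks.

```python
"""Toy comparison of a port-based firewall policy with an application-based,
positive-model policy of the kind the deck describes.

Added example for this page, not Palo Alto Networks code. The application
signatures, the IP-to-user map and the sample flows are constructed and
deliberately simplified; they only illustrate the decision logic.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes  # first bytes sent by the client (constructed)


# --- Application identification from the session's content, not its port ---
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def identify_app(payload: bytes) -> str:
    """Return a coarse application name derived from the first bytes only."""
    if HTTP_REQUEST.match(payload):
        return "web-browsing"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    # TLS record header: type 0x16 (handshake), version 0x03 0x0x, 2-byte length,
    # followed by handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    return "unknown-tcp"


# --- User identification independent of IP (constructed User-ID style map) ---
USER_MAP = {"10.1.1.10": "alice", "10.1.1.11": "bob"}


def identify_user(src_ip: str) -> str:
    return USER_MAP.get(src_ip, "unknown-user")


# --- Policy A: legacy port-based decision -------------------------------------
PORT_ALLOW = {80, 443}


def port_policy(flow: Flow) -> str:
    """Allow if the destination port is on the list; never looks at content."""
    return "allow" if flow.dst_port in PORT_ALLOW else "deny"


# --- Policy B: application-based, positive security model ---------------------
# (user, application, action). "any" matches every user. Anything that matches
# no rule, including unidentified traffic, falls through to default-deny.
APP_RULES = [
    ("any", "web-browsing", "allow"),
    ("any", "ssl", "allow"),
    ("alice", "ssh", "allow"),
]


def app_policy(flow: Flow) -> dict:
    """One decision with shared context: user, app, port and matched rule in one record."""
    app = identify_app(flow.payload)
    user = identify_user(flow.src_ip)
    record = {"user": user, "app": app, "port": flow.dst_port,
              "action": "deny", "rule": "default-deny",
              "needs_review": app == "unknown-tcp"}
    for rule_user, rule_app, action in APP_RULES:
        if rule_app == app and rule_user in ("any", user):
            record.update(action=action, rule=f"{rule_user}/{rule_app}")
            break
    return record


# --- Constructed sample sessions ----------------------------------------------
SAMPLE_FLOWS = [
    Flow("10.1.1.10", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    Flow("10.1.1.11", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),  # SSH carried on the HTTPS port
    Flow("10.1.1.10", 8080, b"GET /app HTTP/1.1\r\nHost: dev.example\r\n\r\n"),  # HTTP off-port
    Flow("10.1.1.11", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),
    Flow("10.9.9.9", 80, bytes(range(16))),  # unidentified bytes on an allowed port
    Flow("10.1.1.10", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
]


def compare_policies(flows=SAMPLE_FLOWS) -> list:
    """Evaluate both policies per flow so the two verdicts can be read side by side."""
    results = []
    for flow in flows:
        app_record = app_policy(flow)
        results.append({"port_policy": port_policy(flow), **app_record})
    return results


if __name__ == "__main__":
    for r in compare_policies():
        flag = "  <- unknown, review" if r["needs_review"] else ""
        print(f"port {r['port']:>5}  port-policy={r['port_policy']:<5}  app={r['app']:<13} "
              f"user={r['user']:<12} app-policy={r['action']:<5} rule={r['rule']}{flag}")
```

Read side by side, the port policy passes SSH on 443 and unidentified bytes on 80 while blocking ordinary HTTP on 8080; the application policy decides on the identified application and user regardless of port, and anything it cannot identify is denied and flagged for review in the same record, which is the "unknowns systematically managed" ramification the deck claims for control inside the firewall.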