TRANSCRIPT
Next Generation Firewalls
SC GMIS
Bernard Cobb, Consulting Engineer, DNS
Some of Our Partnerships…
Agenda
• What is a Next Generation Firewall
• What are the differences between traditional and NextGen firewalls
• Cover the added features in the NextGen Firewall solution
• Review the advantages for the business from the perspective of understanding what applications are running on the network and what users are doing while consuming bandwidth.
• Key Business Problems Solved by a NextGen Firewall
Next Generation Firewall
• Unified Threat Management, Application Identification, Application Awareness, User Identity, SSL Decryption, URL Filtering, Traffic Priority, Advanced Persistent Threats, Kill Chain, Threat Prevention, Anti-virus, Anti-malware, Vulnerability Protection, IPS, Data Loss Prevention, etc…
NextGen Firewall?
• Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall. An NGFW should not be confused with a stand-alone network intrusion prevention system (IPS), which includes a commodity or nonenterprise firewall, or a firewall and IPS in the same appliance that are not closely integrated. --Gartner
“What’s that one?” –Mini-B
• 5-tuple Firewall
• Application Visibility & Control
• Integrated IPS
• Adding Context (AD integration)
The Differences of a NGFW
• Visibility
• Reporting
• Control
• Optimize the network as a business tool
Enterprise-wide NextGen Firewall Topology
Perimeter
• App visibility and control in the firewall
• All apps, all ports, all the time
• Prevent threats
  • Known threats
  • Unknown/targeted malware
• Simplify security infrastructure
Data Center
• Network segmentation
  • Based on application and user, not port/IP
• Simple, flexible network security
• Integration into all DC designs
• Highly available, high performance
• Prevent threats
• Virtual Environments
Distributed Enterprise
• Consistent network security everywhere
  • HQ/branch offices/remote and mobile users
• Logical perimeter
  • Policy follows applications and users, not physical location
• Centrally managed
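The data center and distributed enterprise slides above put the core idea in one line: policy should follow applications and users, not port/IP or physical location. The Python below is an added example, not code from the deck or from any firewall vendor. It evaluates the same constructed flows against a legacy 5-tuple rule base and against a rule base keyed on application and user group, so the reader can see where the two disagree. Every flow, user, rule and application name is made up for the demo, and the application label on each flow is assumed to have been produced upstream by the firewall's traffic classifier.

```python
"""Added example (not from the slide deck): a legacy 5-tuple rule base next
to an application- and user-aware rule base, evaluated over the same flows.
Flows, users, rule names and application labels are constructed for the
demo; the app label is assumed to come from the firewall's classifier."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    app: Optional[str] = None     # identified application, if any
    user: Optional[str] = None    # user mapped to src_ip (e.g. via AD), if any

# Constructed identity mapping standing in for an AD / User-ID lookup.
USER_GROUPS = {
    "alice": {"finance"},
    "bob": {"engineering"},
}

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    dst_port: Optional[int] = None   # 5-tuple fields (None = any)
    proto: Optional[str] = None
    dst_net: Optional[str] = None    # prefix string match, e.g. "10.1."
    app: Optional[str] = None        # NGFW fields (None = any)
    group: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        if self.dst_port is not None and f.dst_port != self.dst_port:
            return False
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.dst_net is not None and not f.dst_ip.startswith(self.dst_net):
            return False
        if self.app is not None and f.app != self.app:
            return False
        if self.group is not None:
            if f.user is None or self.group not in USER_GROUPS.get(f.user, set()):
                return False
        return True

def evaluate(rules, flow, default="deny"):
    """First-match evaluation, as in a typical ordered rule base."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return default, "default"

# Legacy rule base: every intent has to be expressed as port/protocol/IP.
LEGACY_RULES = [
    Rule("allow-https-out", "allow", dst_port=443, proto="tcp"),
    Rule("allow-db-from-lan", "allow", dst_port=5432, proto="tcp", dst_net="10.1."),
]

# NGFW rule base: the same intent expressed as application + user group.
NGFW_RULES = [
    Rule("allow-web-browsing", "allow", app="web-browsing"),
    Rule("deny-file-sharing", "deny", app="file-sharing"),
    Rule("finance-to-erp-db", "allow", app="postgresql", group="finance", dst_net="10.1."),
]

# Constructed flows. Two share the same 5-tuple shape (tcp/443 outbound) but
# carry different applications; two hit the DB port from different users.
FLOWS = {
    "browsing":    Flow("10.0.0.5", "203.0.113.10", "tcp", 51000, 443, app="web-browsing", user="bob"),
    "p2p-on-443":  Flow("10.0.0.5", "203.0.113.20", "tcp", 51001, 443, app="file-sharing", user="bob"),
    "finance-db":  Flow("10.0.0.7", "10.1.2.3", "tcp", 51002, 5432, app="postgresql", user="alice"),
    "eng-db":      Flow("10.0.0.5", "10.1.2.3", "tcp", 51003, 5432, app="postgresql", user="bob"),
}

def compare(name):
    """Return (legacy verdict, NGFW verdict) for one of the constructed flows."""
    f = FLOWS[name]
    return evaluate(LEGACY_RULES, f)[0], evaluate(NGFW_RULES, f)[0]

if __name__ == "__main__":
    for name in FLOWS:
        legacy, ngfw = compare(name)
        print(f"{name:12} legacy={legacy:5} ngfw={ngfw}")
```

The legacy rule base allows all four flows, because file sharing on tcp/443 and an engineer's connection to the finance database both look like permitted 5-tuples. The application- and user-aware rule base allows only the two flows that match the stated business intent; the other two fall through to the default deny, which is the "based on application and user, not port/IP" point of the slide made concrete.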
8 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Applications Have Changed, Firewalls Haven’t
Network security policy is enforced at the firewall
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work any more
Encrypted Applications: Unseen by Firewalls
What happens when traffic is encrypted?
• SSL
• Proprietary encryption
Applications: Threat Vector and a Target
Threats target applications
• Used as a delivery mechanism
• Application-specific exploits
Applications: Payload Delivery/Command & Control
Applications provide exfiltration
• Confidential data
• Threat communication
Enabling Applications, Users and Content
Another view of an NGFW—but not perfect
Enterprise Network
• IPS, DLP, IM, AV, URL, Proxy
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Single place for decision making, logging, etc…
[Diagram: Enterprise Network → NGFW (SSL, DLP, IPS, Proxy, URL, AV consolidated in one device) → Internet]
NGFW Security Platform
Address Three Key Business Problems
• Safely Enable Applications
  • Identify applications, regardless of port, protocol, encryption, or evasive tactic
  • Fine-grained control over applications/application functions (allow, deny, limit, scan, shape)
  • Addresses the key deficiencies of legacy firewall infrastructure
  • Systematic management of unknown applications
• Prevent Threats
  • Stop a variety of known threats – exploits (by vulnerability), viruses, spyware
  • Detect and stop unknown threats
  • Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
  • Enforce acceptable use policies on users for general web site browsing
• Simplify Security Infrastructure
  • Reduce complexity in architecture and operations
  • Predictable performance
  • Holistic Security View down to endpoint level protection
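"Identify applications, regardless of port, protocol, encryption, or evasive tactic" and the earlier "Encrypted Applications: Unseen by Firewalls" slide both come down to classifying a flow from its payload rather than from its destination port. The Python below is an added example, not the deck's or any vendor's code. It classifies constructed first-packet payloads (an HTTP request, a TLS ClientHello, an SSH banner and opaque bytes) and places the result beside what a port table would have said. The port table, application names and the ClientHello builder are assumptions made for the demo; the ClientHello parser follows the TLS 1.2 wire layout (RFC 5246), and the ClientHello bytes it parses are built in the same script, so nothing here touches a network.

```python
"""Added example (not from the slide deck): a minimal payload-based
application classifier of the kind the slides call application
identification, run over constructed flows whose destination ports
disagree with what the payload actually carries. The port table,
application names, flows and ClientHello bytes are all constructed."""
import os
import struct

PORT_TABLE = {22: "ssh", 80: "http", 443: "https", 8080: "http-alt"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def classify_by_port(dst_port):
    """What a port/protocol firewall would conclude about the flow."""
    return PORT_TABLE.get(dst_port, "unknown")

def parse_tls_sni(data):
    """Return the SNI host from a TLS ClientHello, '' if the hello carries
    no SNI, or None if the bytes are not a ClientHello at all."""
    if len(data) < 44 or data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
        return None
    pos = 43                          # 5 record + 4 handshake + 2 version + 32 random
    pos += 1 + data[pos]              # session id
    if pos + 2 > len(data):
        return ""
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher suites
    if pos + 1 > len(data):
        return ""
    pos += 1 + data[pos]              # compression methods
    if pos + 2 > len(data):
        return ""
    ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(data)):
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if etype == 0 and elen >= 5:  # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
            return data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return ""

def classify_by_payload(data):
    """App-ID style decision from the first client bytes, ignoring the port.
    Returns (application, sni) where sni is only set for TLS."""
    if data.startswith(b"SSH-2.0-"):
        return "ssh", ""
    if data.startswith(HTTP_METHODS) and b" HTTP/1." in data[:256]:
        return "web-browsing", ""
    sni = parse_tls_sni(data)
    if sni is not None:
        return "ssl", sni             # encrypted: only the SNI is visible without decryption
    return "unknown-tcp", ""          # proprietary/unrecognised: needs its own policy

def build_client_hello(host):
    """Constructed minimal TLS 1.2 ClientHello with one SNI extension."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"      # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
            + b"\x01\x00"                                # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed flows: (destination port, first client payload bytes)
FLOWS = {
    "http-on-443":   (443, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    "tls-on-8080":   (8080, build_client_hello("example.com")),
    "ssh-on-443":    (443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "opaque-on-443": (443, bytes([0x7F, 0x00, 0x13, 0x37]) + os.urandom(60)),
}

def identify(name):
    """Return (port-table verdict, payload verdict, sni) for a constructed flow."""
    port, payload = FLOWS[name]
    app, sni = classify_by_payload(payload)
    return classify_by_port(port), app, sni

if __name__ == "__main__":
    for name in FLOWS:
        print(name, identify(name))
```

Three of the four flows are misclassified by port alone: plain HTTP and SSH both ride tcp/443, and a TLS session sits on 8080. For the TLS flow the classifier can only report "ssl" plus the SNI host, which is exactly why the deck lists SSL decryption as a separate feature; the opaque flow lands in "unknown-tcp", the bucket the slide's "systematic management of unknown applications" bullet is about, and a rule base should give that bucket an explicit action rather than letting it fall through.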
Thank You
• Questions?