vm series amazon web services



Page 1: Vm Series Amazon Web Services

7/25/2019 Vm Series Amazon Web Services

http://slidepdf.com/reader/full/vm-series-amazon-web-services 1/3

Palo Alto Networks | Datasheet 1

VM-Series for AWS Use Cases

Hybrid Cloud

• Securely enable a hybrid cloud using our complete next-generation firewall and advanced threat prevention features
• Move applications and data to and from AWS via a standards-based, site-to-site IPsec VPN tunnel

Segmentation Gateway

• Control application communication across different subnets within a VPC and between VPCs while blocking lateral threat movement
• Maintain separation of confidential data from other traffic for security and compliance purposes

Internet Gateway

• Control applications within AWS while preventing advanced cyberattacks from breaching your cloud and moving laterally
• Extend firewall and threat prevention policies to remote users and mobile devices with GlobalProtect

Security Challenges in the Public Cloud

AWS introduces well-known advantages of greater application development and deployment agility, scalability and flexibility. However, the security challenges you face in AWS are exactly the same as those you face when protecting a physical network.

These challenges include a lack of application visibility and control, an inability to prevent cyberattacks, and cumbersome policy update processes that can induce delays between workload deployment and security policy updates. The VM-Series for AWS solves these challenges, enabling you to:

• Identify and control applications traversing your AWS deployment, regardless of which ports they may use.
• Determine who should be allowed to use the applications, and grant access based on need and credentials.
• Stop malware from gaining access to, and moving laterally (east-west) within, the cloud.
• Extend perimeter protection mechanisms to all users and devices, regardless of location.
• Simplify management and minimize the security policy lag as virtual workloads change.

The VM-Series for AWS protects your workloads and data with the same next-generation firewall and advanced threat prevention features that are available in our security appliances, allowing you to securely move to the cloud.

VM-SERIES FOR AMAZON WEB SERVICES

Amazon Web Services (AWS) is fueling an evolution within today’s data centers, enabling you to rapidly develop, deploy and manage new applications on a global scale. The VM-Series for AWS enables you to protect your applications and data in AWS with next-generation firewall and threat prevention features.


Are Native Security Features Sufficient?

As part of their services offering, AWS provides users with some basic security features, such as Security Groups, Access Control Lists (ACLs) and Web Application Firewalls (WAF). These features will help you protect your AWS deployment; however, Security Groups and ACLs look at traffic only from a port and IP address perspective and cannot identify and control your AWS traffic based on the application identity. A WAF looks only at HTTP/HTTPS applications and no other applications. These features only provide a base level of security to reduce your attack surface; they will not control all applications, protect against inbound threats, nor stop their lateral movement. As the public cloud becomes an extension of your data center, advanced security features, such as those available from a next-generation firewall, should become a requirement.

The VM-Series for AWS

The VM-Series for AWS enables you to securely implement a cloud-first methodology while transforming your data center into a hybrid architecture that combines the scalability and agility of AWS with your on-premises resources. This allows you to move your applications and data to AWS while maintaining a security posture that is consistent with the one you may have established on your physical network with Palo Alto Networks® appliance-based firewalls.

The VM-Series for AWS natively analyzes all traffic in a single pass to determine the application identity, the content, and the user identity. These are key components in defining your security posture and performing the related management efforts, including visibility, policy control, reporting and incident investigation.

Improve Security Decisions with Application Visibility

The VM-Series for AWS provides you with the identity of the application, irrespective of port, which means you have far more relevant information about your AWS deployment, including the application, who the user is, and from where it emanates. This increased knowledge means you can make more informed policy decisions and respond to incidents more quickly.

Limit Security Exposure with Whitelisting Policies

With the VM-Series for AWS, you can extend your firewall access control policies to the application level, forcing them to operate on specific ports, while leveraging the “deny all else” premise that a firewall is based on to block all others. The added level of control becomes critically important as you deploy more of your data center assets in AWS.

Strengthen Security Posture with User-Based Controls

Integration with a wide range of user repositories, such as Microsoft® Active Directory®, LDAP and Microsoft Exchange, introduces the user identity as a policy element, complementing application whitelisting with an added access control component. User-based policies mean you can grant access to critical applications and data based on user credentials and respective need. For example, the App team can have full access to the Development VPC, while the Operations team has RDP/SSH access to the production VPC. When deployed in conjunction with GlobalProtect™, the VM-Series for AWS enables you to extend your corporate security policies to mobile devices and users, regardless of their location.

Prevent Advanced Attacks at the Application Level

Attacks, much like many applications, are capable of using any port, rendering traditional prevention mechanisms ineffective. The VM-Series for AWS allows you to use the Threat Prevention and WildFire™ services to apply application-specific threat prevention policies that block exploits, malware, and previously unknown threats (APTs) from infecting your cloud.

Improve Data Security with Segmentation

Today’s cyberthreats commonly compromise an individual workstation or user and then move laterally across your physical or virtualized network, placing your mission-critical applications and data at risk. Using security zones and whitelisting policies allows you to segment applications communicating across different subnets and between VPCs for regulatory compliance. Enabling the Threat Prevention and WildFire services to complement your segmentation policies will block both known and unknown threats and stop them from moving laterally from workload to workload.
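The three controls described in the whitelisting, user-based and segmentation sections above, reduced to a small policy evaluator. This is an added example, not Palo Alto Networks code or PAN-OS policy syntax; the zone names, application names, user groups and flows are constructed. It contrasts what a port/IP-only rule set (the Security Group model) decides with what an application-, user- and zone-aware whitelist that ends in "deny all else" decides for the same flows.

```python
# Added example, not Palo Alto Networks code. Zones, apps, groups and flows are
# constructed. SG_RULES models what a Security Group can express (destination and
# port only); APP_RULES is an application whitelist with user identity and zones,
# followed by the firewall's implicit "deny all else".
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_zone: str     # "corp", "internet", "dev-vpc", "prod-vpc"
    dst_zone: str
    dst_port: int
    app: str          # application identity, determined independently of the port
    user_group: str   # group resolved from a user repository such as AD

# Security-Group style: (dst_zone, dst_port); port 0 stands for "any port".
SG_RULES = {("prod-vpc", 443), ("prod-vpc", 22), ("prod-vpc", 3389), ("dev-vpc", 0)}

def sg_allows(flow: Flow) -> bool:
    return (flow.dst_zone, flow.dst_port) in SG_RULES or (flow.dst_zone, 0) in SG_RULES

# Whitelist rows: (src_zone, dst_zone, app, user_group, allowed ports or None).
APP_RULES = [
    ("corp", "dev-vpc", "any", "app-team", None),        # App team: full Development VPC
    ("corp", "prod-vpc", "ssh", "ops-team", {22}),       # Ops team: SSH into production
    ("corp", "prod-vpc", "ms-rdp", "ops-team", {3389}),  # Ops team: RDP into production
    ("internet", "prod-vpc", "ssl", "any", {443}),       # public web tier, app pinned to its port
]

def app_policy_allows(flow: Flow) -> bool:
    for src, dst, app, group, ports in APP_RULES:
        if (src, dst) != (flow.src_zone, flow.dst_zone):
            continue                      # the zone pair is the segmentation boundary
        if app != "any" and app != flow.app:
            continue                      # different application, even on an open port
        if group != "any" and group != flow.user_group:
            continue                      # right app, wrong user group
        if ports is not None and flow.dst_port not in ports:
            continue                      # right app on a non-standard port: no match
        return True
    return False                          # deny all else

SAMPLE_FLOWS = {   # constructed flows that a port-only rule set would pass
    "ssh tunnelled over 443 from the Internet": Flow("internet", "prod-vpc", 443, "ssh", "any"),
    "browser TLS session to the web tier":      Flow("internet", "prod-vpc", 443, "ssl", "any"),
    "Ops team SSH to production":               Flow("corp", "prod-vpc", 22, "ssh", "ops-team"),
    "App team SSH to production":               Flow("corp", "prod-vpc", 22, "ssh", "app-team"),
    "compromised dev workload reaching prod":   Flow("dev-vpc", "prod-vpc", 22, "ssh", "any"),
}

def compare(flows=SAMPLE_FLOWS):
    # {description: (security_group_allows, app_policy_allows)}
    return {name: (sg_allows(f), app_policy_allows(f)) for name, f in flows.items()}
```

Every sample flow passes the port-based rules; only the two that match an application, user group and zone pair survive the whitelist, and the lateral dev-to-prod flow is dropped because no rule names that zone pair at all.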

Policy Consistency with Centralized Management

Panorama™ enables you to manage your VM-Series deployments across multiple cloud deployments, along with your physical security appliances, thereby ensuring policy consistency and cohesiveness. Rich, centralized logging and reporting capabilities provide visibility into virtualized applications, users and content.

Automate Security Deployment and Policy Updates

The VM-Series for AWS includes native management features that enable you to integrate security into your cloud-first development projects. Bootstrapping automatically provisions a firewall with a working configuration, complete with licenses and subscriptions, and then auto-registers itself with Panorama. To automate policy updates as workloads change, a fully documented XML API and Dynamic Address Groups allow the VM-Series to consume external data in the form of tags that can drive policy updates dynamically. The end result is that new applications and next-generation security can be deployed simultaneously in an automated manner.
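How tags become policy, as an added example (not Palo Alto Networks code and not taken from this datasheet): workload metadata is turned into per-address tag registrations, and a Dynamic Address Group is resolved from a tag filter over those registrations. INSTANCES is a constructed stand-in for what a cloud inventory call would return; the uid-message layout and the user-id request type follow the PAN-OS XML API tag-registration format as I know it, which is an assumption to verify against your PAN-OS version.

```python
# Added example, not Palo Alto Networks code. INSTANCES is constructed sample data.
# The <uid-message> register layout and the "user-id" request type are assumed
# from my knowledge of the PAN-OS XML API, not from this datasheet.
import xml.etree.ElementTree as ET

INSTANCES = [
    {"ip": "10.0.1.10", "tags": {"role": "web", "env": "prod"}},
    {"ip": "10.0.1.11", "tags": {"role": "web", "env": "prod"}},
    {"ip": "10.0.2.20", "tags": {"role": "db",  "env": "prod"}},
    {"ip": "10.1.1.30", "tags": {"role": "web", "env": "dev"}},
]

def instance_tags(inst):
    """Flatten key/value metadata into firewall tags such as 'role.web'."""
    return {f"{k}.{v}" for k, v in inst["tags"].items()}

def build_register_message(instances):
    """XML that registers each address with its tags; the tags feed the DAGs."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for inst in instances:
        entry = ET.SubElement(register, "entry", ip=inst["ip"])
        tag = ET.SubElement(entry, "tag")
        for t in sorted(instance_tags(inst)):
            ET.SubElement(tag, "member").text = t
    return ET.tostring(root, encoding="unicode")

def api_params(api_key, xml_message):
    """Query parameters for the firewall's /api/ endpoint (assumed request shape)."""
    return {"type": "user-id", "key": api_key, "cmd": xml_message}

def parse_registrations(xml_text):
    """Inverse of build_register_message: {ip: set of registered tags}."""
    root = ET.fromstring(xml_text)
    return {e.get("ip"): {m.text for m in e.iter("member")} for e in root.iter("entry")}

def dag_members(registrations, match):
    """Resolve a Dynamic Address Group from its tag filter. `match` is a list of
    tag sets in disjunctive normal form: an address is a member when every tag of
    any one set is registered on it, so [{"role.web", "env.prod"}] reads as
    'role.web' and 'env.prod'."""
    return sorted(ip for ip, tags in registrations.items()
                  if any(clause <= tags for clause in match))
```

A rule that references the group rather than addresses changes what it matches as registrations come and go, which is the mechanism behind "tags that can drive policy updates dynamically".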



4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. pan-vm-series-for-aws-ds-032216

VM-Series for AWS Use Cases

The VM-Series can be deployed for AWS to address a number of different use cases.

Hybrid Cloud: Securely Extend Your Data Center into AWS

One of the easiest ways to securely address new application requirements and cloud-first development initiatives is through a hybrid deployment that integrates your existing data center with AWS via a secure connection. This approach enables you to start small and expand as your requirements change while maintaining a strong security posture. When deployed in AWS, the VM-Series can act as a VPN termination point to allow the secure movement of applications and data to and from AWS. Application control and threat prevention policies can be layered atop the IPsec VPN tunnel as added security elements.

Segmentation Gateway: Separation for Security and Compliance

High-profile breaches have shown that cybercriminals are adept at hiding in plain sight, bypassing perimeter controls and moving at will across networks – both physical and virtualized. An AWS VPC provides an isolation and security boundary for your workloads. The VM-Series can augment that separation through application-level segmentation policies to control traffic between VPCs. With application-level policies, you have greater control over application traffic moving laterally, and you can apply threat prevention policies to block their movement as well. If traffic is flowing between VPCs in different regions across the Internet, encryption can be enabled for added protection.

Internet Gateway: Secure the Network, the Cloud, and the Device

As your AWS deployment expands, you can build upon your hybrid deployment by using the VM-Series as an Internet gateway, further strengthening your security posture. With the VM-Series you can control AWS access with application whitelisting policies that are based on user identity and business need. Application-specific threat prevention policies to block exploits, malware, and previously unknown threats (APTs) from gaining access to your AWS deployment can also be applied, giving you added control and protection.

GlobalProtect will enable you to extend your security policies to your remote users and mobile devices, regardless of their location. GlobalProtect establishes a secure connection to protect the user from Internet threats and enforces application-based access control policies. Whether the need is for access to the Internet, data center or SaaS applications, the user will enjoy the full protection provided by the platform.

Figure: deployment diagram showing Panorama, GlobalProtect and VM-Series instances across the network, AWS and devices. Captions: Securely extend your data center into AWS; Segment applications and data for security and compliance purposes; Application whitelisting and threat prevention policies protect your AWS perimeter; Exert policy consistency across the network, AWS cloud, and your devices.