What Did You Do At School Today Junior?
Ethan West – Palo Alto Networks Systems Engineer
279 schools
1,000s of students
1,200+ applications
1 challenge
What do you really know about your network?
Frequency that external proxies were found on K-12 networks?
Shown before reveal: 75%. Answer: 80%.
A total of 28 different proxies were in use, with an average of 4 external proxies found on 80% of the 279 K-12 networks.
Frequency is defined as a single instance found on a network (n=279).
Frequency that non-VPN related encrypted tunnels were found?
Shown before reveal: 50%. Answer: 42%.
An average of 2 encrypted tunnel applications were found in 42% of the K-12 networks (SSH is excluded).
Frequency is defined as a single instance found on a network (n=279).
• External proxies are commonly used to bypass URL filtering
• Remote access tools are commonly used to evade controls, and are a known cyber-criminal target
• Encrypted tunnels (Tor, UltraSurf, Hamachi) are used to “hide” traffic
Frequency is defined as a single instance found on a network (n=279).
Students will find a way…
Percentage of total bandwidth consumed by file transfer of all types?
Shown before reveal: 10%. Answer: 9%.
P2P, browser-based and client-server filesharing applications consumed 9% of total bandwidth, roughly the same amount as seen in enterprise environments.
P2P Dwarfs All Other Filesharing Applications
The solution of choice for moving big files…
Average number of browser-based filesharing applications found on each network?
Shown before reveal: 10. Answer: 11.
There were 64 browser-based filesharing variants found, with an average of 11 discovered on 95% of the K-12 networks.
Browser-Based File Sharing: Two Use Cases
Browser-based filesharing has two use cases: entertainment and productivity. Both carry a common set of business and security risks that organizations must address.
The number of applications using Port 80 (tcp/80) only?
Shown before reveal: 250. Answer: 278.
The number of applications that ONLY use port 80 is 278, or 26% of the 1,050 applications found on the participating K-12 networks.
Percentage of total bandwidth consumed by applications not using tcp/80?
Shown before reveal: 40%. Answer: 30%.
30% of the total bandwidth is consumed by applications (31% of the 1,050) that DO NOT USE port 80 at all. Ever.
Port 80 only security is shortsighted
The common perception is that port 80 (tcp/80) is where all the traffic and all the problems are. Emphasis on tcp/80 is an absolute requirement, but focusing on tcp/80 alone is shortsighted: about a quarter of the applications found live only on port 80, while applications that never touch port 80 carry 30% of the bandwidth.
Junior’s application usage is sophisticated…
These are not our parents’ applications; usage patterns are on par with those seen in the enterprise
Applications that can hide or mask activity are common
P2P, despite control efforts, is used heavily; browser-based filesharing is a hidden risk
Port 80 is used heavily, but too much focus is shortsighted and high risk
© 2012 Palo Alto Networks. Proprietary and Confidential.Page 21 |
Applications Have Changed, Firewalls Haven’t
Network security policy is enforced at the firewall:
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work any more
Technology Sprawl and Creep Aren’t the Answer
Enterprise Network
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address application “accessibility” features
[Figure: enterprise network with the firewall surrounded by bolt-on “helpers” (IM, DLP, IPS, proxy, URL filtering, AV, UTM) in front of the Internet.]
More not always better…
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
The Answer? A capable Next Gen Security Platform
The Benefits of Classifying Traffic in the Firewall
[Figure: a single policy decision, made in the firewall by App-ID: “Allow Facebook”.]
Key Difference / Benefit
• Single firewall policy: Less work, more secure. Administrative effort is reduced; potential reconciliation holes are eliminated.
• Positive control model: Allow by policy, all else is denied. It’s a firewall.
• Single log database: Less work, more visibility. Policy decisions are based on complete information.
• Systematic management of unknowns: Less work, more secure. Quickly identify high-risk traffic and systematically manage it.
Multi-Step Scanning Ramifications
300+ applications allowed*
*Based on Palo Alto Networks Application Usage and Risk Report
Facebook allowed…what about the other 299 apps?
[Figure: Policy Decision #1, the firewall allows port 80 (ports are opened to allow the application); Policy Decision #2, an app-control add-on allows Facebook.]
Key Difference / Ramifications
• Two separate policies: More work. Two policies = double the admin effort (data entry, mgmt, etc). Possible security holes: no policy reconciliation tools to find potential holes.
• Two separate policy decisions: Weakens the FW deny-all-else premise. Applications are allowed by the port-based FW decision.
• Two separate log databases: Less visibility with more effort. Informed policy decisions require more effort, which slows reaction time.
• No concept of unknown traffic: Increased risk. Unknown is found on every network = low volume, high risk. More work, less flexible: significant effort to investigate; limited ability to manage if it is found.
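The two policy models on the last two slides (a single App-ID decision in the firewall versus a port-based allow followed by an app-control add-on) can be made concrete with a small simulation. The block below is an added example written for this transcript, not Palo Alto Networks code and not how App-ID is implemented: it identifies an application from the first bytes of a flow using a handful of constructed payload signatures, then runs the same constructed flows through a port-based rule (“allow tcp/80 and tcp/443”) and through an application-based positive-control rule (“allow facebook and web-browsing, deny everything else”). The flow contents, IP addresses and signature set are all made up for illustration.

```python
"""Port-based vs application-based policy over constructed sample flows.

Added example for the slides above (not Palo Alto Networks code). It shows why
"allow tcp/80" admits every application that speaks on port 80, why a port rule
cannot see an application that moves to another port, and how an app-aware
positive-control policy denies whatever it cannot name (the "unknown" bucket).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-to-server bytes of the stream (constructed)


# Constructed payload signatures, first match wins. A production classifier
# uses far more than this (protocol decoders, heuristics, SSL decryption).
SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("tls", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
    ("facebook", lambda p: p.startswith(b"GET ") and b"Host: www.facebook.com" in p),
    ("web-browsing", lambda p: p[:4] in (b"GET ", b"POST", b"HEAD")),
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
]


def identify_app(flow: Flow) -> str:
    """Name the application from payload, ignoring the destination port."""
    for name, match in SIGNATURES:
        if match(flow.payload):
            return name
    return "unknown-tcp"  # nothing matched: the "unknown traffic" case


def port_policy(flow: Flow, allowed_ports=frozenset({80, 443})) -> str:
    """Legacy decision #1: allow by destination port only."""
    return "allow" if flow.dport in allowed_ports else "deny"


def app_policy(flow: Flow, allowed_apps=frozenset({"facebook", "web-browsing"})):
    """Positive control: allow named applications on any port, deny the rest."""
    app = identify_app(flow)
    return ("allow" if app in allowed_apps else "deny"), app


# Constructed flows (hypothetical addresses); none were captured from a network.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
    Flow("10.1.2.4", "203.0.113.11", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),
    Flow("10.1.2.5", "203.0.113.12", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.1.2.6", "203.0.113.13", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow("10.1.2.7", "203.0.113.14", 80, b"\x00\x01\x02\x03garbage"),
]


def compare(flows):
    """Return (dport, app, port_decision, app_decision) for each flow."""
    rows = []
    for f in flows:
        app_decision, app = app_policy(f)
        rows.append((f.dport, app, port_policy(f), app_decision))
    return rows


def unknown_flows(flows):
    """Flows no signature could name: the set a port-only policy never reports."""
    return [f for f in flows if identify_app(f) == "unknown-tcp"]


if __name__ == "__main__":
    print(f"{'dport':>5}  {'app':<13} {'port-rule':<9} app-rule")
    for dport, app, port_dec, app_dec in compare(SAMPLE_FLOWS):
        print(f"{dport:>5}  {app:<13} {port_dec:<9} {app_dec}")
```

Running it shows the gap the slide describes: BitTorrent and unidentifiable junk riding on port 80 are allowed by the port rule and denied by the application rule; SSH on 443 (the “remote access to evade controls” case from the K-12 findings) passes the port rule; and ordinary web browsing on 8080 is blocked by the port rule but allowed by the application rule, so the port rule is both too loose and too tight at once.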
Your Control With a Next-Generation Firewall
»The ever-expanding universe of applications, services and threats
»Traffic limited to approved business use cases based on App and User
»Attack surface reduced by orders of magnitude
»Complete threat library with no blind spots
• Bi-directional inspection
• Scans inside of SSL
• Scans inside compressed files
• Scans inside proxies and tunnels
Only allow the apps you need
Safely enable the applications relevant to your business
Covering the entire Enterprise
[Figure: the platform shown as layers, from network location down to operating system.]
Network location: Data center / cloud; Enterprise perimeter; Distributed enterprise / BYOD
Use cases: Next-Generation Firewall; Cybersecurity: IDS / IPS / APT; Web gateway; VPN
Next-generation appliances: Physical: PA-200, PA-500, PA-3000 Series, PA-5000 Series; WildFire: WF-500; Virtual: VM-Series
Subscription services: URL Filtering; GlobalProtect™; WildFire™; Threat Prevention
Management system: Panorama and M-100 appliance
Operating system: PAN-OS™
Addresses Three Key Business Problems
Safely Enable Applications
• Identify more than 1,900 applications, regardless of port, protocol, encryption, or evasive tactic
• Fine-grained control over applications/application functions (allow, deny, limit, scan, shape)
• Addresses the key deficiencies of legacy firewall infrastructure
• Systematic management of unknown applications
Prevent Threats
• Stop a variety of known threats: exploits (by vulnerability), viruses, spyware
• Detect and stop unknown threats with WildFire
• Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
• Enforce acceptable use policies on users for general web site browsing
Simplify Security Infrastructure
• Put the firewall at the center of the network security infrastructure
• Reduce complexity in architecture and operations
Magic Quadrant for Enterprise Network Firewalls
“Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward. It is assessed as a Leader, mostly because of its NGFW design, direction of the market along the NGFW path, consistent displacement of competitors, rapidly increasing revenue and market share, and market disruption that forces competitors in all quadrants to react.”
Gartner, February 2013
Customer Example: Huron Valley Schools
“Not only did the PA-3000 Series give us total control over all applications, we saw an increase in our Internet performance plus much easier administration.”
Industry: K-12 Education
Statistics: School District in Oakland County supporting 9,800 students across 15 schools.
Problem
• Students circumventing IT security controls with tools such as UltraSurf and TOR
• No visibility into user behavior or application use
• Existing firewall not keeping up: rate of change in applications; difficult to maintain content filter; reaching throughput maximum; end of life
Solution / Results
• PA-3000 Series deployed as primary enterprise firewall
• Policy control by application and user
• No longer struggle to keep up with new/changed applications
• Improved performance