Palo Alto Networks

Next-Generation Firewall
Palo Alto Networks
Applications Have Changed, Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
• BUT…Applications Have Changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
(Diagram labels: SaaS, Collaboration / Media, Personal)
Need to Restore Visibility and Control in the Firewall
Stateful Inspection Classification
The Common Foundation of Nearly All Firewalls
• Stateful Inspection classifies traffic by looking at the IP header
- source IP
- source port
- destination IP
- destination port
- protocol
• Internal table creates mapping to well-known protocols/ports
- HTTP = TCP port 80
- SMTP = TCP port 25
- SSL = TCP port 443
Palo Alto Networks Exceeds NGFW Requirements
In “Defining the Next-Generation Firewall,” Gartner describes what Palo Alto Networks already delivers
• Application Awareness and Full Stack Visibility
- App-ID identifies and controls 900+ applications
• Integrated Rather Than Co-Located IPS
- Content-ID includes full IPS, without compromising performance
• Extra-Firewall Intelligence to Identify Users
- User-ID brings AD users and groups into firewall policy
• Standard First-Generation Firewall Capabilities
- Packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
• Support “bump in the wire” Deployments
- Multiple options for transparent deployment behind existing firewalls
Palo Alto Networks “Fixes the Firewall”
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access / functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation
Identification Technologies Help Manage Risk
• App-ID: Identify the application
• User-ID: Identify the user
• Content-ID: Scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of about 900 applications distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure
• Understand users' application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
Making Content-Scanning Network-Ready
(Diagram, stages over time. File-based Scanning: ID Content, Buffer File, Scan File, Deliver Content. Stream-based Scanning: ID Content, Scan Content, Deliver Content.)
• Stream-based, not file-based, for real-time performance
- Dynamic reassembly
• Uniform signature engine scans for broad range of threats in single pass
• Threat detection covers vulnerability exploits (IPS), virus, and spyware (both downloads and phone-home)
A better approach
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Single processes for:
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, DLP, etc.
• One policy
Parallel Processing
• Function-specific hardware engines
• Multi-core security processing
• Separate data/control planes
Up to 10Gbps, Low Latency
PAN-OS Core Features
• Strong networking foundation:
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN
- Tap mode – connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping
- Max, guaranteed and priority
- By user, app, interface, zone, and more
• High Availability:
- Active / passive
- Configuration and session synchronization
- Path, link, and HA monitoring
• Virtualization:
- All interfaces (physical or logical) assigned to security zones
- Establish multiple virtual systems to fully virtualize the device (PA-4000 & PA-2000 only)
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
Palo Alto Networks Next-Gen Firewalls
PA-4060
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 4 XFP (10 Gig) I/O
• 4 SFP (1 Gig) I/O
PA-4050
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
PA-4020
• 2 Gbps FW
• 2 Gbps threat prevention
• 500,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
PA-2050
• 1 Gbps FW
• 500 Mbps threat prevention
• 250,000 sessions
• 16 copper gigabit
• 4 SFP interfaces
PA-2020
• 500 Mbps FW
• 200 Mbps threat prevention
• 125,000 sessions
• 12 copper gigabit
• 2 SFP interfaces
PA-500
• 250 Mbps FW
• 100 Mbps threat prevention
• 50,000 sessions
• 8 copper gigabit
Purpose-Built Architecture: PA-4000 Series
(Diagram labels: Control Plane, Data Plane, RAM, Flash Matching Engine, Dual-core CPU, HDD, CPU 1 .. CPU 16, SSL, IPSec, De-Compression, QoS, Route/ARP/MAC lookup, NAT, 10Gbps links)
Dedicated Control Plane
• Highly available mgmt
• High speed logging and route updates
Flash Matching HW Engine
• Palo Alto Networks’ uniform signatures
• Multiple memory banks – memory bandwidth scales performance
Multi-Core Security Processor
• High density processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
10 Gig Network Processor
• Front-end network processing offloads security processors
• Hardware accelerated QoS, route lookup, MAC lookup and NAT
Flexible Deployment Options
Application Visibility
• Connect to span port
• Provides application visibility without inline deployment
Transparent In-Line
• Deploy transparently behind existing firewall
• Provides application visibility & control without networking changes
Firewall Replacement
• Replace existing firewall
• Provides application and network-based visibility and control, consolidated policy, high performance
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
• Panorama central management application
- Consolidated management, logging, and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACC/monitoring views, log collection, and reporting
• All interfaces work on current configuration, avoiding sync issues
Requirements for Data Center Firewalls
• Threat Prevention
- Protect against external attacks – including those routed through internal “secure” clients
• Data Leakage Prevention
- Protect confidential and unauthorized content from leaving the network
• Access Control
- Control access – by user or groups of users – to specific applications and content
• Performance
- Minimize latency and maximize throughput to ensure business performance is not compromised
© 2009 Palo Alto Networks. Proprietary and Confidential.
Palo Alto Networks Exceeds Requirements
• Content-ID
- Threat Prevention
  - Stops external attacks with high speed threat prevention engine
  - Decrypts SSL sessions to identify and stop threats via clients
- Data Leakage Prevention
  - Scans traffic to stop transfer of unauthorized data or file types
• User-ID and App-ID
- Access Control
  - Policies to create security zones within the data center
  - Create data center segments to isolate specific users and applications
• SP3 Architecture
- Single pass, minimized latency, maximum throughput up to 10Gbps
Data Centre Security Zones
• Security zones can first be applied to isolate the DC as a means of protecting the data. Once the network has been divided into distinct zones, positive control model security policies can be applied that control, at a very granular level, which applications, users and content are allowed in and out of the DC security zone.
• Uniform signature format: Rather than use a separate set of scanning engines and signatures for each type of threat, Palo Alto Networks uses a uniform threat engine and signature format to detect and block a wide range of malware while dramatically reducing latency.
Isolating the Data with Security Zones
• Security zones: logical container for physical interfaces, VLANs, IP addresses or a combination thereof
(Diagram labels: Users, Client Server Zone, Infrastructure Servers, Development Servers)
Flat network – no security zones
- All users can access all resources
- Difficult to protect proprietary data
- Forensics becomes equally difficult
With security zones
- Zones isolate client data – irrespective of networking environment
- Security policies dictate access control, threat prevention and content scanning
- Logging and reporting against zone simplifies forensics and monitoring
Granular Access Control Policies
• Control access based on application (App-ID) and users (User-ID)
• Example:
- Only authorized SAP users can access SAP
- Inbound and outbound traffic scanned for threats and sensitive data
- Limited traffic in the zone helps minimize latency, maximize throughput
- Secure IT access for logging, reporting, forensics
(Diagram labels: Users, Palo Alto Networks, Oracle, Client Server Zone, Infrastructure Servers, IT Tools, IT Dept, WAN and Internet, Development Servers)
Block Threats, Monitor Data Transfer
• Block inbound threats that target Oracle, monitor outbound traffic for data patterns (Content-ID)
• Example:
- Add threat prevention policy element for Oracle (inbound)
- Monitor outbound traffic for proprietary data patterns
- Log for forensics and record keeping
(Diagram labels: Client Server Zone, Brokers, Palo Alto Networks, Infrastructure Servers, WAN and Internet, Users, Development Servers)
Logging and Reporting
• Forensics and activity monitoring through context aware and expression-based log filtering
- Export to Excel or syslog for archive and analysis
• Pre-defined and custom reporting
- Create zone specific reports, scheduled to be emailed to key personnel
Policy Example
Rule 1
• Limit access to client data to only brokers in Active Directory
• Only allow Oracle
• Block threats, watch for client data transfer
Rule 2
• Only allow IT to use specific tools to access client data
Rule 3
• Deny and log all else
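Added example, not part of the original slides and not Palo Alto Networks code: the three rules above evaluated first-match against constructed flows, beside a port-and-IP rule of the kind the stateful inspection slide describes. The subnet, TCP port 1521 for Oracle, the group names and the IT tools (ssh, syslog) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    user: str              # username resolved from the directory (User-ID role)
    groups: frozenset      # directory groups of that user
    app: str               # application identified from the traffic (App-ID role)
    threat: bool = False   # content-scan verdict (Content-ID role)

# Assumed legacy rule: the user subnet may reach TCP 1521 in the data zone.
def legacy_decision(flow):
    in_subnet = ip_address(flow.src_ip) in ip_network("10.1.0.0/16")
    return "allow" if in_subnet and flow.dst_port == 1521 else "deny"

# Rules 1 and 2 from the slide: (name, allowed groups, allowed apps, scan for threats)
RULES = [
    ("rule1", {"brokers"}, {"oracle"}, True),
    ("rule2", {"it"}, {"ssh", "syslog"}, False),   # "specific tools" are placeholders
]

def zone_decision(flow, log):
    """First match wins; anything unmatched hits rule 3 (deny and log)."""
    for name, groups, apps, scan in RULES:
        if flow.groups & groups and flow.app in apps:
            action = "deny" if scan and flow.threat else "allow"
            log.append((name, flow.user, flow.app, action))
            return action
    log.append(("rule3", flow.user, flow.app, "deny"))
    return "deny"

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.1.4.20", 1521, "alice", frozenset({"brokers"}), "oracle"),
    Flow("10.1.7.31", 1521, "bob", frozenset({"engineering"}), "oracle"),
    Flow("10.1.4.22", 1521, "carol", frozenset({"brokers"}), "ftp"),
    Flow("10.1.4.23", 1521, "erin", frozenset({"brokers"}), "oracle", threat=True),
    Flow("10.9.0.5", 22, "dave", frozenset({"it"}), "ssh"),
]

def compare(flows):
    """Return (user, legacy verdict, zone verdict) per flow plus the zone log."""
    log = []
    rows = [(f.user, legacy_decision(f), zone_decision(f, log)) for f in flows]
    return rows, log

if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS)[0]:
        print(row)
```

The port-and-IP rule admits bob, carol and erin because all three arrive from the user subnet on port 1521; the identity- and application-based rules deny them and leave a log entry naming the user and application.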
Limitations of Existing Technology
• Legacy firewalls are ineffective at policy-based segmentation
- Unable to identify applications – only ports and protocols
- Cannot see user identity from AD – only IP addresses
- May require secondary platform to inspect content
- Cumbersome management and difficult log correlation
• Firewall “helpers” are no help
- Don’t enforce policy
- Are not designed to segment
- Cannot understand all applications, slow, cumbersome to manage
- Unable to tie applications to users
- Impossible to produce reports needed for audit purposes
Protecting Proprietary Data
• Flexible, zone-based architecture facilitates data isolation in any networking environment
• Policy control over cardholder data access
- Allow/deny access based on specific application
- Inspect traffic bi-directionally for threats and data transfer
- Tie access rules to user identity from Active Directory
• Powerful logging and reporting for archival and forensics purposes
• Up to 10 Gbps throughput and up to 24 ports eliminates bottlenecks