Transcript Juniper Migration Webinar

Migrating from Juniper to
Palo Alto Networks
Agenda

Overview

Key Differences

Key Reasons to Migrate

Migration Best Practices

Q&A
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Applications Have Changed, Firewalls Haven’t
Network security policy is enforced at the
firewall
•
Sees all traffic
•
Defines boundary
•
Enables access
Traditional firewalls don’t work any more
3 | ©2014, Palo Alto Networks. Confidential and Proprietary.
The Firewall as a Business Enablement Tool
 Applications: Enablement begins with
application classification by App-ID.
 Users: Tying users and devices, regardless of
location, to applications with User-ID and
GlobalProtect.
 Content: Scanning content and protecting
against all threats, both known and unknown,
with Content-ID and WildFire.
4 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Controlling Applications, Content and Users
5 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Broad Range of Hardware Platforms
Firewall
PA-7050
Firewall Throughput
Threat Prevention
Throughput
Ports
24 SFP+ (10 Gig)
48 SFP (1 Gig)
72 copper gigabit
Session Capacity
System: 120 Gbps
System: 60 Gbps
NPC: 20 Gbps
NPC: 10 Gbps
PA-5060
20 Gbps
10 Gbps
PA-5050
10 Gbps
5 Gbps
PA-5020
5 Gbps
2 Gbps
8 SFP
12 copper gigabit
1,000,000
PA-3050
4 Gbps
2 Gbps
8 SFP
12 copper gigabit
500,000
PA-3020
2 Gbps
1 Gbps
8 SFP
12 copper gigabit
250,000
PA-2050
1 Gbps
500 Mbps
4 SFP
16 copper gigabit
250,000
PA-2020
500 Mbps
250 Mbps
8 copper gigabit
125,000
PA-500
250 Mbps
100 Mbps
8 copper gigabit
64,000
PA-200
100 Mbps
50 Mbps
4 copper gigabit
64,000
PA-7000-NPC
6 | ©2014, Palo Alto Networks. Confidential and Proprietary.
4 SFP+ (10 Gig)
8 SFP (1 Gig)
12 copper gigabit
4 SFP+ (10 Gig)
8 SFP (1 Gig)
12 copper gigabit
4 SFP+ (10 Gig)
8 SFP (1 Gig)
12 copper gigabit
24,000,000
4,000.000
4,000,000
2,000,000
Juniper SRX Overview

SRX = Security services gateways.
 Successor to the NetScreen/ScreenOS products
 Uses JUNOS – a high performance routing OS
 Two platform families
 Enterprise and datacenter (SRX1400 to SRX5800)
 Small, distributed enterprise (SRX100 to SRX650)

AppSecure addresses next-generation firewall features
 NGFW feature components added to Stateful inspection
 AppTrack (visibility), AppFW (id apps), AppQoS (QoS) and AppDoS (DoS)

Application identification and control are performed after an initial port-based
firewall decision is made
7 | ©2014, Palo Alto Networks. Confidential and Proprietary.
AppSecure
8 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Three Reasons to Migrate
Top 3 Reasons to Migrate
1. Context-based policy management
2. Positive control model?
3. APT prevention
10 | ©2014, Palo Alto Networks. Confidential and Proprietary.
slideshare-uploading
application function
pdf
file type
slideshare
344
KB
application
shipment.exe
roadmap.pdf
file name
HTTP
unknown
file-sharing
protocol
URL category
SSL
china
canada
protocol
destination country
172.16.1.10
tcp/443
64.81.2.23
source IP
destination port
destination IP
prodmgmt
group
context-based policy management
bjacobs
user
Shared Context Highlights the Value of Integration
Apps | Functions | Users | IPS | AV | AS | Malware | QoS | Files | Patterns
Safe Enablement Policies
Applications
------Users
------Content
Reporting | Logging | Forensics | Panorama
12 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Operational Efficiency: Unified Policy Control
Users/User Groups
Application
Threat Prevention
Antivirus
Anti-Spyware
Vulnerability Protection
URL Filtering
WildFire
Single Policy for application, user and content (threat prevention)
13 | ©2014, Palo Alto Networks. Confidential and Proprietary.
AppSecure Management
Different policy
management components

AppSecure Management Challenges


Multiple management components required – Space, CLI, STRM = more work, less visibility &
control, slows responsiveness
User information is not natively integrated – requires UAC + Pulse = more work, more devices and
components to manage, less effective
14 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Application Control in the Firewall
X
Firewall
Allow Facebook
App-ID
Policy Decision
positive control
Key Difference
Benefit
Single firewall policy
•
Less work, more secure. Administrative effort is reduced; potential
reconciliation holes eliminated.
Positive control model
•
Allow by policy, all else is denied. It’s a firewall.
Single log database
•
Less work, more visibility. Policy decisions based on complete information.
Systematically manage unknowns
•
Less work, more secure. Quickly identify high risk traffic and systematically
manage it.
Shared context
•
Less work, more secure. App, content and user are pervasive - visibility,
policy control, logging, reporting
15 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Application Control as an Add-on
Firewall
tcp service
on port 80
Allow port 80
Policy
Decision #1
App-Control
Add-on
Applications
Policy
Decision #2
Open ports to
allow the application
Allow Facebook
Facebook allowed…what
about the other 299 apps?
Key Difference
Ramifications
Two separate policies
•
•
More Work. Two policies, more admin effort
Possible security holes. No policy reconciliation tools
Two separate policy decisions
•
Weakens the deny-all-else premise. Applications allowed by FW decision
Two separate log databases
•
Less visibility with more effort. Informed policy decisions require more effort ,
slows reaction time
No concept of unknown traffic
•
•
Increased risk. Unknown is found on every network = low volume, high risk
More work, less flexible. Significant effort to investigate; limited management
No shared context
•
More work, less knowledge, slows reaction time. Finding and correlating app,
user, content requires significant effort
16 | ©2013 Palo Alto Networks. Confidential and Proprietary.
*Based on Palo Alto Networks Application Usage and Risk Report
A Unique Approach to Protecting your Network
APT protection
 Scan ALL applications (including SSL traffic) to secure all avenues
in/out of a network, reduce the attack surface area, and provide
context for forensics
 Prevent attacks across ALL attack vectors (exploit, malware, DNS,
command & control, and URL) with content-based signatures
 Detect zero day malware & exploits using public/private cloud and
automatically creates signatures for global customer base
17 | ©2014 Palo Alto Networks. Confidential and Proprietary.
WildFire: Stopping the Unknowns


10Gbps advanced threat visibility
and prevention on all traffic, all ports
(web, email, SMB, etc.)
Global intelligence
and protection
delivered to all users
Malware run in the cloud with open
internet access to discover C2
protocols, domains, URLs and
staged malware downloads

New malware signatures
automatically created by WildFire
and delivered to customers globally

Stream-based malware engine
performs ongoing in-line
enforcement

On-premises WildFire appliance
available for additional data privacy
Command-and-control
Staged malware downloads
Host ID and data exfil
Anti-malware signatures
DNS intelligence
Malware URL database
Anti-C2 signatures
WildFire
TM
WildFire Appliance
(optional)
WildFire Users
18 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Soak sites, sinkholes,
3rd party sources
Feb 2014: Continued Security Business Uncertainty
The company could cut $200 million in annual operating
costs and buy back $2.5 billion in stock immediately and an
additional $1 billion in 2015, Elliott said in a presentation of
its proposals. Juniper should also review its security and
switching businesses to streamline products, and “focus on
projects and areas where Juniper has clear competencies
and the greatest risk-adjusted return on investment,” Elliott
said.
security commitment?
19 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Our next-generation enterprise security platform
Threat Intelligence Cloud
Next-Generation Firewall
 Gathers potential threats from network and
endpoints
 Inspects all traffic
 Blocks known threats
 Analyses and correlates threat intelligence
 Sends unknown to cloud
 Disseminates threat intelligence to network
and endpoints
 Extensible to mobile & virtual networks
Advanced Endpoint Protection
 Inspects all processes and files
 Prevents both known & unknown exploits
 Integrates with cloud to prevent known &
unknown malware
Migration Best Practices
From Consulting Services
Perceived Port/Protocol/IP Migration Challenges

Cost – people and time
 Perception of workload and a lot of tedious typing to migrate from your current
configuration

Risk
 Moving configurations can seem daunting and seem to involve a lot of risk

Legacy policy
 Policies were originally created with the mindset of port / protocol / IP and not
optimized for applications and users

Lost history
 Many companies face “policy bloat” and “cruft” in their firewall configurations
22 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Performing the Migration
An effective migration requires a combination of people, process, and
technology to efficiently and effectively migrate from legacy firewalls to
Palo Alto Networks
This approach reduces potential risks and lowers cost.
The engineers performing the task need
knowledge of the current platform and Palo
Alto Networks
Migration tools can
automate the routine
conversion tasks
reducing effort (cost)
and risk.
Any migration should
follow a proven
methodology and
process
(audit, analyze, migrate, cutover)
23 | ©2014 Palo Alto Networks. Confidential and Proprietary.
The Spectrum of Conversion Options
Many options exist when performing the initial conversion from IP/port/protocol
to user/application-based policies
There is a spectrum of options each with pros/cons and potential risk
Less risk
Lower effort
Small reward
More risk
Higher effort
Big reward
Initial policy / object conversion options
Migrate objects and
policies “as is”
24 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Policy / object
“cleanup”
Policy / object
“cleanup” + move
to application
policies
Migrate to
user/application
policies
Palo Alto Networks Firewall Migration Tool

Web 2.0 application in a VMWare image
 Parses configurations into a database backend and web UI frontend

Provides multiple options:
 Migrate objects & policies
 Migrate used or both used / unused objects

Allows “in-place” editing of PAN-OS objects, services & policies prior to
exporting

Doesn’t replace the need for people with expertise in the current technology
and PAN-OS

Goal of the tool is 85+% policy migration automation
25 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Migration Process - Walk Through

Migrate L4 to L4 (Phase I)
 Reduce amount of Rules “Combining” similar ones. By destination address for
example.
 Clean all the unused objects. Clean disabled rules.
 Change services based on other protocols than TCP/UDP to Palo Alto Networks
App-IDs. Example: IKE, IPSEC, GRE
 Change services with ALG to Palo Alto Networks App-IDs. Example: FTP, SIP
 Review & add all NAT rules. Check the security policies to match the destination
zones when destination NAT is defined.
26 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Example: Reducing Policy Rules

Due to the simplistic nature of the security rules, we can often combine many
policies into one, especially if we can utilize App-ID
27 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Migration Process - Walk Through (Cont’d)

Migrate from L4 to L7 (Phase II)
 Put the migrated L4 policy in your Palo Alto Networks device. Connect to your
network.
 In-line ( L3 , L2, VWire ).
 Off-line (TAP mode).
 From this moment the Palo Alto Networks device will classify all the traffic in your
network. That means it will identify all the applications and generate all the log
entries for the application traffic.
 From the current logs we can extract the applications seen by each rule and we
can start to swap from L4 Services to App-ID without to break anything.
28 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Additional Migration Considerations

Once we have changed services by App-ID, change the service to
“application-default” or leave the previous port. Reduce the surface to detect
the application to this port if it always uses the same.

Control the Unknown
 From the logs check for unknown traffic (tcp/udp/p2p) and generate custom
signatures to identify custom apps. Use Application Override when need.
 If you have URL filtering activated check for app we-browsing and the Category is
“unknown”. Generate proper App-id to identify this traffic as your custom app
instead of web-browsing. This is more efficient.
 Block all the unknown.

Threat Prevention
 Activate WildFire where the apps can transfer files (PE, PDF, Office, APK, Jar).
 Activate IPS/AV/SPY profiles to your rules. Use the migration tool to do it massively.

User-ID
 Integrate with your user repository to move from static ip address to users and
groups. Improve visibility and win in mobility.
29 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Migration Tool – Juniper Caveats

Objects in Address-Books
 Check if an object was defined in many address-books (based by zone) If equal,
import only once.
 Check if the IP address/ port is different based in the zone. If different, use different
names to avoid duplicates errors.

Policies and Zones
 Reduction of policies only because we can use more than one zone by rule or use
the zone ANY. Potential for significant rule reductions here.
 Customer with 4,623 rules. Direct reduction by 3 only playing with zones.
30 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Best Practices to Make Your Migration Successful
1. Align people, process and technology
2. Understand conversion options and optimize policies (ports vs. apps)
3. Utilize migration tool to automate conversion tasks (Objects, Rule base)
4. Validation of accuracy and verification of changes
5. Post migration
 Implement custom App-IDs
 Rule cleanup - “Highlight Unused Policies” feature to cleanup post-migration
 Enable additional security features (User-ID, Content-ID, WildFire, etc…)
31 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Get Your Free AVR Report
Find out which applications and threats are on your network with
a FREE assessment from Palo Alto Networks
Palo Alto Networks Application Visibility and Risk Report (AVR) :
 Request an evaluation
 Place Palo Alto Networks inside your network
 We’ll tell you what applications and threats we see in your network!
Register today at: http://connect.paloaltonetworks.com/JuniperMigration
32 | ©2014, Palo Alto Networks. Confidential and Proprietary.