Palo Alto Networks Next

Download Report

Transcript Palo Alto Networks Next

Palo Alto Networks
Solution Overview
May 2010
Denis Pechnov
Sales, EMEA
About Palo Alto Networks
• Founded in 2005 by security visionaries and engineers from
NetScreen, Juniper Networks, McAfee, Blue Coat, Cisco, …
• Build innovative Next Generation Firewalls that control
more than 900 applications, users & data carried by them
• Backed by $65 Million in venture capital from leading Silicon
Valley investors including Sequoia Capital, Greylock
Partners, Globespan Capital Partners, …
• Global footprint with over 1000 customers, we are passionate
about customer satisfaction and deliver 24/7 global support
and have presence in 50+ countries
• Independent recognition from analysts like Gartner
Page 2 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Why is there a need for a NGFW?
The Social Enterprise 2.0
Page 3 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Enterprise 2.0 Applications Take Many Forms
5 Things You Need To Know About Enterprise 2.0
1.
Driven by new generation of addicted Internet users – smarter than you?
2.
Full, unrestricted access to everything on the Internet is a right
3.
They’re creating a giant social system - collaboration, group knowledge
4.
Not waiting around for IT support or endorsement – IT is irrelevant
5.
Result - a Social Enterprise full of potential risks … and rewards
Risks
Work Life
Internet
Rewards
Enterprise
Home Life
What the 2010 User’s Expectation
How Will You Respond To This Challenge?
• How can you regain control of enterprise 2.0?
• What value do these applications provide to your business?
• What is your organization’s risk tolerance for these
applications?
• How can you “safely enable” the right applications?
• Where do you start?
Start by Understanding What’s Really Happening
• Application Usage and Risk Report
-
-
-
Findings

347 large enterprises worldwide

750+ different Internet applications

Employees have created Enterprise 2.0
Rewards

Enterprises are embracing social networking apps

Proven to deliver measurable value to business
Risks

Incoming threats are increasing

Potential for data leakage is increasing

Existing security infrastructure ineffective
•Page 8 |
What’s the Problem?
Enterprise End Users Do What They Want!
•
The Application Usage & Risk Report from Palo Alto Networks highlights actual behavior of millions of
users across hunderds of organizations:
-
Applications are designed for accessibility.

-
Applications that enable users to circumvent security controls are common.

-
P2P was found 92% of the time, with BitTorrent and Gnutella as the most common of 21 variants found. Browser-based
file sharing was found 76% of the time with YouSendit! and MediaFire among the most common of the 22 variants.
Enterprises are spending heavily to protect their networks – yet they cannot control the applications on
the network.
-
•
Proxies Bypass Tools that are typically not endorsed by corporate IT (CGIProxy, PHProxy, Hopster) and remote desktop
access applications (LogMeIn!, RDP, PCAnywhere) were found 81% and 95% of time, respectively. Encrypted tunnel
applications such as SSH, TOR, GPass, and Gbridge were also found.
File sharing usage is rampant.

•
More than half (57%) of the 700+ applications found can bypass security infrastructure – hopping from port to port, using
port 80 or port 443.
Collectively, enterprises spend more than $6 billion annually on firewall, IPS, proxy and URL filtering products. The
analysis showed that 100% of the organizations had firewalls and 87% also had one or more of these firewall
helpers (a proxy, an IPS, URL filtering) – yet they were unable to exercise control over the application traffic
traversing the network.
Business Risks: Productivity, Compliance, Operational Cost, Business Continuity and Data Loss
Page 10 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Seeing is Believing
• Request a free 30-
day evaluation
• Request a free
Application
Visibility and Risk
report
• Take back control of
Page 11 |
your social
enterprise
© 2009 Palo Alto Networks. Proprietary and Confidential.
The Cause:
Applications Have Changed – Firewalls nor Firewall Helpers Have
• Firewalls should
see and control
applications,
users, and threats
. . .
• . . . but they only
show you ports,
protocols, and IP
addresses –all
meaningless!
Page 12 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Need
to Restore Visibility and Control in the Firewall
Sprawl Is Not The Answer
Internet
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Putting all of this in the same box is just slow
Page 13 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
SO WHAT IS THE SOLUTION?
Page 14 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Gartner, Forrester, …
• Forrester
-
If you do not have IPS you deserve to be hacked.
• Gartner
-
John Pescatore and Grey Young publish a note on October 12th 2009.
-
Key Findings
-

The stateful protocol filtering and limited application awareness offered by first
generation firewalls are not effective in dealing with current and emerging threats.

Next-generation firewalls (NGFWs) are emerging that can detect applicationspecific attacks and enforce application-specific granular security policy, both
inbound and outbound.
Recommendations

If you have not yet deployed network intrusion prevention, require NGFW
capabilities of all vendors at your next firewall refresh point.

If you have deployed both network firewalls and network intrusion prevention,
synchronize the refresh cycle for both technologies and migrate to NGFW
capabilities.
Palo Alto Networks Next-Generation Firewall
New Requirements for the Firewall
1. Identify applications regardless of
port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Fine-grained visibility and policy control
over application access / functionality
4. Protect in real-time against threats
embedded across applications
5. Multi-gigabit, in-line deployment with
no performance degradation
Page 18 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Unique Technologies Transform the Firewall
App-ID
Identify the application
User-ID
Identify the user
Content-ID
Scan the content
Page 19 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per
packet
-
Traffic classification (app
identification)
-
User/group mapping
-
Content scanning –
threats, URLs,
confidential data
• One policy
Parallel Processing
• Function-specific
hardware engines
• Separate data/control
planes
Up to 10Gbps, Low Latency
Page 20 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Purpose-Built Architecture: PA-4000 Series
RAM
Flash
Matching
Engine
Dedicated Control Plane
• Highly available mgmt
• High speed logging and
route updates
RAM
RAM
RAM
Flash Matching HW Engine
• Palo Alto Networks’ uniform signatures
• Multiple memory banks – memory
bandwidth scales performance
10Gbps
RAM
Dual-core
CPU
CPU
1
CPU
2
CPU
3
..
RAM
CPU
16
RAM
RAM
HDD
SSL
IPSec
DeCompression
Multi-Core Security Processor
• High density processing for flexible
security functionality
• Hardware-acceleration for standardized
complex functions (SSL, IPSec,
decompression)
10Gbps
QoS
Control Plane
Page 21 |
© 2008 Palo Alto Networks. Proprietary and Confidential.
Route,
ARP,
MAC
lookup
NAT
10 Gig Network Processor
• Front-end network processing offloads
security processors
• Hardware accelerated QoS, route lookup,
MAC lookup and NAT
Data Plane
Visibility into Application, Users & Content
• Application Command Center (ACC)
-
View applications, URLs, threats, data
filtering activity
• Mine ACC data, adding/removing filters as
needed to achieve desired result
Filter on Skype
Page 22 |
Filter on Skype
and user harris
© 2009 Palo Alto Networks. Proprietary and Confidential.
Remove Skype to
expand view of harris
Enables Visibility Into Applications, Users, and Content
Page 23 |
© 2008
2009 Palo Alto Networks. Proprietary and Confidential.
PAN-OS Features
Visibility and control of applications, users and content are
complemented by core firewall features
• Strong networking
foundation
-
-
Dynamic routing (OSPF,
RIPv2)
Site-to-site IPSec VPN
SSL VPN for remote access
Tap mode – connect to SPAN
port
Virtual wire (“Layer 1”) for true
transparent in-line deployment
L2/L3 switching foundation
• QoS traffic shaping
-
Max/guaranteed and priority
By user, app, interface, zone,
and more
• Zone-based architecture
-
PA-4060
• High Availability
-
Active / passive
Configuration and session
synchronization
Path, link, and HA monitoring
PA-4050
PA-4020
• Virtual Systems
-
Establish multiple virtual firewalls
in a single device (PA-4000
Series only)
• Simple, flexible
management
-
Page 24 |
All interfaces assigned to security
zones for policy enforcement
© 2009 Palo Alto Networks. Proprietary and Confidential.
CLI, Web, Panorama, SNMP,
Syslog
PA-2050
PA-2020
PA-500
Our Platform Family…
10Gbps; 5Gbps threat
prevention (XFP interfaces)
Performance
10Gbps; 5Gbps threat
prevention
2Gbps; 2Gbps threat
prevention
•PA-4000 Series
•1Gbps; 500Mbps threat
prevention
•500Mbps; 200Mbps
threat prevention
•250Mbps; 100Mbps
threat prevention
Remote Office/
Medium Enterprise
Page 25 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
•PA-2000 Series
•PA-500
Large
Enterprise
Palo Alto Networks Next-Gen Firewalls
PA-4060
PA-4050
PA-4020
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
10 Gbps FW
5 Gbps threat prevention
2,000,000 sessions
4 XFP (10 Gig) I/O
4 SFP (1 Gig) I/O
10 Gbps FW
5 Gbps threat prevention
2,000,000 sessions
16 copper gigabit
8 SFP interfaces
2 Gbps FW
2 Gbps threat prevention
500,000 sessions
16 copper gigabit
8 SFP interfaces
PA-2050
PA-2020
PA-500
•
•
•
•
•
•
•
•
•
•
•
•
•
•
1 Gbps FW
500 Mbps threat prevention
250,000 sessions
16 copper gigabit
4 SFP interfaces
Page 26 |
500 Mbps FW
200 Mbps threat prevention
125,000 sessions
12 copper gigabit
2 SFP interfaces
© 2009 Palo Alto Networks. Proprietary and Confidential
250 Mbps FW
100 Mbps threat prevention
50,000 sessions
8 copper gigabit
Flexible Deployment Options
Visibility
• Application, user and content
visibility without inline
deployment
Page 27 |
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL
filtering
© 2009 Palo Alto Networks. Proprietary and Confidential.
Firewall Replacement
• Firewall replacement with app
visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Fix The Firewall – and Save Money!
Capital cost – replace multiple devices
•
Legacy firewall, IPS, URL filtering device (e.g.,
proxy, secure web gateway)
-
Cut by as much
as 80%
“Hard” operational expenses
•
Support contracts
Subscriptions
Power and HVAC
-
Save on “soft” costs too
•
-
Page 28 |
Rack space, deployment/integration, headcount,
training, help desk calls
© 2009 Palo Alto Networks. Proprietary and Confidential.
Cut by as much
as 65%
Now We Fixed The Firewall…
What’s Next?
Global Protect!
Solved the “Inside” Problem - But Users Leave…
Apps
How do you secure your applications and your users when
they are both moving off the “controlled” network?
DATA
Users
Headquarters
Branch Office
Enterprise Secured
Hotel
Home
Open to threats, app usage, & more
Get the Same Visibility and Control for All Users
Apps
Palo Alto Networks GlobalProtectTM will enable organizations
to safely enable applications, regardless of user location
Users
Headquarters
Branch Office
Enterprise Secured
Hotel
Home
Enterprise Secured
Palo Alto Networks Continuing to Innovate
• Enterprises basing network security on Palo Alto Networks
next-generation firewalls
• GlobalProtectTM will bring roaming users into next-
generation firewall-based control
-
Applications/Users/Content
• GlobalProtectTM will support Windows-based machines
initially
-
Windows 7 (32 & 64-bit)
-
Windows Vista (32 & 64-bit)
-
Windows XP
• Pricing: subscription (per firewall, not user-based)
• Available end of 2010
Page 32 |
© 2010 Palo Alto Networks. Proprietary and Confidential.
Next-Generation Firewalls Are Network Security
Page 33 |
© 2010 Palo Alto Networks. Proprietary and Confidential.
What about the Middle East?
• Higher College of Technology in Abu Dhabi
• American University of Sharjah
• Abu Dhabi Government Services
• Cairo Aman Bank in Jordan
• Dubai World
• …
Page 34 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Thank You
Additional
Information
Next-Generation Firewall Solutions
Page 37 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Legendary Customer Support Experience
• Strong TSE team with deep network
security and infrastructure knowledge
-
Experience with every major firewall
-
TSEs average over 15 years of
experience
• TSEs co-located with engineering –
in Sunnyvale, CA
Customer support has always been
amazing. Whenever I call, I always get
someone knowledgeable right away, and
never have to wait. They give me the
answer I need quickly and completely.
Every support rep I have spoken with
knows his stuff.
-Mark Kimball, Hewlett-Packard
• Premium and Standard offerings
• Rave reviews from customers
Customer support has been extraordinarily
helpful – which is not the norm when
dealing with technology companies. Their
level of knowledge, their willingness to
participate – it’s night and day compared
to other companies. It’s an incredible
strength of Palo Alto Networks.
-James Jones, UPMC
Page 38 |
© 2007
2009 Palo Alto Networks. Proprietary and Confidential
Confidential.
Site-to-Site and Remote Access VPN
Site-to-site VPN connectivity
Remote user connectivity
• Secure connectivity
-
Standards-based site-to-site IPSec VPN
-
SSL VPN for remote access
• Policy-based visibility and control over applications, users and content for all
VPN traffic
• Included as features in PAN-OS at no extra charge
Page 39 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Traffic Shaping Expands Policy Control Options
• Traffic shaping policies ensure business applications are not bandwidth
starved
-
Guaranteed and maximum bandwidth settings
-
Flexible priority assignments, hardware accelerated queuing
-
Apply traffic shaping policies by application, user, source, destination,
interface, IPSec VPN tunnel and more
• Enables more effective deployment of appropriate application usage
policies
• Included as a feature in PAN-OS at no extra charge
Page 40 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Flexible Policy Control Responses
• Intuitive policy editor enables appropriate usage policies with flexible policy responses
• Allow or deny individual application usage
• Allow but apply IPS, scan for viruses, spyware
• Control applications by category, subcategory, technology
or characteristic
• Apply traffic shaping (guaranteed, priority, maximum)
• Decrypt and inspect SSL
• Allow for certain users or groups within AD
• Allow or block certain application functions
• Control excessive web surfing
• Allow based on schedule
• Look for and alert or block file or data transfer
Page 41 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
App-ID: Comprehensive Application Visibility
• Policy-based control more than 800 applications distributed across five
categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking
protocols
• 3 - 5 new applications added weekly
• App override and custom HTTP applications help address internal applications
Page 42 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
-
Leverage existing Active Directory infrastructure without complex agent rollout
-
Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user application and threat behavior based on actual AD
username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
Page 43 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Content-ID: Real-Time Content Scanning
Detect and block a wide range of threats, limit unauthorized data transfer and
control non-work related web surfing
• Stream-based, not file-based, for real-time performance
-
Uniform signature engine scans for broad range of threats in single pass
Vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
-
-
Looks for CC # and SSN patterns
Looks into file to determine type – not extension based
• Web filtering enabled via fully integrated URL database
-
Local 20M URL database (76 categories) maximizes performance (1,000’s URLs/sec)
Dynamic DB adapts to local, regional, or industry focused surfing patterns
Page 44 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Sprawl Is Not The Answer
Internet
• Doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
Page 45 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
UTM Is Still Sprawl…Just Slower
Internet
• Doesn’t solve the problem
• Firewall “helper” functions have limited view
of traffic
• Turning on functions kills performance
Page 46 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Traditional Multi-Pass Architectures are Slow
IPS Policy
AV Policy
URL Filtering Policy
IPS Signatures
AV Signatures
Firewall Policy
HTTP Decoder
IPS Decoder
AV Decoder & Proxy
Port/Protocol-based ID
Port/Protocol-based ID
Port/Protocol-based ID
Port/Protocol-based ID
L2/L3 Networking, HA,
Config Management,
Reporting
L2/L3 Networking, HA,
Config Management,
Reporting
L2/L3 Networking, HA,
Config Management,
Reporting
L2/L3 Networking, HA,
Config Management,
Reporting
Page 47 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per
packet
-
Traffic classification (app
identification)
-
User/group mapping
-
Content scanning –
threats, URLs,
confidential data
• One policy
Parallel Processing
• Function-specific
hardware engines
• Separate data/control
planes
Up to 10Gbps, Low Latency
Page 48 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Enterprise Device and Policy Management
• Intuitive and flexible management
CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to appropriate person
-
• Panorama central management application
Shared policies enable consistent application control policies
- Consolidated management, logging, and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACC/monitoring views, log collection, and reporting
-
• All interfaces work on current configuration, avoiding sync issues
Page 49 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
PA-4000 Series Specifications
PA-4060
PA-4050
PA-4020
• 10 Gbps FW
• 5 Gbps threat
prevention
• 2,000,000 sessions
• 4 XFP (10 Gig) I/O
• 4 SFP (1 Gig) I/O
• 10 Gbps FW
• 5 Gbps threat
prevention
• 2,000,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
• 2 Gbps FW
• 2 Gbps threat
prevention
• 500,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
-
2U, 19” rack-mountable chassis
-
Dual hot swappable AC power supplies
-
Dedicated out-of-band management port
-
2 dedicated HA ports
-
DB9 console port
Page 50 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Purpose-Built Architecture: PA-4000 Series
RAM
Content
Scanning
Engine
Dedicated Control Plane
• Highly available mgmt
• High speed logging and
route updates
RAM
RAM
RAM
Content Scanning HW Engine
• Palo Alto Networks’ uniform signatures
• Multiple memory banks – memory
bandwidth scales performance
10Gbps
RAM
Dual-core
CPU
CPU
1
CPU
2
CPU
3
..
RAM
CPU
16
RAM
RAM
HDD
SSL
IPSec
DeCompression
Multi-Core Security Processor
• High density processing for flexible
security functionality
• Hardware-acceleration for standardized
complex functions (SSL, IPSec,
decompression)
10Gbps
QoS
Control Plane
Page 51 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Route,
ARP,
MAC
lookup
NAT
10 Gig Network Processor
• Front-end network processing offloads
security processors
• Hardware accelerated QoS, route lookup,
MAC lookup and NAT
Data Plane
PA-2000 Series Specifications
PA-2050
PA-2020
•
•
•
•
•
1 Gbps FW
500 Mbps threat prevention
250,000 sessions
16 copper gigabit
4 SFP interfaces
•
•
•
•
•
-
1U rack-mountable chassis
-
Single non-modular power supply
-
80GB hard drive (cold swappable)
-
Dedicated out-of-band management port
-
RJ-45 console port, user definable HA port
Page 52 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
500 Mbps FW
200 Mbps threat prevention
125,000 sessions
12 copper gigabit
2 SFP interfaces
Purpose-Built Architecture: PA-2000 Series
RAM
Flash
Matching
Engine
Dedicated Control Plane
• Highly available mgmt
• High speed logging and
route updates
RAM
RAM
RAM
Flash Matching HW Engine
• Palo Alto Networks’ uniform
signatures
• Multiple memory banks – memory
bandwidth scales performance
1Gbps
RAM
Dual-core
CPU
CPU
1
CPU
2
CPU
3
RAM
CPU
4
RAM
RAM
HDD
SSL
IPSec
Multi-Core Security Processor
• High density processing for flexible
security functionality
• Hardware-acceleration for standardized
complex functions (SSL, IPSec)
1Gbps
Route,
ARP,
MAC
lookup
Control Plane
Page 53 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
NAT
Network Processor
• Front-end network processing
offloads security processors
• Hardware accelerated route lookup,
MAC lookup and NAT
Data Plane
PA-500 Specifications
Specs
General hardware
•
•
•
•
•
•
•
• 1U rack mountable
• Single non-modular power
supply
• 80GB hard drive
• Dedicated mgmt port
• RJ-45 console port
Page 54 |
250 Mbps FW
100 Mbps IPSec VPN
100 Mbps threat prevention
50,000 sessions
250 VPN tunnels
8 copper gigabit interfaces
Runs PAN-OS 3.0 and later
© 2009 Palo Alto Networks. Proprietary and Confidential.
PA-500 Purpose-Built Architecture
Dedicated Control Plane
• Highly available mgmt
• High speed logging and
route updates
RAM
Dual-core
CPU
CPU
1
CPU
2
CPU
3
SSL
RAM
CPU
4
RAM
RAM
IPSec
Multi-Core Security Processor
• High density processing for networking
and security functions
• Hardware-acceleration for standardized
complex functions (SSL, IPSec)
• Signature match virtual software engine
HDD
Control Plane
Data Plane
• Common dedicated data plane and control plane architecture
• Network processing and signature matching engine virtualized into the multi-core
security processor
• Same software architecture as all Palo Alto Networks platforms
Page 55 |
© 2009 Palo Alto Networks. Proprietary and Confidential.