Presentacion Palo Alto Networks

  • 2,781 views
Uploaded on

Puedes ver en pocos minutos lo que se ha estado perdiendo...

Puedes ver en pocos minutos lo que se ha estado perdiendo...

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
2,781
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
0
Comments
0
Likes
4

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Managing the Security Risks and Business Rewards of Internet Applications © 2007 Palo Alto Networks. Proprietary and Confidential Page |
  • 2. Real Data – What’s on Enterprise Networks
    • Application usage assessment of 60 enterprises
      • 960,000 users
      • Across verticals: financial services, health care, manufacturing, government, retail, education
    • Important questions
      • How are networks being used?
      • What applications are running on enterprise networks?
      • Which applications are considered high-risk?
      • What are the risks associated with the existing application mix?
      • What threats are on enterprise networks?
    © 2008 Palo Alto Networks. Proprietary and Confidential. Page |
  • 3. Key Findings – the Internet is the Network
    • HTTP has become the universal application protocol
      • All types of applications have converged on HTTP
    • Video consumes the greatest amount of bandwidth
      • Streaming media applications consume far more enterprise bandwidth than file sharing
    • Applications are the major unmanaged threat vector
      • Most common threats ride on the most common applications
    © 2008 Palo Alto Networks. Proprietary and Confidential. Page |
  • 4. Internet Business Applications Are Common © 2008 Palo Alto Networks. Proprietary and Confidential. Page |
    • Google applications (Docs, Calendar) found in most organizations
    • Collaborative/utility apps are high risk (file transfer, evasive, etc.)
    • Used in nearly all of the organizations studied
  • 5. Video is Everywhere and YouTube is King © 2008 Palo Alto Networks. Proprietary and Confidential. Page |
    • Streaming media in every enterprise
    • Consumes 10% of total bandwidth
    • Video is biggest consumer
    • Streaming media uses 30x more bandwidth than file sharing
    • YouTube is king
    • Even P2P is going streaming video (43%), but file sharing is going browser-based
  • 6. New Threats at the Application Layer © 2008 Palo Alto Networks. Proprietary and Confidential. Page |
    • Threats are now targeting applications – including media applications
    • 86% of organizations had “drive by” download exploits of browser apps
    • Every organization experiences spyware (200 different varieties)
    Most Frequently Targeted Media Applications
  • 7. Savvy Users Know How To Get Around Security © 2008 Palo Alto Networks. Proprietary and Confidential. Page |
    • Users circumvent IT security controls
      • Public proxy services/private proxies at home
      • Encrypted tunnels
  • 8. Example: UltraSurf
    • Tunneling/anonymizing client
    • Client-server
    • Web surf any site, bypassing all traditional security controls
      • Firewall
      • IPS/IDS
      • URL filtering
    • But…it presents risk
      • File transfer
      • Evasive
      • Prone to misuse
      • Tunnels other applications
    UltraSurf is a Risky Application – With Questionable Value
  • 9. Example: Groove
    • Collaborative workspace
    • Peer-to-peer
    • Effective, just-in-time shared workspace
    • But…it presents risk
      • File transfer
      • Malware
      • Evasive
      • Prone to misuse
    Business Applications Present Risk Too
  • 10. Example: eBuddy
    • Instant messaging aggregator application
    • Browser-based
    • Log in to all of your IM networks from a single web page
    • But…it presents risk
      • File transfer
      • Malware
      • Evasive
      • Tunnels other applications
    Personal Applications Might Be Used for Business
  • 11. Inability to Manage Application Risks and Rewards ? ? ? ? ? ? ? ? ?
    • Risks
      • Lower employee productivity
      • Compliance
      • Loss of sensitive data
      • Higher operational cost
      • Business disruption
    • Rewards
      • Increased collaboration
      • Market expansion
      • Higher productivity
      • Reduced time to market
      • Lower operational costs
  • 12. Firewalls Have Not Kept Pace with Applications © 2008 Palo Alto Networks. Proprietary and Confidential. Page | Collaboration / Media SaaS Personal
    • Hundreds of applications, users, and threats may be passing through your firewall . . .
    . . . but the only things you see are ports, protocols, and IP addresses.
  • 13. As a result, IT is Confronted with 5 Problems
    • Most IT organizations don’t really know what’s on their networks
    • User policies may exist, but can’t be enforced
    • More devices added to compensate for firewall ineffectiveness
    • Network security becoming more expensive, harder to manage, and less effective
    • Risks are increasing, rewards are decreasing
  • 14. Requirements for Next Generation Firewalls © 2007 Palo Alto Networks. Proprietary and Confidential Page | © 2007 Palo Alto Networks. Proprietary and Confidential Page | New Requirements for the Firewall 1. Identify applications regardless of port, protocol, evasive tactic or SSL 2. Identify users regardless of IP address 3. Granular visibility and policy control over application access / functionality 4. Protect in real-time against threats embedded across applications 5. Multi-gigabit, in-line deployment with no performance degradation
  • 15. About Palo Alto Networks
    • Founded in 2005 by Nir Zuk, inventor of stateful inspection technology
    • World class team with strong security and networking experience
    • Innovative next generation firewalls identify and control 700+ applications
    • Named Gartner Cool Vendor in 2008; 2008 Best of Interop Grand Prize
    © 2008 Palo Alto Networks. Proprietary and Confidential Page |
  • 16. Identification Technologies Help Manage Risk
    • App-ID
    • Identify the application
    • User-ID
    • Identify the user
    • Content-ID
    • Scan the content
    © 2008 Palo Alto Networks. Proprietary and Confidential. Page |
  • 17. Restored Visibility and Control of the Network
      • User Port Protocol Application
    • Port 80 is much more than Web browsing. . .
      • 216.27.61.137 80 HTTP Web Browsing?
      • Mary Jones 80 IM Yahoo-IM
    • Port 443 is an encrypted mystery . . .
      • 136.49.15.395 443 HTTPs Secure banking?
      • Paul King 443 email Google g-Mail
    • Other ports are being exploited . . .
      • 315.44.29.603 2543 SIP VOIP?
      • John Smith many Gnutella Limewire P2P
  • 18. Innovative Visibility and Reporting Tools
  • 19. Managing Risks and Rewards of Internet Applications Application Visibility and Control
    • Risks
      • Lower employee productivity
      • Compliance
      • Loss of sensitive data
      • Higher operational cost
      • Business disruption
    • Rewards
      • Increased collaboration
      • Market expansion
      • Higher productivity
      • Reduced time to market
      • Lower operational costs
  • 20. Palo Alto Networks Next Generation Firewalls Performance Remote Office/ Medium Enterprise Large Enterprise 1 Gbps 500 Mbps 2 Gbps 10 Gbps 10 Gbps + 10G ports PA-2000 Series PA-4000 Series
  • 21. Performance Tuned Hardware Architecture
    • Flash Matching HW Engine
    • Palo Alto Networks’ uniform signatures
    • Multiple memory banks – memory bandwidth scales performance
    • Multi-Core Security Processor
    • High density processing for flexible security functionality
    • Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
    • Dedicated Control Plane
    • Highly available mgmt
    • High speed logging and route updates
    10Gbps Dual-core CPU RAM RAM HDD
    • 10 Gig Network Processor
    • Front-end network processing offloads security processors
    • Hardware accelerated QoS, route lookup, MAC lookup and NAT
    CPU 16 . . SSL IPSec De-Compression CPU 1 CPU 2 10Gbps Control Plane Data Plane RAM RAM CPU 3 QoS Route, ARP, MAC lookup NAT Flash Matching Engine RAM RAM RAM RAM
  • 22. Flexible Deployment Options © 2007 Palo Alto Networks. Proprietary and Confidential Page | Firewall Replacement
    • Replace existing firewall
    • Provides application and network-based visibility and control, consolidated policy, high performance
    Application Visibility
    • Connect to span port
    • Provides application visibility without inline deployment
    Transparent In-Line
    • Deploy transparently behind existing firewall
    • Provides application visibility & control without networking changes
  • 23. Leading Organizations Trust Palo Alto Networks © 2007 Palo Alto Networks. Proprietary and Confidential Page | Health Care Financial Services Government Mfg / High Tech / Energy Education Services Media / Entertainment / Retail
  • 24. Thank You! © 2007 Palo Alto Networks. Proprietary and Confidential Page |
  • 25. App-ID: Comprehensive Application Visibility
    • Policy-based control more than 700 applications distributed across five categories and 25 sub-categories
    • Balanced mix of business, internet and networking applications and networking protocols
    • ~ 5 new applications added weekly
    © 2008 Palo Alto Networks. Proprietary and Confidential. Page |
  • 26.
    • Users no longer defined solely by IP address
      • Leverage existing Active Directory infrastructure
    • Understand users application and threat behavior based on actual AD username, not just IP
    • Manage and enforce policy based on user and/or AD group
    • Investigate security incidents, generate custom reports
    User-ID: Enterprise Directory Integration © 2008 Palo Alto Networks. Proprietary and Confidential. Page |
  • 27. Content-ID: Real-Time Content Scanning
    • Detect and block a wide range of threats, limit unauthorized file transfers and control non-work related web surfing
      • Stream-based, not file-based, for real-time performance
        • Uniform signature engine scans for broad range of threats in single pass
        • Vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)
      • Block a wide range of file transfers by type
        • Looks into file to determine type – not extension based
      • Web filtering enabled via fully integrated URL database
        • 20M URLs across 54 categories
        • Local database ensure highly scalable solution (1,000’s URLs/sec)
    © 2008 Palo Alto Networks. Proprietary and Confidential. Page |