Palo Alto Networks and Next Generation Firewall technology
Carlos Alberto Pérez, SE Manager for Latin America at Palo Alto Networks
  1. Palo Alto Networks Overview
     "the network security company" (tm)
     Carlos Alberto Pérez, Systems Engineer Manager LATAM, cperez@paloaltonetworks.com
  2. Palo Alto Networks at a Glance
     Corporate highlights
     •  Founded in 2005; first customer shipment in 2007
     •  Safely enabling applications
     •  Able to address all network security needs
     •  Exceptional ability to support global customers
     •  Experienced technology and management team
     •  1,000+ employees globally
     [Chart: Enterprise customers: 1,800 (Jul-10), 4,700 (Jul-11), 11,000 (Feb-13)]
     [Chart: Revenue in $MM, fiscal year ending July: FY09 $13, FY10 $49, FY11 $119, FY12 $255]
     ©2013, Palo Alto Networks. Confidential and Proprietary.
  3. Applications Have Changed, Firewalls Haven't
     •  Network security policy is enforced at the firewall
        -  Sees all traffic
        -  Defines the boundary
        -  Enables access
     •  Traditional firewalls don't work any more
  4. The Right Answer: Make the Firewall Do Its Job
     New requirements for the firewall
     1. Identify applications regardless of port, protocol, evasive tactic or SSL
     2. Identify users regardless of IP address
     3. Protect in real time against threats embedded across applications
     4. Fine-grained visibility and policy control over application access / functionality
     5. Multi-gigabit, in-line deployment with no performance degradation
  5. Enabling Applications, Users and Content
  6. Single-Pass Parallel Processing (SP3) Architecture
     Single Pass
     •  Operations once per packet
        -  Traffic classification (app identification)
        -  User/group mapping
        -  Content scanning: threats, URLs, confidential data
     •  One policy
     Parallel Processing
     •  Function-specific parallel processing hardware engines
     •  Separate data/control planes
     •  Up to 20 Gbps, low latency
  7. Application Control Belongs in the Firewall
     Application Control as an Add-on
     [Diagram: Traffic -> Firewall (port policy decision) -> IPS (app control policy decision) -> Applications]
     •  Port-based decision first, apps second
     •  Applications treated as threats; only block what you expressly look for
     Ramifications
     •  Two policies/log databases, no reconciliation
     •  Unable to effectively manage unknowns
     Application Control in the Firewall
     [Diagram: Traffic -> Firewall (app control policy decision; scan application for threats) -> Applications]
     •  Firewall determines application identity: across all ports, for all traffic, all the time
     •  All policy decisions made based on application
     Ramifications
     •  Single policy/log database; all context is shared
     •  Policy decisions made based on shared context
     •  Unknowns systematically managed
  8. NGFW in the Enterprise Network
     Perimeter
     •  App visibility and control in the firewall
     •  All apps, all ports, all the time
     •  Prevent threats: known threats; unknown/targeted malware
     •  Simplify security infrastructure
     Data Center
     •  Network segmentation based on application and user, not port/IP
     •  Simple, flexible network security; integration into all DC designs
     •  Highly available, high performance
     •  Prevent threats
     Distributed Enterprise
     •  Consistent network security everywhere: HQ, branch offices, remote and mobile users
     •  Logical perimeter: policy follows applications and users, not physical location
     •  Centrally managed
  9. Flexible Deployment Options
     Visibility
     •  Application, user and content visibility without inline deployment
     Transparent In-Line
     •  IPS with app visibility & control
     •  Consolidation of IPS & URL filtering
     Firewall Replacement
     •  Firewall replacement with app visibility & control
     •  Firewall + IPS
     •  Firewall + IPS + URL filtering
  10. WildFire Architecture
     •  WildFire Analysis Center
        -  Potentially malicious files from the Internet
        -  Protection delivered to all customer firewalls
     •  Policy-based forwarding to WildFire for analysis
     •  Sandbox-based analysis looks for over 80 malicious behaviors
     •  Generates a detailed forensics report
     •  Creates antivirus and C&C signatures
  11. The First 24 Hours is Critical
     [Chart: unlabelled quantity on the y-axis (0 to 9,000) against hours on the x-axis (1 to 35); * sample size = 50 malware files]
  12. What is the WF-500?
     •  Appliance-based version of the WildFire sandbox for on-premises, private cloud deployments
     •  Ideal for customers that want to avoid sending all files to the public cloud
     •  All files analyzed locally on the WF-500
     •  Identical detection as the public cloud
     •  Optionally sends confirmed malware to the WildFire public cloud for signature generation
     •  Provides a private cloud where all firewalls can integrate with the WF-500
     [Diagram: customer firewalls on the local customer network send all unknown files to the WF-500; the WF-500 optionally sends confirmed malware to the WildFire cloud, which returns signatures]
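The workflow of slides 10 through 12, written out as an added example (this is not Palo Alto Networks code, and it models the flow rather than the real analysis). A firewall forwards only files that match a forwarding policy and that have no cached verdict; an analysis center, standing in for either the public cloud or an on-premises WF-500, "sandboxes" them by looking up a constructed list of observed behaviours, records a verdict and a report, and publishes a hash-based signature that every subscribing firewall picks up on its next update. The file contents, the behaviour lists, the two-behaviour threshold, the forwarding policy and the firewall names are all constructed. One caveat the example makes visible: the first recipient of an unknown file is not protected, because the file is forwarded for analysis, not held; everyone after the signature push is.

```python
"""
Added example, not Palo Alto Networks code: a toy model of policy-based file
forwarding, sandbox verdicts and signature distribution. Everything here
(sample files, sandbox "observations", thresholds, names) is constructed.
"""
import hashlib
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    content: bytes
    file_type: str   # constructed type label: "pe", "pdf", "txt", ...
    direction: str   # "download" or "upload"


# Constructed forwarding policy: which (type, direction) pairs go to the sandbox.
FORWARD_POLICY = {("pe", "download"), ("pdf", "download"), ("pe", "upload")}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class AnalysisCenter:
    """Stands in for the WildFire cloud or a WF-500. Verdicts are keyed by SHA-256."""
    MALICIOUS_THRESHOLD = 2   # constructed: two or more observed behaviours => malware

    def __init__(self, behaviour_db, upstream=None):
        self.behaviour_db = behaviour_db  # constructed: hash -> behaviours "seen" in the sandbox
        self.upstream = upstream          # optional cloud that receives confirmed malware
        self.queue = deque()
        self.verdicts = {}
        self.signatures = set()           # hash-based signatures to publish to firewalls
        self.reports = {}

    def submit(self, sample):
        """Queue a file once; a file with a verdict or already queued is not re-analysed."""
        h = sha256(sample.content)
        if h not in self.verdicts and all(sha256(s.content) != h for s in self.queue):
            self.queue.append(sample)
        return h

    def run_analysis(self):
        """Drain the queue: 'sandbox' each file, record verdict and report, publish signatures."""
        while self.queue:
            sample = self.queue.popleft()
            h = sha256(sample.content)
            behaviours = self.behaviour_db.get(h, [])
            verdict = "malware" if len(behaviours) >= self.MALICIOUS_THRESHOLD else "benign"
            self.verdicts[h] = verdict
            self.reports[h] = {"file": sample.name, "behaviours": behaviours}
            if verdict == "malware":
                self.signatures.add(h)
                if self.upstream is not None:   # WF-500 sharing confirmed malware upstream (optional)
                    self.upstream.ingest_confirmed(h, behaviours)

    def ingest_confirmed(self, h, behaviours):
        self.verdicts[h] = "malware"
        self.signatures.add(h)
        self.reports[h] = {"file": "<shared by private appliance>", "behaviours": behaviours}


class Firewall:
    def __init__(self, name, center):
        self.name, self.center = name, center
        self.local_signatures = set()

    def update_signatures(self):
        self.local_signatures |= self.center.signatures

    def handle(self, sample):
        h = sha256(sample.content)
        if h in self.local_signatures:
            return "block:signature"
        if (sample.file_type, sample.direction) not in FORWARD_POLICY:
            return "allow:not-forwarded"
        if self.center.verdicts.get(h) == "benign":
            return "allow:known-benign"
        self.center.submit(sample)
        # The file is not held while the sandbox runs: the first recipient gets it.
        return "allow:forwarded"


def run_scenario():
    """Two firewalls behind one private WF-500 that shares confirmed malware with the cloud."""
    dropper = Sample("invoice.exe", b"MZ\x90\x00constructed-dropper", "pe", "download")
    clean = Sample("report.pdf", b"%PDF-1.7 constructed clean", "pdf", "download")
    note = Sample("readme.txt", b"plain text", "txt", "download")
    behaviours = {   # constructed sandbox observations
        sha256(dropper.content): ["writes-to-startup", "connects-to-c2"],
        sha256(clean.content): [],
    }
    cloud = AnalysisCenter({})                           # public cloud, no local observations
    wf500 = AnalysisCenter(behaviours, upstream=cloud)   # on-premises appliance
    hq, branch = Firewall("fw-hq", wf500), Firewall("fw-branch", wf500)
    log = [("fw-hq", s.name, hq.handle(s)) for s in (dropper, clean, note)]
    wf500.run_analysis()                                 # the gap before protection exists
    for fw in (hq, branch):
        fw.update_signatures()
    log.append(("fw-branch", dropper.name, branch.handle(dropper)))
    log.append(("fw-branch", clean.name, branch.handle(clean)))
    return log, wf500, cloud


if __name__ == "__main__":
    for entry in run_scenario()[0]:
        print(entry)
```

Hash-keyed verdicts are what make the model scale: a file seen once anywhere is never sandboxed again, and the same hash is what the generated signature matches. That is also the model's limit; a trivially recompiled or repacked sample has a new hash and starts the cycle over, which is why the slide pairs the hash signatures with C&C signatures.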
  13. Palo Alto Networks Next-Gen Firewalls
     Model     Firewall   Threat Prevention   Sessions    Interfaces
     PA-200    100 Mbps   50 Mbps             64,000      4 copper gigabit
     PA-500    250 Mbps   100 Mbps            64,000      8 copper gigabit
     PA-3020   2 Gbps     1 Gbps              250,000     8 SFP, 12 copper gigabit
     PA-3050   4 Gbps     2 Gbps              500,000     8 SFP, 12 copper gigabit
     PA-5020   5 Gbps     2 Gbps              1,000,000   8 SFP, 12 copper gigabit
     PA-5050   10 Gbps    5 Gbps              2,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
     PA-5060   20 Gbps    10 Gbps             4,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
  14. Segmenting Traffic in the Virtual Datacenter
     •  Hardware firewalls will continue to be deployed to secure and segment datacenters at the edge and for legacy servers
     •  VM-Series introduces the ability for secure segmentation to be done within VMware ESXi
     [Diagram: two VLANs segmented inside the ESXi host]
  15. Panorama Distributed Architecture
     •  With M-100, manager and log collector functions can be split
     •  Deploy multiple log collectors to scale the collection infrastructure
  16. New Threats Require a Different Model for IPS Functions
     •  Stand-alone IPS has a negative security model: it can only "find it and kill it"
     •  Stand-alone IPS can't see into growing volumes of SSL-encrypted traffic, nor into compressed content
     •  Next-generation firewalls enable an "allow application, but scan for threats" policy response
     •  Gartner's recommendation: move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS, or the combination of the two
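The two policy models of slide 7 and the "allow application, but scan for threats" response of slide 16, as an added example that is not Palo Alto Networks code. Model A decides on the destination port first and lets an IPS add-on with a blocklist look at the application afterwards; Model B identifies the application from content before any rule is consulted, has one ordered policy whose actions include allow, allow-scan and deny, and gives unknown traffic its own explicit rule. The four content signatures, the addresses, the rule names, the actions and the sample flows are all constructed; a real App-ID decodes far more than four protocols and the point here is the order of decisions, not the classifier.

```python
"""
Added example, not Palo Alto Networks code: port-first policy with an IPS
add-on versus application-first policy with one rulebase. Signatures,
addresses, rule names and flows are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-to-server bytes of the session


# Constructed content signatures: classify by what is on the wire, never by port.
APP_SIGNATURES = {
    "ssh": lambda p: p.startswith(b"SSH-2.0-"),
    "tls": lambda p: p[:3] == b"\x16\x03\x01",
    "http": lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"),
    "bittorrent": lambda p: p.startswith(b"\x13BitTorrent protocol"),
}


def identify_app(flow):
    for app, matches in APP_SIGNATURES.items():
        if matches(flow.payload):
            return app
    return "unknown"


# --- Model A: port-based firewall, then an IPS add-on -----------------------
PORT_POLICY = {80: "allow", 443: "allow"}   # every other port is denied
IPS_BLOCKLIST = {"bittorrent"}              # negative model: only what you expressly look for


def port_then_ips(flow):
    """Two decisions, two logs: the firewall sees a port, the IPS sees an app."""
    if PORT_POLICY.get(flow.dport, "deny") != "allow":
        return ("deny", "port-policy", "port")
    app = identify_app(flow)
    if app in IPS_BLOCKLIST:
        return ("deny", "ips-signature", app)
    return ("allow", "ips-default", app)    # unknown and mis-ported apps pass


# --- Model B: application-based firewall, one ordered policy ----------------
# (rule name, app or None for any, destination or None for any, action).
# First match wins. Actions: allow, allow-scan (allow but scan content), deny.
APP_POLICY = [
    ("web-out", "tls", None, "allow-scan"),
    ("web-out-clear", "http", None, "allow-scan"),
    ("admin-ssh", "ssh", "10.0.0.5", "allow"),
    ("block-unknown", "unknown", None, "deny"),   # unknowns handled explicitly
    ("deny-all", None, None, "deny"),
]


def app_based(flow):
    """One decision with shared context: application identity drives every rule."""
    app = identify_app(flow)
    for name, rule_app, rule_dst, action in APP_POLICY:
        if rule_app not in (None, app):
            continue
        if rule_dst not in (None, flow.dst):
            continue
        return (action, name, app)
    raise AssertionError("policy must end in a catch-all rule")


# Constructed flows: SSH tunnelled over 443, P2P on 443, an unknown on 80,
# genuine TLS on 443, and SSH to the one host where it is allowed.
SAMPLE_FLOWS = {
    "ssh-over-443": Flow("10.1.1.7", "203.0.113.9", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "bt-over-443": Flow("10.1.1.8", "198.51.100.4", 443, b"\x13BitTorrent protocol..."),
    "unknown-on-80": Flow("10.1.1.9", "198.51.100.5", 80, b"\x00\x01\x02beacon"),
    "real-tls": Flow("10.1.1.10", "203.0.113.10", 443, b"\x16\x03\x01\x02\x00\x01"),
    "ssh-to-bastion": Flow("10.1.1.11", "10.0.0.5", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
}


def compare(flows=SAMPLE_FLOWS):
    """Return {flow name: (Model A decision, Model B decision)}."""
    return {name: (port_then_ips(f), app_based(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:15} port+IPS={a}  app-based={b}")
```

Running it shows the two ramifications the slide lists: under Model A the SSH tunnel on 443 and the unknown binary protocol on 80 are both allowed, because nothing in the blocklist matched them and the port decision was already made, while SSH to the bastion on its normal port is denied for no better reason than its port; under Model B the same SSH traffic is allowed only to the bastion, the unknown traffic hits its own rule and is logged under that rule's name, and web traffic is allowed with scanning rather than simply waved through.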