A quick summary of who we are. We were founded in 2005; in 2007 we brought to market the first next generation firewall to classify traffic based on application, regardless of the port, protocol, encryption or other evasive tactic. We have been described by Gartner as a disruptive security platform because we took a fresh, from the ground up approach to building a firewall for modern networks. Our key differentiator is the ability to Safely Enable Applications: this means more than allowing or blocking – it means using business-relevant elements such as the application identity, who is using the application, and the type of content or threat as a more meaningful way to control network access and grow your business. This means you can build firewall policies to allow the application but apply function control, or bandwidth shaping, or threat prevention to the application. Able to Address All Network Security Needs: We have a broad range of platforms that all support a rich firewall feature-set that can protect your perimeter, datacenter, distributed enterprise with Exceptional Growth and Global Presence: Refer to the charts on the right for growth. We have over 11,000 customers in over 100 customers with support centers and hardware depots distributed worldwide. Experienced Technology and Management Team: The technology team drives our innovation and our continued efforts at disrupting the network security market – they are our most valued team members. The management team brings a rich history of steering a rapidly growing dynamic company like ours.
The fundamental problem that we set out to solve is this: applications have changed, the firewall has not kept pace. And what we sometimes forget is that the firewall was designed to act as the security boundary for your network. It sees all traffic and enables access. The evolution of the application landscape has not happened over night – although it has accelerated dramatically in recent years. Antivirus applications began using port 80 as their avenue for updates back in 1997. AV is not a web application. The vendors did this to simplify access and better support their customers.AOL instant messenger (AIM) used to prompt you with “Find an open port?” if it could not establish a connection. BitTorrent, Skype both port hop and MS sharepoint uses a range of ports. Finally, MS-Lync – the messaging component for MS live 365 requires port 443, 3478 (stun), 5223 and a range of ports between 20,000-45,000 and 50,000-59,999.These are just a few examples of how applications have changed to mainly simplify access. Think about it, if you’re an application developer, you want your application used – so you will do what is necessary to achieve that goal. The ramifications of these changes result in an increase in business and security risks - applications act as (1) a threat vector (Email delivering a video URL but is really malware) and (2) they are threat targets (SQL injection attacks), and (3) they act as the command and control/exfiltration avenue. So while applications were rapidly evolving, port-based firewalls were stuck in the late 1990s – they did not keep pace. To try and address the problem, the industry’s response has been to sell more stuff!-------------Goals of this slide. This slide establishes the problem: Firewalls have always been designed to be the security boundary. They have not kept pace with the application trends. Use interesting examples that are not Facebook and Twitter to show that applications have changes firewalls have not. Use examples of applications that may use evasive techniques to simplify use and in so doing, avoid detection. Use applications that change state as added functions are used – they are hard for UTMS to identify, control and enable.
OPTIONAL slide Threat ramifications: Applications are a threat vector (malware) and a target (exploits)
OPTIONAL slide exfiltrationExfiltration ramifications: Today’s threats are applications – their command/control/exfiltration requires network communications. Apps can act as the conduit for data theft.
OPTIONAL slide SSL and SSH: more and more applications use encryption, rendering existing FWs useless.
Now…this is probably what your current network infrastructure looks like: Behind your port blocking firewall there is most likely a stand alone IPS, Quality of Service, URL Filtering, Data Leakage Prevention, Proxy, Antivirus, and maybe others…but our position is that sprawl is not the answer. <Click to animate>And bolting it all in one box, as UTM vendors have done, doesn’t work for several reasons: UTMs are all stateful inspection based – it is part of the UTM definition: stateful inspection + IPS + AV as outlined by IDC around 10 years ago. In all UTMs, the port-based decision is made first – this cannot be changed. Then the application, IPS, AV, URL decisions are made sequentially using a silo-based scanning approach – but it is all still based on what the stateful inspection (port-based) decision was. None of the information learned by the first scan is shared with the second, third or fourth. So ultimately, the decisions are either allow or deny – nothing in between. Sheet metal integration merely puts everything in one box for the sole purpose of lowering costs – nothing more. Nothing has changed.It’s all the same stuff just a lot slower and cheaper. We believe that the firewall is STILL the ideal location to exert control over traffic flowing across the network. But we believe control needs to be based on the application identify, regardless of which port/ports it uses – and here’s why… -------------------Explain why customers have deployed all of these devices – the control that once existed in the firewall has eroded over time. Added devices or scanning engines do not solve the problem. UTMs exist for the sole purpose of consolidating devices to save money UTMs suffer from performance issues, multiple policies, silo-based scanning, multiple databases, logs, etcUTMs are all stateful inspection based – the all make their first decision on port. This is not our value-add
Today, every firewall vendor will say they can control applications – let’s take a look how they address the application control challenge in a bit more detail. Folks like check point, juniper, fortinet, cisco are all adding control elements to their stateful inspection firewalls. Just like a UTM. Some add new application control blades, other use the IPS engine with new signatures. What ever mechanism used, the application control decision is made after stateful inspection. So you will need to open port 80 and 443 in order to try and control web applications like twitter and facebook. This means you are allowing roughly 300 applications (app usage and risk report) – just to try and control 2 or 3 applications. What happens to the other 297? The operational ramifications of this are significant. Multiple policies/log databases . A port-based firewall plus application control approach means you will need to build and manage firewall policy with source, destination, user, port, and action, etc. and an application control policy, with the same information adding application and action. Traffic is logged in two databases – the firewall and the app control element. If your organization is like most, then you likely have hundreds, even thousands of firewall rules. A multiple policy rulebase approach will not only increase administrative overhead – it may also increase both business and security risks unnecessarily. There are no tools to reconcile the two policies in order to make sure nothing sneaks by. Systematic management of unknown traffic. Unknown traffic epitomizes the 80%-20% rule – it is a small amount of traffic on every network, but it is high risk. Unknown traffic can be a custom application, an unidentified commercial application, or a threat. Incumbent vendors have no way to systematically find and manage that unknown traffic. To be clear, all of the traffic is logged by the firewall, but the applications are logged separately and are a subset, making unknown traffic management nearly impossible. Blocking it all may cripple the business. Allowing it all is high risk. Port-based ‘allow’ rule defeats ‘deny all’ premise. The always-on nature of port-based traffic classification, means your incumbent firewall will first need to open? the application default port controlling the application. To control Facebook, you need to allow tcp/80 or tcp/443. Based on the Application Usage and ThreatReport, you may be allowing 297 (25% of the average enterprise application mix) other applications that you may or may not want on the network. This means the strength of a firewall’s default deny all else policy is significantly weakened. What sets us apart? As soon as we see the traffic, we determine what the application is, regardless of the port, and we then use that information as the basis for all security policy decisions. This means: Single policy/log database: Palo Alto Networks uses a single, unified policy editor that allows you to use application, user and content as the basis for your secure enablement policies. Systematic management of unknowns: We categorize unknown traffic, which allows you to find internal applications and create a custom App-ID; do a PCAP for unidentified commercial applications and submit them for App-ID development; use the logging and reporting features to see if it is a threat. You are able to systematically manage unknown traffic down to a small, low risk amount – all based on policy. We act as a firewall should – deny-all else. As soon as traffic hits a Palo Alto Networks firewall, App-ID immediately identifies what the application is, across all ports, all the time. Access control decisions are made based on the application and default deny all can be maintained.
Palo Alto Networks allows you to build enablement policies that are based on business relevant elements – applications, users and content. It makes perfect sense, right? Your business runs on applications, users and content – shouldn’t your security policies? At the perimeter, you can reduce your organizationsthreat footprint by blocking a wide range of unwanted applications and then inspecting the allowed applications for threats - both known and unknown. <point out gmail, ultrasurf, tor as examples of applications you would allow and scan for threats; or outright block>In the datacenter, application enablement translates to confirming the applications users and content are allowed and protected from threats while simultaneously finding rogue, misconfigured applications - all at multi-Gbps speeds. In virtualized datacenter environments, organizations can apply consistent application enablement policies while addressing security challenges introduced by virtual machine movement and orchestration. <point out Oracle and Sharepoint as examples>Expanding outwards to enterprise branch offices and remote users, enablement is delivered through policy consistency - the same policy deployed at the corporate location and is extended, seamlessly to other locations.In short, our technology allows you to enable applications for users and protect the associated content – without hindering your business.
Lets talk for a moment about how our technology can enable applications, users and content – along with your business. Safe enablement policies begin with accurate classification of the application using App-ID. App-ID uses a combination of signatures, application and protocol decoders, and heuristics to identify all applications, across all ports, all the time - as soon as traffic hits the firewall. The application identity then becomes the basis for your positive enforcement model firewall policies. This means you can safely allow or block certain applications, or specific functionality within or across multiple applications like file sharing or instant messaging.Users make up the next piece of a safe enablement policy. We can tie users, regardless of the device platform, to the application with User-ID and GlobalProtect. User-ID integrates with the widest range of directory services on the market, including Active Directory, and Microsoft Exchange (which brings you Linux or MAC-OS users and LDAP to enable you to build policy aroundusers and groups of users by name, not just IPaddresses. An API is also available for non-standard directory integration. For remote or traveling employees working on a laptop, an iOS or Android platform from say, a Starbucks or a customer site, we can include them in the safe application enablement policies with our Global Protect end point solution. Scanning the content within the application is the final enablement policy and that is delivered by Content-ID. IPS, AV, antispyware and URL filtering within Content-IDwill allow you to apply very specific threat prevention profiles to your business critical traffic and/or users. The threat prevention engine is stream based and it utilizes a uniform signature format. It looks for a combination of things in a single pass, unlike the silo based AV, IPS and URL filtering. Wildfire provides the ability to identify malicious behaviors typically associated with zero-day attacks found in executable files by running them in a virtual environment and observing their behaviors. When a malicioussample is identified, it is then passed on to the signature generator, which automatically writes a signature for the sample and tests it for accuracy. Signatures are then delivered to all Palo Alto Networks customers as part of the daily malware signature updates.This slide summarizes one of our Core Value Propositions and Main Differentiators from the other vendors: The ability to SAFELY ENABLE APPLICATIONS, USERS AND CONTENT. Now, real quick I want to talk about how the device is sold: We sell a purpose built appliance with a purpose built operating system. Included with the base appliance are all the firewall capabilities: App-ID, User-ID, SSL and IPSEC VPN, SSL decryption and re-encryption, QoS, and Data Filtering. If you are interested in Threat Prevention, URL Filtering – or - Global Protect, these would each require a separate license. Oh, and just so you are aware…there are no user counts anywhere in our licensing model.ONE OF THE MAIN POINTS IS TO EMPHASIZE IS THAT WE INNOVATED HEAVILY TO DELIVER ON THE REQUIREMENTS. IT’S A BIG PART OF OUR CULTURE.
One of the common questions we get is around how we perform with services enabled. The best way I can describe the platform is it is purpose-built. I like to use a racing analogy. Any racing vehicle – indy, nascar, F1, Rally, motocross, motorcycle, go-kart, dragster – does not go fast because of one thing. It is a combination of engine, frame, suspension, aerodynamics and of course driver. We followed the same path. We first built a single-pass software engine which scans traffic only once – as opposed to the UTM approach which uses multiple, silo-like scans to protect the network. We then married the software to a high-performance hardware platform that uses the same architecture across all platforms. Each platform has either dedicated processors or dedicated computing resources for networking, security, threat prevention and management – as an example, the high-end PA-5000 Series has 40 processing cores that deliver predictable performance with all services enabled. The control plane and management plane are physically separated to provide some built-in resiliency. This is Fundamentally Differentthan UTM vendors who have bolted on an IPS engine, and AV engine, a QoS engine, and others, onto their firewall engine, usually all driven by a single processor. ****EVEN WHEN THEY’VE GOT MULTIPLE PROCESSORS, THE SILO-BASED APPROACH KILLS THEIR PERFORMANCEWe were a part of a NetworkWorldtest, where with every feature enabled, we were able to maintain 80% of marketed throughput, as compared with all other vendors, some of whom dropped below 50% and some as much as 90%...quite alarming, isn’t it?
DEVICE GROUPSThe collection of objects available to an operator include Shared, DG specific, or device specific. All can be used in policy.Shared in this instance means it is applied to all devices managed by Panorama.There are also Device Group rules (policy) and device specific rules.DG rules include pre and post rules (applied before and after device rules).DG rules can only utilize Shared and DG objects. Objects pushed by Panorama.Device specific rules can use all objects.Any rule base available in PANOS (e.g. Security, NAT, QOS, etc.) is available in Panorama as well.There is a Shared global policy as well which is applied to all DGs The shared rules can only be edited by Panorama or Superuser admins. This allows tiered access control models for large organizations which have multiple administrators with different levels of responsibilityTargets can be used to create Shared rules which apply to the devices of one or more DGs or specific devicesShared rules are essentially a pre-pre and post-post rulebaseAll of these rules are put into an ordered list on the firewall.The firewall itself does the sanity checking and installs the rulesTEMPLATESTemplates allow for central management of the Device and Network config elements from PanoramaAll config elements in these tabs can be managed centrally. Eg. Network elements (Interface, zones, VR, etc). Device elements (setup items [eg. DNS server], Auth Profiles, Server profiles, etc)This allows for staging of changes centrally before a maintenance period for all elements of the devices configurationIt also allows for applying common settings across multiple devices to allow for one change instead of manyEg. DNS server update across 100 FWs
Until now, we have been talking about how Palo Alto Networks can help you securely enable the applications traversing your Perimeter firewall. That makes sense right? The Perimeter is the place where ALL traffic passes. And at the end of the day, that is the ideal location for safe application enablement. That being said, we know that the perimeter is not the only location where firewalls are deployed. We have many customers who are deploying our firewalls in their Data Center as well. When looking at those locations, the value proposition changes slightly. In the Data Center, you’re not too concerned with end user applications like webmail or social networking. You’re more concerned about isolating the Data Center applications along with the tools you may use to manage those applications - or in other words, you need network segmentation. By using App-ID and User-ID to verify the approved set of applications and users, you are able to segment the network all while using high performance IPS to protect the data. In the Distributed Enterprise, the value proposition is also slightly different. Here, it’s about consistency: You need to deliver the best protection, by using either a Device or GlobalProtect, to implement the same policies that are in use at the Corporate Perimeter. Much to the delight of our customers, and many IT organizations, we offer solutions for all three use cases, the Perimeter, Data Center, as well as the Distributed Enterprise.
In this MQ Gartner is validating that the next-generation firewall has gone mainstream, stating "Advances in threats have driven mainstream firewall demand for next- generation firewall capabilities. Buyers should focus on the quality, not quantity, of the features and the R&D behind them." With our placement in the upper right for the 2nd consecutive Gartner is validating that we are a leader in the enterprise FW market: "Palo Alto Networks continued through 2012 to generate the most firewall inquiries among Gartner customers by a significant margin. Palo Alto Networks was consistently on most NGFW competitive shortlists, and we observed high customer loyalty and satisfaction from early adopters." We came to market in 2007 with an innovative, disruptive firewall solution and a singular focus on customers, which Gartner validates in the MQ: "Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward.”As far as what not to say – stick to the script, do NOT: 1. Put words in Gartner's mouth.2. Anticipate future MQ positions.3. Talk about other vendors. We have plenty of strong stuff in the bullets below.
Exact same feature set available in HW FW is now available in virtualized form factorLicensed by capacities – not CPU or other money sucking scheme.
We believe application enablement belongs in the FW, not in a secondary scanning process. And that is what we do with app-id. In 2007 when we launched our first product, competitors dismissed the concept of application enablement. Now, many existing firewall vendors say, “we do what Palo Alto Networks does”, validating our direction set forth at that time. In reality, there are some fundamental differences that cannot be overlooked, starting with the foundation of your existing firewalls. Stateful inspection makes all access control decisions based on port and protocol. This cannot be changed, yet it is easily bypassed by many of today’s applications. Existing firewall vendors try to address application enablement by adding application control features to their Stateful inspection firewall, much like they have done with IPS. There are several significant ramifications to this add-on approach. Multiple policies with duplicate information increases management effort. A port-based firewall plus application control approach means you will need to build and manage firewall policy with source, destination, user, port, and action, etc. and an application control policy, with the same information adding application and action. If your organization is like most, then you likely have hundreds, even thousands of firewall rules. A multiple policy rulebase approach will not only increase administrative overhead – it may also increase both business and security risks unnecessarily. Palo Alto Networks uses a single, unified policy editor that allows you to use application, user and content as the basis for your secure enablement policies. Systematic management of unknown traffic. Unknown traffic epitomizes the 80%-20% rule – it is a small amount of traffic on every network, but it is high risk. Unknown traffic can be a custom application, an unidentified commercial application, or a threat. Incumbent vendors have no way to systematically find and manage that unknown traffic. To be clear, all of the traffic is logged by the firewall, but the applications are logged separately and are a subset, making unknown traffic management nearly impossible. Blocking it all may cripple the business. Allowing it all is high risk. We categorize unknown traffic, which allows you to find internal applications and create a custom App-ID; do a PCAP for unidentified commercial applications and submit them for App-ID development; use the logging and reporting features to see if it is a threat. You are able to systematically manage unknown traffic down to a small, low risk amount – all based on policy. Port-based ‘allow’ rule defeats ‘deny all’ premise. The always-on nature of port-based traffic classification, means your incumbent firewall will first need to open? the application default port controlling the application. To control Facebook, you need to allow tcp/80 or tcp/443. Based on the December 2011 Application Usage and Risk Report, you may be allowing 297 (25% of the average enterprise application mix) other applications that you may or may not want on the network. This means the strength of a default deny all policy is significantly weakened. As soon as traffic hits a Palo Alto Networks firewall, App-ID immediately identifies what the application is, across all ports, all the time. Access control decisions are made based on the application and default deny all can be maintained.
You can ease into deploying us. We designed our devices to be deployed in several different ways. Tap Mode provides visibility only, and is generally where we deploy a device during a product evaluation. With a device in Tab Mode for a short period of time, we can provide you with an Application Visibility and Risk Report that will show you the traffic traversing your network with your current policies still in place. We usually EVALUATE IN Tap Mode. We can also sit In-line, where our device would be deployed behind the existing firewall like a more traditional IPS. You will now gain visibility and control without having to rip out your current firewall. And finally we can be deployed in layer 2 or 3, as a Replacement for your existing firewall. Typically, we are moving clients from left to right as the value of our Next-Generation Firewall Platform is realized over time.
Palo Alto Networks 28.5.2013
Palo Alto Networks Product OverviewKilian Zantop28. Mai 2013Belsoft Best Practice - Next Generation Firewalls