Palo Alto Networks 28.5.2013

5,004 views

Published on

Präsentation anlässich des Belsoft Best Practice - Next Generation Firewalls

Published in: Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
5,004
On SlideShare
0
From Embeds
0
Number of Embeds
19
Actions
Shares
0
Downloads
423
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide
  • A quick summary of who we are. We were founded in 2005; in 2007 we brought to market the first next generation firewall to classify traffic based on application, regardless of the port, protocol, encryption or other evasive tactic. We have been described by Gartner as a disruptive security platform because we took a fresh, from the ground up approach to building a firewall for modern networks. Our key differentiator is the ability to Safely Enable Applications: this means more than allowing or blocking – it means using business-relevant elements such as the application identity, who is using the application, and the type of content or threat as a more meaningful way to control network access and grow your business. This means you can build firewall policies to allow the application but apply function control, or bandwidth shaping, or threat prevention to the application.  Able to Address All Network Security Needs: We have a broad range of platforms that all support a rich firewall feature-set that can protect your perimeter, datacenter, distributed enterprise with  Exceptional Growth and Global Presence: Refer to the charts on the right for growth. We have over 11,000 customers in over 100 customers with support centers and hardware depots distributed worldwide. Experienced Technology and Management Team: The technology team drives our innovation and our continued efforts at disrupting the network security market – they are our most valued team members. The management team brings a rich history of steering a rapidly growing dynamic company like ours.
  • The fundamental problem that we set out to solve is this: applications have changed, the firewall has not kept pace. And what we sometimes forget is that the firewall was designed to act as the security boundary for your network. It sees all traffic and enables access. The evolution of the application landscape has not happened over night – although it has accelerated dramatically in recent years. Antivirus applications began using port 80 as their avenue for updates back in 1997. AV is not a web application. The vendors did this to simplify access and better support their customers.AOL instant messenger (AIM) used to prompt you with “Find an open port?” if it could not establish a connection. BitTorrent, Skype both port hop and MS sharepoint uses a range of ports. Finally, MS-Lync – the messaging component for MS live 365 requires port 443, 3478 (stun), 5223 and a range of ports between 20,000-45,000 and 50,000-59,999.These are just a few examples of how applications have changed to mainly simplify access. Think about it, if you’re an application developer, you want your application used – so you will do what is necessary to achieve that goal. The ramifications of these changes result in an increase in business and security risks - applications act as (1) a threat vector (Email delivering a video URL but is really malware) and (2) they are threat targets (SQL injection attacks), and (3) they act as the command and control/exfiltration avenue. So while applications were rapidly evolving, port-based firewalls were stuck in the late 1990s – they did not keep pace. To try and address the problem, the industry’s response has been to sell more stuff!-------------Goals of this slide. This slide establishes the problem: Firewalls have always been designed to be the security boundary. They have not kept pace with the application trends. Use interesting examples that are not Facebook and Twitter to show that applications have changes firewalls have not. Use examples of applications that may use evasive techniques to simplify use and in so doing, avoid detection. Use applications that change state as added functions are used – they are hard for UTMS to identify, control and enable.
  • OPTIONAL slide Threat ramifications: Applications are a threat vector (malware) and a target (exploits)
  • OPTIONAL slide exfiltrationExfiltration ramifications: Today’s threats are applications – their command/control/exfiltration requires network communications. Apps can act as the conduit for data theft.
  • OPTIONAL slide SSL and SSH: more and more applications use encryption, rendering existing FWs useless.
  • Now…this is probably what your current network infrastructure looks like: Behind your port blocking firewall there is most likely a stand alone IPS, Quality of Service, URL Filtering, Data Leakage Prevention, Proxy, Antivirus, and maybe others…but our position is that sprawl is not the answer. <Click to animate>And bolting it all in one box, as UTM vendors have done, doesn’t work for several reasons: UTMs are all stateful inspection based – it is part of the UTM definition: stateful inspection + IPS + AV as outlined by IDC around 10 years ago. In all UTMs, the port-based decision is made first – this cannot be changed. Then the application, IPS, AV, URL decisions are made sequentially using a silo-based scanning approach – but it is all still based on what the stateful inspection (port-based) decision was. None of the information learned by the first scan is shared with the second, third or fourth. So ultimately, the decisions are either allow or deny – nothing in between. Sheet metal integration merely puts everything in one box for the sole purpose of lowering costs – nothing more. Nothing has changed.It’s all the same stuff just a lot slower and cheaper. We believe that the firewall is STILL the ideal location to exert control over traffic flowing across the network. But we believe control needs to be based on the application identify, regardless of which port/ports it uses – and here’s why… -------------------Explain why customers have deployed all of these devices – the control that once existed in the firewall has eroded over time. Added devices or scanning engines do not solve the problem. UTMs exist for the sole purpose of consolidating devices to save money UTMs suffer from performance issues, multiple policies, silo-based scanning, multiple databases, logs, etcUTMs are all stateful inspection based – the all make their first decision on port. This is not our value-add
  • Today, every firewall vendor will say they can control applications – let’s take a look how they address the application control challenge in a bit more detail. Folks like check point, juniper, fortinet, cisco are all adding control elements to their stateful inspection firewalls. Just like a UTM. Some add new application control blades, other use the IPS engine with new signatures. What ever mechanism used, the application control decision is made after stateful inspection. So you will need to open port 80 and 443 in order to try and control web applications like twitter and facebook. This means you are allowing roughly 300 applications (app usage and risk report) – just to try and control 2 or 3 applications. What happens to the other 297? The operational ramifications of this are significant. Multiple policies/log databases . A port-based firewall plus application control approach means you will need to build and manage firewall policy with source, destination, user, port, and action, etc. and an application control policy, with the same information adding application and action. Traffic is logged in two databases – the firewall and the app control element. If your organization is like most, then you likely have hundreds, even thousands of firewall rules. A multiple policy rulebase approach will not only increase administrative overhead – it may also increase both business and security risks unnecessarily. There are no tools to reconcile the two policies in order to make sure nothing sneaks by. Systematic management of unknown traffic. Unknown traffic epitomizes the 80%-20% rule – it is a small amount of traffic on every network, but it is high risk. Unknown traffic can be a custom application, an unidentified commercial application, or a threat. Incumbent vendors have no way to systematically find and manage that unknown traffic. To be clear, all of the traffic is logged by the firewall, but the applications are logged separately and are a subset, making unknown traffic management nearly impossible. Blocking it all may cripple the business. Allowing it all is high risk. Port-based ‘allow’ rule defeats ‘deny all’ premise. The always-on nature of port-based traffic classification, means your incumbent firewall will first need to open? the application default port controlling the application. To control Facebook, you need to allow tcp/80 or tcp/443. Based on the Application Usage and ThreatReport, you may be allowing 297 (25% of the average enterprise application mix) other applications that you may or may not want on the network. This means the strength of a firewall’s default deny all else policy is significantly weakened. What sets us apart? As soon as we see the traffic, we determine what the application is, regardless of the port, and we then use that information as the basis for all security policy decisions. This means: Single policy/log database: Palo Alto Networks uses a single, unified policy editor that allows you to use application, user and content as the basis for your secure enablement policies. Systematic management of unknowns: We categorize unknown traffic, which allows you to find internal applications and create a custom App-ID; do a PCAP for unidentified commercial applications and submit them for App-ID development; use the logging and reporting features to see if it is a threat. You are able to systematically manage unknown traffic down to a small, low risk amount – all based on policy. We act as a firewall should – deny-all else. As soon as traffic hits a Palo Alto Networks firewall, App-ID immediately identifies what the application is, across all ports, all the time. Access control decisions are made based on the application and default deny all can be maintained.
  • Palo Alto Networks allows you to build enablement policies that are based on business relevant elements – applications, users and content. It makes perfect sense, right? Your business runs on applications, users and content – shouldn’t your security policies? At the perimeter, you can reduce your organizationsthreat footprint by blocking a wide range of unwanted applications and then inspecting the allowed applications for threats - both known and unknown. <point out gmail, ultrasurf, tor as examples of applications you would allow and scan for threats; or outright block>In the datacenter, application enablement translates to confirming the applications users and content are allowed and protected from threats while simultaneously finding rogue, misconfigured applications - all at multi-Gbps speeds. In virtualized datacenter environments, organizations can apply consistent application enablement policies while addressing security challenges introduced by virtual machine movement and orchestration. <point out Oracle and Sharepoint as examples>Expanding outwards to enterprise branch offices and remote users, enablement is delivered through policy consistency - the same policy deployed at the corporate location and is extended, seamlessly to other locations.In short, our technology allows you to enable applications for users and protect the associated content – without hindering your business.
  • Lets talk for a moment about how our technology can enable applications, users and content – along with your business. Safe enablement policies begin with accurate classification of the application using App-ID. App-ID uses a combination of signatures, application and protocol decoders, and heuristics to identify all applications, across all ports, all the time - as soon as traffic hits the firewall. The application identity then becomes the basis for your positive enforcement model firewall policies. This means you can safely allow or block certain applications, or specific functionality within or across multiple applications like file sharing or instant messaging.Users make up the next piece of a safe enablement policy. We can tie users, regardless of the device platform, to the application with User-ID and GlobalProtect. User-ID integrates with the widest range of directory services on the market, including Active Directory, and Microsoft Exchange (which brings you Linux or MAC-OS users and LDAP to enable you to build policy aroundusers and groups of users by name, not just IPaddresses. An API is also available for non-standard directory integration. For remote or traveling employees working on a laptop, an iOS or Android platform from say, a Starbucks or a customer site, we can include them in the safe application enablement policies with our Global Protect end point solution. Scanning the content within the application is the final enablement policy and that is delivered by Content-ID. IPS, AV, antispyware and URL filtering within Content-IDwill allow you to apply very specific threat prevention profiles to your business critical traffic and/or users. The threat prevention engine is stream based and it utilizes a uniform signature format. It looks for a combination of things in a single pass, unlike the silo based AV, IPS and URL filtering. Wildfire provides the ability to identify malicious behaviors typically associated with zero-day attacks found in executable files by running them in a virtual environment and observing their behaviors. When a malicioussample is identified, it is then passed on to the signature generator, which automatically writes a signature for the sample and tests it for accuracy. Signatures are then delivered to all Palo Alto Networks customers as part of the daily malware signature updates.This slide summarizes one of our Core Value Propositions and Main Differentiators from the other vendors: The ability to SAFELY ENABLE APPLICATIONS, USERS AND CONTENT. Now, real quick I want to talk about how the device is sold: We sell a purpose built appliance with a purpose built operating system. Included with the base appliance are all the firewall capabilities: App-ID, User-ID, SSL and IPSEC VPN, SSL decryption and re-encryption, QoS, and Data Filtering. If you are interested in Threat Prevention, URL Filtering – or - Global Protect, these would each require a separate license. Oh, and just so you are aware…there are no user counts anywhere in our licensing model.ONE OF THE MAIN POINTS IS TO EMPHASIZE IS THAT WE INNOVATED HEAVILY TO DELIVER ON THE REQUIREMENTS. IT’S A BIG PART OF OUR CULTURE.
  • One of the common questions we get is around how we perform with services enabled. The best way I can describe the platform is it is purpose-built. I like to use a racing analogy. Any racing vehicle – indy, nascar, F1, Rally, motocross, motorcycle, go-kart, dragster – does not go fast because of one thing. It is a combination of engine, frame, suspension, aerodynamics and of course driver. We followed the same path. We first built a single-pass software engine which scans traffic only once – as opposed to the UTM approach which uses multiple, silo-like scans to protect the network. We then married the software to a high-performance hardware platform that uses the same architecture across all platforms. Each platform has either dedicated processors or dedicated computing resources for networking, security, threat prevention and management – as an example, the high-end PA-5000 Series has 40 processing cores that deliver predictable performance with all services enabled. The control plane and management plane are physically separated to provide some built-in resiliency. This is Fundamentally Differentthan UTM vendors who have bolted on an IPS engine, and AV engine, a QoS engine, and others, onto their firewall engine, usually all driven by a single processor. ****EVEN WHEN THEY’VE GOT MULTIPLE PROCESSORS, THE SILO-BASED APPROACH KILLS THEIR PERFORMANCEWe were a part of a NetworkWorldtest, where with every feature enabled, we were able to maintain 80% of marketed throughput, as compared with all other vendors, some of whom dropped below 50% and some as much as 90%...quite alarming, isn’t it?
  • DEVICE GROUPSThe collection of objects available to an operator include Shared, DG specific, or device specific. All can be used in policy.Shared in this instance means it is applied to all devices managed by Panorama.There are also Device Group rules (policy) and device specific rules.DG rules include pre and post rules (applied before and after device rules).DG rules can only utilize Shared and DG objects. Objects pushed by Panorama.Device specific rules can use all objects.Any rule base available in PANOS (e.g. Security, NAT, QOS, etc.) is available in Panorama as well.There is a Shared global policy as well which is applied to all DGs The shared rules can only be edited by Panorama or Superuser admins. This allows tiered access control models for large organizations which have multiple administrators with different levels of responsibilityTargets can be used to create Shared rules which apply to the devices of one or more DGs or specific devicesShared rules are essentially a pre-pre and post-post rulebaseAll of these rules are put into an ordered list on the firewall.The firewall itself does the sanity checking and installs the rulesTEMPLATESTemplates allow for central management of the Device and Network config elements from PanoramaAll config elements in these tabs can be managed centrally. Eg. Network elements (Interface, zones, VR, etc). Device elements (setup items [eg. DNS server], Auth Profiles, Server profiles, etc)This allows for staging of changes centrally before a maintenance period for all elements of the devices configurationIt also allows for applying common settings across multiple devices to allow for one change instead of manyEg. DNS server update across 100 FWs
  • Until now, we have been talking about how Palo Alto Networks can help you securely enable the applications traversing your Perimeter firewall. That makes sense right? The Perimeter is the place where ALL traffic passes. And at the end of the day, that is the ideal location for safe application enablement. That being said, we know that the perimeter is not the only location where firewalls are deployed. We have many customers who are deploying our firewalls in their Data Center as well. When looking at those locations, the value proposition changes slightly. In the Data Center, you’re not too concerned with end user applications like webmail or social networking. You’re more concerned about isolating the Data Center applications along with the tools you may use to manage those applications - or in other words, you need network segmentation. By using App-ID and User-ID to verify the approved set of applications and users, you are able to segment the network all while using high performance IPS to protect the data. In the Distributed Enterprise, the value proposition is also slightly different. Here, it’s about consistency: You need to deliver the best protection, by using either a Device or GlobalProtect, to implement the same policies that are in use at the Corporate Perimeter. Much to the delight of our customers, and many IT organizations, we offer solutions for all three use cases, the Perimeter, Data Center, as well as the Distributed Enterprise.
  • In this MQ Gartner is validating that the next-generation firewall has gone mainstream, stating "Advances in threats have driven mainstream firewall demand for next- generation firewall capabilities. Buyers should focus on the quality, not quantity, of the features and the R&D behind them." With our placement in the upper right for the 2nd consecutive Gartner is validating that we are a leader in the enterprise FW market: "Palo Alto Networks continued through 2012 to generate the most firewall inquiries among Gartner customers by a significant margin. Palo Alto Networks was consistently on most NGFW competitive shortlists, and we observed high customer loyalty and satisfaction from early adopters." We came to market in 2007 with an innovative, disruptive firewall solution and a singular focus on customers, which Gartner validates in the MQ: "Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward.”As far as what not to say – stick to the script, do NOT: 1.  Put words in Gartner's mouth.2.  Anticipate future MQ positions.3.  Talk about other vendors.  We have plenty of strong stuff in the bullets below.
  • Exact same feature set available in HW FW is now available in virtualized form factorLicensed by capacities – not CPU or other money sucking scheme.
  • We believe application enablement belongs in the FW, not in a secondary scanning process. And that is what we do with app-id. In 2007 when we launched our first product, competitors dismissed the concept of application enablement. Now, many existing firewall vendors say, “we do what Palo Alto Networks does”, validating our direction set forth at that time. In reality, there are some fundamental differences that cannot be overlooked, starting with the foundation of your existing firewalls. Stateful inspection makes all access control decisions based on port and protocol. This cannot be changed, yet it is easily bypassed by many of today’s applications. Existing firewall vendors try to address application enablement by adding application control features to their Stateful inspection firewall, much like they have done with IPS. There are several significant ramifications to this add-on approach. Multiple policies with duplicate information increases management effort. A port-based firewall plus application control approach means you will need to build and manage firewall policy with source, destination, user, port, and action, etc. and an application control policy, with the same information adding application and action. If your organization is like most, then you likely have hundreds, even thousands of firewall rules. A multiple policy rulebase approach will not only increase administrative overhead – it may also increase both business and security risks unnecessarily. Palo Alto Networks uses a single, unified policy editor that allows you to use application, user and content as the basis for your secure enablement policies. Systematic management of unknown traffic. Unknown traffic epitomizes the 80%-20% rule – it is a small amount of traffic on every network, but it is high risk. Unknown traffic can be a custom application, an unidentified commercial application, or a threat. Incumbent vendors have no way to systematically find and manage that unknown traffic. To be clear, all of the traffic is logged by the firewall, but the applications are logged separately and are a subset, making unknown traffic management nearly impossible. Blocking it all may cripple the business. Allowing it all is high risk. We categorize unknown traffic, which allows you to find internal applications and create a custom App-ID; do a PCAP for unidentified commercial applications and submit them for App-ID development; use the logging and reporting features to see if it is a threat. You are able to systematically manage unknown traffic down to a small, low risk amount – all based on policy. Port-based ‘allow’ rule defeats ‘deny all’ premise. The always-on nature of port-based traffic classification, means your incumbent firewall will first need to open? the application default port controlling the application. To control Facebook, you need to allow tcp/80 or tcp/443. Based on the December 2011 Application Usage and Risk Report, you may be allowing 297 (25% of the average enterprise application mix) other applications that you may or may not want on the network. This means the strength of a default deny all policy is significantly weakened. As soon as traffic hits a Palo Alto Networks firewall, App-ID immediately identifies what the application is, across all ports, all the time. Access control decisions are made based on the application and default deny all can be maintained.   
  • You can ease into deploying us. We designed our devices to be deployed in several different ways. Tap Mode provides visibility only, and is generally where we deploy a device during a product evaluation. With a device in Tab Mode for a short period of time, we can provide you with an Application Visibility and Risk Report that will show you the traffic traversing your network with your current policies still in place. We usually EVALUATE IN Tap Mode. We can also sit In-line, where our device would be deployed behind the existing firewall like a more traditional IPS. You will now gain visibility and control without having to rip out your current firewall. And finally we can be deployed in layer 2 or 3, as a Replacement for your existing firewall. Typically, we are moving clients from left to right as the value of our Next-Generation Firewall Platform is realized over time.
  • Palo Alto Networks 28.5.2013

    1. 1. Palo Alto Networks Product OverviewKilian Zantop28. Mai 2013Belsoft Best Practice - Next Generation Firewalls
    2. 2. Palo Alto Networks at a GlanceCorporate highlightsFounded in 2005; first customer shipment in 2007Safely enabling applicationsAble to address all network security needsExceptional ability to support global customersExperienced technology and management team1,000+ employees globally1,8004,70011,00002,0004,0006,0008,00010,00012,000Jul-10 Jul-11$13$49$255$119$0$50$100$150$200$250$300FY09 FY10 FY11 FY12RevenueEnterprise customers$MMFYE JulyFeb-133 | ©2013, Palo Alto Networks. Confidential and Proprietary.
    3. 3. Applications Have Changed, Firewalls Haven’t4 | ©2012, Palo Alto Networks. Confidential and Proprietary.Network security policy is enforcedat the firewall• Sees all traffic• Defines boundary• Enables accessTraditional firewalls don’t work anymore
    4. 4. Encrypted Applications: Unseen by FirewallsWhat happens traffic is encrypted?• SSL• Proprietary encryption7 | ©2012, Palo Alto Networks. Confidential and Proprietary.
    5. 5. Technology Sprawl and Creep Aren’t the AnswerEnterpriseNetwork• “More stuff” doesn’t solve the problem• Firewall “helpers” have limited view of traffic• Complex and costly to buy and maintain• Doesn’t address application “accessibility” features8 | ©2012, Palo Alto Networks. Confidential and Proprietary.IMDLPIPS ProxyURLAVUTMInternet
    6. 6. 1. Identify applications regardless of port, protocol, evasive tactic or SSL2. Identify and control users regardless of IP address, location, or device3. Protect against known and unknown application-borne threats4. Fine-grained visibility and policy control over application access / functionality5. Multi-gigabit, low latency, in-line deploymentThe Answer? Make the Firewall Do Its Job9 | ©2012, Palo Alto Networks. Confidential and Proprietary.
    7. 7. Application Control Belongs in the FirewallPort PolicyDecisionApp Ctrl PolicyDecisionApplication Control as an Add-on• Port-based decision first, apps second• Applications treated as threats; only block whatyou expressly look forRamifications• Two policies/log databases, no reconciliation• Unable to effectively manage unknownsIPSApplicationsFirewallPortTrafficFirewall IPSApp Ctrl PolicyDecisionScan Applicationfor ThreatsApplicationsApplicationTrafficApplication Control in the Firewall• Firewall determines application identity; across allports, for all traffic, all the time• All policy decisions made based on applicationRamifications• Single policy/log database – all context is shared• Policy decisions made based on shared context• Unknowns systematically managed10 | ©2012, Palo Alto Networks. Confidential and Proprietary.
    8. 8. Enabling Applications, Users and Content11 | ©2012, Palo Alto Networks. Confidential and Proprietary.
    9. 9. Making the Firewall a Business Enablement Tool Applications: Enablement begins withapplication classification by App-ID. Users: Tying users and devices, regardless oflocation, to applications with User-ID andGlobalProtect. Content: Scanning content and protectingagainst all threats, both known andunknown, with Content-ID and WildFire.12 | ©2012, Palo Alto Networks. Confidential and Proprietary.
    10. 10. Single Pass Platform Architecture13 | ©2012, Palo Alto Networks. Confidential and Proprietary.
    11. 11. PAN-OS Core Firewall Features Strong networking foundation Dynamic routing (BGP, OSPF, RIPv2) Tap mode – connect to SPAN port Virtual wire (“Layer 1”) for truetransparent in-line deployment L2/L3 switching foundation Policy-based forwarding VPN Site-to-site IPSec VPN Remote Access (SSL) VPN QoS traffic shaping Max/guaranteed and priority By user, app, interface, zone, & more Real-time bandwidth monitor Zone-based architecture All interfaces assigned to securityzones for policy enforcement High Availability Active/active, active/passive Configuration and sessionsynchronization Path, link, and HA monitoring Virtual Systems Establish multiple virtual firewalls in asingle device (PA-5000, PA-4000, PA-3000, and PA-2000 Series) Simple, flexible management CLI, Web, Panorama, SNMP, Syslog14 | ©2012, Palo Alto Networks. Confidential and Proprietary.Visibility and control of applications, users and contentcomplement core firewall featuresPA-500PA-200PA-2000 SeriesPA-2050, PA-2020PA-3000 SeriesPA-3050, PA-3020PA-4000 SeriesPA-4060, PA-4050 PA-4020PA-5000 SeriesPA-5060, PA-5050 PA-5020VM-SeriesVM-300, VM-200, VM-100
    12. 12. PanoramaCentral management
    13. 13. Panorama Deployment Recommendations16 | ©2012, Palo Alto Networks. Confidential and Proprietary.Panorama VM< 10 devices< 10,000 logs/secSites with need for virtual appliancePanorama M-100< 100 devices< 10,000 logs/secPanorama Distributed Architecture< 1,000 devices> 10,000 logs/sec (50,000 per collector)Deployments with need for collector proximity
    14. 14. Panorama Distributed Architecture With the M-100, manager and log collector functions can be split Deploy multiple log collectors to scale collection infrastructure17 | ©2012, Palo Alto Networks. Confidential and Proprietary.
    15. 15. M-100 Hardware Appliance Simple, high-performance, dedicated appliance for Panorama Simplifies deployment and support Introduces distributed log collection capability for large scale deployments License migration path available for current Panorama customers18 | ©2012, Palo Alto Networks. Confidential and Proprietary.Specifications1 RU form factor Intel Xeon 4 core 3.4 GHz CPU16 GB memory 64bit Panorama kernel120 GB SSD system disk Up to 4 TB of RAID1 storage for logs (ships with two 1TB drives)
    16. 16. Panorama Architecture – Configuration Device Groups are used to sharecommon Policies and Objects Templates are used to sharecommon Networking and Deviceconfiguration19 | ©2012, Palo Alto Networks. Confidential and Proprietary.
    17. 17. Wildfire0-day Malware defense
    18. 18. The Lifecycle of Network Attacks - Rehearsal21 | ©2012, Palo Alto Networks. Confidential and Proprietary.Bait theend-user1End-user lured to adangerousapplication orwebsite containingmalicious contentExploit2Infected contentexploits the end-user, oftenwithout theirknowledgeDownloadBackdoor3Secondarypayload isdownloaded inthe background.Malware installedEstablishBack-Channel4Malwareestablishes anoutboundconnection to theattacker forongoing controlExplore &Steal5Remote attacker hascontrol inside thenetwork andescalates the attack
    19. 19. An Integrated Approach to Threat Prevention22 | ©2012, Palo Alto Networks. Confidential and Proprietary.App-IDURLIPSSpywareAVFilesWildFireBait the end-user Exploit Download Backdoor Command/ControlBlock high-riskappsBlock knownmalware sitesBlock theexploitBlock malwarePrevent drive-by-downloadsDetect 0-daymalwareBlock new C2trafficBlockspyware, C2trafficBlock fast-flux,bad domainsBlock C2 onopen ports
    20. 20. Why Traditional Antivirus Protection FailsModern/Targeted malware is increasingly able to: Avoid hitting traditional AV honeypots Evolve before protection can be delivered, using polymorphism, re-encoding, and changing URLs23 | ©2012, Palo Alto Networks. Confidential and Proprietary.☣Targeted and custom malware☣Polymorphic malware☣Newly released malwareHighly variable time to protection
    21. 21. WildFire Architecture 10Gbps threat prevention andfile scanning on all traffic, allports (web, email, SMB, etc.) Malware ran in the cloud withopen internet access todiscover hidden behaviors Sandbox logic updated routinelywith no customer impact Malware signaturesautomatically created based onpayload data Stream-based malware engineperforms true inlineenforcement24 | ©2012, Palo Alto Networks. Confidential and Proprietary.
    22. 22. WildFire Subscription ServiceWildFire signatures every 30 minutesIntegrated logging & reportingREST API for scripted file uploads25 | ©2012, Palo Alto Networks. Confidential and Proprietary.
    23. 23. Reaching Effects of WildFire26 | ©2012, Palo Alto Networks. Confidential and Proprietary.Threat IntelligenceSourcesWildFire UsersAV Signatures DNS Signatures Anti-C&C SignaturesMalware URL Filtering
    24. 24. Introducing theWildFire Appliance (WF-500) Appliance-based version of WildFire for on-premises deployments All sandbox analysis performed locally onthe WildFire appliance WF-500 has option to send locally identifiedmalware to WildFire public cloud Signatures only are created in public cloud WildFire signatures for all customersdistributed via normal update service Detection capabilities in sync with publiccloud27 | ©2012, Palo Alto Networks. Confidential and Proprietary.WildFire CloudEagle ApplianceAll samplesMalwareSignatures
    25. 25. Global ProtectSecuring your road worriers
    26. 26. Challenge: Quality of Security Tied to LocationEnterprise-secured withfull protectionHeadquarters Branch Officesmalwarebotnetsexploits29 | ©2012, Palo Alto Networks. Confidential and Proprietary.Airport Hotel Home OfficeExposed to threats, riskyapps, and data leakage
    27. 27. GlobalProtect: Consistent Security Everywhere•Headquarters •Branch Officemalwarebotnetsexploits• VPN connection to a purpose built firewall that is performing the security work• Automatic protected connectivity for users both inside and outside• Unified policy control, visibility, compliance & reporting30 | ©2012, Palo Alto Networks. Confidential and Proprietary.
    28. 28. LSVPNLarge scale satellite VPN
    29. 29. 32© 2011 Palo Alto Networks. Proprietary and Confidential.The ConceptEasy deployment oflarge scale VPNinfrastructure• GlobalProtect Satellitesautomatically acquireauthenticationcredentials and initialconfiguration fromGlobalProtect Portal• GlobalProtect Satelliteestablishes tunnels withavailable Gateways• Satellites and Gatewaysautomatically exchangerouting configuration
    30. 30. Magic Quadrant for Enterprise Network Firewalls35 | ©2013, Palo Alto Networks. Confidential and Proprietary.“Palo Alto Networks continues toboth drive competitors to react in thefirewall market and to move theoverall firewall market forward. It isassessed as a Leader, mostlybecause of its NGFW design,direction of the market along theNGFW path, consistentdisplacement of competitors, rapidlyincreasing revenue and marketshare, and market disruption thatforces competitors in all quadrants toreact.”Gartner, February 2013
    31. 31. Thank YouPage 37 |© 2010 Palo Alto Networks. Proprietary and Confidential.
    32. 32. Next-Generation Firewall Virtualized Platforms38 | ©2012, Palo Alto Networks. Confidential and Proprietary.SpecificationsModel Sessions Rules Security Zones AddressObjectsIPSec VPNTunnelsSSL VPNTunnelsVM-100 50,000 250 10 2,500 25 25VM-200 100,000 2,000 20 4,000 500 200VM-300 250,000 5,000 40 10,000 2,000 500Supported on VMware ESX/ESXi 4.0 or laterMinimum of 2 CPU cores, 4GB RAM, 40GB HD, 2 interfacesSupports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo framesPerformanceCores Allocated Firewall (App-ID) Threat Prevention VPN Sessions per Second2 Core 500 Mbps 200 Mbps 100 Mbps 8,0004 Core 1 Gbps 600 Mbps 250 Mbps 8,0008 Core 1 Gbps 1 Gbps 400 Mbps 8,000
    33. 33. Differentiating: App-ID vs. Two Step Scanning Operational ramifications of two step scanning Two separate policies with duplicate info – impossible to reconcile them Two log databases decrease visibility Unable to systematically manage unknown traffic Weakens the deny-all-else premise Every firewall competitor uses two step scanning39 | ©2012, Palo Alto Networks. Confidential and Proprietary.Port PolicyDecisionApp Ctrl PolicyDecisionIPSApplicationsFirewallAllow port 80 trafficTraffic300 or more applications300 or more applications300 or more applications
    34. 34. Flexible Deployment OptionsVisibility Transparent In-Line Firewall Replacement• Application, user and contentvisibility without inlinedeployment• IPS with app visibility & control• Consolidation of IPS & URLfiltering• Firewall replacement with appvisibility & control• Firewall + IPS• Firewall + IPS + URL filtering40 | ©2012, Palo Alto Networks. Confidential and Proprietary.

    ×