Palo Alto Networks Product Overview


  1. Palo Alto Networks Product Overview. Kilian Zantop, 28 May 2013. Belsoft Best Practice - Next Generation Firewalls
  2. Palo Alto Networks at a Glance
     Corporate highlights:
     • Founded in 2005; first customer shipment in 2007
     • Safely enabling applications
     • Able to address all network security needs
     • Exceptional ability to support global customers
     • Experienced technology and management team
     • 1,000+ employees globally
     [Chart: Enterprise customers, Jul-10 to Feb-13; data labels 1,800, 4,700, 11,000]
     [Chart: Revenue in $MM, FYE July, FY09 to FY12; data labels $13, $49, $255, $119]
     ©2013, Palo Alto Networks. Confidential and Proprietary.
  3. Applications Have Changed, Firewalls Haven’t
     Network security policy is enforced at the firewall:
     • Sees all traffic
     • Defines boundary
     • Enables access
     Traditional firewalls don’t work any more.
  4. Encrypted Applications: Unseen by Firewalls
     What happens when traffic is encrypted?
     • SSL
     • Proprietary encryption
  5. Technology Sprawl and Creep Aren’t the Answer
     • “More stuff” doesn’t solve the problem
     • Firewall “helpers” have limited view of traffic
     • Complex and costly to buy and maintain
     • Doesn’t address application “accessibility” features
     [Diagram labels: Enterprise Network, UTM, IM, DLP, IPS, Proxy, URL, AV, Internet]
  6. The Answer? Make the Firewall Do Its Job
     1. Identify applications regardless of port, protocol, evasive tactic or SSL
     2. Identify and control users regardless of IP address, location, or device
     3. Protect against known and unknown application-borne threats
     4. Fine-grained visibility and policy control over application access / functionality
     5. Multi-gigabit, low latency, in-line deployment
  7. Application Control Belongs in the Firewall
     Application Control as an Add-on:
     • Port-based decision first, apps second
     • Applications treated as threats; only block what you expressly look for
     Ramifications:
     • Two policies/log databases, no reconciliation
     • Unable to effectively manage unknowns
     [Diagram labels: Traffic, Firewall, Port, Port Policy Decision, IPS, Applications, App Ctrl Policy Decision]
     Application Control in the Firewall:
     • Firewall determines application identity; across all ports, for all traffic, all the time
     • All policy decisions made based on application
     Ramifications:
     • Single policy/log database – all context is shared
     • Policy decisions made based on shared context
     • Unknowns systematically managed
     [Diagram labels: Traffic, Firewall, Application, App Ctrl Policy Decision, IPS, Scan Application for Threats, Applications]
  8. Enabling Applications, Users and Content
  9. Making the Firewall a Business Enablement Tool
     • Applications: Enablement begins with application classification by App-ID.
     • Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
     • Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.
  10. Single Pass Platform Architecture
  11. PAN-OS Core Firewall Features
      Visibility and control of applications, users and content complement core firewall features.
      • Strong networking foundation: dynamic routing (BGP, OSPF, RIPv2); tap mode – connect to SPAN port; virtual wire (“Layer 1”) for true transparent in-line deployment; L2/L3 switching foundation; policy-based forwarding
      • VPN: site-to-site IPSec VPN; remote access (SSL) VPN
      • QoS traffic shaping: max/guaranteed and priority; by user, app, interface, zone, & more; real-time bandwidth monitor
      • Zone-based architecture: all interfaces assigned to security zones for policy enforcement
      • High Availability: active/active, active/passive; configuration and session synchronization; path, link, and HA monitoring
      • Virtual Systems: establish multiple virtual firewalls in a single device (PA-5000, PA-4000, PA-3000, and PA-2000 Series)
      • Simple, flexible management: CLI, Web, Panorama, SNMP, Syslog
      Platforms:
      • PA-200
      • PA-500
      • PA-2000 Series: PA-2050, PA-2020
      • PA-3000 Series: PA-3050, PA-3020
      • PA-4000 Series: PA-4060, PA-4050, PA-4020
      • PA-5000 Series: PA-5060, PA-5050, PA-5020
      • VM-Series: VM-300, VM-200, VM-100
  12. Panorama: Central management
  13. Panorama Deployment Recommendations
      • Panorama VM: < 10 devices; < 10,000 logs/sec; sites with need for virtual appliance
      • Panorama M-100: < 100 devices; < 10,000 logs/sec
      • Panorama Distributed Architecture: < 1,000 devices; > 10,000 logs/sec (50,000 per collector); deployments with need for collector proximity
  14. Panorama Distributed Architecture
      • With the M-100, manager and log collector functions can be split
      • Deploy multiple log collectors to scale collection infrastructure
  15. M-100 Hardware Appliance
      • Simple, high-performance, dedicated appliance for Panorama
      • Simplifies deployment and support
      • Introduces distributed log collection capability for large scale deployments
      • License migration path available for current Panorama customers
      Specifications:
      • 1 RU form factor
      • Intel Xeon 4 core 3.4 GHz CPU
      • 16 GB memory
      • 64-bit Panorama kernel
      • 120 GB SSD system disk
      • Up to 4 TB of RAID1 storage for logs (ships with two 1 TB drives)
  16. Panorama Architecture – Configuration
      • Device Groups are used to share common Policies and Objects
      • Templates are used to share common Networking and Device configuration
  17. WildFire: 0-day malware defense
  18. The Lifecycle of Network Attacks - Rehearsal
      1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content
      2. Exploit: Infected content exploits the end-user, often without their knowledge
      3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed
      4. Establish Back-Channel: Malware establishes an outbound connection to the attacker for ongoing control
      5. Explore & Steal: Remote attacker has control inside the network and escalates the attack
  19. An Integrated Approach to Threat Prevention
      [Matrix of technologies against attack stages]
      • Technologies: App-ID, URL, IPS, Spyware, AV, Files, WildFire
      • Attack stages: Bait the end-user, Exploit, Download Backdoor, Command/Control
      • Protections shown: Block high-risk apps; Block known malware sites; Block the exploit; Block malware; Prevent drive-by-downloads; Detect 0-day malware; Block new C2 traffic; Block spyware, C2 traffic; Block fast-flux, bad domains; Block C2 on open ports
  20. Why Traditional Antivirus Protection Fails
      Modern/targeted malware is increasingly able to:
      • Avoid hitting traditional AV honeypots
      • Evolve before protection can be delivered, using polymorphism, re-encoding, and changing URLs
      Highly variable time to protection:
      ☣ Targeted and custom malware
      ☣ Polymorphic malware
      ☣ Newly released malware
  21. WildFire Architecture
      • 10 Gbps threat prevention and file scanning on all traffic, all ports (web, email, SMB, etc.)
      • Malware run in the cloud with open internet access to discover hidden behaviors
      • Sandbox logic updated routinely with no customer impact
      • Malware signatures automatically created based on payload data
      • Stream-based malware engine performs true inline enforcement
  22. WildFire Subscription Service
      • WildFire signatures every 30 minutes
      • Integrated logging & reporting
      • REST API for scripted file uploads
  23. Reaching Effects of WildFire
      [Diagram labels: Threat Intelligence Sources, WildFire Users, AV Signatures, DNS Signatures, Anti-C&C Signatures, Malware URL Filtering]
  24. Introducing the WildFire Appliance (WF-500)
      • Appliance-based version of WildFire for on-premises deployments
      • All sandbox analysis performed locally on the WildFire appliance
      • WF-500 has option to send locally identified malware to WildFire public cloud
      • Signatures only are created in public cloud
      • WildFire signatures for all customers distributed via normal update service
      • Detection capabilities in sync with public cloud
      [Diagram labels: WildFire Cloud, Eagle Appliance, All samples, Malware, Signatures]
  25. GlobalProtect: Securing your road warriors
  26. Challenge: Quality of Security Tied to Location
      • Enterprise-secured with full protection: Headquarters, Branch Offices
      • Exposed to threats, risky apps, and data leakage: Airport, Hotel, Home Office
      [Diagram labels: malware, botnets, exploits]
  27. GlobalProtect: Consistent Security Everywhere
      • VPN connection to a purpose built firewall that is performing the security work
      • Automatic protected connectivity for users both inside and outside
      • Unified policy control, visibility, compliance & reporting
      [Diagram labels: Headquarters, Branch Office, malware, botnets, exploits]
  28. LSVPN: Large scale satellite VPN
  29. The Concept
      Easy deployment of large scale VPN infrastructure:
      • GlobalProtect Satellites automatically acquire authentication credentials and initial configuration from GlobalProtect Portal
      • GlobalProtect Satellite establishes tunnels with available Gateways
      • Satellites and Gateways automatically exchange routing configuration
  30. Magic Quadrant for Enterprise Network Firewalls
      “Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward. It is assessed as a Leader, mostly because of its NGFW design, direction of the market along the NGFW path, consistent displacement of competitors, rapidly increasing revenue and market share, and market disruption that forces competitors in all quadrants to react.”
      Gartner, February 2013
  31. Thank You
  32. Next-Generation Firewall Virtualized Platforms
      Specifications:
      • VM-100: 50,000 sessions; 250 rules; 10 security zones; 2,500 address objects; 25 IPSec VPN tunnels; 25 SSL VPN tunnels
      • VM-200: 100,000 sessions; 2,000 rules; 20 security zones; 4,000 address objects; 500 IPSec VPN tunnels; 200 SSL VPN tunnels
      • VM-300: 250,000 sessions; 5,000 rules; 40 security zones; 10,000 address objects; 2,000 IPSec VPN tunnels; 500 SSL VPN tunnels
      Requirements and limitations:
      • Supported on VMware ESX/ESXi 4.0 or later
      • Minimum of 2 CPU cores, 4 GB RAM, 40 GB HD, 2 interfaces
      • Supports active/passive HA without state synchronization
      • Does not support 802.3ad, virtual systems, jumbo frames
      Performance by cores allocated:
      • 2 Core: Firewall (App-ID) 500 Mbps; Threat Prevention 200 Mbps; VPN 100 Mbps; 8,000 sessions per second
      • 4 Core: Firewall (App-ID) 1 Gbps; Threat Prevention 600 Mbps; VPN 250 Mbps; 8,000 sessions per second
      • 8 Core: Firewall (App-ID) 1 Gbps; Threat Prevention 1 Gbps; VPN 400 Mbps; 8,000 sessions per second
  33. Differentiating: App-ID vs. Two Step Scanning
      Operational ramifications of two step scanning:
      • Two separate policies with duplicate info – impossible to reconcile them
      • Two log databases decrease visibility
      • Unable to systematically manage unknown traffic
      • Weakens the deny-all-else premise
      • Every firewall competitor uses two step scanning
      [Diagram labels: Traffic, Firewall, Port Policy Decision, Allow port 80 traffic, IPS, Applications, App Ctrl Policy Decision, 300 or more applications]
  34. Flexible Deployment Options
      Options: Visibility; Transparent In-Line; Firewall Replacement
      • Application, user and content visibility without inline deployment
      • IPS with app visibility & control
      • Consolidation of IPS & URL filtering
      • Firewall replacement with app visibility & control
      • Firewall + IPS
      • Firewall + IPS + URL filtering
