
Palo Alto Networks Product Overview



  1. 1. Palo Alto Networks Product Overview
      Kilian Zantop, 28 May 2013
      Belsoft Best Practice - Next Generation Firewalls
  2. 2. Palo Alto Networks at a Glance
      Corporate highlights:
      • Founded in 2005; first customer shipment in 2007
      • Safely enabling applications
      • Able to address all network security needs
      • Exceptional ability to support global customers
      • Experienced technology and management team
      • 1,000+ employees globally
      [Charts: Revenue ($MM, FYE July, FY09 to FY12); Enterprise customers (Jul-10, Jul-11, Feb-13)]
      ©2013, Palo Alto Networks. Confidential and Proprietary.
  3. 3. Applications Have Changed, Firewalls Haven’t
      Network security policy is enforced at the firewall:
      • Sees all traffic
      • Defines boundary
      • Enables access
      Traditional firewalls don’t work anymore
  4. 4. Encrypted Applications: Unseen by Firewalls
      What happens when traffic is encrypted?
      • SSL
      • Proprietary encryption
  5. 5. Technology Sprawl and Creep Aren’t the Answer
      • “More stuff” doesn’t solve the problem
      • Firewall “helpers” have limited view of traffic
      • Complex and costly to buy and maintain
      • Doesn’t address application “accessibility” features
      [Diagram labels: Internet, Enterprise Network; IM, DLP, IPS, Proxy, URL, AV, UTM]
  6. 6. The Answer? Make the Firewall Do Its Job
      1. Identify applications regardless of port, protocol, evasive tactic or SSL
      2. Identify and control users regardless of IP address, location, or device
      3. Protect against known and unknown application-borne threats
      4. Fine-grained visibility and policy control over application access / functionality
      5. Multi-gigabit, low latency, in-line deployment
  7. 7. Application Control Belongs in the Firewall
      Application Control as an Add-on
      • Port-based decision first, apps second
      • Applications treated as threats; only block what you expressly look for
      Ramifications
      • Two policies/log databases, no reconciliation
      • Unable to effectively manage unknowns
      [Diagram labels: Port Policy Decision, App Ctrl Policy Decision, IPS, Applications, Firewall, Port, Traffic]
      Application Control in the Firewall
      • Firewall determines application identity; across all ports, for all traffic, all the time
      • All policy decisions made based on application
      Ramifications
      • Single policy/log database – all context is shared
      • Policy decisions made based on shared context
      • Unknowns systematically managed
      [Diagram labels: Firewall, IPS, App Ctrl Policy Decision, Scan Application for Threats, Applications, Application, Traffic]
  8. 8. Enabling Applications, Users and Content
  9. 9. Making the Firewall a Business Enablement Tool
      • Applications: Enablement begins with application classification by App-ID.
      • Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
      • Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.
  10. 10. Single Pass Platform Architecture
  11. 11. PAN-OS Core Firewall Features
      Visibility and control of applications, users and content complement core firewall features
      Strong networking foundation
      • Dynamic routing (BGP, OSPF, RIPv2)
      • Tap mode – connect to SPAN port
      • Virtual wire (“Layer 1”) for true transparent in-line deployment
      • L2/L3 switching foundation
      • Policy-based forwarding
      VPN
      • Site-to-site IPSec VPN
      • Remote Access (SSL) VPN
      QoS traffic shaping
      • Max/guaranteed and priority
      • By user, app, interface, zone, & more
      • Real-time bandwidth monitor
      Zone-based architecture
      • All interfaces assigned to security zones for policy enforcement
      High Availability
      • Active/active, active/passive
      • Configuration and session synchronization
      • Path, link, and HA monitoring
      Virtual Systems
      • Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, PA-3000, and PA-2000 Series)
      Simple, flexible management
      • CLI, Web, Panorama, SNMP, Syslog
      [Models pictured: PA-500; PA-200; PA-2000 Series (PA-2050, PA-2020); PA-3000 Series (PA-3050, PA-3020); PA-4000 Series (PA-4060, PA-4050, PA-4020); PA-5000 Series (PA-5060, PA-5050, PA-5020); VM-Series (VM-300, VM-200, VM-100)]
  12. 12. Panorama: Central management
  13. 13. Panorama Deployment Recommendations
      • Panorama VM: < 10 devices; < 10,000 logs/sec; sites with need for virtual appliance
      • Panorama M-100: < 100 devices; < 10,000 logs/sec
      • Panorama Distributed Architecture: < 1,000 devices; > 10,000 logs/sec (50,000 per collector); deployments with need for collector proximity
  14. 14. Panorama Distributed Architecture
      • With the M-100, manager and log collector functions can be split
      • Deploy multiple log collectors to scale collection infrastructure
  15. 15. M-100 Hardware Appliance
      • Simple, high-performance, dedicated appliance for Panorama
      • Simplifies deployment and support
      • Introduces distributed log collection capability for large scale deployments
      • License migration path available for current Panorama customers
      Specifications
      • 1 RU form factor
      • Intel Xeon 4 core 3.4 GHz CPU
      • 16 GB memory
      • 64bit Panorama kernel
      • 120 GB SSD system disk
      • Up to 4 TB of RAID1 storage for logs (ships with two 1TB drives)
  16. 16. Panorama Architecture – Configuration
      • Device Groups are used to share common Policies and Objects
      • Templates are used to share common Networking and Device configuration
  17. 17. WildFire: 0-day malware defense
  18. 18. The Lifecycle of Network Attacks - Rehearsal
      1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content
      2. Exploit: Infected content exploits the end-user, often without their knowledge
      3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed
      4. Establish Back-Channel: Malware establishes an outbound connection to the attacker for ongoing control
      5. Explore & Steal: Remote attacker has control inside the network and escalates the attack
  19. 19. An Integrated Approach to Threat Prevention
      Controls: App-ID, URL, IPS, Spyware, AV, Files, WildFire
      Attack stages: Bait the end-user, Exploit, Download Backdoor, Command/Control
      Actions shown in the matrix:
      • Block high-risk apps
      • Block known malware sites
      • Block the exploit
      • Block malware
      • Prevent drive-by-downloads
      • Detect 0-day malware
      • Block new C2 traffic
      • Block spyware, C2 traffic
      • Block fast-flux, bad domains
      • Block C2 on open ports
  20. 20. Why Traditional Antivirus Protection Fails
      Modern/Targeted malware is increasingly able to:
      • Avoid hitting traditional AV honeypots
      • Evolve before protection can be delivered, using polymorphism, re-encoding, and changing URLs
      ☣ Targeted and custom malware
      ☣ Polymorphic malware
      ☣ Newly released malware
      Highly variable time to protection
  21. 21. WildFire Architecture
      • 10Gbps threat prevention and file scanning on all traffic, all ports (web, email, SMB, etc.)
      • Malware run in the cloud with open internet access to discover hidden behaviors
      • Sandbox logic updated routinely with no customer impact
      • Malware signatures automatically created based on payload data
      • Stream-based malware engine performs true inline enforcement
  22. 22. WildFire Subscription Service
      • WildFire signatures every 30 minutes
      • Integrated logging & reporting
      • REST API for scripted file uploads
  23. 23. Reaching Effects of WildFire
      [Diagram labels: Threat Intelligence Sources; WildFire Users; AV Signatures; DNS Signatures; Anti-C&C Signatures; Malware URL Filtering]
  24. 24. Introducing the WildFire Appliance (WF-500)
      • Appliance-based version of WildFire for on-premises deployments
      • All sandbox analysis performed locally on the WildFire appliance
      • WF-500 has option to send locally identified malware to WildFire public cloud
      • Signatures only are created in public cloud
      • WildFire signatures for all customers distributed via normal update service
      • Detection capabilities in sync with public cloud
      [Diagram labels: WildFire Cloud; Eagle Appliance; All samples; Malware; Signatures]
  25. 25. GlobalProtect: Securing your road warriors
  26. 26. Challenge: Quality of Security Tied to Location
      • Headquarters, Branch Offices: Enterprise-secured with full protection
      • Airport, Hotel, Home Office: Exposed to threats, risky apps, and data leakage
      [Diagram labels: malware, botnets, exploits]
  27. 27. GlobalProtect: Consistent Security Everywhere
      • VPN connection to a purpose built firewall that is performing the security work
      • Automatic protected connectivity for users both inside and outside
      • Unified policy control, visibility, compliance & reporting
      [Diagram labels: Headquarters; Branch Office; malware, botnets, exploits]
  28. 28. LSVPN: Large scale satellite VPN
  29. 29. The Concept
      Easy deployment of large scale VPN infrastructure
      • GlobalProtect Satellites automatically acquire authentication credentials and initial configuration from GlobalProtect Portal
      • GlobalProtect Satellite establishes tunnels with available Gateways
      • Satellites and Gateways automatically exchange routing configuration
  30. 30. Magic Quadrant for Enterprise Network Firewalls
      “Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward. It is assessed as a Leader, mostly because of its NGFW design, direction of the market along the NGFW path, consistent displacement of competitors, rapidly increasing revenue and market share, and market disruption that forces competitors in all quadrants to react.”
      Gartner, February 2013
  31. 31. Thank You
  32. 32. Next-Generation Firewall Virtualized Platforms
      Specifications (per model: Sessions; Rules; Security Zones; Address Objects; IPSec VPN Tunnels; SSL VPN Tunnels)
      • VM-100: 50,000; 250; 10; 2,500; 25; 25
      • VM-200: 100,000; 2,000; 20; 4,000; 500; 200
      • VM-300: 250,000; 5,000; 40; 10,000; 2,000; 500
      Requirements and limitations
      • Supported on VMware ESX/ESXi 4.0 or later
      • Minimum of 2 CPU cores, 4GB RAM, 40GB HD, 2 interfaces
      • Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames
      Performance (per cores allocated: Firewall (App-ID); Threat Prevention; VPN; Sessions per Second)
      • 2 Core: 500 Mbps; 200 Mbps; 100 Mbps; 8,000
      • 4 Core: 1 Gbps; 600 Mbps; 250 Mbps; 8,000
      • 8 Core: 1 Gbps; 1 Gbps; 400 Mbps; 8,000
  33. 33. Differentiating: App-ID vs. Two Step Scanning
      Operational ramifications of two step scanning
      • Two separate policies with duplicate info – impossible to reconcile them
      • Two log databases decrease visibility
      • Unable to systematically manage unknown traffic
      • Weakens the deny-all-else premise
      Every firewall competitor uses two step scanning
      [Diagram labels: Traffic; Firewall; Port Policy Decision; Allow port 80 traffic; IPS; App Ctrl Policy Decision; Applications; 300 or more applications]
  34. 34. Flexible Deployment Options
      Visibility
      • Application, user and content visibility without inline deployment
      Transparent In-Line
      • IPS with app visibility & control
      • Consolidation of IPS & URL filtering
      Firewall Replacement
      • Firewall replacement with app visibility & control
      • Firewall + IPS
      • Firewall + IPS + URL filtering