Palo Alto Networks and Next Generation Firewall technology

Carlos Alberto Pérez, SE Manager for Latin America at Palo Alto Networks


  1. Palo Alto Networks Overview ("the network security company™"). Carlos Alberto Pérez, Systems Engineer Manager LATAM, cperez@paloaltonetworks.com
  2. Palo Alto Networks at a Glance. Corporate highlights:
     • Founded in 2005; first customer shipment in 2007
     • Safely enabling applications
     • Able to address all network security needs
     • Exceptional ability to support global customers
     • Experienced technology and management team
     • 1,000+ employees globally
     [Chart: Enterprise customers at Jul-10, Jul-11 and Feb-13: 1,800; 4,700; 11,000]
     [Chart: Revenue ($MM, fiscal year ending July) for FY09 to FY12, bar values $13, $49, $119 and $255]
     ©2013, Palo Alto Networks. Confidential and Proprietary.
  3. Applications Have Changed, Firewalls Haven't
     • Network security policy is enforced at the firewall: it sees all traffic, defines the boundary and enables access
     • Traditional firewalls don't work any more
  4. The Right Answer: Make the Firewall Do Its Job. New requirements for the firewall:
     1. Identify applications regardless of port, protocol, evasive tactic or SSL
     2. Identify users regardless of IP address
     3. Protect in real time against threats embedded across applications
     4. Fine-grained visibility and policy control over application access and functionality
     5. Multi-gigabit, in-line deployment with no performance degradation
  5. Enabling Applications, Users and Content
  6. Single-Pass Parallel Processing™ (SP3) Architecture
     Single pass:
     • Operations once per packet: traffic classification (app identification), user/group mapping, content scanning (threats, URLs, confidential data)
     • One policy
     Parallel processing:
     • Function-specific parallel processing hardware engines
     • Separate data/control planes
     • Up to 20 Gbps, low latency
  7. Application Control Belongs in the Firewall
     Application control as an add-on (traffic -> firewall, port policy decision -> IPS, app control policy decision -> applications):
     • Port-based decision first, apps second
     • Applications treated as threats; only block what you expressly look for
     Ramifications:
     • Two policies/log databases, no reconciliation
     • Unable to effectively manage unknowns
     Application control in the firewall (traffic -> firewall, app control policy decision plus scanning the application for threats -> applications):
     • Firewall determines application identity across all ports, for all traffic, all the time
     • All policy decisions made based on application
     Ramifications:
     • Single policy/log database; all context is shared
     • Policy decisions made based on shared context
     • Unknowns systematically managed
  8. NGFW in the Enterprise Network
     Perimeter:
     • App visibility and control in the firewall: all apps, all ports, all the time
     • Prevent threats: known threats and unknown/targeted malware
     • Simplify security infrastructure
     Data center:
     • Network segmentation based on application and user, not port/IP
     • Simple, flexible network security: integration into all DC designs; highly available, high performance
     • Prevent threats
     Distributed enterprise:
     • Consistent network security everywhere: HQ, branch offices, remote and mobile users
     • Logical perimeter: policy follows applications and users, not physical location
     • Centrally managed
  9. Flexible Deployment Options
     Visibility:
     • Application, user and content visibility without inline deployment
     Transparent in-line:
     • IPS with app visibility and control
     • Consolidation of IPS and URL filtering
     Firewall replacement:
     • Firewall replacement with app visibility and control
     • Firewall + IPS
     • Firewall + IPS + URL filtering
  10. WildFire Architecture
     • Potentially malicious files from the Internet
     • Policy-based forwarding to WildFire for analysis
     • WildFire Analysis Center: sandbox-based analysis looks for over 80 malicious behaviors, generates a detailed forensics report, and creates antivirus and C&C signatures
     • Protection delivered to all customer firewalls
  11. The First 24 Hours is Critical
     [Chart: y-axis 0 to 9,000, x-axis 1 to 35 hours; sample size = 50 malware files]
  12. What is the WF-500?
     • Appliance-based version of the WildFire sandbox for on-premises, private cloud deployments
     • Ideal for customers that want to avoid sending all files to the public cloud
     • All files analyzed locally on the WF-500
     • Identical detection as the public cloud
     • Optionally sends confirmed malware to the WildFire public cloud for signature generation
     • Provides a private cloud where all firewalls can integrate with the WF-500
     [Diagram: customer firewalls on the local customer network send all unknown files to the WF-500; confirmed malware (optional) goes to the WildFire cloud, which returns signatures]
  13. Palo Alto Networks Next-Gen Firewalls
     • PA-200: 100 Mbps FW, 50 Mbps threat prevention, 64,000 sessions, 4 copper gigabit
     • PA-500: 250 Mbps FW, 100 Mbps threat prevention, 64,000 sessions, 8 copper gigabit
     • PA-3020: 2 Gbps FW, 1 Gbps threat prevention, 250,000 sessions, 8 SFP, 12 copper gigabit
     • PA-3050: 4 Gbps FW, 2 Gbps threat prevention, 500,000 sessions, 8 SFP, 12 copper gigabit
     • PA-5020: 5 Gbps FW, 2 Gbps threat prevention, 1,000,000 sessions, 8 SFP, 12 copper gigabit
     • PA-5050: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions, 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
     • PA-5060: 20 Gbps FW, 10 Gbps threat prevention, 4,000,000 sessions, 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
  14. Segmenting Traffic in the Virtual Datacenter
     • Hardware firewalls will continue to be deployed to secure and segment datacenters at the edge and for legacy servers
     • VM-Series introduces the ability for secure segmentation to be done within VMware ESXi
  15. Panorama Distributed Architecture
     • With M-100, manager and log collector functions can be split
     • Deploy multiple log collectors to scale collection infrastructure
  16. New Threats Require a Different Model for IPS Functions
     • Stand-alone IPS has a negative security model: it can only "find it and kill it"
     • Stand-alone IPS can't see into growing volumes of SSL-encrypted traffic, nor into compressed content
     • Next-generation firewalls enable an "allow application, but scan for threats" policy response
     • Gartner's recommendation: move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS, or the combination of the two
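To make the difference between the two policy models concrete (slide 7's add-on versus in-firewall application control, and slide 16's point about the negative security model of a stand-alone IPS), here is an added Python simulation. It is example code written for this page, not Palo Alto Networks code: the flows, the tiny payload-signature table that stands in for application identification, the users, groups and rules are all constructed for illustration.

```python
"""
Toy simulation of two firewall policy models (added example, not vendor code).

 * "add-on" model: a port-based firewall decides first (allow TCP/80 and TCP/443),
   then an IPS-style app-control add-on with a negative security model blocks
   only the applications it is expressly told to block. Anything it does not
   recognise passes by default.
 * "in-firewall" model: the firewall identifies the application first, on any
   port, and evaluates one application- and user-based policy. Traffic that
   matches no rule hits the default deny and is reported as an unknown.

Application identification is faked with a signature table keyed on the first
bytes of the payload; real application identification is far more involved.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    src_user: str
    dst_port: int
    payload: bytes  # first bytes of the session payload (constructed)


# Constructed payload prefixes -> application name.
APP_SIGNATURES = {
    b"GET / HTTP/1.1": "web-browsing",
    b"\x16\x03\x01": "ssl",  # TLS handshake record header
    b"BitTorrent protocol": "bittorrent",
    b"SSH-2.0": "ssh",
}


def identify_app(payload: bytes) -> str:
    """Classify a flow once from its payload, independent of the port."""
    for sig, app in APP_SIGNATURES.items():
        if payload.startswith(sig):
            return app
    return "unknown-tcp"


# Model 1: port-based firewall plus an app-control add-on (negative model).
PORT_ALLOW = {80, 443}
ADDON_BLOCKLIST = {"bittorrent"}


def addon_model(flow: Flow) -> Tuple[str, str]:
    """Two independent decisions with two separate reasons (two log sources)."""
    if flow.dst_port not in PORT_ALLOW:
        return "deny", f"fw: port {flow.dst_port} not allowed"
    app = identify_app(flow.payload)
    if app in ADDON_BLOCKLIST:
        return "deny", f"app-ctrl: {app} blocked"
    # Unknown applications are not on the blocklist, so they are allowed.
    return "allow", f"fw: port ok; app-ctrl: {app} not on blocklist"


# Model 2: application-aware firewall with one policy (positive model).
# Each rule: (allowed apps, allowed user groups, action); evaluated top-down.
APP_POLICY = [
    ({"web-browsing", "ssl"}, {"employees", "it-admins"}, "allow"),
    ({"ssh"}, {"it-admins"}, "allow"),
]
USER_GROUPS = {"alice": "employees", "bob": "it-admins"}  # constructed user mapping


def in_firewall_model(flow: Flow) -> Tuple[str, str]:
    """Single decision based on application and user; unknowns hit default deny."""
    app = identify_app(flow.payload)
    group = USER_GROUPS.get(flow.src_user, "unknown-user")
    for apps, groups, action in APP_POLICY:
        if app in apps and group in groups:
            return action, f"rule matched app={app} user={flow.src_user}({group})"
    return "deny", f"default-deny app={app} user={flow.src_user}({group})"


# Constructed sample flows.
FLOWS = [
    Flow("alice", 443, b"\x16\x03\x01\x02\x00"),          # TLS on 443
    Flow("alice", 443, b"BitTorrent protocol\x00\x00"),   # P2P hiding on 443
    Flow("alice", 443, b"\x00\x01\xaa\xbb"),              # unrecognised on 443
    Flow("bob", 2222, b"SSH-2.0-OpenSSH_8.9"),            # SSH on a non-standard port
    Flow("alice", 2222, b"SSH-2.0-OpenSSH_8.9"),          # SSH by a non-admin user
]


def compare(flows: List[Flow] = FLOWS) -> List[Tuple[int, str, str, str]]:
    """Return (port, app, add-on verdict, in-firewall verdict) for each flow."""
    return [
        (f.dst_port, identify_app(f.payload), addon_model(f)[0], in_firewall_model(f)[0])
        for f in flows
    ]


if __name__ == "__main__":
    for port, app, addon, ngfw in compare():
        print(f"port={port:<5} app={app:<13} add-on={addon:<5} in-firewall={ngfw}")
```

Run it and two rows stand out: the unrecognised payload on port 443 is allowed by the add-on model because nothing on the blocklist matched it, while the in-firewall model denies it as an unknown; and SSH on port 2222 from an administrator is denied by the port-based firewall before the add-on ever sees it, while the application-based policy allows it because the decision is keyed on application and user rather than port.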
