Palo Alto Networks and Next Generation Firewall technology


Carlos Alberto Pérez, SE Manager for Latin America at Palo Alto Networks


1. Palo Alto Networks Overview (the network security company™)
   Carlos Alberto Pérez, Systems Engineer Manager LATAM, cperez@paloaltonetworks.com
2. Palo Alto Networks at a Glance
   Corporate highlights
   • Founded in 2005; first customer shipment in 2007
   • Safely enabling applications
   • Able to address all network security needs
   • Exceptional ability to support global customers
   • Experienced technology and management team
   • 1,000+ employees globally
   [Chart: Enterprise customers: 1,800 (Jul-10), 4,700 (Jul-11), 11,000 (Feb-13)]
   [Chart: Revenue in $MM, fiscal year ending July: $13 (FY09), $49 (FY10), $119 (FY11), $255 (FY12)]
   2 | ©2013, Palo Alto Networks. Confidential and Proprietary.
3. Applications Have Changed, Firewalls Haven't
   • Network security policy is enforced at the firewall
     - Sees all traffic
     - Defines boundary
     - Enables access
   • Traditional firewalls don't work any more
4. The Right Answer: Make the Firewall Do Its Job
   New Requirements for the Firewall
   1. Identify applications regardless of port, protocol, evasive tactic or SSL
   2. Identify users regardless of IP address
   3. Protect in real-time against threats embedded across applications
   4. Fine-grained visibility and policy control over application access / functionality
   5. Multi-gigabit, in-line deployment with no performance degradation
5. Enabling Applications, Users and Content
6. Single-Pass Parallel Processing™ (SP3) Architecture
   Single Pass
   • Operations once per packet
     - Traffic classification (app identification)
     - User/group mapping
     - Content scanning: threats, URLs, confidential data
   • One policy
   Parallel Processing
   • Function-specific parallel processing hardware engines
   • Separate data/control planes
   • Up to 20 Gbps, low latency
7. Application Control Belongs in the Firewall
   Application Control as an Add-on
   [Diagram: traffic hits a port-based firewall first (port policy decision), then a separate IPS makes the app control policy decision]
   • Port-based decision first, apps second
   • Applications treated as threats; only block what you expressly look for
   Ramifications
   • Two policies/log databases, no reconciliation
   • Unable to effectively manage unknowns
   Application Control in the Firewall
   [Diagram: the firewall makes the app control policy decision on the identified application, then scans the application for threats]
   • Firewall determines application identity; across all ports, for all traffic, all the time
   • All policy decisions made based on application
   Ramifications
   • Single policy/log database; all context is shared
   • Policy decisions made based on shared context
   • Unknowns systematically managed
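The difference between the two models on this slide is easiest to see in code. The following is an added example written for this page, not Palo Alto Networks' App-ID or PAN-OS policy code: `identify_app` is a toy classifier that only looks at the first bytes of a flow, the threat signatures, rule sets and sample flows are all constructed, and the names (`Flow`, `AppRule`, `port_policy`, `app_policy`) are this example's own. It shows why a port-based rule for 443 lets SSH and unidentified traffic through, while an application-based rule set denies them and treats "unknown-tcp" as a first-class verdict that can be matched and logged, and it adds the "allow the application, then scan it" step in the same decision.

```python
"""Port-based vs application-based firewall policy (added example, not PAN-OS code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    user: str
    dst_port: int
    payload: bytes          # first client-to-server bytes of the session


def identify_app(payload: bytes) -> str:
    """Toy stand-in for application identification: classify by content, never by port."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "ssl"                       # TLS handshake record header
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "web-browsing"
    return "unknown-tcp"                   # nothing matched: still a verdict policy can act on


# Constructed "threat signatures" for the content-scan step (not a real signature set).
THREAT_SIGNATURES: Dict[str, bytes] = {
    "http-path-traversal": b"../../",
    "eicar-test-file": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
}


def scan_for_threats(payload: bytes) -> Optional[str]:
    for name, pattern in THREAT_SIGNATURES.items():
        if pattern in payload:
            return name
    return None


def port_policy(flow: Flow, allowed_ports: FrozenSet[int]) -> dict:
    """Legacy model: the decision is made on the port alone; content is never consulted."""
    action = "allow" if flow.dst_port in allowed_ports else "deny"
    return {"action": action, "app": None,
            "rule": "port-rule" if action == "allow" else "implicit-deny"}


@dataclass(frozen=True)
class AppRule:
    name: str
    apps: FrozenSet[str]
    action: str             # "allow" | "deny"
    scan: bool = False      # scan allowed traffic for threats: allow the app, then scan it


def app_policy(flow: Flow, rules: List[AppRule]) -> dict:
    """NGFW model: identify the application first, then make one decision from shared context."""
    app = identify_app(flow.payload)
    for rule in rules:
        if app not in rule.apps:
            continue
        if rule.action == "allow" and rule.scan:
            threat = scan_for_threats(flow.payload)
            if threat:
                return {"action": "deny", "app": app, "rule": rule.name, "threat": threat}
        return {"action": rule.action, "app": app, "rule": rule.name, "threat": None}
    # No rule matched the identified application: deny, and record the app so the
    # verdict lands in the same log as everything else instead of vanishing.
    return {"action": "deny", "app": app, "rule": "implicit-deny", "threat": None}


ALLOWED_PORTS = frozenset({80, 443})
APP_RULES = [
    AppRule("allow-web", frozenset({"web-browsing", "ssl"}), "allow", scan=True),
    AppRule("block-unknown", frozenset({"unknown-tcp"}), "deny"),
]

# Constructed sample flows, all on port 80 or 443 so the port-based policy allows every one.
SAMPLE_FLOWS = {
    "tls-on-443":     Flow("alice", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    "ssh-on-443":     Flow("bob",   443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "unknown-on-443": Flow("carol", 443, b"\x00\x00\x00\x07hello"),
    "http-traversal": Flow("dave",  80,  b"GET /../../etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n"),
}


def compare(flows=SAMPLE_FLOWS) -> Dict[str, Tuple[str, str]]:
    """Return {flow name: (port-policy action, app-policy action)} for each sample flow."""
    return {name: (port_policy(f, ALLOWED_PORTS)["action"], app_policy(f, APP_RULES)["action"])
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (port_action, app_action) in compare().items():
        print(f"{name:16} port-policy={port_action:5}  app-policy={app_action}")
```

Only the TLS flow is allowed by both models; SSH on 443, the unidentified flow and the HTTP request carrying a traversal pattern are all allowed by the port rule and denied by the application rule set, each for a different, logged reason (no matching application, the explicit unknown rule, and the post-allow content scan).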
8. NGFW in the Enterprise Network
   Perimeter
   • App visibility and control in the firewall
   • All apps, all ports, all the time
   • Prevent threats: known threats; unknown/targeted malware
   • Simplify security infrastructure
   Data Center
   • Network segmentation based on application and user, not port/IP
   • Simple, flexible network security
   • Integration into all DC designs
   • Highly available, high performance
   • Prevent threats
   Distributed Enterprise
   • Consistent network security everywhere: HQ, branch offices, remote and mobile users
   • Logical perimeter: policy follows applications and users, not physical location
   • Centrally managed
9. Flexible Deployment Options
   Visibility
   • Application, user and content visibility without inline deployment
   Transparent In-Line
   • IPS with app visibility & control
   • Consolidation of IPS & URL filtering
   Firewall Replacement
   • Firewall replacement with app visibility & control
   • Firewall + IPS
   • Firewall + IPS + URL filtering
10. WildFire Architecture
   • WildFire Analysis Center
   • Potentially malicious files from the Internet
   • Protection delivered to all customer firewalls
   • Policy-based forwarding to WildFire for analysis
     - Sandbox-based analysis looks for over 80 malicious behaviors
     - Generates detailed forensics report
     - Creates antivirus and C&C signatures
11. The First 24 Hours is Critical
   [Chart: x-axis hours 1 to 35, y-axis 0 to 9,000; sample size = 50 malware files]
12. What is the WF-500?
   • Appliance-based version of the WildFire sandbox for on-premises, private cloud deployments
   • Ideal for customers that want to avoid sending all files to the public cloud
   • All files analyzed locally on the WF-500
   • Identical detection as the public cloud
   • Optionally sends confirmed malware to the WildFire public cloud for signature generation
   • Provides a private cloud where all firewalls can integrate with the WF-500
   [Diagram: customer firewalls on the local customer network send all unknown files to the WF-500; confirmed malware is optionally sent to the WildFire cloud, which returns signatures]
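The data flow on slides 10 and 12 (unknown files forwarded for analysis, a verdict and signature coming back to every firewall, and the WF-500 choice of keeping files local while optionally sharing confirmed malware) can be modelled end to end. The code below is an added example written for this page, not Palo Alto Networks' WildFire or WF-500 implementation. The "sandbox" is a constructed string-matching stand-in for dynamic behaviour analysis, the behaviour indicators and sample files are constructed, and all class and function names (`AnalysisCloud`, `PrivateSandbox`, `Firewall`, `run_scenario`) are this example's own.

```python
"""WildFire-style unknown-file analysis flow (added example, not Palo Alto Networks code)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed behaviour indicators for the toy sandbox. A real sandbox observes these
# behaviours while the sample runs; matching strings in the file is only a stand-in here.
BEHAVIOUR_INDICATORS: Dict[str, bytes] = {
    "persistence-run-key": b"CurrentVersion\\Run",
    "process-injection":   b"WriteProcessMemory",
    "c2-beacon":           b"http://203.0.113.7/gate.php",   # TEST-NET-3 address, constructed
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    digest: str
    malicious: bool
    behaviours: List[str]   # the "forensics report" for this sample


class AnalysisCloud:
    """Public analysis service: analyzes files and keeps the global signature set."""

    def __init__(self) -> None:
        self.signatures: Set[str] = set()     # hash signatures pushed to every firewall
        self.reports: Dict[str, Verdict] = {}

    def analyze(self, data: bytes) -> Verdict:
        digest = sha256(data)
        if digest in self.reports:            # already analyzed: reuse the verdict
            return self.reports[digest]
        behaviours = [name for name, pattern in BEHAVIOUR_INDICATORS.items() if pattern in data]
        verdict = Verdict(digest, bool(behaviours), behaviours)
        self.reports[digest] = verdict
        if verdict.malicious:
            self.signatures.add(digest)       # signature generation
        return verdict


class PrivateSandbox(AnalysisCloud):
    """WF-500-like appliance: every file is analyzed locally; confirmed malware is
    forwarded to the public cloud for signature generation only if sharing is enabled."""

    def __init__(self, public: Optional[AnalysisCloud], share_confirmed_malware: bool) -> None:
        super().__init__()
        self.public = public
        self.share = share_confirmed_malware

    def analyze(self, data: bytes) -> Verdict:
        verdict = super().analyze(data)
        if verdict.malicious and self.share and self.public is not None:
            self.public.analyze(data)         # only confirmed malware ever leaves the site
        return verdict


class Firewall:
    """Forwards only unknown files; blocks on a known signature without a round trip."""

    def __init__(self, name: str, sandbox: AnalysisCloud) -> None:
        self.name = name
        self.sandbox = sandbox                # shared reference models the signature feed
        self.local_verdicts: Dict[str, str] = {}
        self.forwarded: List[str] = []        # digests this firewall had to send for analysis

    def inspect_file(self, data: bytes) -> str:
        digest = sha256(data)
        if digest in self.sandbox.signatures:
            return "block"
        if digest not in self.local_verdicts:
            self.forwarded.append(digest)
            verdict = self.sandbox.analyze(data)
            self.local_verdicts[digest] = "block" if verdict.malicious else "allow"
        return self.local_verdicts[digest]


def run_scenario(share_confirmed_malware: bool) -> dict:
    public = AnalysisCloud()
    wf500 = PrivateSandbox(public, share_confirmed_malware)
    fw_a, fw_b = Firewall("fw-a", wf500), Firewall("fw-b", wf500)
    # Constructed sample files: a "dropper" carrying all three indicators and a benign document.
    dropper = b"MZ...WriteProcessMemory...CurrentVersion\\Run...http://203.0.113.7/gate.php"
    report = b"%PDF-1.7 quarterly numbers, nothing executable here"
    first = fw_a.inspect_file(dropper)        # unknown: forwarded, found malicious, blocked
    second = fw_b.inspect_file(dropper)       # signature already present: blocked, no analysis
    benign = fw_a.inspect_file(report)        # unknown: forwarded, benign, allowed
    return {
        "first_sight": first, "second_sight": second, "benign": benign,
        "fw_b_forwarded": len(fw_b.forwarded),
        "behaviours": wf500.reports[sha256(dropper)].behaviours,
        "public_has_signature": sha256(dropper) in public.signatures,
        "public_saw_benign_file": sha256(report) in public.reports,
    }


if __name__ == "__main__":
    for share in (False, True):
        print(f"share_confirmed_malware={share}: {run_scenario(share)}")
```

The second firewall blocks the dropper without forwarding anything, which is the "protection delivered to all customer firewalls" property; and in both runs the benign document never reaches the public cloud, while the dropper's signature reaches it only when sharing is switched on.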
13. Palo Alto Networks Next-Gen Firewalls
   • PA-200: 100 Mbps FW, 50 Mbps Threat Prevention, 64,000 sessions, 4 copper gigabit
   • PA-500: 250 Mbps FW, 100 Mbps Threat Prevention, 64,000 sessions, 8 copper gigabit
   • PA-3020: 2 Gbps FW, 1 Gbps Threat Prevention, 250,000 sessions, 8 SFP, 12 copper gigabit
   • PA-3050: 4 Gbps FW, 2 Gbps Threat Prevention, 500,000 sessions, 8 SFP, 12 copper gigabit
   • PA-5020: 5 Gbps FW, 2 Gbps Threat Prevention, 1,000,000 sessions, 8 SFP, 12 copper gigabit
   • PA-5050: 10 Gbps FW, 5 Gbps Threat Prevention, 2,000,000 sessions, 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
   • PA-5060: 20 Gbps FW, 10 Gbps Threat Prevention, 4,000,000 sessions, 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
14. Segmenting Traffic in the Virtual Datacenter
   • Hardware firewalls will continue to be deployed to secure and segment datacenters at the edge and for legacy servers
   • VM-Series introduces the ability for secure segmentation to be done within VMware ESXi
15. Panorama Distributed Architecture
   • With M-100, manager and log collector functions can be split
   • Deploy multiple log collectors to scale collection infrastructure
16. New Threats Require a Different Model for IPS Functions
   • Stand-alone IPS has a negative security model: it can only "find it and kill it"
   • Stand-alone IPS can't see into growing volumes of SSL-encrypted traffic, nor into compressed content
   • Next-generation firewalls enable an "allow application, but scan for threats" policy response
   • Gartner's recommendation: move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS, or the combination of the two.