Palo Alto Safe Application Enablement


Speaker notes:

  • Our laser-like focus on innovation allows us to safely enable applications, users and content. Our broad family of platforms and rich feature set allow us to address all network security needs (FW, VPN, IPS, URL filtering, content inspection). The innovation we deliver to the market is influenced heavily by our customers who, like us, are innovating how their company secures the network. Our growth is driven by a product that works and a seasoned management team.
  • Use interesting examples that are not Facebook and Twitter to show that applications have changed; firewalls have not. Applications use evasive techniques to simplify use and avoid detection: AV in the late 90s started using port 80 (it is a client/server app), AIM prompted you to find an open port, BitTorrent and Skype hop ports and use encryption, MS Lync uses 443, 3489 and a host of ports above 50,000, SharePoint and function control use a range of web ports, but it is not a web app (it uses Office! SAP, Oracle, DropBox,
  • Threat ramifications: Applications are a threat vector and a target
  • Exfiltration ramifications: Today’s threats are applications – their command/control requires network communications. Apps can act as the conduit for data theft.
  • SSL and SSH: more and more applications use encryption, rendering existing FWs useless.
  • The control that once existed in the firewall has eroded over time. UTMs exist for the sole purpose of consolidating devices to save money; just google the IDC definition from 2004. UTMs suffer from performance issues, multiple policies, silo-based scanning, multiple databases, logs, etc. UTMs are all stateful-inspection based: they all make their first decision on port. We are not a UTM.
  • Talk about how a stateful FW's default policy is deny-all, versus an IPS being allow-all. This is how competitive application identification technologies work unless tuned. Discuss the need to forward traffic from the stateful FW engine to the IPS engine: how do you determine what to send? Point out that in the IPS model you need to know what to block. What happens if you don't know all the components of an application, or even what is available to you? How much time do you spend doing this? Multiple rulebases, multiple databases, multiple log databases, etc. all mean policy reconciliation challenges and a weakening of the deny-all-else premise.
  • The goal is to use applications, users and content as a means of talking about all five technologies and services: App-ID, User-ID, Content-ID, GlobalProtect and WildFire, not just the three core ones. This slide includes several good application examples, none of which are Facebook or Twitter. Each example has a user, an app and some content (a doc, a file, a threat); when traversing the FW, those elements are either allowed or blocked for specific groups of users.

    Classifying all applications, across all ports, all the time, with App-ID. Palo Alto Networks next-generation firewalls are built upon App-ID, a traffic classification technology that identifies the applications traversing the network, regardless of port, encryption (SSL or SSH) or evasive technique employed. The knowledge of exactly which applications are traversing the network, not just the port and protocol, then becomes the basis for all security policy decisions. Unidentified applications, typically a small percentage of traffic yet high in potential risk, are automatically categorized for systematic management, which can include policy control and inspection, threat forensics, creation of a custom App-ID, or submission of a packet capture for App-ID development.

    Tying users and devices, not just IP addresses, to applications with User-ID and GlobalProtect. The application identity is tied to the user through User-ID, allowing organizations to deploy enablement policies that are not based solely on the IP address. These policies can then be extended to any device at any location with GlobalProtect. User-ID integrates with a wide range of enterprise user repositories to provide the identity of the Microsoft Windows, Mac OS X, Linux, Android or iOS users accessing the application. GlobalProtect ensures that the remote user is protected consistently, in the same manner as they would be if they were operating on the local network. The combined visibility and control over a user's application activity means organizations can safely enable the use of Oracle, BitTorrent, Gmail, or any other application traversing the network, no matter where or how the user is accessing the network.

    Protecting against all threats, both known and unknown, with Content-ID and WildFire. To protect against a blend of known exploits, malware and spyware as well as completely unknown and targeted threats, organizations can first reduce the threat footprint through an explicit deny policy for unwanted applications. Content-ID can then be used to protect the applications and associated features by blocking known vulnerability exploits, viruses, and spyware in the allowed traffic. Content-ID addresses common threat evasion tactics by executing the prevention policy using the application and protocol context generated by the decoders in App-ID. Custom or unknown malware that is not controlled through traditional signatures is addressed through WildFire, which executes unknown files and monitors for more than 100 malicious behaviors in a virtualized sandbox environment. If malware is found, a signature is automatically developed and delivered to the user community.

    Enterprise-wide enablement: safe application enablement policies can help organizations improve their security posture, regardless of the deployment location. At the perimeter, organizations can reduce their threat footprint by blocking a wide range of unwanted applications and then inspecting the allowed applications for threats, both known and unknown. In the datacenter, application enablement translates to confirming that the applications, users and content are allowed and protected from threats, while simultaneously finding rogue or misconfigured applications, all at multi-Gbps speeds. In virtualized datacenter environments, organizations can apply consistent application enablement policies while addressing security challenges introduced by virtual machine movement and orchestration. Expanding outwards to enterprise branch offices and remote users, enablement is delivered through policy consistency: the same policy deployed at the corporate location is extended seamlessly to other locations.
  • A major benefit is predictable performance. It doesn't matter if we enable one profile with one signature or all profiles and all signatures; we have very consistent performance. This is a good spot to mention that competitors recommend up to 20x our threat prevention performance number when they are sizing in the same deal. We are the only vendor that consistently, across all of our platforms, has dedicated dataplane processing to handle L7 inspection. Our competitors have a couple of platforms sprinkled throughout their extensive portfolios that do this; the rest of their products need to use their central CPU to process this traffic. Most other products have some scanning components that are proxy based.
  • Take this slide as an opportunity to talk about VSYS and how we don't have any feature loss when enabling it, and don't need additional products or OS to deploy it. Discuss how reporting is built into the FW and is the same when using Panorama, which is mainly used to manage many firewalls. I like to take some time to discuss QoS and how we can shape traffic during widely viewed events such as March Madness, and tie this into our App-ID story.
Slides:

    1. Palo Alto Safe Application Enablement

    2. Palo Alto Networks Product Overview. James Sherlow, SE Manager WEUR & Africa, @jsherlow
    3. Palo Alto Networks at a Glance
       Corporate highlights: disruptive network security platform; safely enabling applications; able to address all network security needs; exceptional growth and global presence; experienced technology and management team; 800+ employees.
       [Chart: Revenue, $MM, FYE July: FY09 $13; FY10 $49; FY11 $119; FY12 $255]
       [Chart: Enterprise customers: Jul-10 1,800; Jul-11 4,700; Jul-12 9,000]
       3 | ©2012, Palo Alto Networks. Confidential and Proprietary.
    4. Applications Get Through the Firewall
       Network security policy is enforced at the firewall: it sees all traffic, defines the boundary and enables access. Traditional firewalls don't work anymore.
    5. Applications Get Through the Firewall: Threats
       Threats target applications: used as a threat vector; application-specific exploits.
    6. Applications Get Through the Firewall: Exfiltration
       Applications provide exfiltration: threat communication; confidential data.
    7. Applications Get Through the Firewall: Encryption
       What happens when traffic is encrypted? SSL; proprietary encryption.
    8. Technology Sprawl and Creep Aren't the Answer
       "More stuff" doesn't solve the problem: firewall "helpers" have a limited view of traffic; they are complex and costly to buy and maintain; they don't address application control challenges.
       [Diagram: Internet → UTM, IPS, DLP, IM, AV, URL, Proxy → Enterprise Network]
    9. The Answer? Make the Firewall Do Its Job
       (1) Identify applications regardless of port, protocol, evasive tactic or SSL
       (2) Identify and control users regardless of IP address, location, or device
       (3) Protect against known and unknown application-borne threats
       (4) Fine-grained visibility and policy control over application access / functionality
       (5) Multi-gigabit, low latency, in-line deployment
    10. Why Visibility & Control Must Be In The Firewall
       Application control as an add-on: port-based FW + app control (IPS) = two policies; applications are threats, and you only block what you expressly look for. Implications: the network access decision is made with no information; you cannot safely enable applications.
       [Diagram: Traffic → Firewall (port policy decision, on port) → IPS (app control policy decision) → Applications]
       NGFW application control: application control is in the firewall = single policy; visibility across all ports, for all traffic, all the time. Implications: the network access decision is made based on application identity; safely enable application usage.
       [Diagram: Traffic → Firewall (app control policy decision, on application) → IPS (scan application for threats) → Applications]
    11. Enabling Applications, Users and Content
    12. Enabling Applications, Users and Content
       • Applications: safe enablement begins with application classification by App-ID.
       • Users: tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
       • Content: scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.
    13. Single-Pass Parallel Processing™ (SP3) Architecture
       Single pass: operations once per packet (traffic classification / app identification; user/group mapping; content scanning for threats, URLs, confidential data); one policy.
       Parallel processing: function-specific parallel processing hardware engines; separate data/control planes.
       Up to 20 Gbps, low latency.
    14. PAN-OS Core Firewall Features
       Visibility and control of applications, users and content complement core firewall features.
       • Strong networking foundation: dynamic routing (BGP, OSPF, RIPv2); tap mode (connect to a SPAN port); virtual wire ("Layer 1") for true transparent in-line deployment; L2/L3 switching foundation; policy-based forwarding.
       • VPN: site-to-site IPSec VPN; SSL VPN.
       • QoS traffic shaping: max/guaranteed and priority; by user, app, interface, zone, and more; real-time bandwidth monitor.
       • Zone-based architecture: all interfaces assigned to security zones for policy enforcement.
       • High availability: active/active, active/passive; configuration and session synchronization; path, link, and HA monitoring.
       • Virtual systems: establish multiple virtual firewalls in a single device (PA-5000, PA-4000, and PA-2000 Series).
       • Simple, flexible
    15. Palo Alto Networks NGFW Hardware Platforms
       Model   | Firewall throughput | Threat prevention throughput | Ports                                             | Session capacity
       PA-5060 | 20 Gbps             | 10 Gbps                      | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 4,000,000
       PA-5050 | 10 Gbps             | 5 Gbps                       | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 2,000,000
       PA-5020 | 5 Gbps              | 2 Gbps                       | 8 SFP, 12 copper gigabit                          | 1,000,000
       PA-4060 | 10 Gbps             | 5 Gbps                       | 4 XFP (10 Gig), 4 SFP (1 Gig)                     | 2,000,000
       PA-4050 | 10 Gbps             | 5 Gbps                       | 8 SFP, 16 copper gigabit                          | 2,000,000
       PA-4020 | 2 Gbps              | 2 Gbps                       | 8 SFP, 16 copper gigabit                          | 500,000
       PA-3050 | 4 Gbps              | 2 Gbps                       | 8 SFP, 12 copper gigabit                          | 500,000
       PA-3020 | 2 Gbps              | 1 Gbps                       | 8 SFP, 12 copper gigabit                          | 250,000
       PA-2050 | 1 Gbps              | 500 Mbps                     | 4 SFP, 16 copper gigabit                          | 250,000
       PA-2020 | 500 Mbps            | 250 Mbps                     | 8 copper gigabit                                  | 125,000
       PA-500  | 250 Mbps            | 100 Mbps                     | 8 copper gigabit                                  | 64,000
       PA-200  | 100 Mbps            | 50 Mbps                      | 4 copper gigabit                                  | 64,000
    16. Palo Alto Networks NGFW Virtualized Platforms
       Delivers the same next-generation firewall features available in our hardware platforms in a virtualized form-factor.
       Capacities:
       Model  | Sessions | Rules | Security zones | Address objects | IPSec VPN tunnels | SSL VPN tunnels
       VM-100 | 50,000   | 250   | 10             | 2,500           | 25                | 25
       VM-200 | 100,000  | 2,000 | 20             | 4,000           | 500               | 200
       VM-300 | 250,000  | 5,000 | 40             | 10,000          | 2,000             | 500
       Performance:
       Cores allocated | Firewall (App-ID) | Threat prevention | VPN      | Sessions per second
       2 cores         | 500 Mbps          | 200 Mbps          | 100 Mbps | 8,000
       4 cores         | 1 Gbps            | 600 Mbps          | 250 Mbps | 8,000
       8 cores         | 1 Gbps            | 1 Gbps            | 400 Mbps | 8,000
       Supported on VMware ESX/ESXi 4.0 or later. Minimum of 2 dedicated CPU cores, 4 GB dedicated RAM, 40 GB HD, 2 interfaces. Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames.
    17. NGFW in the Enterprise Network
       • Perimeter: app visibility and control in the firewall; all apps, all ports, all the time; prevent threats (known threats; unknown/targeted malware); simplify security infrastructure.
       • Data center: network segmentation based on application and user, not port/IP; simple, flexible network security; integration into all DC designs; highly available, high performance; prevent threats.
       • Distributed enterprise: consistent network security everywhere (HQ/branch offices/remote and mobile users); logical perimeter; policy follows applications and users, not physical location; centrally managed.
    18. Addresses Three Key Business Problems
       • Identify and control applications: identifies over 1,500 applications, regardless of port, protocol, encryption, or evasive tactic; fine-grained control over applications (allow, deny, limit, scan, shape); addresses the key deficiencies of legacy firewall infrastructure.
       • Prevent threats: stop a variety of known threats, such as exploits (by vulnerability), viruses, spyware
    19. Many Third Parties Reach the Same Conclusion
       • Gartner Enterprise Network Firewall Magic Quadrant: Palo Alto Networks leading the market.
       • Forrester IPS Market Overview: strong IPS solution; demonstrates effective consolidation.
       • NetworkWorld test: most stringent NGFW test to date; validated sustained performance and key differences.
       • NSS tests: IPS, Palo Alto Networks NGFW tested against competitors' standalone IPS devices, NSS Recommended; Firewall, traditional port-based firewall test, Palo Alto Networks most efficient by a wide margin, NSS Recommended; NGFW, Palo Alto Networks best combination of protection, performance, and value, NSS Recommended (1 of only 3).
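Slide 10, and the speaker notes on the deny-all firewall versus the allow-all IPS, argue that a port-based firewall with an add-on IPS makes the access decision with no application information and then only stops what the IPS has explicitly been told to look for, whereas a single rulebase keyed on application and user identity keeps the deny-all-else premise. The Python below is an added example written for this page; it is not Palo Alto Networks code and not how App-ID or User-ID are implemented. The four fingerprints are the real leading bytes of SSH, BitTorrent, TLS and HTTP, but the classifier, the rule tables, the IP-to-user map and the sample flows are constructed stand-ins.

```python
"""Port-based firewall + add-on IPS versus a single application/user policy.

Added illustration for this page; not Palo Alto Networks code.  The leading
bytes used as fingerprints are the real ones for each protocol; everything
else (rule tables, IP-to-user map, sample flows) is constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes  # first bytes the client sends (constructed)


def identify_app(payload: bytes) -> str:
    """Classify by what is on the wire, ignoring the port entirely.

    A stand-in for App-ID: real products use full decoders and heuristics;
    this only matches the first bytes of four protocols.
    """
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload[:3] == b"\x16\x03\x01":  # TLS record header of a ClientHello
        return "ssl"
    method = payload.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD") and b" HTTP/1." in payload:
        return "web-browsing"
    return "unknown"


# Legacy model: the stateful firewall decides on port alone, then an IPS with
# an allow-all default blocks only the applications someone listed.
PORT_ALLOW = {80, 443}
IPS_BLOCK = {"bittorrent"}


def legacy_decision(flow: Flow) -> str:
    if flow.dst_port not in PORT_ALLOW:
        return "deny (port)"
    app = identify_app(flow.payload)  # the IPS sees the app; the firewall never did
    if app in IPS_BLOCK:
        return "deny (ips)"
    return "allow"  # anything the IPS was not told about sails through


# NGFW model: one rulebase keyed on user group and application identity,
# evaluated top-down with deny-all-else.  Constructed identity data.
USER_ID = {"10.1.1.10": "alice", "10.1.1.11": "bob"}
GROUPS = {"alice": "finance", "bob": "engineering"}
APP_RULES = [  # (group, application, action)
    ("engineering", "ssh", "allow"),
    ("any", "web-browsing", "allow"),
    ("any", "ssl", "allow"),
]


def ngfw_decision(flow: Flow) -> str:
    user = USER_ID.get(flow.src_ip, "unknown-user")
    group = GROUPS.get(user, "unknown-group")
    app = identify_app(flow.payload)
    for rule_group, rule_app, action in APP_RULES:
        if rule_group in ("any", group) and rule_app == app:
            return f"{action} ({app} for {user})"
    return f"deny (no rule for {app} from {user})"


# Constructed sample flows; the SSH and BitTorrent ones hide on 443.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow("10.1.1.10", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.1.1.11", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.1.1.10", 443, b"\x13BitTorrent protocol\x00\x00\x00\x00\x00\x10\x00\x05"),
    Flow("10.1.1.10", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow("10.1.1.11", 443, b"\x00\x00\x00\x0c\x00\x00\x00\x01evasive"),
]


def compare(flows=SAMPLE_FLOWS):
    """Return (app, port, legacy decision, NGFW decision) per flow."""
    return [(identify_app(f.payload), f.dst_port, legacy_decision(f), ngfw_decision(f))
            for f in flows]


if __name__ == "__main__":
    for app, port, legacy, ngfw in compare():
        print(f"{app:13s} :{port:<5d} legacy={legacy:12s} ngfw={ngfw}")
```

Running it prints one row per flow. The two SSH-on-443 flows are the point of the slide: the port-based path allows both, because 443 is open and SSH is not on the IPS block list, while the application-keyed rulebase allows only the engineering user's SSH and denies finance's. The last flow, an unrecognised protocol on 443, is allowed by the legacy path and denied by the single rulebase because no rule matches it, which is the "unknown applications are small in volume but high in risk" case from the notes. The HTTP flow on 8080 shows the other half of enablement: a known application is permitted on a port a port-based rule would have blocked. The classifier here only ever sees the first client bytes, so an evasive application that delays or disguises its handshake would land in "unknown"; the deny-all-else default is what keeps that a safe outcome.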