Palo_Alto_Networks_Cust_June_2009.ppt

Palo Alto Networks
Product Overview
Karsten Dindorp, Computerlinks

© 2009 Palo Alto Networks. Proprietary and Confidential
Page 2 |
Applications Have Changed – Firewalls Have Not
• The gateway at the trust
border is the right place to
enforce policy control
 Sees all traffic
 Defines trust boundary
Collaboration / Media
SaaS Personal
• But applications have changed
 Ports ≠ Applications
 IP addresses ≠ Users
 Headers ≠ Content
Need to Restore Application Visibility & Control in the Firewall

Page 3 |
Stateful Inspection Classification
The Common Foundation of Nearly All Firewalls
• Stateful Inspection classifies traffic by looking at the IP header
- source IP
- source port
- destination IP
- destination port
- protocol
• Internal table creates mapping to well-known protocols/ports
- HTTP = TCP port 80
- SMTP = TCP port 25
- SSL = TCP port 443
- etc, etc, etc…

© 2009 Palo Alto Networks. Proprietary and Confidential.
Page 4 |
Enterprise End Users Do What They Want
• The Application Usage & Risk Report from Palo Alto Networks highlights actual behavior of 960,000
users across 60 organizations:
- HTTP is the universal app protocol – 64% of BW, most HTTP apps not browser-based
- Video is king of the bandwidth hogs – 30x P2P filesharing
- Applications are the major unmanaged threat vector
• Business Risks: Productivity, Compliance, Operational Cost, Business Continuity and Data Loss

Page 5 |
Firewall “helpers” Is Not The Answer
• Complex to manage
• Expensive to buy and maintain
• Firewall “helpers” have limited view of traffic
• Ultimately, doesn’t solve the problem
Internet

Page 6 |
New Requirements for the Firewall
1. Identify applications regardless of
port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Scan application content in real-time
(prevent threats and data leaks)
4. Granular visibility and policy control
over application access / functionality
5. Multi-gigabit, in-line deployment with
no performance degradation
The Right Answer: Make the Firewall Do Its Job

Page 7 |
Identification Technologies Transforming the Firewall
App-ID
Identify the application
User-ID
Identify the user
Content-ID
Scan the content

Page 8 |
Purpose-Built Architectures (PA-4000 Series)
Signature Match HW Engine
• Palo Alto Networks’ uniform
signatures
• Vulnerability exploits (IPS), virus,
spyware, CC#, SSN, and other
signatures
Multi-Core Security Processor
• High density processing for flexible
security functionality
• Hardware-acceleration for
standardized complex functions (SSL,
IPSec, decompression)
Dedicated Control Plane
• Highly available mgmt
• High speed logging and
route updates
10Gbps
Signature
Match
RAM
RAM
RAM
RAM
Dual-core
CPU
RAM
RAM
HDD
10 Gig Network Processor
• Front-end network processing offloads
security processors
• Hardware accelerated QoS, route
lookup, MAC lookup and NAT
CPU
16
. .
SSL IPSec
De-
Compression
CPU
1
CPU
2
10Gbps
Control Plane Data Plane
RAM
RAM
CPU
3
QoS
Route,
ARP,
MAC
lookup
NAT

Page 9 |
PAN-OS Core Features
• Strong networking
foundation:
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN
- Tap mode – connect to SPAN port
- Virtual wire (“Layer 1”) for true
transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping
- Max, guaranteed and priority
- By user, app, interface, zone, and
more
• High Availability:
- Active / passive
- Configuration and session
synchronization
- Path, link, and HA monitoring
• Virtualization:
- All interfaces (physical or logical)
assigned to security zones
- Establish multiple virtual systems to
fully virtualized the device (PA-4000
& PA-2000 only)
• Intuitive and flexible
management
- CLI, Web, Panorama, SNMP, Syslog

© 2008 Palo Alto Networks. Proprietary and Confidential.
Page 10 |
Flexible Deployment Options
Application Visibility Transparent In-Line Firewall Replacement
• Connect to span port
• Provides application visibility
without inline deployment
• Deploy transparently behind existing
firewall
• Provides application visibility &
control without networking changes
• Replace existing firewall
• Provides application and network-
based visibility and control,
consolidated policy, high
performance

Page 11 |
Palo Alto Networks Next-Gen Firewalls
PA-4050
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
PA-4020
• 2 Gbps FW
• 500,000 sessions
PA-4060
• 10 Gbps FW
• 2,000,000 sessions
• 4 XFP (10 Gig) I/O
• 4 SFP (1 Gig) I/O
PA-2050
• 1 Gbps FW
• 500 Mbps threat prevention
PA-2020
• 500 Mbps FW
PA-500
• 250 Mbps FW
• 50,000 sessions

Page 12 |
PAN-OS 3.0 Summary of Features
• Networking
- Quality of Service Enforcement
- SSL VPN
- IPv6 Firewall (Virtual Wire)
- IPsec Multiple Phase 2 SAs
- 802.3ad link aggregation
- PA-2000 virtual systems licenses (+5)
• App-ID
- Custom Web-based App-IDs
- Custom App-ID Risk and Timeouts
- CRL checking within SSL forward proxy
• Threat Prevention & URL Filtering
- Dynamic URL Filtering DB
- Increased signature capacity
- Threat Exception List
- CVE in Threat Profiles
• User Identification
- Citrix/Terminal Server User ID
- Proxy X-Forwarded-For Support
• Visibility and Reporting
- User Activity Report
• Management
- Multi-zone Rules
- Automated Config Backup in Panorama
- Role-based admins in Panorama
- SNMP Enhancements
 Custom community string
 Extended MIB support
- XML-based REST API
- Ability to Duplicate Objects
- Log Export Enhancements
 Support for FTP
 Scheduler
- Custom Admin Login Banner
- Web-based Tech Support Export
- Database indexing
- Configurable management I/O settings

Palo_Alto_Networks_Cust_June_2009.ppt

Recommended

Recommended

More Related Content

Similar to Palo_Alto_Networks_Cust_June_2009.ppt

Similar to Palo_Alto_Networks_Cust_June_2009.ppt (20)

Recently uploaded

Recently uploaded (20)

Palo_Alto_Networks_Cust_June_2009.ppt