Technology Overview
Palo Alto Networks
Applications Have Changed; Firewalls Have Not
© 2011 Palo Alto Networks. Proprietary and Confidential.Page 2 |
• Need to restore visibility and control in the firewall
BUT…applications have changed
• Ports ≠ Applications
• IP Addresses ≠ Users
• Packets ≠ Content
The gateway at the trust border is the right place to enforce policy control
• Sees all traffic
• Defines trust boundary
Applications Carry Risk
© 2011 Palo Alto Networks. Proprietary and Confidential.Page 3 |
Applications can be “threats”
• P2P file sharing, tunneling applications, anonymizers, media/video
Applications carry threats
• SANS Top 20 Threats – majority are application-level threats
Applications & application-level threats result in major breaches – Pfizer, VA, US Army
Traditional Firewalls Do NOT Work!
• ACL control on services/ports/protocols only
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• “More stuff” doesn’t solve the problem
• Putting all of this in the same box is just slow
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Identify and prevent potential threats associated with all high risk applications
4. Granular policy-based control over applications, users, functionality
5. Multi-gigabit, in-line deployment with no performance degradation
Gartner Says: Plan Now for Transition to NGFW
Single-Pass Parallel Processing (SP3) Architecture
• Up to 10Gbps, Low Latency
Technologies That Transform the Firewall
App-ID
Identify the application
User-ID
Identify the user
Content-ID
Scan the content
How the ID Technologies Work Together
[Diagram: Identify traffic (App-ID) → Is User Allowed? (User-ID) → What Threats? (Content-ID)]
App-ID identification chain: PortNumber-TCP → SSL → HTTP → GMail / GoogleTalk
Full cycle threat prevention
• Intrusion prevention
• Malware blocking
• Anti-virus control
• URL site blocking
• Encrypted and compressed files
Data leakage control (inbound and outbound)
• Credit card numbers
• Custom data strings
• Document file types
Application ID | Components
Protocol Decoders
• Detect Protocol in Protocol within a session
• Provide context for application signatures
Protocol Decryption
• “Man in the middle” SSL & SSH decryption
Application Signatures
• Detect Layer 7 signatures within a session
Heuristics
• Looks for patterns of communication when no signature exists
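The four components above are easier to see as a pipeline. The following is an added example (not Palo Alto Networks code) of port-independent, staged identification in Python: a TLS stage that stands in for decryption by reading only the SNI (no man-in-the-middle is performed here), Layer 7 signatures, an HTTP decoder that finds the application carried inside HTTP ("protocol in protocol"), and a fallback heuristic. The signatures, host lists, the packet-size heuristic and the sample sessions are all constructed for illustration.

```python
"""Staged, port-independent application identification in the spirit of the
App-ID components on this slide (decryption, decoders, signatures, heuristics).
Added example, not Palo Alto Networks code: the signatures, host lists, the
heuristic and the sample sessions are all constructed for illustration."""
import re
from dataclasses import dataclass, field


@dataclass
class Session:
    dst_port: int
    payload: bytes                      # first bytes of the client-to-server stream
    tls: bool = False                   # stream is TLS; only the ClientHello SNI is visible
    sni: str = ""                       # server name from the ClientHello, when tls is True
    pkt_sizes: list = field(default_factory=list)  # sizes of the first packets, for heuristics


# Layer 7 application signatures over the cleartext stream (constructed).
SIGNATURES = [
    (re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n"), "web-browsing"),
    (re.compile(rb"^SSH-2\.0-"), "ssh"),
    (re.compile(rb"^\x13BitTorrent protocol"), "bittorrent"),
]
# "Protocol in protocol": applications carried inside HTTP, keyed on the Host header.
HOST_APPS = {"mail.google.com": "gmail", "talk.google.com": "google-talk"}
# Stand-in for SSL decryption: without a man-in-the-middle we only get the SNI.
SNI_APPS = dict(HOST_APPS)


def http_host(payload):
    """Host header of an HTTP request, lower-cased, or None."""
    m = re.search(rb"\r\nHost: ([^\r\n]+)\r\n", payload)
    return m.group(1).decode("ascii", "replace").lower() if m else None


def looks_like_p2p(pkt_sizes):
    """Illustrative heuristic (an assumption): a run of small, near-uniform packets."""
    return len(pkt_sizes) >= 5 and max(pkt_sizes) < 100 and max(pkt_sizes) - min(pkt_sizes) <= 4


def identify(session):
    """Return (application, component) where component names the stage that decided.
    The destination port is deliberately never consulted: ports != applications."""
    if session.tls:                                   # 1. decryption stage (SNI only here)
        return (SNI_APPS.get(session.sni.lower(), "ssl"), "decryption")
    for pattern, app in SIGNATURES:                   # 2. application signatures
        if pattern.search(session.payload):
            if app == "web-browsing":                 # 3. decoder looks inside HTTP
                host = http_host(session.payload)
                if host in HOST_APPS:
                    return (HOST_APPS[host], "decoder")
            return (app, "signature")
    if looks_like_p2p(session.pkt_sizes):             # 4. heuristics when nothing matched
        return ("unknown-p2p", "heuristic")
    return ("unknown-tcp", "none")


# Constructed sessions: note SSH on port 80 and Gmail over plain HTTP on 8080.
SAMPLE_SESSIONS = {
    "ssh-on-80": Session(80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "gmail-on-8080": Session(8080, b"GET /mail/ HTTP/1.1\r\nHost: mail.google.com\r\n\r\n"),
    "talk-tls": Session(443, b"", tls=True, sni="talk.google.com"),
    "torrent": Session(6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
    "odd-flow": Session(4444, b"\x00\x01", pkt_sizes=[60, 60, 61, 60, 62]),
    "plain-unknown": Session(443, b"hello", pkt_sizes=[60, 1400]),
}


def classify_all(sessions=SAMPLE_SESSIONS):
    """Map each sample session name to its (application, deciding component)."""
    return {name: identify(s) for name, s in sessions.items()}


if __name__ == "__main__":
    for name, (app, stage) in classify_all().items():
        print(f"{name:14} -> {app:12} (decided by: {stage})")
```

The point to take from running it is the ordering: the decryption stage runs before signatures (an encrypted stream yields nothing to the pattern matcher), the decoder refines a generic "web-browsing" hit into the real application, and the heuristic only fires when every earlier stage has failed, which is also why its output is labelled "unknown-p2p" rather than a confident application name.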
NGFW: Key differentiation from the Rest
• IPS uses a negative enforcement model: unless the administrator knows what is on the network and configures the IPS to look for it and kill it, anything else is allowed to traverse the network.
• A traditional firewall uses a positive control security model, which defaults to denying all traffic except for those ports and services that are explicitly allowed.
• From a security standpoint, both IPS and firewall must co-exist and work together, combined with application visibility and control (App-ID), user identification (User-ID) and content inspection (Content-ID). That is what achieves the NGFW – Palo Alto Networks!
Hardware Model & Sizing
PA-500 Specifications
Specs
• 250M FW / 100M VPN / 100M threat
• 50,000 sessions
• 250 VPN tunnels
• 8 copper gigabit interfaces
• Runs PAN-OS 3.0 and later
General hardware
• 1U rack mountable
• Single non-modular power supply
• 160GB hard drive
• Dedicated mgmt port
• RJ-45 console port
PA-500 Architecture
Multi-Core Security Processor
• High density processing for networking and security functions
• Hardware-acceleration for standardized complex functions (SSL, IPSec)
• Signature match virtual software engine
Dedicated Control Plane
• Highly available mgmt
• High speed logging and route updates
[Block diagram: Control Plane = dual-core CPU, RAM, HDD; Data Plane = CPU 1–4 with RAM and SSL/IPSec acceleration]
PA-2000 Series Specifications
- 1U rack-mountable chassis
- Single non-modular power supply
- 160GB hard drive (cold swappable)
- Dedicated out-of-band management port
- RJ-45 console port, user definable HA port
PA-2050
• 1 Gbps FW
• 500 Mbps threat prevention
• 250,000 sessions
• 16 copper gigabit
• 4 SFP interfaces
PA-2020
• 500 Mbps FW
• 200 Mbps threat prevention
• 125,000 sessions
• 12 copper gigabit
• 2 SFP interfaces
2000 Series Architecture
Signature Match Processor
• Palo Alto Networks’ uniform signatures
• Multiple memory banks – memory bandwidth scales performance
Multi-Core Security Processor
• High density processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec)
Network Processor
• Front-end network processing offloads security processors
• Hardware accelerated route lookup, MAC lookup and NAT
Dedicated Control Plane
• Highly available mgmt
• High speed logging and route updates
[Block diagram: 1Gbps in/out; Data Plane = Network Processor (route, ARP, MAC lookup, NAT), Signature Match Processor with RAM banks, Security Processor CPU 1–4 with SSL/IPSec acceleration; Control Plane = dual-core CPU, RAM, HDD]
PA-4000 Series Specifications
- 2U, 19” rack-mountable chassis
- Dual hot swappable AC power supplies
- Dedicated out-of-band management port
- 2 dedicated HA ports
- DB9 console port
- 160GB hard drive
PA-4050
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
PA-4020
• 2 Gbps FW
• 2 Gbps threat prevention
• 500,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
PA-4060
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 4 XFP (10 Gig) I/O
• 4 SFP (1 Gig) I/O
PA-4000 Series Architecture
Signature Match HW Engine
• Palo Alto Networks’ uniform signatures
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and other signatures
Multi-Core Security Processor
• High density processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
10 Gig Network Processor
• Front-end network processing offloads security processors
• Hardware accelerated QoS, route lookup, MAC lookup and NAT
Dedicated Control Plane
• Highly available mgmt
• High speed logging and route updates
[Block diagram: 10Gbps in/out; Data Plane = 10 Gig Network Processor (QoS, route/ARP/MAC lookup, NAT), Signature Match engine with RAM banks, Security Processor CPU 1–16 with SSL/IPSec/decompression acceleration; Control Plane = CPU 1–2, RAM, HDD]
PA-5000 Series
• A picture is worth a thousand words…
[Chassis photo: SFP+ ports, SFP ports, RJ45 ports, hot-swap fan tray, dual AC/DC hot-swap supplies, dual 2.5" SSD with RAID 1]
Note: Systems ship with a single 120GB SSD
PA-5000 Series Architecture
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform sig. match
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
Control Plane
• Quad-core mgmt
• High speed logging and route update
• Dual hard drives
[Block diagram: 20Gbps Network Processor (QoS, flow control, route/ARP/MAC lookup, NAT) feeding an 80Gbps Switch Fabric; Data Plane = three security processors (each CPU 1–12 with SSL/IPSec/decompression acceleration and RAM banks) and two Signature Match engines on 10Gbps links; Control Plane = Core 1–4, RAM, dual SSD]
Palo Alto Networks Next-Gen Firewalls
PA-4050
• 10 Gbps FW/5 Gbps threat prevention/2,000,000 sessions
• 8 SFP, 16 copper gigabit
PA-4020
• 2 Gbps FW/2 Gbps threat prevention/500,000 sessions
• 8 SFP, 16 copper gigabit
PA-4060
• 10 Gbps FW/5 Gbps threat prevention/2,000,000 sessions
• 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050
• 1 Gbps FW/500 Mbps threat prevention/250,000 sessions
• 4 SFP, 16 copper gigabit
PA-2020
• 500 Mbps FW/200 Mbps threat prevention/125,000 sessions
• 2 SFP, 12 copper gigabit
PA-500
• 250 Mbps FW/100 Mbps threat prevention/50,000 sessions
• 8 copper gigabit
PA-5050
• 10 Gbps FW/5 Gbps threat prevention/2,000,000 sessions
• 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020
• 5 Gbps FW/2 Gbps threat prevention/1,000,000 sessions
• 8 SFP, 12 copper gigabit
PA-5060
• 20 Gbps FW/10 Gbps threat prevention/4,000,000 sessions
• 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
Introducing the PA-5000 Series
• High performance Next Gen Firewall
• 3 Models, up to 20Gbps throughput, 10Gbps threat
Model           PA-4020   PA-4050   PA-4060   PA-5020   PA-5050   PA-5060
Threat Gbps     2         5         5         2         5         10
Firewall Gbps   2         10        10        5         10        20
Mpps            5         5         5         13        13        13
CPS             60K       60K       60K       120K      120K      120K
SSL/VPN Gbps    1         2         2         2         4         4
IPSec Tunnels   2K        4K        4K        2K        4K        8K
Sessions        500K      2M        2M        1M        2M        4M
Ethernet        16xRJ45   16xRJ45   4xXFP     12xRJ45   12xRJ45   12xRJ45
                8xSFP     8xSFP     4xSFP     8xSFP     8xSFP     8xSFP
                                                        4xSFP+    4xSFP+
Note: Performance testing and verification are under way…
Thank You
But why a Firewall?
- What we really deliver, compared to what is presently available from the competition
Gartner: What is an NGFW NOT? - 1
These are network-based security product spaces that are adjacent to NGFW but not equivalent:
Unified threat management (UTM) devices
• Target small/medium businesses (SMB).
• No application awareness functions, and are not generally integrated, single-engine products.
• Cost-saving approach; do not scale well in performance and have low-quality IPS engines
• Do not meet the needs of larger enterprises
Messaging security gateways
• Focus on latency-tolerant outbound content policy enforcement and inbound mail anti-spam and anti-malware enforcement.
• Do not implement wire-speed network security policy.
Gartner: What is an NGFW NOT? - 2
Network-based data loss prevention (DLP) appliances:
• Perform deep packet inspection of network traffic, but
• Focus on detecting if previously identified types of data are transiting through the inspection point
• Implement data security policy with no real-time requirement
• Non wire-speed network security policy
Secure Web gateways (SWGs)
• Focus on enforcing outbound user access control and inbound malware prevention during HTTP browsing over the Internet, through integrated URL filtering and through Web antivirus.
• Limited protocol support: HTTP, HTTPS, FTP
• Implement more user-centric Web security policy, not network security policy, on an “any source to any destination using any protocol” basis.
Seven Problems with a Traditional IPS
1. It cannot control applications – only “find it and kill it”
2. It cannot identify or control encrypted SSL or SSH traffic
3. It cannot identify or control compressed files or content
4. It cannot protect against threats in evasive applications
5. It cannot identify specific users that may be infected
6. It cannot integrate with existing firewall security policies
7. It cannot perform adequately with features fully enabled
[Cartoon caption: I HATE MY IPS]
The Business Needs Safe Enablement
• “Block” or “Allow” is not enough
• “Safe Enablement” to minimize risks and maximize rewards
• IT organizations require granular application control
- Block – e.g. – all P2P applications
- Allow - without restrictions
- Allow - but scan for threats
- Allow - but limit app users
- Allow - but limit app functions
- Allow - but shape (QoS)
• …and various combinations of the above
Safe Enablement: Example
[Diagram, horizontal axis: Network Control, Low to High]
Manage Use
• Stop rogue deployments
• Control by function
• Control by user
• Create safe security zone
Secure Data
• Protect against IIS vulnerabilities
• Block XSS and SQL attacks
• Scan for confidential data
• Scan for malware
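The deck contrasts the IPS's negative enforcement model with the firewall's positive model a few slides earlier, and the safe-enablement slides above enumerate the graded actions (block; allow; allow but scan, limit users, limit functions, or shape) that a positive model makes possible. The following added example (not PAN-OS configuration or code) evaluates both models in Python over constructed flows: a first-match rule base with those actions and a default deny, beside a signature-only check that allows anything it does not recognise. Rule names, group names, signature names and the sample flows are all constructed.

```python
"""Positive-model firewall policy with safe-enablement actions, beside the
negative-model IPS check, for the slides on enforcement models and safe
enablement. Added example, not PAN-OS code: rule fields, rule names, signature
names, user groups and the sample flows are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    app: str                      # application label (as App-ID would supply it)
    user: str                     # user name (as User-ID would supply it)
    groups: frozenset             # directory groups of that user
    function: str = ""            # sub-function in use, e.g. "attachment-upload"
    threat_sig: str = ""          # threat signature matched in the content, if any


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset               # {"any"} matches every application
    groups: frozenset             # {"any"} matches every user
    action: str                   # "block" or "allow"
    scan: bool = False            # allow, but scan for threats
    deny_functions: frozenset = frozenset()   # allow, but limit app functions
    qos_class: str = ""           # allow, but shape (QoS)


def matches(rule, flow):
    app_ok = "any" in rule.apps or flow.app in rule.apps
    grp_ok = "any" in rule.groups or bool(rule.groups & flow.groups)
    return app_ok and grp_ok


def firewall_decision(policy, flow):
    """Positive model: first matching rule wins; no match at all means deny."""
    for rule in policy:
        if not matches(rule, flow):
            continue
        if rule.action == "block":
            return ("deny", rule.name)
        if flow.function and flow.function in rule.deny_functions:
            return ("deny", f"{rule.name}:function:{flow.function}")
        if rule.scan and flow.threat_sig:
            return ("deny", f"{rule.name}:threat:{flow.threat_sig}")
        verdict = "allow" + (f"+qos:{rule.qos_class}" if rule.qos_class else "")
        return (verdict, rule.name)
    return ("deny", "default-deny")


IPS_SIGNATURES = frozenset({"exploit-example-1"})   # constructed signature name


def ips_decision(flow):
    """Negative model: everything passes unless a known signature fires."""
    return "deny" if flow.threat_sig in IPS_SIGNATURES else "allow"


# Constructed policy covering the safe-enablement options on the slide.
POLICY = [
    Rule("block-p2p", frozenset({"bittorrent", "edonkey"}), frozenset({"any"}), "block"),
    Rule("allow-web-scan", frozenset({"web-browsing"}), frozenset({"any"}), "allow", scan=True),
    Rule("gmail-marketing", frozenset({"gmail"}), frozenset({"marketing"}), "allow",
         deny_functions=frozenset({"attachment-upload"})),
    Rule("talk-shaped", frozenset({"google-talk"}), frozenset({"any"}), "allow", qos_class="voice"),
]

SAMPLE_FLOWS = {   # constructed
    "p2p": Flow("bittorrent", "alice", frozenset({"engineering"})),
    "web-exploit": Flow("web-browsing", "bob", frozenset({"sales"}), threat_sig="exploit-example-1"),
    "web-clean": Flow("web-browsing", "bob", frozenset({"sales"})),
    "gmail-upload": Flow("gmail", "carol", frozenset({"marketing"}), function="attachment-upload"),
    "gmail-read": Flow("gmail", "carol", frozenset({"marketing"}), function="read"),
    "gmail-eng": Flow("gmail", "alice", frozenset({"engineering"})),
    "talk": Flow("google-talk", "dave", frozenset({"support"})),
    "unknown": Flow("unknown-tcp", "eve", frozenset({"contractors"})),
}


def evaluate_all(flows=SAMPLE_FLOWS, policy=POLICY):
    """Side-by-side verdicts: IPS alone versus the firewall policy."""
    return {name: {"ips": ips_decision(f), "firewall": firewall_decision(policy, f)}
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, v in evaluate_all().items():
        print(f"{name:13} ips={v['ips']:5} firewall={v['firewall']}")
```

The two flows worth looking at are "p2p" and "unknown": the signature-only check lets both through because nothing it knows about fired, while the rule base denies the first by an explicit block and the second by falling off the end of the policy. The "gmail-eng" flow shows "limit app users" needs no extra machinery in a positive model: a rule scoped to one group simply does not match anyone else, so the default deny applies.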
NEW in PAN-OS 4.0: Behavior-based BotNet Detection
• What if you suspect a BotNet is running – but the signature does not yet exist?
• Unusual applications, suspicious traffic, new domains, etc.
• New BotNet detection report
• Correlate data from Traffic, Threat, URL logs to identify potentially BotNet-infected hosts
• Generate report containing list of infected hosts, description (why we believe host is infected) and a Confidence level
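How such a correlation report can be produced, as an added example in Python that is not the PAN-OS report implementation: constructed traffic, threat and URL log lines in a simple key=value format are parsed, indicators (unknown applications, IRC, a malware signature, uncategorised and dynamic-DNS domains) are collected per source host, and hosts whose summed indicator weight reaches a threshold are listed with the reasons and a confidence level. The log format, indicator list, weights, thresholds and addresses are assumptions made for the example.

```python
"""Behaviour-based bot detection by correlating traffic, threat and URL logs
into a per-host report with a confidence level, as the slide describes.
Added example, not the PAN-OS report: the log format, indicator list, weights,
thresholds and addresses are all constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample logs in a simple key=value format (not the PAN-OS format).
TRAFFIC_LOG = """\
2011-03-01T09:00:01 src=10.1.1.5 app=unknown-tcp dst=198.51.100.7 dport=6667
2011-03-01T09:00:03 src=10.1.1.5 app=irc dst=198.51.100.7 dport=6667
2011-03-01T09:00:05 src=10.1.1.9 app=web-browsing dst=203.0.113.20 dport=80
2011-03-01T09:01:00 src=10.1.1.5 app=unknown-udp dst=198.51.100.8 dport=5555
"""
THREAT_LOG = """\
2011-03-01T09:00:02 src=10.1.1.5 sig=malware-callback-generic sev=high
2011-03-01T09:00:06 src=10.1.1.9 sig=scan-port-sweep sev=low
"""
URL_LOG = """\
2011-03-01T09:00:10 src=10.1.1.5 url=http://new-domain.example/ cat=unknown
2011-03-01T09:00:12 src=10.1.1.9 url=http://www.example.com/ cat=business
2011-03-01T09:00:20 src=10.1.1.9 url=http://host.dyn.example/ cat=dynamic-dns
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """One dict of key=value fields per non-empty log line."""
    return [dict(KV.findall(line)) for line in log.splitlines() if line.strip()]


# Indicator -> (human-readable reason, weight). The weights are an assumption.
INDICATORS = {
    "unknown-app": ("used unknown TCP/UDP application", 2),
    "irc": ("used IRC, a common command-and-control channel", 2),
    "malware-sig": ("matched a malware callback signature", 4),
    "unknown-url": ("visited an uncategorised (new) domain", 1),
    "dyn-dns": ("visited a dynamic-DNS domain", 2),
}


def correlate(traffic, threat, url):
    """Collect the set of indicators observed for each source host across all three logs."""
    evidence = defaultdict(set)
    for r in parse(traffic):
        if r["app"].startswith("unknown-"):
            evidence[r["src"]].add("unknown-app")
        if r["app"] == "irc":
            evidence[r["src"]].add("irc")
    for r in parse(threat):
        if r["sig"].startswith("malware-"):
            evidence[r["src"]].add("malware-sig")
    for r in parse(url):
        if r["cat"] == "unknown":
            evidence[r["src"]].add("unknown-url")
        elif r["cat"] == "dynamic-dns":
            evidence[r["src"]].add("dyn-dns")
    return evidence


def confidence(score):
    """Bucket a summed indicator weight into the report's confidence level (thresholds assumed)."""
    return "high" if score >= 6 else "medium" if score >= 4 else "low"


def botnet_report(traffic=TRAFFIC_LOG, threat=THREAT_LOG, url=URL_LOG, threshold=3):
    """Hosts whose summed indicator weight reaches the threshold, highest score first."""
    report = []
    for host, inds in correlate(traffic, threat, url).items():
        score = sum(INDICATORS[i][1] for i in inds)
        if score < threshold:
            continue
        report.append({"host": host, "score": score, "confidence": confidence(score),
                       "reasons": sorted(INDICATORS[i][0] for i in inds)})
    return sorted(report, key=lambda e: -e["score"])


if __name__ == "__main__":
    for entry in botnet_report():
        print(f"{entry['host']}  confidence={entry['confidence']} (score {entry['score']})")
        for reason in entry["reasons"]:
            print(f"    - {reason}")
```

Each indicator counts once per host no matter how often it recurs, so a chatty host does not outscore a quiet one on volume alone; the host with a dynamic-DNS visit and nothing else stays below the default threshold, which is the usual trade-off between catching early-stage infections and flooding the report with single-indicator noise.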
NEW in PAN-OS 4.0: More Threat Management
• PDF file scanning
- Blocks viruses in PDF files downloaded by users
• “Drive by” .exe file blocking
- Blocks attempts to download .exe files when users visit untrusted sites
• SSH Tunneling Control
- Decrypts SSH to ensure it is used only for secure remote terminal sessions – not for circumventing security
• Customizable App-ID
- Up to 6,000 App-IDs for internally developed applications.

Why choose pan
