Insight. The Avatars of the Network Perimeter
Gabriel Nicolaescu, CISO & Security Architect
Concept Electronics
Agora Technology Conferences: “Securitate”, Bucharest, 18 November 2009
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
  - Sees all traffic
  - Defines trust boundary
Need to Restore Visibility and Control in the Firewall
© 2009 Palo Alto Networks & Concept Electronics Proprietary and Confidential.
Application Control Efforts are Failing
• Palo Alto Networks’ Application Usage & Risk Report highlights the actual behavior of approximately 900,000 users across more than 60 organizations
  - Applications are built for accessibility and used for complex B2B collaboration
  - P2P and browser-based file sharing usage is rampant
  - More and more business use of convergent multi-media content delivery
  - Tools that enable users to circumvent security are common
  - Controls are failing – all had firewalls, many had IPS, proxies, & URL filtering
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of dynamic assignment of IP addresses
3. Fine-grained visibility and policy control over application access / functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit in-line deployment with no performance degradation
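Requirement 1 is the one that breaks the classic port-based firewall model. The following added example (not code from the presentation or from Palo Alto Networks; App-ID's actual signature set is proprietary) contrasts a port table with payload-based identification on constructed sample flows. The signature patterns are illustrative assumptions chosen to show the idea, and the sample flows are constructed: SSH hidden on 443, BitTorrent on port 80, HTTP CONNECT on 8080, and a genuine TLS session that a port rule and a payload rule agree on but whose inner application stays invisible without decryption.

```python
"""Port-based vs. payload-based application identification.

Added example, not code from the presentation or from Palo Alto Networks.
The signatures below are illustrative assumptions (App-ID's real signature
set is proprietary) and every sample flow is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    payload: bytes  # first client-to-server bytes of the session (constructed)


# Legacy port-based view: "port 80 is web, port 443 is SSL, ..."
PORT_TABLE = {80: "web-browsing", 443: "ssl", 22: "ssh", 25: "smtp"}

# Illustrative payload signatures, checked in order; first match wins.
SIGNATURES = [
    ("ssh", re.compile(rb"\ASSH-\d\.\d-")),
    ("bittorrent", re.compile(rb"\A\x13BitTorrent protocol")),
    ("tls", re.compile(rb"\A\x16\x03[\x00-\x03]")),  # TLS record header, handshake type
    ("smtp", re.compile(rb"\A(EHLO|HELO) ")),
    ("http", re.compile(rb"\A(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")),
]

# Port-based label -> payload applications that legitimately belong to it.
CONSISTENT = {"web-browsing": {"http"}, "ssl": {"tls"}, "ssh": {"ssh"}, "smtp": {"smtp"}}


def classify_by_port(flow: Flow) -> str:
    """What a port-based firewall would call this session."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """What the session actually is, judged by its first bytes."""
    for app, pattern in SIGNATURES:
        if pattern.match(flow.payload):
            return app
    return "unknown"


def audit(flows):
    """One record per flow; 'mismatch' marks sessions a port-based rule would
    mislabel (non-standard port, tunnelling, or P2P riding on port 80)."""
    records = []
    for f in flows:
        by_port = classify_by_port(f)
        by_payload = classify_by_payload(f)
        consistent = by_payload in CONSISTENT.get(by_port, set())
        records.append({"src": f.src, "port": f.dst_port, "by_port": by_port,
                        "by_payload": by_payload, "mismatch": not consistent})
    return records


SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.6", 443, b"SSH-2.0-OpenSSH_5.3\r\n"),                        # SSH hidden on 443
    Flow("10.0.0.7", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),          # P2P on port 80
    Flow("10.0.0.8", 8080, b"CONNECT proxy.example.net:443 HTTP/1.1\r\n\r\n"),  # HTTP on an odd port
    Flow("10.0.0.9", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),  # genuine TLS ClientHello start
]


if __name__ == "__main__":
    for r in audit(SAMPLE_FLOWS):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['src']:10} :{r['port']:<5} port={r['by_port']:13} payload={r['by_payload']:11} {flag}")
```

The last flow is the caveat behind "regardless of SSL": payload inspection can tell that a session is TLS, but not which application runs inside it. That is why the policy slide later lists "proxy decrypt and inspect SSL" as a separate response rather than something identification alone provides.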
Next-Generation Firewall Agenda
Palo Alto Networks Solution Overview
About Palo Alto Networks
• Founded in 2005 by security visionary Nir Zuk
• World class team with vast security experience, strong networking and technology expertise
• Builds innovative next generation firewalls that control more than 800 applications
• Named Gartner Cool Vendor in 2008
Palo Alto Networks Mature & Trusted Technology
Unique Technologies that Transform the Firewall
App-ID: Identify the application
User-ID: Identify the user
Content-ID: Scan the content
Enables Visibility Into Applications, Users, and Content
Core PAN-OS Platform Features
• Strong networking foundation
  - Dynamic routing
  - Site-to-site IPSec VPN
  - SSL VPN for remote access
  - Tap mode – connect to SPAN port
  - Virtual wire (“Layer 1”) for true transparent in-line deployment
  - L2 / L3 switching foundation
• QoS traffic shaping
  - Maximum / guaranteed and priority
  - By user, application, interface, zone, and more
Visibility and control of applications, users and content are complemented by core firewall features
Platforms: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Core PAN-OS Platform Features
• Zone-based architecture
  - All interfaces assigned to security zones for policy enforcement
• High Availability
  - Configuration and session synchronization
  - Path, link, and HA monitoring
• Virtual Systems
  - Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
Flexible Deployment Options
• Many work modes – Tap Mode, Virtual Wire, Layer 2, Layer 3 with dynamic routing protocols.
• Work mode adjusted to the requirements – the network interfaces of a single device can each run in any of the supported modes.
• Security virtualization – VLAN interfaces in L2 and L3, virtual routers and virtual systems.
Flexible Deployment Options (Examples)
Visibility
• Application, user and content visibility without inline deployment
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Flexible Policy Control Responses
• Intuitive policy editor enables appropriate usage policies with flexible policy responses
  - Allow or deny individual application usage
  - Control applications by category, subcategory, technology or characteristic
  - Proxy decrypt and inspect SSL
  - Allow or block certain application functions
  - Allow based on schedule policy
  - Allow but apply IPS, scan for viruses, spyware
  - Apply explicit traffic shaping (guaranteed, priority, maximum)
  - Allow for certain users or groups within AD
  - Control excessive web surfing
  - Look for and alert or block file or data transfer
• Consistent and secure local (on device) and remote management interface; CLI, secure web-based and remote native application
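The policy responses above (allow or deny by application, allow only for certain AD groups, allow on a schedule, allow but scan, decrypt and inspect SSL) only make sense once the firewall matches on zone, application and user rather than on port and IP. The following added example (not code from the presentation or from Palo Alto Networks, and not a real PAN-OS rulebase) shows first-match evaluation of such a rulebase against constructed sessions. The rule schema, the IP-to-user mapping that stands in for User-ID, the group membership and every rule and session are constructed assumptions.

```python
"""Application-, user- and schedule-aware policy evaluation on a zone-based firewall.

Added example, not code from the presentation or from Palo Alto Networks.
The rule schema, the IP-to-user mapping, the group membership and every
rule and session below are constructed assumptions; they illustrate
first-match evaluation with an implicit deny, not a real PAN-OS rulebase.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    app: str                # application as identified from payload, not from port
    when: datetime


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str          # "any" is a wildcard
    to_zone: str
    apps: frozenset         # {"any"} is a wildcard
    groups: frozenset       # AD groups; {"any"} is a wildcard
    action: str             # "allow", "deny", "allow+threat-scan", "decrypt+inspect"
    hours: tuple = (0, 24)  # [start, end) hour window in which the rule applies


# Constructed User-ID style mapping: policy speaks of users and groups,
# while the session only carries a (possibly dynamically assigned) IP.
IP_TO_USER = {"10.1.0.15": "alice", "10.1.0.22": "bob"}
USER_GROUPS = {"alice": {"staff", "engineering"}, "bob": {"staff"}}

ANY = frozenset({"any"})

# Ordered rulebase: first match wins, so the P2P block sits before any
# broader allow that could otherwise swallow it.
RULES = (
    Rule("block-p2p", "any", "any", frozenset({"bittorrent"}), ANY, "deny"),
    Rule("eng-ssh-to-dmz", "trust", "dmz", frozenset({"ssh"}), frozenset({"engineering"}), "allow"),
    Rule("staff-web", "trust", "untrust", frozenset({"http"}), frozenset({"staff"}), "allow+threat-scan", (8, 20)),
    Rule("staff-tls", "trust", "untrust", frozenset({"tls"}), frozenset({"staff"}), "decrypt+inspect"),
)
IMPLICIT_DENY = ("implicit-deny", "deny")


def resolve_groups(ip: str) -> set:
    """Groups of the user currently mapped to this IP; empty if the IP is unmapped."""
    return set(USER_GROUPS.get(IP_TO_USER.get(ip), set()))


def matches(rule: Rule, s: Session, groups: set) -> bool:
    zone_ok = rule.from_zone in ("any", s.src_zone) and rule.to_zone in ("any", s.dst_zone)
    app_ok = rule.apps == ANY or s.app in rule.apps
    group_ok = rule.groups == ANY or bool(groups & rule.groups)
    start, end = rule.hours
    time_ok = start <= s.when.hour < end
    return zone_ok and app_ok and group_ok and time_ok


def evaluate(s: Session, rules=RULES):
    """Return (rule name, action) of the first matching rule, else the implicit deny."""
    groups = resolve_groups(s.src_ip)
    for rule in rules:
        if matches(rule, s, groups):
            return rule.name, rule.action
    return IMPLICIT_DENY


# Constructed sessions, all dated to the presentation day.
DAY, NIGHT = datetime(2009, 11, 18, 10, 0), datetime(2009, 11, 18, 22, 0)
SAMPLE_SESSIONS = (
    Session("trust", "dmz", "10.1.0.15", "ssh", DAY),             # alice: engineering
    Session("trust", "dmz", "10.1.0.22", "ssh", DAY),             # bob: staff only
    Session("trust", "untrust", "10.1.0.22", "http", DAY),        # bob browsing in hours
    Session("trust", "untrust", "10.1.0.22", "http", NIGHT),      # bob browsing out of hours
    Session("trust", "untrust", "10.1.0.15", "bittorrent", DAY),  # alice: P2P
    Session("trust", "untrust", "10.1.0.15", "tls", DAY),         # alice: TLS, to be decrypted
    Session("trust", "untrust", "10.1.0.99", "http", DAY),        # unmapped IP, no user
)


def evaluate_samples():
    return [evaluate(s) for s in SAMPLE_SESSIONS]


if __name__ == "__main__":
    for s, (rule, action) in zip(SAMPLE_SESSIONS, evaluate_samples()):
        print(f"{s.src_ip:10} {s.src_zone}->{s.dst_zone:8} {s.app:11} {rule:16} {action}")
```

Two details are deliberate. An unmapped IP resolves to no groups, so every user-scoped rule fails and the session falls through to the implicit deny: user identification has to work before user-based policy can. And "allow+threat-scan" and "decrypt+inspect" are actions in their own right, which is what separates "allow but apply IPS" and "proxy decrypt and inspect SSL" from a plain allow.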
Enterprise Device and Policy Management
• Intuitive and flexible management
  - Role-based administration enables delegation of tasks to the appropriate person
  - CLI, Web, Panorama, SNMP, Syslog
• Panorama central management application
  - Shared policies enable consistent application control policies
  - Consolidated management, logging, and monitoring of Palo Alto Networks devices
  - Consistent web interface between Panorama and device UI
  - Network-wide ACC/monitoring views, log collection, and reporting
• All interfaces work on the current configuration, avoiding sync issues