
Posted on 10-Jun-2020


Next Generation Firewalls
SC GMIS

Bernard Cobb, Consulting Engineer, DNS

Some of Our Partnerships…

Agenda
• What is a Next Generation Firewall
• What are the differences between traditional and NextGen firewalls
• Cover the added features in the NextGen Firewall solution
• Review the advantages for the business from the perspective of understanding what applications are running on the network and what users are doing while consuming bandwidth
• Key Business Problems Solved by a NextGen Firewall

Next Generation Firewall
• Unified Threat Management, Application Identification, Application Awareness, User Identity, SSL Decryption, URL Filtering, Traffic Priority, Advanced Persistent Threats, Kill Chain, Threat Prevention, Anti-virus, Anti-malware, Vulnerability Protection, IPS, Data Loss Prevention, etc.

NextGen Firewall?
• Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall. An NGFW should not be confused with a stand-alone network intrusion prevention system (IPS), which includes a commodity or nonenterprise firewall, or a firewall and IPS in the same appliance that are not closely integrated. --Gartner

“What’s that one?” –Mini-B

• 5-tuple Firewall
• Application Visibility & Control
• Integrated IPS
• Adding Context (AD integration)

The Differences of a NGFW
• Visibility
• Reporting
• Control
• Optimize the network as a business tool
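The four components listed above (5-tuple firewall, application visibility and control, AD context) are easiest to see side by side. The following is an added example, not code from the slides or from Palo Alto Networks: a toy 5-tuple firewall next to a toy application- and user-aware rulebase. The application signatures are simplified stand-ins for an App-ID engine, USER_BY_IP stands in for an AD/User-ID lookup, and the sample flows are constructed so that the destination port and the real application disagree.

```python
"""Added example (not from the slides or Palo Alto Networks): a toy model of a
5-tuple firewall next to an application- and user-aware rulebase.

Everything here is constructed for illustration: the application signatures
are simplified stand-ins for an App-ID engine, USER_BY_IP stands in for an
AD/User-ID lookup, and the sample flows are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str      # "tcp" or "udp"
    payload: bytes  # first bytes the client sent on the connection


def legacy_policy(flow: Flow) -> str:
    """5-tuple firewall: decides on addresses, ports and protocol only.
    Constructed rule: outbound TCP/80 and TCP/443 allowed, all else denied."""
    if flow.proto == "tcp" and flow.dst_port in (80, 443):
        return "allow"
    return "deny"


def identify_app(payload: bytes) -> str:
    """Classify the application from what the client actually sent.
    The destination port is deliberately not consulted."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS handshake record (type 0x16, major version 3) carrying a ClientHello (0x01)
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03" and payload[5:6] == b"\x01":
        return "ssl"
    if payload[:20] == b"\x13BitTorrent protocol":
        return "bittorrent"
    request_line = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(request_line) == 3 and request_line[2].startswith(b"HTTP/"):
        return "web-browsing"
    return "unknown-tcp"


# Constructed stand-in for the AD/User-ID mapping the slides call "context".
USER_BY_IP = {"10.1.1.20": "alice", "10.1.1.21": "bob"}
GROUPS_BY_USER = {"alice": {"engineering"}, "bob": {"finance"}}

# Application/user rulebase, evaluated top-down, first match wins (constructed).
RULES = [
    {"name": "eng-ssh", "groups": {"engineering"}, "apps": {"ssh"}, "action": "allow"},
    {"name": "web", "groups": {"any"}, "apps": {"web-browsing", "ssl"}, "action": "allow"},
    {"name": "block-p2p", "groups": {"any"}, "apps": {"bittorrent"}, "action": "deny"},
]
DEFAULT_ACTION = "deny"


def ngfw_policy(flow: Flow) -> dict:
    """Application- and user-aware decision: app from payload, user from source IP."""
    app = identify_app(flow.payload)
    user = USER_BY_IP.get(flow.src_ip, "unknown")
    groups = GROUPS_BY_USER.get(user, set())
    for rule in RULES:
        if app in rule["apps"] and ("any" in rule["groups"] or groups & rule["groups"]):
            return {"rule": rule["name"], "app": app, "user": user, "action": rule["action"]}
    return {"rule": "default", "app": app, "user": user, "action": DEFAULT_ACTION}


# Constructed sample flows; the dst port is chosen to fool a port-based rule.
SAMPLE_FLOWS = {
    "alice-ssh-on-443": Flow("10.1.1.20", "203.0.113.9", 51000, 443, "tcp", b"SSH-2.0-OpenSSH_9.6\r\n"),
    "bob-ssh-on-443": Flow("10.1.1.21", "203.0.113.9", 51001, 443, "tcp", b"SSH-2.0-OpenSSH_9.6\r\n"),
    "bob-torrent-on-80": Flow("10.1.1.21", "198.51.100.7", 51002, 80, "tcp", b"\x13BitTorrent protocol" + bytes(8)),
    "alice-http-on-8080": Flow("10.1.1.20", "198.51.100.8", 51003, 8080, "tcp", b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
}


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Side-by-side verdicts; the columns differ exactly where port and application disagree."""
    return {name: (legacy_policy(f), ngfw_policy(f)["action"]) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (legacy, ngfw) in compare().items():
        print(f"{name:22} legacy={legacy:5} ngfw={ngfw}")
```

Two of the four flows flip verdict: SSH tunnelled over TCP/443 by a finance user is allowed by the port rule and denied by the rulebase, while a legitimate web application on TCP/8080 is denied by the port rule and allowed by the rulebase. Note that the user lookup is only as good as the IP-to-user mapping behind it; a stale mapping on a shared or DHCP address attributes traffic to the wrong person, which is the usual operational weakness of "context" from AD integration.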

Enterprise-wide NextGen Firewall Topology

Perimeter
• App visibility and control in the firewall
• All apps, all ports, all the time
• Prevent threats
  • Known threats
  • Unknown/targeted malware
• Simplify security infrastructure

Data Center
• Network segmentation
• Based on application and user, not port/IP
• Simple, flexible network security
• Integration into all DC designs
• Highly available, high performance
• Prevent threats
• Virtual Environments

Distributed Enterprise
• Consistent network security everywhere
• HQ/branch offices/remote and mobile users
• Logical perimeter
• Policy follows applications and users, not physical location
• Centrally managed

8 | ©2012, Palo Alto Networks. Confidential and Proprietary.

Applications Have Changed, Firewalls Haven’t


Network security policy is enforced at the firewall
• Sees all traffic
• Defines boundary
• Enables access

Traditional firewalls don’t work any more

Encrypted Applications: Unseen by Firewalls

What happens when traffic is encrypted?
• SSL
• Proprietary encryption


Applications: Threat Vector and a Target


Threats target applications
• Used as a delivery mechanism
• Application specific exploits

Applications: Payload Delivery/Command & Control

Applications provide exfiltration
• Confidential data
• Threat communication


Enabling Applications, Users and Content


Another view of an NGFW—but not perfect

Enterprise Network
• IPS, DLP, IM, AV, URL, Proxy
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Single place for decision making, logging, etc.

[Diagram: Enterprise Network to Internet through a chain of separate firewall “helpers” (SSL, DLP, IPS, Proxy, URL, AV), contrasted with a single NGFW in the same position]

NGFW Security Platform


Address Three Key Business Problems

• Safely Enable Applications
  • Identify applications, regardless of port, protocol, encryption, or evasive tactic
  • Fine-grained control over applications/application functions (allow, deny, limit, scan, shape)
  • Addresses the key deficiencies of legacy firewall infrastructure
  • Systematic management of unknown applications

• Prevent Threats
  • Stop a variety of known threats – exploits (by vulnerability), viruses, spyware
  • Detect and stop unknown threats
  • Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
  • Enforce acceptable use policies on users for general web site browsing

• Simplify Security Infrastructure
  • Reduce complexity in architecture and operations
  • Predictable performance
  • Holistic Security View down to endpoint level protection
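The "stop leaks of confidential data" bullet is the data-loss-prevention feature, and the part worth seeing is how a content check avoids flagging every long digit string. The following is an added example, not code from the slides or from any vendor: a regex finds credit-card and SSN candidates in text the firewall can read, a Luhn check validates card candidates and the SSA structural rules validate SSN candidates, and findings are logged masked so the DLP log does not itself become a leak. SAMPLE_TEXT is made up for the example; the file/type controls the slide also mentions are not covered here.

```python
"""Added example (not from the slides): the kind of content check an NGFW's
data-loss-prevention feature applies to traffic it can read. Regex finds
candidates; a Luhn check on card numbers and the SSA structural rules on SSNs
cut the false positives that a bare pattern would raise. SAMPLE_TEXT is made up."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def mask(digits: str) -> str:
    """Log only the last four digits; the finding itself must not leak the data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list:
    """Return (type, masked_value) findings in document order."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):               # a 16-digit order number fails here
            findings.append((m.start(), "credit-card", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):           # 000-xx-xxxx placeholders fail here
            findings.append((m.start(), "ssn", "***-**-" + m.group(3)))
    return [(kind, value) for _, kind, value in sorted(findings)]


# Constructed sample: one real-looking card, one Luhn-invalid number, one valid and one invalid SSN.
SAMPLE_TEXT = """Ticket 88213: customer paid with card 4111 1111 1111 1111, exp 09/27.
Order reference 1234 5678 9012 3456 is an internal number, not a card.
Employee SSN on file: 123-45-6789. The placeholder 000-12-3456 is not valid."""


if __name__ == "__main__":
    for kind, value in scan(SAMPLE_TEXT):
        print(f"{kind}: {value}")
```

On the sample this reports one card (the test number 4111 1111 1111 1111) and one SSN; the order reference and the 000- placeholder are rejected by the validators, not by the patterns. Two practical limits apply to any such check on a firewall: it only sees content the firewall can read, so it depends on SSL decryption for HTTPS, and it only sees content in a form it can parse, so data inside an archive or an unknown file type passes unless file-type controls catch it first.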


Thank You
• Questions?
