Next Generation Firewalls
SC GMIS
Bernard Cobb
Consulting Engineer, DNS
Some of Our Partnerships…
Agenda
• What is a Next Generation Firewall
• What are the differences between traditional and NextGen firewalls
• Cover the added features in the NextGen Firewall solution
• Review the advantages for the business from the perspective of understanding what applications are running on the network and what users are doing while consuming bandwidth.
• Key Business Problems Solved by a NextGen Firewall
Next Generation Firewall
• Unified Threat Management, Application Identification, Application Awareness, User Identity, SSL Decryption, URL Filtering, Traffic Priority, Advanced Persistent Threats, Kill Chain, Threat Prevention, Anti-virus, Anti-malware, Vulnerability Protection, IPS, Data Loss Prevention, etc…
NextGen Firewall?
• Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall. An NGFW should not be confused with a stand-alone network intrusion prevention system (IPS), which includes a commodity or nonenterprise firewall, or a firewall and IPS in the same appliance that are not closely integrated. --Gartner
“What’s that one?” –Mini-B
Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.
• 5-tuple Firewall
• Application Visibility & Control
• Integrated IPS
• Adding Context (AD integration)
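The contrast between a 5-tuple firewall and application visibility listed above, as an added example (not from the original presentation or any vendor's code): the same TCP/443 flow passes a port rule whatever it carries, while a simplified payload classifier separates TLS from SSH or an unknown protocol on that port. The rules, addresses, application labels and sample payloads are constructed; production application identification uses far richer signatures and protocol decoders.

```python
import ipaddress

# Constructed 5-tuple rules: (protocol, source net, destination net, dest port, action).
RULES = [
    ("tcp", "10.0.0.0/8", "0.0.0.0/0", 443, "allow"),
    ("tcp", "10.0.0.0/8", "0.0.0.0/0", 80, "allow"),
]
# Hypothetical application policy layered on top: anything not listed is denied.
APP_POLICY = {"tls": "allow", "http": "allow"}
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT")

def five_tuple_verdict(proto, src, dst, dport):
    """Traditional firewall: header fields only, first match wins, default deny."""
    for r_proto, r_src, r_dst, r_dport, action in RULES:
        if (proto == r_proto and dport == r_dport
                and ipaddress.ip_address(src) in ipaddress.ip_network(r_src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r_dst)):
            return action
    return "deny"

def identify_app(payload: bytes) -> str:
    """Toy application identification from the first client bytes of a flow."""
    if payload.startswith(b"SSH-"):  # SSH identification banner
        return "ssh"
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    request_line = payload.split(b"\r\n", 1)[0]
    if request_line.split(b" ", 1)[0] in HTTP_METHODS and b" HTTP/1." in request_line:
        return "http"
    return "unknown"

def ngfw_verdict(proto, src, dst, dport, payload):
    """The port rule must pass AND the identified application must be permitted."""
    if five_tuple_verdict(proto, src, dst, dport) != "allow":
        return "deny"
    return APP_POLICY.get(identify_app(payload), "deny")

# Constructed first payloads, all sent from 10.1.2.3 to 203.0.113.10 on TCP/443.
SAMPLES = {
    "tls": bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B]),
    "ssh": b"SSH-2.0-OpenSSH_9.6\r\n",
    "unknown": b"\x00\x01\x02custom-tunnel",
}

if __name__ == "__main__":
    flow = ("tcp", "10.1.2.3", "203.0.113.10", 443)
    for name, data in SAMPLES.items():
        print(name, five_tuple_verdict(*flow), ngfw_verdict(*flow, data))
```
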
The Differences of a NGFW
• Visibility
• Reporting
• Control
• Optimize the network as a business tool
Enterprise-wide NextGen Firewall Topology
Perimeter
• App visibility and control in the firewall
• All apps, all ports, all the time
• Prevent threats
• Known threats
• Unknown/targeted malware
• Simplify security infrastructure
Data Center
• Network segmentation
• Based on application and user, not port/IP
• Simple, flexible network security
• Integration into all DC designs
• Highly available, high performance
• Prevent threats
• Virtual Environments
Distributed Enterprise
• Consistent network security everywhere
• HQ/branch offices/remote and mobile users
• Logical perimeter
• Policy follows applications and users, not physical location
• Centrally managed
8 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Applications Have Changed, Firewalls Haven’t
Network security policy is enforced at the firewall
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work any more
Encrypted Applications: Unseen by Firewalls
What happens when traffic is encrypted?
• SSL
• Proprietary encryption
Applications: Threat Vector and a Target
Threats target applications
• Used as a delivery mechanism
• Application specific exploits
Applications: Payload Delivery/Command & Control
Applications provide exfiltration
• Confidential data
• Threat communication
Enabling Applications, Users and Content
Another view of an NGFW—but not perfect
• IPS, DLP, IM, AV, URL, Proxy
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Single place for decision making, logging, etc…
Diagram labels: Enterprise Network; SSL, DLP, IPS, Proxy, URL, AV; NGFW; Internet
NGFW Security Platform
Address Three Key Business Problems
• Safely Enable Applications
  • Identify applications, regardless of port, protocol, encryption, or evasive tactic
  • Fine-grained control over applications/application functions (allow, deny, limit, scan, shape)
  • Addresses the key deficiencies of legacy firewall infrastructure
  • Systematic management of unknown applications
• Prevent Threats
  • Stop a variety of known threats – exploits (by vulnerability), viruses, spyware
  • Detect and stop unknown threats
  • Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
  • Enforce acceptable use policies on users for general web site browsing
• Simplify Security Infrastructure
  • Reduce complexity in architecture and operations
  • Predictable performance
  • Holistic Security View down to endpoint level protection
Thank You
• Questions?