Domenico Stranieri
Pre-Sales Engineer | EMEA Italy & Malta
Rome, 7th July
Zero Trust Network Security for the Software Defined Data Center
The Digital Disruption Has Already Happened
© 2016, Palo Alto Networks
o Most popular media owner creates no content (Facebook)
o Fastest growing banks have no actual money (SocietyOne)
o Largest accommodation provider owns no real estates (Airbnb)
o Largest phone companies own no telco infra (Skype, WeChat)
o World’s most valuable retailer has no inventory (Alibaba)
o World’s largest movie house owns no cinemas (Netflix)
o Largest software vendors don’t write the apps (Apple & Google)
o World’s largest taxi company owns no taxis (Uber)
(Figure: SaaS; Social + Consumerization; Cloud + Virtualization; Mobility + BYOD: a massive opportunity for cyber criminals)
WHAT’S CHANGED? THE EVOLUTION OF BUSINESS
THIS IS WHAT REALLY CHANGED! THE EVOLUTION OF THE ATTACKER…
The majority of adversaries are just doing their job. They have bosses, families, bills to pay.
They want to get in, accomplish their task, and get out (undetected).
The goal isn’t making your life hard.
(Figure: 24/7 malware update support; $1.2B+ in sales in 18 months)
WHAT’S CHANGED?
EXPLORING ACTOR MOTIVATIONS… NOT MUTUALLY EXCLUSIVE
This is what CHANGED!
o Cyber Hacktivism
o Cyber Mischief
o Cyber Warfare
o Cyber Crime
o Cyber Espionage
o Cyber Terrorism
(Figure: Cyber warfare: 100+ nations; cybercrime: now a $1+ trillion industry)
THE CYBER ATTACK LIFECYCLE… YOU BETTER KNOW YOUR ENEMY
Are you CHANGING as well?
(Figure: Reconnaissance → Weaponization and Delivery → Exploitation → Installation → Command-and-Control → Actions on the Objective, grouped on the slide under Unauthorized Access and Unauthorized Use)
“There is no predictable path for the advanced adversary”
ATTACK TECHNIQUES / TOOLS… MUST INCREASE THE COST OF THE ATTACK
ADVANCED PERSISTENT THREATS
Myth
o Highly customized and unique tools are used for every attack.
o Customized protocols, with unique encryption types, are used for CnC.
o Malicious websites are used to distribute malware.
Reality
o Off-the-shelf tools are the most common method of attack.
o HTTP and/or SSL are most common for custom backdoors.
o Compromised legitimate websites are used as “trusted” distribution centers for malware.
BADs vs GOODs
WHY DO BREACHES STILL HAPPEN?
o Port-based Firewall
o Static IPS
o 0-Day Malware & Exploits
o ID Credentials Hijacking
Why “Blacklisting-only” fails…
Zero Trust Network
“Why a Next Generation Security Approach is Needed…”
Must improve your Security Posture…
What About Zero Trust Network?
The Zero Trust architecture approach, first proposed by Forrester Research (2009), is intended to address this by promoting "never trust, always verify" as its guiding principle.
With Zero Trust there is no default trust for any entity — including users, devices, applications, and packets — regardless of what it is and its location on or relative to the corporate network.
By establishing Zero Trust boundaries that effectively compartmentalize different segments of the network, you can protect critical intellectual property from unauthorized applications or users, reduce the exposure of vulnerable systems, and prevent the lateral movement of malware throughout your network.
The Zero Trust Model Of Information Security
Zero Trust Networks
Access control is on a “need-to-know” basis and is strictly enforced.
All resources are accessed in a secure manner regardless of location.
Verify and never trust.
Inspect and log all traffic.
The network is designed from the inside out.
Zero Trust Concepts
Zero Trust Network? Traditional Hierarchical Network
(Figure: Core / Distribution / Access / Edge layers)
To secure a multi-layer infrastructure is a hard job.
Zero Trust Network? Security is an Overlay
Adding more and more security functions at each layer is necessary to get a more granular control.
(Figure: Core / Distribution / Access / Edge layers, each with overlaid security functions: DAM, DB ENC, VPN, DLP, WAF, Email, WCF, IPS, FW, WLAN GW, NAC)
Zero Trust Network? Deconstructing the Network
Many security functions provided by different vendors are not really scalable / agile, not easy to manage, and do not provide a natively integrated security platform.
(Figure: Core / Distribution / Edge / Access layers with separate WAF, DAM, DB ENC, VPN, DLP, Email, WCF, IPS, FW, WLAN GW and NAC devices)
Zero Trust Network? Re-building the Secure Network
(Figure: separate IPS, Firewall, WAF, DAM, WLAN GW, DLP, WCF, NAC, DB ENC and VPN devices consolidated into one Integrated Security Platform: FW, IPS, CRYPTO, AM, CF, AC and VPN functions on a single Packet Forwarding Engine)
Natively Integrated Security Functions
Zero Trust Network? Re-building the Secure Network: Next Generation Firewall
o Very High Performance
o Multiple 10GE Interfaces
o Application Awareness
o Content Awareness
o User Awareness
o Known Threats Detection
o Unknown Threats Prevention
o URL-Filtering
o VPN / Access Management
o Security Events Logging
o Security Events Correlation
Zero Trust Network? Zero Trust Drives Future Network Design
MCAP – Micro Core And Perimeter
o MCAP resources have similar functionality and share global policy attributes.
o MCAPs are centrally managed to create a unified switching fabric.
(Figure: a Segmentation Gateway (FW + AC) under Centralized MGMT connecting the Users MCAP, WWW MCAP and APP MCAP)
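The Zero Trust concepts listed earlier (need-to-know access, verify and never trust, inspect and log all traffic) and the MCAP design on this slide can be made concrete with a small policy engine. The Python below is an added illustration written for this page, not Palo Alto Networks code and not a PAN-OS API: the MCAP names, applications, user groups, rules and flows are all constructed for the example. It treats each MCAP as a zone behind a segmentation gateway, allows only what a rule explicitly permits, and writes a log line for every decision, allowed or denied.

```python
"""Toy Zero Trust segmentation gateway (added illustration, not vendor code).

Models the slides' points: MCAPs (Micro Core And Perimeter segments) as
zones, a segmentation gateway that forwards between them with no default
trust, "need-to-know" rules keyed on application and user group, and a
log entry for every flow whether allowed or denied. All MCAP names,
rules and flows are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List


@dataclass(frozen=True)
class Flow:
    src_mcap: str
    dst_mcap: str
    app: str          # application as classified by the gateway, not a port
    user_group: str   # "none" for server-to-server traffic


@dataclass(frozen=True)
class Rule:
    name: str
    src_mcap: str
    dst_mcap: str
    apps: FrozenSet[str]
    user_groups: FrozenSet[str]
    action: str       # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (self.src_mcap in ("any", f.src_mcap)
                and self.dst_mcap in ("any", f.dst_mcap)
                and ("any" in self.apps or f.app in self.apps)
                and ("any" in self.user_groups or f.user_group in self.user_groups))


@dataclass
class SegmentationGateway:
    rules: List[Rule]
    log: List[str] = field(default_factory=list)

    def evaluate(self, f: Flow) -> str:
        """First matching rule wins; anything unmatched is denied."""
        for r in self.rules:
            if r.matches(f):
                self._log(f, r.action, r.name)
                return r.action
        self._log(f, "deny", "default-deny")   # no default trust between MCAPs
        return "deny"

    def _log(self, f: Flow, action: str, rule: str) -> None:
        # "inspect and log all traffic": denied flows are logged too
        self.log.append(f"{action.upper()} {f.src_mcap}->{f.dst_mcap} "
                        f"app={f.app} group={f.user_group} rule={rule}")


def build_gateway() -> SegmentationGateway:
    """Constructed rulebase for the three MCAPs drawn on the slide."""
    return SegmentationGateway(rules=[
        Rule("users-to-web", "Users", "WWW", frozenset({"web-browsing", "ssl"}),
             frozenset({"any"}), "allow"),
        Rule("web-to-app", "WWW", "APP", frozenset({"app-api"}),
             frozenset({"none"}), "allow"),
        # need-to-know: only the dba group may reach the database app directly
        Rule("dba-to-db", "Users", "APP", frozenset({"ms-sql"}),
             frozenset({"dba"}), "allow"),
    ])


if __name__ == "__main__":
    gw = build_gateway()
    for flow in [Flow("Users", "WWW", "web-browsing", "staff"),
                 Flow("Users", "APP", "ms-sql", "staff"),
                 Flow("Users", "APP", "ms-sql", "dba"),
                 Flow("WWW", "Users", "smb", "none")]:   # lateral movement attempt
        gw.evaluate(flow)
    print("\n".join(gw.log))
```

The rulebase never grants trust by zone alone: a web server in the WWW MCAP that is compromised still cannot open SMB back towards the Users MCAP or reach the database application in the APP MCAP, because only app-api from WWW to APP is permitted, and that denial is recorded.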
Zero Trust Network for the Software Defined IT
“Enhancing Security in the Digital Age...”
Must improve your Security Posture…
Evolution towards a software defined data center
(Figure: Server Virtualization → Software Defined Data Center)
A Software Defined Data Center is agile, flexible, elastic and simple
• Fast workload provisioning – reduce from weeks to hours
• Flexible workload placement
• Simplified data center operations & economics
Security is a critical component of the software defined data center
Security Challenges: Physical firewalls may not see the East-West traffic
o Firewall placement is designed around the expectation of layer 3 segmentation
o Network configuration changes required to secure East-West traffic flows are manual, time-consuming and complex
o The ability to transparently insert security into the traffic flow is needed
(Figure: MS-SQL, SharePoint and Web Front End workloads)
Security Challenges: Incomplete security features on existing virtual security solutions
In the Cloud, applications of different trust levels now run on a single server
o VM-VM traffic (East-West) needs to be inspected
o Port & Protocol-based security is not sufficient
o Virtualized Next-Generation Security is needed to:
  safely enable application traffic between VMs
  protect against cyber attacks
(Figure: MS-SQL, SharePoint and Web Front End workloads)
Security Challenges: Static Policies cannot keep pace with dynamic workload deployments
o Provisioning of applications can occur in minutes with frequent changes
o Security approvals and configurations may take weeks/months
o Dynamic Security Policies that understand VM context are needed
Next Generation Firewall Technologies: Visibility and Safe Enablement of All Traffic
Applications: Safe enablement in the data center begins with application classification
o Applications classified regardless of ports, protocols, evasive tactics, encryption
o Classify custom applications and unknowns in the data center
Users: Tying users and groups, regardless of location or devices, to applications
o Differentiate access based on user, device and endpoint profile
Content: Scanning content and protecting against all threats – both known and unknown
o Protect any type of traffic from targeted attacks
Next Generation Firewall Technologies: NGFW as a VM versus as a Service
VM-Series as a Guest VM
o Virtual Networking configured to pass traffic through the Firewall
o Requires vSwitch and Port Group Configuration
o Connects as L3, L2, V-wire, or Tap
VM-Series NGFW as a Service
o NGFW is an SDN Service
o Resides below the vSwitch and above the vNIC
o SDN steers traffic to and from the VM before Networking
Technology Partnership – VMware NSX Integration How it works (Complete Picture)
Technology Partnership – Citrix NetScaler SDX: Security and Availability for XenApp/XenDesktop
Validated, Consolidated Security and ADC for XenApp/XenDesktop
Secure Remote Access and High Availability
Safe application enablement for XenApp/XenDesktop users
• Unique User-ID & Terminal-Services agent integration
Segmentation of XenApp/XenDesktop infrastructure
(Figure: Any User / Any Device / Anywhere, via Citrix Receiver, through Citrix NetScaler SDX with PANW VM-Series to XenApp/XenDesktop (VDI Environment), on-premise applications and Internet applications)
Next Generation Firewall Technology Partnerships
Lifecycle Orchestration
• Provisioning and deployment
• Management and updating
• Decommissioning
Traffic flow and Policy Management
• Software Defined Networking and Network Virtualization
• Service insertion and chaining
• Policy definition and enforcement
Context Awareness and Sharing
• From the environment to Palo Alto Networks
• From Palo Alto Networks back to the environment
Zero Trust for the Software Defined Data Center
(Figure: Inter-host Segmentation by Physical Firewalls (HA) in front of Physical Servers; Intra-host Segmentation by Virtualized Firewalls on Virtualized Servers; Security, Network and Application layers linked to Orchestration Systems)
Physical security devices will continue to be deployed to secure and segment data centers.
VM-Series provides the ability to safely enable east-west communication.
Orchestration Integration through API, VM Monitoring and Dynamic Address Groups provide the key to tracking VM movement and automating workflows for deployments and network changes.
(Figure: Users / Corp Net / DMZ)
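As an added illustration (not Palo Alto Networks code, and not the VM Monitoring or Dynamic Address Groups API), the Python below models the mechanism the last two slides describe: VM monitoring reports each workload's IP and tags, address groups are defined by tags rather than by IP, and rules reference the groups, so policy follows a VM that is provisioned or moved without anyone editing a rule. The tag names, addresses, the all-tags-must-match group expression and the flows are constructed for the example.

```python
"""Dynamic address groups driven by VM context (added illustration, not vendor code).

The slides say static policies lag workloads that are provisioned in
minutes, and that VM monitoring with dynamic address groups lets security
follow VM moves. This toy models that: a VM-monitor feed reports each
VM's IP and tags, address groups are defined by tags rather than IPs,
and rules reference groups, so a new, moved or retired VM is covered
without editing a rule. Tag names, IPs and the all-tags-must-match
expression are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class VMInventory:
    """Current view from VM monitoring: IP address -> set of tags."""
    vms: Dict[str, Set[str]] = field(default_factory=dict)

    def vm_seen(self, ip: str, tags: Set[str]) -> None:
        """A VM was provisioned, re-tagged, or reported at a new IP."""
        self.vms[ip] = set(tags)

    def vm_gone(self, ip: str) -> None:
        """The VM at this IP was decommissioned or moved away."""
        self.vms.pop(ip, None)


@dataclass(frozen=True)
class DynamicAddressGroup:
    name: str
    required_tags: frozenset   # membership = VMs carrying every listed tag

    def members(self, inv: VMInventory) -> Set[str]:
        return {ip for ip, tags in inv.vms.items() if self.required_tags <= tags}


@dataclass(frozen=True)
class Rule:
    name: str
    src_group: str
    dst_group: str
    app: str      # application, not a port: ssh on the db port would still miss
    action: str


def decide(rules: List[Rule], groups: Dict[str, DynamicAddressGroup],
           inv: VMInventory, src_ip: str, dst_ip: str, app: str) -> str:
    """Resolve groups against the live inventory at decision time; default deny."""
    for r in rules:
        if (src_ip in groups[r.src_group].members(inv)
                and dst_ip in groups[r.dst_group].members(inv)
                and r.app == app):
            return r.action
    return "deny"


def build_policy():
    """Constructed policy: prod web tier may talk ms-sql to the prod db tier."""
    groups = {
        "prod-web": DynamicAddressGroup("prod-web", frozenset({"tier=web", "env=prod"})),
        "prod-db": DynamicAddressGroup("prod-db", frozenset({"tier=db", "env=prod"})),
    }
    rules = [Rule("web-to-db", "prod-web", "prod-db", "ms-sql", "allow")]
    return rules, groups


def run_scenario() -> Dict[str, str]:
    """Walk through provisioning, a VM move and a dev VM; return each decision."""
    rules, groups = build_policy()
    inv = VMInventory()
    inv.vm_seen("10.0.1.10", {"tier=web", "env=prod"})
    inv.vm_seen("10.0.2.20", {"tier=db", "env=prod"})
    out = {"initial": decide(rules, groups, inv, "10.0.1.10", "10.0.2.20", "ms-sql")}

    # a new web VM appears: covered by the tag-based group, no rule edit needed
    inv.vm_seen("10.0.1.11", {"tier=web", "env=prod"})
    out["new_vm"] = decide(rules, groups, inv, "10.0.1.11", "10.0.2.20", "ms-sql")

    # the web VM moves to another host/subnet: old IP drops out, new IP is in
    inv.vm_gone("10.0.1.10")
    inv.vm_seen("10.0.3.10", {"tier=web", "env=prod"})
    out["moved_vm"] = decide(rules, groups, inv, "10.0.3.10", "10.0.2.20", "ms-sql")
    out["stale_ip"] = decide(rules, groups, inv, "10.0.1.10", "10.0.2.20", "ms-sql")

    # a dev web VM must not reach the prod database, even though it is tier=web
    inv.vm_seen("10.0.1.50", {"tier=web", "env=dev"})
    out["dev_vm"] = decide(rules, groups, inv, "10.0.1.50", "10.0.2.20", "ms-sql")
    # right groups, wrong application
    out["wrong_app"] = decide(rules, groups, inv, "10.0.3.10", "10.0.2.20", "ssh")
    return out


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:>10}: {verdict}")
```

The point to notice is that the rule never mentions an IP address: membership is recomputed from the inventory at decision time, so an address that a VM vacated stops matching the moment the monitor reports it gone, and a workload whose tags do not satisfy the group (the dev VM) is denied regardless of which subnet it lands in.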
Palo Alto Networks Leadership
In our 36-criteria evaluation of automated malware analysis providers, we identified the 11 most significant ones — Blue Coat, Check Point, Cisco, Cyphort, Fidelis Cybersecurity, FireEye, Fortinet, Intel Security, Palo Alto Networks, Lastline, and Trend Micro — and researched, analyzed, and scored them.
Leaders
“…Palo Alto Networks’ strategy going forward is comprehensive, covering prevention as well as detection and response, and its development of AutoFocus to leverage threat intelligence looks promising…”
Palo Alto Networks Leadership
A GARTNER LEADER AGAIN. AGAIN.
Now a five-time Gartner Magic Quadrant Leader
Palo Alto Networks is assessed as a Leader mostly because of its NGFW focus and its record of delivering NGFW features ahead of competitors, and because of its consistent visibility in Gartner shortlists for advanced firewall use cases, frequently beating its competition on feature granularity and depth.
THANK YOU!
Domenico Stranieri Pre-Sales Engineer