notes to presenter slides 3-6 are very different than what you may have seen before. review the...
TRANSCRIPT
Palo Alto Networks Technology Update
context |ˈkänˌtekst| noun: the circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood and assessed
3 | ©2014 Palo Alto Networks. Confidential and Proprietary.
context
intelligence
action
344 KB
URL category: file-sharing
file type: pdf
file name: roadmap.pdf
user: bjacobs
group: prodmgmt
destination country: canada
source IP: 172.16.1.10
destination IP: 64.81.2.23
destination port: tcp/443
protocol: SSL
protocol: HTTP
application: slideshare
application function: slideshare-uploading
URL category: unknown
file type: exe
file name: shipment.exe
user: fthomas
group: finance
destination country: china
protocol: SSL
protocol: HTTP
application: web-browsing
source IP: 172.16.1.10
destination IP: 64.81.2.23
destination port: tcp/443
Secondary Payload
Spread Laterally
Custom C2 & Hacking
Data Stolen
Exploit Kit Contact New Domain
ZeroAccess Delivered
C2 Established
Hides within SSL
New domain, no reputation
Payload evades AV
C2 hides using non-standard ports
No signature for custom malware
Hides in plain sight
Payload evades C2 signatures
Exfiltration via RDP & FTP
Context: A Unique Approach to Protecting your Network
Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics
Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
Detects zero day malware & exploits using public/private cloud and automatically creates signatures for global customer base
Traditional Bolt-on Approach
[Diagram: four separate stacks spanning layers L2 to L7, each with its own port/protocol handling and its own networking, policy, management and reporting]
Firewall: Source/Dest, User; Port/Protocol; Networking, policy, management, reporting
App Control: Application Signatures; Port/Protocol; Networking, policy, management, reporting
IPS: IPS Signatures, IPS Decoder; Port/Protocol; Networking, policy, management, reporting
Antivirus/: AV Signatures, Decoder & Proxy; Port/Protocol; Networking, policy, management, reporting
PA-7050
network connection: 100 gbps
datacenter app: oracle
credit card data
security zone
group: finance
Security Performance Drivers
Increasing sophistication of application-level attacks and an insatiable appetite for more bandwidth drive the need for scalable, high-performance security
Internet Gateway
• Secure all users on all devices
• Requires 10+ Gbps
Data Center
• Secure all apps, control access for all users & devices
• Requires 20+ Gbps
Network Segmentation
• Contain and protect internal resources
• Requires 20-40+ Gbps
PA-7050: The Fastest Next-generation Firewall
Safely enable all applications; full next-generation firewall capabilities
Ground-breaking application layer performance
Simple yet flexible chassis architecture
Our Unique Approach Applied Across the Network
All Applications, All Attack Vectors, All Threats
Segmentation
• Isolate critical data, business functions
• Enable applications based on users
• Block known/unknown threats
Gateway
• Visibility into all traffic
• Enable apps to reduce exposure
• Block known/unknown threats
Datacenter
• Validate business applications & users
• Find rogue/misconfigured apps
• High speed threat prevention
Scalable, Purpose-built Architecture
PA-7050: Performance and Capacities Summary
Metric                         PA-7050 System   PA-7000 NPC
Firewall Gbps (App-ID)         120              20
Threat Gbps (DSRI)             100              16+
Threat Gbps (Full)             60               10
Firewall PPS (Millions)        72               12
IPSec VPN Gbps                 24               4
New sessions per second        720,000          120,000
Max sessions (Millions)        24               4
Virtual systems (base/max2)    25/225           --
• PA-7050 requires PAN-OS 6.0
• All PAN-OS features are supported except Netflow
• DSRI and full threat metrics will be published
NGFW Throughput vs. Advertised Max
[Bar chart: NGFW rate as a percentage of advertised max]
Fortinet: 13%
Juniper: 15%
Check Point: 18%
Palo Alto Networks: 83%
Source: Performance metrics are from public facing datasheets for fully loaded Palo Alto Networks PA-7050, Check Point 61000, Juniper SRX 5800 and Fortinet 5140B
NGFW Security Performance Relative to Max
Simple & Flexible Chassis Architecture
Scalable
• Linear performance and interface density with each added card
• High speed backplane supports future network processing cards
Flexible
• Flexible and dynamic load distribution across multiple network processing modules allows seamless scalability
Simple
• Single system view for administration – all PAN-OS features supported
• System-wide subscriptions and support provide predictable cost model
Virtualization
operating system: windows
container: sharepoint
VM instance: UUID
data center: production
Transforming network security for the data center
Challenges                          Solution
FW doesn’t see the traffic          Automated, transparent services insertion at workload
Incomplete security capabilities    Virtualized next-generation security supporting PAN-OS™
Static policies                     Dynamic security policies with VM context
VM-Series and VMware NSX Integration
VMware vCenter or ESXi
Dynamic address groups and VM monitoring
Name          IP          Guest OS       Container
web-sjc-01    10.1.1.2    Ubuntu 12.04   Web
sp-sjc-04     10.1.5.4    Win 2008 R2    SharePoint
web-sjc-02    10.1.1.3    Ubuntu 12.04   Web
exch-mia-03   10.4.2.2    Win 2008 R2    Exchange
exch-dfw-03   10.4.2.3    Win 2008 R2    Exchange
sp-mia-07     10.1.5.8    Win 2008 R2    SharePoint
db-mia-01     10.5.1.5    Ubuntu 12.04   MySQL
db-dfw-02     10.5.1.2    Ubuntu 12.04   MySQL

PAN-OS Dynamic Address Groups
Name                         Tags                             Addresses
SharePoint Servers           SharePoint, Win 2008 R2, “sp”    10.1.5.4, 10.1.5.8
MySQL Servers                MySQL, Ubuntu 12.04, “db”        10.5.1.5, 10.5.1.2
Miami DC                     “mia”                            10.4.2.2, 10.1.5.8, 10.5.1.5
San Jose Linux Web Servers   “sjc”, “web”, Ubuntu 12.04       10.1.1.2, 10.1.1.3

PAN-OS Security Policy
Source                       Destination          Action
San Jose Linux Web Servers   SharePoint Servers   ✔
MySQL Servers                Miami DC

Name          IP          Guest OS       Container
db-mia-05     10.5.1.9    Ubuntu 12.04   MySQL
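The group resolution shown on this slide, as an added example that is not part of the original deck or Palo Alto Networks code. It assumes a VM's tags are its name tokens, guest OS and container, and that a group matches a VM carrying all of the group's tags (which reproduces the addresses listed on the slide); the function names are hypothetical.

```python
# Added example (not from the slides): dynamic address group resolution.
# Assumptions: a VM's tags are its name tokens, guest OS and container, and a
# group matches a VM carrying ALL of the group's tags. Names are hypothetical.

# VM inventory as listed on the slide: (name, IP, guest OS, container).
INVENTORY = [
    ("web-sjc-01", "10.1.1.2", "Ubuntu 12.04", "Web"),
    ("sp-sjc-04", "10.1.5.4", "Win 2008 R2", "SharePoint"),
    ("web-sjc-02", "10.1.1.3", "Ubuntu 12.04", "Web"),
    ("exch-mia-03", "10.4.2.2", "Win 2008 R2", "Exchange"),
    ("exch-dfw-03", "10.4.2.3", "Win 2008 R2", "Exchange"),
    ("sp-mia-07", "10.1.5.8", "Win 2008 R2", "SharePoint"),
    ("db-mia-01", "10.5.1.5", "Ubuntu 12.04", "MySQL"),
    ("db-dfw-02", "10.5.1.2", "Ubuntu 12.04", "MySQL"),
]
NEW_VM = ("db-mia-05", "10.5.1.9", "Ubuntu 12.04", "MySQL")

# Group definitions as listed on the slide: group name -> required tags.
GROUPS = {
    "SharePoint Servers": {"SharePoint", "Win 2008 R2", "sp"},
    "MySQL Servers": {"MySQL", "Ubuntu 12.04", "db"},
    "Miami DC": {"mia"},
    "San Jose Linux Web Servers": {"sjc", "web", "Ubuntu 12.04"},
}
# The one rule whose action is shown on the slide: (source, destination).
ALLOW_RULES = [("San Jose Linux Web Servers", "SharePoint Servers")]

def vm_tags(name, guest_os, container):
    """Tags a monitored VM carries (assumed derivation)."""
    return set(name.split("-")) | {guest_os, container}

def resolve(groups, inventory):
    """Map each group to the IPs of VMs that carry every required tag."""
    members = {group: [] for group in groups}
    for name, ip, guest_os, container in inventory:
        tags = vm_tags(name, guest_os, container)
        for group, required in groups.items():
            if required <= tags:
                members[group].append(ip)
    return members

def allowed(members, src_ip, dst_ip, rules=ALLOW_RULES):
    """Default deny: permit only if a rule's groups contain both addresses."""
    return any(src_ip in members[s] and dst_ip in members[d] for s, d in rules)

if __name__ == "__main__":
    before = resolve(GROUPS, INVENTORY)
    after = resolve(GROUPS, INVENTORY + [NEW_VM])
    for group in GROUPS:
        print(group, before[group], "->", after[group])
```

The policy rules never change when db-mia-05 appears; only group membership does, so the right to set VM names and attributes belongs under the same change control as the firewall policy.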
Introducing VM-Series on Citrix NetScaler SDX
• VM-Series (running PAN-OS™) now supported on SDX 11500 and 17550 Series:
• Safely enable applications by apps, users, content
• Protect against known and unknown threats
• Address risk and compliance mandates
• Key use cases (details on next 2 slides):
• Integrated solution for XA/XD deployments
• Multi-tenant (business units, application owners, service provider) cloud deployments
Citrix NetScaler SDX
Consolidated Security and Availability for XenApp/XenDesktop
Validated, consolidated security and ADC for XenApp/XenDesktop
• Secure remote access and high availability
• Safe application enablement for XenApp/XenDesktop users
• Unique User-ID & Terminal-Services agent integration
• Segmentation of XenApp/XenDesktop infrastructure
Any User, Any Device, Anywhere
Internet applications
Citrix NetScaler SDX with VM-Series
On-premise applications
Citrix Receiver
XenApp/XenDesktop (VDI Environment)
Multi-tenant Security and ADC Services
Multi-tenant security and availability for enterprises and cloud data centers
• Dedicated instances of network services for different tenants
• Addresses independent security and load balancing needs
• Per application load balancing with dedicated firewalling
Firewall
ADC
Tenant 1 Tenant 2 Tenant 3
Citrix NetScaler with VM-Series
WildFire
registry changes
DNS lookups
visited URLs
C2 traffic
system file tampering
RAT download
global input
Basic WildFire | WildFire Subscription | WF-500
PAN-OS 5.0 PAN-OS 6.0 PAN-OS 5.0 PAN-OS 6.0
30 minute signatures ✓ ✓ Public Cloud
Integrated logging ✓ ✓ ✓ ✓
WF-500 support ✓ ✓ N/A
API access ✓ ✓ Public Cloud
Windows PE (DLL & EXE) ✓ ✓ ✓ ✓ ✓
PDF ✓ ✓
Office Documents ✓ ✓
Java ✓ ✓
Windows XP ✓ ✓ ✓ ✓ ✓
Windows 7 ✓ ✓ ✓ ✓ ✓
Android APK ✓
GlobalProtect
patched
encrypted storage
corporate device
OS version
jailbroken
passcode
malware installed
Headquarters
Branch Office
Home Office
Hotel
Airport
Enterprise-secured with full protection
Exposed to threats, risky apps, and data leakage
GlobalProtect Mobile Security Solution
Summary
New, high performance hardware platforms
Continued innovation in the battle against advanced cyber threats
More security automation in virtualized environments
Expanding further into mobile security
Q&A