palo alto networks solution overview may 2010 denis pechnov sales, emea
Post on 19-Dec-2015
216 views
TRANSCRIPT
Palo Alto Networks Solution Overview
May 2010
Denis Pechnov
Sales, EMEA
About Palo Alto Networks
• Founded in 2005 by security visionaries and engineers from NetScreen, Juniper Networks, McAfee, Blue Coat, Cisco, …
• Build innovative Next Generation Firewalls that control more than 900 applications, users & data carried by them
• Backed by $65 Million in venture capital from leading Silicon Valley investors including Sequoia Capital, Greylock Partners, Globespan Capital Partners, …
• Global footprint with over 1000 customers, we are passionate about customer satisfaction and deliver 24/7 global support and have presence in 50+ countries
• Independent recognition from analysts like Gartner
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 2 |
Why is there a need for a NGFW?
The Social Enterprise 2.0
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 3 |
Enterprise 2.0 Applications Take Many Forms
5 Things You Need To Know About Enterprise 2.0
1. Driven by new generation of addicted Internet users – smarter than you?
2. Full, unrestricted access to everything on the Internet is a right
3. They’re creating a giant social system - collaboration, group knowledge
4. Not waiting around for IT support or endorsement – IT is irrelevant
5. Result - a Social Enterprise full of potential risks … and rewards
RewardsRisks
Internet Enterprise
Work Life
Home Life
What the 2010 User’s Expectation
How Will You Respond To This Challenge?
• How can you regain control of enterprise 2.0?
• What value do these applications provide to your business?
• What is your organization’s risk tolerance for these applications?
• How can you “safely enable” the right applications?
• Where do you start?
Start by Understanding What’s Really Happening
• Application Usage and Risk Report- Findings
347 large enterprises worldwide
750+ different Internet applications
Employees have created Enterprise 2.0
- Rewards Enterprises are embracing social networking apps
Proven to deliver measurable value to business
- Risks Incoming threats are increasing
Potential for data leakage is increasing
Existing security infrastructure ineffective
• Page 8 |
What’s the Problem?
• The Application Usage & Risk Report from Palo Alto Networks highlights actual behavior of millions of users across hunderds of organizations:
- Applications are designed for accessibility. More than half (57%) of the 700+ applications found can bypass security infrastructure – hopping from port to port, using
port 80 or port 443.
- Applications that enable users to circumvent security controls are common. Proxies Bypass Tools that are typically not endorsed by corporate IT (CGIProxy, PHProxy, Hopster) and remote desktop
access applications (LogMeIn!, RDP, PCAnywhere) were found 81% and 95% of time, respectively. Encrypted tunnel applications such as SSH, TOR, GPass, and Gbridge were also found.
- File sharing usage is rampant. P2P was found 92% of the time, with BitTorrent and Gnutella as the most common of 21 variants found. Browser-based
file sharing was found 76% of the time with YouSendit! and MediaFire among the most common of the 22 variants.
• Enterprises are spending heavily to protect their networks – yet they cannot control the applications on the network. - Collectively, enterprises spend more than $6 billion annually on firewall, IPS, proxy and URL filtering products. The
analysis showed that 100% of the organizations had firewalls and 87% also had one or more of these firewall helpers (a proxy, an IPS, URL filtering) – yet they were unable to exercise control over the application traffic traversing the network.
• Business Risks: Productivity, Compliance, Operational Cost, Business Continuity and Data Loss
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 10 |
Enterprise End Users Do What They Want!
Seeing is Believing
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 11 |
• Request a free 30-day evaluation
• Request a free Application Visibility and Risk report
• Take back control of your social enterprise
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 12 |
The Cause:Applications Have Changed – Firewalls nor Firewall Helpers Have
Need to Restore Visibility and Control in the Firewall
• Firewalls should see and control applications, users, and threats . . .
• . . . but they only show you ports, protocols, and IP
addresses –all meaningless!
Internet
Sprawl Is Not The Answer
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 13 |
• Putting all of this in the same box is just slow
SO WHAT IS THE SOLUTION?
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 14 |
Gartner, Forrester, …
• Forrester- If you do not have IPS you deserve to be hacked.
• Gartner- John Pescatore and Grey Young publish a note on October 12th 2009.
- Key Findings The stateful protocol filtering and limited application awareness offered by first
generation firewalls are not effective in dealing with current and emerging threats. Next-generation firewalls (NGFWs) are emerging that can detect application-
specific attacks and enforce application-specific granular security policy, both inbound and outbound.
- Recommendations If you have not yet deployed network intrusion prevention, require NGFW
capabilities of all vendors at your next firewall refresh point. If you have deployed both network firewalls and network intrusion prevention,
synchronize the refresh cycle for both technologies and migrate to NGFW capabilities.
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 18 |
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Fine-grained visibility and policy control
over application access / functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Firewall
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 19 |
Unique Technologies Transform the Firewall
App-IDIdentify the application
User-IDIdentify the user
Content-IDScan the content
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 20 |
Single-Pass Parallel Processing (SP3) Architecture
Single Pass• Operations once per
packet- Traffic classification (app
identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing• Function-specific
hardware engines
• Separate data/control planes
Up to 10Gbps, Low Latency
© 2008 Palo Alto Networks. Proprietary and Confidential.Page 21 |
Purpose-Built Architecture: PA-4000 Series
Flash Matching HW Engine• Palo Alto Networks’ uniform signatures• Multiple memory banks – memory
bandwidth scales performance
Multi-Core Security Processor• High density processing for flexible
security functionality• Hardware-acceleration for standardized
complex functions (SSL, IPSec, decompression)
Dedicated Control Plane• Highly available mgmt• High speed logging and
route updates
10Gbps
Flash MatchingEngine
RAM
RAM
RAM
RAM
Dual-coreCPU
RAM
RAM
HDD
10 Gig Network Processor• Front-end network processing offloads
security processors• Hardware accelerated QoS, route lookup,
MAC lookup and NAT
CPU16
. .
SSL IPSecDe-
Compression
CPU1
CPU2
10Gbps
Control Plane Data Plane
RAM
RAMCPU
3
QoS
Route, ARP, MAC
lookup
NAT
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 22 |
Visibility into Application, Users & Content
• Application Command Center (ACC)- View applications, URLs, threats, data
filtering activity
• Mine ACC data, adding/removing filters as needed to achieve desired result
Filter on Skype Remove Skype to expand view of harris
Filter on Skype and user harris
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 23 | © 2008 Palo Alto Networks. Proprietary and Confidential.Page 23 | © 2008 Palo Alto Networks. Proprietary and Confidential.Page 23 |
Enables Visibility Into Applications, Users, and Content
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 24 |
PAN-OS Features
• Strong networking foundation- Dynamic routing (OSPF,
RIPv2)- Site-to-site IPSec VPN - SSL VPN for remote access- Tap mode – connect to SPAN
port- Virtual wire (“Layer 1”) for true
transparent in-line deployment- L2/L3 switching foundation
• QoS traffic shaping- Max/guaranteed and priority - By user, app, interface, zone,
and more
• Zone-based architecture- All interfaces assigned to security
zones for policy enforcement
• High Availability- Active / passive - Configuration and session
synchronization- Path, link, and HA monitoring
• Virtual Systems- Establish multiple virtual firewalls
in a single device (PA-4000 Series only)
• Simple, flexible management- CLI, Web, Panorama, SNMP,
Syslog
Visibility and control of applications, users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 25 |
Our Platform Family…Pe
rform
an
ce
Remote Office/Medium Enterprise
Large Enterprise
•PA-2000 Series
• 1Gbps; 500Mbps threat prevention
•PA-4000 Series
• 500Mbps; 200Mbps threat prevention
2Gbps; 2Gbps threat prevention
10Gbps; 5Gbps threat prevention
10Gbps; 5Gbps threat prevention (XFP interfaces)
•PA-500• 250Mbps; 100Mbps threat prevention
© 2009 Palo Alto Networks. Proprietary and ConfidentialPage 26 |
Palo Alto Networks Next-Gen Firewalls
PA-4050• 10 Gbps FW• 5 Gbps threat prevention• 2,000,000 sessions• 16 copper gigabit• 8 SFP interfaces
PA-4020• 2 Gbps FW• 2 Gbps threat prevention• 500,000 sessions• 16 copper gigabit• 8 SFP interfaces
PA-4060• 10 Gbps FW• 5 Gbps threat prevention• 2,000,000 sessions• 4 XFP (10 Gig) I/O• 4 SFP (1 Gig) I/O
PA-2050• 1 Gbps FW• 500 Mbps threat prevention• 250,000 sessions• 16 copper gigabit• 4 SFP interfaces
PA-2020• 500 Mbps FW• 200 Mbps threat prevention• 125,000 sessions• 12 copper gigabit• 2 SFP interfaces
PA-500• 250 Mbps FW• 100 Mbps threat prevention• 50,000 sessions• 8 copper gigabit
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 27 |
Flexible Deployment OptionsVisibility Transparent In-Line Firewall Replacement
• Application, user and content visibility without inline deployment
• IPS with app visibility & control• Consolidation of IPS & URL
filtering
• Firewall replacement with app visibility & control
• Firewall + IPS• Firewall + IPS + URL filtering
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 28 |
Fix The Firewall – and Save Money!
• Capital cost – replace multiple devices- Legacy firewall, IPS, URL filtering device (e.g.,
proxy, secure web gateway)
Cut by as much as 80%
Cut by as much as 65%
• “Hard” operational expenses- Support contracts- Subscriptions- Power and HVAC
• Save on “soft” costs too- Rack space, deployment/integration, headcount,
training, help desk calls
Now We Fixed The Firewall…What’s Next?
Global Protect!
Solved the “Inside” Problem - But Users Leave…
Headquarters Branch Office Hotel Home
Enterprise Secured Open to threats, app usage, & more
How do you secure your applications and your users when they are both moving off the “controlled” network?
DATA
Apps
Users
Get the Same Visibility and Control for All Users
Headquarters Branch Office Hotel Home
Enterprise Secured Enterprise Secured
Palo Alto Networks GlobalProtectTM will enable organizations to safely enable applications, regardless of user location
Apps
Users
Palo Alto Networks Continuing to Innovate
• Enterprises basing network security on Palo Alto Networks next-generation firewalls
• GlobalProtectTM will bring roaming users into next-generation firewall-based control- Applications/Users/Content
• GlobalProtectTM will support Windows-based machines initially- Windows 7 (32 & 64-bit)
- Windows Vista (32 & 64-bit)
- Windows XP
• Pricing: subscription (per firewall, not user-based)
• Available end of 2010
© 2010 Palo Alto Networks. Proprietary and Confidential.Page 32 |
Next-Generation Firewalls Are Network Security
© 2010 Palo Alto Networks. Proprietary and Confidential.Page 33 |
What about the Middle East?
• Higher College of Technology in Abu Dhabi
• American University of Sharjah
• Abu Dhabi Government Services
• Cairo Aman Bank in Jordan
• Dubai World
• …
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 34 |
Thank You
Additional Information
Next-Generation Firewall Solutions
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 37 |
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 38 |
Legendary Customer Support Experience
• Strong TSE team with deep network security and infrastructure knowledge- Experience with every major firewall
- TSEs average over 15 years of experience
• TSEs co-located with engineering – in Sunnyvale, CA
• Premium and Standard offerings
• Rave reviews from customers
© 2007 Palo Alto Networks. Proprietary and ConfidentialPage 38 |
Customer support has always been amazing. Whenever I call, I always get someone knowledgeable right away, and never have to wait. They give me the answer I need quickly and completely. Every support rep I have spoken with knows his stuff.
-Mark Kimball, Hewlett-Packard
Customer support has been extraordinarily helpful – which is not the norm when dealing with technology companies. Their level of knowledge, their willingness to participate – it’s night and day compared to other companies. It’s an incredible strength of Palo Alto Networks.
-James Jones, UPMC
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 39 |
Site-to-Site and Remote Access VPN
• Secure connectivity- Standards-based site-to-site IPSec VPN
- SSL VPN for remote access
• Policy-based visibility and control over applications, users and content for all VPN traffic
• Included as features in PAN-OS at no extra charge
Site-to-site VPN connectivity
Remote user connectivity
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 40 |
Traffic Shaping Expands Policy Control Options
• Traffic shaping policies ensure business applications are not bandwidth starved - Guaranteed and maximum bandwidth settings
- Flexible priority assignments, hardware accelerated queuing
- Apply traffic shaping policies by application, user, source, destination, interface, IPSec VPN tunnel and more
• Enables more effective deployment of appropriate application usage policies
• Included as a feature in PAN-OS at no extra charge
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 41 |
Flexible Policy Control Responses
• Intuitive policy editor enables appropriate usage policies with flexible policy responses• Allow or deny individual application usage • Allow but apply IPS, scan for viruses, spyware
• Control applications by category, subcategory, technology or characteristic
• Apply traffic shaping (guaranteed, priority, maximum)
• Decrypt and inspect SSL • Allow for certain users or groups within AD
• Allow or block certain application functions • Control excessive web surfing
• Allow based on schedule • Look for and alert or block file or data transfer
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 42 |
App-ID: Comprehensive Application Visibility
• Policy-based control more than 800 applications distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• 3 - 5 new applications added weekly
• App override and custom HTTP applications help address internal applications
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 43 |
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 44 |
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance- Uniform signature engine scans for broad range of threats in single pass- Vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type- Looks for CC # and SSN patterns - Looks into file to determine type – not extension based
• Web filtering enabled via fully integrated URL database- Local 20M URL database (76 categories) maximizes performance (1,000’s URLs/sec)- Dynamic DB adapts to local, regional, or industry focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work related web surfing
Internet
Sprawl Is Not The Answer
• Doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 45 |
Internet
UTM Is Still Sprawl…Just Slower
• Doesn’t solve the problem
• Firewall “helper” functions have limited view of traffic
• Turning on functions kills performance
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 46 |
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 47 |
Traditional Multi-Pass Architectures are Slow
Port/Protocol-based ID
L2/L3 Networking, HA, Config Management,
Reporting
Port/Protocol-based ID
HTTP Decoder
L2/L3 Networking, HA, Config Management,
Reporting
URL Filtering Policy
Port/Protocol-based ID
IPS Signatures
L2/L3 Networking, HA, Config Management,
Reporting
IPS Policy
Port/Protocol-based ID
AV Signatures
L2/L3 Networking, HA, Config Management,
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder & Proxy
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 48 |
Single-Pass Parallel Processing (SP3) Architecture
Single Pass• Operations once per
packet- Traffic classification (app
identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing• Function-specific
hardware engines
• Separate data/control planes
Up to 10Gbps, Low Latency
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 49 |
Enterprise Device and Policy Management
• Intuitive and flexible management- CLI, Web, Panorama, SNMP, Syslog- Role-based administration enables delegation of tasks to appropriate person
• Panorama central management application- Shared policies enable consistent application control policies - Consolidated management, logging, and monitoring of Palo Alto Networks devices- Consistent web interface between Panorama and device UI- Network-wide ACC/monitoring views, log collection, and reporting
• All interfaces work on current configuration, avoiding sync issues
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 50 |
PA-4000 Series Specifications
- 2U, 19” rack-mountable chassis
- Dual hot swappable AC power supplies
- Dedicated out-of-band management port
- 2 dedicated HA ports
- DB9 console port
PA-4050• 10 Gbps FW• 5 Gbps threat
prevention• 2,000,000 sessions• 16 copper gigabit• 8 SFP interfaces
PA-4020• 2 Gbps FW• 2 Gbps threat
prevention• 500,000 sessions• 16 copper gigabit• 8 SFP interfaces
PA-4060• 10 Gbps FW• 5 Gbps threat
prevention• 2,000,000 sessions• 4 XFP (10 Gig) I/O• 4 SFP (1 Gig) I/O
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 51 |
Purpose-Built Architecture: PA-4000 Series
Content Scanning HW Engine• Palo Alto Networks’ uniform signatures• Multiple memory banks – memory
bandwidth scales performance
Multi-Core Security Processor• High density processing for flexible
security functionality• Hardware-acceleration for standardized
complex functions (SSL, IPSec, decompression)
Dedicated Control Plane• Highly available mgmt• High speed logging and
route updates
10Gbps
Content ScanningEngine
RAM
RAM
RAM
RAM
Dual-coreCPU
RAM
RAM
HDD
10 Gig Network Processor• Front-end network processing offloads
security processors• Hardware accelerated QoS, route lookup,
MAC lookup and NAT
CPU16
. .
SSL IPSecDe-
Compression
CPU1
CPU2
10Gbps
Control Plane Data Plane
RAM
RAMCPU
3
QoS
Route, ARP, MAC
lookup
NAT
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 52 |
PA-2000 Series Specifications
- 1U rack-mountable chassis
- Single non-modular power supply
- 80GB hard drive (cold swappable)
- Dedicated out-of-band management port
- RJ-45 console port, user definable HA port
PA-2050• 1 Gbps FW• 500 Mbps threat prevention• 250,000 sessions• 16 copper gigabit• 4 SFP interfaces
PA-2020• 500 Mbps FW• 200 Mbps threat prevention• 125,000 sessions• 12 copper gigabit• 2 SFP interfaces
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 53 |
Purpose-Built Architecture: PA-2000 Series
Route, ARP, MAC
lookup
NAT
Flash Matching HW Engine• Palo Alto Networks’ uniform
signatures• Multiple memory banks – memory
bandwidth scales performance
Multi-Core Security Processor• High density processing for flexible
security functionality• Hardware-acceleration for standardized
complex functions (SSL, IPSec)
Dedicated Control Plane• Highly available mgmt• High speed logging and
route updates
1Gbps
Flash MatchingEngine
RAM
RAM
RAM
RAM
Dual-coreCPU
RAM
RAM
HDD
Network Processor• Front-end network processing
offloads security processors• Hardware accelerated route lookup,
MAC lookup and NAT
CPU4
SSL IPSec
CPU1
CPU2
1Gbps
Control Plane Data Plane
RAM
RAMCPU
3
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 54 |
PA-500 Specifications
Specs• 250 Mbps FW • 100 Mbps IPSec VPN • 100 Mbps threat prevention • 50,000 sessions• 250 VPN tunnels• 8 copper gigabit interfaces• Runs PAN-OS 3.0 and later
General hardware• 1U rack mountable• Single non-modular power
supply• 80GB hard drive• Dedicated mgmt port• RJ-45 console port
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 55 |
PA-500 Purpose-Built Architecture
• Common dedicated data plane and control plane architecture• Network processing and signature matching engine virtualized into the multi-core
security processor• Same software architecture as all Palo Alto Networks platforms
Multi-Core Security Processor• High density processing for networking
and security functions• Hardware-acceleration for standardized
complex functions (SSL, IPSec)• Signature match virtual software engine
Dedicated Control Plane• Highly available mgmt• High speed logging and
route updates
Dual-coreCPU
RAM
RAM
HDD
CPU4
SSL IPSec
CPU1
CPU2
Control Plane Data Plane
RAM
RAMCPU
3