© 2007 Palo Alto Networks. Proprietary and Confidential Page 1 | Next Generation Firewalls Nir Zuk...
Next Generation Firewalls
Nir Zuk, Founder and CTO
About the Speaker
• 2005-today: Founder and CTO at Palo Alto Networks (Next Generation Firewall)
• 2002-2005: CTO at NetScreen/Juniper
• 2000-2002: Founder and CTO at OneSecure (world’s first network IPS)
• 1994-1999: Principal Engineer at Check Point Software
Some Simple Questions
Question #1: Who has a firewall?
Question #2: What is your firewall doing?
Your firewall is controlling access to your network? Really?
Is the Firewall Controlling Network Access?
• Let’s look at a typical enterprise server
• No… these are only 10% of your servers
• 90% of your servers are on end user desktops
[Figure: an end-user desktop running eMule, which makes the desktop an eMule server]
Real Data – What’s on Enterprise Networks
• Application usage assessment of 60 enterprises (960,000 users)
- Across verticals: financial services, health care, manufacturing, government, retail, education
• Looks at real enterprise traffic:
- How are networks being used?
- What applications are running on enterprise networks?
- Which applications are considered high-risk?
- What are the risks associated with the existing application mix?
- What threats are on enterprise networks?
6 Months Application Trends
[Chart: application trends over six months, April compared with September]
Some Simple Questions
Question #1: Who has a firewall?
Question #2: What is your firewall doing?
Your firewall is controlling access to your network? Really?
Question #3: If you were me, how’d you break into your network?
Applications Have Changed – Firewalls Have Not
[Figure: application categories on the network, e.g. Collaboration / Media]
• The firewall is using port numbers and IP addresses to classify applications and identify users
• BUT… applications have changed:
- Ports ≠ Applications
- IP Addresses ≠ Users
Problem: IT Can’t Safely Enable Internet Applications
[Figure: SaaS and personal applications reaching end users directly]
• Leaving IT blind to apps, users & content
• 2006 Time Magazine’s Person of the Year
- There is a direct relationship between Google, Yahoo, MSN, etc. and the end user
Can’t IPS Block Applications?
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many “Web 2.0” applications are useful:
- Enhancing productivity
- Giving competitive advantage to the business
- Employee retention and productivity
• Some applications are good but have bad features
• IPS cannot:
- Explicitly allow good traffic (can only block bad traffic)
- Identify users
- Identify which feature within the application is being used
Can Proxies Block Applications?
• Proxies cannot run at multi-gig
• High latency
• Cannot support millions of concurrent connections
• Proxies only work for proxied applications:
- Cannot build a proxy for 100’s of modern applications
- Break applications
HTTP: Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%); proxies cannot deal with it
• Browser-based applications are 46%; some work with proxies and some don’t
• Web browsing is 23%
[Chart: all HTTP applications split into web browsing, browser-based applications and client/server applications]
Can Proxies Block Applications?
• Proxies cannot run at multi-gig
• High latency
• Cannot support millions of concurrent connections
• Proxies only work for proxied applications:
- Cannot build a proxy for 100’s of modern applications
- Break applications
• Oh… I almost forgot… proxies can be bypassed easily
Circumvention Tools Get Around Security
• Users circumvent IT security controls
• Public proxy services / private proxies at home
• Encrypted tunnels
Some Simple Questions
Question #1: Who has a firewall?
Question #2: What is your firewall doing?
Your firewall is controlling access to your network? Really?
Question #3: If you were me, how’d you break into your network?
Question #4: Which threats to your network worry you?
Network Threats: Today’s Thinking
• When talking about network threats, the following come to mind:
- Viruses
- Spyware
- Exploits/Intrusions
- Worms
- Bots
- Trojans
- Etc.
• But these are not threats. These are technologies and mechanisms which carry threats
Network Threats: The Real Threats
• From the business’s perspective, network-borne threats include:
- Data loss
- Productivity loss
- Increasing operations costs (e.g., helpdesk overload)
- Non-compliance with regulations
- Business continuity
- Bad PR
• These threats can be introduced by viruses, spyware and exploits, but through other mechanisms as well
• Uncontrolled applications carry risks of all the threats in the list above
Applications’ Double Threat
• Applications bring threats:
- Data loss
- Productivity loss
- Increasing operations costs (e.g., helpdesk overload)
- Non-compliance with regulations
- Business continuity
- Bad PR
• Applications also carry traditional threat vectors:
- Viruses, Spyware, Exploits
• When allowing an application to be used, its traffic needs to be secured:
- Scan for Viruses, Spyware, Exploits, Data Loss, etc.
The Traditional Approach to Network Security
[Figure: a security perimeter between Corporate Assets / WAN and the Internet. A timeline of threat classes, each answered with a separate point product bolted onto the perimeter: Resource Access (1992), Eavesdropping (1994), Exploits (1996), Viruses (1997), Content Access (1998), Denial of Service (2000), IM Attacks (2002), Web App Attacks (2002), XML/W.S. Attacks (2004), Worms (2005), Info Leakage (2005), Spyware (2006). The resulting product stack: IPSEC VPN, IDS, IPS, Anti-Virus, Content Filtering, DoS Protection, Anti-Spyware, Worm Mitigation, DLP/ILP, Web App Security, IM Security, XML Security]
The “UTM” Approach
[Figure: several independent engines stacked in one box, each carrying its own port/protocol-based ID and its own L2/L3 networking, HA, configuration management and reporting layer: Firewall Policy; HTTP Decoder with URL Filtering Policy; IPS Decoder with IPS Signatures and IPS Policy; AV Decoder & Proxy with AV Signatures and AV Policy]
May I suggest a better approach?
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Single processes for:
- Traffic classification (app identification)
- User/group mapping
- Content scanning: threats, URLs, DLP, etc.
• One policy
Parallel Processing
• Function-specific hardware engines
• Multi-core security processing
• Separate data/control planes
Up to 10Gbps, low latency
Making Content-Scanning Network-Ready
• Stream-based, not file-based, for real-time performance
- Dynamic reassembly
• Uniform signature engine scans for a broad range of threats in a single pass
• Threat detection covers vulnerability exploits (IPS), virus, and spyware (both downloads and phone-home)
[Figure, time on the horizontal axis: file-based scanning runs “Buffer File”, “Scan File” and “Deliver Content” one after another; stream-based scanning runs “ID Content”, “Scan Content” and “Deliver Content” overlapped in time]
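To make the stream-based, single-pass idea concrete, here is an added example (not Palo Alto Networks code, and not how their engine is implemented) that serves both the Single-Pass description above and the stream-versus-file figure. One Aho-Corasick automaton holds signatures from several threat classes (the signature strings and the sample flow are constructed for the demo), so every byte is examined once for virus, spyware and exploit patterns together. The matcher keeps its state between chunks, so a pattern that straddles a segment boundary is still found, and the record of each hit includes the chunk index at which the verdict was available; the file-based variant buffers the whole transfer and can only answer with the last chunk.

```python
from collections import deque

# Constructed signature set for the demo: each pattern carries the threat class
# it belongs to, so one automaton (one pass) covers virus, spyware and exploit checks.
SIGNATURES = {
    b"SAMPLE-VIRUS-SIGNATURE": "virus",
    b"PHONE-HOME-BEACON": "spyware",          # stands in for a spyware phone-home pattern
    b"SAMPLE-EXPLOIT-PATTERN": "vulnerability",
}


class StreamScanner:
    """Aho-Corasick matcher whose state survives between chunks of a flow.

    Because the automaton state and the byte offset live on the object, a
    signature split across two TCP segments is still matched, and a verdict is
    available as soon as the bytes completing it arrive, not after the whole
    file has been buffered.
    """

    def __init__(self, signatures):
        self.goto = [{}]      # per-state transitions: byte -> next state
        self.out = [[]]       # per-state (pattern, threat class) pairs ending here
        self.fail = [0]       # per-state failure link
        for pattern, threat_class in signatures.items():
            state = 0
            for byte in pattern:
                if byte not in self.goto[state]:
                    self.goto.append({})
                    self.out.append([])
                    self.fail.append(0)
                    self.goto[state][byte] = len(self.goto) - 1
                state = self.goto[state][byte]
            self.out[state].append((pattern, threat_class))
        # Breadth-first pass computes failure links and inherits outputs from them.
        queue = deque(self.goto[0].values())
        while queue:
            parent = queue.popleft()
            for byte, child in self.goto[parent].items():
                queue.append(child)
                link = self.fail[parent]
                while link and byte not in self.goto[link]:
                    link = self.fail[link]
                self.fail[child] = self.goto[link].get(byte, 0)
                self.out[child] = self.out[child] + self.out[self.fail[child]]
        self.state = 0
        self.offset = 0       # bytes of the flow seen so far

    def feed(self, chunk):
        """Scan one chunk; returns (threat class, pattern, start offset) per match."""
        hits = []
        state = self.state
        for byte in chunk:
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            for pattern, threat_class in self.out[state]:
                hits.append((threat_class, pattern.decode(), self.offset - len(pattern) + 1))
            self.offset += 1
        self.state = state
        return hits


def scan_stream(chunks, signatures=SIGNATURES):
    """Stream-based: each chunk is scanned on arrival. The fourth field of each
    hit is the chunk index at which the verdict became available."""
    scanner = StreamScanner(signatures)
    hits = []
    for index, chunk in enumerate(chunks):
        for threat_class, pattern, start in scanner.feed(chunk):
            hits.append((threat_class, pattern, start, index))
    return hits


def scan_file(chunks, signatures=SIGNATURES):
    """File-based: buffer the whole transfer first, so every verdict is only
    available once the last chunk has arrived."""
    data = b"".join(chunks)
    scanner = StreamScanner(signatures)
    last = len(chunks) - 1
    return [(c, p, s, last) for c, p, s in scanner.feed(data)]


# Constructed flow, cut into 10-byte segments so that both signatures present
# in it straddle a segment boundary.
SAMPLE_FLOW = (
    b"GET /update HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"payload SAMPLE-VIRUS-SIGNATURE then PHONE-HOME-BEACON end"
)
CHUNKS = [SAMPLE_FLOW[i:i + 10] for i in range(0, len(SAMPLE_FLOW), 10)]

if __name__ == "__main__":
    for hit in scan_stream(CHUNKS):
        print("stream:", hit)
    for hit in scan_file(CHUNKS):
        print("file:  ", hit)
```

Running it shows the virus signature reported while chunk 7 of 11 is being processed and the phone-home pattern at chunk 9, whereas the file-based variant reports both only at chunk 10; the match offsets are identical in both modes, and they stay identical if the flow is delivered one byte at a time, which is the property dynamic reassembly has to preserve.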
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access / functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation
Next Generation Firewalls: Requirements
Palo Alto Networks Next Generation Firewalls…
• Application identification (~800)
• User identification
• Granular visibility & control
• Real time content security
• Multi-gigabit low latency
• Transparent deployments
[Chart, performance on the vertical axis, from Branch Office/Medium Enterprise to Large Enterprise on the horizontal axis: PA-2000 Series and PA-4000 Series models at the 500Mb, 1Gb, 2Gb and 10Gb tiers]
Identification Technologies Change the Game
• App-ID: identify the application
• User-ID: identify the user
• Content-ID: scan the content
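The three identification steps above, together with “Ports ≠ Applications / IP Addresses ≠ Users” and requirements 1 to 3 from the previous slides, are illustrated by this added example. It is not Palo Alto Networks code and says nothing about how App-ID or User-ID are actually implemented: the classifier is a toy that looks at how a conversation opens (SSH banner, TLS ClientHello record, BitTorrent handshake, HTTP request line and Host header), the port table, the IP-to-user mapping, the zone assignment, the HTTP host table and the policy rules are all constructed for the demo, and the flows are hand-built byte strings. The point it makes is that the same flow gets different verdicts under port-based and payload-based classification, and that a policy keyed on zone, user group and application can explicitly allow the good traffic and deny the rest.

```python
import re

# --- Port-based classification (the legacy firewall's view); constructed table ---
PORT_APPS = {22: "ssh", 80: "web-browsing", 443: "ssl", 6881: "bittorrent"}


def classify_by_port(dst_port):
    return PORT_APPS.get(dst_port, "unknown")


# --- Payload-based classification, a toy stand-in for App-ID ---
# Constructed table of HTTP Host values that mark an application riding on HTTP.
HTTP_HOST_APPS = {b"mail.example.test": "webmail-example",
                  b"share.example.test": "filesharing-example"}
HTTP_REQUEST = re.compile(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def classify_by_payload(payload):
    """Decide the application from how the conversation starts, ignoring the port."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record: type 0x16 (handshake), version 3.x, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    # BitTorrent peer handshake: length byte 19 followed by the protocol string
    if payload[:20] == b"\x13BitTorrent protocol":
        return "bittorrent"
    m = HTTP_REQUEST.match(payload)
    if m:
        if m.group(1) == b"CONNECT":
            return "http-proxy"
        host = re.search(rb"\r\nHost: ([^\r\n]+)\r\n", payload)
        if host and host.group(1) in HTTP_HOST_APPS:
            return HTTP_HOST_APPS[host.group(1)]   # an application inside HTTP
        return "web-browsing"
    return "unknown"


# --- User and zone lookup, a toy stand-in for User-ID; constructed tables ---
USER_BY_IP = {"10.1.1.5": ("alice", "engineering"), "10.1.1.9": ("bob", "finance")}
ZONE_BY_PREFIX = {"10.1.": "trust", "203.0.113.": "untrust"}


def zone_of(ip):
    for prefix, zone in ZONE_BY_PREFIX.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"


# --- One policy keyed on zone, user group and application; first match wins ---
# "groups": None means any user; anything not matched falls to the implicit deny.
POLICY = [
    {"name": "eng-ssh-out", "from": "trust", "to": "untrust",
     "groups": {"engineering"}, "apps": {"ssh"}, "action": "allow"},
    {"name": "no-p2p", "from": "trust", "to": "untrust",
     "groups": None, "apps": {"bittorrent"}, "action": "deny"},
    {"name": "sanctioned-webmail", "from": "trust", "to": "untrust",
     "groups": None, "apps": {"webmail-example"}, "action": "allow"},
    {"name": "general-web", "from": "trust", "to": "untrust",
     "groups": None, "apps": {"web-browsing", "ssl"}, "action": "allow"},
]


def evaluate(flow):
    """flow = (src_ip, dst_ip, dst_port, first payload bytes); returns the verdict."""
    src_ip, dst_ip, dst_port, payload = flow
    app = classify_by_payload(payload)
    user, group = USER_BY_IP.get(src_ip, ("unknown", None))
    verdict = {"port_app": classify_by_port(dst_port), "app": app, "user": user,
               "action": "deny", "rule": "implicit-deny"}
    for rule in POLICY:
        if rule["from"] != zone_of(src_ip) or rule["to"] != zone_of(dst_ip):
            continue
        if rule["groups"] is not None and group not in rule["groups"]:
            continue
        if app not in rule["apps"]:
            continue
        verdict.update(action=rule["action"], rule=rule["name"])
        break
    return verdict


# Constructed flows: each is (src_ip, dst_ip, dst_port, first bytes sent by the client).
FLOWS = {
    "ssh-on-80": ("10.1.1.5", "203.0.113.7", 80, b"SSH-2.0-OpenSSH_9.0\r\n"),
    "tls-on-443": ("10.1.1.9", "203.0.113.7", 443, b"\x16\x03\x01\x00\x2e\x01" + b"\x00" * 40),
    "p2p-on-443": ("10.1.1.9", "203.0.113.7", 443, b"\x13BitTorrent protocol" + b"\x00" * 8),
    "webmail-on-80": ("10.1.1.9", "203.0.113.7", 80,
                      b"GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"),
    "share-on-80": ("10.1.1.5", "203.0.113.7", 80,
                    b"GET /up HTTP/1.1\r\nHost: share.example.test\r\n\r\n"),
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        v = evaluate(flow)
        print(f"{name:14} port says {v['port_app']:12} payload says {v['app']:20} "
              f"user {v['user']:8} -> {v['action']} ({v['rule']})")
```

The two flows on port 443 are the instructive pair: by port both are “ssl”, by payload one is a TLS ClientHello and the other a BitTorrent handshake, and only the payload-based verdict lets the policy allow the first and deny the second. The two HTTP flows show the same thing one level down: both are “web-browsing” by port, but the Host header separates a sanctioned webmail application from an unsanctioned file-sharing one, which is the “identify which feature within the application” point the deck makes against IPS.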
PAN-OS Features
• Strong networking foundation:
- Flexible mix-and-match port configuration
- Virtual wire (“L1”) for true transparent in-line deployment
- L2 with full VLAN support
- L3 with NAT and dynamic routing (OSPF, RIP, etc.)
- Tap mode: monitoring via SPAN port
- Site-to-site IPSec VPN
• Zone-based architecture:
- All interfaces assigned to security zones for policy enforcement
• High Availability:
- Configuration and session synchronization
- Path, link, and HA monitoring
- Active / passive
• Virtual Systems:
- Establish multiple virtual firewalls in a single device
• Intuitive and flexible management:
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
Flexible Deployment Options
• Application Visibility
- Connect to span port
- Provides application visibility without inline deployment
• Transparent In-Line
- Deploy transparently behind existing firewall
- Provides application visibility & control without networking changes
• Firewall Replacement
- Replace existing firewall
- Provides application and network-based visibility and control, consolidated policy, high performance
Purpose-Built Architecture: PA-4000 Series
• Flash Matching HW Engine
- Palo Alto Networks’ uniform signatures
- Multiple memory banks: memory bandwidth scales performance
• Multi-Core Security Processor
- High density processing for flexible security functionality
- Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
• Dedicated Control Plane
- Highly available management
- High speed logging and route updates
• 10 Gig Network Processor
- Front-end network processing offloads security processors
- Hardware accelerated QoS, route lookup, MAC lookup and NAT
[Block diagram: a control plane (dual-core CPU, RAM, HDD) separate from the data plane, which holds the flash matching engine with its RAM banks, security processors CPU1 through CPU16 with SSL, IPSec and decompression offload, and the 10 Gig network processor performing QoS, route/ARP/MAC lookup and NAT; 10Gbps in and out]
Users Do What They Want…Which Presents Risk
• Most users can employ any application they want:
- Applications are evasive
- Proxies and encrypted tunnels are common
• Applications carry risk:
- Application behavior: threats, file transfer, etc.
- Business risk: compliance, data loss, business continuity, operational costs, productivity
• Enterprise security and control infrastructure isn’t keeping up:
- Network security is more expensive, harder to manage, and less effective
• IT needs to start thinking like the business