Palo Alto Networks 28.5.2013
-
Upload
belsoft -
Category
Technology
-
view
2.504 -
download
3
description
Transcript of Palo Alto Networks 28.5.2013
Palo Alto Networks Product Overview
Kilian Zantop
28. Mai 2013
Belsoft Best Practice - Next Generation Firewalls
Palo Alto Networks at a Glance
Corporate highlights
Founded in 2005; first customer shipment in 2007
Safely enabling applications
Able to address all network security needs
Exceptional ability to support global customers
Experienced technology and management team
1,000+ employees globally0
2,000
4,000
6,000
8,000
10,000
12,000
1,800
4,700
11,000
Jul-10 Jul-11
FY09 FY10 FY11 FY12$0
$50
$100
$150
$200
$250
$300
$13
$49
$255
$119
Revenue
Enterprise customers
$MM
FYE July
Feb-13
3 | ©2013, Palo Alto Networks. Confidential and Proprietary.
Applications Have Changed, Firewalls Haven’t
4 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Network security policy is enforced at the firewall• Sees all traffic• Defines boundary• Enables accessTraditional firewalls don’t work any more
Encrypted Applications: Unseen by Firewalls
What happens traffic is encrypted?• SSL• Proprietary encryption
7 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Technology Sprawl and Creep Aren’t the Answer
Enterprise Network
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address application “accessibility” features
8 | ©2012, Palo Alto Networks. Confidential and Proprietary.
IMDLPIPS ProxyURLAV
UTM
Internet
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
The Answer? Make the Firewall Do Its Job
9 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Application Control Belongs in the Firewall
Port PolicyDecision
App Ctrl PolicyDecision
Application Control as an Add-on• Port-based decision first, apps second
• Applications treated as threats; only block what you expressly look for
Ramifications• Two policies/log databases, no reconciliation• Unable to effectively manage unknowns
IPS
Applications
FirewallPortTraffic
Firewall IPS
App Ctrl PolicyDecision
Scan Applicationfor Threats
Applications
ApplicationTraffic
Application Control in the Firewall• Firewall determines application identity; across all
ports, for all traffic, all the time
• All policy decisions made based on application
Ramifications• Single policy/log database – all context is shared
• Policy decisions made based on shared context• Unknowns systematically managed
10 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Enabling Applications, Users and Content
11 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Making the Firewall a Business Enablement Tool
Applications: Enablement begins with application classification by App-ID.
Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.
12 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Single Pass Platform Architecture
13 | ©2012, Palo Alto Networks. Confidential and Proprietary.
PAN-OS Core Firewall Features
Strong networking foundation Dynamic routing (BGP, OSPF, RIPv2) Tap mode – connect to SPAN port Virtual wire (“Layer 1”) for true
transparent in-line deployment L2/L3 switching foundation Policy-based forwarding
VPN Site-to-site IPSec VPN Remote Access (SSL) VPN
QoS traffic shaping Max/guaranteed and priority By user, app, interface, zone, & more Real-time bandwidth monitor
Zone-based architecture All interfaces assigned to security
zones for policy enforcement
High Availability Active/active, active/passive Configuration and session
synchronization Path, link, and HA monitoring
Virtual Systems Establish multiple virtual firewalls in a
single device (PA-5000, PA-4000, PA-3000, and PA-2000 Series)
Simple, flexible management CLI, Web, Panorama, SNMP, Syslog
14 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Visibility and control of applications, users and content complement core firewall features
PA-500
PA-200
PA-2000 SeriesPA-2050, PA-2020
PA-3000 SeriesPA-3050, PA-3020
PA-4000 SeriesPA-4060, PA-4050 PA-4020
PA-5000 SeriesPA-5060, PA-5050 PA-5020
VM-SeriesVM-300, VM-200, VM-100
Panorama
Central management
Panorama Deployment Recommendations
16 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Panorama VM< 10 devices< 10,000 logs/secSites with need for virtual appliance
Panorama M-100 < 100 devices< 10,000 logs/sec
Panorama Distributed Architecture< 1,000 devices> 10,000 logs/sec (50,000 per collector)Deployments with need for collector proximity
Panorama Distributed Architecture
With the M-100, manager and log collector functions can be split
Deploy multiple log collectors to scale collection infrastructure
17 | ©2012, Palo Alto Networks. Confidential and Proprietary.
M-100 Hardware Appliance
Simple, high-performance, dedicated appliance for Panorama
Simplifies deployment and support
Introduces distributed log collection capability for large scale deployments
License migration path available for current Panorama customers
18 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Specifications
1 RU form factor Intel Xeon 4 core 3.4 GHz CPU
16 GB memory 64bit Panorama kernel
120 GB SSD system disk Up to 4 TB of RAID1 storage for logs (ships with two 1TB drives)
Panorama Architecture – Configuration
Device Groups are used to share common Policies and Objects
Templates are used to share common Networking and Device configuration
19 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Wildfire
0-day Malware defense
The Lifecycle of Network Attacks - Rehearsal
21 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Bait theend-user
1
End-user lured to a dangerous application or website containing malicious content
Exploit
2
Infected content exploits the end-user, often without their knowledge
DownloadBackdoor
3
Secondary payload is downloaded in the background. Malware installed
EstablishBack-Channel
4
Malware establishes an outbound connection to the attacker for ongoing control
Explore & Steal
5
Remote attacker has control inside the network and escalates the attack
An Integrated Approach to Threat Prevention
22 | ©2012, Palo Alto Networks. Confidential and Proprietary.
App-ID
URL
IPS
Spyware
AV
Files
WildFire
Bait the end-user Exploit Download Backdoor Command/Control
Block high-risk apps
Block known malware sites
Block the exploit
Block malware
Prevent drive-by-downloads
Detect 0-day malware
Block new C2 traffic
Block spyware, C2 traffic
Block fast-flux, bad domains
Block C2 on open ports
Why Traditional Antivirus Protection Fails
Modern/Targeted malware is increasingly able to:
Avoid hitting traditional AV honeypots
Evolve before protection can be delivered, using polymorphism, re-encoding, and changing URLs
23 | ©2012, Palo Alto Networks. Confidential and Proprietary.
☣ Targeted and custom malware
☣ Polymorphic malware
☣ Newly released malware
Highly variable time to protection
WildFire Architecture
10Gbps threat prevention and file scanning on all traffic, all ports (web, email, SMB, etc.)
Malware ran in the cloud with open internet access to discover hidden behaviors
Sandbox logic updated routinely with no customer impact
Malware signatures automatically created based on payload data
Stream-based malware engine performs true inline enforcement
24 | ©2012, Palo Alto Networks. Confidential and Proprietary.
WildFire Subscription Service
WildFire signatures every 30 minutes
Integrated logging & reporting
REST API for scripted file uploads
25 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Reaching Effects of WildFire
26 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Threat Intelligence Sources
WildFire Users
AV Signatures DNS Signatures Anti-C&C SignaturesMalware URL Filtering
WildFire
Introducing theWildFire Appliance (WF-500)
Appliance-based version of WildFire for on-premises deployments
All sandbox analysis performed locally on the WildFire appliance
WF-500 has option to send locally identified malware to WildFire public cloud Signatures only are created in public cloud
WildFire signatures for all customers distributed via normal update service
Detection capabilities in sync with public cloud
27 | ©2012, Palo Alto Networks. Confidential and Proprietary.
WildFire Cloud
Eagle Appliance
All samples
Malware
Signatures
Global Protect
Securing your road worriers
Challenge: Quality of Security Tied to Location
Enterprise-secured with full protection
Headquarters Branch Offices
malware
botnets
exploits
29 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Airport Hotel Home Office
Exposed to threats, risky apps, and data leakage
GlobalProtect: Consistent Security Everywhere
•Headquarters •Branch Office
malware
botnets
exploits
• VPN connection to a purpose built firewall that is performing the security work • Automatic protected connectivity for users both inside and outside• Unified policy control, visibility, compliance & reporting
30 | ©2012, Palo Alto Networks. Confidential and Proprietary.
LSVPN
Large scale satellite VPN
32
© 2011 Palo Alto Networks. Proprietary and Confidential.
The Concept
Easy deployment of large scale VPN infrastructure
• GlobalProtect Satellites automatically acquire authentication credentials and initial configuration from GlobalProtect Portal
• GlobalProtect Satellite establishes tunnels with available Gateways
• Satellites and Gateways automatically exchange routing configuration
Magic Quadrant for Enterprise Network Firewalls
35 | ©2013, Palo Alto Networks. Confidential and Proprietary.
“Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward. It is assessed as a Leader, mostly because of its NGFW design, direction of the market along the NGFW path, consistent displacement of competitors, rapidly increasing revenue and market share, and market disruption that forces competitors in all quadrants to react.”
Gartner, February 2013
Thank You
Page 37 | © 2010 Palo Alto Networks. Proprietary and Confidential.
Next-Generation Firewall Virtualized Platforms
38 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Specifications
Model Sessions Rules Security Zones
Address Objects
IPSec VPN Tunnels
SSL VPN Tunnels
VM-100 50,000 250 10 2,500 25 25
VM-200 100,000 2,000 20 4,000 500 200
VM-300 250,000 5,000 40 10,000 2,000 500
Supported on VMware ESX/ESXi 4.0 or later
Minimum of 2 CPU cores, 4GB RAM, 40GB HD, 2 interfaces
Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames
Performance
Cores Allocated Firewall (App-ID) Threat Prevention VPN Sessions per Second
2 Core 500 Mbps 200 Mbps 100 Mbps 8,000
4 Core 1 Gbps 600 Mbps 250 Mbps 8,000
8 Core 1 Gbps 1 Gbps 400 Mbps 8,000
Differentiating: App-ID vs. Two Step Scanning
Operational ramifications of two step scanning Two separate policies with duplicate info – impossible to reconcile them Two log databases decrease visibility Unable to systematically manage unknown traffic Weakens the deny-all-else premise
Every firewall competitor uses two step scanning
39 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Port PolicyDecision
App Ctrl PolicyDecision
IPS
Applications
FirewallAllow port 80 traffic
Traffic 300 or more applications
300 or more applications 300 or more applications
Flexible Deployment OptionsVisibility Transparent In-Line Firewall Replacement
• Application, user and content visibility without inline deployment
• IPS with app visibility & control• Consolidation of IPS & URL
filtering
• Firewall replacement with app visibility & control
• Firewall + IPS• Firewall + IPS + URL filtering
40 | ©2012, Palo Alto Networks. Confidential and Proprietary.