Palo Alto Networks Overview March 2012 Data Connectors Micah Richardson, Account Manager.


Palo Alto Networks Overview

March 2012

Data Connectors

Micah Richardson, Account Manager


Agenda

• Corporate Overview

• Why a NGFW?

• Key Technologies, Architecture Review, Wildfire

• Web Interface

• Model Review

• 2011 Gartner Report

• Review

© 2011 Palo Alto Networks. Proprietary and Confidential.


About Palo Alto Networks

• Palo Alto Networks is the Network Security Company

• World-class team with strong security and networking experience

- Founded in 2005, first customer July 2007, top-tier investors

• Builds next-generation firewalls that identify / control ~1450+ applications

- Restores the firewall as the core of enterprise network security infrastructure

- Innovations: App-ID™, User-ID™, Content-ID™

• Global momentum: 7,500+ customers

- August 2011: Annual bookings run rate is over US$200 million*, cash-flow positive last five consecutive quarters

(*) Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks’ fiscal year runs from August 1st until July 31st.

• A few of the many enterprises that have deployed more than $1M


Applications Have Changed; Firewalls Have Not


Need to restore visibility and control in the firewall

BUT…applications have changed

• Ports ≠ Applications

• IP Addresses ≠ Users

• Packets ≠ Content

The firewall is the right place to enforce policy control

• Sees all traffic

• Defines trust boundary

• Enables access via positive control


Technology Sprawl & Creep Are Not The Answer

• “More stuff” doesn’t solve the problem

• Firewall “helpers” have limited view of traffic

• Complex and costly to buy and maintain


• Putting all of this in the same box is just slow


The Right Answer: Make the Firewall Do Its Job


New Requirements for the Firewall

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify users regardless of IP address

3. Protect in real-time against threats embedded across applications

4. Fine-grained visibility and policy control over application access / functionality

5. Multi-gigabit, in-line deployment with no performance degradation


Why Visibility & Control Must Be In The Firewall


Application Control as an Add-on

• Port-based FW + App Ctrl (IPS) = two policies

• Applications are threats; only block what you expressly look for

Implications

• Network access decision is made with no information

• Cannot safely enable applications

[Diagram labels: Port Traffic, Firewall, Port Policy Decision, IPS, App Ctrl Policy Decision, Applications]

NGFW Application Control

• Application control is in the firewall = single policy

• Visibility across all ports, for all traffic, all the time

Implications

• Network access decision is made based on application identity

• Safely enable application usage

[Diagram labels: Application Traffic, Firewall, IPS, App Ctrl Policy Decision, Scan Application for Threats, Applications]


Your Control With Port-based Firewall Add-on


Identification Technologies Transform the Firewall


• App-ID™

• Identify the application

• User-ID™

• Identify the user

• Content-ID™

• Scan the content


Single-Pass Parallel Processing™ (SP3) Architecture


Single Pass

• Operations once per packet

- Traffic classification (app identification)

- User/group mapping

- Content scanning – threats, URLs, confidential data

• One policy

Parallel Processing

• Function-specific parallel processing hardware engines

• Separate data/control planes

• Up to 20Gbps, Low Latency


INSERT WILDFIRE SLIDE HERE


Comprehensive View of Applications, Users & Content

• Application Command Center (ACC)

- View applications, URLs, threats, data filtering activity

• Add/remove filters to achieve desired result

[Screenshot captions: Filter on Facebook-base; Filter on Facebook-base and user cook; Remove Facebook to expand view of cook]


PAN-OS Core Firewall Features

• Strong networking foundation

- Dynamic routing (BGP, OSPF, RIPv2)

- Tap mode – connect to SPAN port

- Virtual wire (“Layer 1”) for true transparent in-line deployment

- L2/L3 switching foundation

- Policy-based forwarding

• VPN

- Site-to-site IPSec VPN

- SSL VPN

• QoS traffic shaping

- Max/guaranteed and priority

- By user, app, interface, zone, & more

- Real-time bandwidth monitor

• Zone-based architecture

- All interfaces assigned to security zones for policy enforcement

• High Availability

- Active/active, active/passive

- Configuration and session synchronization

- Path, link, and HA monitoring

• Virtual Systems

- Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, and PA-2000 Series)

• Simple, flexible management

- CLI, Web, Panorama, SNMP, Syslog

Visibility and control of applications, users and content complement core firewall features

PA-500

PA-2020

PA-2050

PA-4020

PA-4050

PA-4060

PA-5060

PA-5050

PA-5020


2011 Magic Quadrant for Enterprise Network Firewalls


Source: Gartner, December 14, 2011

“Palo Alto Networks' high-performance NGFW functionality continues to drive competitors to react in the firewall market. It is assessed as a Leader mostly because of its NGFW design, redirection of the market along the NGFW path, consistent displacement of Leaders and Challengers, and market disruption forcing Leaders to react.”


Addresses Three Key Business Problems

• Identify and Control Applications

- Visibility of ~1450+ applications, regardless of port, protocol, encryption, or evasive tactic

- Fine-grained control over applications (allow, deny, limit, scan, shape)

- Addresses the key deficiencies of legacy firewall infrastructure

• Prevent Threats

- Stop a variety of threats – exploits (by vulnerability), viruses, spyware

- Stop leaks of confidential data (e.g., credit card #, social security #, file/type)

- Stream-based engine ensures high performance

- Enforce acceptable use policies on users for general web site browsing

• Simplify Security Infrastructure

- Put the firewall at the center of the network security infrastructure

- Reduce complexity in architecture and operations


Thank You


Additional Information

Speeds and Feeds, Deployment, Customers, TCO, Support, and Management


Global Support. Local Availability. Enterprise Class.

• Global support infrastructure

- Global TACs (Santa Clara HQ, Dallas, Antwerp, Singapore, Tokyo)

- Global Hardware Depots (Santa Clara, Amsterdam, Singapore)

• Programs and features to address global support demands

- On-line Support Knowledge Portal

- Premium Support (24 x 7)

- Standard Support (8 x 5)

- Technical Account Managers

- Hardware support/replacement options (standard, premium, 4-hour, on-site spares, and system HA)

• Integrated approach to services, training, and support


August 2011: Extraordinary Business Results


Palo Alto Networks Next-Gen Firewalls

PA-4050

• 10 Gbps FW/5 Gbps threat prevention/2,000,000 sessions

• 8 SFP, 16 copper gigabit

PA-4020

• 2 Gbps FW/2 Gbps threat prevention/500,000 sessions

• 8 SFP, 16 copper gigabit

PA-4060

• 10 Gbps FW/5 Gbps threat prevention/2,000,000 sessions

• 4 XFP (10 Gig), 4 SFP (1 Gig)

PA-2050

• 1 Gbps FW/500 Mbps threat prevention/250,000 sessions

• 4 SFP, 16 copper gigabit

PA-2020

• 500 Mbps FW/200 Mbps threat prevention/125,000 sessions

• 2 SFP, 12 copper gigabit

PA-500

• 250 Mbps FW/100 Mbps threat prevention/50,000 sessions

• 8 copper gigabit

PA-5050

• 10 Gbps FW/5 Gbps threat prevention/2,000,000 sessions

• 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit

PA-5020

• 5 Gbps FW/2 Gbps threat prevention/1,000,000 sessions

• 8 SFP, 12 copper gigabit

PA-5060

• 20 Gbps FW/10 Gbps threat prevention/4,000,000 sessions

• 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit


Introducing GlobalProtect


• Users never go “off-network” regardless of location

• All firewalls work together to provide “cloud” of network security

• How it works:

- Small agent determines network location (on or off the enterprise network)

- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN

- Agent submits host information profile (patch level, asset type, disk encryption, and more) to the gateway

- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile


A Modern Architecture for Enterprise Network Security

• Establishes a logical perimeter that is not bound to physical limitations

• Users receive the same depth and quality of protection both inside and out

• Security work performed by purpose-built firewalls, not end-user laptops

• Unified visibility, compliance and reporting

[Diagram labels: malware, botnets, exploits]


Redefine Network Security – and Save Money!


Cut by as much as 80%

Cut by as much as 65%

• Capital cost – replace multiple devices

- Legacy firewall, IPS, URL filtering device (e.g. proxy, secure web gateway…)

• “Hard” operational expenses

- Support contracts

- Subscriptions

- Power and HVAC

• Save on “soft” costs too

- Rack space, deployment/integration, headcount, training, help desk calls


Flexible Deployment Options

Visibility

• Application, user and content visibility without inline deployment

Transparent In-Line

• IPS with app visibility & control

• Consolidation of IPS & URL filtering

Firewall Replacement

• Firewall replacement with app visibility & control

• Firewall + IPS

• Firewall + IPS + URL filtering


Enables Visibility Into Applications, Users, and Content


A few simple guidelines…

• Never use ‘PAN’ in slides, always use Palo Alto Networks.

• The easiest way to avoid typing that all the time is by using an automatic text expansion tool, such as:

- Typinator for Mac OS (€19.99) http://www.ergonis.com/products/typinator/

- Texter for Windows (free) http://lifehacker.com/software/texter/lifehacker-code-texter-windows-238306.php

• Our corporate colors in PowerPoint are:


Green Blue