Next-Generation Firewall Palo Alto Networks



Applications Have Changed, firewalls have not

• The gateway at the trust border is the right place to enforce policy control

- Sees all traffic

- Defines trust boundary

Need to Restore Visibility and Control in the Firewall

[Figure: application categories: Collaboration / Media, SaaS, Personal]

• BUT… Applications Have Changed

- Ports ≠ Applications

- IP Addresses ≠ Users

- Packets ≠ Content


Stateful Inspection Classification: The Common Foundation of Nearly All Firewalls

• Stateful Inspection classifies traffic by looking at the IP header

- source IP

- source port

- destination IP

- destination port

- protocol

• Internal table creates mapping to well-known protocols/ports

- HTTP = TCP port 80

- SMTP = TCP port 25

- SSL = TCP port 443
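An added example (not from the deck) of the gap the slide's "Ports ≠ Applications" point describes: the same constructed flows are classified once by the slide's port table and once by their first payload bytes. The four protocol fingerprints and the sample flows are assumptions for illustration only.

```python
from dataclasses import dataclass

# The slide's internal table: well-known ports mapped to protocols.
PORT_TABLE = {80: "HTTP", 25: "SMTP", 443: "SSL"}

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str   # "TCP" or "UDP"
    payload: bytes  # first client-to-server bytes of the session

def classify_by_port(flow: Flow) -> str:
    """Stateful-inspection view: only the 5-tuple is consulted."""
    if flow.protocol != "TCP":
        return "unknown"
    return PORT_TABLE.get(flow.dst_port, "unknown")

def classify_by_payload(flow: Flow) -> str:
    """Application-aware view: decode the first payload bytes, ignore the port (four simplified fingerprints, an assumption)."""
    p = flow.payload
    if p.startswith(b"SSH-"):
        return "SSH"
    if p[:1] == b"\x16" and p[1:2] == b"\x03":   # TLS handshake record, major version 3
        return "SSL"
    if p.startswith((b"EHLO ", b"HELO ")):
        return "SMTP"
    if p.split(b"\r\n", 1)[0].endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "HTTP"
    return "unknown"

def mismatches(flows):
    """Flows where the port table and the payload disagree: a port-based policy would treat these as the wrong application."""
    out = []
    for f in flows:
        by_port, by_payload = classify_by_port(f), classify_by_payload(f)
        if by_port != by_payload:
            out.append((f, by_port, by_payload))
    return out

# Constructed sample flows (RFC 5737 documentation addresses, made-up payloads).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 51000, "203.0.113.10", 80, "TCP", b"GET /index.html HTTP/1.1\r\nHost: a\r\n"),
    Flow("10.0.0.5", 51001, "203.0.113.20", 443, "TCP", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.0.0.7", 51002, "198.51.100.9", 443, "TCP", b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.0.0.8", 51003, "198.51.100.3", 8080, "TCP", b"POST /upload HTTP/1.1\r\n"),
]
```

The third and fourth flows are the ones a port table gets wrong: a non-SSL session on 443 is labelled "SSL", and HTTP on an unlisted port is "unknown".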


Palo Alto Networks Exceeds NGFW Requirements

Application Awareness and Full Stack Visibility

App-ID Identifies and controls 900+ applications

Integrated Rather Than Co-Located IPS

Content-ID includes full IPS, without compromising performance

Extra-Firewall Intelligence to Identify Users

User-ID brings AD users and groups into firewall policy

Standard First-Generation Firewall Capabilities

Packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.

Support “bump in the wire” Deployments

Multiple options for transparent deployment behind existing firewalls

In “Defining the Next-Generation Firewall,” Gartner describes what Palo Alto Networks already delivers


New Requirements for the Firewall

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify users regardless of IP address

3. Granular visibility and policy control over application access / functionality

4. Protect in real-time against threats embedded across applications

5. Multi-gigabit, in-line deployment with no performance degradation

Palo Alto Networks “Fixes the Firewall”


Identification Technologies Help Manage Risk

App-ID: Identify the application

User-ID: Identify the user

Content-ID: Scan the content


App-ID: Comprehensive Application Visibility

• Policy-based control over about 900 applications distributed across five categories and 25 sub-categories

• Balanced mix of business, internet and networking applications and networking protocols

• ~5 new applications added weekly


User-ID: Enterprise Directory Integration

• Users no longer defined solely by IP address

- Leverage existing Active Directory infrastructure

• Understand users’ application and threat behavior based on actual AD username, not just IP

• Manage and enforce policy based on user and/or AD group

• Investigate security incidents, generate custom reports


Making Content-Scanning Network-Ready

• Stream-based, not file-based, for real-time performance

- Dynamic reassembly

• Uniform signature engine scans for broad range of threats in single pass

• Threat detection covers vulnerability exploits (IPS), virus, and spyware (both downloads and phone-home)

[Figure: File-based scanning (Buffer File → Scan File → Deliver Content) versus Stream-based scanning (ID Content → Scan Content → Deliver Content), both plotted against time]
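An added illustration (not Palo Alto Networks’ code) of the stream-based scanning contrasted in the figure: each segment is scanned as it arrives, with a short overlap carried between segments so a signature split across two of them is still matched, against a file-based scanner that cannot decide anything until the whole object is buffered. The signatures and segments are constructed test data.

```python
SIGNATURES = {
    b"BAD-PATTERN-ONE": "sample.threat.1",     # constructed, not a real signature
    b"PHONE-HOME/beacon": "sample.spyware.1",  # constructed, not a real signature
}

class StreamScanner:
    """Scans each segment on arrival; keeps the last (max signature length - 1)
    bytes so a signature straddling two segments is matched exactly once."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.overlap = max(len(s) for s in signatures) - 1
        self.tail = b""   # trailing bytes of the previous segment
        self.seen = 0     # stream bytes consumed so far

    def feed(self, chunk: bytes):
        """Return (stream_offset, name) for every signature completed by this chunk."""
        window = self.tail + chunk
        hits = []
        for sig, name in self.signatures.items():
            i = window.find(sig)
            while i != -1:
                if i + len(sig) > len(self.tail):   # ends in new data, so not reported before
                    hits.append((self.seen - len(self.tail) + i, name))
                i = window.find(sig, i + 1)
        self.seen += len(chunk)
        self.tail = window[-self.overlap:] if self.overlap else b""
        return hits

def scan_stream(chunks):
    """Stream-based: a verdict per segment, so delivery can stop at the segment
    that completes a signature. Returns [(chunk_index, stream_offset, name), ...]."""
    scanner, found = StreamScanner(SIGNATURES), []
    for idx, chunk in enumerate(chunks):
        found += [(idx, off, name) for off, name in scanner.feed(chunk)]
    return found

def scan_file(chunks):
    """File-based: buffer the whole object, then scan. The verdict is only
    available after the last chunk, however early the signature appeared."""
    data = b"".join(chunks)
    found = [(len(chunks) - 1, data.find(sig), name) for sig, name in SIGNATURES.items() if sig in data]
    return sorted(found, key=lambda h: h[1])

# Constructed segments of one download; the first signature straddles chunks 0 and 1.
CHUNKS = [b"hello world BAD-PAT", b"TERN-ONE more data", b"clean segment", b"x PHONE-HOME/beacon end"]
```

Run on CHUNKS, the stream scanner reports the first signature at chunk 1 while the file scanner can only report it after chunk 3.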


A better approach: Single-Pass Parallel Processing (SP3) Architecture

Single Pass

• Single processes for:

- Traffic classification (app identification)

- User/group mapping

- Content scanning – threats, URLs, DLP, etc.

• One policy

Parallel Processing

• Function-specific hardware engines

• Multi-core security processing

• Separate data/control planes

Up to 10Gbps, Low Latency


PAN-OS Core Features

• Strong networking foundation:

- Dynamic routing (OSPF, RIPv2)

- Site-to-site IPSec VPN

- SSL VPN

- Tap mode – connect to SPAN port

- Virtual wire (“Layer 1”) for true transparent in-line deployment

- L2/L3 switching foundation

• QoS traffic shaping:

- Max, guaranteed and priority

- By user, app, interface, zone, and more

• High Availability:

- Active / passive

- Configuration and session synchronization

- Path, link, and HA monitoring

• Virtualization:

- All interfaces (physical or logical) assigned to security zones

- Establish multiple virtual systems to fully virtualize the device (PA-4000 & PA-2000 only)

• Intuitive and flexible management:

- CLI, Web, Panorama, SNMP, Syslog


Palo Alto Networks Next-Gen Firewalls

Model   | Firewall | Threat prevention | Sessions  | Interfaces
PA-4050 | 10 Gbps  | 5 Gbps            | 2,000,000 | 16 copper gigabit, 8 SFP
PA-4020 | 2 Gbps   | 2 Gbps            | 500,000   | 16 copper gigabit, 8 SFP
PA-4060 | 10 Gbps  | 5 Gbps            | 2,000,000 | 4 XFP (10 Gig) I/O, 4 SFP (1 Gig) I/O
PA-2050 | 1 Gbps   | 500 Mbps          | 250,000   | 16 copper gigabit, 4 SFP
PA-2020 | 500 Mbps | 200 Mbps          | 125,000   | 12 copper gigabit, 2 SFP
PA-500  | 250 Mbps | 100 Mbps          | 50,000    | 8 copper gigabit


Purpose-Built Architecture: PA-4000 Series

Flash Matching HW Engine

• Palo Alto Networks’ uniform signatures

• Multiple memory banks – memory bandwidth scales performance

Multi-Core Security Processor

• High density processing for flexible security functionality

• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)

Dedicated Control Plane

• Highly available mgmt

• High speed logging and route updates

10 Gig Network Processor

• Front-end network processing offloads security processors

• Hardware accelerated QoS, route lookup, MAC lookup and NAT

[Figure: PA-4000 block diagram. Control Plane: dual-core CPU, RAM, HDD. Data Plane, 10Gbps in and out: Flash Matching Engine with four RAM banks; multi-core security processor CPU1, CPU2 … CPU16 with RAM (SSL, IPSec, de-compression); 10 Gig network processor with RAM and CPU (QoS; route, ARP, MAC lookup; NAT)]


Flexible Deployment Options

Application Visibility

• Connect to span port

• Provides application visibility without inline deployment

Transparent In-Line

• Deploy transparently behind existing firewall

• Provides application visibility & control without networking changes

Firewall Replacement

• Replace existing firewall

• Provides application and network-based visibility and control, consolidated policy, high performance


Enterprise Device and Policy Management

• Intuitive and flexible management

- CLI, Web, Panorama, SNMP, Syslog

• Panorama central management application

- Consolidated management, logging, and monitoring of Palo Alto Networks devices

- Consistent web interface between Panorama and device UI

- Network-wide ACC/monitoring views, log collection, and reporting

• All interfaces work on current configuration, avoiding sync issues


Requirements for Data Center Firewalls

• Threat Prevention: Protect against external attacks – including those routed through internal “secure” clients

• Data Leakage Prevention: Protect confidential and unauthorized content from leaving the network

• Access Control: Control access – by user or groups of users – to specific applications and content

• Performance: Minimize latency and maximize throughput to ensure business performance is not compromised

© 2009 Palo Alto Networks. Proprietary and Confidential.


Palo Alto Networks Exceeds Requirements

• Content-ID

- Threat Prevention: Stops external attacks with high speed threat prevention engine; decrypts SSL sessions to identify and stop threats via clients

- Data Leakage Prevention: Scans traffic to stop transfer of unauthorized data or file types

• User-ID and App-ID

- Access Control: Policies to create security zones within the data center; create data center segments to isolate specific users and applications

• SP3 Architecture

- Single pass, minimized latency, maximum throughput up to 10Gbps


Data Centre Security Zones

• Security zones can first be applied to isolate the DC as a means of protecting the data. Once the network has been divided into distinct zones, positive control model security policies can be applied that control, at a very granular level, which applications, users and content are allowed in and out of the DC security zone.

• Uniform signature format: Rather than use a separate set of scanning engines and signatures for each type of threat, Palo Alto Networks uses a uniform threat engine and signature format to detect and block a wide range of malware while dramatically reducing latency.


Isolating the Data with Security Zones

Zones isolate client data – irrespective of networking environment

Security policies dictate access control, threat prevention and content scanning

Logging and reporting against zone simplifies forensics and monitoring

[Figure: a flat network (Client Servers, Development Servers, Infrastructure Servers, Users) beside the same network with a Client Server Zone separating the client servers from Users, Development Servers and Infrastructure Servers]

Flat network – no security zones

All users can access all resources

Difficult to protect proprietary data

Forensics becomes equally difficult

• Security zones: logical container for physical interfaces, VLANs, IP addresses or a combination thereof


Granular Access Control Policies

• Control access based on application (App-ID) and users (User-ID)

• Example:

- Only authorized SAP users can access SAP

- Inbound and outbound traffic scanned for threats and sensitive data

- Limited traffic in the zone helps minimize latency, maximize throughput

- Secure IT access for logging, reporting, forensics

[Figure: Client Server Zone (Oracle) behind the Palo Alto Networks firewall; Users, Development Servers, Infrastructure Servers, IT Dept with IT Tools, and WAN and Internet outside the zone]


Block Threats, Monitor Data Transfer

• Block inbound threats that target Oracle, monitor outbound traffic for data patterns (Content-ID)

• Example:

- Add threat prevention policy element for Oracle (inbound)

- Monitor outbound traffic for proprietary data patterns

- Log for forensics and record keeping

[Figure: Client Server Zone behind the Palo Alto Networks firewall; Users, Brokers, Development Servers, Infrastructure Servers, and WAN and Internet outside the zone]


Logging and Reporting

• Forensics and activity monitoring through context-aware and expression-based log filtering

- Export to Excel or syslog for archive and analysis

• Pre-defined and custom reporting

- Create zone-specific reports, scheduled to be emailed to key personnel


Policy Example

Rule 1

• Limit access to client data to only brokers in Active Directory

• Only allow Oracle

• Block threats, watch for client data transfer

Rule 2

• Only allow IT to use specific tools to access client data

Rule 3

• Deny and log all else
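The three rules above expressed as an ordered, first-match policy over User-ID group, App-ID application and destination zone, as an added example (not the product’s configuration syntax or code). The zone, group and “IT tools” application names are placeholders assumed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Session:
    user: str          # AD username from User-ID
    groups: frozenset  # AD group membership from User-ID
    app: str           # application name from App-ID
    from_zone: str
    to_zone: str

@dataclass(frozen=True)
class Rule:
    name: str
    to_zone: Optional[str]          # None = any zone
    groups: Optional[frozenset]     # None = any user
    apps: Optional[frozenset]       # None = any application
    action: str                     # "allow" or "deny"
    profiles: Tuple[str, ...] = ()  # Content-ID profiles applied on allow

    def matches(self, s: Session) -> bool:
        return ((self.to_zone is None or s.to_zone == self.to_zone)
                and (self.groups is None or bool(s.groups & self.groups))
                and (self.apps is None or s.app in self.apps))

# Placeholder zone, group and application names (assumed, not from the deck).
CLIENT_ZONE = "client-server-zone"
POLICY = [
    Rule("rule1-brokers-oracle", CLIENT_ZONE, frozenset({"brokers"}),
         frozenset({"oracle"}), "allow", ("threat-prevention", "data-filtering")),
    Rule("rule2-it-tools", CLIENT_ZONE, frozenset({"it-dept"}),
         frozenset({"ssh", "ms-rdp"}), "allow", ("threat-prevention",)),
    Rule("rule3-deny-all", None, None, None, "deny"),
]

def evaluate(session: Session, policy=POLICY):
    """First-match evaluation. Returns (rule name, action, profiles, log line);
    every decision produces a log line, as rule 3 requires for denies too."""
    for rule in policy:
        if rule.matches(session):
            log = (f"{rule.action} rule={rule.name} user={session.user} app={session.app} "
                   f"{session.from_zone}->{session.to_zone} profiles={','.join(rule.profiles) or '-'}")
            return rule.name, rule.action, rule.profiles, log
    raise AssertionError("policy must end with a catch-all rule")
```

An IT user reaching for Oracle, or a broker using an IT tool, falls through both allow rules to the logged deny, which is the least-privilege outcome the three rules are meant to produce.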


Limitations of Existing Technology

• Legacy firewalls are ineffective at policy-based segmentation

- Unable to identify applications – only ports and protocols

- Cannot see user identity from AD – only IP addresses

- May require secondary platform to inspect content

- Cumbersome management and difficult log correlation

• Firewall “helpers” are no help

- Don’t enforce policy

- Are not designed to segment

- Cannot understand all applications, slow, cumbersome to manage

- Unable to tie applications to users

- Impossible to produce reports needed for audit purposes


Protecting Proprietary Data

• Flexible, zone-based architecture facilitates data isolation in any networking environment

• Policy control over cardholder data access

- Allow/deny access based on specific application

- Inspect traffic bi-directionally for threats and data transfer

- Tie access rules to user identity from Active Directory

• Powerful logging and reporting for archival and forensics purposes

• Up to 10 Gbps throughput and up to 24 ports eliminates bottlenecks