Next-Generation Firewall
Palo Alto Networks
Page 2 |
Applications Have Changed, firewalls have not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
Need to Restore Visibility and Control in the Firewall
[Figure: application categories shown on the slide: Collaboration / Media, SaaS, Personal]
• BUT… Applications Have Changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Page 3 |
Stateful Inspection Classification
The Common Foundation of Nearly All Firewalls
• Stateful Inspection classifies traffic by looking only at the IP and transport headers (the 5-tuple):
- source IP
- source port
- destination IP
- destination port
- protocol
• An internal table maps well-known ports to protocols, so the port is assumed to be the application:
- HTTP = TCP port 80
- SMTP = TCP port 25
- SSL = TCP port 443
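As an added illustration (not code from the slide deck or from Palo Alto Networks), the Python below contrasts the two classification styles the slides describe: a stateful-inspection port table keyed on the 5-tuple, and a deliberately small payload-based identifier standing in for what an App-ID style engine does. It also makes the earlier "Ports ≠ Applications" point concrete: the same flow gets a different verdict depending on whether the port or the first client bytes are consulted. The port table, sample flows, addresses and payloads are all constructed; the matchers are not the vendor's signatures.

```python
"""Port-based (stateful inspection) versus payload-based application classification.

Added illustration; not Palo Alto Networks code. The port table and sample flows
are constructed, and the payload matchers are a small stand-in for a real
application-identification engine.
"""
from dataclasses import dataclass

# Constructed port table in the style of the slide: (protocol, port) -> assumed application.
PORT_TABLE = {
    ("tcp", 80): "HTTP",
    ("tcp", 25): "SMTP",
    ("tcp", 443): "SSL",
    ("tcp", 22): "SSH",
}


@dataclass(frozen=True)
class Flow:
    """The 5-tuple a stateful firewall keys on, plus the first client bytes of the flow."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    payload: bytes


def classify_by_port(flow: Flow) -> str:
    """Stateful-inspection style: consult only the 5-tuple and the port table."""
    return PORT_TABLE.get((flow.protocol, flow.dst_port), "unknown")


def classify_by_payload(flow: Flow) -> str:
    """App-ID style (simplified): decide from what the client actually sends."""
    p = flow.payload
    if p.startswith(b"SSH-"):  # SSH identification string (RFC 4253)
        return "SSH"
    if p[:1] == b"\x16" and p[1:2] == b"\x03":  # TLS record header: handshake, major version 3
        return "SSL"
    if any(p.startswith(m + b" ") for m in (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT")):
        return "HTTP"
    if p.startswith(b"EHLO ") or p.startswith(b"HELO "):
        return "SMTP"
    return "unknown"


def classify(flow: Flow) -> tuple:
    """Return (port-based verdict, payload-based verdict, whether they agree)."""
    by_port = classify_by_port(flow)
    by_payload = classify_by_payload(flow)
    return by_port, by_payload, by_port == by_payload


# Constructed sample flows (addresses, ports and payloads are made up).
SAMPLE_FLOWS = {
    "http_on_80": Flow("10.0.0.5", 51000, "192.0.2.10", 80, "tcp",
                       b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    "ssh_on_443": Flow("10.0.0.5", 51001, "192.0.2.11", 443, "tcp",
                       b"SSH-2.0-constructed\r\n"),
    "http_on_8080": Flow("10.0.0.5", 51002, "192.0.2.12", 8080, "tcp",
                         b"POST /api HTTP/1.1\r\n"),
    "tls_on_443": Flow("10.0.0.5", 51003, "192.0.2.13", 443, "tcp",
                       b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
}


def mismatches(flows=SAMPLE_FLOWS) -> dict:
    """Flows where the port table and the payload disagree, mapped to both verdicts."""
    out = {}
    for name, flow in flows.items():
        by_port, by_payload, agree = classify(flow)
        if not agree:
            out[name] = (by_port, by_payload)
    return out


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:13s} port-table={classify_by_port(flow):8s} payload={classify_by_payload(flow)}")
```

The two flows that disagree are the interesting ones for policy: a port-based rule that "allows SSL on 443" would also admit the SSH session, and a rule that "allows HTTP" keyed on port 80 would never see the web traffic on 8080.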
Page 4 |
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility
App-ID Identifies and controls 900+ applications
Integrated Rather Than Co-Located IPS
Content-ID includes full IPS, without compromising performance
Extra-Firewall Intelligence to Identify Users
User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities
Packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
Support “bump in the wire” Deployments
Multiple options for transparent deployment behind existing firewalls
In “Defining the Next-Generation Firewall,”
Gartner describes what Palo Alto Networks already delivers
Page 5 |
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access / functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation
Palo Alto Networks “Fixes the Firewall”
Page 6 |
Identification Technologies Help Manage Risk
App-ID: Identify the application
User-ID: Identify the user
Content-ID: Scan the content
Page 7 |
App-ID: Comprehensive Application Visibility
• Policy-based control over about 900 applications distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5 new applications added weekly
Page 8 |
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure
• Understand users' application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
User-ID
Page 9 |
Making Content-Scanning Network-Ready
• Stream-based, not file-based, for real-time performance
- Dynamic reassembly
• Uniform signature engine scans for broad range of threats in single pass
• Threat detection covers vulnerability exploits (IPS), virus, and spyware (both downloads and phone-home)
[Figure: timeline comparison. File-based scanning: buffer file, then scan file, then deliver content. Stream-based scanning: ID content, scan content and deliver content overlap as the stream arrives.]
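The difference the figure draws between buffering a whole file and scanning the stream as it arrives is easy to get wrong in one specific way: a signature that straddles two packets is missed if each packet is scanned on its own. The Python below, added here and not taken from the slides or from Palo Alto Networks, models both approaches and the naive per-packet variant. The signatures and the sample stream are constructed test strings, not real threat signatures; the carry-over of (longest signature minus one) bytes is the standard way to make chunked scanning equivalent to scanning the buffered file.

```python
"""Stream-based versus file-based signature scanning.

Added illustration; not Palo Alto Networks code. The signatures and the sample
stream are constructed test patterns. The scanner is a minimal model of the idea
on the slide: scan as bytes arrive, keeping only a small carry-over so a pattern
split across two packets is still found, instead of buffering the whole file.
"""

# Constructed signatures (harmless test strings, not real threat signatures).
SIGNATURES = {
    "SIG-1": b"X-CONSTRUCTED-TEST-PATTERN-1",
    "SIG-2": b"X-CONSTRUCTED-TEST-PATTERN-2",
}


def scan_file_based(data: bytes, signatures=SIGNATURES):
    """Buffer the whole object, then scan it once. Returns (hits, bytes buffered)."""
    hits = []
    for name, pat in signatures.items():
        start = 0
        while (i := data.find(pat, start)) >= 0:
            hits.append((name, i))
            start = i + 1
    return sorted(hits, key=lambda h: h[1]), len(data)


class StreamScanner:
    """Scan a byte stream chunk by chunk.

    Keeps the last (longest signature - 1) bytes of the previous chunk so that a
    signature straddling a chunk boundary is still matched. With carry=False it
    degrades to naive per-packet scanning, which misses such signatures.
    """

    def __init__(self, signatures=SIGNATURES, carry=True):
        self.signatures = signatures
        self.carry_len = max(len(p) for p in signatures.values()) - 1 if carry else 0
        self.tail = b""        # carried-over bytes from the previous chunk
        self.offset = 0        # absolute stream offset of self.tail[0]
        self.hits = []         # (signature name, absolute offset)
        self.peak_buffer = 0   # most bytes held in memory at once

    def feed(self, chunk: bytes):
        window = self.tail + chunk
        self.peak_buffer = max(self.peak_buffer, len(window))
        for name, pat in self.signatures.items():
            start = 0
            while (i := window.find(pat, start)) >= 0:
                hit = (name, self.offset + i)
                if hit not in self.hits:  # a match lying wholly in the carried tail was already reported
                    self.hits.append(hit)
                start = i + 1
        keep = min(self.carry_len, len(window))
        self.offset += len(window) - keep
        self.tail = window[len(window) - keep:]
        return self.hits


def scan_stream_based(chunks, signatures=SIGNATURES, carry=True):
    """Feed chunks in order. Returns (hits sorted by offset, peak bytes buffered)."""
    scanner = StreamScanner(signatures, carry)
    for chunk in chunks:
        scanner.feed(chunk)
    return sorted(scanner.hits, key=lambda h: h[1]), scanner.peak_buffer


# Constructed stream: both patterns are longer than a 16-byte packet, so every
# occurrence is split across at least two packets.
SAMPLE_STREAM = b"A" * 50 + SIGNATURES["SIG-1"] + b"B" * 30 + SIGNATURES["SIG-2"] + b"C" * 40
PACKETS = [SAMPLE_STREAM[i:i + 16] for i in range(0, len(SAMPLE_STREAM), 16)]


def compare():
    """Compare the three approaches on the sample stream."""
    file_hits, file_buf = scan_file_based(SAMPLE_STREAM)
    stream_hits, stream_buf = scan_stream_based(PACKETS)
    naive_hits, _ = scan_stream_based(PACKETS, carry=False)
    return {"file": (file_hits, file_buf), "stream": (stream_hits, stream_buf), "naive": naive_hits}


if __name__ == "__main__":
    for approach, result in compare().items():
        print(approach, result)
```

The file-based and stream-based scans report the same hits at the same offsets, while the stream scanner never holds more than one packet plus the carry-over in memory; the naive scanner, which is what "per-packet inspection" amounts to, reports nothing at all.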
Page 10 |
A better approach
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Single processes for:
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, DLP, etc.
• One policy
Parallel Processing
• Function-specific hardware engines
• Multi-core security processing
• Separate data/control planes
Up to 10Gbps, Low Latency
Page 11 |
PAN-OS Core Features
• Strong networking foundation:
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN
- Tap mode – connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping:
- Max, guaranteed and priority
- By user, app, interface, zone, and more
• High Availability:
- Active / passive
- Configuration and session synchronization
- Path, link, and HA monitoring
• Virtualization:
- All interfaces (physical or logical) assigned to security zones
- Establish multiple virtual systems to fully virtualize the device (PA-4000 & PA-2000 only)
• Intuitive and flexible management:
- CLI, Web, Panorama, SNMP, Syslog
Page 12 |
Palo Alto Networks Next-Gen Firewalls
PA-4050
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
PA-4020
• 2 Gbps FW
• 2 Gbps threat prevention
• 500,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
PA-4060
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 4 XFP (10 Gig) I/O
• 4 SFP (1 Gig) I/O
PA-2050
• 1 Gbps FW
• 500 Mbps threat prevention
• 250,000 sessions
• 16 copper gigabit
• 4 SFP interfaces
PA-2020
• 500 Mbps FW
• 200 Mbps threat prevention
• 125,000 sessions
• 12 copper gigabit
• 2 SFP interfaces
PA-500
• 250 Mbps FW
• 100 Mbps threat prevention
• 50,000 sessions
• 8 copper gigabit
Page 13 |
Purpose-Built Architecture: PA-4000 Series
Flash Matching HW Engine
• Palo Alto Networks’ uniform signatures
• Multiple memory banks – memory bandwidth scales performance
Multi-Core Security Processor
• High density processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
Dedicated Control Plane
• Highly available mgmt
• High speed logging and route updates
10 Gig Network Processor
• Front-end network processing offloads security processors
• Hardware accelerated QoS, route lookup, MAC lookup and NAT
[Figure: PA-4000 block diagram. Control Plane: dual-core CPU, RAM, HDD. Data Plane: Flash Matching Engine with multiple RAM banks; multi-core security processor (CPU1 … CPU16) with SSL, IPSec and decompression offload; 10 Gig Network Processor with RAM handling QoS, route/ARP/MAC lookup and NAT; 10Gbps links in and out.]
Page 14 |
Flexible Deployment Options
Application Visibility
• Connect to span port
• Provides application visibility without inline deployment
Transparent In-Line
• Deploy transparently behind existing firewall
• Provides application visibility & control without networking changes
Firewall Replacement
• Replace existing firewall
• Provides application and network-based visibility and control, consolidated policy, high performance
Page 15 |
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
• Panorama central management application
- Consolidated management, logging, and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACC/monitoring views, log collection, and reporting
• All interfaces work on current configuration, avoiding sync issues
Requirements for Data Center Firewalls
• Threat Prevention
- Protect against external attacks – including those routed through internal “secure” clients
• Data Leakage Prevention
- Protect confidential and unauthorized content from leaving the network
• Access Control
- Control access – by user or groups of users – to specific applications and content
• Performance
- Minimize latency and maximize throughput to ensure business performance is not compromised
© 2009 Palo Alto Networks. Proprietary and Confidential.
Page 16 |
Palo Alto Networks Exceeds Requirements
• Content-ID
- Threat Prevention: stops external attacks with high speed threat prevention engine; decrypts SSL sessions to identify and stop threats via clients
- Data Leakage Prevention: scans traffic to stop transfer of unauthorized data or file types
• User-ID and App-ID
- Access Control: policies to create security zones within the data center; create data center segments to isolate specific users and applications
• SP3 Architecture
- Single pass, minimized latency, maximum throughput up to 10Gbps
Page 17 |
Data Centre Security Zones
• Security zones can first be applied to isolate the DC as a means of protecting the data. Once the network has been divided into distinct zones, positive control model security policies can be applied that control, at a very granular level, which applications, users and content are allowed in and out of the DC security zone.
• Uniform signature format: Rather than use a separate set of scanning engines and signatures for each type of threat, Palo Alto Networks uses a uniform threat engine and signature format to detect and block a wide range of malware while dramatically reducing latency.
Page 18 |
Page 19 |
Isolating the Data with Security Zones
Zones isolate client data – irrespective of networking environment
Security policies dictate access control, threat prevention and content scanning
Logging and reporting against zone simplifies forensics and monitoring
[Figure: a flat network in which Users, Client Servers, Development Servers and Infrastructure Servers are all mutually reachable, beside the same network with the Client Servers placed in a Client Server Zone.]
Flat network – no security zones
All users can access all resources
Difficult to protect proprietary data
Forensics becomes equally difficult
• Security zones: logical container for physical interfaces, VLANs, IP addresses or a combination thereof
Page 20 |
Granular Access Control Policies
• Example:
- Only authorized SAP users can access SAP
- Inbound and outbound traffic scanned for threats and sensitive data
- Limited traffic in the zone helps minimize latency, maximize throughput
- Secure IT access for logging, reporting, forensics
[Figure: Client Server Zone (Oracle) separated by the Palo Alto Networks firewall from Users, Development Servers, Infrastructure Servers, the IT Dept (IT Tools) and the WAN and Internet.]
• Control access based on application (App-ID) and users (User-ID)
Page 21 |
Block Threats, Monitor Data Transfer
• Block inbound threats that target Oracle, monitor outbound traffic for data patterns (Content-ID)
• Example:
- Add threat prevention policy element for Oracle (inbound)
- Monitor outbound traffic for proprietary data patterns
- Log for forensics and record keeping
[Figure: Brokers and other Users reach the Client Server Zone through the Palo Alto Networks firewall; Development Servers, Infrastructure Servers and the WAN and Internet sit outside the zone.]
Page 22 |
Logging and Reporting
• Forensics and activity monitoring through context-aware and expression-based log filtering
- Export to Excel or syslog for archive and analysis
• Pre-defined and custom reporting
- Create zone-specific reports, scheduled to be emailed to key personnel
Page 23 |
Policy Example
Rule 1
• Limit access to client data to only brokers in Active Directory
• Only allow Oracle
• Block threats, watch for client data transfer
Rule 2
• Only allow IT to use specific tools to access client data
Rule 3
• Deny and log all else
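The three-rule policy above, together with the access-control example on the earlier slide, is easiest to reason about as a first-match rule list evaluated against a session's source zone, destination zone, directory group (the User-ID result) and application (the App-ID result). The Python below is an added illustration, not PAN-OS code or Palo Alto Networks' policy format; the zone names, the user-to-group mapping, the App-ID names (including the hypothetical "it-mgmt-tool") and the rule names are constructed stand-ins for the example. It also shows why Rule 3 matters: without an explicit deny-and-log rule, a non-matching session is still denied, but nothing is logged.

```python
"""Zone- and identity-based policy evaluation for the three-rule example.

Added illustration; not PAN-OS code. Zone names, the user-to-group mapping,
App-ID names and rule names are constructed stand-ins for the slide's example.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    user: str      # resolved by the User-ID mapping (DIRECTORY below stands in for it)
    app: str       # resolved by App-ID, e.g. "oracle"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    groups: frozenset                   # directory groups allowed; {ANY} = no user restriction
    apps: frozenset                     # App-IDs allowed; {ANY} = no application restriction
    action: str                         # "allow" or "deny"
    profiles: frozenset = frozenset()   # threat / data-filtering profiles applied on allow
    log: bool = True


# Constructed stand-in for the User-ID mapping: username -> directory groups.
DIRECTORY = {
    "alice": {"Brokers"},
    "bob": {"IT-Dept"},
    "carol": {"Developers"},
}

# The slide's three rules, evaluated top-down; first match wins.
POLICY = [
    # Rule 1: only brokers, only Oracle, with threat prevention and client-data filtering.
    Rule("rule1-brokers-oracle", frozenset({"users"}), frozenset({"client-server"}),
         frozenset({"Brokers"}), frozenset({"oracle"}), "allow",
         frozenset({"threat-prevention", "client-data-filtering"})),
    # Rule 2: IT may reach client data only with specific tools ("it-mgmt-tool" is hypothetical).
    Rule("rule2-it-tools", frozenset({"it-dept"}), frozenset({"client-server"}),
         frozenset({"IT-Dept"}), frozenset({"ssh", "it-mgmt-tool"}), "allow",
         frozenset({"threat-prevention"})),
    # Rule 3: deny and log everything else.
    Rule("rule3-deny-all", frozenset({ANY}), frozenset({ANY}),
         frozenset({ANY}), frozenset({ANY}), "deny"),
]


def _matches(allowed: frozenset, value: str) -> bool:
    return ANY in allowed or value in allowed


def _group_matches(allowed: frozenset, groups: set) -> bool:
    return ANY in allowed or bool(allowed & groups)


def evaluate(session: Session, policy=POLICY, directory=DIRECTORY) -> dict:
    """Return the verdict for a session: matched rule, action, profiles and log record."""
    groups = directory.get(session.user, set())   # unknown user -> no groups -> no group match
    for rule in policy:
        if not (_matches(rule.src_zones, session.src_zone)
                and _matches(rule.dst_zones, session.dst_zone)
                and _group_matches(rule.groups, groups)
                and _matches(rule.apps, session.app)):
            continue
        record = None
        if rule.log:
            record = {"user": session.user, "groups": sorted(groups), "app": session.app,
                      "from": session.src_zone, "to": session.dst_zone,
                      "rule": rule.name, "action": rule.action}
        return {"rule": rule.name, "action": rule.action,
                "profiles": set(rule.profiles), "log": record}
    # Nothing matched: the session is denied, but without an explicit catch-all
    # rule there is no log record, which is what Rule 3 on the slide prevents.
    return {"rule": "implicit-deny", "action": "deny", "profiles": set(), "log": None}


if __name__ == "__main__":
    for s in (Session("users", "client-server", "alice", "oracle"),
              Session("users", "client-server", "alice", "ssh"),
              Session("it-dept", "client-server", "bob", "ssh"),
              Session("users", "client-server", "carol", "oracle")):
        print(s.user, s.app, "->", evaluate(s)["rule"], evaluate(s)["action"])
```

Note that alice, who is a broker, is still denied when she uses SSH rather than Oracle, and that a developer using Oracle is denied by Rule 3 with a log record, whereas the same session against a policy that stops after Rule 2 is denied silently.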
Page 24 |
Limitations of Existing Technology
• Legacy firewalls are ineffective at policy-based segmentation
- Unable to identify applications – only ports and protocols
- Cannot see user identity from AD – only IP addresses
- May require secondary platform to inspect content
- Cumbersome management and difficult log correlation
• Firewall “helpers” are no help
- Don’t enforce policy
- Are not designed to segment
- Cannot understand all applications, slow, cumbersome to manage
- Unable to tie applications to users
- Impossible to produce reports needed for audit purposes
Page 25 |
Protecting Proprietary Data
• Flexible, zone-based architecture facilitates data isolation in any networking environment
• Policy control over cardholder data access
- Allow/deny access based on specific application
- Inspect traffic bi-directionally for threats and data transfer
- Tie access rules to user identity from Active Directory
• Powerful logging and reporting for archival and forensics purposes
• Up to 10 Gbps throughput and up to 24 ports eliminates bottlenecks