Palo Alto Networks Product Overview Kilian Zantop 28 May 2013 Belsoft Best Practice - Next Generation Firewalls


Description: Presentation given on the occasion of the Belsoft Best Practice - Next Generation Firewalls event


Page 1: Palo Alto Networks 28.5.2013

Palo Alto Networks Product Overview

Kilian Zantop

28 May 2013

Belsoft Best Practice - Next Generation Firewalls

Page 2: Palo Alto Networks 28.5.2013

Palo Alto Networks at a Glance

Corporate highlights

Founded in 2005; first customer shipment in 2007

Safely enabling applications

Able to address all network security needs

Exceptional ability to support global customers

Experienced technology and management team

1,000+ employees globally

[Chart: Enterprise customers – 1,800 (Jul-10), 4,700 (Jul-11), 11,000 (Feb-13)]

[Chart: Revenue, $MM, FYE July – FY09 $13, FY10 $49, FY11 $119, FY12 $255]

3 | ©2013, Palo Alto Networks. Confidential and Proprietary.

Page 3: Palo Alto Networks 28.5.2013

Applications Have Changed, Firewalls Haven’t


Network security policy is enforced at the firewall

• Sees all traffic

• Defines boundary

• Enables access

Traditional firewalls don’t work any more

Page 4: Palo Alto Networks 28.5.2013

Encrypted Applications: Unseen by Firewalls

What happens when traffic is encrypted?

• SSL

• Proprietary encryption


Page 5: Palo Alto Networks 28.5.2013

Technology Sprawl and Creep Aren’t the Answer

Enterprise Network

• “More stuff” doesn’t solve the problem

• Firewall “helpers” have limited view of traffic

• Complex and costly to buy and maintain

• Doesn’t address application “accessibility” features


[Diagram: enterprise network connected to the Internet through a chain of bolted-on boxes: IM control, DLP, IPS, proxy, URL filtering, AV and UTM]

Page 6: Palo Alto Networks 28.5.2013

The Answer? Make the Firewall Do Its Job

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify and control users regardless of IP address, location, or device

3. Protect against known and unknown application-borne threats

4. Fine-grained visibility and policy control over application access / functionality

5. Multi-gigabit, low latency, in-line deployment

Page 7: Palo Alto Networks 28.5.2013

Application Control Belongs in the Firewall

Application Control as an Add-on

• Port-based decision first, apps second

• Applications treated as threats; only block what you expressly look for

Ramifications

• Two policies/log databases, no reconciliation

• Unable to effectively manage unknowns

Application Control in the Firewall

• Firewall determines application identity; across all ports, for all traffic, all the time

• All policy decisions made based on application

Ramifications

• Single policy/log database – all context is shared

• Policy decisions made based on shared context

• Unknowns systematically managed

[Diagram: add-on model – traffic enters the firewall (port policy decision), then an IPS makes the application control policy decision before reaching the applications; in-firewall model – the firewall makes the application control policy decision and scans the application for threats before traffic reaches the applications]

Page 8: Palo Alto Networks 28.5.2013

Enabling Applications, Users and Content


Page 9: Palo Alto Networks 28.5.2013

Making the Firewall a Business Enablement Tool

Applications: Enablement begins with application classification by App-ID.

Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.

Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.


Page 10: Palo Alto Networks 28.5.2013

Single Pass Platform Architecture


Page 11: Palo Alto Networks 28.5.2013

PAN-OS Core Firewall Features

Strong networking foundation

• Dynamic routing (BGP, OSPF, RIPv2)

• Tap mode – connect to SPAN port

• Virtual wire (“Layer 1”) for true transparent in-line deployment

• L2/L3 switching foundation

• Policy-based forwarding

VPN

• Site-to-site IPSec VPN

• Remote Access (SSL) VPN

QoS traffic shaping

• Max/guaranteed and priority

• By user, app, interface, zone, & more

• Real-time bandwidth monitor

Zone-based architecture

• All interfaces assigned to security zones for policy enforcement

High Availability

• Active/active, active/passive

• Configuration and session synchronization

• Path, link, and HA monitoring

Virtual Systems

• Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, PA-3000, and PA-2000 Series)

Simple, flexible management

• CLI, Web, Panorama, SNMP, Syslog

Visibility and control of applications, users and content complement core firewall features

PA-500

PA-200

PA-2000 Series: PA-2050, PA-2020

PA-3000 Series: PA-3050, PA-3020

PA-4000 Series: PA-4060, PA-4050, PA-4020

PA-5000 Series: PA-5060, PA-5050, PA-5020

VM-Series: VM-300, VM-200, VM-100

Page 12: Palo Alto Networks 28.5.2013

Panorama

Central management

Page 13: Palo Alto Networks 28.5.2013

Panorama Deployment Recommendations


Panorama VM: < 10 devices, < 10,000 logs/sec; sites with need for a virtual appliance

Panorama M-100: < 100 devices, < 10,000 logs/sec

Panorama Distributed Architecture: < 1,000 devices, > 10,000 logs/sec (50,000 per collector); deployments with need for collector proximity

Page 14: Palo Alto Networks 28.5.2013

Panorama Distributed Architecture

With the M-100, manager and log collector functions can be split

Deploy multiple log collectors to scale collection infrastructure


Page 15: Palo Alto Networks 28.5.2013

M-100 Hardware Appliance

Simple, high-performance, dedicated appliance for Panorama

Simplifies deployment and support

Introduces distributed log collection capability for large scale deployments

License migration path available for current Panorama customers


Specifications

• 1 RU form factor

• Intel Xeon 4 core 3.4 GHz CPU

• 16 GB memory

• 64bit Panorama kernel

• 120 GB SSD system disk

• Up to 4 TB of RAID1 storage for logs (ships with two 1TB drives)

Page 16: Palo Alto Networks 28.5.2013

Panorama Architecture – Configuration

Device Groups are used to share common Policies and Objects

Templates are used to share common Networking and Device configuration


Page 17: Palo Alto Networks 28.5.2013

WildFire

0-day Malware defense

Page 18: Palo Alto Networks 28.5.2013

The Lifecycle of Network Attacks - Rehearsal


1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content

2. Exploit: Infected content exploits the end-user, often without their knowledge

3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed

4. Establish Back-Channel: Malware establishes an outbound connection to the attacker for ongoing control

5. Explore & Steal: Remote attacker has control inside the network and escalates the attack

Page 19: Palo Alto Networks 28.5.2013

An Integrated Approach to Threat Prevention


[Diagram: attack stages Bait the end-user, Exploit, Download Backdoor and Command/Control, with the control each technology applies along the chain:

App-ID: Block high-risk apps; Block C2 on open ports

URL: Block known malware sites; Block fast-flux, bad domains

IPS: Block the exploit

Spyware: Block spyware, C2 traffic

AV: Block malware

Files: Prevent drive-by-downloads

WildFire: Detect 0-day malware; Block new C2 traffic]

Page 20: Palo Alto Networks 28.5.2013

Why Traditional Antivirus Protection Fails

Modern/Targeted malware is increasingly able to:

• Avoid hitting traditional AV honeypots

• Evolve before protection can be delivered, using polymorphism, re-encoding, and changing URLs

☣ Targeted and custom malware

☣ Polymorphic malware

☣ Newly released malware

Highly variable time to protection

Page 21: Palo Alto Networks 28.5.2013

WildFire Architecture

10Gbps threat prevention and file scanning on all traffic, all ports (web, email, SMB, etc.)

Malware is run in the cloud with open internet access to discover hidden behaviors

Sandbox logic updated routinely with no customer impact

Malware signatures automatically created based on payload data

Stream-based malware engine performs true inline enforcement


Page 22: Palo Alto Networks 28.5.2013

WildFire Subscription Service

WildFire signatures every 30 minutes

Integrated logging & reporting

REST API for scripted file uploads


Page 23: Palo Alto Networks 28.5.2013

Reaching Effects of WildFire


[Diagram: threat intelligence sources and WildFire users feed samples into WildFire, which produces AV signatures, DNS signatures, anti-C&C signatures and malware URL filtering]

Page 24: Palo Alto Networks 28.5.2013

Introducing the WildFire Appliance (WF-500)

• Appliance-based version of WildFire for on-premises deployments

• All sandbox analysis performed locally on the WildFire appliance

• WF-500 has option to send locally identified malware to WildFire public cloud; signatures only are created in public cloud

• WildFire signatures for all customers distributed via normal update service

• Detection capabilities in sync with public cloud

[Diagram: all samples go to the on-premises appliance (labelled “Eagle Appliance”); identified malware is optionally forwarded to the WildFire Cloud, which returns signatures]

Page 25: Palo Alto Networks 28.5.2013

GlobalProtect

Securing your road warriors

Page 26: Palo Alto Networks 28.5.2013

Challenge: Quality of Security Tied to Location

[Diagram: Headquarters and Branch Offices are enterprise-secured with full protection against malware, botnets and exploits; Airport, Hotel and Home Office users are exposed to threats, risky apps, and data leakage]

Page 27: Palo Alto Networks 28.5.2013

GlobalProtect: Consistent Security Everywhere

[Diagram: Headquarters and Branch Office users connect through the same firewall, which blocks malware, botnets and exploits]

• VPN connection to a purpose built firewall that is performing the security work

• Automatic protected connectivity for users both inside and outside

• Unified policy control, visibility, compliance & reporting

Page 28: Palo Alto Networks 28.5.2013

LSVPN

Large scale satellite VPN

Page 29: Palo Alto Networks 28.5.2013


The Concept

Easy deployment of large scale VPN infrastructure

• GlobalProtect Satellites automatically acquire authentication credentials and initial configuration from GlobalProtect Portal

• GlobalProtect Satellite establishes tunnels with available Gateways

• Satellites and Gateways automatically exchange routing configuration

Page 30: Palo Alto Networks 28.5.2013

Magic Quadrant for Enterprise Network Firewalls


“Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward. It is assessed as a Leader, mostly because of its NGFW design, direction of the market along the NGFW path, consistent displacement of competitors, rapidly increasing revenue and market share, and market disruption that forces competitors in all quadrants to react.”

Gartner, February 2013

Page 31: Palo Alto Networks 28.5.2013

Thank You


Page 32: Palo Alto Networks 28.5.2013

Next-Generation Firewall Virtualized Platforms


Specifications

Model    Sessions   Rules   Security Zones   Address Objects   IPSec VPN Tunnels   SSL VPN Tunnels

VM-100   50,000     250     10               2,500             25                  25

VM-200   100,000    2,000   20               4,000             500                 200

VM-300   250,000    5,000   40               10,000            2,000               500

Supported on VMware ESX/ESXi 4.0 or later

Minimum of 2 CPU cores, 4GB RAM, 40GB HD, 2 interfaces

Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames

Performance

Cores Allocated   Firewall (App-ID)   Threat Prevention   VPN        Sessions per Second

2 Core            500 Mbps            200 Mbps            100 Mbps   8,000

4 Core            1 Gbps              600 Mbps            250 Mbps   8,000

8 Core            1 Gbps              1 Gbps              400 Mbps   8,000

Page 33: Palo Alto Networks 28.5.2013

Differentiating: App-ID vs. Two Step Scanning

Operational ramifications of two step scanning

• Two separate policies with duplicate info – impossible to reconcile them

• Two log databases decrease visibility

• Unable to systematically manage unknown traffic

• Weakens the deny-all-else premise

Every firewall competitor uses two step scanning

[Diagram: two step scanning – the firewall rule “Allow port 80 traffic” makes a port policy decision, then an IPS makes the application control policy decision; the traffic admitted on port 80 carries 300 or more applications]
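The two models contrasted here and on the earlier “Application Control Belongs in the Firewall” slide can be made concrete with a small simulation. The Python below is an added example written for this page, not Palo Alto Networks code: the payload signatures in identify_app, the zone names, the rule tables and the sample sessions are all constructed assumptions standing in for a real App-ID decoder and rulebase. It evaluates the same sessions under both models and shows why a port-based allow on tcp/80 admits every application the add-on was not explicitly told to block (unknown traffic included), whereas an application-first rule with deny-all-else admits only the listed applications and records unknown traffic as its own category.

```python
"""Port-based policy with add-on app control versus app-first policy.

Added illustration for this deck; not Palo Alto Networks code. The
signatures, zones, rules and sample sessions are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    payload: bytes  # first bytes of the session (constructed sample data)


def identify_app(flow: Flow) -> str:
    """Toy payload-driven classifier; the port plays no role (assumption)."""
    p = flow.payload
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    if p[:2] == b"\x16\x03":  # TLS record header: handshake, SSL 3.x/TLS 1.x
        return "ssl"
    if p.startswith((b"GET ", b"POST ", b"HEAD ")):
        # Constructed host name standing in for a web-chat decoder
        return "web-chat" if b"Host: chat.example" in p else "web-browsing"
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    return "unknown-tcp"


# Model 1: classic zone + port rule, then an add-on that can only subtract
# the applications it was explicitly told to look for.
PORT_RULES = [
    ("trust", "untrust", 80, "allow"),
    ("trust", "untrust", 443, "allow"),
]
ADDON_BLOCKLIST = {"bittorrent"}


def port_based_decision(flow: Flow) -> str:
    for src, dst, port, action in PORT_RULES:
        if (src, dst, port) == (flow.src_zone, flow.dst_zone, flow.dst_port):
            if action != "allow":
                return action
            # Port already admitted; everything not on the blocklist passes
            return "deny" if identify_app(flow) in ADDON_BLOCKLIST else "allow"
    return "deny"


# Model 2: application identified first, rule matched on application,
# and anything not positively allowed (unknowns included) is denied.
APP_RULES = [
    ("trust", "untrust", frozenset({"web-browsing", "ssl"}), "allow"),
]


def app_based_decision(flow: Flow) -> str:
    app = identify_app(flow)
    for src, dst, apps, action in APP_RULES:
        if (src, dst) == (flow.src_zone, flow.dst_zone) and app in apps:
            return action
    return "deny"


def compare(flows):
    """Return (app, port-model decision, app-model decision) per flow."""
    return [(identify_app(f), port_based_decision(f), app_based_decision(f))
            for f in flows]


def unknowns(flows):
    """Flows the app-first model surfaces as unknown-tcp for review."""
    return [f for f in flows if identify_app(f) == "unknown-tcp"]


# Constructed sample sessions, all from zone trust to zone untrust
SAMPLE_FLOWS = [
    Flow("trust", "untrust", 80, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Flow("trust", "untrust", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("trust", "untrust", 80, b"POST /msg HTTP/1.1\r\nHost: chat.example\r\n\r\n"),
    Flow("trust", "untrust", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),      # SSH tunnelled over 80
    Flow("trust", "untrust", 80, b"\x13BitTorrent protocol\x00\x00\x00\x00"),
    Flow("trust", "untrust", 80, b"\x00\x01\x02custom-binary-proto"),  # unknown
    Flow("trust", "untrust", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),      # no port rule
]


if __name__ == "__main__":
    for app, port_model, app_model in compare(SAMPLE_FLOWS):
        print(f"{app:<14} port-model={port_model:<5} app-model={app_model}")
```

Running the script prints one line per session. Only web-browsing and SSL on their expected ports are allowed by both models; web-chat, tunnelled SSH and the unknown session pass the port-based model because the add-on was never told to block them, while the app-first model denies them and unknowns() returns the single unknown-tcp session that a policy reviewer would need to classify.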

Page 34: Palo Alto Networks 28.5.2013

Flexible Deployment Options

Visibility

• Application, user and content visibility without inline deployment

Transparent In-Line

• IPS with app visibility & control

• Consolidation of IPS & URL filtering

Firewall Replacement

• Firewall replacement with app visibility & control

• Firewall + IPS

• Firewall + IPS + URL filtering