Next-Generation Firewall Palo Alto Networks

Page 2 | Applications Have Changed, Firewalls Have Not
The gateway at the trust border is the right place to enforce policy control:
- Sees all traffic
- Defines the trust boundary
Need to restore visibility and control in the firewall.
Application categories shown: Collaboration / Media, SaaS, Personal

Page 3 | Stateful Inspection Classification
The common foundation of nearly all firewalls. Stateful inspection classifies traffic by looking at the packet headers (IP and TCP/UDP):
- source IP
- source port
- destination IP
- destination port
- protocol
An internal table maps well-known ports to protocols:
- HTTP = TCP port 80
- SMTP = TCP port 25
- SSL = TCP port 443
The mapping is an assumption, not an observation: whatever runs over TCP port 443 is counted as SSL, and whatever runs over any other port is not.

Page 4 | Palo Alto Networks Exceeds NGFW Requirements
In "Defining the Next-Generation Firewall," Gartner describes what Palo Alto Networks already delivers:
- Application awareness and full stack visibility: App-ID identifies and controls 900+ applications
- Integrated rather than co-located IPS: Content-ID includes a full IPS, without compromising performance
- Extra-firewall intelligence to identify users: User-ID brings AD users and groups into firewall policy
- Standard first-generation firewall capabilities: packet filtering, state, flexible NAT, IPSec and SSL VPNs, etc.
- Support for "bump in the wire" deployments: multiple options for transparent deployment behind existing firewalls

Page 5 | New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access and functionality
4. Protect in real time against threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation
Palo Alto Networks "fixes the firewall".
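To make the gap between the port-table classification of Page 3 and requirement 1 above concrete, here is an added example (not Palo Alto Networks code) that classifies the same constructed flows two ways: by consulting a well-known-port table, and by looking at the first bytes the client actually sent. PORT_TABLE, the payload heuristics and SAMPLE_FLOWS are simplified stand-ins and assumptions; real App-ID signatures are proprietary and far richer.

```python
"""Port-table classification versus payload-based application identification.

Added example, not Palo Alto Networks code. PORT_TABLE and the heuristics in
classify_by_payload() are simplified stand-ins for a firewall's internal
port table and for App-ID signatures; the flows in SAMPLE_FLOWS are constructed.
"""
from dataclasses import dataclass

TCP = 6

# The well-known-port table a classic stateful-inspection firewall consults.
PORT_TABLE = {
    (TCP, 80): "http",
    (TCP, 25): "smtp",
    (TCP, 443): "ssl",
    (TCP, 22): "ssh",
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int      # IP protocol number: 6 = TCP
    payload: bytes  # first client-to-server bytes of the stream


def classify_by_port(flow: Flow) -> str:
    """Stateful inspection: only the 5-tuple is consulted, so the verdict is
    whatever the port table says about the destination port."""
    return PORT_TABLE.get((flow.proto, flow.dst_port), "unknown")


def classify_by_payload(flow: Flow) -> str:
    """Look at the first bytes the client actually sent, ignoring the port."""
    p = flow.payload
    if p.startswith((b"SSH-2.0-", b"SSH-1.")):
        return "ssh"
    # TLS handshake record: content type 0x16, version major 0x03, and the
    # handshake type byte (0x01 = ClientHello) follows the 2-byte record length.
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "ssl"
    request_line = p.split(b"\r\n", 1)[0]
    if request_line.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")) and b" HTTP/1." in request_line:
        return "http"
    if request_line.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    return "unknown"


# Constructed flows. The first two are the cases a port table gets wrong.
SAMPLE_FLOWS = {
    "ssh-on-443": Flow("10.1.1.10", 51000, "203.0.113.5", 443, TCP,
                       b"SSH-2.0-OpenSSH_8.9\r\n"),
    "http-on-8080": Flow("10.1.1.11", 51001, "203.0.113.6", 8080, TCP,
                         b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "tls-on-443": Flow("10.1.1.12", 51002, "203.0.113.7", 443, TCP,
                       b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
}


def classify_flows(flows: dict) -> dict:
    """Return {name: (port_verdict, payload_verdict)} for every flow."""
    return {name: (classify_by_port(f), classify_by_payload(f)) for name, f in flows.items()}


def mismatches(flows: dict) -> list:
    """Names of flows where the port table and the payload disagree: exactly
    the traffic a port-based policy allows or blocks for the wrong reason."""
    return [name for name, (by_port, by_payload) in classify_flows(flows).items()
            if by_port != by_payload]


if __name__ == "__main__":
    for name, verdicts in classify_flows(SAMPLE_FLOWS).items():
        print(f"{name:14s} port-table={verdicts[0]:8s} payload={verdicts[1]}")
    print("mismatches:", mismatches(SAMPLE_FLOWS))
```

The SSH session to port 443 is the case that matters for policy: a port-based rule that "allows SSL outbound" lets it through, while a rule written against the identified application does not. The reverse case (HTTP on 8080) shows the other failure, a legitimate application that the port table cannot name at all.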

Page 6 | Identification Technologies Help Manage Risk
- App-ID: identify the application
- User-ID: identify the user
- Content-ID: scan the content

Page 7 | App-ID: Comprehensive Application Visibility
- Policy-based control over about 900 applications, distributed across five categories and 25 sub-categories
- Balanced mix of business, internet and networking applications and networking protocols
- ~5 new applications added weekly

Page 8 | User-ID: Enterprise Directory Integration
- Users no longer defined solely by IP address; leverages the existing Active Directory infrastructure
- Understand users' application and threat behavior based on the actual AD username, not just the IP
- Manage and enforce policy based on user and/or AD group
- Investigate security incidents, generate custom reports

Page 9 | Making Content-Scanning Network-Ready
- Stream-based, not file-based, for real-time performance (dynamic reassembly)
- Uniform signature engine scans for a broad range of threats in a single pass
- Threat detection covers vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)
Diagram (time axis): file-based scanning buffers the file, scans the file, then delivers the content; stream-based scanning identifies, scans and delivers the content without first waiting for the whole file.
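The reason reassembly has to be part of a stream-based scanner is that a signature can straddle a TCP segment boundary. The following added example (not Palo Alto Networks code) contrasts a naive per-segment scan with a single-pass stream scanner that carries over only the last few bytes rather than buffering the whole file. SIGNATURES, STREAM and SEGMENTS are constructed: the two byte patterns stand in for threat signatures, and the HTTP request is cut so that each pattern is split across two segments.

```python
"""Per-segment (file/chunk-based) versus stream-based signature matching.

Added example, not Palo Alto Networks code. SIGNATURES, STREAM and SEGMENTS
are constructed: the two byte patterns stand in for threat signatures and the
HTTP request is split so that each pattern straddles a TCP segment boundary.
"""
from typing import Dict, List, Tuple

SIGNATURES: Dict[str, bytes] = {
    "phone-home-uri": b"/gate.php?id=",   # constructed spyware check-in pattern
    "exploit-marker": b"SIG:EXPLOIT-1",   # constructed placeholder for an exploit signature
}

STREAM = (b"GET /gate.php?id=42 HTTP/1.1\r\n"
          b"Host: c2.example.test\r\n\r\n"
          b"x=SIG:EXPLOIT-1;")


def split_at(data: bytes, cuts: List[int]) -> List[bytes]:
    """Cut one byte string into consecutive segments at the given offsets."""
    bounds = [0] + sorted(cuts) + [len(data)]
    return [data[a:b] for a, b in zip(bounds, bounds[1:])]


# Offsets 10 and 62 fall inside the first and the second pattern respectively.
SEGMENTS = split_at(STREAM, [10, 62])


def scan_per_segment(segments: List[bytes]) -> List[Tuple[str, int]]:
    """Naive scanner: each segment is inspected on its own, so a pattern split
    across two segments is never seen. Returns (signature, segment index)."""
    return [(name, i) for i, seg in enumerate(segments)
            for name, sig in SIGNATURES.items() if sig in seg]


class StreamScanner:
    """Single pass over the byte stream. Instead of buffering the whole file it
    keeps only the last (longest signature - 1) bytes it has seen, which is
    enough to complete a match that straddles a segment boundary."""

    def __init__(self, signatures: Dict[str, bytes]) -> None:
        self.sigs = signatures
        self.max_len = max(len(s) for s in signatures.values())
        self.carry = b""     # tail of the previous buffer that may start a match
        self.offset = 0      # stream offset of carry[0]
        self.hits: List[Tuple[str, int]] = []   # (signature, stream offset)

    def feed(self, chunk: bytes) -> None:
        old_carry = len(self.carry)
        buf = self.carry + chunk
        for name, sig in self.sigs.items():
            idx = buf.find(sig)
            while idx >= 0:
                # A match lying wholly inside the old carry was reported last time.
                if idx + len(sig) > old_carry:
                    self.hits.append((name, self.offset + idx))
                idx = buf.find(sig, idx + 1)
        keep = min(self.max_len - 1, len(buf))
        self.carry = buf[len(buf) - keep:] if keep else b""
        self.offset += len(buf) - keep


def scan_stream(segments: List[bytes]) -> List[Tuple[str, int]]:
    """Feed the segments in arrival order and return every (signature, offset)."""
    scanner = StreamScanner(SIGNATURES)
    for seg in segments:
        scanner.feed(seg)
    return scanner.hits


if __name__ == "__main__":
    print("per-segment:", scan_per_segment(SEGMENTS))   # misses both patterns
    print("stream     :", scan_stream(SEGMENTS))        # finds both at their true offsets
```

The carry is bounded by the longest signature, so memory per session stays constant regardless of file size, which is the property that lets content be delivered as it is scanned instead of after it has been fully buffered.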

Page 10 | A Better Approach: Single-Pass Parallel Processing (SP3) Architecture
Single pass, one process for:
- Traffic classification (app identification)
- User/group mapping
- Content scanning: threats, URLs, DLP, etc.
- One policy
Parallel processing:
- Function-specific hardware engines
- Multi-core security processing
- Separate data/control planes
Up to 10 Gbps, low latency

Page 11 | PAN-OS Core Features
Strong networking foundation:
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN
- Tap mode: connect to a SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
QoS traffic shaping:
- Max, guaranteed and priority
- By user, app, interface, zone, and more
High availability:
- Active/passive
- Configuration and session synchronization
- Path, link, and HA monitoring
Virtualization:
- All interfaces (physical or logical) are assigned to security zones
- Establish multiple virtual systems to fully virtualize the device (PA & PA-2000 only)
Intuitive and flexible management:
- CLI, Web, Panorama, SNMP, Syslog

Page 12 | Palo Alto Networks Next-Gen Firewalls
- PA Gbps FW; 5 Gbps threat prevention; 2,000,000 sessions; 16 copper gigabit, 8 SFP interfaces
- PA Gbps FW; 2 Gbps threat prevention; 500,000 sessions; 16 copper gigabit, 8 SFP interfaces
- PA Gbps FW; 5 Gbps threat prevention; 2,000,000 sessions; 4 XFP (10 Gig) I/O, 4 SFP (1 Gig) I/O
- PA Gbps FW; 500 Mbps threat prevention; 250,000 sessions; 16 copper gigabit, 4 SFP interfaces
- PA Mbps FW; 200 Mbps threat prevention; 125,000 sessions; 12 copper gigabit, 2 SFP interfaces
- PA Mbps FW; 100 Mbps threat prevention; 50,000 sessions; 8 copper gigabit

Page 13 | Purpose-Built Architecture: PA-4000 Series
Flash matching HW engine:
- Palo Alto Networks' uniform signatures
- Multiple memory banks; memory bandwidth scales performance
Multi-core security processor:
- High-density processing for flexible security functionality
- Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Dedicated control plane:
- Highly available management
- High-speed logging and route updates
10 Gig network processor:
- Front-end network processing offloads the security processors
- Hardware-accelerated QoS, route lookup, MAC lookup and NAT
Block diagram labels: control plane (dual-core CPU, RAM, HDD); data plane, 10 Gbps in and out (flash matching engine with RAM; security CPU 1, CPU 2, CPU 3 ... CPU 16 with RAM and SSL / IPSec / decompression acceleration; network processor with QoS, route / ARP / MAC lookup, NAT)

Page 14 | Flexible Deployment Options
- Application visibility: connect to a SPAN port; provides application visibility without in-line deployment
- Transparent in-line: deploy transparently behind the existing firewall; provides application visibility and control without networking changes
- Firewall replacement: replace the existing firewall; provides application- and network-based visibility and control, consolidated policy, high performance

Page 15 | Enterprise Device and Policy Management
Intuitive and flexible management:
- CLI, Web, Panorama, SNMP, Syslog
Panorama central management application:
- Consolidated management, logging, and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and the device UI
- Network-wide ACC/monitoring views, log collection, and reporting
All interfaces work on the current configuration, avoiding sync issues

Page 16 | Requirements for Data Center Firewalls
- Threat prevention: protect against external attacks, including those routed through internal "secure" clients
- Data leakage prevention: prevent confidential and unauthorized content from leaving the network
- Access control: control access, by user or groups of users, to specific applications and content
- Performance: minimize latency and maximize throughput to ensure business performance is not compromised
© 2009 Palo Alto Networks. Proprietary and Confidential.

Page 17 | Palo Alto Networks Exceeds Requirements
Content-ID:
- Threat prevention: stops external attacks with a high-speed threat prevention engine; decrypts SSL sessions to identify and stop threats via clients
- Data leakage prevention: scans traffic to stop transfer of unauthorized data or file types
User-ID and App-ID:
- Access control: policies to create security zones within the data center; create data center segments to isolate specific users and applications
SP3 architecture:
- Single pass, minimized latency, maximum throughput up to 10 Gbps

Page 18 | Data Centre Security Zones
Security zones can be applied first to isolate the DC as a means of protecting the data. Once the network has been divided into distinct zones, positive control model security policies can be applied that control, at a very granular level, which applications, users and content are allowed in and out of the DC security zone.
Uniform signature format: rather than use a separate set of scanning engines and signatures for each type of threat, Palo Alto Networks uses a uniform threat engine and signature format to detect and block a wide range of malware while dramatically reducing latency.

Page 19 | Isolating the Data with Security Zones
- Zones isolate client data, irrespective of networking environment
- Security policies dictate access control, threat prevention and content scanning
- Logging and reporting against a zone simplifies forensics and monitoring
Security zones: a logical container for physical interfaces, VLANs, IP addresses or a combination thereof.
Diagram, flat network with no security zones (users, client servers, development servers, infrastructure servers):
- All users can access all resources
- Difficult to protect proprietary data
- Forensics becomes equally difficult
Diagram, zoned network: users, development servers and infrastructure servers, with the client servers placed in a separate Client Server Zone

Page 20 | Granular Access Control Policies
Control access based on application (App-ID) and users (User-ID). Example:
- Only authorized SAP users can access SAP
- Inbound and outbound traffic scanned for threats and sensitive data
- Limited traffic in the zone helps minimize latency and maximize throughput
- Secure IT access for logging, reporting, forensics
Diagram labels: Users, IT Dept, WAN and Internet, Palo Alto Networks, Client Server Zone (Oracle, IT Tools), Development Servers, Infrastructure Servers

Page 21 | Block Threats, Monitor Data Transfer
Block inbound threats that target Oracle, monitor outbound traffic for data patterns (Content-ID). Example:
- Add a threat prevention policy element for Oracle (inbound)
- Monitor outbound traffic for proprietary data patterns
- Log for forensics and record keeping
Diagram labels: Users, Brokers, WAN and Internet, Palo Alto Networks, Client Server Zone, Development Servers, Infrastructure Servers

Page 22 | Logging and Reporting
Forensics and activity monitoring through context-aware and expression-based log filtering:
- Export to Excel or syslog for archive and analysis
Pre-defined and custom reporting:
- Create zone-specific reports, scheduled to be emailed to key personnel

Page 23 | Policy Example
- Rule 1: limit access to client data to only brokers in Active Directory; only allow Oracle; block threats, watch for client data transfer
- Rule 2: only allow IT to use specific tools to access client data
- Rule 3: deny and log all else
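The three rules above describe a positive-control rulebase: every flow is matched top down on zone, identified user group and identified application, and anything that reaches the last rule is denied and logged. The following added example (not PAN-OS code) evaluates constructed traffic against that rulebase, resolves the source IP to a username the way a User-ID mapping would, and filters the resulting log by zone as the zone-specific reports of Page 22 do. IP_TO_USER, AD_GROUPS, the zone names, the application names and the choice of ssh and ms-rdp as the "specific tools" of Rule 2 are all assumptions made for illustration.

```python
"""First-match zone/user/application policy in the positive-control style of
the Page 23 example, with User-ID-style IP-to-user resolution and per-rule
logging that can be filtered by zone.

Added example, not PAN-OS code. IP_TO_USER, AD_GROUPS, the zone names, the
application names and the "IT tools" chosen for Rule 2 are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Stand-in for the IP -> username table User-ID learns from AD logon events.
IP_TO_USER: Dict[str, str] = {"10.1.1.10": "alice", "10.1.1.11": "bob", "10.2.0.5": "carol"}
# Stand-in for AD group membership.
AD_GROUPS: Dict[str, FrozenSet[str]] = {"brokers": frozenset({"alice"}),
                                        "it-dept": frozenset({"carol"})}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str                    # "any" matches every zone
    to_zone: str
    groups: Optional[FrozenSet[str]]  # None = any user
    apps: Optional[FrozenSet[str]]    # None = any application
    action: str                       # "allow" or "deny"
    profiles: Tuple[str, ...] = ()    # content-scanning profiles attached to an allow


POLICY: List[Rule] = [
    # Rule 1: brokers may reach client data, and only with Oracle; scan for threats and client data leaving.
    Rule("brokers-oracle", "users", "client-server", frozenset({"brokers"}), frozenset({"oracle"}),
         "allow", ("threat-prevention", "client-data-pattern")),
    # Rule 2: IT may use specific tools only (ssh and ms-rdp are assumed here).
    Rule("it-tools", "users", "client-server", frozenset({"it-dept"}), frozenset({"ssh", "ms-rdp"}),
         "allow", ("threat-prevention",)),
    # Rule 3: deny and log all else.
    Rule("deny-all", "any", "any", None, None, "deny"),
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    from_zone: str
    to_zone: str
    app: str   # the application as identified from the traffic, not from the port


def resolve_user(ip: str) -> str:
    return IP_TO_USER.get(ip, "unknown")


def in_groups(user: str, groups: Optional[FrozenSet[str]]) -> bool:
    return groups is None or any(user in AD_GROUPS.get(g, frozenset()) for g in groups)


def evaluate(flow: Flow, log: List[dict], policy: List[Rule] = POLICY) -> Tuple[str, str, Tuple[str, ...]]:
    """Walk the rulebase top down; the first rule whose zones, user group and
    application all match decides. Returns (action, rule name, profiles)."""
    user = resolve_user(flow.src_ip)
    for rule in policy:
        if rule.from_zone != "any" and rule.from_zone != flow.from_zone:
            continue
        if rule.to_zone != "any" and rule.to_zone != flow.to_zone:
            continue
        if not in_groups(user, rule.groups) or (rule.apps is not None and flow.app not in rule.apps):
            continue
        log.append({"rule": rule.name, "action": rule.action, "user": user,
                    "from": flow.from_zone, "to": flow.to_zone, "app": flow.app})
        return rule.action, rule.name, rule.profiles
    # Only reached if the rulebase has no catch-all; the safe default is still deny.
    log.append({"rule": "implicit-deny", "action": "deny", "user": user,
                "from": flow.from_zone, "to": flow.to_zone, "app": flow.app})
    return "deny", "implicit-deny", ()


def logs_for_zone(log: List[dict], zone: str) -> List[dict]:
    """Zone-scoped view of the log, the filter a zone-specific report is built on."""
    return [e for e in log if zone in (e["from"], e["to"])]


# Constructed traffic.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "users", "client-server", "oracle"),  # alice (broker), Oracle: rule 1
    Flow("10.1.1.10", "users", "client-server", "ssh"),     # alice, ssh: not a permitted app
    Flow("10.1.1.11", "users", "client-server", "oracle"),  # bob, not a broker
    Flow("10.2.0.5", "users", "client-server", "ssh"),      # carol (IT), ssh: rule 2
    Flow("10.2.0.5", "users", "development", "ssh"),        # carol to another zone: rule 3
]


def run(flows: List[Flow]) -> Tuple[List[Tuple[str, str]], List[dict]]:
    """Evaluate every flow; return (action, rule) per flow and the shared log."""
    log: List[dict] = []
    verdicts = [(action, name) for action, name, _ in (evaluate(f, log) for f in flows)]
    return verdicts, log


if __name__ == "__main__":
    verdicts, log = run(SAMPLE_FLOWS)
    for f, v in zip(SAMPLE_FLOWS, verdicts):
        print(f"{resolve_user(f.src_ip):6s} {f.app:7s} {f.from_zone}->{f.to_zone}: {v}")
    print(len(logs_for_zone(log, "client-server")), "client-server zone log entries")
```

Two details carry the security point. The match is on the identified application, so a broker tunnelling ssh to the Oracle host is denied by Rule 3 even though the port would have looked right to a legacy firewall; and the catch-all rule logs as well as denies, so the zone-filtered log shows the rejected attempts, not only the permitted sessions.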

Page 24 | Limitations of Existing Technology
Legacy firewalls are ineffective at policy-based segmentation:
- Unable to identify applications, only ports and protocols
- Cannot see user identity from AD, only IP addresses
- May require a secondary platform to inspect content
- Cumbersome management and difficult log correlation
Firewall "helpers" are no help:
- Don't enforce policy
- Are not designed to segment
- Cannot understand all applications; slow and cumbersome to manage
- Unable to tie applications to users
- Impossible to produce the reports needed for audit purposes

Page 25 | Protecting Proprietary Data
- Flexible, zone-based architecture facilitates data isolation in any networking environment
- Policy control over cardholder data access: allow/deny access based on the specific application; inspect traffic bi-directionally for threats and data transfer; tie access rules to user identity from Active Directory
- Powerful logging and reporting for archival and forensics purposes
- Up to 10 Gbps throughput and up to 24 ports eliminates bottlenecks