© 2007 Palo Alto Networks. Proprietary and Confidential Page 1 | Palo Alto Networks – next page in firewalling It’s time to fix the firewall! Tiit Sokolov.

Presentation transcript:

Palo Alto Networks – next page in firewalling. It’s time to fix the firewall! Tiit Sokolov, AS Stallion

About Palo Alto Networks
- Founded in 2005 by security visionary Nir Zuk
- World-class team with strong security and networking experience
- Innovations: App-ID, User-ID, Content-ID
- Builds next-generation firewalls that identify and control more than 900 applications; makes the firewall strategic again
- Global footprint: presence in 50+ countries, 24/7 support
- Named Gartner Cool Vendor in 2008

Application Control Efforts are Failing
- Palo Alto Networks’ Application Usage & Risk Report highlights actual behavior of 900,000 users across more than 60 organizations
- Bottom line: despite all having firewalls, and most having IPS, proxies, & URL filtering – none of these organizations could control what applications ran on their networks
- Applications evade, transfer files, tunnel other applications, carry threats, consume bandwidth, and can be misused
- Applications carry risks: business continuity, data loss, compliance, productivity, and operations costs

Trends

Applications Have Changed – Firewalls Have Not
- The gateway at the trust border is the right place to enforce policy control
  - Sees all traffic
  - Defines trust boundary
- Need to Restore Visibility and Control in the Firewall

Internet Sprawl Is Not The Answer
- “More stuff” doesn’t solve the problem
- Firewall “helpers” have limited view of traffic
- Complex and costly to buy and maintain
- Putting all of this in the same box is just slow

Traditional Multi-Pass Architectures are Slow
[Diagram: four separate boxes (firewall, URL filtering, IPS, AV) chained in series, each repeating its own port/protocol-based ID and its own L2/L3 networking, HA, config management and reporting; the URL-filtering box adds an HTTP decoder and URL filtering policy, the IPS box an IPS decoder, IPS signatures and IPS policy, the AV box an AV decoder & proxy, AV signatures and AV policy, alongside the firewall policy]
Application inspection in a common UTM is performed by many inspection modules (IPS, AV, WF, etc.) based on products from different vendors. This causes a huge performance degradation.

Palo Alto Networks – unique features
Performs accurate application inspection (IPS, AV, etc.) without performance degradation (one inspection path – shared database of universal signatures, purpose-built hardware architecture).
[Diagram: one L2/L3 networking, HA, config management and reporting foundation carrying App-ID (application protocol detection and decryption, application protocol decoding, heuristics, application signatures), User-ID, Content-ID (URL filtering, threat prevention, data filtering) and a single policy engine]

Single-Pass Parallel Processing (SP3) Architecture
Single Pass
- Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning – threats, URLs, confidential data
- One policy
Parallel Processing
- Function-specific parallel processing hardware engines
- Separate data/control planes
Up to 10Gbps, Low Latency

New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
The Right Answer: Make the Firewall Do Its Job

Identification Technologies Transform the Firewall
- App-ID: Identify the application
- User-ID: Identify the user
- Content-ID: Scan the content

App-ID: Comprehensive Application Visibility
- Policy-based control of more than 900 applications distributed across five categories and 25 sub-categories
- Balanced mix of business, internet and networking applications and networking protocols
- New applications added weekly
- App override and custom HTTP applications help address internal applications
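Requirement 1 on the earlier slide is identification "regardless of port, protocol, evasive tactic or SSL". The following is an added illustration, not Palo Alto Networks code, of what that means in practice: a toy classifier reads the first bytes a client sends and labels the flow from content, then compares that with the label a port-based rule would have assigned. The SSH, TLS ClientHello and HTTP checks are simplified signatures chosen for this example, and every flow in SAMPLE_FLOWS is constructed.

```python
"""Application identification from flow payload rather than destination port.

Added example (not Palo Alto Networks code). A toy App-ID-style classifier
that inspects the client's first bytes and flags flows where the payload
verdict disagrees with what a port-based firewall would have assumed.
"""
import re
from dataclasses import dataclass

# What a port/protocol-based firewall would call a flow (assumed table).
PORT_TABLE = {80: "web-browsing", 443: "ssl", 22: "ssh"}

# Request line of an HTTP/1.x request: METHOD SP target SP HTTP/1.x CRLF
HTTP_REQUEST = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes sent by the client


def classify_by_port(dst_port: int) -> str:
    return PORT_TABLE.get(dst_port, "unknown")


def classify_by_payload(payload: bytes) -> str:
    """Identify the application from content alone, ignoring the port."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 3.x, then
    # a handshake message whose type byte (offset 5) is 0x01 = ClientHello.
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "ssl"
    if HTTP_REQUEST.match(payload):
        return "web-browsing"
    return "unknown"


def identify(flow: Flow) -> dict:
    """Both verdicts plus a disagreement flag a defender can alert on."""
    by_port = classify_by_port(flow.dst_port)
    by_payload = classify_by_payload(flow.payload)
    return {
        "port_verdict": by_port,
        "app": by_payload,
        # An identified application on a port that suggests something else
        # (or no known service at all) is the case port-based rules miss.
        "port_disagrees": by_payload != "unknown" and by_port != by_payload,
    }


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow(8443, b"GET /api HTTP/1.1\r\nHost: internal\r\n\r\n"),  # HTTP on an odd port
    Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),                         # SSH where TLS is expected
    Flow(443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),       # truncated ClientHello
    Flow(80, b"\x00\x01\x02\x03"),                                  # nothing recognisable
]


def summarize(flows=SAMPLE_FLOWS) -> list:
    """(port, payload verdict, port_disagrees) for each flow."""
    out = []
    for f in flows:
        v = identify(f)
        out.append((f.dst_port, v["app"], v["port_disagrees"]))
    return out


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

Only the second and third flows raise the disagreement flag; the first and fourth agree with the port table and the last is simply unidentified. A real App-ID engine also decodes the application inside SSL after decryption and applies heuristics, which this sketch leaves out.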

User-ID: Enterprise Directory Integration
- Users no longer defined solely by IP address
  - Leverage existing Active Directory infrastructure without complex agent rollout
  - Identify Citrix users and tie policies to user and group, not just the IP address
- Understand user application and threat behavior based on actual AD username, not just IP
- Manage and enforce policy based on user and/or AD group
- Investigate security incidents, generate custom reports

Content-ID: Real-Time Content Scanning
- Stream-based, not file-based, for real-time performance
  - Uniform signature engine scans for broad range of threats in single pass
  - Vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)
- Block transfer of sensitive data and file transfers by type
  - Looks for CC # and SSN patterns
  - Looks into file to determine type – not extension based
- Web filtering enabled via fully integrated URL database
  - Local 20M URL database (76 categories) maximizes performance (1,000’s URLs/sec)
  - Dynamic DB adapts to local, regional, or industry focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work related web surfing
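Two points on this slide and on the SP3 slide deserve a concrete form: content is scanned as a stream in one pass rather than reassembled into a file, and file type is read from the bytes, not the claimed extension. The code below is an added example, not Palo Alto Networks code. It feeds a constructed payload through a small pattern set chunk by chunk, detects the type from magic bytes, and looks for credit-card numbers (Luhn-checked) and SSN-shaped strings, including matches that straddle a chunk boundary. The magic-byte table, the regexes and the sample bytes are all assumptions made for the example.

```python
"""Stream-based content scanning: type by magic bytes, CC/SSN patterns.

Added example, not Palo Alto Networks code. Data arrives in chunks and is
never reassembled; only a short tail is carried so a pattern that crosses
a chunk boundary is still found. Signatures and sample are constructed.
"""
import re

MAGIC = [(b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"),
         (b"\x89PNG\r\n\x1a\n", "png"), (b"MZ", "pe-executable")]
EXT_TO_TYPE = {"pdf": "pdf", "zip": "zip", "png": "png",
               "exe": "pe-executable", "dll": "pe-executable"}

# 16 digits with optional single space/dash separators; 9-digit SSN layout.
CC_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
MAX_PATTERN = 31  # longest possible match: 16 digits plus 15 separators


def luhn_ok(candidate: bytes) -> bool:
    """Luhn checksum; drops most random 16-digit runs."""
    digits = [int(ch) for ch in re.sub(rb"[ -]", b"", candidate).decode()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PATTERNS = [("credit-card", CC_RE, luhn_ok), ("ssn", SSN_RE, None)]


def sniff_type(head: bytes) -> str:
    """File type from leading bytes, independent of the claimed extension."""
    for magic, name in MAGIC:
        if head.startswith(magic):
            return name
    return "unknown"


class StreamScanner:
    def __init__(self, claimed_ext: str):
        self.claimed_ext = claimed_ext
        self.detected_type = None
        self.findings = []        # (kind, absolute offset) in discovery order
        self._head = b""          # first bytes, kept only for type sniffing
        self._carry = b""         # tail of the previous buffer
        self._consumed = 0        # absolute offset of the next unseen byte
        self._prev_digit = False  # was the byte just before _carry a digit?
        self._seen = set()

    def feed(self, chunk: bytes) -> None:
        if self.detected_type is None:
            self._head += chunk
            if len(self._head) >= 8:  # longest magic value in the table
                self.detected_type = sniff_type(self._head)
        buf = self._carry + chunk
        self._scan(buf, base=self._consumed - len(self._carry), final=False)
        self._consumed += len(chunk)
        cut = len(buf) - MAX_PATTERN
        if cut > 0:  # carry start moves: remember what preceded it
            self._prev_digit = buf[cut - 1:cut].isdigit()
        self._carry = buf[-MAX_PATTERN:]

    def finish(self) -> dict:
        if self.detected_type is None:
            self.detected_type = sniff_type(self._head)
        self._scan(self._carry, base=self._consumed - len(self._carry), final=True)
        self._carry = b""
        expected = EXT_TO_TYPE.get(self.claimed_ext.lower())
        return {"claimed_ext": self.claimed_ext,
                "detected_type": self.detected_type,
                "type_mismatch": self.detected_type != "unknown"
                and expected != self.detected_type,
                "findings": list(self.findings)}

    def _scan(self, buf: bytes, base: int, final: bool) -> None:
        for kind, rx, check in PATTERNS:
            for m in rx.finditer(buf):
                if m.start() == 0 and self._prev_digit:
                    continue  # digit run began before the carried tail
                if not final and m.end() == len(buf):
                    continue  # more digits may follow in the next chunk
                if check is not None and not check(m.group()):
                    continue
                key = (kind, base + m.start())
                if key not in self._seen:  # overlap with carry: no double count
                    self._seen.add(key)
                    self.findings.append(key)


def scan_stream(claimed_ext: str, data: bytes, chunk_size: int) -> dict:
    scanner = StreamScanner(claimed_ext)
    for i in range(0, len(data), chunk_size):
        scanner.feed(data[i:i + chunk_size])
    return scanner.finish()


# Constructed sample: an executable header inside a "text" upload carrying
# one valid-Luhn card number, one invalid one and one SSN-shaped string.
SAMPLE = (b"MZ\x90\x00 constructed sample payload; "
          b"card 4111 1111 1111 1111 rejected 4111111111111112 "
          b"ssn 123-45-6789 end")

if __name__ == "__main__":
    print(scan_stream("txt", SAMPLE, chunk_size=7))
```

The result is the same whether the stream is fed one byte at a time or in a single chunk: the ".txt" upload is reported as a PE executable, the Luhn-valid card number at offset 38 and the SSN at offset 88 are reported, and the number failing the checksum is ignored. A match ending exactly at the end of a buffer is held back until the next chunk shows what follows it, which is what keeps a 17-digit run from being reported as a card number.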

Enables Visibility Into Applications, Users, and Content

Comprehensive View of Applications, Users & Content
- Application Command Center (ACC)
  - View applications, URLs, threats, data filtering activity
- Mine ACC data, adding/removing filters as needed to achieve desired result
[Screenshots: ACC filtered on Skype; Skype filter removed to expand the view of user oharris; ACC filtered on Skype and user oharris]

PAN-OS Core Firewall Features
- Strong networking foundation
  - Dynamic routing (OSPF, RIPv2)
  - Tap mode – connect to SPAN port
  - Virtual wire (“Layer 1”) for true transparent in-line deployment
  - L2/L3 switching foundation
- VPN
  - Site-to-site IPSec VPN
  - SSL VPN
- QoS traffic shaping
  - Max/guaranteed and priority
  - By user, app, interface, zone, and more
- Zone-based architecture
  - All interfaces assigned to security zones for policy enforcement
- High Availability
  - Active / passive
  - Configuration and session synchronization
  - Path, link, and HA monitoring
- Virtual Systems
  - Establish multiple virtual firewalls in a single device (starting from PA-2000 Series)
- Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content complement core firewall features
[Product images: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060]

Flexible Deployment Options
- Visibility: application, user and content visibility without inline deployment
- Transparent In-Line: IPS with app visibility & control; consolidation of IPS & URL filtering
- Firewall Replacement: firewall replacement with app visibility & control; Firewall + IPS; Firewall + IPS + URL filtering

Site-to-Site and Remote Access VPN
- Secure connectivity
  - Standards-based site-to-site IPSec VPN
  - SSL VPN for remote access
- Policy-based visibility and control over applications, users and content for all VPN traffic
- Included as features in PAN-OS at no extra charge
[Diagram: site-to-site VPN connectivity; remote user connectivity]

Traffic Shaping Expands Policy Control Options
- Traffic shaping policies ensure business applications are not bandwidth starved
  - Guaranteed and maximum bandwidth settings
  - Flexible priority assignments, hardware accelerated queuing
  - Apply traffic shaping policies by application, user, source, destination, interface, IPSec VPN tunnel and more
- Enables more effective deployment of appropriate application usage policies
- Included as a feature in PAN-OS at no extra charge

Flexible Policy Control Responses
Intuitive policy editor enables appropriate usage policies with flexible policy responses:
- Allow or deny individual application usage
- Allow but apply IPS, scan for viruses, spyware
- Control applications by category, subcategory, technology or characteristic
- Apply traffic shaping (guaranteed, priority, maximum)
- Decrypt and inspect SSL
- Allow for certain users or groups within AD
- Allow or block certain application functions
- Control excessive web surfing
- Allow based on schedule
- Look for and alert or block file or data transfer

Enterprise Device and Policy Management
- Intuitive and flexible management
  - CLI, Web, Panorama, SNMP, Syslog
  - Role-based administration enables delegation of tasks to appropriate person
- Panorama central management application
  - Shared policies enable consistent application control policies
  - Consolidated management, logging, and monitoring of Palo Alto Networks devices
  - Consistent web interface between Panorama and device UI
  - Network-wide ACC/monitoring views, log collection, and reporting
- All interfaces work on current configuration, avoiding sync issues

Our Platform Family…
(Positioned by performance, from remote office / medium enterprise up to large enterprise)
- PA-2000 Series: 1Gbps; 500Mbps threat prevention | 500Mbps; 200Mbps threat prevention
- PA-4000 Series: 2Gbps; 2Gbps threat prevention | 10Gbps; 5Gbps threat prevention | 10Gbps; 5Gbps threat prevention (XFP interfaces)
- PA [model and throughput figure missing from transcript] Mbps; 100Mbps threat prevention

Purpose-Built Architecture: PA-4000 Series
- Content Scanning HW Engine
  - Palo Alto Networks’ uniform signatures
  - Multiple memory banks – memory bandwidth scales performance
- Multi-Core Security Processor
  - High density processing for flexible security functionality
  - Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
- Dedicated Control Plane
  - Highly available mgmt
  - High speed logging and route updates
- 10 Gig Network Processor
  - Front-end network processing offloads security processors
  - Hardware accelerated QoS, route lookup, MAC lookup and NAT
[Block diagram: data plane with a 10Gbps content scanning engine and RAM, security processor CPUs 1 to 16 with SSL, IPSec and decompression accelerators, and a 10 Gig network processor (QoS; route, ARP, MAC lookup; NAT); control plane with dual-core CPU, RAM and HDD; 10Gbps links between the planes]

Palo Alto Networks Next-Gen Firewalls
(Model numbers and firewall throughput figures did not survive the transcript; the remaining figures per model are:)
- PA … Gbps FW; 5 Gbps threat prevention; 2,000,000 sessions; 16 copper gigabit; 8 SFP interfaces
- PA … Gbps FW; 2 Gbps threat prevention; 500,000 sessions; 16 copper gigabit; 8 SFP interfaces
- PA … Gbps FW; 5 Gbps threat prevention; 2,000,000 sessions; 4 XFP (10 Gig) I/O; 4 SFP (1 Gig) I/O
- PA … Gbps FW; 500 Mbps threat prevention; 250,000 sessions; 16 copper gigabit; 4 SFP interfaces
- PA … Mbps FW; 200 Mbps threat prevention; 125,000 sessions; 12 copper gigabit; 2 SFP interfaces
- PA … Mbps FW; 100 Mbps threat prevention; 50,000 sessions; 8 copper gigabit

Leading Organizations Trust Palo Alto Networks
- Health Care
- Financial Services
- Government
- Mfg / High Tech / Energy
- Education
- Service Providers / Services
- Media / Entertainment / Retail