Presentation is loading. Please wait.

Presentation is loading. Please wait.

Next Generation FWs Against Modern Malware and Threads Hakan Unsal – Technical Security Consultant Tunc Cokkeser – Regional Sales Manager.

Published byKaty Costin Modified over 10 years ago

Similar presentations

Presentation on theme: "Next Generation FWs Against Modern Malware and Threads Hakan Unsal – Technical Security Consultant Tunc Cokkeser – Regional Sales Manager."— Presentation transcript:

1 Next Generation FWs Against Modern Malware and Threads Hakan Unsal – Technical Security Consultant Tunc Cokkeser – Regional Sales Manager

2 The Strategic Role of Modern Malware Infection Escalation Remote Control Malware Industry: 1 Trillion Dollar A new unknown MALWARE in each 1,5 sec Hidden in SSL or SSH tunneld / encrypted traffic Resource consuming MALWARE

3 Industry Challenges in Controlling Malware © 2011 Palo Alto Networks. Proprietary and Confidential.Page 3 | Unreliable enforcement Sandboxes lack enforcement, while enforcement points lack sandbox intelligence Lack of outbound traffic controls Lack of actionable information Inability to recognize files as malware Targeted malware New and refreshed malware Long windows to protection Infecting files are hidden Inside applications Encrypted traffic, proxies Non-standard ports Drive-by-downloads

4 Applications Have Changed; Firewalls Have Not © 2011 Palo Alto Networks. Proprietary and Confidential.Page 4 | Need to restore visibility and control in the firewall BUT…applications have changed Ports Applications IP Addresses Users Packets Content More than %67 of all applications use port 80 and 443

5 Why we need a NGFW? Applications Carry Risk © 2011 Palo Alto Networks. Proprietary and Confidential.Page 5 | Applications can be threats P2P file sharing, tunneling applications, anonymizers, media/video Applications carry threats Qualys Top 20 Vulnerabilities – majority result in application- level threats Applications & application-level threats result in major breaches – RSA, Comodo, FBI

6 Why we need a NGFW? Traditional Solutions are no longer a solution... More stuff doesnt solve the problem Firewall helpers have limited view of traffic Complex and costly to buy and maintain © 2011 Palo Alto Networks. Proprietary and Confidential.Page 6 | Internet Putting all of this in the same box is just slow

7 Why we need a NGFW? Control Must Be In The Firewall © 2011 Palo Alto Networks. Proprietary and Confidential.Page 7 | Port Policy Decision App Ctrl Policy Decision Application Control as an Add-on Port-based FW + App Ctrl (IPS) = two policies Applications are threats; only block what you expressly look for Implications Network access decision is made with no information Cannot safely enable applications IPS Applications Firewall PortTraffic Firewall IPS App Ctrl Policy Decision Scan Application for Threats Applications ApplicationTraffic NGFW Application Control Application control is in the firewall = single policy Visibility across all ports, for all traffic, all the time Implications Network access decision is made based on application identity Safely enable application usage

8 How a NGFW Should Be!!! The Right Answer: Make the Firewall Do Its Job © 2011 Palo Alto Networks. Proprietary and Confidential.Page 8 | New Requirements for the Firewall 1. Identify applications regardless of port, protocol, evasive tactic or SSL 2. Identify users regardless of IP address 3. Protect in real-time against threats embedded across applications 4. Fine-grained visibility and policy control over application access / functionality 5. Multi-gigabit, in-line deployment with no performance degradation

9 How a NGFW Should Be!!! Palo Alto Networks Controls the Threat Vector Simple, yet powerful control of 900+ applications – block, or allow but scan for threats

10 How a NGFW Should Be!!! Negative Security Method No Longer Works... © 2011 Palo Alto Networks. Proprietary and Confidential.Page 10 |

11 How a NGFW Should Be!!! Positive Security Methodology... » The ever-expanding universe of applications, services and threats » Traffic limited to approved business use cases based on App and User » Attack surface reduced by orders of magnitude » Complete threat library with no blind spots Bi-directional inspection Scans inside of SSL Scans inside compressed files Scans inside proxies and tunnels Only allow the apps you need Safely enable the applications relevant to your business © 2011 Palo Alto Networks. Proprietary and Confidential.Page 11 |

12 How a NGFW Should Be!!!Secure Enablement Secure Enablement - Block – e.g. – all P2P applications - Allow - but scan for threats - Allow - but limit app users - Allow - but limit app functions - Allow - but limit apps in a session - Allow - but limit access time - Allow - but shape (QoS) Low High Network Control

13 How a NGFW Shoud Be!!! Application Identification Algorithm

14 How a NGFW Should Be!!! BitTorrent

15 How a NGFW Should Be!!! BitTorrent: As Seen by Security Infrastructure

16 How a NGFW Should Be!!! Realtime Monitoring for Applications, Users & Content Application Command Center (ACC) - Uygulama, URL, tehditler ve data filtreleme aktivitelerini görüntüler © 2010 Palo Alto Networks. Proprietary and Confidential.Page 16 | Facebook için Filtre oluştur Facebook ve Ginger kullanıcısı İçin Filtre oluştur Sadece Ginger kullanıcısını görüntülemek için Facebooku kaldır

17 How a NGFW Should Be!!! WildFire Architecture © 2011 Palo Alto Networks. Proprietary and Confidential.Page 17 | Unknown files comming from Internet cloud Compare to Known Files Sandbox Environment Signature Generator Admin Web Portal FW sends the unknown file to Wildfire Cloud New signitures are updated on all FWs.

18 How a NGFW Should Be!!! A Realtime Application Identification Throughput L3/L4 UDP Packet throupghput is no longer reflects your requirements!!! APP - ID Application Identification Enabled Throughput is important for you!!! L7 Throughput should be considered No Acceptance for Dramatic Performance Decrease !!!

19 How a NGFW Should Be!!! Single-Pass Parallel Processing (SP3) Architecture © 2011 Palo Alto Networks. Proprietary and Confidential.Page 19 | Single Pass Operations once per packet - Traffic classification (app identification) - User/group mapping - Content scanning – threats, URLs, confidential data One policy Parallel Processing Function-specific parallel processing hardware engines Separate data/control planes Up to 20Gbps, Low Latency

20 © 2010 Palo Alto Networks. Proprietary and Confidential How a NGFW Should Be!!! Multi Gigs realtime High Throughput 80 Gbps switch fabric interconnect 20 Gbps QoS engine Signature Match HW Engine Stream-based uniform sig. match Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and more Security Processors High density parallel processing for flexible security functionality Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression) 20Gbps Network Processor 20 Gbps front-end network processing Hardware accelerated per- packet route lookup, MAC lookup and NAT 10Gbps Data PlaneSwitch Fabric 10Gbps... QoS Flow control Route, ARP, MAC lookup NAT Switch Fabric Signature Match SSLIPSec De- Compress. SSLIPSec De- Compress. SSLIPSec De- Compress. CPU 12 CPU 1 CPU 2 CPU 12 CPU 1 CPU 2 CPU 12 CPU 1 CPU 2 RAM Quad-core mgmt High speed logging and route update Dual hard drives Control Plane Core 1 RAM SSD Core 2 Core 3 Core 4

21 Technology Sprawl & Creep Are Not The Answer More stuff doesnt solve the problem Firewall helpers have limited view of traffic Complex and costly to buy and maintain © 2011 Palo Alto Networks. Proprietary and Confidential.Page 21 | Internet Putting all of this in the same box is just slow

22

Download ppt "Next Generation FWs Against Modern Malware and Threads Hakan Unsal – Technical Security Consultant Tunc Cokkeser – Regional Sales Manager."

Similar presentations

1 May 19th, 2009 Announcement. 2 Drivers for Web Application Delivery Web traffic continues to increase More processing power at data aggregation points.

1 May 19th, 2009 Announcement. 2 Drivers for Web Application Delivery Web traffic continues to increase More processing power at data aggregation points.
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Application Usage and Risk Report 7 th Edition, May 2011.

Application Usage and Risk Report 7 th Edition, May 2011.
Dynamic Computing & Dynamic Threats Requires Dynamic Security.

Dynamic Computing & Dynamic Threats Requires Dynamic Security.
Modern Malware Mixer. Jul-10Jul-11 Palo Alto Networks at a Glance Corporate Highlights Disruptive Network Security Platform Safely Enabling Applications.

Modern Malware Mixer. Jul-10Jul-11 Palo Alto Networks at a Glance Corporate Highlights Disruptive Network Security Platform Safely Enabling Applications.
Palo Alto Networks Jay Flanyak Channel Business Manager

Palo Alto Networks Jay Flanyak Channel Business Manager
Palo Alto Networks Overview

Palo Alto Networks Overview
© Blue Coat Systems, Inc. 2011. All Rights Reserved. APTs Are Not a New Type of Malware 1 Source: BC Labs Report: Advanced Persistent Threats.

© Blue Coat Systems, Inc All Rights Reserved. APTs Are Not a New Type of Malware 1 Source: BC Labs Report: Advanced Persistent Threats.
2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.

2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Palo Alto Networks Product Overview

Palo Alto Networks Product Overview
Breaking the Lifecycle of the Modern Threat Santiago Polo Sr. Systems Engineer Palo Alto Networks, Inc.

Breaking the Lifecycle of the Modern Threat Santiago Polo Sr. Systems Engineer Palo Alto Networks, Inc.
New Solutions to New Threats. The Threats, They Are A Changing Page 2 | © 2008 Palo Alto Networks. Proprietary and Confidential.

New Solutions to New Threats. The Threats, They Are A Changing Page 2 | © 2008 Palo Alto Networks. Proprietary and Confidential.
Next Generation Network Security Carlos Heller System Engineering.

Next Generation Network Security Carlos Heller System Engineering.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Cyber Threats: Industry Trends and Actionable Advice Presented by: Elton Fontaine.

Cyber Threats: Industry Trends and Actionable Advice Presented by: Elton Fontaine.
“Next Generation Security” ISACA June Training Seminar Philip Hurlston 6/20/14.

“Next Generation Security” ISACA June Training Seminar Philip Hurlston 6/20/14.
Palo Alto Networks Threat Prevention. Palo Alto Networks at a Glance Corporate Highlights Founded in 2005; First Customer Shipment in 2007 Safely Enabling.

Palo Alto Networks Threat Prevention. Palo Alto Networks at a Glance Corporate Highlights Founded in 2005; First Customer Shipment in 2007 Safely Enabling.
11 Zero Trust Networking PALO ALTO NETWORKS Zero Trust Networking April 2015 | ©2014, Palo Alto Networks. Confidential and Proprietary.1 Greg Kreiling.

11 Zero Trust Networking PALO ALTO NETWORKS Zero Trust Networking April 2015 | ©2014, Palo Alto Networks. Confidential and Proprietary.1 Greg Kreiling.

Similar presentations

Ads by Google