Palo Alto Networks Overview
March 2012, Data Connectors. Micah Richardson, Account Manager
Agenda
- Corporate Overview
- Why a NGFW?
- Key Technologies, Architecture Review, Wildfire
- Web Interface
- Model Review
- 2011 Gartner Report Review
© 2011 Palo Alto Networks. Proprietary and Confidential.
About Palo Alto Networks
- Palo Alto Networks is the Network Security Company
- World-class team with strong security and networking experience
- Founded in 2005, first customer July 2007, top-tier investors
- Builds next-generation firewalls that identify / control ~1450+ applications
- Restores the firewall as the core of enterprise network security infrastructure
- Innovations: App-ID™, User-ID™, Content-ID™
- Global momentum: 7,500+ customers
- August 2011: annual bookings run rate is over US$200 million*, cash-flow positive for the last five consecutive quarters
- A few of the many enterprises that have deployed more than $1M: [customer logos]
(*) Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks' fiscal year runs from August 1st until July 31st.
Applications Have Changed; Firewalls Have Not
The firewall is the right place to enforce policy control:
- Sees all traffic
- Defines the trust boundary
- Enables access via positive control
BUT... applications have changed:
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Need to restore visibility and control in the firewall.
Applications Carry Risk
- Applications can be "threats": P2P file sharing, tunneling applications, anonymizers, media/video
- Applications carry threats: Qualys Top 20 Vulnerabilities – the majority result in application-level threats
- Applications and application-level threats result in major breaches – RSA, Comodo, FBI
Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks' latest Application Usage & Risk Report highlights the actual behavior of 1M+ users in 1,253 organizations:
- More enterprise 2.0 application use for personal and business reasons; tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies and URL filtering – but none of these organizations could control what applications ran on their networks
- Google Docs and Calendar resource consumption* is up significantly
- Google Talk Gadget shot up by 56% while Google Talk dropped 76%
- Bandwidth consumed by Facebook, per organization, is a staggering 4.9 GB
- Bandwidth consumed by SharePoint and LinkedIn is up 14% and 48% respectively
- 67% of the applications use port 80, port 443, or hop ports
- Many (190) are client-server
- 177 can tunnel other applications, a feature no longer reserved for SSL or SSH
Technology Sprawl & Creep Are Not The Answer
- "More stuff" doesn't solve the problem
- Firewall "helpers" have a limited view of traffic
- Complex and costly to buy and maintain
- Putting all of this in the same box is just slow
The Right Answer: Make the Firewall Do Its Job
New requirements for the firewall:
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
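Requirement 1 above (and the "Ports ≠ Applications" point earlier in the deck) is easiest to see with a concrete flow table. The following is an added example, not Palo Alto Networks code and not the App-ID engine: a toy classifier that identifies a flow from the first bytes the client sends and compares that verdict with what a port-based rule would assume, then applies positive control (only explicitly allowed applications pass, "unknown" included in the deny). The signature table, the port assumptions and the sample flows are constructed for the illustration.

```python
"""Application identification by payload signature versus by destination port.

Added example, not Palo Alto Networks code: a toy classifier that looks at the
first client bytes of a flow instead of trusting the destination port. The
signature table, the port map and the sample flows are constructed here.
"""
import re

# HTTP request line, as sent by a browser or any tool that speaks HTTP/1.x.
_HTTP_REQ = re.compile(rb"^(?:GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def _is_tls_client_hello(p: bytes) -> bool:
    # TLS record header: type 0x16 (handshake), version 0x03xx, then handshake type 0x01.
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


# Signatures keyed on the first bytes the client sends. A real engine uses far more
# context (both directions, decoders, heuristics); four are enough to make the point.
SIGNATURES = [
    ("ssh",          lambda p: p.startswith(b"SSH-")),
    ("bittorrent",   lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("tls",          _is_tls_client_hello),
    ("web-browsing", lambda p: _HTTP_REQ.match(p) is not None),
]

# What a port-based firewall believes a destination port carries.
PORT_ASSUMPTION = {22: "ssh", 80: "web-browsing", 443: "tls", 6881: "bittorrent"}


def identify_by_port(dst_port: int) -> str:
    return PORT_ASSUMPTION.get(dst_port, "unknown")


def identify_by_payload(payload: bytes) -> str:
    for app, matches in SIGNATURES:
        if matches(payload):
            return app
    return "unknown"


def classify(flows):
    """One record per (dst_port, first client bytes): the port-based guess, the
    payload-based verdict, and whether the port would have misled a port-based rule."""
    out = []
    for dst_port, payload in flows:
        by_port = identify_by_port(dst_port)
        by_payload = identify_by_payload(payload)
        out.append({"port": dst_port, "by_port": by_port,
                    "by_payload": by_payload, "evasive": by_port != by_payload})
    return out


def decide(app: str, allowed: frozenset) -> str:
    """Positive control: only explicitly allowed applications pass; anything else,
    'unknown' included, is denied."""
    return "allow" if app in allowed else "deny"


# Constructed sample flows: (destination port, first bytes sent by the client).
SAMPLE_FLOWS = [
    (80,   b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (443,  b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + b"\x00" * 32),
    (443,  b"SSH-2.0-OpenSSH_8.9\r\n"),                # SSH hidden on the HTTPS port
    (80,   b"\x13BitTorrent protocol" + b"\x00" * 8),  # P2P hidden on the HTTP port
    (8080, b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\n"),  # HTTP on an odd port
]

ALLOWED_APPS = frozenset({"web-browsing", "tls"})

if __name__ == "__main__":
    for rec in classify(SAMPLE_FLOWS):
        print(f"port {rec['port']:5d}  port-based={rec['by_port']:<13}"
              f" payload-based={rec['by_payload']:<13}"
              f" decision={decide(rec['by_payload'], ALLOWED_APPS)}"
              + ("  <- port lied" if rec["evasive"] else ""))
```

Three of the five constructed flows are misjudged by port alone: SSH on 443 would be waved through as "HTTPS", BitTorrent on 80 as "web", and legitimate HTTP on 8080 would need its own port rule. The payload-based verdict feeds the policy decision, which is the single-policy model the next slide contrasts with a port firewall plus an add-on.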
Why Visibility & Control Must Be In The Firewall
Application control in the firewall (NGFW):
- Application control is in the firewall = single policy
- Visibility across all ports, for all traffic, all the time
- Implications: the network access decision is made based on application identity; applications can be safely enabled
Application control as an add-on:
- Port-based firewall + application control (IPS) = two policies
- Applications are treated as threats; you only block what you expressly look for
- Implications: the network access decision is made with no application information; applications cannot be safely enabled
[Diagram: in the NGFW, application traffic goes through one policy decision based on application identity and the allowed application is then scanned for threats; in the add-on design, a port-based policy decision is followed by a separate application control / IPS policy decision.]
What You See...with Port-Based FW + Application Control Add-on
You can only see what you are looking for.
What You See with a True Next-Generation Firewall
With a Palo Alto Networks Next-Generation Firewall, it's like walking into a dark room and turning on the light: complete visibility and control.
Your Control With Port-based Firewall Add-on
Even with the best standalone IPS on the market behind your firewall, you are still playing "whack-a-mole": trying to identify threats and block them after they have already bypassed your firewall and invaded your network.
Your Control With a Next-Generation Firewall
Safely enable the applications relevant to your business:
- Only allow the apps you need
- Control the threat vector: by first controlling which applications run on the network, organizations greatly reduce their attack surface
- Control all allowed traffic with industry-leading IPS: identify and stop threats; scan inside SSL and compressed content; stop leaks of confidential data (e.g., credit card numbers)
The important takeaway for the slide: when we use the full power of the Palo Alto Networks NGFW we can expand the conversation from one about point solutions to one about fundamentally changing the risk profile of the enterprise. If someone is trying to shoot you, make yourself as small as possible!
- Traffic limited to approved business use cases based on App and User
- Attack surface reduced by orders of magnitude
- Complete threat library with no blind spots: bi-directional inspection; scans inside of SSL; scans inside compressed files; scans inside proxies and tunnels
[Diagram: the ever-expanding universe of applications, services and threats, narrowed to the approved set]
Identification Technologies Transform the Firewall
- App-ID™: identify the application
- User-ID™: identify the user
- Content-ID™: scan the content
Single-Pass Parallel Processing™ (SP3) Architecture
Single pass – operations once per packet:
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
- One policy
Parallel processing:
- Function-specific parallel processing hardware engines
- Separate data/control planes
Up to 20 Gbps, low latency
Transforming The Perimeter and Datacenter
Same Next-Generation Firewall, different benefits...
Perimeter:
- Application visibility and control
- Threat prevention for allowed application traffic
- Unified policy based on applications, users, and content
Datacenter:
- High-performance firewalling and threat prevention; simple deployment
- Segmentation by application and user
- Identification/control of rogue applications
Comprehensive View of Applications, Users & Content
Application Command Center (ACC):
- View applications, URLs, threats, data filtering activity
- Add/remove filters to achieve the desired result
[Screenshot callouts: filter on facebook-base; filter on facebook-base and user "cook"; remove facebook-base to expand the view of user "cook"]
PAN-OS Core Firewall Features
Visibility and control of applications, users and content complement core firewall features:
- Strong networking foundation: dynamic routing (BGP, OSPF, RIPv2); tap mode – connect to a SPAN port; virtual wire ("Layer 1") for true transparent in-line deployment; L2/L3 switching foundation; policy-based forwarding
- VPN: site-to-site IPSec VPN; SSL VPN
- QoS traffic shaping: max/guaranteed and priority; by user, app, interface, zone, and more; real-time bandwidth monitor
- Zone-based architecture: all interfaces assigned to security zones for policy enforcement
- High availability: active/active, active/passive; configuration and session synchronization; path, link, and HA monitoring
- Virtual systems: establish multiple virtual firewalls in a single device (PA-5000, PA-4000, and PA-2000 Series)
- Simple, flexible management: CLI, Web, Panorama, SNMP, Syslog
[Pictured: PA-5060, PA-5050, PA-5020, PA-4060, PA-4050, PA-4020, PA-2050, PA-2020, PA-500]
2011 Magic Quadrant for Enterprise Network Firewalls
"Palo Alto Networks' high-performance NGFW functionality continues to drive competitors to react in the firewall market. It is assessed as a Leader mostly because of its NGFW design, redirection of the market along the NGFW path, consistent displacement of Leaders and Challengers, and market disruption forcing Leaders to react."
Source: Gartner, December 14, 2011
2010 Magic Quadrant for Enterprise Network Firewalls
[Chart: Gartner Magic Quadrant as of March 2010; horizontal axis "completeness of vision", vertical axis "ability to execute"; quadrant labels shown: visionaries, niche players. Vendors plotted: Palo Alto Networks, Check Point Software Technologies, Juniper Networks, Cisco, Fortinet, McAfee, Stonesoft, SonicWALL, WatchGuard, NETASQ, Astaro, phion, 3Com/H3C.]
Source: Gartner
Continual Customer Driven Innovation
- App-ID: traffic classification by application; all ports, all the time. SSL decryption/inspection, control of unknowns, PCAPs, App override, function enablement, custom App-IDs, QoS, PBF, SSH control...
- User-ID: user identity becomes pervasive; visibility, policy, logging and reporting. Active Directory, terminal services, LDAP, eDirectory, XML API...
- Content-ID: single-engine stream-based scanning of allowed content. Exploits, viruses, confidential data, botnets, modern malware...
- Enterprise-class platform: scalable, deployable, predictable. Dual-plane architecture; single-pass software, function-specific processing, tap mode, Vwire, L2/L3/mixed mode, IPv6...
[Chart: customer count, 2007 to 2011]
Addresses Three Key Business Problems
Identify and control applications:
- Visibility of ~1450+ applications, regardless of port, protocol, encryption, or evasive tactic
- Fine-grained control over applications (allow, deny, limit, scan, shape)
- Addresses the key deficiencies of legacy firewall infrastructure
Prevent threats:
- Stop a variety of threats – exploits (by vulnerability), viruses, spyware
- Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
- Stream-based engine ensures high performance
- Enforce acceptable use policies on users for general web site browsing
Simplify security infrastructure:
- Put the firewall at the center of the network security infrastructure
- Reduce complexity in architecture and operations
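"Stop leaks of confidential data" here, and "scan inside SSL and compressed content" on the earlier Next-Generation Firewall control slide, both come down to the same two engineering points: the scanner has to see the content after the encoding has been undone, and a bare digit-run pattern is useless without a plausibility check. The block below is an added example, not Palo Alto Networks code and not the Content-ID data-filtering engine: it decompresses a gzip-encoded HTTP body before matching, validates card-number candidates with the Luhn checksum and SSN candidates with basic issuance rules, and shows that the same body scanned without decompression yields nothing. The patterns, the plausibility rules and the sample form post are constructed for the illustration.

```python
"""Scanning allowed content for confidential data, including inside compressed bodies.

Added example, not Palo Alto Networks code: a small data-filtering pass that
decompresses a gzip-encoded HTTP body before pattern matching, then validates
candidate card numbers with the Luhn checksum so that ordinary digit runs do
not trigger a block. The patterns, the SSN plausibility rules and the sample
message are constructed for this illustration.
"""
import gzip
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not part of a longer run.
_CARD_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# nnn-nn-nnnn; plausibility is checked in find_ssns.
_SSN = re.compile(rb"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn: double every second digit from the right (subtract 9 if > 9); sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(data: bytes) -> list:
    found = []
    for m in _CARD_CANDIDATE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(digits):
            found.append(digits)
    return found


def find_ssns(data: bytes) -> list:
    found = []
    for m in _SSN.finditer(data):
        area, group, serial = m.groups()
        # Area 000, 666 and 900-999 are never issued; group and serial cannot be all zeros.
        if area in (b"000", b"666") or area.startswith(b"9") or group == b"00" or serial == b"0000":
            continue
        found.append(m.group(0).decode())
    return found


def decode_body(headers: dict, body: bytes) -> bytes:
    """Undo the content encoding the scanner must see through (gzip only, in this example)."""
    if headers.get("content-encoding", "").lower() == "gzip":
        return gzip.decompress(body)
    return body


def scan_message(headers: dict, body: bytes, decompress: bool = True):
    """Return ("block", findings) when confidential data is present, else ("allow", {})."""
    data = decode_body(headers, body) if decompress else body
    findings = {}
    cards = find_card_numbers(data)
    if cards:
        findings["credit-card"] = cards
    ssns = find_ssns(data)
    if ssns:
        findings["ssn"] = ssns
    return ("block" if findings else "allow"), findings


# Constructed sample: a form post whose body the client gzip-compressed.
# 4111 1111 1111 1111 is a Luhn-valid test number; 4111111111111112 is not.
PLAINTEXT_BODY = (b"name=J.+Doe&card=4111 1111 1111 1111&expires=12/27"
                  b"&order=4111111111111112&ssn=123-45-6789&bogus=666-12-3456")
SAMPLE_HEADERS = {"content-type": "application/x-www-form-urlencoded",
                  "content-encoding": "gzip"}
SAMPLE_BODY = gzip.compress(PLAINTEXT_BODY, mtime=0)

if __name__ == "__main__":
    print("compressed bytes scanned as-is:", scan_message(SAMPLE_HEADERS, SAMPLE_BODY, decompress=False))
    print("scanned after decompression:   ", scan_message(SAMPLE_HEADERS, SAMPLE_BODY))
```

The non-Luhn "order" number and the never-issued 666 area number are dropped, which is what keeps a production data-filtering rule from blocking every invoice and tracking number; the encrypted case is the same idea one layer down, in that the scanner has to sit after SSL decryption to see anything at all.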
Thank You
Additional Information
Speeds and Feeds, Deployment, Customers, TCO, Support, and Management
Global Support. Local Availability. Enterprise Class.
Global support infrastructure:
- Global TACs (Santa Clara HQ, Dallas, Antwerp, Singapore, Tokyo)
- Global hardware depots (Santa Clara, Amsterdam, Singapore)
Programs and features to address global support demands:
- On-line Support Knowledge Portal
- Premium Support (24 x 7)
- Standard Support (8 x 5)
- Technical Account Managers
- Hardware support/replacement options (standard, premium, 4-hour, on-site spares, and system HA)
Integrated approach to services, training, and support
Next-Generation Firewalls Are Network Security
August 2011: Extraordinary Business Results
(*) Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks' fiscal year runs from August 1st until July 31st.
Palo Alto Networks Next-Gen Firewalls
Model     Firewall    Threat prevention   Sessions    Interfaces
PA-5060   20 Gbps     10 Gbps             4,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5050   10 Gbps     5 Gbps              2,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020   5 Gbps      2 Gbps              1,000,000   8 SFP, 12 copper gigabit
PA-4060   10 Gbps     5 Gbps              2,000,000   4 XFP (10 Gig), 4 SFP (1 Gig)
PA-4050   10 Gbps     5 Gbps              2,000,000   8 SFP, 16 copper gigabit
PA-4020   2 Gbps      2 Gbps              500,000     8 SFP, 16 copper gigabit
PA-2050   1 Gbps      500 Mbps            250,000     4 SFP, 16 copper gigabit
PA-2020   500 Mbps    200 Mbps            125,000     2 SFP, 12 copper gigabit
PA-500    250 Mbps    100 Mbps            50,000      8 copper gigabit
Introducing GlobalProtect
- Users never go "off-network" regardless of location
- All firewalls work together to provide a "cloud" of network security
How it works:
1. A small agent determines the network location (on or off the enterprise network)
2. If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
3. The agent submits a host information profile (patch level, asset type, disk encryption, and more) to the gateway
4. The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
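Step 4 is the part worth seeing in code: the same user requesting the same application gets a different answer depending on what the host information profile says. The block below is an added example, not Palo Alto Networks code and not the GlobalProtect or PAN-OS rule format: a first-match rulebase evaluated with default deny, where a rule can require HIP attributes (disk encryption, a minimum patch level, an asset type) on top of the application name from App-ID and the directory group from User-ID. The rules, users, group memberships and posture records are constructed for the illustration.

```python
"""Policy that gates access on application, user group and host posture.

Added example, not Palo Alto Networks code and not the GlobalProtect or PAN-OS
rule format: a first-match rule table evaluated with default deny, where a
rule can require host-information-profile (HIP) attributes such as disk
encryption, a minimum patch level and an asset type in addition to the
application and the user's directory group. Rules, users and sessions are
constructed for this illustration.
"""
from dataclasses import dataclass

ANY = frozenset({"any"})


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset            # App-ID names this rule covers, or ANY
    groups: frozenset          # directory groups from User-ID, or ANY
    action: str                # "allow" or "deny"
    require_encrypted: bool = False
    min_patch_level: int = 0
    asset_types: frozenset = ANY


def _covers(wanted: frozenset, value: str) -> bool:
    return "any" in wanted or value in wanted


def hip_satisfies(rule: Rule, hip: dict) -> bool:
    """Posture checks; an attribute the agent did not report counts as failing."""
    if rule.require_encrypted and not hip.get("disk_encrypted", False):
        return False
    if hip.get("patch_level", 0) < rule.min_patch_level:
        return False
    return _covers(rule.asset_types, hip.get("asset_type", "unknown"))


def evaluate(rules, session: dict, user_groups: dict):
    """First matching rule wins; a session that matches no rule is denied.
    session = {"app": <App-ID name>, "user": <User-ID name>, "hip": {...}}"""
    groups = user_groups.get(session["user"], set())
    for rule in rules:
        if not _covers(rule.apps, session["app"]):
            continue
        if "any" not in rule.groups and not (rule.groups & groups):
            continue
        if not hip_satisfies(rule, session["hip"]):
            continue
        return rule.action, rule.name
    return "deny", "default-deny"


# Constructed rulebase: internal SharePoint only for employees on healthy corporate
# laptops; general web for anyone; P2P explicitly blocked; everything else denied.
RULES = [
    Rule("sharepoint-managed-only", frozenset({"sharepoint"}), frozenset({"employees"}), "allow",
         require_encrypted=True, min_patch_level=5, asset_types=frozenset({"corporate-laptop"})),
    Rule("general-web", frozenset({"web-browsing", "ssl"}), ANY, "allow"),
    Rule("block-p2p", frozenset({"bittorrent"}), ANY, "deny"),
]
USER_GROUPS = {"alice": {"employees"}, "bob": {"contractors"}}

# Constructed host information profiles as the agent would report them.
HEALTHY = {"disk_encrypted": True, "patch_level": 7, "asset_type": "corporate-laptop"}
UNENCRYPTED = {"disk_encrypted": False, "patch_level": 7, "asset_type": "corporate-laptop"}
STALE_BYOD = {"disk_encrypted": True, "patch_level": 2, "asset_type": "personal"}


def decide(app: str, user: str, hip: dict):
    return evaluate(RULES, {"app": app, "user": user, "hip": hip}, USER_GROUPS)


if __name__ == "__main__":
    for app, user, hip in [("sharepoint", "alice", HEALTHY), ("sharepoint", "alice", UNENCRYPTED),
                           ("sharepoint", "bob", HEALTHY), ("web-browsing", "bob", STALE_BYOD),
                           ("bittorrent", "alice", HEALTHY), ("unknown-tcp", "alice", HEALTHY)]:
        print(f"{user:6} {app:12} -> {decide(app, user, hip)}")
```

The order of the rules matters as much as their contents: the posture-gated SharePoint rule sits before the broad web rule, and nothing after "block-p2p" rescues a flow, so an application the firewall cannot name falls through to the default deny rather than to an implicit allow.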
A Modern Architecture for Enterprise Network Security
- Establishes a logical perimeter that is not bound to physical limitations
- Users receive the same depth and quality of protection both inside and out
- Security work is performed by purpose-built firewalls, not end-user laptops
- Unified visibility, compliance and reporting
[Diagram labels: exploits, malware, botnets]
Redefine Network Security – and Save Money!
Capital cost – replace multiple devices:
- Legacy firewall, IPS, URL filtering device (e.g. proxy, secure web gateway...)
- Cut by as much as 80%
"Hard" operational expenses:
- Support contracts
- Subscriptions
- Power and HVAC
Save on "soft" costs too:
- Rack space, deployment/integration, headcount, training, help desk calls
- Cut by as much as 65%
Flexible Deployment Options
Visibility:
- Application, user and content visibility without inline deployment
Transparent in-line:
- IPS with app visibility & control
- Consolidation of IPS & URL filtering
Firewall replacement:
- Firewall replacement with app visibility & control
- Firewall + IPS
- Firewall + IPS + URL filtering
Enables Visibility Into Applications, Users, and Content
A few simple guidelines...
Never use 'PAN' in slides, always use Palo Alto Networks. The easiest way to avoid typing that all the time is by using an automatic text expansion tool, such as:
- Typinator for Mac OS (€19.99)
- Texter for Windows (free)
Our corporate colors in PowerPoint are: Green, Blue