© 2007 Palo Alto Networks. Proprietary and Confidential Page 1 | Next Generation Firewalls Nir Zuk Founder and CTO

Dec 19, 2015

Transcript
Page 1: © 2007 Palo Alto Networks. Proprietary and Confidential Page 1 | Next Generation Firewalls Nir Zuk Founder and CTO.


Next Generation Firewalls

Nir Zuk, Founder and CTO

Page 2:

About the Speaker

• 2005-today: Founder and CTO at Palo Alto Networks (Next Generation Firewall)

• 2002-2005: CTO at NetScreen/Juniper

• 2000-2002: Founder and CTO at OneSecure (world’s first Network IPS)

• 1994-1999: Principal Engineer at Check Point Software

Page 3:

Some Simple Questions

Question #1: Who has a firewall?

Question #2: What is your firewall doing?

Your firewall is controlling access to your network? Really?

Page 4:

Is the Firewall Controlling Network Access?

• Let’s look at a typical enterprise server

No…. These are only 10% of your servers

90% of your servers are on end user desktops

[Slide graphic labels: eMule, eMule Server]

Page 5:


Real Data – What’s on Enterprise Networks

• Application usage assessment of 60 enterprises (960,000 users)

- Across verticals: financial services, health care, manufacturing, government, retail, education

• Looks at real enterprise traffic:

- How are networks being used?

- What applications are running on enterprise networks?

- Which applications are considered high-risk?

- What are the risks associated with the existing application mix?

- What threats are on enterprise networks?

Page 6:


6 Months Application Trends

[Chart: application usage, April vs. Sept.]

Page 7:

Some Simple Questions

Question #1: Who has a firewall?

Question #2: What is your firewall doing?

Your firewall is controlling access to your network? Really?

Question #3: If you were me, how’d you break into your network?

Page 8:

Applications Have Changed – Firewalls Have Not

• The firewall is using port numbers and IP addresses to classify applications and identify users

• BUT… applications have changed:

- Ports ≠ Applications

- IP Addresses ≠ Users

• Leaving IT blind to apps, users & content

Problem: IT Can’t Safely Enable Internet Applications

[Slide graphic: application categories Collaboration / Media, SaaS, Personal]
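"Ports ≠ Applications" in code, as an added example that is not from the slides: a toy classifier reads the first client bytes of a flow and compares the result with what the destination port implies. The protocol checks (SSH banner, TLS ClientHello header bytes, HTTP request line, eDonkey header byte) are simplified heuristics, and every flow below is constructed for the demo.

```python
import re

# What a port/protocol-based firewall assumes a flow to be.
PORT_TO_APP = {80: "web-browsing", 443: "ssl", 22: "ssh", 53: "dns"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")

def identify_by_payload(client_bytes: bytes) -> str:
    """Classify a TCP flow from its first client-to-server bytes (simplified heuristics)."""
    if client_bytes.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS: record type Handshake (0x16), version 3.x, first handshake message ClientHello (0x01)
    if len(client_bytes) >= 6 and client_bytes[0] == 0x16 and client_bytes[1] == 0x03 and client_bytes[5] == 0x01:
        return "ssl"
    if HTTP_REQUEST.match(client_bytes):
        return "web-browsing"
    if client_bytes[:1] in (b"\xe3", b"\xc5"):   # eDonkey / eMule protocol header bytes (crude)
        return "edonkey"
    return "unknown"

def classify_flow(dst_port: int, client_bytes: bytes) -> dict:
    """Compare the port-based guess with the payload-based identification."""
    port_app = PORT_TO_APP.get(dst_port, "unknown")
    app = identify_by_payload(client_bytes)
    return {"dst_port": dst_port, "port_app": port_app, "app": app, "mismatch": port_app != app}

def allowed(flow: dict, allowed_apps) -> bool:
    """Policy written in terms of applications: the port alone earns nothing."""
    return flow["app"] in allowed_apps

# Constructed flows: (destination port, first client bytes)
FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),          # web on 80: port and payload agree
    (443, b"SSH-2.0-OpenSSH_7.4\r\n"),                                 # SSH tunnelled over 443
    (8080, b"GET /wiki HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),   # web on a non-standard port
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),            # genuine TLS ClientHello prefix
    (4662, b"\xe3\x0e\x00\x00\x00\x01\x10\x0c"),                        # eDonkey login; the port says nothing
]

def report():
    """Classify every constructed flow."""
    return [classify_flow(port, data) for port, data in FLOWS]
```

A rule of the form "allow tcp/443" would pass the second flow; a rule of the form "allow ssl, web-browsing" evaluated against the payload-derived application does not.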

Page 9:

2006 Time Magazine’s Person of the Year

There is a direct relationship between Google, Yahoo, MSN, etc. and the end user

Page 10:

Can’t IPS Block Applications?

• Blocking applications, even if possible, is not the answer

• Yes, there are harmful applications that need to be blocked

• Many “Web 2.0” applications are useful:

- Enhancing productivity

- Giving competitive advantage to the business

- Employee retention and productivity

• Some applications are good but have bad features

• IPS cannot:

- Explicitly allow good traffic (can only block bad traffic)

- Identify users

- Identify which feature within the application is being used

Page 11:

Can Proxies Block Applications?

• Proxies cannot run at multi-gig

• High latency

• Cannot support millions of concurrent connections

• Proxies only work for proxied applications:

- Cannot build a proxy for hundreds of modern applications

- Break applications

Page 12:


HTTP: Universal Application Protocol

• HTTP is 64% of enterprise bandwidth

• Most HTTP traffic is client/server (54%) – proxies cannot deal with it

• Browser-based applications are 46% - some work with proxies and some don’t

• Web browsing is 23%

[Chart: All HTTP Applications, broken down into Web Browsing and Browser-based Applications]

Page 13:

Can Proxies Block Applications?

• Proxies cannot run at multi-gig

• High latency

• Cannot support millions of concurrent connections

• Proxies only work for proxied applications:

- Cannot build a proxy for hundreds of modern applications

- Break applications

• Oh… I almost forgot… Proxies can be bypassed easily

Page 14:


Circumvention Tools Get Around Security

• Users circumvent IT security controls

• Public proxy services/private proxies at home

• Encrypted tunnels

Page 15:

Some Simple Questions

Question #1: Who has a firewall?

Question #2: What is your firewall doing?

Your firewall is controlling access to your network? Really?

Question #3: If you were me, how’d you break into your network?

Question #4: Which threats to your network worry you?

Page 16:

Network Threats: Today’s Thinking

• When talking about network threats, the following come to mind:

- Viruses

- Spyware

- Exploits/Intrusions

- Worms

- Bots

- Trojans

- Etc.

• But these are not threats. These are technologies and mechanisms which carry threats

Page 17:

Network Threats: The Real Threats

• From the business’s perspective, network-borne threats include:

- Data loss

- Productivity loss

- Increasing operations costs (e.g., helpdesk overload)

- Non-compliance with regulations

- Business continuity

- Bad PR

• These threats can be introduced by viruses, spyware and exploits, but through other mechanisms as well

• Uncontrolled applications carry risks of all the threats in the list above

Page 18:

Applications’ Double Threat

• Applications bring threats:

- Data loss

- Productivity loss

- Increasing operations costs (e.g., helpdesk overload)

- Non-compliance with regulations

- Business continuity

- Bad PR

• Applications also carry traditional threat vectors:

- Viruses, Spyware, Exploits

• When allowing an application to be used, its traffic needs to be secured:

- Scan for Viruses, Spyware, Exploits, Data Loss, etc.

Page 19:

The Traditional Approach to Network Security

[Diagram: a stack of point products at the Security Perimeter, between Corporate Assets / WAN and the Internet, each added in response to a threat class and the year it appeared]

- Products: IPSEC VPN, IPS, Anti-Virus, Content Filtering, DoS Protection, Anti-Spyware, Worm Mitigation, DLP/ILP, WebApp Security, IM Security, IDS, XML Security

- Threats by year: Resource Access (1992), Eavesdropping (1994), Exploits (1996), Viruses (1997), Content Access (1998), Denial of Service (2000), IM Attacks (2002), Web App Attacks (2002), XML/W.S. Attacks (2004), Info Leakage (2005), Worms (2005), Spyware (2006)

Page 20:

The “UTM” Approach

[Diagram: separate products bolted together, each carrying its own Port/Protocol-based ID layer and its own L2/L3 Networking, HA, Config Management, Reporting layer: Firewall Policy; HTTP Decoder with URL Filtering Policy; IPS Decoder with IPS Signatures and IPS Policy; AV Decoder & Proxy with AV Signatures and AV Policy]

Page 21:


May I suggest a better approach?

Single-Pass Parallel Processing (SP3) Architecture

Single Pass

• Single processes for:

- Traffic classification (app identification)

- User/group mapping

- Content scanning – threats, URLs, DLP, etc.

• One policy

Parallel Processing

• Function-specific hardware engines

• Multi-core security processing

• Separate data/control planes

Up to 10Gbps, Low Latency

Page 22:

Making Content-Scanning Network-Ready

• Stream-based, not file-based, for real-time performance

- Dynamic reassembly

• Uniform signature engine scans for broad range of threats in single pass

• Threat detection covers vulnerability exploits (IPS), virus, and spyware (both downloads and phone-home)

[Diagram: timelines of File-based Scanning (Buffer File → Scan File → Deliver Content) vs. Stream-based Scanning (ID Content → Scan Content → Deliver Content, overlapping in time)]

Page 23:


New Requirements for the Firewall

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify users regardless of IP address

3. Granular visibility and policy control over application access / functionality

4. Protect in real-time against threats embedded across applications

5. Multi-gigabit, in-line deployment with no performance degradation

Next Generation Firewalls: Requirements

Page 24:

Palo Alto Networks Next Generation Firewalls…

• Application identification (~800)

• User identification

• Granular visibility & control

• Real time content security

• Multi-gigabit low latency

• Transparent deployments

[Chart: Performance vs. deployment size, from Branch Office/Medium Enterprise to Large Enterprise: PA-2000 Series at 500Mb and 1Gb, PA-4000 Series at 2Gb and 10Gb]

Page 25:


Identification Technologies Change the Game

App-ID: Identify the application

User-ID: Identify the user

Content-ID: Scan the content

Page 26:


PAN-OS Features

• Strong networking foundation:

- Flexible mix-and-match port configuration: Virtual wire (“L1”) for true transparent in-line deployment; L2 with full VLAN support; L3 with NAT and dynamic routing (OSPF, RIP, etc.); Tap mode – monitoring via SPAN port

- Site-to-site IPSec VPN

• Zone-based architecture:

- All interfaces assigned to security zones for policy enforcement

• High Availability:

- Configuration and session synchronization

- Path, link, and HA monitoring

- Active / passive

• Virtual Systems:

- Establish multiple virtual firewalls in a single device

• Intuitive and flexible management:

- CLI, Web, Panorama, SNMP, Syslog

Visibility and control of applications, users and content are complemented by core firewall features

Page 27:

Flexible Deployment Options

Application Visibility

• Connect to span port

• Provides application visibility without inline deployment

Transparent In-Line

• Deploy transparently behind existing firewall

• Provides application visibility & control without networking changes

Firewall Replacement

• Replace existing firewall

• Provides application and network-based visibility and control, consolidated policy, high performance

Page 28:

Purpose-Built Architecture: PA-4000 Series

• Flash Matching HW Engine

- Palo Alto Networks’ uniform signatures

- Multiple memory banks – memory bandwidth scales performance

• Multi-Core Security Processor

- High density processing for flexible security functionality

- Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)

• Dedicated Control Plane

- Highly available mgmt

- High speed logging and route updates

• 10 Gig Network Processor

- Front-end network processing offloads security processors

- Hardware accelerated QoS, route lookup, MAC lookup and NAT

[Block diagram: Control Plane (dual-core CPU, RAM, HDD) beside the Data Plane (Flash Matching Engine with RAM banks; CPU1, CPU2, CPU3 … CPU16 with SSL / IPSec / De-Compression offload; 10 Gig network processor handling QoS, Route/ARP/MAC lookup and NAT, with 10Gbps in and out)]

Page 29:

Users Do What They Want…Which Presents Risk

• Most users can employ any application they want

- Applications are evasive

- Proxies and encrypted tunnels are common

• Applications carry risk

- Application behavior – threats, file transfer, etc.

- Business risk – compliance, data loss, business continuity, operational costs, productivity

• Enterprise security and control infrastructure isn’t keeping up

- Network security is more expensive, harder to manage, and less effective

• IT needs to start thinking like the business

Page 30:


Thank You!