Building the Foundation of Information Security Defence with a New Mindset. Bruce Lan, Technical Manager, Taiwan, Palo Alto Networks

2011.06.23 Banking - Palo Alto Networks

Mar 07, 2016


[Building the Foundation of Information Security Protection with a New Mindset] Palo Alto Networks Technical Manager 藍博彥 (Bruce Lan)
Transcript
  • Bruce Lan, Technical Manager, Taiwan, Palo Alto Networks

  • Page 2 | Agenda

    Palo Alto Networks

  • 2010 Palo Alto Networks. Proprietary and Confidential. Page 3 |

  • Diagram labels: Internet, Internal, Remote site, Server farm

  • Diagram labels: Internet, Server farm

  • Ultrasurf, Freegate: Applications!!!


  • Slide labels: P2P, TEAMVIEWER, FACEBOOK, Email

  • Client PC

  • P2P

  • Slide labels: TEAMVIEWER, IT

  • webmail

    Facebook: Facebook Mail, Posting

  • Internet

    Traditional Applications: DNS, Gopher, SMTP, HTTP

    Dynamic Applications: FTP, RPC, Java/RMI, Multimedia

    Evasive Applications: Encrypted, Web 2.0, P2P, Instant Messenger, Skype, Music, Games, Desktop Applications, Spyware, Crimeware

    Layer 4 Firewall: Stateful Inspection

  • Enterprise 2.0: easy to pass through the firewall. What traffic is in the network?

    Comment            Source IP        Destination IP   Service/port   Action
    HTTP, HTTPS only   192.168.10.0/24  Any              80, 443        Allow
    ..                 X.X.X.X          X.X.X.X          5001           Allow
    Others             Any              Any              Any            Deny

    Internet

  • Applications Became Evasive

    - Needed to traverse the firewall

    - Would look for commonly open ports: Port 80, 443, 53

    - Or look for any available port: open high ports

    Diagram labels: FTP, SSH, Telnet, HTTP, IM; Port 22, Port 23, Port 531, Port 20, Port 80

    Evasive applications fundamentally break the port-based model

  • Non-Standard Is the New Standard

    67% of the apps use port 80, port 443, or hop ports

    190 of them are client/server

    177 can tunnel other applications, a feature no longer reserved for SSL or SSH

    Chart: Most Frequently Detected "Dynamic" Applications (y-axis 0% to 100%; values shown: 83%, 78%, 77%, 73%, 60%, 60%, 55%, 54%, 51%, 42%). Applications: Sharepoint, iTunes, MS RPC, Skype, BitTorrent, MSN Voice, Ooyla, Mediafire, eMule, Teamviewer

    Chart: Applications That are Capable of Tunneling (x-axis 0 to 75). By category: Networking (73), Collaboration (46), Media (24), General-Internet (17), Business-Systems (15). By type: Client-server (78), Browser-based (66), Network-protocol (19), Peer-to-peer (12)

    Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010

  • Broadening Threats

    Diagram labels: Malware URLs, Worms, Exploits, P2P, XSS, Botnets, IMs

    IDP/IPS vs. Applications: Encryption (e.g. SSL), Compression (e.g. GZIP), Proxies (e.g. UltraSurf), Tunneled Apps (e.g. Facebook), ?!?

    Outbound Phone Home Traffic

  • Diagram labels: Ultrasurf, IDP/IPS

  • Identifies applications regardless of port numbers, tunneling and encryption protocols (including P2P and IM). Firewall policy rules explicitly define which applications are permitted.

    More than 60% of applications are hidden from network firewalls.

    ISO 27001, A.11.4.1, Policy on use of network services: users should only be provided with access to the services that they have been specifically authorized to use.

    Control of applications is an essential requirement of IT security standards (ISO 27001, PCI, etc.): the Principle of Least Privilege. Common firewalls, IPS and UTM are not able to fulfil this requirement.

    ISO 27001, PCI

  • Least Privilege (Need to Know); Separation of Duties; Best Effort

    - CISSP

  • 1. Proactively reduce the attack surface

    2. Control the application-enabled vectors

    3. Protect against all threats in theory and in practice

    4. Shift to user-aware enforcement and reporting

    Gartner's recommendation: move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS, or the combination of the two.

    "To truly protect the network, enterprises need capabilities beyond what traditional IPS solutions provide" - Gartner

  • Next-Generation Threat Prevention: actively reduce the attack surface; control application-enabled threats; user-aware enforcement and reporting

    Traditional IPS Requirements: proven IPS accuracy; anti-virus / spyware; performance; research

    Palo Alto Networks Next-Generation Firewall

  • Traffic limited to approved business use cases based on App and User

    Attack surface reduced by orders of magnitude

    Complete threat library with no blind spots: bi-directional inspection; scans inside of SSL; scans inside compressed files; scans inside proxies and tunnels

  • Identify traffic (App-ID); Is user allowed? (User-ID); What threats? (Content-ID)

    Diagram labels: Port Number - TCP, SSL, HTTP, GMail, Google Talk; Inbound, Outbound

    Full cycle threat prevention: intrusion prevention, malware blocking, anti-virus control, URL site blocking, encrypted & compressed files

    Data leakage control: credit card numbers, custom data strings, document file types

  • PORT 80

  • Who uses P2P

  • For Accounting, allow web-browsing; for Marketing, allow web-browsing & facebook-chat

  • Who accesses it? What application? Where? Which security rule? What threat is detected?

  • Effective Security - by application, by user, content scanning

    Flexible Integration - L1/L2/L3/mixed mode; VLAN trunking, link aggregation

    Example: Network Segmentation (PCI)

    Example: Safe Enablement - developers stand up SQL instances on any port; only Oracle, SQL Server, MySQL, and DB/2 traffic is allowed access to the databases segment
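To make the contrast concrete between the port-based rule table shown earlier (HTTP/HTTPS only: 192.168.10.0/24 to any on 80, 443) and the application-aware database-segment rule above, here is a small first-match policy evaluator. It is an added example, not code from the deck or from Palo Alto Networks; the flows, the application labels (web-browsing, ssl, bittorrent, mysql, mssql-db, oracle, db2) and the 10.10.20.0/24 database segment are constructed assumptions.

```python
# Added example, not from the slides. Flows, application labels and the
# 10.10.20.0/24 database segment are constructed assumptions; the first
# port-based rule reproduces the slide's "HTTP,HTTPS only" table row.
from collections import namedtuple
from ipaddress import ip_address, ip_network
Flow = namedtuple("Flow", "src dst port app")  # app: identified from payload
# ports/apps of None mean "any"; a rule with apps=None is a pure port rule.
Rule = namedtuple("Rule", "name src_net dst_net ports apps action")

def matches(rule, flow):
    """True when the flow satisfies every field of the rule."""
    return (ip_address(flow.src) in ip_network(rule.src_net)
            and ip_address(flow.dst) in ip_network(rule.dst_net)
            and (rule.ports is None or flow.port in rule.ports)
            and (rule.apps is None or flow.app in rule.apps))

def evaluate(policy, flow):
    """First matching rule wins; no match hits the slide's final Deny row."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "deny"

# Port-based policy from the slide: any application is accepted on 80/443.
PORT_POLICY = [
    Rule("HTTP,HTTPS only", "192.168.10.0/24", "0.0.0.0/0", {80, 443}, None, "allow"),
]
# Application-aware policy: the web rule is pinned to web applications and the
# database-segment rule allows only the four database applications, on any port.
APP_POLICY = [
    Rule("web only", "192.168.10.0/24", "0.0.0.0/0", {80, 443},
         {"web-browsing", "ssl"}, "allow"),
    Rule("db segment", "192.168.10.0/24", "10.10.20.0/24", None,
         {"oracle", "mssql-db", "mysql", "db2"}, "allow"),
]
# Constructed flows: a normal web session, a P2P client hopping to port 443,
# and a developer's MySQL instance listening on a non-standard port.
FLOWS = {
    "web": Flow("192.168.10.5", "203.0.113.10", 443, "ssl"),
    "p2p_on_443": Flow("192.168.10.7", "198.51.100.9", 443, "bittorrent"),
    "mysql_high_port": Flow("192.168.10.9", "10.10.20.4", 33061, "mysql"),
}

def decisions(policy):
    """Map each constructed flow name to the policy's verdict."""
    return {name: evaluate(policy, flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    print("port-based:", decisions(PORT_POLICY))  # p2p_on_443 slips through
    print("app-aware :", decisions(APP_POLICY))   # mysql_high_port enabled safely
```

The port-based policy allows the BitTorrent flow because it hops to 443 and denies the developer's MySQL instance on its non-standard port, while the application-aware policy gives the opposite, intended verdicts.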

  • Diagram labels: WAN and Internet, Users, Domain Users, Development Servers, Infrastructure Servers, Exchange OWA Servers

  • Appropriate protection of IT systems requires safeguards that control many network segments in different modes: L3, transparent (L2) and sniffer.

    Cost effectiveness requires virtualization of the protections: VLAN interfaces, virtual routers, and virtual systems.

    Networks and threats are changing

  • Palo Alto Networks solution

    Diagram labels: L2 VLAN 10, L2 VLAN 20, L3 DMZ, L3 Internet, Vwire, Tap, Core Switch

    Many work modes: Tap Mode, Virtual Wire, Layer 2, Layer 3 with dynamic routing protocols.

    The protection work mode is adjusted to the requirements; network interfaces in one device can work in different modes.

    Security virtualization: VLAN interfaces in L2 and L3, virtual routers and virtual systems.

  • Deployment options: Visibility | Transparent In-Line | Firewall Replacement

    Visibility: application, user and content visibility without inline deployment

    Transparent In-Line: IPS with app visibility & control; consolidation of IPS & URL filtering

    Firewall Replacement: firewall replacement with app visibility & control; Firewall + IPS; Firewall + IPS + URL filtering

  • Founded in 2005 by Nir Zuk, inventor of stateful inspection technology. 2005, 2007: Next-Generation Firewalls (NGFW). Check Point, NetScreen, McAfee, Juniper Networks, Blue Coat, and Cisco. 60+, 3500+ (until 2010 Q4)

    Nir Zuk: 1994-1999 Check Point CTO, Stateful Inspection; 2000-2002 CTO at OneSecure; 2002-2005 CTO at NetScreen / Juniper; 2005 Founder & CTO at Palo Alto Networks

    Palo Alto Networks