© 2007 Palo Alto Networks. Proprietary and Confidential Page 1 | Implementing Policy and Control Steve Mullaney Vice President, Marketing

Implementing Policy and Control

Jul 18, 2016


Palo Alto firewall rules and policy access list. The Palo Alto Networks firewall allows you to specify security policies based on a more accurate
identification of each application seeking access to your network. Unlike traditional firewalls that
identify applications only by protocol and port number, the firewall uses packet inspection and a library
of application signatures to distinguish between applications that have the same protocol and port, and
to identify potentially malicious applications that use non-standard ports.
Transcript
Page 1: Implementing Policy and Control


Implementing Policy and Control

Steve Mullaney

Vice President, Marketing

Page 2: Implementing Policy and Control

What IT Needs to Control Has Changed

• Before, “applications” were well-understood.

- Network utilities, OLTP

- Internally-developed enterprise client server

- Known behavior, studied risks, predictable

- Power users are rare

• Now, “applications” are likely to be employed by users for months before IT hears about them

- Collaboration, media, interactivity

- Externally-sourced, browser-based, Web 2.0

- Unknown behavior, unknown risks, unpredictable

- Everybody is a power user

Both Applications and Users Have Evolved

Page 3: Implementing Policy and Control

Enterprise Users Do What They Want

• The Application Usage & Risk Report highlights actual behavior of 350,000 users across 20 organizations:

- End-users actively circumvent controls - 80% of organizations

- Port 80 traffic isn’t what you think it is – most Port 80 apps not web browsing

- Non-business applications chew up all available bandwidth – video, P2P, audio, etc.

Presents Risks to Your Business That You Can’t Control

Page 4: Implementing Policy and Control

© 2008 Palo Alto Networks. Proprietary and Confidential Page 4 |

IT is Blind to Applications on the Network

• Applications have gone evasive

- Encryption

- Port-agnostic (80 or 443)

- Port-agile

• Need to enable agile business technology adoption

• Threats target applications

• Leads to increased business risks

- Productivity

- Compliance

- Operational cost

- Business continuity

- Data loss

Need to Safely Enable Some New Applications, Effectively Block Others

[Slide columns: Problem | Why it Matters. Diagram label: Internet Gateway]

Page 5: Implementing Policy and Control

The Strategy is Fine, but the Execution Stinks


• The gateway on the trust border is the right place to exert control

- All traffic goes through

- Defines trust boundary

- Since biblical times, the natural place to apply policy

• BUT…

- What firewalls need to do has changed

- Unfortunately, firewalls haven’t changed

• Fix the execution, make the firewall do its job

Page 6: Implementing Policy and Control


Classify Applications, Not Ports or Protocols

• Applications use port 80 or 443

• Applications are evasive

• Need multiple ways to identify

- Decryption

- Decoding

- Pattern recognition

Need to ID and control all sorts of applications

Page 7: Implementing Policy and Control


New Requirements for the Firewall

1. Identify applications regardless of port, protocol or evasive tactic

2. Policy-based decryption, identification and control of SSL

3. Granular visibility and policy control over application access / functionality

4. Protect in real-time against broad threats embedded across applications

5. Multi-gigabit, in-line deployment with no performance degradation

Making the Firewall Do Its Job

Page 8: Implementing Policy and Control


About Palo Alto Networks

• Founded in 2005 by Nir Zuk, inventor of stateful inspection technology

• Builds next generation firewalls; visibility and control of 600+ applications

• Integrated URL filtering and high-speed threat prevention

• Named Gartner Cool Vendor in 2008; 2008 Best of Interop Grand Prize

Page 9: Implementing Policy and Control

Visibility of Apps/Users/Risk = Common Language

Palo Alto Networks Enables Safe Use of New Applications

Risk, Users, Applications

• IT: Threats, Viruses, Hackers, IP addresses, Ports

NO

• Business: Growth, Profit, Revenue, Competition, Business process

YES…but HOW?

Eliminate Risk | Manage Risk

Page 10: Implementing Policy and Control


Thank You!