The Ultimate Test Drive With Palo Alto Networks

Palo Alto Networks - magellan-net.de

Feb 08, 2022
Page 1: Palo Alto Networks - magellan-net.de

The Ultimate Test Drive

With Palo Alto Networks

Page 2

Agenda

Introductions, Goals and Objectives

Product Overview

Break (RDP install)

Hands-on Workshop

Lunch with Q&A

2 | ©2013, Palo Alto Networks. Confidential and Proprietary.

Page 3

Goals & Objectives

By the end of this workshop you should be able to:

• Navigate the Palo Alto Networks GUI

• Create and update policies

• Understand how changes to the configuration affect the behavior of traffic across the firewall

• Understand the basic operation of Logs and Reporting

Page 4

Palo Alto Networks Product Overview

Page 5

Palo Alto Networks at a Glance

Corporate highlights

Founded in 2005; first customer shipment in 2007

Safely enabling applications

Able to address all network security needs

Exceptional ability to support global customers

Experienced technology and management team

850+ employees globally

[Chart: Enterprise customers, Jul-10 to Nov-12 (1,800; 4,700; 10,000), and Revenue in $MM, FYE July, FY09 to FY12 ($13; $49; $119; $255)]

Page 6

Applications Have Changed, Firewalls Haven’t

• Network security policy is enforced at the firewall

• Sees all traffic

• Defines boundary

• Enables access

• Traditional firewalls don’t work any more

Page 7

Applications: Threat Vector and a Target

Threats target applications

• Used as a delivery mechanism

• Application specific exploits

Page 8

Applications: Payload Delivery/Command & Control

Applications provide exfiltration

• Confidential data

• Threat communication

Page 9

Encrypted Applications: Unseen by Firewalls

What happens when traffic is encrypted?

• SSL

• Proprietary encryption

Page 10

Technology Sprawl and Creep Aren’t the Answer

Enterprise Network

• “More stuff” doesn’t solve the problem

• Firewall “helpers” have limited view of traffic

• Complex and costly to buy and maintain

• Doesn’t address applications

[Diagram: enterprise network and Internet with the stack of add-on products: IM, DLP, IPS, Proxy, URL, AV, UTM]

Page 11

The Answer? Make the Firewall Do Its Job

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify and control users regardless of IP address, location, or device

3. Protect against known and unknown application-borne threats

4. Fine-grained visibility and policy control over application access / functionality

5. Multi-gigabit, low latency, in-line deployment

Page 12

Differentiating: App-ID vs. Two Step Scanning

Operational ramifications of two step scanning

Two separate policies with duplicate info – impossible to reconcile them

Two log databases decrease visibility

Unable to systematically manage unknown traffic

Weakens the deny-all-else premise

Every firewall competitor uses two step scanning

[Diagram: two step scanning – a port policy decision at the firewall (allow port 80 traffic) followed by an app control policy decision at the IPS; 300 or more applications pass through each stage]

Page 13

Enabling Applications, Users and Content

Page 14

Making the Firewall a Business Enablement Tool

Applications: Enablement begins with application classification by App-ID.

Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.

Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.

Page 15

Single Pass Platform Architecture

Page 16

PAN-OS Core Firewall Features

Strong networking foundation

• Dynamic routing (BGP, OSPF, RIPv2)

• Tap mode – connect to SPAN port

• Virtual wire (“Layer 1”) for true transparent in-line deployment

• L2/L3 switching foundation

• Policy-based forwarding

VPN

• Site-to-site IPSec VPN

• Remote Access (SSL) VPN

QoS traffic shaping

• Max/guaranteed and priority

• By user, app, interface, zone, & more

• Real-time bandwidth monitor

Zone-based architecture

• All interfaces assigned to security zones for policy enforcement

High Availability

• Active/active, active/passive

• Configuration and session synchronization

• Path, link, and HA monitoring

Virtual Systems

• Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, PA-3000, and PA-2000 Series)

Simple, flexible management

• CLI, Web, Panorama, SNMP, Syslog

Visibility and control of applications, users and content complement core firewall features

Page 17

Next-Generation Firewall Virtualized Platforms

Specifications

Model    Sessions   Rules   Security Zones   Address Objects   IPSec VPN Tunnels   SSL VPN Tunnels
VM-100    50,000      250               10             2,500                  25                25
VM-200   100,000    2,000               20             4,000                 500               200
VM-300   250,000    5,000               40            10,000               2,000               500

Supported on VMware ESX/ESXi 4.0 or later

Minimum of 2 CPU cores, 4GB RAM, 40GB HD, 2 interfaces

Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames

Performance

Cores Allocated   Firewall (App-ID)   Threat Prevention   VPN        Sessions per Second
2 Core            500 Mbps            200 Mbps            100 Mbps   8,000
4 Core            1 Gbps              600 Mbps            250 Mbps   8,000
8 Core            1 Gbps              1 Gbps              400 Mbps   8,000

Page 18

Enterprise-wide Next-Generation Firewall Security

Perimeter

• App visibility and control in the firewall

• All apps, all ports, all the time

• Prevent threats

• Known threats

• Unknown/targeted malware

• Simplify security infrastructure

Data Center

• Network segmentation

• Based on application and user, not port/IP

• Simple, flexible network security

• Integration into all DC designs

• Highly available, high performance

• Prevent threats

Distributed Enterprise

• Consistent network security everywhere

• HQ/branch offices/remote and mobile users

• Logical perimeter

• Policy follows applications and users, not physical location

• Centrally managed

Page 19

Addresses Three Key Business Problems

Safely Enable Applications

• Identify more than 1,500 applications, regardless of port, protocol, encryption, or evasive tactic

• Fine-grained control over applications/application functions (allow, deny, limit, scan, shape)

• Addresses the key deficiencies of legacy firewall infrastructure

• Systematic management of unknown applications

Prevent Threats

• Stop a variety of known threats – exploits (by vulnerability), viruses, spyware

• Detect and stop unknown threats with WildFire

• Stop leaks of confidential data (e.g., credit card #, social security #, file/type)

• Enforce acceptable use policies on users for general web site browsing

Simplify Security Infrastructure

• Put the firewall at the center of the network security infrastructure

• Reduce complexity in architecture and operations

Page 20

Many Third Parties Reach Same Conclusion

Gartner Enterprise Network Firewall Magic Quadrant

Palo Alto Networks leading the market

Forrester IPS Market Overview

Strong IPS solution; demonstrates effective consolidation

NetworkWorld Test

Most stringent NGFW test to date; validated sustained performance

NSS Tests

IPS: Palo Alto Networks NGFW tested against competitors’ standalone IPS devices; NSS Recommended

Firewall: Traditional port-based firewall test; Palo Alto Networks most efficient by a wide margin; NSS Recommended

NGFW: Palo Alto Networks provides the best combination of protection, performance, and value; NSS Recommended (1 of only 3 NGFW recommended)


Page 21

Hands-on Workshop

Page 22

Activity 1: Controlling Social Media

Scenario: Every organization is trying to determine how to exert controls over social media applications – allowing them all is high risk while blocking them all can cripple the business.

Policy considerations: who can use social media, what are the risks of data loss/data transfer, and how to eliminate the propagation of malware

PAN-OS features to be used:

• App-ID and function control

• User-ID

• Logging and reporting for verification

Page 23

Activity 2: Controlling Evasive Applications

Scenario: Evasive applications are found on almost every network. Some are purposely evasive, making every effort to avoid controls and hide. Examples include Ultrasurf, Tor and P2P.

Policy considerations for controlling applications include: Protection from RIAA threats, data loss – both inadvertent or otherwise, and malware propagation

PAN-OS features to be used:

• App-ID and dynamic filters

• User-ID

• Logging and reporting for verification

Page 24

Activity 3: Applications on Non-Standard Ports

Scenario: Limit the use of remote access tools to IT and support; force them over their standard port (SSH)

Policy considerations: Control which applications and users can punch through the firewall

PAN-OS features to be used:

• Logging and reporting to show SSH on non-standard ports

• App-ID, groups function and service (port)

• User-ID (groups)

• Logging and reporting for verification

Page 25

Activity 4: Decryption

Scenario: More and more traffic is encrypted with SSL by default, making it difficult to allow and scan that traffic, yet blindly allowing it is high risk. Using policy-based SSL decryption will allow you to enable encrypted applications, apply policy, then re-encrypt and send the traffic to its final destination.

Policy considerations: Which applications to decrypt, protection from malware propagation and data/file transfer

PAN-OS features to be used:

• App-ID

• User-ID

• SSL decryption

• Logging and reporting for verification

Page 26

Activity 5: Modern Malware Protection

Scenario: Modern malware is at the heart of many of today's most sophisticated network attacks, and is increasingly customized to avoid traditional security solutions. WildFire exposes targeted and unknown malware through direct observation in a virtual environment, while the next-generation firewall ensures full visibility and control of all traffic including tunneled, evasive, encrypted and even unknown traffic.

Policy considerations: Which applications to apply the WildFire file blocking/upload profile to

PAN-OS features to be used:

• Profiles: Virus, Spyware, file blocking & WildFire

• WildFire portal

• Logging and reporting for verification

Page 27

Activity 6: URL Filtering

Scenario: Application control and URL filtering complement each other, providing you with the ability to deliver varied levels of control that are appropriate for your security profile.

Policy considerations: URL category access; which users can or cannot access the URL category, and prevention of malware propagation

PAN-OS features to be used:

• URL filtering category match

• Logging and reporting for verification

Page 28

Activity 7: Traffic Reporting

Scenario: Define and generate traffic reports required by management

PAN-OS features to be used:

• Reporting (pre-defined): top applications, threats, URL categories, etc.

• Manage custom reports

• Create a custom report using traffic stats logs

Page 29

Activity 8: Systematically Manage Unknown Traffic (Demo)

Scenario: Investigate unknown traffic, determine risk level, implement appropriate policies

Policy considerations: Many internal applications – blocking all is unreasonable; the traffic may be a commercial application with no App-ID, or a possible threat

PAN-OS features to highlight (Demo only):

• App-ID Unknown TCP/UDP

• Policy editor for unknown TCP/UDP – allow but scan

• App Override, custom App-ID

• Behavioral botnet report

Page 30

Get Your Free AVR Report

• Request a free evaluation/AVR Report and get entered into today’s PA-200 drawing

• And get entered into the Ultimate Grand Prize Drawing

• A two-day all expense paid driving experience at the Audi Driving School in Seefeld/Tyrol Austria!

Page 31

Thank You