Critical application visibility and control with Palo Alto Networks
Zion Ezra, VP Security, InnoCom LTD
Select InnoCom Vendors
NETWORK SECURITY
• Next Generation Firewall • Cloud-based Web Security • Next Generation Cyber Attacks
HIGH SPEED NETWORKING
• WAN Optimization • Giga Load Balancers • 802.11n WLAN
EMAIL & MOBILE SECURITY
• Smart Phones & Tablet Security • Email Security
About Palo Alto Networks
• Palo Alto Networks is the Network Security Company
• World-class team with strong security and networking experience
- Founded in 2005, first customer July 2007, top-tier investors
• Builds next-generation firewalls that identify and control 1300+ applications
- Restores the firewall as the core of enterprise network security infrastructure
- Innovations: App-ID™, User-ID™, Content-ID™
• Global momentum: 5300+ customers
- August 2011: annual bookings run rate (*) is over US$200 million; cash-flow positive for the last five consecutive quarters
(*) Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks' fiscal year runs from August 1st until July 31st.
• A few of the many enterprises that have deployed more than $1M
© 2011 Palo Alto Networks, Proprietary and Confidential
2010 Magic Quadrant for Enterprise Network Firewalls (Source: Gartner, as of March 2010)
[Figure: Magic Quadrant chart, horizontal axis "completeness of vision", vertical axis "ability to execute", quadrants including visionaries and niche players. Vendors plotted: Palo Alto Networks, Check Point Software Technologies, Juniper Networks, Cisco, Fortinet, McAfee, Stonesoft, SonicWALL, WatchGuard, NETASQ, Astaro, phion, 3Com/H3C]
2011 Magic Quadrant for Enterprise Network Firewalls (Source: Gartner)
Gartner: Palo Alto Networks is a Leader
• Enterprises need next-generation firewalls
- In 2010 and 2011, Gartner saw market pressures accelerate the demand and available offerings for next-generation firewall (NGFW) platforms that provide the capability to detect and block sophisticated attacks, as well as enforce granular security policy at the application (versus port and protocol) level
- As enterprises increase the use of Web-based applications, with more complex connections within applications, more complex data centers and more data being presented to customers, firewalls have had to keep up with features and performance to meet these changing needs
- Less than 5% of Internet connections today are secured using NGFWs. By year-end 2014 this will rise to 35% of the installed base, with 60% of new purchases being NGFWs
• Gartner notes:
- "Palo Alto Networks' high-performance NGFW functionality continues to drive competitors to react in the firewall market. It is assessed as a Leader mostly because of its NGFW design, redirection of the market along the NGFW path, consistent displacement of Leaders and Challengers, and market disruption forcing Leaders to react."
About the Founder
• 2005-today: Founder and CTO at Palo Alto Networks
- Next Generation Firewall
• 2002-2005: CTO at NetScreen/Juniper
• 2000-2002: Founder and CTO at OneSecure
- World's first network IPS
• 1994-1999: Principal Engineer at Check Point Software
Leading Organizations Trust Palo Alto Networks
Industries: Health Care, Financial Services, Government, Manufacturing, High Tech, Energy, Education, Service Providers, Services, Media & Entertainment, Retail, Communication
InnoCom Customers - Palo Alto Networks
Prime Minister's Office – Nativ
The Modern Threats & Attacks
Known Attacks
The 5 Steps for Smart Attacks: bait, exploit, download, back channel, steal
Protection is needed at all stages
Applications Carry Risk
Applications can be "threats"
• P2P file sharing, tunneling applications, anonymizers, media/video
Applications carry threats
• Qualys Top 20 Vulnerabilities – the majority result in application-level threats
• Applications & application-level threats result in major breaches – RSA, Comodo, FBI
• Exploits come in through many applications
Application Control Efforts are Failing
• Palo Alto Networks' Application Usage & Risk Report highlights actual behavior of 900,000 users across more than 60 organizations
- Applications are built for accessibility
- Tools that enable users to circumvent security are common
- File sharing usage – P2P and browser-based – is rampant
- Controls are failing – all had firewalls, many had IPS, proxies & URL filtering
Applications carry risks: business continuity, data loss, compliance, productivity and operations costs
Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks' latest Application Usage & Risk Report highlights actual behavior of 1M+ users in 1,253 organizations
- More enterprise 2.0 application use, for personal and business reasons
- Tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies & URL filtering – but none of these organizations could control what applications ran on their networks
[Chart: percentage of organizations in which each application was found, 0–80% scale. Applications plotted: RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge, Gpass]
• Remote Access
- 27 variants, found 95% of the time
• External Proxies
- 22 variants, found 76% of the time
• Encrypted Tunnels
- Non-VPN related – found 30% of the time
Users Will Find A Way…
Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010
From The news
Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on (port-based firewall + IPS)
• Port-based FW + App Ctrl (IPS) = two policies: the firewall makes a port policy decision on port traffic, then the IPS makes an app control policy decision on whatever the firewall let through
• Applications are treated as threats: only block what you expressly look for
Implications
• Network access decision is made with no application information
• Cannot safely enable applications
NGFW Application Control
• Application control is in the firewall = single policy: the app control policy decision and the scan of the application for threats happen in one pass over the application traffic
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
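The two models above as an added worked example; this is not Palo Alto Networks code. A toy payload-based classifier stands in for App-ID, and the same constructed flows are run through a port-based-allow-plus-IPS-blocklist policy and through a single application-identity policy. The flows, the byte signatures and both rule sets are assumptions made for the example.

```python
"""Application control as an add-on versus application identity in the firewall.

Added example, not Palo Alto Networks code. identify_app() is a toy
stand-in for App-ID: it classifies a flow from its first client bytes
instead of trusting the destination port. All flows are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-to-server bytes of the flow (constructed)


def identify_app(flow: Flow) -> str:
    """Classify on payload bytes, so an application moved to another port is
    still recognised and anything unrecognised is reported as 'unknown'."""
    p = flow.payload
    if p.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:          # TLS handshake record
        return "ssl"
    if len(p) >= 6 and p[:2] == b"\x03\x00" and p[5] == 0xE0:  # TPKT + X.224 connect
        return "rdp"
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    first_line = p.split(b"\r\n", 1)[0]
    if first_line.endswith((b" HTTP/1.0", b" HTTP/1.1")) and \
            first_line.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "web-browsing"
    return "unknown"


def port_based_id(flow: Flow) -> str:
    """What a port-based firewall believes the flow is."""
    return {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "rdp"}.get(flow.dport, "unknown")


# Add-on model: the firewall decides on port with no application information,
# then the IPS blocks only the applications it is expressly told to look for.
PORT_ALLOW = {80, 443}
IPS_BLOCK = {"bittorrent"}


def addon_decision(flow: Flow) -> str:
    if flow.dport not in PORT_ALLOW:
        return "deny"
    return "deny" if identify_app(flow) in IPS_BLOCK else "allow"


# NGFW model: one policy keyed on application identity. Positive enforcement:
# anything not explicitly enabled, "unknown" included, is denied.
APP_ALLOW = {"web-browsing", "ssl"}


def ngfw_decision(flow: Flow) -> str:
    return "allow" if identify_app(flow) in APP_ALLOW else "deny"


# Constructed flows; note the two non-SSL applications sitting on port 443.
SAMPLE_FLOWS = [
    Flow("10.1.5.23", "93.184.216.34", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.1.5.23", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.1.5.24", "203.0.113.10", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),   # SSH hidden on 443
    Flow("10.1.5.24", "198.51.100.7", 443, b"\x00\x01\x02MYTUNNEL\x00"),   # unknown tunnel on 443
    Flow("10.1.5.25", "198.51.100.9", 80, b"\x13BitTorrent protocol\x00"),
    Flow("10.1.5.26", "10.1.9.9", 3389,
         b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"),
]


def evaluate(flows=SAMPLE_FLOWS):
    """Return (port view, app view, add-on decision, NGFW decision) per flow."""
    return [(port_based_id(f), identify_app(f), addon_decision(f), ngfw_decision(f))
            for f in flows]


if __name__ == "__main__":
    for f, row in zip(SAMPLE_FLOWS, evaluate()):
        print(f"{f.dst}:{f.dport:<5} port-view={row[0]:<13} app={row[1]:<13} "
              f"add-on={row[2]:<6} ngfw={row[3]}")
```

The SSH session and the unrecognised tunnel on port 443 pass the add-on model: the port decision allows 443 and the IPS only blocks what it was told to look for. The application-identity policy denies both, unknown traffic included, which is the difference between a negative and a positive enforcement model.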
HTTP: Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%) – proxies cannot deal with it
• Browser-based applications are 46% – some work with proxies and some don't
• Web browsing is 23%
[Chart: all HTTP applications, split into web browsing and browser-based applications]
Application Control vs Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
- Enhancing productivity
- Giving competitive advantage to the business
• It's all about visibility and control
- Who is using what
- Control and secure modern applications
- Control feature use
Palo Alto Networks – Next Generation Firewall (screenshots)
New Requirements for the Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access and functionality
4. Protect in real time against threats embedded across applications
5. Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers:
• Application Awareness and Full Stack Visibility – App-ID identifies and controls 1300+ applications
• Integrated Rather Than Co-Located IPS – Content-ID includes a full IPS without compromising performance
• Extra-Firewall Intelligence to Identify Users – User-ID brings AD users and groups into firewall policy
• Standard First-Generation Firewall Capabilities – packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
• Support for "bump in the wire" deployments
Gartner's recommendation: move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS or the combination of the two
Unique Technologies Transform the Firewall
• App-ID: identify the application
• User-ID: identify the user
• Content-ID: scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of more than 1200 applications, distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5–10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user, application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
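How an IP-to-user mapping of the kind User-ID maintains can be built from directory logon events and kept safe to act on, as an added example that is not Palo Alto Networks code. The event line format, the group memberships, the 45-minute mapping timeout and the rules are constructed assumptions. The point it shows beyond the slide: policy is keyed on the user and group behind an address, and a mapping must be refreshed or aged out, because an address reassigned to someone else would otherwise inherit the first user's rights.

```python
"""User-ID style IP-to-user mapping built from directory logon events,
with the mapping aged out so a reassigned address does not inherit the
previous user's rights.

Added example, not Palo Alto Networks code. The event line format, the
group memberships, the 45-minute timeout and the rules are all assumed.
"""
import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed logon events (stand-in for AD security-log 4624/4625 events).
EVENTS = """\
2011-08-15T09:00:10Z EventID=4624 user=ACME\\jdoe ip=10.1.5.23
2011-08-15T09:05:42Z EventID=4624 user=ACME\\mchen ip=10.1.5.40
2011-08-15T09:30:05Z EventID=4624 user=ACME\\hzielinski ip=10.1.5.23
2011-08-15T09:31:00Z EventID=4625 user=ACME\\guest ip=10.1.5.50
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Assumed AD group memberships.
GROUPS = {
    "ACME\\jdoe": {"domain-users", "netops"},
    "ACME\\mchen": {"domain-users", "netops"},
    "ACME\\hzielinski": {"domain-users", "sales"},
}

# Policy keyed on application + user group, never on IP address.
# First match wins; nothing matched is denied.
RULES = [
    ("ssh", "netops", "allow"),
    ("rdp", "netops", "allow"),
    ("web-browsing", "domain-users", "allow"),
]

MAPPING_TIMEOUT = timedelta(minutes=45)  # assumed value


class UserMapper:
    def __init__(self):
        self.by_ip = {}  # ip -> (user, time of the logon that created the mapping)

    def ingest(self, lines: str) -> int:
        """Learn mappings from successful logons; return how many were learned."""
        learned = 0
        for line in lines.splitlines():
            m = EVENT_RE.match(line.strip())
            if not m or m["id"] != "4624":
                continue  # failed logons (4625) and unparsable lines create no mapping
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            self.by_ip[m["ip"]] = (m["user"], ts)  # newest logon on an address wins
            learned += 1
        return learned

    def resolve(self, ip: str, now: datetime) -> Optional[str]:
        entry = self.by_ip.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if now - seen > MAPPING_TIMEOUT:
            return None  # stale: the address may belong to someone else by now
        return user


def decide(mapper: UserMapper, ip: str, app: str, now: datetime) -> tuple:
    """Return (resolved user or None, action) for a flow from ip using app."""
    user = mapper.resolve(ip, now)
    groups = GROUPS.get(user, set()) if user else set()
    for rule_app, group, action in RULES:
        if rule_app == app and group in groups:
            return user, action
    return user, "deny"


def demo():
    mapper = UserMapper()
    mapper.ingest(EVENTS)
    t1 = datetime(2011, 8, 15, 9, 40)
    t2 = datetime(2011, 8, 15, 10, 30)
    return {
        "reassigned": decide(mapper, "10.1.5.23", "ssh", t1),   # jdoe's old address, now hzielinski
        "netops_ssh": decide(mapper, "10.1.5.40", "ssh", t1),
        "sales_web": decide(mapper, "10.1.5.23", "web-browsing", t1),
        "stale": decide(mapper, "10.1.5.40", "ssh", t2),        # mapping older than the timeout
        "unmapped": decide(mapper, "10.1.5.50", "web-browsing", t1),
    }


if __name__ == "__main__":
    for name, (user, action) in demo().items():
        print(f"{name:<11} user={user!s:<18} {action}")
```

10.1.5.23 was jdoe's address at 09:00 and hzielinski's from 09:30; a rule written against the address would still grant jdoe's SSH rights to hzielinski, while the user-keyed rule denies it. At 10:30 the mchen mapping has aged out, so the address falls back to "no user" and is denied until a fresh logon is seen.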
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
- Uniform signature engine scans for a broad range of threats in a single pass
- Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data, and file transfers by type
- Looks for credit card (CC) and SSN patterns
- Looks into the file to determine its type – not extension-based
• Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000's of URLs/sec)
- Dynamic DB adapts to local, regional or industry-focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work-related web surfing
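Two of the Content-ID checks above, file type from content rather than extension and CC/SSN pattern matching on a stream scanned chunk by chunk, as an added example; this is not Palo Alto Networks code. The magic-byte table, the patterns, the chunk size and the sample transfers are constructed (the card number is the well-known test value 4111 1111 1111 1111, which passes the Luhn check). The part worth seeing is the carried tail: a stream scanner never holds the whole file, so a pattern that straddles a chunk boundary has to be caught by keeping a few bytes of the previous chunk, and caught only once.

```python
"""Content-ID style checks: file type from content, not extension, and
CC/SSN patterns found in a stream that arrives in chunks.

Added example, not Palo Alto Networks code. Signatures, patterns, chunk
size and the sample transfers are constructed.
"""
import re

# Magic bytes at offset 0 (constructed subset). The claimed extension is ignored.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]


def file_type(head: bytes) -> str:
    """Type from the first bytes of the transfer; 'unknown' if nothing matches."""
    for sig, name in MAGIC:
        if head.startswith(sig):
            return name
    return "unknown"


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to drop false positives on arbitrary 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 16 digits with optional single space/dash separators; US SSN with dashes.
CC_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


class StreamScanner:
    """Scans chunks as they arrive instead of buffering the whole file.
    The tail of the previous chunk is carried forward so a pattern that
    straddles a chunk boundary is still seen, and seen exactly once."""
    TAIL = 32  # must be at least the longest pattern length minus one

    def __init__(self):
        self.head = b""
        self.carry = b""
        self.findings = []  # (kind, value)

    def feed(self, chunk: bytes) -> None:
        if len(self.head) < 8:
            self.head += chunk[: 8 - len(self.head)]
        buf = self.carry + chunk
        for kind, rx in (("credit-card", CC_RE), ("ssn", SSN_RE)):
            for m in rx.finditer(buf):
                if m.end() <= len(self.carry):
                    continue  # lies entirely in the carried tail: reported last time
                value = m.group().decode()
                if kind == "credit-card" and not luhn_ok(re.sub(r"\D", "", value)):
                    continue
                self.findings.append((kind, value))
        self.carry = buf[-self.TAIL:]


def scan_transfer(filename: str, data: bytes, chunk_size: int) -> dict:
    """Feed one transfer through the scanner in fixed-size chunks."""
    scanner = StreamScanner()
    for i in range(0, len(data), chunk_size):
        scanner.feed(data[i:i + chunk_size])
    return {
        "filename": filename,
        "claimed_ext": filename.rsplit(".", 1)[-1],
        "detected": file_type(scanner.head),
        "findings": scanner.findings,
    }


# Constructed transfers: a Windows executable renamed to .txt, and a PDF whose
# card number is cut in two by the 20-byte chunk boundary used in run().
SAMPLES = {
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 50,
    "report.pdf": (b"%PDF-1.4\n" + b"Card 4111 1111 1111 1111 on file; "
                   + b"random 1234 5678 9012 3456; SSN 078-05-1120.\n"),
}


def run():
    return {name: scan_transfer(name, data, chunk_size=20) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result["claimed_ext"], "->", result["detected"], result["findings"])
```

The renamed executable is reported as pe-executable regardless of its .txt name; the valid card number is found even though bytes 20 and 21 of the stream fall in different chunks, the Luhn-invalid 16-digit run is not reported, and the SSN is found in the last chunk.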
• NSS Labs, the world's largest security and performance testing lab, has recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. Our solution was tested against 1,179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided hard proof of what our next-generation firewalls can really do. Key results include:
- The highest IPS block rate in recent history (93.4%)
- 100% resistance to IPS evasion techniques
- Simple IPS configuration and tuning
- All of the above while delivering 115% of the datasheet performance metrics
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scans inbound and outbound SSL (decrypted) and compressed traffic
- Assures only authorized applications are using network resources
- Allows SSH/RDP, but only for authorized staff
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, low latency
PA-5000 Series Architecture
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual solid-state drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Diagram: control plane (quad-core CPU, RAM, dual SSD) connected to the data plane switch fabric; 20 Gbps network processor with QoS, flow control, route/ARP/MAC lookup and NAT; three security processor groups (CPU 1 … CPU 12 each, with RAM) and signature match and SSL/IPSec/decompression engines, on 10 Gbps paths]
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 million concurrent sessions
Traditional Multi-Pass Architectures are Slow
[Diagram: each function runs as a separate pass with its own port/protocol-based ID, its own L2/L3 networking, HA, config management and reporting, and its own policy: Firewall Policy; HTTP Decoder with URL Filtering Policy; IPS Decoder with IPS Signatures and IPS Policy; AV Decoder & Proxy with AV Signatures and AV Policy]
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory, or by IP address
Palo Alto Networks – Network Sniffer (screenshots)
Visibility into Applications, Users & Content
[Screenshot: user hzielinski, filtered on Skype; remove the Skype filter to expand the view of hzielinski]
Palo Alto Networks – Rich reports (screenshots)
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode – connect to a SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping – max/guaranteed and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active/Active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
Platforms: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and the device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
NGFW for mobile devices
Today: Quality of Security Tied to Location
• On the enterprise network: security based on best practices; full-featured NGFW and threat prevention
• Off the enterprise network (botnets): no network security; security based on best effort; exposed to threats, risky app usage and more
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- A small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
- The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
Zero Day Attacks Protection
• A sandbox at the core
Flexible Deployment Options
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate Segmentation (Datacenter 1 / Datacenter 2, Segments A, B, C)
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks Next-Gen Firewalls
Model    Firewall / Threat prevention / Sessions    Interfaces
PA-5060  20 Gbps / 10 Gbps / 4,000,000              4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5050  10 Gbps / 5 Gbps / 2,000,000               4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020  5 Gbps / 2 Gbps / 1,000,000                8 SFP, 12 copper gigabit
PA-4060  10 Gbps / 5 Gbps / 2,000,000               4 XFP (10 Gig), 4 SFP (1 Gig)
PA-4050  10 Gbps / 5 Gbps / 2,000,000               8 SFP, 16 copper gigabit
PA-4020  2 Gbps / 2 Gbps / 500,000                  8 SFP, 16 copper gigabit
PA-2050  1 Gbps / 500 Mbps / 250,000                4 SFP, 16 copper gigabit
PA-2020  500 Mbps / 200 Mbps / 125,000              2 SFP, 12 copper gigabit
PA-500   250 Mbps / 100 Mbps / 50,000               8 copper gigabit
The innovative approach: extend security to all network traffic
Thank You
Zion Ezra, VP Sales
POC and AVR Report
[Slides: sample AVR report pages; deployment diagram with the Internet]
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines the trust boundary
• BUT… Applications Have Changed (Collaboration, Media, SaaS, Personal)
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
• Need to Restore Visibility and Control in the Firewall
Exploit protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Need to perform across all applications
• Need to block the unknown
Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
INSANITY: doing the same thing over and over again and expecting different results
(block applications and users)
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
[Diagram: RPC, SMB, SMS, SQL, SharePoint and NetBIOS spread across ports 80, 135, 137, 139 and 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5060: 20 Gbps FW, 10 Gbps threat prevention, 4 Gbps IPSec VPN, 20,000 SSL VPN users, 4,000,000 sessions, up to 225 VSYS; (4) SFP+ (10 Gig) I/O, (8) SFP (1 Gig) I/O, (12) 10/100/1000
PA-5050: 10 Gbps FW, 5 Gbps threat prevention, 4 Gbps IPSec VPN, 10,000 SSL VPN users, 2,000,000 sessions, up to 125 VSYS; (4) SFP+ (10 Gig) I/O, (8) SFP (1 Gig) I/O, (12) 10/100/1000
PA-5020: 5 Gbps FW, 2 Gbps threat prevention, 2 Gbps IPSec VPN, 5,000 SSL VPN users, 1,000,000 sessions, up to 20 VSYS; (8) SFP (1 Gig) I/O, (12) 10/100/1000
All models: hot-swappable fans and power supplies; dual solid-state drives; dedicated HA and management interfaces; 2U standard rack-mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into the deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user, group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality; heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work, for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates; operational and management overhead
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram: malware, botnets and exploits held outside the logical perimeter]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
NETWORK SECURITY
Select InnoCom Vendors
bullWAN Optimization
HIGH SPEED NETWORKING
bullGiga Load Balancers bull80211n WLAN
EMAIL amp MOBILE SECURITY
bullNext Generation Firewall bullCloud ndashbased Web Security bullNext Generation Cyber Attacks
bullSmart Phones amp Tablet Security bullEmail Security
About Palo Alto Networks
bull Palo Alto Networks is the Network Security Company
bull World-class team with strong security and networking experience
- Founded in 2005 first customer July 2007 top-tier investors
bull Builds next-generation firewalls that identify control 1300+ applications
- Restores the firewall as the core of enterprise network security infrastructure
- Innovations App-IDtrade User-IDtrade Content-IDtrade
bull Global momentum 5300+ customers
- August 2011 Annual bookings run rate is over US$200 million cash-flow positive last five consecutive quarters
() Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter Bookings are defined as non-cancellable
orders received during the fiscal period Palo Alto Networksrsquo fiscal year runs from August 1st until July 31st
bullA few of the many enterprises that have deployed more than $1M
copy 2011 Palo Alto Networks Proprietary and Confidential Page 3 |
2010 Magic Quadrant for Enterprise Network Firewalls
copy 2011 Palo Alto Networks Proprietary and Confidential Page 4 |
Palo Alto Networks
Check Point Software Technologies
Juniper Networks
Cisco
Fortinet
McAfee
Stonesoft
SonicWALL
WatchGuard
NETASQ Astaro phion
3ComH3C
completeness of vision
visionaries
ab
ilit
y t
o e
xe
cu
te
As of March 2010 niche players
Source Gartner
2011 Magic Quadrant for Enterprise Network Firewalls
copy 2011 Palo Alto Networks Proprietary and Confidential Page 5 |
Source Gartner
Gartner: Palo Alto Networks is a Leader
• Enterprises need next-generation firewalls
- In 2010 and 2011, Gartner saw market pressures accelerate the demand and available offerings for next-generation firewall (NGFW) platforms that provide the capability to detect and block sophisticated attacks, as well as enforce granular security policy at the application (versus port and protocol) level
- As enterprises increase the use of Web-based applications, with more complex connections within applications, more complex data centers and more data being presented to customers, firewalls have had to keep up with features and performance to meet these changing needs
- Less than 5% of Internet connections today are secured using NGFWs. By year-end 2014, this will rise to 35% of the installed base, with 60% of new purchases being NGFWs
• Gartner notes:
- "Palo Alto Networks' high-performance NGFW functionality continues to drive competitors to react in the firewall market. It is assessed as a Leader mostly because of its NGFW design, redirection of the market along the NGFW path, consistent displacement of Leaders and Challengers, and market disruption forcing Leaders to react."
About the Founder
• 2005-today: Founder and CTO at Palo Alto Networks
- Next Generation Firewall
• 2002-2005: CTO at NetScreen/Juniper
• 2000-2002: Founder and CTO at OneSecure
- World's first Network IPS
• 1994-1999: Principal Engineer at Check Point Software
Leading Organizations Trust Palo Alto Networks
[Figure: customer logos grouped by industry: Health Care, Financial Services, Government, Manufacturing, High Tech, Energy, Education, Service Providers, Services, Media & Entertainment, Retail & Communication]
InnoCom Customers - Palo Alto Networks
Prime Minister's Office – Nativ
The Modern Threats & Attacks
Known Attacks
The 5 Steps for Smart Attacks: bait, exploit, download, back channel, steal
Protection is needed at all stages
Applications Carry Risk
Applications can be "threats"
• P2P file sharing, tunneling applications, anonymizers, media/video
Applications carry threats
• Qualys Top 20 Vulnerabilities – the majority result in application-level threats
Applications & application-level threats result in major breaches – RSA, Comodo, FBI
Exploits come in through many applications
Application Control Efforts are Failing
• Palo Alto Networks' Application Usage & Risk Report highlights actual behavior of 900,000 users across more than 60 organizations
- Applications are built for accessibility
- Tools that enable users to circumvent security are common
- File sharing usage – P2P and browser-based – is rampant
- Controls are failing – all had firewalls, many had IPS, proxies & URL filtering
Applications carry risks: business continuity, data loss, compliance, productivity and operations costs
Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks' latest Application Usage & Risk Report highlights actual behavior of 1M+ users in 1,253 organizations
- More Enterprise 2.0 application use, for personal and business reasons
- Tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies & URL filtering – but none of these organizations could control what applications ran on their networks
Users Will Find A Way…
[Chart: frequency of use (percentage of organizations, 0-80 scale) for remote access, external proxy and encrypted tunnel applications: RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge, Gpass]
• Remote Access
- 27 variants, found 95% of the time
• External Proxies
- 22 variants, found 76% of the time
• Encrypted Tunnels
- Non-VPN related – found 30% of the time
Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010
From The News
Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on
[Diagram: Port Traffic → Firewall (port policy decision) → IPS (app control policy decision) → Applications]
• Port-based FW + App Ctrl (IPS) = two policies
• Applications are threats: only block what you expressly look for
Implications
• Network access decision is made with no information
• Cannot safely enable applications
NGFW Application Control
[Diagram: Application Traffic → Firewall/IPS (app control policy decision; scan application for threats) → Applications]
• Application control is in the firewall = single policy
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
HTTP: Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%) – proxies cannot deal with it
• Browser-based applications are 46% - some work with proxies and some don't
• Web browsing is 23%
[Chart: All HTTP Applications, broken down into Web Browsing and Browser-based Applications]
Application Control vs Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
- Enhancing productivity
- Giving competitive advantage to the business
• It's all about visibility and control
- Who is using what
- Control and secure modern applications
- Control feature use
Palo Alto – Next Generation FW
New Requirements for Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access / functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility: App-ID identifies and controls 1300+ applications
Integrated Rather Than Co-Located IPS: Content-ID includes full IPS without compromising performance
Extra-Firewall Intelligence to Identify Users: User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities: packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
Support "bump in the wire" deployments
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers
Gartner's Recommendations: Move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS or the combination of the two
Unique Technologies Transform the Firewall
App-ID: Identify the application
User-ID: Identify the user
Content-ID: Scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of more than 1200+ applications, distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5 - 10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user, application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
- Uniform signature engine scans for a broad range of threats in a single pass
- Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into the file to determine type – not extension based
• Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000's of URLs/sec)
- Dynamic DB adapts to local, regional or industry-focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work related web surfing
• NSS Labs, the world's largest security and performance testing lab, has recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. Our solution was tested against 1179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided the hard proof of what our next-generation firewalls can really do. Key results include:
• The highest IPS block rate in recent history (93.4%)
• 100% resistance to IPS evasion techniques
• Simple IPS configuration and tuning
• Provided all the above while exceeding the datasheet performance metrics by 115%
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
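As an added illustration of the two models contrasted above (port-based control with an IPS add-on versus a single application-and-user policy in the firewall) and of the "allow SSH/RDP only for authorized staff" rule, the following Python evaluates the same constructed flows both ways. This is example code, not Palo Alto Networks code: the users, groups, rule names, zones and flows are constructed here, and App-ID and User-ID results are modelled as fields already resolved on each flow.

```python
"""Port-based add-on control vs. single application/user policy.

Added illustration, not Palo Alto Networks code. The add-on model decides on
port alone and then lets an IPS block only the applications it has been told
to look for; the NGFW model decides once, on application identity and user
identity, with an implicit deny. All names and flows are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_user: str   # what User-ID would resolve (constructed)
    dst_port: int
    app: str        # what App-ID would resolve (constructed), e.g. "ssh" even on 443
    dst_zone: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    ports: frozenset = frozenset()     # empty = any port
    apps: frozenset = frozenset()      # empty = any application
    groups: frozenset = frozenset()    # empty = any user
    zones: frozenset = frozenset()     # empty = any destination zone


# Constructed directory mapping (the information User-ID supplies).
USER_GROUPS = {"alice": frozenset({"marketing"}), "bob": frozenset({"it-admins"})}

# Add-on model: a port rule base plus an IPS that blocks a fixed list of apps.
PORT_RULES = [
    Rule("web-out", "allow", ports=frozenset({80, 443}), zones=frozenset({"untrust"})),
]
IPS_BLOCKLIST = frozenset({"tor"})   # negative model: only what it is told to look for

# NGFW model: one positive-enforcement rule base on app + user + zone.
NGFW_RULES = [
    Rule("admin-remote-access", "allow", apps=frozenset({"ssh", "rdp"}),
         groups=frozenset({"it-admins"}), zones=frozenset({"untrust", "dmz"})),
    Rule("web-for-all", "allow", apps=frozenset({"web-browsing"}),
         zones=frozenset({"untrust"})),
]


def _matches(rule: Rule, flow: Flow, groups: frozenset) -> bool:
    """A rule matches when every non-empty criterion is satisfied."""
    if rule.ports and flow.dst_port not in rule.ports:
        return False
    if rule.apps and flow.app not in rule.apps:
        return False
    if rule.zones and flow.dst_zone not in rule.zones:
        return False
    if rule.groups and not (groups & rule.groups):
        return False
    return True


def addon_decision(flow: Flow) -> str:
    """Two separate decisions: port firewall first, IPS signature second."""
    if not any(r.action == "allow" and _matches(r, flow, frozenset()) for r in PORT_RULES):
        return "deny (port)"
    if flow.app in IPS_BLOCKLIST:
        return "deny (ips)"
    return "allow"   # anything not expressly listed sails through on an open port


def ngfw_decision(flow: Flow) -> str:
    """One decision, first match wins, implicit deny: app and user drive access."""
    groups = USER_GROUPS.get(flow.src_user, frozenset())
    for rule in NGFW_RULES:
        if _matches(rule, flow, groups):
            return rule.action
    return "deny"


def compare(flows):
    """Side-by-side decisions (user, port, app, add-on result, NGFW result)."""
    return [(f.src_user, f.dst_port, f.app, addon_decision(f), ngfw_decision(f))
            for f in flows]


if __name__ == "__main__":
    SAMPLE = [  # constructed flows
        Flow("alice", 443, "web-browsing", "untrust"),
        Flow("alice", 443, "ultrasurf", "untrust"),   # external proxy riding on 443
        Flow("alice", 443, "ssh", "untrust"),         # ssh tunnelled over 443
        Flow("bob", 22, "ssh", "dmz"),                # admin reaching the DMZ
        Flow("alice", 80, "tor", "untrust"),
    ]
    for row in compare(SAMPLE):
        print(row)
```

The add-on model passes the proxy and the tunnelled SSH because port 443 is open and no signature names them, while it blocks the admin's SSH to the DMZ because port 22 is closed; the single policy gets all three right from application and group identity alone.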
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10Gbps, Low Latency
PA-5000 Series Architecture
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual solid-state drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Diagram: 20Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT) connected over 10Gbps links to the data plane switch fabric; three security processor groups (CPU 1 … CPU 12 with RAM), each with SSL/IPSec/de-compress offload and a signature match engine; control plane with quad-core CPU, RAM and dual SSDs]
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 Million concurrent sessions
Traditional Multi-Pass Architectures are Slow
[Diagram: traffic passes serially through four separate devices, each repeating Port/Protocol-based ID, L2/L3 Networking, HA, Config Management and Reporting: Firewall Policy; HTTP Decoder + URL Filtering Policy; IPS Decoder + IPS Signatures + IPS Policy; AV Decoder & Proxy + AV Signatures + AV Policy]
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory, or by IP address
Palo Alto – Network Sniffer
Visibility into Applications, Users & Content
[Screenshot: user hzielinski, filtered on Skype; removing the Skype filter expands the view of hzielinski]
Palo Alto – Rich Reports
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode – connect to SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping - max/guaranteed and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active/Active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
[Figure: product family: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060]
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
NGFW for Mobile Devices
Today: Quality of Security Tied to Location
[Diagram: botnets on the Internet. Inside the enterprise network: security based on best practices, full-featured NGFW and threat prevention. Outside, no network security: security based on best effort, exposed to threats, risky app usage and more]
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
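The four steps above, modelled in Python as an added example (not GlobalProtect code): the agent classifies its location from the client address, off-network hosts are bound to a gateway, the host information profile (HIP) travels with the session, and the gateway evaluates one rule base in which the HIP is an extra match condition alongside application and user. The internal prefixes, gateway names, users, groups, HIP fields and rules are all constructed here.

```python
"""GlobalProtect-style "never off-network" flow with a HIP-conditioned policy.

Added illustration, not GlobalProtect code. Every identifier below (prefixes,
gateways, users, groups, HIP fields, rule names) is constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # constructed
GATEWAYS = {"emea": "gw-amsterdam", "amer": "gw-newyork"}                   # constructed
USER_GROUPS = {"alice": {"finance"}, "bob": {"it-admins"}}                   # constructed


@dataclass(frozen=True)
class HostInfo:
    """Subset of the host information profile the agent submits (constructed fields)."""
    patch_level: int        # constructed scale: higher means more current
    asset_type: str         # "corporate" or "byod"
    disk_encrypted: bool


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset
    groups: frozenset                 # empty = any user
    min_patch_level: int = 0
    require_encryption: bool = False
    corporate_only: bool = False


RULES = [  # constructed rule base; same rules apply on- and off-network
    Rule("finance-erp", frozenset({"sap"}), frozenset({"finance"}),
         min_patch_level=5, require_encryption=True, corporate_only=True),
    Rule("admin-ssh", frozenset({"ssh"}), frozenset({"it-admins"}),
         min_patch_level=5, require_encryption=True),
    Rule("web", frozenset({"web-browsing"}), frozenset()),
]


def agent_location(client_ip: str) -> str:
    """Step 1: the agent decides whether it is on or off the enterprise network."""
    ip = ip_address(client_ip)
    return "on-network" if any(ip in p for p in INTERNAL_PREFIXES) else "off-network"


def choose_path(client_ip: str, region: str) -> str:
    """Step 2: off-network hosts are tunnelled (SSL VPN) to the nearest gateway."""
    if agent_location(client_ip) == "on-network":
        return "internal-firewall"
    return GATEWAYS[region]


def hip_satisfies(rule: Rule, hip: HostInfo) -> bool:
    """HIP match conditions attached to a rule."""
    if hip.patch_level < rule.min_patch_level:
        return False
    if rule.require_encryption and not hip.disk_encrypted:
        return False
    if rule.corporate_only and hip.asset_type != "corporate":
        return False
    return True


def gateway_decision(user: str, app: str, hip: HostInfo) -> str:
    """Step 4: one rule base evaluated on app, user and HIP together; first match wins."""
    groups = USER_GROUPS.get(user, set())
    hip_failed = []
    for rule in RULES:
        if app not in rule.apps or (rule.groups and not (groups & rule.groups)):
            continue
        if not hip_satisfies(rule, hip):
            hip_failed.append(rule.name)   # the rule would match but the host fails its HIP
            continue
        return f"allow ({rule.name})"
    if hip_failed:
        return "deny (host profile fails " + ", ".join(hip_failed) + ")"
    return "deny (no matching rule)"


def handle_session(client_ip: str, region: str, user: str, app: str, hip: HostInfo) -> dict:
    """Whole flow; step 3 (HIP submission) is the hip argument carried to the gateway."""
    return {"location": agent_location(client_ip),
            "path": choose_path(client_ip, region),
            "decision": gateway_decision(user, app, hip)}


if __name__ == "__main__":
    laptop = HostInfo(patch_level=6, asset_type="corporate", disk_encrypted=True)
    print(handle_session("203.0.113.7", "emea", "alice", "sap", laptop))
    print(handle_session("10.1.2.3", "amer", "alice", "sap", laptop))
```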
Zero Day Attacks Protection
A sandbox at the core
Flexible Deployment Options
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate Segmentation
[Diagram: Datacenter 1, Datacenter 2; Segment A, Segment B, Segment C]
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks Next-Gen Firewalls
PA-4050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 8 SFP, 16 copper gigabit
PA-4020: 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions; 8 SFP, 16 copper gigabit
PA-4060: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050: 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions; 4 SFP, 16 copper gigabit
PA-2020: 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions; 2 SFP, 12 copper gigabit
PA-500: 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions; 8 copper gigabit
PA-5050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020: 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions; 8 SFP, 12 copper gigabit
PA-5060: 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You – Zion Ezra, VP Sales
POC and AVR Report
AVR Report
[Screenshot: AVR Report]
UTM Is Still Sprawl… Just Slower
[Diagram: Internet-facing UTM appliance]
• Doesn't solve the problem
• Firewall "helper" functions have limited view of traffic
• Turning on functions kills performance
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
• Need to Restore Visibility and Control in the Firewall
[Diagram: application categories: Collaboration, Media, SaaS, Personal]
• BUT… Applications Have Changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Exploit protection
Many months pass between black-hat discovery, white-hat discovery and protection being available
Need to protect all applications
A sandbox at the core
Needs user-based access control
Needs high-speed IPS and AV
Need to perform across all applications
Need to block the unknown
Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
[Diagram: data center applications (RPC, SMS, SQL, SharePoint, SMB, NetBIOS) spread across port 135, port 137, port 139, port 80, port 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports - fundamentally breaking port-based network security
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5050
• 10 Gbps FW
• 5 Gbps threat prevention
• 4 Gbps IPSec VPN
• 10,000 SSL VPN users
• 2,000,000 sessions
• Up to 125 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5020
• 5 Gbps FW
• 2 Gbps threat prevention
• 2 Gbps IPSec VPN
• 5,000 SSL VPN users
• 1,000,000 sessions
• Up to 20 VSYS
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5060
• 20 Gbps FW
• 10 Gbps threat prevention
• 4 Gbps IPSec VPN
• 20,000 SSL VPN users
• 4,000,000 sessions
• Up to 225 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
All models:
• Hot swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates, operational and management overhead
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram: threats outside the logical perimeter: malware, botnets, exploits]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
About Palo Alto Networks
bull Palo Alto Networks is the Network Security Company
bull World-class team with strong security and networking experience
- Founded in 2005 first customer July 2007 top-tier investors
bull Builds next-generation firewalls that identify control 1300+ applications
- Restores the firewall as the core of enterprise network security infrastructure
- Innovations App-IDtrade User-IDtrade Content-IDtrade
bull Global momentum 5300+ customers
- August 2011 Annual bookings run rate is over US$200 million cash-flow positive last five consecutive quarters
() Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter Bookings are defined as non-cancellable
orders received during the fiscal period Palo Alto Networksrsquo fiscal year runs from August 1st until July 31st
bullA few of the many enterprises that have deployed more than $1M
copy 2011 Palo Alto Networks Proprietary and Confidential Page 3 |
2010 Magic Quadrant for Enterprise Network Firewalls
copy 2011 Palo Alto Networks Proprietary and Confidential Page 4 |
Palo Alto Networks
Check Point Software Technologies
Juniper Networks
Cisco
Fortinet
McAfee
Stonesoft
SonicWALL
WatchGuard
NETASQ Astaro phion
3ComH3C
completeness of vision
visionaries
ab
ilit
y t
o e
xe
cu
te
As of March 2010 niche players
Source Gartner
2011 Magic Quadrant for Enterprise Network Firewalls
copy 2011 Palo Alto Networks Proprietary and Confidential Page 5 |
Source Gartner
Gartner Palo Alto Networks is a Leader
bull Enterprises need next-generation firewalls
- In 2010 and 2011 Gartner saw market pressures accelerate the demand and available offerings for next-generation firewall (NGFW) platforms that provide the capability to detect and block sophisticated attacks as well as enforce granular security policy at the application (versus port and protocol) level
- As enterprises increase the use of Web-based applications mdash with more complex connections within applications more complex data centers and more data being presented to customers mdash firewalls have had to keep up with features and performance to meet these changing needs
- Less than 5 of Internet connections today are secured using NGFWs By year-end 2014 this will rise to 35 of the installed base with 60 of new purchases being NGFWs
bull Gartner notes
- ldquoPalo Alto Networks high-performance NGFW functionality continues to drive competitors to react in the firewall market It is assessed as a Leader mostly because of its NGFW design redirection of the market along the NGFW path consistent displacement of Leaders and Challengers and market disruption forcing Leaders to reactrdquo
copy 2011 Palo Alto Networks Proprietary and Confidential Page 6 |
About the Founder
bull 2005-today Founder and CTO at
Palo Alto Networks
- Next Generation Firewall
bull 2002-2005 CTO at NetScreenJuniper
bull 2000-2002 Founder and CTO at OneSecure
- Worldrsquos first Network IPS
bull 1994-1999 Principal Engineer at Check Point Software
copy 2009 Palo Alto Networks Proprietary and Confidential Page 9 |
Leading Organizations Trust Palo Alto Networks Health Care Financial Services Government
Mfg High Tech Energy Education Service Providers Services
Media Entertainment Retail
Health amp Finance
Service Providers
Industry amp
Retail Media amp
Communication
Government Hi Tech
InnoCom Customers - Palo Alto Networks
משרד ndashנתיב
ראש הממשלה
The Modern Threats amp attacks
11
Known Attacks
bait exploit download back
channel steal
The 5 Steps for Smart Attacks
protection is needed at all stages
Applications Carry Risk
copy 2011 Palo Alto Networks Proprietary and Confidential Page 14 |
Applications can be ldquothreatsrdquo
bull P2P file sharing tunneling applications anonymizers
mediavideo
Applications carry threats
bull Qualys Top 20 Vulnerabilities ndash majority result in application-
level threats
Applications amp application-level threats result in major breaches ndash RSA Comodo FBI
exploits come in thru many applications
copy 2009 Palo Alto Networks Proprietary and Confidential Page 16 | copy 2009 Palo Alto Networks Proprietary and Confidential Page 16 |
Application Control Efforts are Failing bull Palo Alto Networksrsquo Application Usage amp Risk Report highlights actual behavior of
900000 users across more than 60 organizations
- Applications are built for accessibility
- Tools that enable users to circumvent security are common
- File sharing usage ndash P2P and browser-based ndash is rampant
- Controls are failing ndash All had Firewalls many had IPS proxies amp URL filtering
Applications carry risks business continuity data loss compliance productivity and operations costs
Enterprise 20 Applications and Risks Widespread
copy 2011 Palo Alto Networks Proprietary and Confidential Page 17 |
Palo Alto Networksrsquo latest Application Usage amp Risk Report highlights actual behavior of 1M+ users in 1253 organizations
- More enterprise 20 application use for personal and business reasons
- Tunneling and port hopping are common
- Bottom line all had firewalls most had IPS proxies amp URL filtering ndash but none of these organizations could control what applications ran on their networks
[Bar chart: frequency of detection per application (axis 0–80%); applications shown: RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge, Gpass]
• Remote Access
- 27 variants, found 95% of the time
• External Proxies
- 22 variants, found 76% of the time
• Encrypted Tunnels
- Non-VPN related – found 30% of the time
Users Will Find A Way…
Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010
From the news
Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on
• Port-based FW + App Ctrl (IPS) = two policies: a port policy decision in the firewall, then an app control policy decision in the IPS
• Applications are threats: only block what you expressly look for
Implications
• Network access decision is made with no information
• Cannot safely enable applications
[Diagram: port traffic → Firewall → IPS → Applications]
NGFW Application Control
• Application control is in the firewall = single policy: the app control policy decision and the scan of the application for threats happen in one place
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
[Diagram: application traffic → Firewall + IPS → Applications]
HTTP: Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%) – proxies cannot deal with it
• Browser-based applications are 46% – some work with proxies and some don't
• Web browsing is 23%
[Chart: All HTTP Applications, split into Web Browsing and Browser-based Applications]
Application Control vs Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
- Enhancing productivity
- Giving competitive advantage to the business
• It's all about visibility and control
- Who is using what
- Control and secure modern applications
- Control feature use
Palo Alto – Next Generation FW
New Requirements for Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access / functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility: App-ID identifies and controls 1300+ applications
Integrated Rather Than Co-Located IPS: Content-ID includes full IPS without compromising performance
Extra-Firewall Intelligence to Identify Users: User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities: packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
Support for "bump in the wire" deployments
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers
Gartner's Recommendations: move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS, or the combination of the two
Unique Technologies Transform the Firewall
App-ID: identify the application
User-ID: identify the user
Content-ID: scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of more than 1200+ applications, distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5-10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user, application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
- Uniform signature engine scans for a broad range of threats in a single pass
- Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into the file to determine type – not extension based
• Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000's of URLs/sec)
- Dynamic DB adapts to local, regional or industry focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work related web surfing
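Two of the Content-ID ideas on this slide, deciding a file's type from its bytes rather than its name and looking for credit-card and SSN patterns in the stream, are concrete enough to show in code. The block below is an added example, not Palo Alto Networks code: a small inspector that classifies a transfer by leading magic bytes, flags an extension that disagrees with the content, and reports card numbers only when they pass the Luhn check so random digit runs are not counted. The file names, sample bytes and the blocked-type list are constructed for the demonstration.

```python
"""Content inspection by file content and data patterns (added example).

Not Palo Alto Networks code: an illustration of two Content-ID ideas from
the slide - decide a file's type from its bytes rather than its extension,
and look for credit-card and SSN patterns. Sample files are constructed.
"""
import re

# Leading bytes that identify common container and executable formats.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),                         # also docx/xlsx/pptx/jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy Office (doc/xls)
    (b"MZ", "exe"),                                 # Windows PE
    (b"\x7fELF", "elf"),
]
ZIP_EXTENSIONS = {"zip", "docx", "xlsx", "pptx", "jar"}
BLOCKED_TYPES = {"exe", "elf"}                      # constructed policy

# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
CC_RE = re.compile(rb"\b(?:\d[ -]?){12,15}\d\b")
# US SSN in the usual AAA-GG-SSSS form, excluding invalid area/group/serial values.
SSN_RE = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def detect_type(data: bytes) -> str:
    """Classify by content, not by the name the sender chose."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(data: bytes):
    found = []
    for m in CC_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(digits):
            found.append(digits)
    return found


def inspect_transfer(filename: str, data: bytes) -> dict:
    """Return the verdict and the reasons for it."""
    actual = detect_type(data)
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = []
    if actual in BLOCKED_TYPES:
        reasons.append("blocked-type:" + actual)
    # Extension spoofing: the bytes say one thing, the name says another.
    if claimed and actual != "unknown" and claimed != actual:
        if not (actual == "zip" and claimed in ZIP_EXTENSIONS):
            reasons.append("type-mismatch:%s-as-%s" % (actual, claimed))
    cards = find_card_numbers(data)
    if cards:
        reasons.append("credit-card-numbers:%d" % len(cards))
    if SSN_RE.search(data):
        reasons.append("ssn-pattern")
    return {"type": actual, "verdict": "block" if reasons else "allow", "reasons": reasons}


# Constructed sample transfers.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",  # PE renamed .pdf
    "q3.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 16,
    "notes.txt": b"Card on file: 4111 1111 1111 1111, SSN 123-45-6789\n",
    "ref.txt": b"Ticket 1234 5678 9012 3456 closed\n",                              # fails Luhn
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, inspect_transfer(name, data))
```

The renamed executable is caught twice, once as a blocked type and once as a name/content mismatch, which is the behaviour the slide's "not extension based" bullet is about; the ticket number in `ref.txt` is not reported because it fails Luhn.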
Palo Alto Networks IPS: Protection + Performance
• NSS Labs, the world's largest security and performance testing lab, have recently completed in-depth IPS testing of the Palo Alto Networks' next-gen firewall. Our solution was tested against 1,179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided the hard proof of what our next-generation firewalls can really do. Key results include:
• The highest IPS block rate in recent history (93.4%)
• 100% resistance to IPS evasion techniques
• Simple IPS configuration and tuning
• Provided all the above while exceeding the datasheet performance metrics by 115%
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10Gbps, Low Latency
PA-5000 Series Architecture
Switch fabric
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual solid-state drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Block diagram: the control plane (quad-core CPU, RAM, dual SSD) is separate from the data plane; on the data plane the network processor (QoS, flow control, route/ARP/MAC lookup, NAT) feeds the switch fabric at 20 Gbps, which connects three security processor groups (multiple CPUs, RAM, SSL/IPSec/de-compress offload each) and two signature match engines at 10 Gbps]
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 Million concurrent sessions
Traditional Multi-Pass Architectures are Slow
[Diagram: four separate devices in series, each with its own port/protocol-based ID, L2/L3 networking, HA, config management and reporting: Firewall Policy; HTTP Decoder + URL Filtering Policy; IPS Decoder + IPS Signatures + IPS Policy; AV Decoder & Proxy + AV Signatures + AV Policy]
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory, or by IP address
Palo Alto – Network Sniffer
Visibility into Applications, Users & Content
[Screenshot: user hzielinski, filtered on Skype; remove the Skype filter to expand the view of hzielinski]
Palo Alto – Rich reports
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode – connect to SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping – max/guaranteed and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active/Active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
Models: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
NGFW for mobile devices
Today: Quality of Security Tied to Location
[Diagram: inside the enterprise network – security based on best-practices, full-featured NGFW and threat prevention; outside – no network security, security based on best-effort, exposed to threats, botnets, risky app usage and more]
Introducing GlobalProtect
• Users never go "off-network" regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
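The four "how it works" steps describe one decision pipeline: decide where the host is, tunnel if it is outside, carry a host profile with the session, and let the gateway combine user, application and host state in a single policy. The block below is an added example, not GlobalProtect code: it sketches that pipeline so the effect of the host information profile on the verdict is visible. The corporate address ranges, user/group mapping, patch baseline, application names and host profiles are all constructed.

```python
"""Location-aware gateway policy with a host information profile (added example).

Not GlobalProtect code. Network ranges, users, groups, applications and
host profiles below are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass

# Step 1: the agent decides location by checking its address against corporate ranges.
ENTERPRISE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.50.0/24")]


def on_enterprise_network(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ENTERPRISE_NETS)


@dataclass(frozen=True)
class HostProfile:
    asset_type: str        # "corporate" or "personal"
    patch_level: str       # ISO date of the last applied patch set
    disk_encrypted: bool


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    client_ip: str
    hip: HostProfile


USER_GROUPS = {"alice": {"finance"}, "bob": {"netops"}}
MIN_PATCH_LEVEL = "2011-08-01"   # constructed baseline; ISO dates compare as strings


def hip_compliant(hip: HostProfile) -> bool:
    return (hip.asset_type == "corporate" and hip.disk_encrypted
            and hip.patch_level >= MIN_PATCH_LEVEL)


# Step 4: one policy, evaluated top-down, first match wins.
# (application, required group or None for any user, compliant host required?)
POLICY = [
    ("web-browsing", None, False),
    ("erp", "finance", True),     # financial data only from managed, encrypted, patched hosts
    ("ssh", "netops", True),
]


def decide(req: Request) -> dict:
    # Steps 1-2: off-network hosts reach the gateway through the agent's SSL VPN tunnel;
    # the policy that follows is the same either way.
    path = "direct" if on_enterprise_network(req.client_ip) else "ssl-vpn"
    # Step 3: the profile travels with the request and is evaluated per decision.
    compliant = hip_compliant(req.hip)
    groups = USER_GROUPS.get(req.user, set())
    for app, group, need_hip in POLICY:
        if app != req.app or (group is not None and group not in groups):
            continue
        if need_hip and not compliant:
            return {"path": path, "verdict": "deny", "reason": "host-profile-noncompliant"}
        return {"path": path, "verdict": "allow", "reason": "rule:" + app}
    return {"path": path, "verdict": "deny", "reason": "no-matching-rule"}


GOOD_HOST = HostProfile("corporate", "2011-09-15", True)
STALE_HOST = HostProfile("corporate", "2011-03-01", True)
PERSONAL_HOST = HostProfile("personal", "2011-09-15", False)

SAMPLE_REQUESTS = [
    Request("alice", "erp", "10.1.2.3", GOOD_HOST),         # on-network, compliant host
    Request("alice", "erp", "203.0.113.7", GOOD_HOST),      # off-network, same policy applies
    Request("alice", "erp", "203.0.113.7", STALE_HOST),     # right group, unpatched host
    Request("alice", "web-browsing", "203.0.113.7", PERSONAL_HOST),
    Request("bob", "erp", "10.1.2.3", GOOD_HOST),           # wrong group
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.user, r.app, r.client_ip, decide(r))
```

The second and third requests differ only in the host profile: the same user on the same tunnel is allowed from a patched corporate laptop and denied from a stale one, which is the point of feeding the profile into the same rule base as user and application.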
Zero Day Attacks Protection: a sandbox at the core
Flexible Deployment Options
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate segmentation
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
[Diagram: Datacenter 1, Datacenter 2; Segment A, Segment B, Segment C]
Palo Alto Networks Next-Gen Firewalls
PA-4050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 8 SFP, 16 copper gigabit
PA-4020: 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions; 8 SFP, 16 copper gigabit
PA-4060: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050: 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions; 4 SFP, 16 copper gigabit
PA-2020: 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions; 2 SFP, 12 copper gigabit
PA-500: 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions; 8 copper gigabit
PA-5050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020: 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions; 8 SFP, 12 copper gigabit
PA-5060: 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You – Zion Ezra, VP Sales
POC and AVR Report
AVR Report
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
• Need to Restore Visibility and Control in the Firewall
• BUT… Applications Have Changed (collaboration, media, SaaS, personal)
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Exploit protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Need to perform across all applications
• Need to block the unknown
Conclusion: advanced-malware protection belongs in a next generation firewall
DEMO: httpsca2demopaloaltonetworkscomesploginesp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach: extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
[Block diagram: the PA-5000 Series architecture slide repeated – switch fabric (80 Gbps interconnect, 20 Gbps QoS engine); signature match hardware engine (stream-based uniform signature match for vulnerability exploits (IPS), virus, spyware, CC#, SSN and more); security processors (high density parallel processing; hardware acceleration for SSL, IPSec, decompression); control plane (highly available management, high speed logging and route update, dual hard drives, quad-core CPU, RAM); network processor (20 Gbps front-end processing; hardware accelerated per-packet route lookup, MAC lookup and NAT); separate 10 Gbps data plane and control plane]
Source: Gartner, as of March 2010
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
[Diagram: RPC, SMB, SQL, SharePoint and NetBIOS shown across Port 135, Port 137, Port 139, Port 80 and Port 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports – fundamentally breaking port-based network security
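The claim that "Ports ≠ Applications" on this slide, and the two-policy versus single-policy comparison on the earlier "Why Visibility & Control Must Be In The Firewall" slide, are easiest to see side by side in code. The block below is an added example, not Palo Alto Networks code: a toy classifier that identifies the application from the first client bytes of a flow (SSH banner, TLS ClientHello, HTTP request line, RDP/TPKT connection request) regardless of destination port, followed by two policy models run over the same constructed flows, one keyed on port alone and one keyed on application and user group in the positive-enforcement style the page describes. The users, groups, flows and rule set are constructed for the demonstration.

```python
"""Port-based vs application-based policy decisions (added example).

Not Palo Alto Networks code. The sample flows, usernames and group
memberships below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_user: str     # user mapped to the source IP (User-ID style lookup)
    dst_port: int
    payload: bytes    # first bytes sent by the client


def identify_app(payload: bytes) -> str:
    """Fingerprint the application from its first client bytes, ignoring the port."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record: type 22 (handshake), version 3.x, handshake type 1 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    if re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", payload):
        return "web-browsing"
    # RDP opens with a TPKT header (version 3) carrying an X.224 Connection Request (0xE0)
    if len(payload) >= 7 and payload[0:2] == b"\x03\x00" and payload[5] == 0xE0:
        return "rdp"
    return "unknown"


# Legacy model: the decision is made on the destination port alone.
PORT_POLICY_ALLOWED_PORTS = {80, 443}


def port_based_decision(flow: Flow) -> str:
    return "allow" if flow.dst_port in PORT_POLICY_ALLOWED_PORTS else "deny"


# Constructed directory: user -> groups.
USER_GROUPS = {"alice": {"finance"}, "bob": {"netops"}}

# Application-based policy, evaluated top-down, first match wins.
# (application, required group or None for any user)
APP_POLICY = [
    ("web-browsing", None),
    ("ssl", None),
    ("ssh", "netops"),
    ("rdp", "netops"),
]


def app_based_decision(flow: Flow) -> str:
    """Positive enforcement: allow only what a rule names, deny everything else."""
    app = identify_app(flow.payload)
    groups = USER_GROUPS.get(flow.src_user, set())
    for rule_app, group in APP_POLICY:
        if rule_app == app and (group is None or group in groups):
            return "allow"
    return "deny"


# Constructed sample flows.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03" + b"\x00" * 32
RDP_CONNECT = b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"
SAMPLE_FLOWS = [
    Flow("alice", 443, TLS_CLIENT_HELLO),                       # HTTPS on 443
    Flow("alice", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),              # SSH tunnelled over 443
    Flow("bob", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),                 # SSH on its standard port
    Flow("alice", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow("bob", 3389, RDP_CONNECT),                              # RDP from a netops user
    Flow("alice", 443, b"\x00\x01\x02\x03\x04\x05\x06"),         # unknown protocol on 443
]


def compare_policies(flows):
    """Return (user, port, app, port_decision, app_decision) for each flow."""
    return [
        (f.src_user, f.dst_port, identify_app(f.payload),
         port_based_decision(f), app_based_decision(f))
        for f in flows
    ]


if __name__ == "__main__":
    for row in compare_policies(SAMPLE_FLOWS):
        print("user=%-5s port=%-4d app=%-12s port-policy=%-5s app-policy=%s" % row)
```

The second and sixth flows are the ones the slide is about: port 443 is open, so the port-based rule admits an SSH session and an unidentified protocol it never looked at, while the application-based rule denies both. The third and fifth flows show the reverse case, where a port-only rule would block administrators from tools the application-based policy permits to their group.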
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5050: 10 Gbps FW; 5 Gbps threat prevention; 4 Gbps IPSec VPN; 10,000 SSL VPN users; 2,000,000 sessions; up to 125 VSYS; (4) SFP+ (10 Gig) I/O, (8) SFP (1 Gig) I/O, (12) 10/100/1000
PA-5020: 5 Gbps FW; 2 Gbps threat prevention; 2 Gbps IPSec VPN; 5,000 SSL VPN users; 1,000,000 sessions; up to 20 VSYS; (8) SFP (1 Gig) I/O, (12) 10/100/1000
PA-5060: 20 Gbps FW; 10 Gbps threat prevention; 4 Gbps IPSec VPN; 20,000 SSL VPN users; 4,000,000 sessions; up to 225 VSYS; (4) SFP+ (10 Gig) I/O, (8) SFP (1 Gig) I/O, (12) 10/100/1000
All models:
• Hot swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user, group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates, operational and management overhead
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram: malware, botnets and exploits stopped at the firewall for users inside and outside the network]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with enterprise directory
- Content-ID: threats, URLs, data
- High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
Source: Gartner
Gartner: Palo Alto Networks is a Leader
• Enterprises need next-generation firewalls
- In 2010 and 2011, Gartner saw market pressures accelerate the demand and available offerings for next-generation firewall (NGFW) platforms that provide the capability to detect and block sophisticated attacks, as well as enforce granular security policy at the application (versus port and protocol) level
- As enterprises increase the use of Web-based applications — with more complex connections within applications, more complex data centers and more data being presented to customers — firewalls have had to keep up with features and performance to meet these changing needs
- Less than 5% of Internet connections today are secured using NGFWs. By year-end 2014, this will rise to 35% of the installed base, with 60% of new purchases being NGFWs
• Gartner notes:
- "Palo Alto Networks' high-performance NGFW functionality continues to drive competitors to react in the firewall market. It is assessed as a Leader mostly because of its NGFW design, redirection of the market along the NGFW path, consistent displacement of Leaders and Challengers, and market disruption forcing Leaders to react"
About the Founder
• 2005-today: Founder and CTO at Palo Alto Networks
- Next Generation Firewall
• 2002-2005: CTO at NetScreen/Juniper
• 2000-2002: Founder and CTO at OneSecure
- World's first Network IPS
• 1994-1999: Principal Engineer at Check Point Software
Leading Organizations Trust Palo Alto Networks Health Care Financial Services Government
Mfg High Tech Energy Education Service Providers Services
Media Entertainment Retail
Health amp Finance
Service Providers
Industry amp
Retail Media amp
Communication
Government Hi Tech
InnoCom Customers - Palo Alto Networks
משרד ndashנתיב
ראש הממשלה
The Modern Threats amp attacks
11
Known Attacks
bait exploit download back
channel steal
The 5 Steps for Smart Attacks
protection is needed at all stages
Applications Carry Risk
copy 2011 Palo Alto Networks Proprietary and Confidential Page 14 |
Applications can be ldquothreatsrdquo
bull P2P file sharing tunneling applications anonymizers
mediavideo
Applications carry threats
bull Qualys Top 20 Vulnerabilities ndash majority result in application-
level threats
Applications amp application-level threats result in major breaches ndash RSA Comodo FBI
exploits come in thru many applications
copy 2009 Palo Alto Networks Proprietary and Confidential Page 16 | copy 2009 Palo Alto Networks Proprietary and Confidential Page 16 |
Application Control Efforts are Failing bull Palo Alto Networksrsquo Application Usage amp Risk Report highlights actual behavior of
900000 users across more than 60 organizations
- Applications are built for accessibility
- Tools that enable users to circumvent security are common
- File sharing usage ndash P2P and browser-based ndash is rampant
- Controls are failing ndash All had Firewalls many had IPS proxies amp URL filtering
Applications carry risks business continuity data loss compliance productivity and operations costs
Enterprise 20 Applications and Risks Widespread
copy 2011 Palo Alto Networks Proprietary and Confidential Page 17 |
Palo Alto Networksrsquo latest Application Usage amp Risk Report highlights actual behavior of 1M+ users in 1253 organizations
- More enterprise 20 application use for personal and business reasons
- Tunneling and port hopping are common
- Bottom line all had firewalls most had IPS proxies amp URL filtering ndash but none of these organizations could control what applications ran on their networks
3
3
9
13
15
14
15
27
30
30
42
53
62
76
80
00 20 40 60 80
RDP
SSH
telnet
LogM eIn
Team Viewer
CGIProxy
PHProxy
CoralCDN
FreeGate
Glype Proxy
Tor
Ham achi
UltraSurf
Gbridge
Gpass
bull Remote Access
- 27 variants found 95 of the time
bull External Proxies
- 22 variants found 76 of the time
bull Encrypted Tunnels
- Non-VPN related ndash found 30 of the time
Users Will Find A Wayhellip
Source Palo Alto Networks Application Usage and Risk Report
Spring 2010
copy 2008 Palo Alto Networks Proprietary and Confidential Page 20 |
From The news
Why Visibility amp Control Must Be In The Firewall
copy 2011 Palo Alto Networks Proprietary and Confidential Page 21 |
bullPort Policy Decision
bullApp Ctrl Policy Decision
Application Control as an Add-on
bull Port-based FW + App Ctrl (IPS) = two policies
bull Applications are threats only block what you expressly look for
Implications
bull Network access decision is made with no information
bull Cannot safely enable applications
IPS
Applications
Firewall
Port Traffic
Firewall IPS
bullApp Ctrl Policy Decision
bullScan Application for Threats
Applications
Application Traffic
NGFW Application Control
bull Application control is in the firewall = single policy
bull Visibility across all ports for all traffic all the time
Implications
bull Network access decision is made based on application identity
bull Safely enable application usage
copy 2008 Palo Alto Networks Proprietary and Confidential Page 22 |
HTTP Universal Application Protocol
bull HTTP is 64 of enterprise bandwidth
bull Most HTTP traffic is clientserver (54) ndash proxies cannot deal with it
bull Browser-based applications are 46 - some work with proxies and some donrsquot
bull Web browsing is 23
All HTTP Applications
Web Browsing
Browser-based Applications
Application Control vs Blocking
bull Blocking applications even if possible is not the answer
bull Yes there are harmful applications that need to be blocked
bull Many ldquoWeb 20rdquo applications are useful
- Enhancing productivity
- Giving competitive advantage to the business
bull Itrsquos all about visibility and control
- Who is using what
- Control and secure modern applications
- Control features use
Palo Alto
Palo Alto ndash Next Generation FW
copy 2008 Palo Alto Networks Proprietary and Confidential Page 24 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 25 |
New Requirements for Security Device
1 Identify applications regardless of port protocol evasive tactic or SSL
2 Identify users regardless of IP address
3 Granular visibility and policy control over application access functionality
4 Protect in real-time against threats embedded across applications
5 Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
copy 2009 Palo Alto Networks Proprietary and Confidential Page 26 |
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility
App-ID Identifies and controls 1300+ applications
Integrated Rather Than Co-Located IPS
Content-ID includes full IPS without compromising performance
Extra-Firewall Intelligence to Identify Users
User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities
Packet filtering state flexible NAT IPSec SSL VPNs etc
Support ldquobump in the wirerdquo Deployments
In ldquoDefining the Next-Generation Firewallrdquo
Gartner describes what Palo Alto Networks already delivers
Gartnerrsquos Recommendations
Move to next-generation firewalls at the next refresh
opportunity ndash whether for firewall IPS or the
combination of the two
copy 2008 Palo Alto Networks Proprietary and Confidential Page 28 |
Unique Technologies Transform the Firewall
App-ID: identify the application
User-ID: identify the user
Content-ID: scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of 1200+ applications distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5–10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user, application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
- Uniform signature engine scans for a broad range of threats in a single pass
- Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into the file to determine type – not extension based
• Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000's of URLs/sec)
- Dynamic DB adapts to local, regional or industry-focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work-related web surfing
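Two of the Content-ID points above, stream-based scanning and type detection from file content rather than extension, are easy to show in a few lines. The Python below is an added example for this page, not Palo Alto Networks code; its magic-byte table, CC/SSN patterns and the SAMPLE text are constructed for illustration. The scanner keeps only a short tail between chunks, so a card number that straddles a chunk boundary is still caught without buffering the whole file, and a Luhn check drops random 16-digit runs.

```python
"""Stream-based content checks of the kind the Content-ID slide lists.

Added example for this page, not Palo Alto Networks code.  Signatures,
patterns and the sample data below are constructed for illustration.
"""
import re

# Leading-byte signatures for a few common types (constructed, not exhaustive).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),       # also the container used by docx/xlsx/jar
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
]


def file_type(first_bytes):
    """Type from content; the file name plays no part."""
    for sig, name in MAGIC:
        if first_bytes.startswith(sig):
            return name
    return "unknown"


# 16 digits with optional single space/dash separators; 3-2-4 digits for SSN.
PATTERNS = {
    "cc": re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)"),
    "ssn": re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
}
MAX_LEN = 19  # longest match either pattern can produce


def luhn_ok(digits):
    """Luhn checksum; weeds out most random 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class StreamScanner:
    """Feed chunks as they arrive; hits carry their offset in the stream."""

    def __init__(self):
        self.tail = b""    # bytes carried over so a split match can be re-checked
        self.offset = 0    # stream offset of self.tail[0]
        self.seen = set()
        self.hits = []

    def _scan(self, buf, base, final):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(buf):
                # A match touching the buffer edge may be part of a longer
                # digit run not seen yet: defer it until the next chunk.
                if m.start() == 0 and base != 0:
                    continue
                if m.end() == len(buf) and not final:
                    continue
                key = (kind, base + m.start())
                if key in self.seen:
                    continue
                text = m.group().decode()
                if kind == "cc" and not luhn_ok(re.sub(r"[ -]", "", text)):
                    continue
                self.seen.add(key)
                self.hits.append((kind, base + m.start(), text))

    def feed(self, chunk):
        buf = self.tail + chunk
        self._scan(buf, self.offset, final=False)
        keep = min(len(buf), MAX_LEN + 1)  # one byte of context plus the longest pattern
        self.offset += len(buf) - keep
        self.tail = buf[len(buf) - keep:]

    def finish(self):
        self._scan(self.tail, self.offset, final=True)
        self.tail = b""
        return sorted(self.hits, key=lambda h: h[1])


def scan_in_chunks(data, chunk_size):
    """Run the whole stream through the scanner chunk_size bytes at a time."""
    sc = StreamScanner()
    for i in range(0, len(data), chunk_size):
        sc.feed(data[i:i + chunk_size])
    return sc.finish()


# Constructed sample: a Luhn-valid card number, an SSN-shaped value, and a
# 16-digit reference that fails Luhn and must not be reported.
SAMPLE = (b"Invoice 2024-0173 for customer 4111 1111 1111 1111, "
          b"SSN on file 078-05-1120, ref 1234567890123456 (internal id)")
```

`scan_in_chunks(SAMPLE, 10)` returns the same two hits as feeding the whole buffer at once, which is the property a stream-based engine needs; `file_type(b"MZ\x90\x00")` reports a PE executable whatever the file is called.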
• NSS Labs, the world's largest security and performance testing lab, has recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. Our solution was tested against 1,179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided hard proof of what our next-generation firewalls can really do. Key results include:
• The highest IPS block rate in recent history (93.4%)
• 100% resistance to IPS evasion techniques
• Simple IPS configuration and tuning
• Provided all the above while exceeding the datasheet performance metrics by 115%
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, Low Latency
PA-5000 Series Architecture
[Block diagram: a 20 Gbps Network Processor (QoS, flow control, route/ARP/MAC lookup, NAT) on a Data Plane Switch Fabric with 10 Gbps links; three security-processor blocks, each labelled Signature Match, SSL/IPSec/De-Compress, CPU 1 … CPU 12 and RAM; a Control Plane with a quad-core CPU, RAM and dual SSDs]
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual solid-state drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 million concurrent sessions
Traditional Multi-Pass Architectures are Slow
[Diagram: four serial passes, each with its own Port/Protocol-based ID, L2/L3 networking, HA, config management and reporting: Firewall Policy; HTTP Decoder → URL Filtering Policy; IPS Decoder → IPS Signatures → IPS Policy; AV Decoder & Proxy → AV Signatures → AV Policy]
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto – Network Sniffer
Visibility into Applications, Users & Content
[Screenshot: user hzielinski, filter on Skype; remove Skype to expand the view of hzielinski]
Palo Alto – Rich Reports
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode – connect to SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping – max/guaranteed and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active/Active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
Models: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
NGFW for Mobile Devices
Today: Quality of Security Tied to Location
[Diagram: users inside the enterprise network vs. users outside it, exposed to botnets]
Enterprise Network Security • Security based on best practices • Full-featured NGFW and threat prevention
No Network Security • Security based on best effort • Exposed to threats, risky app usage and more
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
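The last step above, a gateway decision that uses the host information profile alongside user and application, is what the following Python models. It is an added example for this page, not GlobalProtect or PAN-OS code; the HIP fields (patch age, disk encryption, AV state), the check names and the three rules are assumptions chosen for illustration. A rule whose HIP requirements the host does not meet simply does not match, the same way a wrong user group or application would, and the decision does not depend on whether the laptop is on the LAN or on the SSL VPN tunnel.

```python
"""Gateway policy combining user group, identified application and host
information profile (HIP), as the GlobalProtect "how it works" slide lists.

Added example for this page, not GlobalProtect code.  HIP fields, check
names and the rules are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostProfile:
    """What the agent reports about the endpoint (assumed fields)."""
    patch_age_days: int
    disk_encrypted: bool
    av_running: bool


# Named HIP checks a rule can require (assumed names).
HIP_CHECKS = {
    "disk-encrypted": lambda h: h.disk_encrypted,
    "patched-30d": lambda h: h.patch_age_days <= 30,
    "av-running": lambda h: h.av_running,
}


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset   # user must be in one of these; empty = any user
    apps: frozenset     # identified application; empty = any app
    hip: frozenset      # every named check must pass
    action: str         # "allow" or "deny"


RULES = (
    Rule("finance-erp", frozenset({"finance"}), frozenset({"sap"}),
         frozenset({"disk-encrypted", "patched-30d", "av-running"}), "allow"),
    Rule("admin-remote", frozenset({"it-admins"}), frozenset({"ms-rdp", "ssh"}),
         frozenset({"disk-encrypted"}), "allow"),
    Rule("web", frozenset(), frozenset({"web-browsing", "ssl"}),
         frozenset({"av-running"}), "allow"),
)


def failed_checks(rule, hip):
    """HIP checks the rule requires that this host does not satisfy."""
    return sorted(c for c in rule.hip if not HIP_CHECKS[c](hip))


def decide(user_groups, app, hip, rules=RULES):
    """First-match evaluation.  Returns (action, rule name, near misses),
    where a near miss is a rule that matched user and app but whose HIP
    requirements failed; that is the information a help desk needs."""
    near_miss = []
    for r in rules:
        if r.groups and not (r.groups & user_groups):
            continue
        if r.apps and app not in r.apps:
            continue
        missing = failed_checks(r, hip)
        if missing:
            near_miss.append((r.name, missing))
            continue
        return r.action, r.name, []
    return "deny", "default-deny", near_miss


# Constructed endpoints
COMPLIANT = HostProfile(patch_age_days=7, disk_encrypted=True, av_running=True)
STALE = HostProfile(patch_age_days=45, disk_encrypted=True, av_running=True)
UNENCRYPTED = HostProfile(patch_age_days=3, disk_encrypted=False, av_running=True)
```

`decide({"finance"}, "sap", STALE)` ends in the default deny but reports that `finance-erp` would have matched if the host were patched, which is the difference between a silent drop and an actionable one.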
Zero-Day Attack Protection
A sandbox at the core
Flexible Deployment Options
Transparent In-Line / Firewall Replacement
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate segmentation
[Diagram: Datacenter 1 and Datacenter 2; Segments A, B and C]
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks Next-Gen Firewalls
PA-4050 • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions • 8 SFP, 16 copper gigabit
PA-4020 • 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions • 8 SFP, 16 copper gigabit
PA-4060 • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions • 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050 • 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions • 4 SFP, 16 copper gigabit
PA-2020 • 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions • 2 SFP, 12 copper gigabit
PA-500 • 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions • 8 copper gigabit
PA-5050 • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions • 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020 • 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions • 8 SFP, 12 copper gigabit
PA-5060 • 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions • 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You – Zion Ezra
VP Sales
POC and AVR Report
AVR Report
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
• Need to Restore Visibility and Control in the Firewall
[Application categories: Collaboration, Media, SaaS, Personal]
• BUT… Applications Have Changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Exploit protection
Many months pass between black-hat discovery, white-hat discovery and protection being available
Need to protect all applications
A sandbox at the core
Needs user-based access control
Needs high-speed IPS and AV
Need to perform across all applications
Need to block the unknown
Conclusion: advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach: extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
[Block diagram, same layout as the PA-5000 Series Architecture slide: a 20 Gbps Network Processor (QoS, flow control, route/ARP/MAC lookup, NAT) on a Data Plane Switch Fabric with 10 Gbps links; three security-processor blocks labelled Signature Match, SSL/IPSec/De-Compress, CPU 1 … CPU 12 and RAM; a Control Plane with a quad-core CPU, RAM and dual HDDs]
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
NGFW for Mobile Devices
Source: Gartner (March 2010)
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
[Diagram: RPC, SMS, SQL, SharePoint, SMB and NetBIOS mapped onto ports 135, 137, 139, 80 and 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports – fundamentally breaking port-based network security
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5050 • 10 Gbps FW • 5 Gbps threat prevention • 4 Gbps IPSec VPN • 10,000 SSL VPN users • 2,000,000 sessions • Up to 125 VSYS • (4) SFP+ (10 Gig) I/O • (8) SFP (1 Gig) I/O • (12) 10/100/1000
PA-5020 • 5 Gbps FW • 2 Gbps threat prevention • 2 Gbps IPSec VPN • 5,000 SSL VPN users • 1,000,000 sessions • Up to 20 VSYS • (8) SFP (1 Gig) I/O • (12) 10/100/1000
PA-5060 • 20 Gbps FW • 10 Gbps threat prevention • 4 Gbps IPSec VPN • 20,000 SSL VPN users • 4,000,000 sessions • Up to 225 VSYS • (4) SFP+ (10 Gig) I/O • (8) SFP (1 Gig) I/O • (12) 10/100/1000
• Hot-swappable fans, power supplies
• Dual solid-state hard drives
• Dedicated HA and management interfaces
• 2U standard rack-mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates, operational and management overhead
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram: malware, botnets and exploits kept outside the logical perimeter]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with enterprise directory
- Content-ID: threats, URLs, data
- High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
2011 Magic Quadrant for Enterprise Network Firewalls
Source: Gartner
Gartner: Palo Alto Networks is a Leader
• Enterprises need next-generation firewalls
- In 2010 and 2011, Gartner saw market pressures accelerate the demand and available offerings for next-generation firewall (NGFW) platforms that provide the capability to detect and block sophisticated attacks, as well as enforce granular security policy at the application (versus port and protocol) level.
- As enterprises increase the use of Web-based applications – with more complex connections within applications, more complex data centers and more data being presented to customers – firewalls have had to keep up with features and performance to meet these changing needs.
- Less than 5% of Internet connections today are secured using NGFWs. By year-end 2014, this will rise to 35% of the installed base, with 60% of new purchases being NGFWs.
• Gartner notes:
- "Palo Alto Networks' high-performance NGFW functionality continues to drive competitors to react in the firewall market. It is assessed as a Leader mostly because of its NGFW design, redirection of the market along the NGFW path, consistent displacement of Leaders and Challengers, and market disruption forcing Leaders to react."
About the Founder
• 2005–today: Founder and CTO at Palo Alto Networks
- Next Generation Firewall
• 2002–2005: CTO at NetScreen/Juniper
• 2000–2002: Founder and CTO at OneSecure
- World's first Network IPS
• 1994–1999: Principal Engineer at Check Point Software
Leading Organizations Trust Palo Alto Networks
[Customer logos by sector: Health Care, Financial Services, Government, Manufacturing, High Tech, Energy, Education, Service Providers, Services, Media & Entertainment, Retail]
InnoCom Customers – Palo Alto Networks
Nativ – Prime Minister's Office
The Modern Threats & Attacks
Known Attacks
The 5 Steps for Smart Attacks: bait, exploit, download, back channel, steal
Protection is needed at all stages
Applications Carry Risk
Applications can be "threats"
• P2P file sharing, tunneling applications, anonymizers, media/video
Applications carry threats
• Qualys Top 20 Vulnerabilities – majority result in application-level threats
Applications & application-level threats result in major breaches – RSA, Comodo, FBI
Exploits come in through many applications
Application Control Efforts are Failing
• Palo Alto Networks' Application Usage & Risk Report highlights actual behavior of 900,000 users across more than 60 organizations
- Applications are built for accessibility
- Tools that enable users to circumvent security are common
- File sharing usage – P2P and browser-based – is rampant
- Controls are failing – all had firewalls, many had IPS, proxies & URL filtering
Applications carry risks: business continuity, data loss, compliance, productivity and operations costs
Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks' latest Application Usage & Risk Report highlights actual behavior of 1M+ users in 1,253 organizations
- More Enterprise 2.0 application use for personal and business reasons
- Tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies & URL filtering – but none of these organizations could control what applications ran on their networks
[Bar chart, 0–80%: how often each application was found – RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge, Gpass]
• Remote Access
- 27 variants, found 95% of the time
• External Proxies
- 22 variants, found 76% of the time
• Encrypted Tunnels
- Non-VPN related – found 30% of the time
Users Will Find A Way…
Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010
From the News
Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on
[Diagram: a port-based firewall makes a "port policy decision" on port traffic; a separate IPS then makes an "app control policy decision" on the applications it sees]
• Port-based FW + App Ctrl (IPS) = two policies
• Applications are threats: only block what you expressly look for
Implications
• Network access decision is made with no information
• Cannot safely enable applications
NGFW Application Control
[Diagram: the firewall itself makes the "app control policy decision" on application traffic and scans the application for threats]
• Application control is in the firewall = single policy
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
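The contrast on this slide, and the point of the earlier "dynamic, random and heavily-used ports" slide, can be shown by running the same flows through both kinds of decision. The Python below is an added example for this page, not App-ID or any Palo Alto Networks code; the payload signatures, the five flows and the allow list are all constructed. The port-based view has only the destination port to go on, so it waves through whatever sits on tcp/443 and drops legitimate HTTP on an unusual port; the application-based view classifies on the first client bytes and, with a positive enforcement allow list, drops everything it does not recognise, "unknown" included.

```python
"""Port-based versus application-based access decisions over the same flows.

Added example for this page, not App-ID or other Palo Alto Networks code.
The payload signatures, the flows and the allow list are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dport: int
    payload: bytes  # first bytes the client sent


# Toy application signatures on the first client bytes (constructed).
SIGNATURES = (
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("ssl", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),  # TLS handshake record
    ("web-browsing", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")),
    ("smb", lambda p: len(p) >= 8 and p[4:8] in (b"\xffSMB", b"\xfeSMB")),
)
# What a port/protocol firewall assumes is behind each well-known port.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 445: "smb"}


def port_based_id(flow):
    """The port-based view: the destination port is the only information."""
    return PORT_TABLE.get(flow.dport, "unknown")


def app_id(flow):
    """The application view: what the payload says, whatever the port."""
    for name, matches in SIGNATURES:
        if matches(flow.payload):
            return name
    return "unknown"


# Positive enforcement model: the allow list is the whole policy.  Anything
# not on it, "unknown" included, is dropped.
ALLOWED_APPS = frozenset({"web-browsing", "ssl"})


def enforce(app):
    return "allow" if app in ALLOWED_APPS else "deny"


def compare(flows):
    """Per flow: (port view, port decision, app view, app decision)."""
    return [(port_based_id(f), enforce(port_based_id(f)), app_id(f), enforce(app_id(f)))
            for f in flows]


def disagreements(flows):
    """Indices of flows where the two views reach different decisions."""
    return [i for i, (_, pd, _, ad) in enumerate(compare(flows)) if pd != ad]


# Constructed flows
FLOWS = (
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"),
    Flow(443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),           # SSH carried on the HTTPS port
    Flow(8080, b"GET /api/v1/items HTTP/1.1\r\n"),   # HTTP on a non-standard port
    Flow(443, b"\x00\x00\x00\x2a\x01\x02\x03\x04"),  # nothing the signatures recognise
)
```

`disagreements(FLOWS)` returns the last three flows: the port view allows the SSH and the unrecognised traffic on 443 and denies the HTTP on 8080, while the application view does the opposite in each case. Real App-ID uses far richer classification than four prefix checks, but the decision structure, identify first and then apply one policy keyed on the result, is the one the slide describes.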
HTTP: Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%) – proxies cannot deal with it
• Browser-based applications are 46% – some work with proxies and some don't
• Web browsing is 23%
[Chart: All HTTP Applications split into Web Browsing and Browser-based Applications]
Application Control vs Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
- Enhancing productivity
- Giving competitive advantage to the business
• It's all about visibility and control
- Who is using what
- Control and secure modern applications
- Control feature use
Palo Alto
Palo Alto ndash Next Generation FW
copy 2008 Palo Alto Networks Proprietary and Confidential Page 24 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 25 |
New Requirements for Security Device
1 Identify applications regardless of port protocol evasive tactic or SSL
2 Identify users regardless of IP address
3 Granular visibility and policy control over application access functionality
4 Protect in real-time against threats embedded across applications
5 Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
copy 2009 Palo Alto Networks Proprietary and Confidential Page 26 |
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility
App-ID Identifies and controls 1300+ applications
Integrated Rather Than Co-Located IPS
Content-ID includes full IPS without compromising performance
Extra-Firewall Intelligence to Identify Users
User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities
Packet filtering state flexible NAT IPSec SSL VPNs etc
Support ldquobump in the wirerdquo Deployments
In ldquoDefining the Next-Generation Firewallrdquo
Gartner describes what Palo Alto Networks already delivers
Gartnerrsquos Recommendations
Move to next-generation firewalls at the next refresh
opportunity ndash whether for firewall IPS or the
combination of the two
copy 2008 Palo Alto Networks Proprietary and Confidential Page 28 |
Unique Technologies Transform the Firewall
App-ID
Identify the application
User-ID
Identify the user
Content-ID
Scan the content
copy 2008 Palo Alto Networks Proprietary and Confidential Page 29 |
App-ID Comprehensive Application Visibility
bull Policy-based control more than 1200+ applications distributed across five categories and 25 sub-categories
bull Balanced mix of business internet and networking applications and networking protocols
bull ~ 5 - 10 new applications added weekly
copy 2009 Palo Alto Networks Proprietary and Confidential Page 30 |
User-ID Enterprise Directory Integration
bull Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group not just the IP address
bull Understand user application and threat behavior based on actual AD username not just IP
bull Manage and enforce policy based on user andor AD group
bull Investigate security incidents generate custom reports
copy 2009 Palo Alto Networks Proprietary and Confidential Page 31 |
Content-ID Real-Time Content Scanning
bull Stream-based not file-based for real-time performance
- Uniform signature engine scans for broad range of threats in single pass
- Vulnerability exploits (IPS) viruses and spyware (both downloads and phone-home)
bull Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into file to determine type ndash not extension based
bull Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000rsquos URLssec)
- Dynamic DB adapts to local regional or industry focused surfing patterns
Detect and block a wide range of threats limit unauthorized data transfer and control non-work related web surfing
copy 2008 Palo Alto Networks Proprietary and Confidential Page 32 |
bullNSS Labs the worldrsquos largest security and performance testing lab have recently
completed in-depth IPS testing of the Palo Alto Networksrsquo next-gen firewall Our solution
was tested against 1179 live exploits in what was the industrys most comprehensive IPS
test to date The results were crystal clear and provided the hard proof of what our next-
generation firewalls can really do Key results include
bullbull The highest IPS block rate in recent history (934)
bull 100 resistance to IPS evasion techniques
bull Simple IPS configuration and tuning
bull Provided all the above while exceeding the datasheet performance metrics by 115
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 33 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2009 Palo Alto Networks Proprietary and Confidential Page 34 |
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
bull Operations once per packet
- Traffic classification (app identification)
- Usergroup mapping
- Content scanning ndash threats URLs confidential data
bull One policy
Parallel Processing
bull Function-specific hardware engines
bull Separate datacontrol planes
Up to 10Gbps Low Latency
copy 2011 Palo Alto Networks Proprietary and Confidential
PA-5000 Series Architecture
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual solid-state drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow
control
Route ARP MAC
lookup
NAT Switch
Fabric
Signature Match
Signature Match
SSL IPSec De-
Compress SSL IPSec
De-Compress
SSL IPSec De-
Compress
Quad-core
CPU CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
RAM
RAM
SSD
SSD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
bull 40+ processors
bull 30+ GB of RAM
bull Separate high speed data and control planes
bull 20 Gbps firewall throughput
bull 10 Gbps threat prevention throughput
bull 4 Million concurrent sessions
Traditional Multi-Pass Architectures are Slow
[Diagram: four separate passes, each with its own Port/Protocol-based ID, L2/L3 Networking, HA, Config Management and Reporting layer: Firewall Policy; HTTP Decoder with URL Filtering Policy; IPS Decoder with IPS Signatures and IPS Policy; AV Decoder & Proxy with AV Signatures and AV Policy]
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory, or IP address
[Screenshot: Palo Alto – Network Sniffer]
Visibility into Applications, Users & Content
[Screenshot: user hzielinski, filter on Skype; remove Skype to expand view of hzielinski]
[Screenshot: Palo Alto – Rich reports]
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
  - Dynamic routing (OSPF, RIPv2)
  - Site-to-site IPSec VPN
  - SSL VPN for remote access
  - Tap mode – connect to SPAN port
  - Virtual wire ("Layer 1") for true transparent in-line deployment
  - L2/L3 switching foundation
• QoS traffic shaping - Max/guaranteed and priority
  - By user, app, interface, zone and more
• Zone-based architecture
  - All interfaces assigned to security zones for policy enforcement
• High Availability
  - Active/Active
  - Configuration and session synchronization
  - Path, link and HA monitoring
• Virtual Systems
  - Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
[Product line-up: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060]
Enterprise Device and Policy Management
• Intuitive and flexible management
  - CLI, Web, Panorama, SNMP, Syslog
  - Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
  - Shared policies enable consistent application control policies
  - Consolidated management, logging and monitoring of Palo Alto Networks devices
  - Consistent web interface between Panorama and device UI
  - Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on current configuration, avoiding sync issues
NGFW for mobile devices
Today: Quality of Security Tied to Location
[Diagram: users on and off the enterprise network, exposed to botnets]
Enterprise Network Security
• Security Based on Best-Practices
• Full-Featured NGFW and Threat Prevention
No Network Security
• Security Based on Best-Effort
• Exposed to threats, risky app usage and more
Introducing GlobalProtect
• Users never go "off-network" regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
  - Small agent determines network location (on or off the enterprise network)
  - If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
  - Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
  - Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line / Firewall Replacement
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate segmentation
[Diagram: Datacenter 1 and Datacenter 2; Segment A, Segment B, Segment C]
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks Next-Gen Firewalls
PA-4050 • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions • 8 SFP, 16 copper gigabit
PA-4020 • 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions • 8 SFP, 16 copper gigabit
PA-4060 • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions • 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050 • 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions • 4 SFP, 16 copper gigabit
PA-2020 • 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions • 2 SFP, 12 copper gigabit
PA-500 • 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions • 8 copper gigabit
PA-5050 • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions • 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020 • 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions • 8 SFP, 12 copper gigabit
PA-5060 • 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions • 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
the innovative approach: extend security to all network traffic
Thank You
Zion Ezra, VP Sales
POC and AVR Report
AVR Report
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have limited view of traffic
• Turning on functions kills performance
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
  - Sees all traffic
  - Defines trust boundary
• Need to Restore Visibility and Control in the Firewall
• BUT… Applications Have Changed
  - Ports ≠ Applications
  - IP Addresses ≠ Users
  - Packets ≠ Content
[Diagram: application categories – Collaboration, Media, SaaS, Personal]
exploit protection
many months pass between black-hat discovery, white-hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion: advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY: doing the same thing over and over again and expecting different results
block applications and users
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
[Diagram: ports vs applications – Port 135, Port 137, Port 139, Port 80, Port 443, plus random high ports; applications RPC, SMS, SQL, SharePoint, SMB, NetBIOS]
Applications employ dynamic, random and heavily-used ports - fundamentally breaking port-based network security
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5050
• 10 Gbps FW
• 5 Gbps threat prevention
• 4 Gbps IPSec VPN
• 10,000 SSL VPN Users
• 2,000,000 sessions
• Up to 125 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5020
• 5 Gbps FW
• 2 Gbps threat prevention
• 2 Gbps IPSec VPN
• 5,000 SSL VPN Users
• 1,000,000 sessions
• Up to 20 VSYS
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5060
• 20 Gbps FW
• 10 Gbps threat prevention
• 4 Gbps IPSec VPN
• 20,000 SSL VPN Users
• 4,000,000 sessions
• Up to 225 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
All models:
• Hot swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
  - Stop a wide range of threats on all allowed traffic
  - Proven quality (NSS tested and "Recommended")
  - Security by policy, not hardwired into deployment
• Comply and Compartmentalize
  - Save time and cost to compliance with network segmentation
  - Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
  - With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
  - With simpler, easier deployments
  - With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates, operational and management overhead
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram: threats shown – malware, botnets, exploits]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
  - Users do what they want
  - Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
  - Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
  - App-ID: identify applications regardless of port, protocol or SSL encryption
  - User-ID: integrated with the enterprise directory
  - Content-ID: threats, URLs, data
  - High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
  - Flexible deployment options for seamless integration
  - Consolidation of functionality into the firewall simplifies and saves money
Gartner: Palo Alto Networks is a Leader
• Enterprises need next-generation firewalls
  - In 2010 and 2011, Gartner saw market pressures accelerate the demand and available offerings for next-generation firewall (NGFW) platforms that provide the capability to detect and block sophisticated attacks, as well as enforce granular security policy at the application (versus port and protocol) level
  - As enterprises increase the use of Web-based applications – with more complex connections within applications, more complex data centers and more data being presented to customers – firewalls have had to keep up with features and performance to meet these changing needs
  - Less than 5% of Internet connections today are secured using NGFWs. By year-end 2014, this will rise to 35% of the installed base, with 60% of new purchases being NGFWs
• Gartner notes:
  - "Palo Alto Networks' high-performance NGFW functionality continues to drive competitors to react in the firewall market. It is assessed as a Leader mostly because of its NGFW design, redirection of the market along the NGFW path, consistent displacement of Leaders and Challengers, and market disruption forcing Leaders to react."
About the Founder
• 2005-today: Founder and CTO at Palo Alto Networks
  - Next Generation Firewall
• 2002-2005: CTO at NetScreen/Juniper
• 2000-2002: Founder and CTO at OneSecure
  - World's first Network IPS
• 1994-1999: Principal Engineer at Check Point Software
Leading Organizations Trust Palo Alto Networks
[Customer logos by industry: Health Care, Financial Services, Government, Mfg, High Tech, Energy, Education, Service Providers, Services, Media, Entertainment, Retail]
InnoCom Customers - Palo Alto Networks
[Customer logos: Prime Minister's Office – Nativ]
The Modern Threats & Attacks
Known Attacks
The 5 Steps for Smart Attacks: bait, exploit, download, back channel, steal
protection is needed at all stages
Applications Carry Risk
Applications can be "threats"
• P2P file sharing, tunneling applications, anonymizers
[Diagram: media/video applications]
Applications carry threats
• Qualys Top 20 Vulnerabilities – the majority result in application-level threats
Applications & application-level threats result in major breaches – RSA, Comodo, FBI
exploits come in through many applications
Application Control Efforts are Failing
• Palo Alto Networks' Application Usage & Risk Report highlights actual behavior of 900,000 users across more than 60 organizations
  - Applications are built for accessibility
  - Tools that enable users to circumvent security are common
  - File sharing usage – P2P and browser-based – is rampant
  - Controls are failing – all had firewalls, many had IPS, proxies & URL filtering
Applications carry risks: business continuity, data loss, compliance, productivity and operations costs
Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks' latest Application Usage & Risk Report highlights actual behavior of 1M+ users in 1,253 organizations
  - More enterprise 2.0 application use, for personal and business reasons
  - Tunneling and port hopping are common
  - Bottom line: all had firewalls, most had IPS, proxies & URL filtering – but none of these organizations could control what applications ran on their networks
[Bar chart: percentage of organizations where each application was found (axis 0–80%); applications listed: RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge, Gpass]
• Remote Access
  - 27 variants, found 95% of the time
• External Proxies
  - 22 variants, found 76% of the time
• Encrypted Tunnels
  - Non-VPN related – found 30% of the time
Users Will Find A Way…
Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010
From the news
Why Visibility amp Control Must Be In The Firewall
Application Control as an Add-on
[Diagram: Port Traffic → Firewall (port policy decision) → IPS (app ctrl policy decision) → Applications]
• Port-based FW + App Ctrl (IPS) = two policies
• Applications are threats: only block what you expressly look for
Implications
• Network access decision is made with no information
• Cannot safely enable applications
NGFW Application Control
[Diagram: Application Traffic → Firewall + IPS (app ctrl policy decision, scan application for threats) → Applications]
• Application control is in the firewall = single policy
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
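The two diagrams above contrast an access decision made on port alone with one made on application identity, and the GlobalProtect steps earlier add the endpoint's host information profile (HIP) as a further input to the same decision. The following Python example is an added illustration for this page, not Palo Alto Networks code: it evaluates constructed sessions both ways, with a port-only check beside a first-match rulebase keyed on an App-ID-style application name, a User-ID-style group and HIP attributes, where no match means deny. Rule fields, group names, HIP attribute names and the sample sessions are all assumptions.

```python
# Added illustration (not Palo Alto Networks code): a minimal policy evaluator
# that decides on application identity, user group and host information profile,
# with a port-only decision computed alongside for contrast.
# Rule fields, group names and HIP attribute names are assumptions for the example.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Session:
    app: str                 # application identity as an App-ID-style classifier would report it
    dst_port: int            # the port the flow happens to use
    user: str
    groups: FrozenSet[str]   # directory groups supplied by a User-ID-style mapping
    hip: Dict[str, object]   # host information profile submitted by the endpoint agent


@dataclass(frozen=True)
class Rule:
    name: str
    apps: FrozenSet[str]
    groups: FrozenSet[str] = frozenset()              # empty: any user
    hip_required: Dict[str, object] = field(default_factory=dict)
    action: str = "allow"


def hip_satisfied(required: Dict[str, object], actual: Dict[str, object]) -> bool:
    """Every required HIP attribute must be present; numeric attributes are minimums."""
    for key, want in required.items():
        have = actual.get(key)
        if have is None:
            return False                  # a missing attribute never satisfies a check
        if isinstance(want, bool) or not isinstance(want, (int, float)):
            if have != want:
                return False
        elif have < want:
            return False
    return True


def evaluate(session: Session, rules: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins; no match means deny (positive enforcement model)."""
    for rule in rules:
        if session.app not in rule.apps:
            continue
        if rule.groups and not (session.groups & rule.groups):
            continue
        if not hip_satisfied(rule.hip_required, session.hip):
            continue
        return rule.name, rule.action
    return "default-deny", "deny"


def port_only_decision(dst_port: int, open_ports: FrozenSet[int] = frozenset({80, 443})) -> str:
    """What a port-based firewall decides: it sees the port, not the application."""
    return "allow" if dst_port in open_ports else "deny"


# Constructed rulebase: SSH/RDP only for authorized staff on compliant hosts,
# general web access for everyone, anonymizers blocked outright.
RULES: List[Rule] = [
    Rule("admin-remote-access", frozenset({"ssh", "rdp"}), frozenset({"it-admins"}),
         {"disk_encrypted": True, "patch_level": 15}),
    Rule("general-web", frozenset({"web-browsing", "ssl"})),
    Rule("block-anonymizers", frozenset({"tor", "ultrasurf"}), action="deny"),
]

# Constructed sample sessions (not captured traffic).
SESSIONS: Dict[str, Session] = {
    "ssh-over-443-admin": Session("ssh", 443, "hzielinski", frozenset({"it-admins"}),
                                  {"disk_encrypted": True, "patch_level": 17}),
    "ssh-over-443-sales": Session("ssh", 443, "jdoe", frozenset({"sales"}),
                                  {"disk_encrypted": True, "patch_level": 17}),
    "ssh-admin-unencrypted": Session("ssh", 22, "hzielinski", frozenset({"it-admins"}),
                                     {"disk_encrypted": False, "patch_level": 17}),
    "tor-over-443": Session("tor", 443, "jdoe", frozenset({"sales"}), {}),
    "web-over-443": Session("web-browsing", 443, "jdoe", frozenset({"sales"}), {}),
}


def compare_decisions(sessions: Dict[str, Session] = SESSIONS) -> Dict[str, Tuple[str, str, str]]:
    """For each session: (port-only decision, matched NGFW rule, NGFW action)."""
    out: Dict[str, Tuple[str, str, str]] = {}
    for name, s in sessions.items():
        rule, action = evaluate(s, RULES)
        out[name] = (port_only_decision(s.dst_port), rule, action)
    return out


if __name__ == "__main__":
    for name, (port_dec, rule, action) in compare_decisions().items():
        print(f"{name:24s} port-only={port_dec:5s}  ngfw={action:5s} ({rule})")
```

The port-only column allows every flow on 443, SSH and Tor included, while the rulebase admits SSH only for the it-admins member whose host reports an encrypted disk and a sufficient patch level.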
HTTP: Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%) – proxies cannot deal with it
• Browser-based applications are 46% - some work with proxies and some don't
• Web browsing is 23%
[Chart: All HTTP Applications, split into Web Browsing and Browser-based Applications]
Application Control vs. Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
  - Enhancing productivity
  - Giving competitive advantage to the business
• It's all about visibility and control
  - Who is using what
  - Control and secure modern applications
  - Control features use
[Screenshot: Palo Alto – Next Generation FW]
New Requirements for Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access / functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility: App-ID identifies and controls 1300+ applications
Integrated Rather Than Co-Located IPS: Content-ID includes full IPS without compromising performance
Extra-Firewall Intelligence to Identify Users: User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities: packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
Support "bump in the wire" Deployments
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers
Gartner's Recommendations: move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS or the combination of the two
Unique Technologies Transform the Firewall
App-ID: Identify the application
User-ID: Identify the user
Content-ID: Scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control: more than 1200+ applications distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5 - 10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
  - Leverage existing Active Directory infrastructure without complex agent rollout
  - Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
  - Uniform signature engine scans for a broad range of threats in a single pass
  - Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
  - Looks for CC and SSN patterns
  - Looks into the file to determine type – not extension based
• Web filtering enabled via fully integrated URL database
  - Local 20M URL database (76 categories) maximizes performance (1000's URLs/sec)
  - Dynamic DB adapts to local, regional or industry focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work related web surfing
• NSS Labs, the world's largest security and performance testing lab, have recently completed in-depth IPS testing of the Palo Alto Networks' next-gen firewall. Our solution was tested against 1,179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided the hard proof of what our next-generation firewalls can really do. Key results include:
  • The highest IPS block rate in recent history (93.4%)
  • 100% resistance to IPS evasion techniques
  • Simple IPS configuration and tuning
  • Provided all the above while exceeding the datasheet performance metrics by 115%
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 33 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2009 Palo Alto Networks Proprietary and Confidential Page 34 |
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
bull Operations once per packet
- Traffic classification (app identification)
- Usergroup mapping
- Content scanning ndash threats URLs confidential data
bull One policy
Parallel Processing
bull Function-specific hardware engines
bull Separate datacontrol planes
Up to 10Gbps Low Latency
copy 2011 Palo Alto Networks Proprietary and Confidential
PA-5000 Series Architecture
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual solid-state drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow
control
Route ARP MAC
lookup
NAT Switch
Fabric
Signature Match
Signature Match
SSL IPSec De-
Compress SSL IPSec
De-Compress
SSL IPSec De-
Compress
Quad-core
CPU CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
RAM
RAM
SSD
SSD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
bull 40+ processors
bull 30+ GB of RAM
bull Separate high speed data and control planes
bull 20 Gbps firewall throughput
bull 10 Gbps threat prevention throughput
bull 4 Million concurrent sessions
Page 35 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 36 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 37 |
Powerful Policy-Based Control
bull Browse more than 1300 applications based on name category technology or characteristic
bull Immediately translate results into positive enforcement model firewall rules
bull Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto
Palo Alto ndash Network Sniffer
copy 2008 Palo Alto Networks Proprietary and Confidential Page 38 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 39 |
Visibility into Applications Users amp Content
User hzielinski Filter on Skype
Remove Skype to expand view of hzielinski
Palo Alto
Palo Alto ndash Rich reports
copy 2008 Palo Alto Networks Proprietary and Confidential Page 40 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 41 |
Demo (offline) ndash Traffic Log
copy 2008 Palo Alto Networks Proprietary and Confidential Page 42 |
Enables Executive Visibility
copy 2009 Palo Alto Networks Proprietary and Confidential Page 43 |
PAN-OS Features
bull Strong networking foundation
- Dynamic routing (OSPF RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode ndash connect to SPAN port
- Virtual wire (ldquoLayer 1rdquo) for true transparent in-line deployment
- L2L3 switching foundation
bull QoS traffic shaping - Maxguaranteed and priority
- By user app interface zone and more
bull Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
bull High Availability
- Active Active
- Configuration and session synchronization
- Path link and HA monitoring
bull Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
bull Simple flexible management
- CLI Web Panorama SNMP Syslog
Visibility and control of applications users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
bull Intuitive and flexible management
- CLI Web Panorama SNMP Syslog
- Role-based administration enables delegation of tasks to appropriate person
bull Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACCmonitoring views log collection and reporting
bull All interfaces work on current configuration avoiding sync issues
NGFW for mobile devices
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line:
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement:
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate segmentation
[Slide diagram: Datacenter 1 and Datacenter 2, divided into Segment A, Segment B and Segment C]
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scans inbound and outbound SSL (decrypted) and compressed traffic
- Assures only authorized applications are using network resources
- Allows SSH/RDP, but only for authorized staff
Palo Alto Networks Next-Gen Firewalls
PA-4050 • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions
• 8 SFP, 16 copper gigabit
PA-4020 • 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions
• 8 SFP, 16 copper gigabit
PA-4060 • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions
• 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050 • 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions
• 4 SFP, 16 copper gigabit
PA-2020 • 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions
• 2 SFP, 12 copper gigabit
PA-500 • 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions
• 8 copper gigabit
PA-5050 • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions
• 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020 • 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions
• 8 SFP, 12 copper gigabit
PA-5060 • 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions
• 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
the innovative approach
extend security to all network traffic
Thank You – Zion Ezra
VP Sales
POC and AVR Report
AVR Report
UTM Is Still Sprawl…Just Slower
• Doesn’t solve the problem
• Firewall “helper” functions have a limited view of traffic
• Turning on functions kills performance
Traditional Multi-Pass Architectures are Slow
[Slide diagram: four serial passes, each carrying its own Port/Protocol-based ID, L2/L3 networking, HA, config management and reporting: Firewall Policy; HTTP Decoder with URL Filtering Policy; IPS Decoder with IPS Signatures and IPS Policy; AV Decoder & Proxy with AV Signatures and AV Policy]
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines the trust boundary
• Need to Restore Visibility and Control in the Firewall
Collaboration, Media, SaaS, Personal
• BUT…Applications Have Changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
exploit protection
many months pass between black-hat discovery, white-hat discovery, and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion: advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY: doing the same thing over and over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Slide diagram: a 20 Gbps data plane built from the network processor (QoS, flow control, route/ARP/MAC lookup, NAT), the switch fabric and three security processors, each with signature match and SSL/IPSec/decompression engines and CPUs 1 to 12 with RAM; 10 Gbps links to the control plane with its quad-core CPU, RAM and dual HDDs]
NGFW for mobile devices
Source: Gartner (March 2010)
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today’s network security is based on outdated assumptions…
[Slide diagram: RPC, SMS, SQL, SharePoint, SMB and NetBIOS spread across Port 135, Port 137, Port 139, Port 80 and Port 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security
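An added example, not Palo Alto Networks code, of why Ports ≠ Applications: the same constructed flows are classified first by destination port (what a port-based firewall knows) and then by what the first payload bytes say (the App-ID idea), and one positive-enforcement policy is applied to each result. The signatures, sample flows and allowed-application list are assumptions made for this illustration.

```python
"""Port-based vs application-based flow classification.

Added illustration of the "Ports != Applications" point; not Palo Alto
Networks code. Signatures, flows and the allow list are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes          # first bytes the client sent (constructed samples)


# What a traditional firewall assumes: the port tells you the application.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "ms-rdp", 445: "smb"}


def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dport, "unknown")


# Payload signatures: identify the application from the bytes, whatever the
# port. Constructed, minimal signatures for the example.
SIGNATURES = [
    ("ssh",          re.compile(rb"^SSH-2\.0-")),
    ("ms-rdp",       re.compile(rb"^\x03\x00")),             # TPKT header used by RDP
    ("bittorrent",   re.compile(rb"^\x13BitTorrent protocol")),
    ("web-browsing", re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
    ("ssl",          re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS handshake record
]


def classify_by_payload(flow: Flow) -> str:
    for app, pattern in SIGNATURES:
        if pattern.search(flow.payload):
            return app
    return "unknown"


# One positive-enforcement policy keyed on application identity: anything not
# explicitly allowed, including "unknown", is denied.
ALLOWED_APPS = {"web-browsing", "ssl"}


def decide(app: str) -> str:
    return "allow" if app in ALLOWED_APPS else "deny"


def evaluate(flows):
    """Return (port_app, payload_app, port_decision, payload_decision) per flow."""
    out = []
    for f in flows:
        p_app, a_app = classify_by_port(f), classify_by_payload(f)
        out.append((p_app, a_app, decide(p_app), decide(a_app)))
    return out


# Constructed sample flows; the interesting ones are the port hoppers.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example\r\n"),
    Flow("10.0.0.5", "203.0.113.11", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),       # SSH on 443
    Flow("10.0.0.7", "203.0.113.12", 80, b"\x13BitTorrent protocol\x00"),     # P2P on 80
    Flow("10.0.0.9", "203.0.113.13", 8443, b"\x16\x03\x01\x02\x00\x01\x00"),  # TLS on a high port
]

if __name__ == "__main__":
    for f, (p, a, pd, ad) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"dport={f.dport:<5} port-based={p:<13}/{pd:<5} app-based={a:<13}/{ad}")
```

The port-based column allows the SSH and BitTorrent sessions because they ride on 443 and 80, and denies the legitimate TLS session on 8443; the payload-based column reverses all three decisions, which is the visibility gap the slide is describing.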
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5050
• 10 Gbps FW
• 5 Gbps threat prevention
• 4 Gbps IPSec VPN
• 10,000 SSL VPN users
• 2,000,000 sessions
• Up to 125 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5020
• 5 Gbps FW
• 2 Gbps threat prevention
• 2 Gbps IPSec VPN
• 5,000 SSL VPN users
• 1,000,000 sessions
• Up to 20 VSYS
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5060
• 20 Gbps FW
• 10 Gbps threat prevention
• 4 Gbps IPSec VPN
• 20,000 SSL VPN users
• 4,000,000 sessions
• Up to 225 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
• Hot swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and “Recommended”)
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost of compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates, operational and management overhead
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Slide diagram: malware, botnets and exploits stopped at the firewalls for users in any location]
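The GlobalProtect flow described in this section (agent decides on- or off-network, tunnels to the nearest gateway over SSL VPN when off-network, submits a host information profile, and the gateway decides using user, application AND that profile), as an added example that is not GlobalProtect or PAN-OS code. The HostProfile fields, the patch_level scale (a constructed "days since last patch cycle"), the rule set and the sample endpoints are assumptions made for this illustration.

```python
"""Gateway policy that combines User-ID groups, App-ID names and a host
information profile (HIP). Added illustration, not PAN-OS code; schema,
rules and endpoints are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class HostProfile:
    """What the agent reports about the endpoint (constructed schema)."""
    asset_type: str        # "corporate-laptop", "byod", ...
    disk_encrypted: bool
    patch_level: int       # constructed: days since the last patch cycle, lower is better
    on_network: bool       # the agent's own location determination


@dataclass
class Rule:
    name: str
    users: set             # directory groups; "any" matches every user
    apps: set              # application names; "any" matches every app
    hip: dict = field(default_factory=dict)   # required HIP attributes
    action: str = "allow"


def connect_path(profile: HostProfile) -> str:
    """Steps 1 and 2: on-network hosts hit the local firewall directly,
    off-network hosts are tunnelled to the nearest gateway over SSL VPN."""
    return "direct" if profile.on_network else "ssl-vpn"


def hip_matches(required: dict, profile: HostProfile) -> bool:
    """Every required attribute must hold; patch_level is an upper bound."""
    for key, want in required.items():
        have = getattr(profile, key)
        if key == "patch_level":
            if have > want:
                return False
        elif have != want:
            return False
    return True


POLICY = [
    # Finance data only from encrypted corporate laptops patched within 30 days.
    Rule("finance-erp", {"finance"}, {"erp-web"},
         hip={"asset_type": "corporate-laptop", "disk_encrypted": True, "patch_level": 30}),
    # Any authenticated user may browse the web from any host.
    Rule("general-web", {"any"}, {"web-browsing", "ssl"}),
    # Explicit default deny.
    Rule("default-deny", {"any"}, {"any"}, action="deny"),
]


def decide(groups: set, app: str, profile: HostProfile, policy=POLICY) -> str:
    """First matching rule wins. Location is deliberately not an input:
    the same policy applies whether the host arrived directly or over the VPN."""
    for rule in policy:
        if not (rule.users & groups or "any" in rule.users):
            continue
        if not (app in rule.apps or "any" in rule.apps):
            continue
        if not hip_matches(rule.hip, profile):
            continue
        return f"{rule.action}:{rule.name}"
    return "deny:implicit"


# Constructed endpoints.
CORP_LAPTOP = HostProfile("corporate-laptop", True, 7, on_network=False)
UNPATCHED = HostProfile("corporate-laptop", True, 90, on_network=False)
BYOD = HostProfile("byod", False, 3, on_network=True)

if __name__ == "__main__":
    for groups, app, host in [({"finance"}, "erp-web", CORP_LAPTOP),
                              ({"finance"}, "erp-web", UNPATCHED),
                              ({"finance"}, "erp-web", BYOD),
                              ({"marketing"}, "web-browsing", BYOD)]:
        print(connect_path(host), app, decide(groups, app, host))
```

The unpatched corporate laptop and the unencrypted BYOD device both fall through to the default deny for the ERP application even though the user is in the right group, which is the "AND host information profile" part of the gateway decision.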
Regain Visibility and Control, Save Money
• IT can’t manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risk for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
About the Founder
• 2005–today: Founder and CTO at Palo Alto Networks
- Next Generation Firewall
• 2002–2005: CTO at NetScreen/Juniper
• 2000–2002: Founder and CTO at OneSecure
- World’s first Network IPS
• 1994–1999: Principal Engineer at Check Point Software
Leading Organizations Trust Palo Alto Networks
[Slide: customer logos grouped by sector: Health Care, Financial Services, Government, Manufacturing, High Tech, Energy, Education, Service Providers, Services, Media & Entertainment, Retail]
InnoCom Customers – Palo Alto Networks
[Slide: customer logos grouped by sector: Health & Finance, Service Providers, Industry & Retail, Media & Communication, Government, Hi Tech; including Nativ – Prime Minister’s Office]
The Modern Threats & Attacks
Known Attacks
bait, exploit, download, back channel, steal
The 5 Steps for Smart Attacks
protection is needed at all stages
Applications Carry Risk
Applications can be “threats”
• P2P file sharing, tunneling applications, anonymizers, media/video
Applications carry threats
• Qualys Top 20 Vulnerabilities – the majority result in application-level threats
Applications & application-level threats result in major breaches – RSA, Comodo, FBI
exploits come in through many applications
Application Control Efforts are Failing
• Palo Alto Networks’ Application Usage & Risk Report highlights the actual behavior of 900,000 users across more than 60 organizations
- Applications are built for accessibility
- Tools that enable users to circumvent security are common
- File sharing usage – P2P and browser-based – is rampant
- Controls are failing – all had firewalls, many had IPS, proxies & URL filtering
Applications carry risks: business continuity, data loss, compliance, productivity and operations costs
Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks’ latest Application Usage & Risk Report highlights the actual behavior of 1M+ users in 1,253 organizations
- More enterprise 2.0 application use for personal and business reasons
- Tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies & URL filtering – but none of these organizations could control what applications ran on their networks
[Bar chart: percentage of organizations (0–80% axis) in which each application was found: RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge, Gpass; values range from 3% to 80%]
• Remote Access
- 27 variants, found 95% of the time
• External Proxies
- 22 variants, found 76% of the time
• Encrypted Tunnels
- Non-VPN related – found 30% of the time
Users Will Find A Way…
Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010
From The News
Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on
[Slide diagram: the port-based firewall makes a Port Policy Decision on port traffic; a separate IPS then makes an App Ctrl Policy Decision on the applications]
• Port-based FW + App Ctrl (IPS) = two policies
• Applications are threats: only block what you expressly look for
Implications
• Network access decision is made with no information
• Cannot safely enable applications
NGFW Application Control
[Slide diagram: the firewall makes the App Ctrl Policy Decision on application traffic and scans the application for threats in the same device]
• Application control is in the firewall = single policy
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
HTTP: Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%) – proxies cannot deal with it
• Browser-based applications are 46% – some work with proxies and some don’t
• Web browsing is 23%
[Slide chart: All HTTP Applications split into Web Browsing and Browser-based Applications]
Application Control vs Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many “Web 2.0” applications are useful
- Enhancing productivity
- Giving competitive advantage to the business
• It’s all about visibility and control
- Who is using what
- Control and secure modern applications
- Control feature use
Palo Alto – Next Generation FW
New Requirements for the Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access / functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility
App-ID identifies and controls 1300+ applications
Integrated Rather Than Co-Located IPS
Content-ID includes a full IPS without compromising performance
Extra-Firewall Intelligence to Identify Users
User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities
Packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
Support “bump in the wire” Deployments
In “Defining the Next-Generation Firewall”, Gartner describes what Palo Alto Networks already delivers
Gartner’s Recommendations
Move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS or the combination of the two
Unique Technologies Transform the Firewall
App-ID: Identify the application
User-ID: Identify the user
Content-ID: Scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of more than 1200+ applications distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5–10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user, application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
- Uniform signature engine scans for a broad range of threats in a single pass
- Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into the file to determine type – not extension based
• Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000’s of URLs/sec)
- Dynamic DB adapts to local, regional or industry-focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work related web surfing
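An added example, not Palo Alto Networks code, of two Content-ID points above: stream-based scanning that carries the tail of each chunk forward so a credit card or SSN pattern split across two chunks is still caught without buffering the whole file, and file-type identification from the leading bytes rather than the extension. The patterns, the magic-number table, the Luhn filter and the sample upload are constructed for this illustration.

```python
"""Stream-based scanning for card numbers, SSNs and file type by content.

Added illustration in the spirit of Content-ID; not Palo Alto Networks code.
Patterns, magic numbers and the sample upload are constructed for the example.
"""
import re

# Card-shaped 13-16 digit runs (space/dash separators allowed) and US SSNs.
CC_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

# Type by leading bytes, not by file name (constructed subset of magic numbers).
MAGIC = [(b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"),
         (b"MZ", "pe-executable"), (b"\x7fELF", "elf-executable")]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that only look like cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sniff_type(head: bytes) -> str:
    for magic, name in MAGIC:
        if head.startswith(magic):
            return name
    return "unknown"


class StreamScanner:
    """Feed chunks in arrival order; the scanner never buffers the whole file.

    It keeps the last OVERLAP bytes of the previous chunk so a pattern split
    across two chunks is still matched, defers any match that ends inside the
    last MAXLEN bytes (it might continue in the next chunk), and remembers how
    far it has reported so the overlap never yields duplicates.
    """
    MAXLEN = 32              # longer than any pattern above
    OVERLAP = 2 * MAXLEN

    def __init__(self):
        self.tail = b""
        self.offset = 0      # stream offset of self.tail[0]
        self.file_type = None
        self.findings = []   # (kind, stream offset)
        self._reported_until = 0

    def _scan(self, buf: bytes, final: bool):
        limit = len(buf) if final else len(buf) - self.MAXLEN
        for kind, regex in (("credit-card", CC_RE), ("ssn", SSN_RE)):
            for m in regex.finditer(buf):
                if m.end() > limit:
                    continue                     # look again with more data
                start = self.offset + m.start()
                if start < self._reported_until:
                    continue                     # already reported via overlap
                if kind == "credit-card":
                    digits = re.sub(rb"[ -]", b"", m.group()).decode()
                    if not luhn_ok(digits):
                        continue
                self.findings.append((kind, start))
                self._reported_until = max(self._reported_until, self.offset + m.end())

    def feed(self, chunk: bytes):
        if self.file_type is None:               # first chunk carries the magic
            self.file_type = sniff_type(chunk[:8])
        buf = self.tail + chunk
        self._scan(buf, final=False)
        keep = min(len(buf), self.OVERLAP)
        self.offset += len(buf) - keep
        self.tail = buf[-keep:]

    def finish(self):
        self._scan(self.tail, final=True)
        self.findings.sort(key=lambda f: f[1])
        return self.file_type, self.findings


def scan(stream: bytes, chunk_size: int):
    """Drive the scanner over a byte stream in fixed-size chunks."""
    s = StreamScanner()
    for i in range(0, len(stream), chunk_size):
        s.feed(stream[i:i + chunk_size])
    return s.finish()


# Constructed upload: PDF header, one Luhn-valid test card number, one random
# digit run that only looks like a card, and one SSN-shaped number.
SAMPLE = (b"%PDF-1.4\nCustomer card 4111 1111 1111 1111 on file; "
          b"ref 1234 5678 9012 3456; employee ssn 078-05-1120.\n")

if __name__ == "__main__":
    print(scan(SAMPLE, 7))      # ('pdf', [('credit-card', 23), ('ssn', 90)])
```

The result is the same whether the upload arrives in 7-byte chunks or as one piece, which is the property a single-pass, stream-based engine needs: the decision does not wait for the end of the file, and chunk boundaries do not create blind spots.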
• NSS Labs, the world’s largest security and performance testing lab, has recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. Our solution was tested against 1,179 live exploits in what was the industry’s most comprehensive IPS test to date. The results were crystal clear and provided hard proof of what our next-generation firewalls can really do. Key results include:
• The highest IPS block rate in recent history (93.4%)
• 100% resistance to IPS evasion techniques
• Simple IPS configuration and tuning
• Provided all the above while exceeding the datasheet performance metrics by 115%
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, Low Latency
PA-5000 Series Architecture
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual solid-state drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Slide diagram: a 20 Gbps data plane built from the network processor (QoS, flow control, route/ARP/MAC lookup, NAT), the switch fabric and three security processors, each with signature match and SSL/IPSec/decompression engines and CPUs 1 to 12 with RAM; 10 Gbps links to the control plane with its quad-core CPU, RAM and dual SSDs]
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 Million concurrent sessions
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto – Network Sniffer
Visibility into Applications, Users & Content
[Screenshot: user hzielinski, filtered on Skype; removing Skype expands the view of hzielinski]
Palo Alto – Rich reports
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode – connect to a SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping – max/guaranteed and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active/Active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
bull Intuitive and flexible management
- CLI Web Panorama SNMP Syslog
- Role-based administration enables delegation of tasks to appropriate person
bull Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACCmonitoring views log collection and reporting
bull All interfaces work on current configuration avoiding sync issues
NGFW for mobile devices
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications

Model    Firewall   Threat prevention   IPSec VPN   SSL VPN users   Sessions    VSYS        I/O
PA-5020  5 Gbps     2 Gbps              2 Gbps      5,000           1,000,000   up to 20    (8) SFP 1 Gig, (12) 10/100/1000
PA-5050  10 Gbps    5 Gbps              4 Gbps      10,000          2,000,000   up to 125   (4) SFP+ 10 Gig, (8) SFP 1 Gig, (12) 10/100/1000
PA-5060  20 Gbps    10 Gbps             4 Gbps      20,000          4,000,000   up to 225   (4) SFP+ 10 Gig, (8) SFP 1 Gig, (12) 10/100/1000

Common to all three models:
• Hot swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
Enterprise Network Security: Security Based on Best-Practices
• Full-Featured NGFW and Threat Prevention
No Network Security: Security Based on Best-Effort
• Exposed to threats (botnets), risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase, duplicates operational and management overhead
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
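The last two steps above, as an added Python example that is not GlobalProtect code: a gateway-side decision that treats the submitted host information profile (HIP) as one more match dimension beside user group and application, so the same user asking for the same application is allowed or denied depending on the posture of the host. The HIP field names, the HIP objects, the rules and the scenarios are constructed and hypothetical; the page does not show the real HIP schema or matching syntax.

```python
from datetime import date


def hip_report(asset_type, disk_encryption, last_patch, av_running=True):
    """Constructed HIP report with hypothetical field names."""
    return {
        "asset_type": asset_type,
        "disk_encryption": disk_encryption,
        "last_patch": last_patch,      # date of the most recent OS patch
        "av_running": av_running,
    }


# Hypothetical HIP objects: a named set of conditions a host must satisfy.
HIP_OBJECTS = {
    "managed-encrypted": {"asset_type": {"corporate-laptop"}, "disk_encryption": True},
    "patched-30d": {"max_patch_age_days": 30},
    "av-running": {"av_running": True},
}

# Rules keyed on user group, application and required HIP objects; first
# match wins and anything unmatched is denied (positive enforcement).
RULES = [
    {"name": "admins-remote-mgmt", "groups": {"it-admins"}, "apps": {"ssh", "rdp"},
     "hip": {"managed-encrypted", "patched-30d", "av-running"}, "action": "allow"},
    {"name": "web-out", "groups": "any", "apps": {"web-browsing", "ssl"},
     "hip": {"av-running"}, "action": "allow"},
]


def hip_matches(report, conditions, today):
    """True when the report satisfies every condition of one HIP object."""
    for key, want in conditions.items():
        if key == "max_patch_age_days":
            if (today - report["last_patch"]).days > want:
                return False
        elif isinstance(want, set):
            if report.get(key) not in want:
                return False
        elif report.get(key) != want:
            return False
    return True


def decide(group, app, report, today):
    """Gateway decision: (rule name, action) for a user group, app and HIP report."""
    matched = {name for name, cond in HIP_OBJECTS.items()
               if hip_matches(report, cond, today)}
    for rule in RULES:
        if rule["groups"] != "any" and group not in rule["groups"]:
            continue
        if app not in rule["apps"]:
            continue
        if not rule["hip"] <= matched:   # every required HIP object must match
            continue
        return rule["name"], rule["action"]
    return "implicit-deny", "deny"


def evaluate_scenarios(today=date(2011, 9, 1)):
    """Constructed scenarios: same user and app, different host posture."""
    healthy = hip_report("corporate-laptop", True, date(2011, 8, 20))
    unencrypted = hip_report("corporate-laptop", False, date(2011, 8, 20))
    stale = hip_report("corporate-laptop", True, date(2011, 7, 1))
    home_pc = hip_report("personal-pc", False, date(2011, 8, 25))
    home_pc_no_av = hip_report("personal-pc", False, date(2011, 8, 25), av_running=False)
    return {
        "admin-healthy-rdp": decide("it-admins", "rdp", healthy, today),
        "admin-unencrypted-rdp": decide("it-admins", "rdp", unencrypted, today),
        "admin-stale-patch-rdp": decide("it-admins", "rdp", stale, today),
        "sales-web-from-home-pc": decide("sales", "ssl", home_pc, today),
        "sales-web-no-av": decide("sales", "ssl", home_pc_no_av, today),
    }


if __name__ == "__main__":
    for name, (rule, action) in evaluate_scenarios().items():
        print(f"{name:24} -> {action:5} ({rule})")
```

The point of the scenarios is that the posture bar is per rule, not global: an unmanaged home PC may still browse out as long as antivirus is running, while remote management is only granted to a managed, encrypted, recently patched host. Note that the decision trusts what the agent reports; the page's claim that the agent is small and automatic says nothing about whether the report can be forged, so treat HIP as a policy input, not as proof.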
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Figure: firewalls forming the logical perimeter block malware, botnets and exploits]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
Leading Organizations Trust Palo Alto Networks
[Customer logos by vertical: Health Care, Financial Services, Government, Manufacturing, High Tech, Energy, Education, Service Providers, Services, Media & Entertainment, Retail]
InnoCom Customers - Palo Alto Networks
[Customer logos by vertical: Health & Finance, Service Providers, Industry & Retail, Media & Communication, Government, Hi Tech; including the Prime Minister's Office – Nativ]
The Modern Threats & Attacks
Known Attacks
The 5 Steps for Smart Attacks: bait, exploit, download, back channel, steal
Protection is needed at all stages
Applications Carry Risk
Applications can be "threats"
• P2P file sharing, tunneling applications, anonymizers, media/video
Applications carry threats
• Qualys Top 20 Vulnerabilities – the majority result in application-level threats
Applications & application-level threats result in major breaches – RSA, Comodo, FBI
Exploits come in through many applications
Application Control Efforts are Failing
• Palo Alto Networks' Application Usage & Risk Report highlights the actual behavior of 900,000 users across more than 60 organizations
- Applications are built for accessibility
- Tools that enable users to circumvent security are common
- File sharing usage – P2P and browser-based – is rampant
- Controls are failing – all had firewalls, many had IPS, proxies & URL filtering
Applications carry risks: business continuity, data loss, compliance, productivity and operations costs
Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks' latest Application Usage & Risk Report highlights the actual behavior of 1M+ users in 1,253 organizations
- More enterprise 2.0 application use, for personal and business reasons
- Tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies & URL filtering – but none of these organizations could control what applications ran on their networks
[Bar chart, 0–80% scale: share of organizations in which each application was found: RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge, Gpass]
• Remote Access
- 27 variants, found 95% of the time
• External Proxies
- 22 variants, found 76% of the time
• Encrypted Tunnels
- Non-VPN related – found 30% of the time
Users Will Find A Way...
Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010
From The News
Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on
• Port-based FW + App Ctrl (IPS) = two policies: a port policy decision in the firewall, then an app control policy decision in the IPS
• Applications are threats: only block what you expressly look for
Implications
• Network access decision is made with no information
• Cannot safely enable applications
NGFW Application Control
• Application control is in the firewall = single policy: the app control policy decision and the scan of the application for threats happen in one place, on application traffic rather than port traffic
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
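The two decision paths above, as an added Python example (not Palo Alto Networks code): a port-only check next to a payload-based classifier that feeds one user-aware, positive-enforcement rulebase, so SSH tunnelled over port 443 and HTTP on a non-standard port come out differently under each, and the "SSH/RDP only for authorized staff" rule from the earlier slide becomes a single line. The flows, the IP-to-user table, the fingerprints and the rules are constructed for illustration; the fingerprints are small stand-ins for App-ID signatures, which the page does not show.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes  # first bytes sent by the client (constructed)


# Constructed stand-in for a User-ID style IP-to-user mapping.
IP_TO_USER = {
    "10.1.1.10": ("alice", "it-admins"),
    "10.1.1.20": ("bob", "sales"),
}

# Hypothetical payload fingerprints (small stand-ins for App-ID signatures).
# First match wins, so the most specific patterns come first.
FINGERPRINTS = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    # TPKT header (03 00 len len) followed by an X.224 Connection Request (0xE0)
    ("rdp", re.compile(rb"^\x03\x00.{2}.\xe0", re.S)),
    # TLS record type 0x16 (handshake), version 3.x
    ("ssl", re.compile(rb"^\x16\x03[\x00-\x03]", re.S)),
    ("web-browsing", re.compile(rb"^(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
]

# What a port-based firewall enforces: "allow web out", nothing else.
OPEN_PORTS = {80, 443}

# Positive enforcement model: list what is allowed, deny everything else.
# Each rule is (user groups or "any", applications, action).
RULES = [
    ({"it-admins"}, {"ssh", "rdp"}, "allow"),
    ("any", {"web-browsing", "ssl"}, "allow"),
]


def port_decision(flow):
    """Port-based firewall: the only input is the destination port."""
    return "allow" if flow.dst_port in OPEN_PORTS else "deny"


def identify_app(flow):
    """App-ID style: classify from payload bytes, ignoring the port entirely."""
    for app, pattern in FINGERPRINTS:
        if pattern.match(flow.payload):
            return app
    return "unknown-tcp"


def app_decision(flow):
    """NGFW: one rulebase keyed on application and user group.

    Returns (application, user, action); unmatched traffic is denied.
    """
    user, group = IP_TO_USER.get(flow.src_ip, ("unknown", "unknown"))
    app = identify_app(flow)
    for groups, apps, action in RULES:
        if (groups == "any" or group in groups) and app in apps:
            return app, user, action
    return app, user, "deny"


# Constructed flows: SSH tunnelled over 443, HTTP on a non-standard port,
# a normal TLS handshake and an RDP connection request.
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
RDP_CR = b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"

FLOWS = {
    "alice-ssh-on-443": Flow("10.1.1.10", 443, SSH_BANNER),
    "bob-ssh-on-443": Flow("10.1.1.20", 443, SSH_BANNER),
    "bob-http-on-8080": Flow("10.1.1.20", 8080, HTTP_GET),
    "bob-tls-on-443": Flow("10.1.1.20", 443, TLS_HELLO),
    "alice-rdp-on-3389": Flow("10.1.1.10", 3389, RDP_CR),
}


def compare_all():
    """Run both decision paths over every constructed flow."""
    return {
        name: {"port": port_decision(f), "ngfw": app_decision(f)}
        for name, f in FLOWS.items()
    }


if __name__ == "__main__":
    for name, result in compare_all().items():
        app, user, action = result["ngfw"]
        print(f"{name:20} port-fw={result['port']:5}  ngfw={action:5} ({user}, {app})")
```

The second and third flows carry the argument: the port firewall passes bob's SSH session because 443 is open, while the application rulebase identifies it as ssh and denies it because bob is not in it-admins; HTTP on 8080 goes the other way, blocked by port and allowed by application. Real classifiers need far more than a first-bytes regex (the page itself lists evasive tactics and SSL), which is why the fingerprints here are labelled as stand-ins.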
HTTP: Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%) – proxies cannot deal with it
• Browser-based applications are 46% – some work with proxies and some don't
• Web browsing is 23%
[Figure: all HTTP applications, split into web browsing and browser-based applications]
Application Control vs. Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
- Enhancing productivity
- Giving competitive advantage to the business
• It's all about visibility and control
- Who is using what
- Control and secure modern applications
- Control feature use
Palo Alto – Next Generation FW
New Requirements for the Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access and functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers:
• Application Awareness and Full Stack Visibility: App-ID identifies and controls 1300+ applications
• Integrated Rather Than Co-Located IPS: Content-ID includes a full IPS without compromising performance
• Extra-Firewall Intelligence to Identify Users: User-ID brings AD users and groups into firewall policy
• Standard First-Generation Firewall Capabilities: packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
• Support for "bump in the wire" Deployments
Gartner's Recommendation: move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS or the combination of the two
Unique Technologies Transform the Firewall
• App-ID: identify the application
• User-ID: identify the user
• Content-ID: scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of more than 1,200 applications, distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5–10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user, application and threat behavior based on the actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
- Uniform signature engine scans for a broad range of threats in a single pass
- Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
- Looks for credit card (CC#) and SSN patterns
- Looks into the file to determine type – not extension based
• Web filtering enabled via a fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000's of URLs/sec)
- Dynamic DB adapts to local, regional or industry-focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work related web surfing
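An added Python example (not Palo Alto Networks code) of two of the Content-ID behaviours named on the slide: a stream scanner that finds credit-card and SSN patterns even when a packet boundary falls in the middle of one, with a Luhn check so that plain digit runs are not reported, and a file typer that reads magic bytes instead of trusting the extension. The packet chunks, the card and SSN values and the magic-byte table are constructed; the real signature engine is not shown on the page.

```python
import re

# Patterns for the two data types named on the slide: card numbers of 13-16
# digits with optional single space/dash separators, and nnn-nn-nnnn SSNs.
PATTERNS = [
    ("credit-card", re.compile(r"\b(?:\d[ -]?){12,15}\d\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
]

# Content-ID style file typing: decide from leading bytes, never the name.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),           # also docx/xlsx/jar containers
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
]


def luhn_ok(candidate):
    """Luhn checksum over the digits of a candidate card number."""
    total = 0
    digits = [int(c) for c in candidate if c.isdigit()]
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sniff_type(data):
    """Return the file type implied by the leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


class StreamScanner:
    """Scan a stream chunk by chunk without reassembling the whole object.

    The last KEEP characters of each chunk are carried into the next scan so a
    pattern split across two packets is still caught; a match is never emitted
    twice and never cut in half by the carry-over boundary.
    """

    KEEP = 32  # longer than the longest pattern (16 digits + 15 separators)

    def __init__(self):
        self.tail = ""
        self.hits = []
        self.luhn_rejected = 0

    def _scan(self, buf, final):
        found = [(m.start(), m.end(), kind, m.group())
                 for kind, rx in PATTERNS for m in rx.finditer(buf)]
        cut = len(buf) if final else max(0, len(buf) - self.KEEP)
        changed = True
        while changed:  # move the cut back so no match straddles it
            changed = False
            for start, end, _, _ in found:
                if start < cut < end:
                    cut, changed = start, True
        for start, end, kind, value in sorted(found):
            if end > cut:
                continue  # may still grow with the next chunk: defer it
            if kind == "credit-card" and not luhn_ok(value):
                self.luhn_rejected += 1  # a digit run, not a card number
                continue
            self.hits.append((kind, value))
        return buf[cut:]

    def feed(self, chunk):
        self.tail = self._scan(self.tail + chunk.decode("latin-1"), final=False)

    def flush(self):
        """End of stream: anything still deferred is final now."""
        self.tail = self._scan(self.tail, final=True)
        return self.hits


# Constructed "packets": the card number and the SSN are both split across
# chunk boundaries; the last digit run has a bad Luhn checksum.
SAMPLE_CHUNKS = [
    b"POST /upload HTTP/1.1\r\n\r\ncard=4111 1111 11",
    b"11 1111&ssn=123-45-",
    b"6789&note=order 1234 5678 9012 3456 done\r\n",
]


def scan_chunks(chunks):
    """Return (hits, luhn_rejected) for a sequence of chunks."""
    scanner = StreamScanner()
    for chunk in chunks:
        scanner.feed(chunk)
    return scanner.flush(), scanner.luhn_rejected


if __name__ == "__main__":
    hits, rejected = scan_chunks(SAMPLE_CHUNKS)
    print(hits, "luhn-rejected:", rejected)
    print(sniff_type(b"MZ\x90\x00\x03\x00\x00\x00"))  # a "photo.jpg" that is really a PE
```

The carry-over is what makes this stream-based rather than file-based: memory per flow is bounded by KEEP plus the longest pending match, not by the size of the upload, and the result is identical whether the same bytes arrive in one chunk or three. A production scanner would also need to run after SSL decryption and decompression, as the slide on threat prevention notes, since neither pattern is visible in ciphertext or gzip bodies.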
• NSS Labs, the world's largest security and performance testing lab, has recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. Our solution was tested against 1,179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided hard proof of what our next-generation firewalls can really do. Key results include:
• The highest IPS block rate in recent history (93.4%)
• 100% resistance to IPS evasion techniques
• Simple IPS configuration and tuning
• Provided all the above while exceeding the datasheet performance metrics by 115%
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, Low Latency
PA-5000 Series Architecture
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 Million concurrent sessions
[Block diagram, same layout as the PA-5000 architecture diagram above: a 10 Gbps control plane with quad-core CPU, RAM and dual SSD; a 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT) on the 80 Gbps switch fabric; three security processor groups, each with a signature match engine, SSL/IPSec/de-compression offload, CPUs 1–12 and RAM]
Traditional Multi-Pass Architectures are Slow
[Figure: four separate in-line devices, each repeating port/protocol-based ID, L2/L3 networking, HA, config management and reporting: firewall (firewall policy); URL filtering (HTTP decoder, URL filtering policy); IPS (IPS decoder, IPS signatures, IPS policy); AV (AV decoder & proxy, AV signatures, AV policy)]
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory, or by IP address
Palo Alto – Network Sniffer
Visibility into Applications, Users & Content
[Screenshot: view for user hzielinski filtered on Skype; removing the Skype filter expands the view of hzielinski]
Palo Alto – Rich reports
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode – connect to a SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping – max/guaranteed and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active/Active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
[Product line: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060]
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and the device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
Zero Day Attacks Protection: a sandbox at the core
Flexible Deployment Options
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate Segmentation (Datacenter 1 / Datacenter 2; Segments A, B, C)
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks Next-Gen Firewalls

Model    Firewall   Threat prevention   Sessions    Interfaces
PA-500   250 Mbps   100 Mbps            50,000      8 copper gigabit
PA-2020  500 Mbps   200 Mbps            125,000     2 SFP, 12 copper gigabit
PA-2050  1 Gbps     500 Mbps            250,000     4 SFP, 16 copper gigabit
PA-4020  2 Gbps     2 Gbps              500,000     8 SFP, 16 copper gigabit
PA-4050  10 Gbps    5 Gbps              2,000,000   8 SFP, 16 copper gigabit
PA-4060  10 Gbps    5 Gbps              2,000,000   4 XFP (10 Gig), 4 SFP (1 Gig)
PA-5020  5 Gbps     2 Gbps              1,000,000   8 SFP, 12 copper gigabit
PA-5050  10 Gbps    5 Gbps              2,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5060  20 Gbps    10 Gbps             4,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You – Zion Ezra, VP Sales
POC and AVR Report
AVR Report
[Figure: AVR report network diagram, device between the internal network and the Internet]
UTM Is Still Sprawl...Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines the trust boundary
• BUT... Applications Have Changed (Collaboration, Media, SaaS, Personal)
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
• Need to Restore Visibility and Control in the Firewall
Exploit protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications: a sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Need to perform across all applications
• Need to block the unknown
Conclusion: advanced-malware protection belongs in a next generation firewall
DEMO: httpsca2demopaloaltonetworkscomesploginesp
INSANITY: doing the same thing over and over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
Health amp Finance
Service Providers
Industry amp
Retail Media amp
Communication
Government Hi Tech
InnoCom Customers - Palo Alto Networks
משרד ndashנתיב
ראש הממשלה
The Modern Threats amp attacks
11
Known Attacks
bait exploit download back
channel steal
The 5 Steps for Smart Attacks
protection is needed at all stages
Applications Carry Risk
copy 2011 Palo Alto Networks Proprietary and Confidential Page 14 |
Applications can be "threats"
• P2P file sharing, tunneling applications, anonymizers, media/video
Applications carry threats
• Qualys Top 20 Vulnerabilities: the majority result in application-level threats
Applications and application-level threats result in major breaches (RSA, Comodo, FBI)
Exploits come in through many applications
Application Control Efforts are Failing
• Palo Alto Networks' Application Usage & Risk Report highlights the actual behavior of 900,000 users across more than 60 organizations
- Applications are built for accessibility
- Tools that enable users to circumvent security are common
- File sharing usage (P2P and browser-based) is rampant
- Controls are failing: all had firewalls, many had IPS, proxies and URL filtering
Applications carry risks: business continuity, data loss, compliance, productivity and operations costs
Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks' latest Application Usage & Risk Report highlights the actual behavior of 1M+ users in 1,253 organizations
- More Enterprise 2.0 application use, for personal and business reasons
- Tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies and URL filtering, but none of these organizations could control what applications ran on their networks
Users Will Find A Way...
[Bar chart: percentage of organizations in which each application was found (0-80% scale). Applications shown: RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge, Gpass]
• Remote Access
- 27 variants, found 95% of the time
• External Proxies
- 22 variants, found 76% of the time
• Encrypted Tunnels
- Non-VPN related, found 30% of the time
Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010
From the News
Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on (port-based firewall + IPS)
[Diagram: port traffic enters the firewall, which makes a port policy decision; the applications then pass to the IPS, which makes the application-control policy decision]
• Port-based FW + App Ctrl (IPS) = two policies
• Applications are treated as threats: only what you expressly look for gets blocked
Implications
• The network access decision is made with no information about the application
• Cannot safely enable applications
NGFW Application Control (application control in the firewall)
[Diagram: application traffic enters the firewall, which makes the application-control policy decision and scans the application for threats]
• Application control is in the firewall = single policy
• Visibility across all ports, for all traffic, all the time
Implications
• The network access decision is made based on application identity
• Safely enable application usage
HTTP: the Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%); proxies cannot deal with it
• Browser-based applications are 46%; some work with proxies and some don't
• Web browsing is 23%
[Chart: all HTTP applications, split into web browsing and browser-based applications]
Application Control vs. Blocking
• Blocking applications, even where possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
- Enhancing productivity
- Giving the business a competitive advantage
• It's all about visibility and control
- Who is using what
- Control and secure modern applications
- Control the use of features
Palo Alto - Next Generation FW
New Requirements for the Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access and functionality
4. Protect in real time against threats embedded across applications
5. Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
Gartner requirement, and what Palo Alto Networks delivers:
- Application awareness and full-stack visibility: App-ID identifies and controls 1300+ applications
- Integrated rather than co-located IPS: Content-ID includes a full IPS without compromising performance
- Extra-firewall intelligence to identify users: User-ID brings AD users and groups into firewall policy
- Standard first-generation firewall capabilities: packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
- Support for "bump in the wire" deployments
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers
Gartner's recommendation: move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS or the combination of the two
Unique Technologies Transform the Firewall
App-ID: identify the application
User-ID: identify the user
Content-ID: scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of 1200+ applications distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• Approximately 5-10 new applications added weekly
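The port-versus-application distinction behind the add-on vs. in-firewall comparison and behind App-ID, as an added Python example that is not Palo Alto Networks code: each constructed session is labelled first by destination port (all a stateful, port-based rule base can see) and then by the first bytes the client sends, and both labels are run through one application-keyed rule base. The port table, the payload signatures, the rule base and the sample flows are this example's own assumptions and are deliberately minimal; a real App-ID engine uses far more decoders and heuristics.

```python
"""Port-based vs. application-aware classification of a session.

Added example (not Palo Alto Networks code). The port table, the payload
signatures, the rule base and the sample flows are this example's own
assumptions; a real App-ID engine uses far more decoders and heuristics.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-to-server bytes of the session


# All a port-based, stateful firewall has to go on.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "ms-rdp"}


def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dport, "unknown-tcp")


def classify_by_payload(flow: Flow) -> str:
    """Identify the application from the first client bytes, ignoring the port."""
    p = flow.payload
    if p.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    # TLS record header: type 0x16 (handshake), version 0x03 0x0x, then ClientHello (0x01)
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "ssl"
    # HTTP request line: METHOD SP request-target SP HTTP/1.x
    parts = p.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/1."):
        return "http-proxy" if parts[0] == b"CONNECT" else "web-browsing"
    return "unknown-tcp"


# One rule base keyed by application, evaluated top down; anything else is denied.
# On a port firewall, "allow ssl" really means "allow anything on tcp/443".
APP_POLICY = [
    ("ssh", "deny"), ("bittorrent", "deny"), ("http-proxy", "deny"),
    ("ssl", "allow"), ("web-browsing", "allow"),
]


def decide(app: str, policy=APP_POLICY) -> str:
    for rule_app, action in policy:
        if rule_app == app:
            return action
    return "deny"


# Constructed sessions: the start of a TLS ClientHello, then three evasions
# that hide on or near tcp/443 (SSH, BitTorrent, an HTTP CONNECT tunnel).
FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    Flow("10.0.0.6", "203.0.113.9", 443, b"SSH-2.0-OpenSSH_5.8\r\n"),
    Flow("10.0.0.7", "198.51.100.4", 443, b"\x13BitTorrent protocol" + b"\x00" * 8),
    Flow("10.0.0.8", "198.51.100.5", 8080,
         b"CONNECT c2.example:22 HTTP/1.1\r\nHost: c2.example\r\n\r\n"),
]


def compare(flows=FLOWS) -> list:
    """For each flow: (port label, port decision, payload label, payload decision)."""
    rows = []
    for f in flows:
        by_port, by_app = classify_by_port(f), classify_by_payload(f)
        rows.append((by_port, decide(by_port), by_app, decide(by_app)))
    return rows


if __name__ == "__main__":
    for f, (pl, pd, al, ad) in zip(FLOWS, compare()):
        print(f"{f.dst}:{f.dport:<5} port firewall: {pl}/{pd:<5}  app-aware: {al}/{ad}")
```

Run stand-alone, the port-based column allows the SSH and BitTorrent sessions on tcp/443 as "ssl", while the payload-based column denies them under the same rule base; the CONNECT request is denied by both, but for different reasons (unknown port vs. identified tunnel).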
User-ID: Enterprise Directory Integration
• Users are no longer defined solely by IP address
- Leverages the existing Active Directory infrastructure without a complex agent rollout
- Identifies Citrix users and ties policies to the user and group, not just the IP address
• Understand user, application and threat behavior based on the actual AD username, not just the IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents and generate custom reports
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
- A uniform signature engine scans for a broad range of threats in a single pass
- Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data, and file transfers by type
- Looks for credit card (CC) and SSN patterns
- Looks into the file to determine its type; not extension based
• Web filtering enabled via a fully integrated URL database
- Local 20M-URL database (76 categories) maximizes performance (1000's of URLs/sec)
- Dynamic DB adapts to local, regional or industry-focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work-related web surfing
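The CC/SSN pattern and file-type checks above, as an added Python example that is not Palo Alto Networks code: a scanner consumes a transfer in chunks and carries only a short tail between chunks, so a number split across a chunk boundary is still found without buffering the whole file; card candidates are validated with the Luhn checksum to limit false positives; and the file type is decided from its leading bytes rather than its extension. The patterns, the magic-byte table, the chunk size and the sample transfers are this example's own constructions, and it treats the transfer as already-decoded bytes (a real engine also reassembles TCP streams and decodes the carrying protocol).

```python
"""Stream-based scanning for sensitive data and true file type.

Added example (not Palo Alto Networks code). Patterns, the Luhn filter, the
magic-byte table, the chunk size and the sample transfers are all this
example's own constructions.
"""
import re

# 13-16 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run (so a 20-digit order number is not a card).
CC_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
# US SSN as AAA-GG-SSSS; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

MAGIC = [  # leading bytes -> type; the filename extension is never consulted
    (b"%PDF-", "pdf"),
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
BLOCKED_TYPES = {"pe-executable", "elf-executable"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(data: bytes, start_after: int = 0) -> dict:
    """Count card numbers and SSNs in data. Matches ending at or before
    start_after were already visible in the previous call and are skipped."""
    cc = 0
    for m in CC_RE.finditer(data):
        if m.end() > start_after and luhn_ok(re.sub(rb"[ -]", b"", m.group(0)).decode()):
            cc += 1
    ssn = sum(1 for m in SSN_RE.finditer(data) if m.end() > start_after)
    return {"cc": cc, "ssn": ssn}


def true_file_type(head: bytes) -> str:
    for magic, name in MAGIC:
        if head.startswith(magic):
            return name
    return "unknown"


class StreamScanner:
    """Scans a transfer chunk by chunk, keeping only a short tail between
    chunks: a pattern split across a boundary is still found and the whole
    file is never buffered (the slide's stream-based, not file-based, point)."""
    TAIL = 24  # longer than any pattern: a spaced 16-digit card is 19 bytes

    def __init__(self):
        self.head = b""   # first bytes, for magic-byte type detection
        self.carry = b""  # tail of the previous chunk
        self.cc = 0
        self.ssn = 0

    def feed(self, chunk: bytes) -> None:
        if len(self.head) < 8:
            self.head = (self.head + chunk)[:8]
        buf = self.carry + chunk
        # The carry may begin in the middle of a digit run; the Luhn filter
        # limits the false positives that can produce.
        hits = find_sensitive(buf, start_after=len(self.carry))
        self.cc += hits["cc"]
        self.ssn += hits["ssn"]
        self.carry = buf[-self.TAIL:]

    def verdict(self, filename: str) -> dict:
        ftype = true_file_type(self.head)
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ftype in BLOCKED_TYPES:
            action = "block-file-type"
        elif self.cc or self.ssn:
            action = "block-data-pattern"
        else:
            action = "allow"
        return {"file": filename, "ext": ext, "type": ftype,
                "cc": self.cc, "ssn": self.ssn, "action": action}


def scan_transfer(filename: str, data: bytes, chunk_size: int = 32) -> dict:
    scanner = StreamScanner()
    for i in range(0, len(data), chunk_size):
        scanner.feed(data[i:i + chunk_size])
    return scanner.verdict(filename)


# Constructed transfers. 4111 1111 1111 1111 is the well-known Visa test PAN;
# the ".pdf" is a Windows executable renamed to slip past an extension check.
SAMPLES = {
    "report.txt": b"Q3 numbers attached. Customer card 4111 1111 1111 1111 billed, ref 20110815.",
    "hr.csv": b"name,ssn\nJane Roe,219-09-9999\nJohn Roe,078-05-1120\n",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 40,
    "notes.txt": b"Order 12345678901234567890 shipped; phone 555-0100.",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(scan_transfer(name, data))
```

The chunk size is deliberately small so the card in report.txt straddles a boundary; the result is the same at chunk_size=7 as at 32, which is the property a stream scanner has to guarantee. The renamed executable is blocked on its MZ header regardless of the .pdf extension, and the 20-digit order number and the 7-digit phone number in notes.txt produce no hit.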
• NSS Labs, the world's largest security and performance testing lab, recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. The solution was tested against 1,179 live exploits in what was the industry's most comprehensive IPS test to date. The results provided hard proof of what the next-generation firewall can really do. Key results include:
• The highest IPS block rate in recent history (93.4%)
• 100% resistance to IPS evasion techniques
• Simple IPS configuration and tuning
• All of the above while delivering 115% of the datasheet performance metrics
Palo Alto Networks IPS Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scans inbound and outbound SSL (decrypted) and compressed traffic
- Assures that only authorized applications are using network resources
- Allows SSH/RDP, but only for authorized staff
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations are performed once per packet
- Traffic classification (application identification)
- User/group mapping
- Content scanning: threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data and control planes
Up to 10 Gbps, low latency
PA-5000 Series Architecture
[Block diagram: a separate control plane and data plane joined by the switch fabric]
Control plane: quad-core CPU, RAM, dual solid-state drives
• Highly available management
• High-speed logging and route updates
Data plane switch fabric
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine (QoS, flow control)
Network Processor (20 Gbps)
• 20 Gbps front-end network processing
• Hardware-accelerated per-packet route lookup, ARP/MAC lookup and NAT
Security Processors (three, each shown with CPU cores 1-12 and dedicated RAM)
• High-density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Signature Match HW Engines (10 Gbps)
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Summary
• 40+ processors
• 30+ GB of RAM
• Separate high-speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 million concurrent sessions
Traditional Multi-Pass Architectures are Slow
[Diagram: four separate devices in series, each with its own port/protocol-based ID, L2/L3 networking, HA, config management and reporting]
- Firewall: port/protocol-based ID, firewall policy
- URL filtering: port/protocol-based ID, HTTP decoder, URL filtering policy
- IPS: port/protocol-based ID, IPS decoder, IPS signatures, IPS policy
- Antivirus: port/protocol-based ID, AV decoder and proxy, AV signatures, AV policy
Powerful Policy-Based Control
• Browse more than 1300 applications by name, category, technology or characteristic
• Immediately translate results into positive-enforcement-model firewall rules
• Policy enforcement by end-user group identities from Active Directory, or by IP address
Palo Alto - Network Sniffer
Visibility into Applications, Users & Content
[Screenshots: user hzielinski filtered on Skype; removing the Skype filter expands the view of hzielinski]
Palo Alto - Rich Reports
Demo (offline) - Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode: connect to a SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping: max/guaranteed bandwidth and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces are assigned to security zones for policy enforcement
• High Availability
- Active/Active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
Platforms: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application-control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and the device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
NGFW for Mobile Devices
Today: Quality of Security Tied to Location
[Diagram: users on the enterprise network vs. remote users exposed to botnets and other threats]
Enterprise network security: security based on best practices; full-featured NGFW and threat prevention
No network security: security based on best effort; exposed to threats, risky app usage and more
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- A small agent determines the network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
- The gateway enforces security policy using App-ID, User-ID, Content-ID and the host information profile
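The enforcement step above, combined with the User-ID idea of tying policy to the user and group rather than the IP, as an added Python example that is not Palo Alto Networks code: the gateway maps a source IP to a user from constructed logon events, looks up that user's directory groups, takes the host information profile (HIP) the agent submitted, and evaluates a single rule base over application, group and HIP. The logon events, group membership, HIP fields and rules are all constructed for this example. It also shows why the IP-to-user mapping must take the most recent logon: an address reused by a second user would otherwise inherit the first user's group rights.

```python
"""One policy over application, user group and host profile.

Added example (not Palo Alto Networks code). Logon events, directory groups,
HIP fields and the rule base are all constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed logon events as (timestamp, user, source IP). 10.1.5.23 is
# handed to a second user during the day; the newest logon must win.
LOGON_EVENTS = [
    ("2011-08-15T08:01:02", "hzielinski", "10.1.5.23"),
    ("2011-08-15T08:03:40", "svc-backup", "10.1.9.8"),
    ("2011-08-15T09:12:00", "amiller", "10.1.5.23"),
    ("2011-08-15T09:30:15", "hzielinski", "172.16.4.77"),  # remote, via GlobalProtect
]

# Constructed directory group membership.
GROUPS = {
    "hzielinski": {"domain-users", "it-admins"},
    "amiller": {"domain-users", "finance"},
    "svc-backup": {"service-accounts"},
}


def build_user_map(events=LOGON_EVENTS) -> dict:
    """IP -> user, keeping the most recent logon seen for each address."""
    latest = {}
    for _ts, user, ip in sorted(events):
        latest[ip] = user
    return latest


@dataclass(frozen=True)
class HIP:
    """Host information profile as submitted by the agent."""
    patch_level_ok: bool
    disk_encrypted: bool
    asset_type: str  # "corporate" or "byod"


@dataclass
class Rule:
    name: str
    apps: set
    groups: set  # empty = any user, known or not
    action: str
    hip_required: dict = field(default_factory=dict)  # HIP attribute -> required value

    def matches(self, app: str, user_groups: set, hip) -> bool:
        if app not in self.apps:
            return False
        if self.groups and not (self.groups & user_groups):
            return False
        if self.hip_required:
            if hip is None:  # no agent report: a HIP condition cannot be satisfied
                return False
            if any(getattr(hip, k) != v for k, v in self.hip_required.items()):
                return False
        return True


# A single rule base, evaluated top down; unmatched traffic is denied.
RULEBASE = [
    Rule("admins-ssh-rdp", {"ssh", "ms-rdp"}, {"it-admins"}, "allow",
         {"patch_level_ok": True, "disk_encrypted": True}),
    Rule("staff-web", {"web-browsing", "ssl"}, {"domain-users"}, "allow"),
    Rule("block-tunnels", {"ultrasurf", "tor", "hamachi"}, set(), "deny"),
]


def evaluate(src_ip: str, app: str, hip=None, user_map=None, rulebase=RULEBASE) -> tuple:
    """Return (user, rule name, action) for one already-identified session."""
    if user_map is None:
        user_map = build_user_map()
    user = user_map.get(src_ip, "unknown")
    groups = GROUPS.get(user, set())
    for rule in rulebase:
        if rule.matches(app, groups, hip):
            return (user, rule.name, rule.action)
    return (user, "default", "deny")


if __name__ == "__main__":
    healthy = HIP(patch_level_ok=True, disk_encrypted=True, asset_type="corporate")
    unencrypted = HIP(patch_level_ok=True, disk_encrypted=False, asset_type="corporate")
    print(evaluate("172.16.4.77", "ssh", healthy))      # admin on a compliant laptop: allow
    print(evaluate("172.16.4.77", "ssh", unencrypted))  # same admin, no disk encryption: deny
    print(evaluate("10.1.5.23", "ssh", healthy))        # address now belongs to amiller: deny
    print(evaluate("10.1.5.23", "web-browsing"))        # on-network user, no HIP needed: allow
```

The rule for SSH/RDP is the slide's "allow SSH/RDP, but only for authorized staff", with the HIP condition added so that an administrator's unpatched or unencrypted laptop is refused even though the user is authorized; the rule base is the same whether the session arrives from the LAN or over the GlobalProtect tunnel.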
Zero-Day Attack Protection: a sandbox at the core
Flexible Deployment Options
Transparent in-line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate segmentation
[Diagram: Datacenter 1 and Datacenter 2, Segments A, B and C]
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks Next-Gen Firewalls
PA-500: 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions; 8 copper gigabit
PA-2020: 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions; 2 SFP, 12 copper gigabit
PA-2050: 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions; 4 SFP, 16 copper gigabit
PA-4020: 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions; 8 SFP, 16 copper gigabit
PA-4050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 8 SFP, 16 copper gigabit
PA-4060: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-5020: 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions; 8 SFP, 12 copper gigabit
PA-5050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5060: 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You Zion Ezra
VP Sales
POC and AVR Report
[AVR report screenshots]
UTM Is Still Sprawl... Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Applications Have Changed - Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines the trust boundary
• Need to restore visibility and control in the firewall
• BUT... applications have changed (collaboration, media, SaaS, personal)
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Exploit protection
- Many months pass between black-hat discovery, white-hat discovery and protection being available
- Need to protect all applications
A sandbox at the core
- Needs user-based access control
- Needs high-speed IPS and AV
- Needs to perform across all applications
- Needs to block the unknown
Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY: doing the same thing over and over again and expecting different results
- Blocking applications and users
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to restore application visibility & control in the firewall
Today's network security is based on outdated assumptions...
[Diagram: RPC, SMS, SQL, SharePoint, SMB and NetBIOS spread over ports 135, 137, 139, 80 and 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5020: 5 Gbps FW; 2 Gbps threat prevention; 2 Gbps IPSec VPN; 5,000 SSL VPN users; 1,000,000 sessions; up to 20 VSYS; (8) SFP (1 Gig) I/O; (12) 10/100/1000
PA-5050: 10 Gbps FW; 5 Gbps threat prevention; 4 Gbps IPSec VPN; 10,000 SSL VPN users; 2,000,000 sessions; up to 125 VSYS; (4) SFP+ (10 Gig) I/O; (8) SFP (1 Gig) I/O; (12) 10/100/1000
PA-5060: 20 Gbps FW; 10 Gbps threat prevention; 4 Gbps IPSec VPN; 20,000 SSL VPN users; 4,000,000 sessions; up to 225 VSYS; (4) SFP+ (10 Gig) I/O; (8) SFP (1 Gig) I/O; (12) 10/100/1000
All models: hot-swappable fans and power supplies; dual solid-state drives; dedicated HA and management interfaces; 2U standard rack-mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into the deployment
• Comply and compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user, group and application
• Simplify with a flexible network security infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality; heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• A client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• An agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs and More Work, for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase; duplicates operational and management overhead
The Modern Threats amp attacks
11
Known Attacks
bait exploit download back
channel steal
The 5 Steps for Smart Attacks
protection is needed at all stages
Applications Carry Risk
copy 2011 Palo Alto Networks Proprietary and Confidential Page 14 |
Applications can be ldquothreatsrdquo
bull P2P file sharing tunneling applications anonymizers
mediavideo
Applications carry threats
bull Qualys Top 20 Vulnerabilities ndash majority result in application-
level threats
Applications amp application-level threats result in major breaches ndash RSA Comodo FBI
exploits come in thru many applications
copy 2009 Palo Alto Networks Proprietary and Confidential Page 16 | copy 2009 Palo Alto Networks Proprietary and Confidential Page 16 |
Application Control Efforts are Failing bull Palo Alto Networksrsquo Application Usage amp Risk Report highlights actual behavior of
900000 users across more than 60 organizations
- Applications are built for accessibility
- Tools that enable users to circumvent security are common
- File sharing usage ndash P2P and browser-based ndash is rampant
- Controls are failing ndash All had Firewalls many had IPS proxies amp URL filtering
Applications carry risks business continuity data loss compliance productivity and operations costs
Enterprise 20 Applications and Risks Widespread
copy 2011 Palo Alto Networks Proprietary and Confidential Page 17 |
Palo Alto Networksrsquo latest Application Usage amp Risk Report highlights actual behavior of 1M+ users in 1253 organizations
- More enterprise 20 application use for personal and business reasons
- Tunneling and port hopping are common
- Bottom line all had firewalls most had IPS proxies amp URL filtering ndash but none of these organizations could control what applications ran on their networks
3
3
9
13
15
14
15
27
30
30
42
53
62
76
80
00 20 40 60 80
RDP
SSH
telnet
LogM eIn
Team Viewer
CGIProxy
PHProxy
CoralCDN
FreeGate
Glype Proxy
Tor
Ham achi
UltraSurf
Gbridge
Gpass
bull Remote Access
- 27 variants found 95 of the time
bull External Proxies
- 22 variants found 76 of the time
bull Encrypted Tunnels
- Non-VPN related ndash found 30 of the time
Users Will Find A Wayhellip
Source Palo Alto Networks Application Usage and Risk Report
Spring 2010
copy 2008 Palo Alto Networks Proprietary and Confidential Page 20 |
From The news
Why Visibility amp Control Must Be In The Firewall
copy 2011 Palo Alto Networks Proprietary and Confidential Page 21 |
bullPort Policy Decision
bullApp Ctrl Policy Decision
Application Control as an Add-on
bull Port-based FW + App Ctrl (IPS) = two policies
bull Applications are threats only block what you expressly look for
Implications
bull Network access decision is made with no information
bull Cannot safely enable applications
IPS
Applications
Firewall
Port Traffic
Firewall IPS
bullApp Ctrl Policy Decision
bullScan Application for Threats
Applications
Application Traffic
NGFW Application Control
bull Application control is in the firewall = single policy
bull Visibility across all ports for all traffic all the time
Implications
bull Network access decision is made based on application identity
bull Safely enable application usage
copy 2008 Palo Alto Networks Proprietary and Confidential Page 22 |
HTTP Universal Application Protocol
bull HTTP is 64 of enterprise bandwidth
bull Most HTTP traffic is clientserver (54) ndash proxies cannot deal with it
bull Browser-based applications are 46 - some work with proxies and some donrsquot
bull Web browsing is 23
All HTTP Applications
Web Browsing
Browser-based Applications
Application Control vs Blocking
bull Blocking applications even if possible is not the answer
bull Yes there are harmful applications that need to be blocked
bull Many ldquoWeb 20rdquo applications are useful
- Enhancing productivity
- Giving competitive advantage to the business
bull Itrsquos all about visibility and control
- Who is using what
- Control and secure modern applications
- Control features use
Palo Alto
Palo Alto ndash Next Generation FW
copy 2008 Palo Alto Networks Proprietary and Confidential Page 24 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 25 |
New Requirements for Security Device
1 Identify applications regardless of port protocol evasive tactic or SSL
2 Identify users regardless of IP address
3 Granular visibility and policy control over application access functionality
4 Protect in real-time against threats embedded across applications
5 Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
copy 2009 Palo Alto Networks Proprietary and Confidential Page 26 |
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility
App-ID Identifies and controls 1300+ applications
Integrated Rather Than Co-Located IPS
Content-ID includes full IPS without compromising performance
Extra-Firewall Intelligence to Identify Users
User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities
Packet filtering state flexible NAT IPSec SSL VPNs etc
Support ldquobump in the wirerdquo Deployments
In ldquoDefining the Next-Generation Firewallrdquo
Gartner describes what Palo Alto Networks already delivers
Gartnerrsquos Recommendations
Move to next-generation firewalls at the next refresh
opportunity ndash whether for firewall IPS or the
combination of the two
copy 2008 Palo Alto Networks Proprietary and Confidential Page 28 |
Unique Technologies Transform the Firewall
App-ID
Identify the application
User-ID
Identify the user
Content-ID
Scan the content
copy 2008 Palo Alto Networks Proprietary and Confidential Page 29 |
App-ID Comprehensive Application Visibility
bull Policy-based control more than 1200+ applications distributed across five categories and 25 sub-categories
bull Balanced mix of business internet and networking applications and networking protocols
bull ~ 5 - 10 new applications added weekly
copy 2009 Palo Alto Networks Proprietary and Confidential Page 30 |
User-ID Enterprise Directory Integration
bull Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group not just the IP address
bull Understand user application and threat behavior based on actual AD username not just IP
bull Manage and enforce policy based on user andor AD group
bull Investigate security incidents generate custom reports
copy 2009 Palo Alto Networks Proprietary and Confidential Page 31 |
Content-ID Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
- Uniform signature engine scans for a broad range of threats in a single pass
- Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into the file to determine type – not extension based
• Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000's of URLs/sec)
- Dynamic DB adapts to local, regional or industry focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work related web surfing
• NSS Labs, the world's largest security and performance testing lab, has recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. Our solution was tested against 1,179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided the hard proof of what our next-generation firewalls can really do. Key results include:
• The highest IPS block rate in recent history (93.4%)
• 100% resistance to IPS evasion techniques
• Simple IPS configuration and tuning
• Provided all the above while exceeding the datasheet performance metrics by 115%
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, Low Latency
PA-5000 Series Architecture
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual solid-state drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Architecture diagram: 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT) feeding the data plane switch fabric; three 10 Gbps security processor blocks (signature match engines, SSL/IPSec/decompression offload, CPUs 1-12 with RAM); separate control plane with quad-core CPU, RAM and dual SSDs]
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 million concurrent sessions
Traditional Multi-Pass Architectures are Slow
[Diagram: four separate passes, each with its own port/protocol-based ID, L2/L3 networking, HA, config management and reporting – firewall policy; HTTP decoder with URL filtering policy; IPS decoder with IPS signatures and IPS policy; AV decoder & proxy with AV signatures and AV policy]
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto – Network Sniffer
Visibility into Applications, Users & Content
User hzielinski: Filter on Skype
Remove Skype to expand view of hzielinski
Palo Alto – Rich reports
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode – connect to SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping – Max/guaranteed and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active/Active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
Models: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on current configuration, avoiding sync issues
NGFW for mobile devices
Today: Quality of Security Tied to Location
[Diagram: on the enterprise network – security based on best practices, full-featured NGFW and threat prevention; off the network – no network security, security based on best effort, exposed to threats (botnets), risky app usage and more]
Introducing GlobalProtect
• Users never go "off-network" regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
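As an added example (not Palo Alto Networks code) of the decision model behind the last two steps, here is a toy policy engine keyed on the identified application, the user's directory group and the host information profile, beside a port-only evaluator for contrast; every user, group, rule, threshold and flow in it is constructed for the example.

```python
"""Added example, not Palo Alto Networks code: a toy rulebase where a rule
matches on application identity, directory group and host information
profile (HIP), next to a port-only evaluator for contrast. All users,
groups, rules, thresholds and flows here are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_user: str
    app: str          # application identity from content inspection (constructed label)
    dst_port: int
    dst_zone: str


@dataclass(frozen=True)
class HostProfile:
    """Subset of a host information profile: disk encryption and patch age."""
    disk_encrypted: bool
    days_since_patch: int


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset
    groups: frozenset
    zones: frozenset
    require_hip: bool
    action: str       # "allow" or "deny"


# Constructed stand-in for the directory: User-ID maps a username to groups.
DIRECTORY = {
    "alice": frozenset({"it-staff"}),
    "bob": frozenset({"sales"}),
}

# Constructed HIP requirement: encrypted disk and patched within 30 days.
MAX_PATCH_AGE_DAYS = 30


def hip_compliant(hip: HostProfile) -> bool:
    return hip.disk_encrypted and hip.days_since_patch <= MAX_PATCH_AGE_DAYS


# Constructed application-aware rulebase: first match wins, default deny.
RULES = (
    Rule("admin-remote-access", frozenset({"ssh", "rdp"}), frozenset({"it-staff"}),
         frozenset({"datacenter"}), require_hip=True, action="allow"),
    Rule("web-for-everyone", frozenset({"web-browsing", "ssl"}),
         frozenset({"it-staff", "sales"}), frozenset({"internet"}),
         require_hip=False, action="allow"),
)


def evaluate(flow: Flow, hip: HostProfile, rules=RULES) -> tuple:
    """Return (rule name, action) for the first rule matching app, group, zone and HIP."""
    user_groups = DIRECTORY.get(flow.src_user, frozenset())
    for rule in rules:
        if flow.app not in rule.apps or flow.dst_zone not in rule.zones:
            continue
        if not (user_groups & rule.groups):
            continue
        if rule.require_hip and not hip_compliant(hip):
            continue
        return rule.name, rule.action
    return "default-deny", "deny"


# Constructed port-only policy for contrast: the destination port is the only input.
OPEN_PORTS = {"internet": {80, 443}, "datacenter": {22, 3389}}


def evaluate_port_only(flow: Flow) -> str:
    return "allow" if flow.dst_port in OPEN_PORTS.get(flow.dst_zone, set()) else "deny"


if __name__ == "__main__":
    good_host = HostProfile(disk_encrypted=True, days_since_patch=5)
    stale_host = HostProfile(disk_encrypted=False, days_since_patch=90)
    # SSH carried over port 443: the port policy sees only "443, allow".
    tunnel = Flow("bob", "ssh", 443, "internet")
    print(evaluate_port_only(tunnel), evaluate(tunnel, good_host))
    # Admin SSH to the datacenter is allowed only from a compliant host.
    admin = Flow("alice", "ssh", 22, "datacenter")
    print(evaluate(admin, good_host), evaluate(admin, stale_host))
```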
Zero Day Attacks Protection: a sandbox at the core
Flexible Deployment Options
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate segmentation (Datacenter 1 / Datacenter 2; Segment A, Segment B, Segment C)
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks Next-Gen Firewalls
PA-4050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 8 SFP, 16 copper gigabit
PA-4020: 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions; 8 SFP, 16 copper gigabit
PA-4060: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050: 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions; 4 SFP, 16 copper gigabit
PA-2020: 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions; 2 SFP, 12 copper gigabit
PA-500: 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions; 8 copper gigabit
PA-5050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020: 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions; 8 SFP, 12 copper gigabit
PA-5060: 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You Zion Ezra
VP Sales
POC and AVR Report
AVR Report
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
• Need to Restore Visibility and Control in the Firewall
Collaboration, Media, SaaS, Personal
• BUT… Applications Have Changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Exploit protection
Many months pass between black-hat discovery, white-hat discovery and protection being available
Need to protect all applications
A sandbox at the core
Needs user-based access control
Needs high-speed IPS and AV
Need to perform across all applications
Need to block the unknown
Conclusion: advanced-malware protection belongs in a next generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach: extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Architecture diagram: 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT) feeding the data plane switch fabric; three 10 Gbps security processor blocks (signature match engines, SSL/IPSec/decompression offload, CPUs 1-12 with RAM); separate control plane with quad-core CPU, RAM and dual HDDs]
NGFW for mobile devices
Source: Gartner, as of March 2010
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
[Diagram: ports 80, 135, 137, 139 and 443 plus random high ports, against the applications actually using them – RPC, SMS, SQL, SharePoint, SMB, NetBIOS]
Applications employ dynamic, random and heavily-used ports – fundamentally breaking port-based network security
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5050
• 10 Gbps FW
• 5 Gbps threat prevention
• 4 Gbps IPSec VPN
• 10,000 SSL VPN users
• 2,000,000 sessions
• Up to 125 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5020
• 5 Gbps FW
• 2 Gbps threat prevention
• 2 Gbps IPSec VPN
• 5,000 SSL VPN users
• 1,000,000 sessions
• Up to 20 VSYS
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5060
• 20 Gbps FW
• 10 Gbps threat prevention
• 4 Gbps IPSec VPN
• 20,000 SSL VPN users
• 4,000,000 sessions
• Up to 225 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
• Hot swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user, group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase, duplicates operational and management overhead
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram labels: malware, botnets, exploits]
Regain Visibility and Control Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
Known Attacks – The 5 Steps for Smart Attacks: bait, exploit, download, back channel, steal
Protection is needed at all stages
Applications Carry Risk
Applications can be "threats"
• P2P file sharing, tunneling applications, anonymizers, media/video
Applications carry threats
• Qualys Top 20 Vulnerabilities – the majority result in application-level threats
Applications & application-level threats result in major breaches – RSA, Comodo, FBI
Exploits come in through many applications
Application Control Efforts are Failing
• Palo Alto Networks' Application Usage & Risk Report highlights actual behavior of 900,000 users across more than 60 organizations
- Applications are built for accessibility
- Tools that enable users to circumvent security are common
- File sharing usage – P2P and browser-based – is rampant
- Controls are failing – all had firewalls, many had IPS, proxies & URL filtering
Applications carry risks: business continuity, data loss, compliance, productivity and operations costs
Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks' latest Application Usage & Risk Report highlights actual behavior of 1M+ users in 1,253 organizations
- More Enterprise 2.0 application use for personal and business reasons
- Tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies & URL filtering – but none of these organizations could control what applications ran on their networks
[Bar chart, 0-80% scale: RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge, Gpass]
• Remote Access
- 27 variants, found 95% of the time
• External Proxies
- 22 variants, found 76% of the time
• Encrypted Tunnels
- Non-VPN related – found 30% of the time
Users Will Find A Way…
Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010
From the news
Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on
[Diagram: the port-based firewall makes a port policy decision on port traffic; a separate IPS makes the app control policy decision on the applications it sees]
• Port-based FW + App Ctrl (IPS) = two policies
• Applications are threats: only block what you expressly look for
Implications
• Network access decision is made with no information
• Cannot safely enable applications
NGFW Application Control
[Diagram: the firewall makes the app control policy decision on application traffic and scans the application for threats]
• Application control is in the firewall = single policy
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
HTTP: Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%) – proxies cannot deal with it
• Browser-based applications are 46% – some work with proxies and some don't
• Web browsing is 23%
[Chart: All HTTP Applications – Web Browsing vs. Browser-based Applications]
Application Control vs Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
- Enhancing productivity
- Giving competitive advantage to the business
• It's all about visibility and control
- Who is using what
- Control and secure modern applications
- Control feature use
Palo Alto – Next Generation FW
New Requirements for Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access / functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility
App-ID identifies and controls 1300+ applications
Integrated Rather Than Co-Located IPS
Content-ID includes full IPS without compromising performance
Extra-Firewall Intelligence to Identify Users
User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities
Packet filtering state flexible NAT IPSec SSL VPNs etc
Support ldquobump in the wirerdquo Deployments
In ldquoDefining the Next-Generation Firewallrdquo
Gartner describes what Palo Alto Networks already delivers
Gartnerrsquos Recommendations
Move to next-generation firewalls at the next refresh
opportunity ndash whether for firewall IPS or the
combination of the two
copy 2008 Palo Alto Networks Proprietary and Confidential Page 28 |
Unique Technologies Transform the Firewall
App-ID
Identify the application
User-ID
Identify the user
Content-ID
Scan the content
copy 2008 Palo Alto Networks Proprietary and Confidential Page 29 |
App-ID Comprehensive Application Visibility
bull Policy-based control more than 1200+ applications distributed across five categories and 25 sub-categories
bull Balanced mix of business internet and networking applications and networking protocols
bull ~ 5 - 10 new applications added weekly
copy 2009 Palo Alto Networks Proprietary and Confidential Page 30 |
User-ID Enterprise Directory Integration
bull Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group not just the IP address
bull Understand user application and threat behavior based on actual AD username not just IP
bull Manage and enforce policy based on user andor AD group
bull Investigate security incidents generate custom reports
copy 2009 Palo Alto Networks Proprietary and Confidential Page 31 |
Content-ID Real-Time Content Scanning
bull Stream-based not file-based for real-time performance
- Uniform signature engine scans for broad range of threats in single pass
- Vulnerability exploits (IPS) viruses and spyware (both downloads and phone-home)
bull Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into file to determine type ndash not extension based
bull Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000rsquos URLssec)
- Dynamic DB adapts to local regional or industry focused surfing patterns
Detect and block a wide range of threats limit unauthorized data transfer and control non-work related web surfing
copy 2008 Palo Alto Networks Proprietary and Confidential Page 32 |
bullNSS Labs the worldrsquos largest security and performance testing lab have recently
completed in-depth IPS testing of the Palo Alto Networksrsquo next-gen firewall Our solution
was tested against 1179 live exploits in what was the industrys most comprehensive IPS
test to date The results were crystal clear and provided the hard proof of what our next-
generation firewalls can really do Key results include
bullbull The highest IPS block rate in recent history (934)
bull 100 resistance to IPS evasion techniques
bull Simple IPS configuration and tuning
bull Provided all the above while exceeding the datasheet performance metrics by 115
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 33 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2009 Palo Alto Networks Proprietary and Confidential Page 34 |
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
bull Operations once per packet
- Traffic classification (app identification)
- Usergroup mapping
- Content scanning ndash threats URLs confidential data
bull One policy
Parallel Processing
bull Function-specific hardware engines
bull Separate datacontrol planes
Up to 10Gbps Low Latency
copy 2011 Palo Alto Networks Proprietary and Confidential
PA-5000 Series Architecture
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual solid-state drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow
control
Route ARP MAC
lookup
NAT Switch
Fabric
Signature Match
Signature Match
SSL IPSec De-
Compress SSL IPSec
De-Compress
SSL IPSec De-
Compress
Quad-core
CPU CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
RAM
RAM
SSD
SSD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
bull 40+ processors
bull 30+ GB of RAM
bull Separate high speed data and control planes
bull 20 Gbps firewall throughput
bull 10 Gbps threat prevention throughput
bull 4 Million concurrent sessions
Page 35 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 36 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 37 |
Powerful Policy-Based Control
bull Browse more than 1300 applications based on name category technology or characteristic
bull Immediately translate results into positive enforcement model firewall rules
bull Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto
Palo Alto ndash Network Sniffer
copy 2008 Palo Alto Networks Proprietary and Confidential Page 38 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 39 |
Visibility into Applications Users amp Content
User hzielinski Filter on Skype
Remove Skype to expand view of hzielinski
Palo Alto
Palo Alto ndash Rich reports
copy 2008 Palo Alto Networks Proprietary and Confidential Page 40 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 41 |
Demo (offline) ndash Traffic Log
copy 2008 Palo Alto Networks Proprietary and Confidential Page 42 |
Enables Executive Visibility
copy 2009 Palo Alto Networks Proprietary and Confidential Page 43 |
PAN-OS Features
bull Strong networking foundation
- Dynamic routing (OSPF RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode ndash connect to SPAN port
- Virtual wire (ldquoLayer 1rdquo) for true transparent in-line deployment
- L2L3 switching foundation
bull QoS traffic shaping - Maxguaranteed and priority
- By user app interface zone and more
bull Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
bull High Availability
- Active Active
- Configuration and session synchronization
- Path link and HA monitoring
bull Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
bull Simple flexible management
- CLI Web Panorama SNMP Syslog
Visibility and control of applications users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
bull Intuitive and flexible management
- CLI Web Panorama SNMP Syslog
- Role-based administration enables delegation of tasks to appropriate person
bull Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACCmonitoring views log collection and reporting
bull All interfaces work on current configuration avoiding sync issues
NGFW for mobile devices
Today: Quality of Security Tied to Location
[Diagram: botnets; users inside vs outside the enterprise network]
Enterprise Network Security: • Security based on best practices • Full-featured NGFW and threat prevention
No Network Security: • Security based on best effort • Exposed to threats, risky app usage and more
Introducing GlobalProtect
• Users never go "off-network" regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
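The gateway decision described in the four "How it works" steps, as an added Python model that is not Palo Alto Networks code: the agent reports location and a host information profile (HIP), the gateway selects where the session terminates, and one policy is evaluated over application, user group and HIP together. The rule names, gateway names, users, groups and HIP attributes are constructed for the example and do not reflect the product's real policy objects.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class HostInfoProfile:
    """Attributes the agent submits (a subset of those named on the slide).
    Values are constructed for the example."""
    asset_type: str          # e.g. "corporate-laptop" or "byod"
    patch_age_days: int      # days since the host was last patched
    disk_encrypted: bool


@dataclass
class Session:
    user: str
    group: str               # directory group, i.e. what User-ID supplies
    app: str                 # application identity, i.e. what App-ID supplies
    on_network: bool         # reported by the agent
    hip: HostInfoProfile


@dataclass
class Rule:
    name: str
    apps: Set[str]           # "*" matches any application
    groups: Set[str]         # "*" matches any group
    action: str              # "allow" or "deny"
    require_encryption: bool = False
    max_patch_age_days: Optional[int] = None
    asset_types: Set[str] = field(default_factory=set)

    def hip_ok(self, hip: HostInfoProfile) -> bool:
        """HIP conditions are part of the match, so a non-compliant host does not
        hit the rule at all and falls through to whatever rule comes next."""
        if self.require_encryption and not hip.disk_encrypted:
            return False
        if self.max_patch_age_days is not None and hip.patch_age_days > self.max_patch_age_days:
            return False
        if self.asset_types and hip.asset_type not in self.asset_types:
            return False
        return True

    def matches(self, s: Session) -> bool:
        app_ok = "*" in self.apps or s.app in self.apps
        group_ok = "*" in self.groups or s.group in self.groups
        return app_ok and group_ok and self.hip_ok(s.hip)


# Constructed policy. The same rules apply whether the user is inside or
# outside; location only changes which gateway terminates the session.
POLICY = [
    Rule("finance-erp", {"sap"}, {"finance"}, "allow",
         require_encryption=True, max_patch_age_days=30,
         asset_types={"corporate-laptop"}),
    Rule("web-for-all", {"web-browsing", "ssl"}, {"finance", "engineering"}, "allow"),
    Rule("default-deny", {"*"}, {"*"}, "deny"),
]


def select_gateway(on_network: bool) -> str:
    """Steps 1-2 on the slide: on-network hosts hit the local firewall; off-network
    hosts are tunnelled over SSL VPN to the nearest gateway. Names are constructed."""
    return "internal-gateway" if on_network else "nearest-external-gateway (SSL VPN)"


def evaluate(session: Session) -> Tuple[str, str]:
    """Step 4 on the slide: return (gateway, action). First matching rule wins."""
    gateway = select_gateway(session.on_network)
    for rule in POLICY:
        if rule.matches(session):
            return gateway, rule.action
    return gateway, "deny"   # unreachable while a default-deny rule is present
```

The point the model makes is that a host failing a HIP condition does not get a weaker version of the rule; it simply does not match it, so the finance user on an unencrypted or stale laptop lands on the default deny regardless of whether the session arrived through the internal gateway or the SSL VPN.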
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line:
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement:
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate segmentation
[Diagram: Datacenter 1, Datacenter 2; Segment A, Segment B, Segment C]
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
Palo Alto Networks Next-Gen Firewalls
PA-4050: • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions • 8 SFP, 16 copper gigabit
PA-4020: • 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions • 8 SFP, 16 copper gigabit
PA-4060: • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions • 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050: • 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions • 4 SFP, 16 copper gigabit
PA-2020: • 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions • 2 SFP, 12 copper gigabit
PA-500: • 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions • 8 copper gigabit
PA-5050: • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions • 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020: • 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions • 8 SFP, 12 copper gigabit
PA-5060: • 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions • 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
the innovative approach
extend security to all network traffic
Thank You – Zion Ezra, VP Sales
POC and AVR Report
AVR Report
AVR Report
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have limited view of traffic
• Turning on functions kills performance
Traditional Multi-Pass Architectures are Slow
[Diagram: four serial passes, each repeating its own port/protocol-based ID, L2/L3 networking, HA, config management and reporting]
- Firewall pass: Port/Protocol-based ID → Firewall Policy
- URL filtering pass: Port/Protocol-based ID, HTTP Decoder → URL Filtering Policy
- IPS pass: Port/Protocol-based ID, IPS Decoder, IPS Signatures → IPS Policy
- AV pass: Port/Protocol-based ID, AV Decoder & Proxy, AV Signatures → AV Policy
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
• Need to Restore Visibility and Control in the Firewall
• BUT… Applications Have Changed (collaboration, media, SaaS, personal)
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
exploit protection
many months pass between black-hat discovery, white-hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion: advanced-malware protection belongs in a next generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
INSANITY: doing the same thing over and over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Diagram: control plane (quad-core CPU, RAM, dual HDD) separate from the data plane; the data plane switch fabric links the network processor (QoS, flow control, route/ARP/MAC lookup, NAT) at 20 Gbps to three security processors (multi-core CPUs with RAM, signature match engines, SSL/IPSec/decompression engines) at 10 Gbps each]
NGFW for mobile devices
Source: Gartner (March 2010). As of March 2010
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
[Diagram: applications (RPC, SMS, SQL, SharePoint, SMB, NetBIOS) spread across ports 135, 137, 139, 80 and 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports - fundamentally breaking port-based network security
Palo Alto Networks: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5050
• 10 Gbps FW
• 5 Gbps threat prevention
• 4 Gbps IPSec VPN
• 10,000 SSL VPN users
• 2,000,000 sessions
• Up to 125 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5020
• 5 Gbps FW
• 2 Gbps threat prevention
• 2 Gbps IPSec VPN
• 5,000 SSL VPN users
• 1,000,000 sessions
• Up to 20 VSYS
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5060
• 20 Gbps FW
• 10 Gbps threat prevention
• 4 Gbps IPSec VPN
• 20,000 SSL VPN users
• 4,000,000 sessions
• Up to 225 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
• Hot swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
[Diagram: botnets; users inside vs outside the enterprise network]
Enterprise Network Security: • Security based on best practices • Full-featured NGFW and threat prevention
No Network Security: • Security based on best effort • Exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to cloud-based proxy for scanning and policy enforcement
• Supports limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates, operational and management overhead
Introducing GlobalProtect
• Users never go "off-network" regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram: malware, botnets, exploits]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful inspection based firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with enterprise directory
- Content-ID: threats, URLs, data
- High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
The 5 Steps for Smart Attacks: bait, exploit, download, back channel, steal
protection is needed at all stages
Applications Carry Risk
Applications can be "threats"
• P2P file sharing, tunneling applications, anonymizers
media/video
Applications carry threats
• Qualys Top 20 Vulnerabilities – majority result in application-level threats
Applications & application-level threats result in major breaches – RSA, Comodo, FBI
exploits come in through many applications
Application Control Efforts are Failing
• Palo Alto Networks' Application Usage & Risk Report highlights actual behavior of 900,000 users across more than 60 organizations
- Applications are built for accessibility
- Tools that enable users to circumvent security are common
- File sharing usage – P2P and browser-based – is rampant
- Controls are failing – all had firewalls, many had IPS, proxies & URL filtering
Applications carry risks: business continuity, data loss, compliance, productivity and operations costs
Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks' latest Application Usage & Risk Report highlights actual behavior of 1M+ users in 1,253 organizations
- More enterprise 2.0 application use for personal and business reasons
- Tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies & URL filtering – but none of these organizations could control what applications ran on their networks
[Chart: how often each application was found (x-axis 0% to 80%), for RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge and Gpass; bar values range from 3% to 80%]
• Remote Access
- 27 variants found 95% of the time
• External Proxies
- 22 variants found 76% of the time
• Encrypted Tunnels
- Non-VPN related – found 30% of the time
Users Will Find A Way…
Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010
From the news
Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on
[Diagram: port traffic passes a port-based firewall (port policy decision), then an IPS makes the app control policy decision on the applications it recognizes]
• Port-based FW + App Ctrl (IPS) = two policies
• Applications are threats: only block what you expressly look for
Implications
• Network access decision is made with no information
• Cannot safely enable applications
NGFW Application Control
[Diagram: application traffic enters a firewall with integrated IPS that makes the app control policy decision and scans applications for threats]
• Application control is in the firewall = single policy
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
HTTP: Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%) – proxies cannot deal with it
• Browser-based applications are 46% - some work with proxies and some don't
• Web browsing is 23%
[Chart: All HTTP Applications; Web Browsing; Browser-based Applications]
Application Control vs Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
- Enhancing productivity
- Giving competitive advantage to the business
• It's all about visibility and control
- Who is using what
- Control and secure modern applications
- Control feature use
Palo Alto – Next Generation FW
New Requirements for Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access / functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility: App-ID identifies and controls 1300+ applications
Integrated Rather Than Co-Located IPS: Content-ID includes full IPS without compromising performance
Extra-Firewall Intelligence to Identify Users: User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities: packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
Support "bump in the wire" Deployments
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers
Gartner's Recommendations: Move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS or the combination of the two
Unique Technologies Transform the Firewall
App-ID: Identify the application
User-ID: Identify the user
Content-ID: Scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of more than 1,200 applications distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5 - 10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user, application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
- Uniform signature engine scans for a broad range of threats in a single pass
- Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
- Looks for CC# and SSN patterns
- Looks into the file to determine type – not extension based
• Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000's of URLs/sec)
- Dynamic DB adapts to local, regional or industry focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work related web surfing
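Two of the Content-ID points above, stream-based scanning for credit-card and SSN patterns and file typing from content rather than extension, as an added Python illustration that is not Palo Alto Networks code. The magic-byte table, the regular expressions, the overlap size and the sample stream are all constructed for the example; the vendor's hardware signature engine is not represented here. The stream scanner keeps a tail of the previous chunk so a number split across a chunk boundary is still caught, which is the property that distinguishes scanning a stream from scanning a reassembled file.

```python
import re
from typing import Dict, Iterable, List

# Constructed magic-byte table: a small subset of well-known file signatures.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
    b"\x89PNG\r\n\x1a\n": "png",
}

# 14-16 digits with optional single space/dash separators, not embedded in a longer digit run.
CC_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){13,15}\d(?!\d)")
# AAA-GG-SSSS with structurally invalid area, group and serial values excluded.
SSN_RE = re.compile(rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

# Longest candidate a pattern can span (16 digits + 15 separators); the overlap
# kept between chunks must be at least this long.
MAX_PATTERN = 31


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def identify_type(head: bytes) -> str:
    """Type from the leading bytes of the content, not from the file name."""
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return "unknown"


def type_mismatch(filename: str, head: bytes) -> bool:
    """True when a declared extension disagrees with the detected type
    (for example an executable renamed to .pdf)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = identify_type(head)
    return detected != "unknown" and ext != detected


def scan_stream(chunks: Iterable[bytes], overlap: int = MAX_PATTERN + 1) -> Dict[str, List[str]]:
    """Scan a stream chunk by chunk without assembling the whole object.
    The tail of the previous window is prepended so a pattern split across a
    chunk boundary is still seen whole. A match ending exactly at the window end
    is deferred (it may continue in the next chunk) unless this is the last chunk,
    a candidate starting where the tail cut through a digit run is skipped, and
    duplicates re-seen through the overlap are suppressed."""
    chunks = list(chunks)
    found: Dict[str, List[str]] = {"cc": [], "ssn": []}
    seen = set()
    tail = b""
    tail_cuts_digit_run = False
    for i, chunk in enumerate(chunks):
        last = i == len(chunks) - 1
        window = tail + chunk
        for regex, kind in ((CC_RE, "cc"), (SSN_RE, "ssn")):
            for m in regex.finditer(window):
                if m.start() == 0 and tail_cuts_digit_run:
                    continue
                if m.end() == len(window) and not last:
                    continue
                value = m.group().decode()
                if kind == "cc":
                    value = re.sub(r"[ -]", "", value)
                    if not luhn_ok(value):
                        continue
                if value not in seen:
                    seen.add(value)
                    found[kind].append(value)
        tail_cuts_digit_run = window[-overlap - 1:-overlap].isdigit()
        tail = window[-overlap:]
    return found


# Constructed sample stream, split so the valid card number straddles a chunk boundary.
SAMPLE = (b"Invoice for card 4111 1111 1111 1111 and bogus 1234 5678 9012 3456; "
          b"SSN 123-45-6789. Phone 555-1234.")
SAMPLE_CHUNKS = [SAMPLE[:25], SAMPLE[25:60], SAMPLE[60:]]
```

Running `scan_stream(SAMPLE_CHUNKS)` reports the Luhn-valid test card number and the SSN only; the second 16-digit run fails the check digit and the phone number never matches either pattern. The same result comes back when the stream is passed as a single chunk, which is the behaviour a chunked scanner has to preserve.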
• NSS Labs, the world's largest security and performance testing lab, has recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. Our solution was tested against 1,179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided the hard proof of what our next-generation firewalls can really do. Key results include:
• The highest IPS block rate in recent history (93.4%)
• 100% resistance to IPS evasion techniques
• Simple IPS configuration and tuning
• Provided all the above while exceeding the datasheet performance metrics by 115%
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, Low Latency
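An added Python model, not Palo Alto Networks code, of the single-pass idea on this slide. It also illustrates the earlier points that ports ≠ applications and that an add-on application control layer leaves the port-based access decision uninformed: each flow is classified once for application (from the payload, not the port), user (from an IP-to-user mapping) and threats, and one policy is then evaluated over the combined result. A port-only decision is kept alongside for contrast. The application signatures, threat marker, IP-to-user mapping, groups, flows and rules are all constructed for the example and do not reflect the product's real signatures or policy format.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed application signatures matched on the first bytes of the payload.
APP_SIGNATURES = [
    (b"SSH-", "ssh"),
    (b"\x13BitTorrent protocol", "bittorrent"),
    (b"GET ", "web-browsing"),
    (b"POST ", "web-browsing"),
    (b"\x16\x03", "ssl"),
]
# What a port-based firewall assumes is running on a port.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl"}

# Constructed threat signature standing in for an IPS/AV pattern.
THREAT_SIGNATURES = {b"CONSTRUCTED-THREAT-MARKER": "test-threat"}

# Constructed User-ID data: IP-to-user mapping and directory group membership.
IP_TO_USER = {"10.0.0.5": "alice", "10.0.0.9": "bob"}
USER_GROUPS = {"alice": "it-admins", "bob": "marketing"}


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Classified:
    app: str
    user: str
    group: str
    threats: List[str]


def classify_once(flow: Flow) -> Classified:
    """The single pass: app identity, user identity and content scan results are
    produced together, once, and handed to one policy evaluation."""
    app = "unknown"
    for sig, name in APP_SIGNATURES:
        if flow.payload.startswith(sig):
            app = name
            break
    user = IP_TO_USER.get(flow.src_ip, "unknown")
    group = USER_GROUPS.get(user, "unknown")
    threats = [name for sig, name in THREAT_SIGNATURES.items() if sig in flow.payload]
    return Classified(app, user, group, threats)


# One policy: (applications, groups, action). First match wins; "*" is a wildcard.
POLICY = [
    ({"ssh"}, {"it-admins"}, "allow"),          # SSH only for authorized staff
    ({"web-browsing", "ssl"}, {"*"}, "allow"),
    ({"*"}, {"*"}, "deny"),
]


def single_pass_decision(flow: Flow) -> Tuple[str, Classified]:
    """Return (action, classification). The threat scan feeds the same decision
    instead of a separate IPS policy applied after the firewall already let the
    flow in."""
    c = classify_once(flow)
    if c.threats:
        return "block-threat", c
    for apps, groups, action in POLICY:
        if ("*" in apps or c.app in apps) and ("*" in groups or c.group in groups):
            return action, c
    return "deny", c


def port_based_decision(flow: Flow) -> str:
    """Legacy model from the slides: access decided by port alone, with no
    knowledge of the application actually carried or of the user."""
    return "allow" if PORT_TABLE.get(flow.dst_port) in ("web-browsing", "ssl") else "deny"
```

Run both decisions over the same constructed flows and the divergence is exactly the one the slides describe: a BitTorrent handshake on port 80 is allowed by port and denied by application identity, SSH on port 443 is allowed by port for anyone but only for the it-admins group by the single policy, and a web request on an unusual port is denied by port yet allowed once the application is recognized.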
PA-5000 Series Architecture
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual solid-state drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Diagram: control plane (quad-core CPU, RAM, dual SSD) separate from the data plane; the data plane switch fabric links the network processor (QoS, flow control, route/ARP/MAC lookup, NAT) at 20 Gbps to three security processors (multi-core CPUs with RAM, signature match engines, SSL/IPSec/decompression engines) at 10 Gbps each]
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 million concurrent sessions
Traditional Multi-Pass Architectures are Slow
[Diagram: four serial passes, each repeating its own port/protocol-based ID, L2/L3 networking, HA, config management and reporting]
- Firewall pass: Port/Protocol-based ID → Firewall Policy
- URL filtering pass: Port/Protocol-based ID, HTTP Decoder → URL Filtering Policy
- IPS pass: Port/Protocol-based ID, IPS Decoder, IPS Signatures → IPS Policy
- AV pass: Port/Protocol-based ID, AV Decoder & Proxy, AV Signatures → AV Policy
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto – Network Sniffer
Visibility into Applications, Users & Content
User hzielinski: Filter on Skype
Remove Skype to expand view of hzielinski
Palo Alto – Rich reports
copy 2008 Palo Alto Networks Proprietary and Confidential Page 41 |
Demo (offline) ndash Traffic Log
copy 2008 Palo Alto Networks Proprietary and Confidential Page 42 |
Enables Executive Visibility
copy 2009 Palo Alto Networks Proprietary and Confidential Page 43 |
PAN-OS Features
bull Strong networking foundation
- Dynamic routing (OSPF RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode ndash connect to SPAN port
- Virtual wire (ldquoLayer 1rdquo) for true transparent in-line deployment
- L2L3 switching foundation
bull QoS traffic shaping - Maxguaranteed and priority
- By user app interface zone and more
bull Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
bull High Availability
- Active Active
- Configuration and session synchronization
- Path link and HA monitoring
bull Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
bull Simple flexible management
- CLI Web Panorama SNMP Syslog
Visibility and control of applications users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
bull Intuitive and flexible management
- CLI Web Panorama SNMP Syslog
- Role-based administration enables delegation of tasks to appropriate person
bull Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACCmonitoring views log collection and reporting
bull All interfaces work on current configuration avoiding sync issues
NGFW for mobile devices
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to restore application visibility & control in the firewall.
Today's network security is based on outdated assumptions... Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security.
(Diagram: applications such as RPC, SMS, SQL, SharePoint, SMB and NetBIOS shown against ports 135, 137, 139, 80 and 443, plus random high ports.)
Palo Alto Networks: Protection + Performance
• Strong threat prevention
- NSS Labs: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scans inbound and outbound SSL (decrypted) and compressed traffic
- Assures only authorized applications are using network resources
- Allows SSH/RDP, but only for authorized staff
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications

Model    Firewall  Threat prevention  IPSec VPN  SSL VPN users  Sessions    VSYS (max)  I/O
PA-5020  5 Gbps    2 Gbps             2 Gbps     5,000          1,000,000   20          (8) SFP 1 Gig, (12) 10/100/1000
PA-5050  10 Gbps   5 Gbps             4 Gbps     10,000         2,000,000   125         (4) SFP+ 10 Gig, (8) SFP 1 Gig, (12) 10/100/1000
PA-5060  20 Gbps   10 Gbps            4 Gbps     20,000         4,000,000   225         (4) SFP+ 10 Gig, (8) SFP 1 Gig, (12) 10/100/1000

All models: hot-swappable fans and power supplies; dual solid-state drives; dedicated HA and management interfaces; 2U standard rack-mount form factor.
NGFWs Eliminate Data Center Compromise
• Prevent threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into deployment
• Comply and compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with flexible network security infrastructure
- Up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- Simpler, easier deployments
- Reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
• On the enterprise network: security based on best practices; full-featured NGFW and threat prevention
• Off the network (no network security): security based on best effort; exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality; heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-based services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher costs, more work, for lower security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase; duplicates operational and management overhead
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- A small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
- The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
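The last step above is a policy decision over three inputs at once: who the user is, what the application is, and what state the connecting host is in. The following is an added example (not code from the deck or from Palo Alto Networks) that models that decision as first-match rule evaluation. The rule fields, the host-profile attributes, the group names and the sample endpoints are all constructed for illustration and are not PAN-OS policy syntax.

```python
"""Policy decision combining user group, application and host information
profile (HIP). Added example with constructed rules and endpoints."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class HostProfile:
    """What the endpoint agent reports about the device (constructed fields)."""
    os: str
    patch_age_days: int          # days since the last OS patch was applied
    disk_encrypted: bool
    av_running: bool
    managed: bool                # corporate asset (True) or personal device


@dataclass(frozen=True)
class Rule:
    name: str
    groups: Set[str]             # "any" matches every user
    apps: Set[str]               # "any" matches every application
    require_encrypted: bool = False
    require_av: bool = False
    require_managed: bool = False
    max_patch_age_days: Optional[int] = None
    action: str = "allow"


def hip_ok(rule: Rule, hip: HostProfile) -> bool:
    """Every host condition the rule sets must hold for the rule to match."""
    if rule.require_encrypted and not hip.disk_encrypted:
        return False
    if rule.require_av and not hip.av_running:
        return False
    if rule.require_managed and not hip.managed:
        return False
    if rule.max_patch_age_days is not None and hip.patch_age_days > rule.max_patch_age_days:
        return False
    return True


def evaluate(rules, user_groups: Set[str], app: str, hip: HostProfile) -> Tuple[str, str]:
    """First-match evaluation over user group, application and HIP.
    Returns (action, matching rule name); nothing matching means deny."""
    for rule in rules:
        if "any" not in rule.groups and not (rule.groups & user_groups):
            continue
        if "any" not in rule.apps and app not in rule.apps:
            continue
        if not hip_ok(rule, hip):
            continue
        return rule.action, rule.name
    return "deny", "default-deny"


# Constructed policy: the same user gets different access depending on the
# state of the device they connect from.
POLICY = [
    Rule("finance-erp", {"finance"}, {"sap"},
         require_encrypted=True, require_managed=True, max_patch_age_days=30),
    Rule("admin-remote", {"it-admins"}, {"ssh", "ms-rdp"},
         require_managed=True, require_av=True),
    Rule("general-web", {"any"}, {"web-browsing", "ssl"}),
    Rule("block-remote-tools", {"any"}, {"ssh", "ms-rdp", "logmein", "teamviewer"},
         action="deny"),
]

# Constructed endpoints as the agent would report them.
HEALTHY = HostProfile("Windows 7", 12, True, True, True)
UNPATCHED = HostProfile("Windows 7", 45, True, True, True)
PERSONAL = HostProfile("Windows XP", 400, False, False, False)


def demo():
    """Run a handful of (user group, app, host) combinations through the policy."""
    return {
        "finance_healthy_sap": evaluate(POLICY, {"finance"}, "sap", HEALTHY),
        "finance_unpatched_sap": evaluate(POLICY, {"finance"}, "sap", UNPATCHED),
        "admin_personal_ssh": evaluate(POLICY, {"it-admins"}, "ssh", PERSONAL),
        "admin_healthy_rdp": evaluate(POLICY, {"it-admins"}, "ms-rdp", HEALTHY),
        "sales_personal_web": evaluate(POLICY, {"sales"}, "web-browsing", PERSONAL),
        "sales_healthy_ssh": evaluate(POLICY, {"sales"}, "ssh", HEALTHY),
    }


if __name__ == "__main__":
    for case, (action, rule) in demo().items():
        print(f"{case:<24} {action:<6} ({rule})")
```

The point of the unpatched and personal-device cases is that the user and application alone would have been allowed; only the host profile turns them into a deny, which is the difference between this model and a plain user/application rule base.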
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
(Diagram labels: malware, botnets, exploits.)
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption let applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
Applications Carry Risk
Applications can be "threats"
• P2P file sharing, tunneling applications, anonymizers, media/video
Applications carry threats
• Qualys Top 20 Vulnerabilities: the majority result in application-level threats
Applications and application-level threats result in major breaches: RSA, Comodo, FBI
Exploits come in through many applications
Application Control Efforts are Failing
• Palo Alto Networks' Application Usage & Risk Report highlights the actual behavior of 900,000 users across more than 60 organizations
- Applications are built for accessibility
- Tools that enable users to circumvent security are common
- File sharing usage, P2P and browser-based, is rampant
- Controls are failing: all had firewalls, many had IPS, proxies & URL filtering
Applications carry risks: business continuity, data loss, compliance, productivity and operations costs
Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks' latest Application Usage & Risk Report highlights the actual behavior of 1M+ users in 1,253 organizations
- More Enterprise 2.0 application use, for personal and business reasons
- Tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies & URL filtering, but none of these organizations could control what applications ran on their networks
(Chart: percentage of organizations in which each application was found, 0-80% scale; bars range from 3% to 80% across RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge and Gpass.)
• Remote access: 27 variants, found 95% of the time
• External proxies: 22 variants, found 76% of the time
• Encrypted tunnels (non-VPN related): found 30% of the time
Users Will Find A Way...
Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010
From the news
Why Visibility & Control Must Be In The Firewall
Application control as an add-on (port-based firewall, then IPS)
• Port-based FW + App Ctrl (IPS) = two policies: a port policy decision, then a separate app-control policy decision
• Applications are treated as threats: only block what you expressly look for
Implications
• Network access decision is made with no information about the application
• Cannot safely enable applications
NGFW application control (firewall and IPS in one device)
• Application control is in the firewall = single policy: the app-control policy decision and the threat scan of the application happen together
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
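The two models above, and the earlier point that applications no longer sit on predictable ports, are easiest to see side by side on concrete flows. The following is an added example (not code from the deck or from Palo Alto Networks): a few constructed client flows with their destination port and first payload bytes are run through a port-based rule with an IPS blocklist bolted on, and through a single application-based positive policy. The identification heuristics are deliberately minimal stand-ins for real application signatures; the flows, port list, blocklist and allowed-application set are all constructed.

```python
"""Port-based firewall plus add-on app control versus single application-based
policy. Added example; simplified identification, constructed flows."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    first_bytes: bytes      # first payload bytes sent by the client (constructed)


_HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")


def identify_app(payload: bytes) -> str:
    """Tiny stand-in for application signatures: looks at how the client
    opens the conversation, never at the port. Real engines use full
    protocol decoders, heuristics and SSL decryption."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "ssl"                        # TLS handshake record
    if len(payload) >= 4 and payload[:2] == b"\x03\x00":
        return "ms-rdp"                     # TPKT header carrying RDP
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload.startswith(_HTTP_METHODS) and b" HTTP/1." in payload:
        return "web-browsing"
    return "unknown-tcp"


# Model A: port-based firewall with application control as an add-on.
PORT_ALLOW = {80, 443}                      # the classic "allow web out" rule
IPS_APP_BLOCKLIST = {"bittorrent"}          # negative model: block only what is listed


def port_plus_addon_decision(flow: Flow) -> Tuple[str, str]:
    """Port decides access; the add-on can only veto applications it was told about."""
    if flow.dst_port not in PORT_ALLOW:
        return "deny", f"port {flow.dst_port} not permitted"
    app = identify_app(flow.first_bytes)
    if app in IPS_APP_BLOCKLIST:
        return "deny", f"ips blocklist: {app}"
    return "allow", f"port {flow.dst_port} open, {app} not on blocklist"


# Model B: application identity drives the one firewall policy.
APP_ALLOW = {"web-browsing", "ssl"}         # positive model: enable only these


def ngfw_decision(flow: Flow) -> Tuple[str, str]:
    """Access is granted per application; unknown or mis-ported traffic is denied."""
    app = identify_app(flow.first_bytes)
    if app in APP_ALLOW:
        return "allow", app
    return "deny", app


# Constructed flows. The interesting ones are SSH riding on 443, BitTorrent
# on 80, and an unidentified protocol on 443.
FLOWS = [
    Flow("10.0.0.5", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow("10.0.0.6", 443, b"SSH-2.0-OpenSSH_5.8\r\n"),
    Flow("10.0.0.7", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),
    Flow("10.0.0.8", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.9", 443, b"\x00\x01\x02\x03 opaque custom protocol"),
    Flow("10.0.0.10", 22, b"SSH-2.0-OpenSSH_5.8\r\n"),
]


def compare(flows=FLOWS):
    """Return {src: (port+add-on verdict, application-policy verdict)}."""
    return {f.src: (port_plus_addon_decision(f)[0], ngfw_decision(f)[0]) for f in flows}


if __name__ == "__main__":
    for f in FLOWS:
        print(f"{f.src:>10} :{f.dst_port:<4} {identify_app(f.first_bytes):<13} "
              f"add-on={port_plus_addon_decision(f)} ngfw={ngfw_decision(f)}")
```

Two rows make the argument: SSH on port 443 passes the port rule and is not on the blocklist, so model A allows it, while model B denies it because SSH was never enabled; the unidentified protocol on 443 is likewise allowed by A and denied by B. Moving SSH to its standard port does not help under model A either, since port 22 is simply not open; under model B the decision is the same on either port.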
HTTP: Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%); proxies cannot deal with it
• Browser-based applications are 46%; some work with proxies and some don't
• Web browsing is 23%
(Chart: all HTTP applications, split into web browsing and browser-based applications.)
Application Control vs. Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
- Enhancing productivity
- Giving competitive advantage to the business
• It's all about visibility and control
- Who is using what?
- Control and secure modern applications
- Control feature use
Palo Alto - Next Generation FW
New Requirements for Security Device
1 Identify applications regardless of port protocol evasive tactic or SSL
2 Identify users regardless of IP address
3 Granular visibility and policy control over application access functionality
4 Protect in real-time against threats embedded across applications
5 Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers:
• Application awareness and full stack visibility: App-ID identifies and controls 1300+ applications
• Integrated rather than co-located IPS: Content-ID includes full IPS without compromising performance
• Extra-firewall intelligence to identify users: User-ID brings AD users and groups into firewall policy
• Standard first-generation firewall capabilities: packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
• Support for "bump in the wire" deployments
Gartner's recommendation: move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS or the combination of the two.
Unique Technologies Transform the Firewall
• App-ID: identify the application
• User-ID: identify the user
• Content-ID: scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of more than 1,200 applications distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5-10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user, application and threat behavior based on the actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
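To key policy on the directory user rather than the address, the firewall needs to know who held an IP address at the moment a flow was seen, and that answer changes during the day as addresses are reused. The following is an added example (not code from the deck or from Palo Alto Networks) that replays constructed logon events, written in the style of Windows Security log 4624 (successful logon) and 4625 (failed logon) entries, into a mapping table with a fixed lifetime, then resolves an address at a given time to a user and their groups. The event format, the eight-hour timeout and the group table are constructed; the real agent reads the event log remotely and handles many more cases.

```python
"""IP-to-user mapping built from directory logon events.
Added example; constructed events, timeout and group table."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed events: address 10.1.20.15 is used by two users during the day.
LOGON_EVENTS = [
    "2011-10-03T08:00:12 4624 user=hzielinski ip=10.1.20.15",
    "2011-10-03T08:05:40 4624 user=jdoe ip=10.1.20.16",
    "2011-10-03T08:06:02 4625 user=jdoe ip=10.1.20.99",        # failed logon, ignored
    "2011-10-03T12:30:00 4624 user=svc-backup ip=10.1.20.15",  # address re-assigned
]

# Constructed group membership (what the firewall would pull from AD/LDAP).
GROUPS: Dict[str, Set[str]] = {
    "hzielinski": {"sales"},
    "jdoe": {"it-admins"},
    "svc-backup": {"service-accounts"},
}


def parse_event(line: str) -> Tuple[datetime, str, str, str]:
    """Split one constructed event line into (time, event id, user, ip)."""
    ts, event_id, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), event_id, fields["user"], fields["ip"]


class UserMap:
    """ip -> list of (logon time, user); each mapping lives for `timeout`."""

    def __init__(self, timeout: timedelta = timedelta(hours=8)):
        self.timeout = timeout
        self._records: Dict[str, List[Tuple[datetime, str]]] = {}

    def learn(self, line: str) -> None:
        ts, event_id, user, ip = parse_event(line)
        if event_id != "4624":          # only successful logons create a mapping
            return
        self._records.setdefault(ip, []).append((ts, user))

    def user_at(self, ip: str, when: datetime) -> Optional[str]:
        """Most recent logon from `ip` whose lifetime still covers `when`."""
        best: Optional[Tuple[datetime, str]] = None
        for start, user in self._records.get(ip, []):
            if start <= when < start + self.timeout and (best is None or start > best[0]):
                best = (start, user)
        return best[1] if best else None

    def groups_at(self, ip: str, when: datetime) -> Set[str]:
        user = self.user_at(ip, when)
        return GROUPS.get(user, set()) if user else set()


def build_map(events=LOGON_EVENTS) -> UserMap:
    umap = UserMap()
    for line in events:
        umap.learn(line)
    return umap


def resolve(umap: UserMap, ip: str, iso_time: str) -> Tuple[Optional[str], Set[str]]:
    """Convenience: (user, groups) for `ip` at an ISO-8601 timestamp."""
    when = datetime.fromisoformat(iso_time)
    return umap.user_at(ip, when), umap.groups_at(ip, when)


if __name__ == "__main__":
    umap = build_map()
    for t in ("2011-10-03T09:00:00", "2011-10-03T13:00:00", "2011-10-04T09:00:00"):
        print(t, "10.1.20.15 ->", resolve(umap, "10.1.20.15", t))
```

The same address resolves to a sales user in the morning and to a service account after noon, and to nobody the next day once both mappings have aged out; a rule written against the address would have treated all three as the same principal.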
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
- Uniform signature engine scans for a broad range of threats in a single pass
- Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data, and file transfers by type
- Looks for credit card and SSN patterns
- Looks into the file to determine type; not extension based
• Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000s of URLs/sec)
- Dynamic DB adapts to local, regional or industry-focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer, and control non-work-related web surfing.
Palo Alto Networks IPS: Protection + Performance
• NSS Labs, the world's largest security and performance testing lab, recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. Our solution was tested against 1,179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided hard proof of what our next-generation firewalls can really do. Key results include:
- The highest IPS block rate in recent history (93.4%)
- 100% resistance to IPS evasion techniques
- Simple IPS configuration and tuning
- All of the above while delivering 115% of the datasheet performance metrics
Single-Pass Parallel Processing (SP3) Architecture
Single pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning: threats, URLs, confidential data
• One policy
Parallel processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, low latency
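The Content-ID bullets and the single-pass point above share one idea: scan the stream as it flows, once, for several things at a time, and decide file type from content rather than name. The following is an added example (not code from the deck or from Palo Alto Networks) of such a scanner. It walks a byte stream chunk by chunk and, in that one pass, records the file type from leading bytes, reports credit-card numbers after a Luhn check, and reports SSN-shaped values, keeping a short carry-over so a pattern split across two chunks is still found and not reported twice. The magic-byte table, the patterns, the 20-byte carry and the sample stream are constructed; a real engine covers far more types and signatures.

```python
"""Single-pass, stream-based content scanning: file type by magic bytes,
Luhn-checked card numbers and SSN patterns across chunk boundaries.
Added example with constructed data."""
import re
from typing import Iterable, List

# Leading bytes -> type. Content decides, so payroll.txt starting "MZ" is an executable.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",            # also docx/xlsx/jar containers
    b"MZ": "pe-executable",
    b"\x7fELF": "elf",
    b"\x89PNG\r\n\x1a\n": "png",
}

# 13-16 digits, single space/hyphen separators allowed, not inside a longer digit run.
CC_RE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,15}(?!\d)")
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
MAX_LEN = 19                          # longest pattern: 16 digits + 3 separators
CARRY = MAX_LEN + 1                   # one extra byte so lookbehind has context


def file_type(head: bytes) -> str:
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return "unknown"


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_stream(chunks: Iterable[bytes]) -> dict:
    chunks = list(chunks)
    result = {"type": "unknown", "cc": [], "ssn": []}
    if chunks:
        result["type"] = file_type(chunks[0][:16])
    tail = b""                        # carry-over from the previous window
    consumed = 0                      # stream offset of tail[0]
    reported = set()                  # (kind, absolute offset) already emitted
    for i, chunk in enumerate(chunks):
        window = tail + chunk
        last = i == len(chunks) - 1
        for kind, rx in (("cc", CC_RE), ("ssn", SSN_RE)):
            for m in rx.finditer(window):
                if m.end() == len(window) and not last:
                    continue          # may continue into the next chunk; decide there
                if m.start() == 0 and consumed > 0:
                    continue          # byte before the carry is unknown; already decided
                start = consumed + m.start()
                if (kind, start) in reported:
                    continue
                value = m.group().decode()
                if kind == "cc":
                    value = re.sub(r"[ -]", "", value)
                    if not luhn_ok(value):
                        continue      # a digit run, but not a card number
                reported.add((kind, start))
                result[kind].append(value)
        tail = window[-CARRY:]
        consumed += len(window) - len(tail)
    return result


def chunked(data: bytes, size: int) -> List[bytes]:
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed sample: a PDF-looking stream with one valid and one invalid card number.
SAMPLE = (b"%PDF-1.4\nInvoice for card 4111 1111 1111 1111 exp 12/14\n"
          b"SSN 123-45-6789\nbad card 4111 1111 1111 1112\n")

if __name__ == "__main__":
    print(scan_stream(chunked(SAMPLE, 17)))
```

Feeding the same stream in 5-byte, 17-byte or single-chunk form must give the same result; that invariance is what makes the scanner stream-based rather than file-based, since nothing has to be buffered beyond the carry.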
PA-5000 Series Architecture
• 40+ processors
• 30+ GB of RAM
• Separate high-speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 million concurrent sessions
(Block diagram, same layout as the architecture view above: 80 Gbps switch fabric interconnect and 20 Gbps QoS engine; stream-based signature-match hardware engine for vulnerability exploits (IPS), viruses, spyware, credit card and SSN patterns; security processors with high-density parallel processing and hardware acceleration for SSL, IPSec and decompression; 20 Gbps network processor with hardware-accelerated per-packet route lookup, MAC lookup and NAT; control plane with highly available management, high-speed logging and route update, and dual solid-state drives.)
Traditional Multi-Pass Architectures are Slow
(Diagram: firewall, URL filtering, IPS and AV each run as a separate pass, each with its own port/protocol-based identification, decoder (HTTP decoder, IPS decoder, AV decoder & proxy), policy (firewall policy, URL filtering policy, IPS policy, AV policy), signatures, L2/L3 networking, HA, config management and reporting.)
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory, or by IP address
Palo Alto - Network Sniffer
Visibility into Applications, Users & Content
(Screenshot: ACC filtered on user hzielinski and on Skype; removing the Skype filter expands the view of hzielinski's activity.)
Palo Alto - Rich Reports
Demo (offline): Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode: connect to a SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping: max/guaranteed and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High availability
- Active/active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features.
Platforms: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and the device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
Zero-Day Attack Protection: a sandbox at the core
Flexible Deployment Options
• Transparent in-line: IPS with app visibility & control; consolidation of IPS & URL filtering
• Firewall replacement: firewall replacement with app visibility & control; firewall + IPS; firewall + IPS + URL filtering
• Ultimate segmentation (Datacenter 1 / Datacenter 2; Segments A, B, C): controls applications & users for datacenter resource access; IPS with app visibility & content control
Palo Alto Networks Next-Gen Firewalls

Model    Firewall  Threat prevention  Sessions    Interfaces
PA-500   250 Mbps  100 Mbps           50,000      8 copper gigabit
PA-2020  500 Mbps  200 Mbps           125,000     2 SFP, 12 copper gigabit
PA-2050  1 Gbps    500 Mbps           250,000     4 SFP, 16 copper gigabit
PA-4020  2 Gbps    2 Gbps             500,000     8 SFP, 16 copper gigabit
PA-4050  10 Gbps   5 Gbps             2,000,000   8 SFP, 16 copper gigabit
PA-4060  10 Gbps   5 Gbps             2,000,000   4 XFP (10 Gig), 4 SFP (1 Gig)
PA-5020  5 Gbps    2 Gbps             1,000,000   8 SFP, 12 copper gigabit
PA-5050  10 Gbps   5 Gbps             2,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5060  20 Gbps   10 Gbps            4,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
Thank You
Zion Ezra, VP Sales
POC and AVR Report
AVR (Application Visibility and Risk) Report: sample report pages
UTM Is Still Sprawl... Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Applications Have Changed; Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines the trust boundary
• BUT... applications have changed (collaboration, media, SaaS, personal)
- Ports ≠ Applications
- IP addresses ≠ Users
- Packets ≠ Content
• Need to restore visibility and control in the firewall
Exploit protection
• Many months pass between black-hat discovery, white-hat discovery and protection becoming available
• Need to protect all applications
• A sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
exploits come in thru many applications
copy 2009 Palo Alto Networks Proprietary and Confidential Page 16 | copy 2009 Palo Alto Networks Proprietary and Confidential Page 16 |
Application Control Efforts are Failing
• Palo Alto Networks' Application Usage & Risk Report highlights the actual behavior of 900,000 users across more than 60 organizations
  - Applications are built for accessibility
  - Tools that enable users to circumvent security are common
  - File sharing usage (P2P and browser-based) is rampant
  - Controls are failing: all had firewalls, many had IPS, proxies & URL filtering
Applications carry risks: business continuity, data loss, compliance, productivity and operations costs
Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks' latest Application Usage & Risk Report highlights the actual behavior of 1M+ users in 1253 organizations
  - More Enterprise 2.0 application use, for personal and business reasons
  - Tunneling and port hopping are common
  - Bottom line: all had firewalls, most had IPS, proxies & URL filtering, but none of these organizations could control what applications ran on their networks
[Chart: percentage of organizations (0-80%) in which each application was found: RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge, Gpass]
• Remote Access
  - 27 variants, found 95% of the time
• External Proxies
  - 22 variants, found 76% of the time
• Encrypted Tunnels
  - Non-VPN related, found 30% of the time
Users Will Find A Way...
Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010
From the News
Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on
[Diagram: port traffic enters a port-based firewall (port policy decision), then a separate IPS (app control policy decision)]
• Port-based FW + App Ctrl (IPS) = two policies
• Applications are treated as threats: you only block what you expressly look for
Implications
• Network access decision is made with no information
• Cannot safely enable applications
NGFW Application Control
[Diagram: application traffic enters a single firewall/IPS (app control policy decision, scan application for threats)]
• Application control is in the firewall = single policy
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
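The two decision models above, as an added example that is not from the original deck or from Palo Alto Networks: a port-based verdict beside an application-identity verdict on a few constructed flows. The classifier `identify_app()` is an assumed stand-in that recognises a handful of protocol preambles (it is not App-ID), and the rule table keyed on application and user group is likewise constructed.

```python
# Added example, not code from the original deck or from Palo Alto Networks.
# It contrasts a port-based policy decision with an application-identity decision
# on constructed flows. identify_app() is a tiny stand-in that recognises a few
# protocol preambles; it is not App-ID, only an illustration of the idea that the
# verdict should come from what the traffic is, not from the port it uses.

# Constructed flow records: (flow id, source user group, destination port,
# first bytes of the client payload).
FLOWS = [
    ("tls-443",   "employees", 443,   b"\x16\x03\x01\x00\xc8\x01\x00\x00"),
    ("ssh-443",   "employees", 443,   b"SSH-2.0-OpenSSH_5.3\r\n"),
    ("ssh-admin", "it-admins", 443,   b"SSH-2.0-OpenSSH_5.3\r\n"),
    ("rdp-80",    "employees", 80,    b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00"),
    ("http-80",   "employees", 80,    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    ("smb-high",  "employees", 49157, b"\x00\x00\x00\x2f\xffSMB\x72\x00\x00\x00\x00"),
]

# Port-based firewall: the only information available is the destination port.
PORT_POLICY = {80: "allow", 443: "allow"}   # everything else is denied

def port_decision(port: int) -> str:
    return PORT_POLICY.get(port, "deny")

def identify_app(payload: bytes) -> str:
    """Classify a flow from its first client bytes, ignoring the port."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload[:2] == b"\x16\x03":                      # TLS handshake record
        return "ssl"
    if payload[:2] == b"\x03\x00" and len(payload) > 5 and payload[5] == 0xE0:
        return "ms-rdp"                                  # TPKT + X.224 connection request
    if payload[4:8] == b"\xffSMB":                       # NetBIOS session header + SMB magic
        return "smb"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "web-browsing"
    return "unknown"

# Single application-aware policy, matched top-down on (application, user group).
# "*" matches any group. Traffic matching no rule, including unknown, is denied.
APP_POLICY = [
    ("web-browsing", "*",         "allow"),
    ("ssl",          "*",         "allow"),
    ("ssh",          "it-admins", "allow"),   # SSH only for authorized staff
    ("ms-rdp",       "it-admins", "allow"),   # RDP only for authorized staff
]

def app_decision(app: str, group: str) -> str:
    for rule_app, rule_group, verdict in APP_POLICY:
        if rule_app == app and rule_group in ("*", group):
            return verdict
    return "deny"

def compare(flows):
    """Return {flow id: (port-based verdict, identified app, app-based verdict)}."""
    result = {}
    for fid, group, port, payload in flows:
        app = identify_app(payload)
        result[fid] = (port_decision(port), app, app_decision(app, group))
    return result

if __name__ == "__main__":
    for fid, (by_port, app, by_app) in compare(FLOWS).items():
        flag = "  <-- port policy decides with no information" if by_port != by_app else ""
        print(f"{fid:10s} port:{by_port:5s} app:{app:13s} app-policy:{by_app}{flag}")
```

The port-based verdict allows SSH and RDP hopping onto 443 and 80 because the port is all it sees; the single application-aware policy still allows SSH, but only for the authorized group.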
HTTP: The Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%); proxies cannot deal with it
• Browser-based applications are 46%; some work with proxies and some don't
• Web browsing is 23%
[Chart: All HTTP Applications, split into Web Browsing and Browser-based Applications]
Application Control vs Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
  - Enhancing productivity
  - Giving competitive advantage to the business
• It's all about visibility and control
  - Who is using what
  - Control and secure modern applications
  - Control feature use
Palo Alto - Next Generation FW
New Requirements for the Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access and functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility: App-ID identifies and controls 1300+ applications
Integrated Rather Than Co-Located IPS: Content-ID includes a full IPS without compromising performance
Extra-Firewall Intelligence to Identify Users: User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities: packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
Support for "bump in the wire" deployments
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers.
Gartner's Recommendation: "Move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS or the combination of the two."
Unique Technologies Transform the Firewall
App-ID: identify the application
User-ID: identify the user
Content-ID: scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of more than 1200 applications, distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5-10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
  - Leverage existing Active Directory infrastructure without a complex agent rollout
  - Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user, application and threat behavior based on the actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
  - Uniform signature engine scans for a broad range of threats in a single pass
  - Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
  - Looks for CC and SSN patterns
  - Looks into the file to determine its type, not extension based
• Web filtering enabled via a fully integrated URL database
  - Local 20M URL database (76 categories) maximizes performance (1000's of URLs/sec)
  - Dynamic DB adapts to local, regional or industry-focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work related web surfing
• NSS Labs, the world's largest security and performance testing lab, has recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. Our solution was tested against 1179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided hard proof of what our next-generation firewalls can really do. Key results include:
  • The highest IPS block rate in recent history (93.4%)
  • 100% resistance to IPS evasion techniques
  • Simple IPS configuration and tuning
  • Provided all the above while exceeding the datasheet performance metrics by 115%
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
  - NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
  - The only IPS that catches threats on non-standard ports
  - Scan inbound and outbound SSL (decrypted) and compressed traffic
  - Assure only authorized applications are using network resources
  - Allow SSH/RDP, but only for authorized staff
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning: threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, Low Latency
PA-5000 Series Architecture
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual solid-state drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Diagram: control plane (quad-core CPU, RAM, dual SSD) linked to the data plane; data plane = network processor (QoS, flow control, route/ARP/MAC lookup, NAT), switch fabric, and three security processor groups each with 12 CPU cores, RAM, signature match and SSL/IPSec/de-compress engines; 20 Gbps front-end and 10 Gbps internal links]
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 million concurrent sessions
Traditional Multi-Pass Architectures are Slow
[Diagram: traffic passes serially through four separate devices (firewall, proxy, IPS, AV), each with its own port/protocol-based ID, L2/L3 networking, HA, config management and reporting, and its own policy: firewall policy, HTTP decoder with URL filtering policy, IPS decoder with IPS signatures and IPS policy, AV decoder with AV signatures and AV policy]
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory, or by IP address
Palo Alto - Network Sniffer
Visibility into Applications, Users & Content
[Screenshot: user hzielinski, filter on Skype; remove Skype to expand the view of hzielinski]
Palo Alto - Rich Reports
Demo (offline) - Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
  - Dynamic routing (OSPF, RIPv2)
  - Site-to-site IPSec VPN
  - SSL VPN for remote access
  - Tap mode: connect to a SPAN port
  - Virtual wire ("Layer 1") for true transparent in-line deployment
  - L2/L3 switching foundation
• QoS traffic shaping: max/guaranteed and priority
  - By user, app, interface, zone and more
• Zone-based architecture
  - All interfaces assigned to security zones for policy enforcement
• High Availability
  - Active/Active
  - Configuration and session synchronization
  - Path, link and HA monitoring
• Virtual Systems
  - Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
Models: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
  - CLI, Web, Panorama, SNMP, Syslog
  - Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
  - Shared policies enable consistent application control policies
  - Consolidated management, logging and monitoring of Palo Alto Networks devices
  - Consistent web interface between Panorama and the device UI
  - Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
NGFW for Mobile Devices
Today: Quality of Security Tied to Location
Enterprise Network Security
• Security based on best practices
• Full-featured NGFW and threat prevention
No Network Security
• Security based on best effort
• Exposed to threats, risky app usage and more
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
  - Small agent determines network location (on or off the enterprise network)
  - If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
  - Agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
  - Gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
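The four "How it works" steps above, as an added example that is not from the original deck or from Palo Alto Networks' GlobalProtect: an agent-side location check and gateway choice, a submitted host information profile, and one gateway policy over user group, application and profile. Gateways, users, profile fields and rules are all constructed for the example.

```python
# Added example, not code from the original deck or from Palo Alto Networks'
# GlobalProtect. It models the four "How it works" steps: the agent checks whether
# it is on the enterprise network, off-network it connects to the nearest gateway
# and submits a host information profile (HIP), and the gateway applies one policy
# over user group (User-ID), application (App-ID) and the HIP. Gateways, users,
# HIP fields and rules are constructed for the example.
from dataclasses import dataclass

# Constructed gateway inventory: name -> measured round-trip time in milliseconds.
GATEWAYS = {"gw-frankfurt": 18.0, "gw-london": 31.5, "gw-newyork": 97.2}

@dataclass
class HostInfo:
    """The host information profile the agent submits (constructed fields)."""
    user: str
    group: str
    disk_encrypted: bool
    patch_age_days: int
    asset_type: str   # "corporate" or "byod"

def determine_location(internal_probe_reachable: bool) -> str:
    """Step 1: the agent probes an internal-only resource; the probe result is passed in."""
    return "on-network" if internal_probe_reachable else "off-network"

def pick_gateway(rtts: dict) -> str:
    """Step 2: an off-network laptop is sent to the nearest (lowest-latency) gateway."""
    return min(rtts, key=rtts.get)

def hip_matches(requirements: dict, hip: HostInfo) -> bool:
    """Step 3 check: does the submitted profile satisfy a rule's HIP requirements?"""
    if requirements.get("disk_encrypted") and not hip.disk_encrypted:
        return False
    max_age = requirements.get("max_patch_age_days")
    if max_age is not None and hip.patch_age_days > max_age:
        return False
    asset = requirements.get("asset_type")
    if asset is not None and hip.asset_type != asset:
        return False
    return True

# Step 4: a single policy, matched top-down. "*" matches any group; traffic that
# matches no rule is denied, so a non-compliant host falls through to deny.
POLICY = [
    # (application, user group, HIP requirements, verdict)
    ("web-browsing", "*",         {},                                                  "allow"),
    ("sharepoint",   "employees", {"disk_encrypted": True, "max_patch_age_days": 30},  "allow"),
    ("ms-rdp",       "it-admins", {"disk_encrypted": True, "asset_type": "corporate"}, "allow"),
]

def gateway_decision(app: str, hip: HostInfo) -> str:
    for rule_app, rule_group, requirements, verdict in POLICY:
        if rule_app == app and rule_group in ("*", hip.group) and hip_matches(requirements, hip):
            return verdict
    return "deny"

def session(hip: HostInfo, internal_probe_reachable: bool, app: str) -> tuple:
    """Run the whole flow; returns (location, enforcement point, verdict).
    The same policy applies on- and off-network; only the enforcement point differs."""
    location = determine_location(internal_probe_reachable)
    gateway = "internal-gateway" if location == "on-network" else pick_gateway(GATEWAYS)
    return location, gateway, gateway_decision(app, hip)

if __name__ == "__main__":
    alice = HostInfo("alice", "employees", True, 5, "corporate")
    bob = HostInfo("bob", "employees", False, 60, "byod")
    for hip, app in ((alice, "sharepoint"), (bob, "sharepoint"), (bob, "web-browsing")):
        print(hip.user, app, session(hip, False, app))
```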
Zero Day Attack Protection: a sandbox at the core
Flexible Deployment Options
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate Segmentation
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
[Diagram: Datacenter 1 and Datacenter 2, with Segments A, B and C]
Palo Alto Networks Next-Gen Firewalls
PA-4050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 8 SFP, 16 copper gigabit
PA-4020: 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions; 8 SFP, 16 copper gigabit
PA-4060: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050: 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions; 4 SFP, 16 copper gigabit
PA-2020: 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions; 2 SFP, 12 copper gigabit
PA-500: 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions; 8 copper gigabit
PA-5050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020: 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions; 8 SFP, 12 copper gigabit
PA-5060: 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You
Zion Ezra, VP Sales
POC and AVR Report
AVR Report
[Diagram: Internet]
UTM Is Still Sprawl... Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Applications Have Changed - Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
  - Sees all traffic
  - Defines the trust boundary
• BUT... Applications Have Changed (collaboration, media, SaaS, personal)
  - Ports ≠ Applications
  - IP Addresses ≠ Users
  - Packets ≠ Content
• Need to Restore Visibility and Control in the Firewall
Exploit Protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Need to perform across all applications
• Need to block the unknown
Conclusion: advanced-malware protection belongs in a next generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach: extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Diagram: same control plane / data plane layout as the PA-5000 Series Architecture slide (quad-core CPU, RAM, dual HDD; network processor with QoS, flow control, route/ARP/MAC lookup, NAT; switch fabric; three security processor groups with signature match and SSL/IPSec/de-compress engines; 20 Gbps and 10 Gbps links)]
NGFW for Mobile Devices
Source: Gartner (as of March 2010)
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions...
[Diagram: RPC, SMB, SQL, SharePoint and NetBIOS spread across ports 135, 137, 139, 80 and 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5050
• 10 Gbps FW
• 5 Gbps threat prevention
• 4 Gbps IPSec VPN
• 10,000 SSL VPN users
• 2,000,000 sessions
• Up to 125 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5020
• 5 Gbps FW
• 2 Gbps threat prevention
• 2 Gbps IPSec VPN
• 5,000 SSL VPN users
• 1,000,000 sessions
• Up to 20 VSYS
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5060
• 20 Gbps FW
• 10 Gbps threat prevention
• 4 Gbps IPSec VPN
• 20,000 SSL VPN users
• 4,000,000 sessions
• Up to 225 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5000 Series (all models)
• Hot swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
  - Stop a wide range of threats on all allowed traffic
  - Proven quality (NSS tested and "Recommended")
  - Security by policy, not hardwired into the deployment
• Comply and Compartmentalize
  - Save time and cost to compliance with network segmentation
  - Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
  - With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
  - With simpler, easier deployments
  - With reduced network security rack space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates; operational and management overhead
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
copy 2009 Palo Alto Networks Proprietary and Confidential Page 16 | copy 2009 Palo Alto Networks Proprietary and Confidential Page 16 |
Application Control Efforts are Failing bull Palo Alto Networksrsquo Application Usage amp Risk Report highlights actual behavior of
900000 users across more than 60 organizations
- Applications are built for accessibility
- Tools that enable users to circumvent security are common
- File sharing usage ndash P2P and browser-based ndash is rampant
- Controls are failing ndash All had Firewalls many had IPS proxies amp URL filtering
Applications carry risks business continuity data loss compliance productivity and operations costs
Enterprise 20 Applications and Risks Widespread
copy 2011 Palo Alto Networks Proprietary and Confidential Page 17 |
Palo Alto Networksrsquo latest Application Usage amp Risk Report highlights actual behavior of 1M+ users in 1253 organizations
- More enterprise 20 application use for personal and business reasons
- Tunneling and port hopping are common
- Bottom line all had firewalls most had IPS proxies amp URL filtering ndash but none of these organizations could control what applications ran on their networks
3
3
9
13
15
14
15
27
30
30
42
53
62
76
80
00 20 40 60 80
RDP
SSH
telnet
LogM eIn
Team Viewer
CGIProxy
PHProxy
CoralCDN
FreeGate
Glype Proxy
Tor
Ham achi
UltraSurf
Gbridge
Gpass
bull Remote Access
- 27 variants found 95 of the time
bull External Proxies
- 22 variants found 76 of the time
bull Encrypted Tunnels
- Non-VPN related ndash found 30 of the time
Users Will Find A Wayhellip
Source Palo Alto Networks Application Usage and Risk Report
Spring 2010
copy 2008 Palo Alto Networks Proprietary and Confidential Page 20 |
From The news
Why Visibility amp Control Must Be In The Firewall
copy 2011 Palo Alto Networks Proprietary and Confidential Page 21 |
bullPort Policy Decision
bullApp Ctrl Policy Decision
Application Control as an Add-on
bull Port-based FW + App Ctrl (IPS) = two policies
bull Applications are threats only block what you expressly look for
Implications
bull Network access decision is made with no information
bull Cannot safely enable applications
IPS
Applications
Firewall
Port Traffic
Firewall IPS
bullApp Ctrl Policy Decision
bullScan Application for Threats
Applications
Application Traffic
NGFW Application Control
bull Application control is in the firewall = single policy
bull Visibility across all ports for all traffic all the time
Implications
bull Network access decision is made based on application identity
bull Safely enable application usage
copy 2008 Palo Alto Networks Proprietary and Confidential Page 22 |
HTTP Universal Application Protocol
bull HTTP is 64 of enterprise bandwidth
bull Most HTTP traffic is clientserver (54) ndash proxies cannot deal with it
bull Browser-based applications are 46 - some work with proxies and some donrsquot
bull Web browsing is 23
All HTTP Applications
Web Browsing
Browser-based Applications
Application Control vs Blocking
bull Blocking applications even if possible is not the answer
bull Yes there are harmful applications that need to be blocked
bull Many ldquoWeb 20rdquo applications are useful
- Enhancing productivity
- Giving competitive advantage to the business
bull Itrsquos all about visibility and control
- Who is using what
- Control and secure modern applications
- Control features use
Palo Alto
Palo Alto ndash Next Generation FW
copy 2008 Palo Alto Networks Proprietary and Confidential Page 24 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 25 |
New Requirements for Security Device
1 Identify applications regardless of port protocol evasive tactic or SSL
2 Identify users regardless of IP address
3 Granular visibility and policy control over application access functionality
4 Protect in real-time against threats embedded across applications
5 Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
copy 2009 Palo Alto Networks Proprietary and Confidential Page 26 |
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility
App-ID Identifies and controls 1300+ applications
Integrated Rather Than Co-Located IPS
Content-ID includes full IPS without compromising performance
Extra-Firewall Intelligence to Identify Users
User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities
Packet filtering state flexible NAT IPSec SSL VPNs etc
Support ldquobump in the wirerdquo Deployments
In ldquoDefining the Next-Generation Firewallrdquo
Gartner describes what Palo Alto Networks already delivers
Gartnerrsquos Recommendations
Move to next-generation firewalls at the next refresh
opportunity ndash whether for firewall IPS or the
combination of the two
copy 2008 Palo Alto Networks Proprietary and Confidential Page 28 |
Unique Technologies Transform the Firewall
App-ID
Identify the application
User-ID
Identify the user
Content-ID
Scan the content
copy 2008 Palo Alto Networks Proprietary and Confidential Page 29 |
App-ID Comprehensive Application Visibility
bull Policy-based control more than 1200+ applications distributed across five categories and 25 sub-categories
bull Balanced mix of business internet and networking applications and networking protocols
bull ~ 5 - 10 new applications added weekly
copy 2009 Palo Alto Networks Proprietary and Confidential Page 30 |
User-ID Enterprise Directory Integration
bull Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group not just the IP address
bull Understand user application and threat behavior based on actual AD username not just IP
bull Manage and enforce policy based on user andor AD group
bull Investigate security incidents generate custom reports
copy 2009 Palo Alto Networks Proprietary and Confidential Page 31 |
Content-ID Real-Time Content Scanning
bull Stream-based not file-based for real-time performance
- Uniform signature engine scans for broad range of threats in single pass
- Vulnerability exploits (IPS) viruses and spyware (both downloads and phone-home)
bull Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into file to determine type ndash not extension based
bull Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000rsquos URLssec)
- Dynamic DB adapts to local regional or industry focused surfing patterns
Detect and block a wide range of threats limit unauthorized data transfer and control non-work related web surfing
copy 2008 Palo Alto Networks Proprietary and Confidential Page 32 |
bullNSS Labs the worldrsquos largest security and performance testing lab have recently
completed in-depth IPS testing of the Palo Alto Networksrsquo next-gen firewall Our solution
was tested against 1179 live exploits in what was the industrys most comprehensive IPS
test to date The results were crystal clear and provided the hard proof of what our next-
generation firewalls can really do Key results include
bullbull The highest IPS block rate in recent history (934)
bull 100 resistance to IPS evasion techniques
bull Simple IPS configuration and tuning
bull Provided all the above while exceeding the datasheet performance metrics by 115
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 33 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, low latency
PA-5000 Series Architecture
Switch Fabric
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High-density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High-speed logging and route update
• Dual solid-state drives
Network Processor
• 20 Gbps front-end network processing
• Hardware-accelerated per-packet route lookup, MAC lookup and NAT
[Block diagram: 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT) into the data-plane switch fabric, with 10 Gbps links to the signature match engines and to security processors (quad-core CPUs with RAM plus SSL/IPSec/decompression offload); separate control plane with quad-core CPU, RAM and dual SSDs]
• 40+ processors
• 30+ GB of RAM
• Separate high-speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 million concurrent sessions
Traditional Multi-Pass Architectures are Slow
[Diagram: four chained devices, each with its own port/protocol-based ID, L2/L3 networking, HA, config management and reporting: Firewall Policy; HTTP Decoder with URL Filtering Policy; IPS Decoder with IPS Signatures and IPS Policy; AV Decoder & Proxy with AV Signatures and AV Policy]
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto – Network Sniffer
Visibility into Applications, Users & Content
[Screenshot: user hzielinski, filtered on Skype; removing the Skype filter expands the view of hzielinski]
Palo Alto – Rich reports
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode – connect to SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping – max/guaranteed and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active/Active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features.
Models: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
Zero-Day Attack Protection
• A sandbox at the core
Flexible Deployment Options
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate Segmentation (Datacenter 1 / Datacenter 2; Segments A, B, C)
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks Next-Gen Firewalls
PA-4050 • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions • 8 SFP, 16 copper gigabit
PA-4020 • 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions • 8 SFP, 16 copper gigabit
PA-4060 • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions • 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050 • 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions • 4 SFP, 16 copper gigabit
PA-2020 • 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions • 2 SFP, 12 copper gigabit
PA-500 • 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions • 8 copper gigabit
PA-5050 • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions • 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020 • 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions • 8 SFP, 12 copper gigabit
PA-5060 • 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions • 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You – Zion Ezra, VP Sales
POC and AVR Report
AVR Report
UTM Is Still Sprawl... Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have limited view of traffic
• Turning on functions kills performance
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
• Need to restore visibility and control in the firewall
• BUT... applications have changed (collaboration, media, SaaS, personal)
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Exploit Protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Need to perform across all applications
• Need to block the unknown
Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
Source: Gartner (March 2010)
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions...
[Diagram: applications such as RPC, SMS, SQL, SharePoint, SMB and NetBIOS spread across port 135, port 137, port 80, port 139, port 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports – fundamentally breaking port-based network security.
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5050
• 10 Gbps FW
• 5 Gbps threat prevention
• 4 Gbps IPSec VPN
• 10,000 SSL VPN users
• 2,000,000 sessions
• Up to 125 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5020
• 5 Gbps FW
• 2 Gbps threat prevention
• 2 Gbps IPSec VPN
• 5,000 SSL VPN users
• 1,000,000 sessions
• Up to 20 VSYS
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5060
• 20 Gbps FW
• 10 Gbps threat prevention
• 4 Gbps IPSec VPN
• 20,000 SSL VPN users
• 4,000,000 sessions
• Up to 225 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5000 Series chassis
• Hot-swappable fans, power supplies
• Dual solid-state hard drives
• Dedicated HA and management interfaces
• 2U standard rack-mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
Enterprise Network Security
• Security based on best practices
• Full-featured NGFW and threat prevention
No Network Security
• Security based on best effort
• Exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates; operational and management overhead
Introducing GlobalProtect
• Users never go "off-network" regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram labels: malware, botnets, exploits]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks' latest Application Usage & Risk Report highlights actual behavior of 1M+ users in 1,253 organizations
- More enterprise 2.0 application use for personal and business reasons
- Tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies & URL filtering – but none of these organizations could control what applications ran on their networks
[Bar chart, frequency found 0%–80%: RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge, Gpass]
• Remote Access
- 27 variants, found 95% of the time
• External Proxies
- 22 variants, found 76% of the time
• Encrypted Tunnels
- Non-VPN related – found 30% of the time
Users Will Find A Way...
Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010
From the news
Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on
[Diagram: port traffic → Firewall (port policy decision) → IPS (app control policy decision) → applications]
• Port-based FW + App Ctrl (IPS) = two policies
• Applications are threats: only block what you expressly look for
Implications
• Network access decision is made with no information
• Cannot safely enable applications
NGFW Application Control
[Diagram: application traffic → Firewall + IPS (app control policy decision, scan application for threats) → applications]
• Application control is in the firewall = single policy
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
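As an added illustration (not code from the deck or from Palo Alto Networks), this Python model puts the two decision paths on the slide side by side: one rule set evaluated once with a port-table lookup and once with a payload-based classifier standing in for App-ID, with user-group and host-profile conditions standing in for User-ID and the GlobalProtect host information profile described earlier. The signatures, rule names, users, groups and profile fields are constructed assumptions.

```python
"""Port-based vs. application-based firewall policy decision (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed payload checks for a handful of protocols (toy stand-in for App-ID).
SIGNATURES: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    # TLS record header: content type 0x16 (handshake), version major byte 0x03.
    ("ssl", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("web-browsing", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD")
     and b" HTTP/" in p),
]

# Legacy assumption: the destination port tells you the application.
PORT_TABLE: Dict[int, str] = {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "ms-rdp"}


@dataclass
class Flow:
    user: str
    groups: FrozenSet[str]      # directory groups (User-ID stand-in)
    dst_port: int
    payload: bytes              # first bytes sent by the client
    hip: Dict[str, object]      # host information profile fields (constructed)


def port_based_id(flow: Flow) -> str:
    """Legacy classification: trust the destination port."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def app_id(flow: Flow) -> str:
    """Content classification: match the payload, ignore the port."""
    for name, matches in SIGNATURES:
        if matches(flow.payload):
            return name
    return "unknown-tcp"


@dataclass
class Rule:
    name: str
    apps: FrozenSet[str]
    groups: Optional[FrozenSet[str]] = None          # None: any user
    action: str = "allow"
    require_hip: Dict[str, object] = field(default_factory=dict)


# Positive enforcement model: only what is expressly allowed passes; everything
# else falls through to the implicit deny at the end of evaluate().
RULES: List[Rule] = [
    Rule("admin-remote-access", frozenset({"ssh", "ms-rdp"}),
         groups=frozenset({"it-admins"}),
         require_hip={"disk_encryption": True, "asset_type": "corporate"}),
    Rule("general-web", frozenset({"web-browsing", "ssl"})),
    Rule("block-p2p", frozenset({"bittorrent"}), action="deny"),
]


def evaluate(flow: Flow, classify: Callable[[Flow], str]) -> Tuple[str, str, str]:
    """Return (matched rule, action, application) for the first rule that matches."""
    app = classify(flow)
    for rule in RULES:
        if app not in rule.apps:
            continue
        if rule.groups is not None and not (flow.groups & rule.groups):
            continue
        if any(flow.hip.get(k) != v for k, v in rule.require_hip.items()):
            continue
        return rule.name, rule.action, app
    return "implicit-deny", "deny", app


# Constructed sample flows: same rule set, two classifiers, different outcomes.
CORP_HIP = {"disk_encryption": True, "asset_type": "corporate"}
SSH_ON_443 = Flow("jdoe", frozenset({"sales"}), 443, b"SSH-2.0-OpenSSH_7.4\r\n", CORP_HIP)
TORRENT_ON_80 = Flow("jdoe", frozenset({"sales"}), 80, b"\x13BitTorrent protocol" + bytes(8), {})
ADMIN_SSH = Flow("admin1", frozenset({"it-admins"}), 22, b"SSH-2.0-OpenSSH_7.4\r\n", CORP_HIP)
ADMIN_SSH_NO_FDE = Flow("admin1", frozenset({"it-admins"}), 22, b"SSH-2.0-OpenSSH_7.4\r\n",
                        {"disk_encryption": False, "asset_type": "corporate"})
TLS_ON_443 = Flow("jdoe", frozenset({"sales"}), 443, bytes([0x16, 0x03, 0x01, 0x00, 0xA5, 0x01]), {})

if __name__ == "__main__":
    samples = [("ssh-on-443", SSH_ON_443), ("torrent-on-80", TORRENT_ON_80),
               ("admin-ssh", ADMIN_SSH), ("admin-ssh-no-fde", ADMIN_SSH_NO_FDE),
               ("tls-on-443", TLS_ON_443)]
    for label, flow in samples:
        print(f"{label:17} port-based: {evaluate(flow, port_based_id)}"
              f"  app-based: {evaluate(flow, app_id)}")
```

The port-based path allows the SSH session on 443 and the BitTorrent handshake on 80 as "ssl" and "web-browsing"; the content-based path denies both, and the host-profile condition denies the admin's SSH from an unencrypted laptop even though user and application match.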
HTTP: Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%) – proxies cannot deal with it
• Browser-based applications are 46% – some work with proxies and some don't
• Web browsing is 23%
[Chart: All HTTP Applications, split into Web Browsing and Browser-based Applications]
Application Control vs. Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
- Enhancing productivity
- Giving competitive advantage to the business
• It's all about visibility and control
- Who is using what
- Control and secure modern applications
- Control feature use
Palo Alto – Next Generation FW
New Requirements for a Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access / functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility
- App-ID identifies and controls 1300+ applications
Integrated Rather Than Co-Located IPS
- Content-ID includes full IPS without compromising performance
Extra-Firewall Intelligence to Identify Users
- User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities
- Packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
Support for "bump in the wire" Deployments
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers.
Gartner's recommendation: "Move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS or the combination of the two"
Unique Technologies Transform the Firewall
App-ID: Identify the application
User-ID: Identify the user
Content-ID: Scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of more than 1200 applications distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5–10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
copy 2009 Palo Alto Networks Proprietary and Confidential Page 31 |
Content-ID Real-Time Content Scanning
bull Stream-based not file-based for real-time performance
- Uniform signature engine scans for broad range of threats in single pass
- Vulnerability exploits (IPS) viruses and spyware (both downloads and phone-home)
bull Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into file to determine type ndash not extension based
bull Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000rsquos URLssec)
- Dynamic DB adapts to local regional or industry focused surfing patterns
Detect and block a wide range of threats limit unauthorized data transfer and control non-work related web surfing
copy 2008 Palo Alto Networks Proprietary and Confidential Page 32 |
bullNSS Labs the worldrsquos largest security and performance testing lab have recently
completed in-depth IPS testing of the Palo Alto Networksrsquo next-gen firewall Our solution
was tested against 1179 live exploits in what was the industrys most comprehensive IPS
test to date The results were crystal clear and provided the hard proof of what our next-
generation firewalls can really do Key results include
bullbull The highest IPS block rate in recent history (934)
bull 100 resistance to IPS evasion techniques
bull Simple IPS configuration and tuning
bull Provided all the above while exceeding the datasheet performance metrics by 115
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 33 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2009 Palo Alto Networks Proprietary and Confidential Page 34 |
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
bull Operations once per packet
- Traffic classification (app identification)
- Usergroup mapping
- Content scanning ndash threats URLs confidential data
bull One policy
Parallel Processing
bull Function-specific hardware engines
bull Separate datacontrol planes
Up to 10Gbps Low Latency
copy 2011 Palo Alto Networks Proprietary and Confidential
PA-5000 Series Architecture
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual solid-state drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow
control
Route ARP MAC
lookup
NAT Switch
Fabric
Signature Match
Signature Match
SSL IPSec De-
Compress SSL IPSec
De-Compress
SSL IPSec De-
Compress
Quad-core
CPU CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
RAM
RAM
SSD
SSD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
bull 40+ processors
bull 30+ GB of RAM
bull Separate high speed data and control planes
bull 20 Gbps firewall throughput
bull 10 Gbps threat prevention throughput
bull 4 Million concurrent sessions
Page 35 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 36 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 37 |
Powerful Policy-Based Control
bull Browse more than 1300 applications based on name category technology or characteristic
bull Immediately translate results into positive enforcement model firewall rules
bull Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto
Palo Alto ndash Network Sniffer
copy 2008 Palo Alto Networks Proprietary and Confidential Page 38 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 39 |
Visibility into Applications Users amp Content
User hzielinski Filter on Skype
Remove Skype to expand view of hzielinski
Palo Alto
Palo Alto ndash Rich reports
copy 2008 Palo Alto Networks Proprietary and Confidential Page 40 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 41 |
Demo (offline) ndash Traffic Log
copy 2008 Palo Alto Networks Proprietary and Confidential Page 42 |
Enables Executive Visibility
copy 2009 Palo Alto Networks Proprietary and Confidential Page 43 |
PAN-OS Features
bull Strong networking foundation
- Dynamic routing (OSPF RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode ndash connect to SPAN port
- Virtual wire (ldquoLayer 1rdquo) for true transparent in-line deployment
- L2L3 switching foundation
bull QoS traffic shaping - Maxguaranteed and priority
- By user app interface zone and more
bull Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
bull High Availability
- Active Active
- Configuration and session synchronization
- Path link and HA monitoring
bull Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
bull Simple flexible management
- CLI Web Panorama SNMP Syslog
Visibility and control of applications users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
bull Intuitive and flexible management
- CLI Web Panorama SNMP Syslog
- Role-based administration enables delegation of tasks to appropriate person
bull Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACCmonitoring views log collection and reporting
bull All interfaces work on current configuration avoiding sync issues
NGFW for mobile devices
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You – Zion Ezra, VP Sales
POC and AVR Report
AVR Report
AVR Report
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have limited view of traffic
• Turning on functions kills performance
Traditional Multi-Pass Architectures are Slow
(Diagram: four chained devices, each with its own port/protocol-based ID, L2/L3 networking, HA, config management and reporting: firewall policy; HTTP decoder with URL filtering policy; IPS decoder with IPS signatures and IPS policy; AV decoder & proxy with AV signatures and AV policy)
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
• Need to Restore Visibility and Control in the Firewall
(Application categories: Collaboration, Media, SaaS, Personal)
• BUT… Applications Have Changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Exploit protection
- Many months pass between black-hat discovery, white-hat discovery and protection being available
- Need to protect all applications
- A sandbox at the core
- Needs user-based access control
- Needs high-speed IPS and AV
- Need to perform across all applications
- Need to block the unknown
- Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO: httpsca2demopaloaltonetworkscomesploginesp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach: extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
(Architecture diagram; component labels follow)
Data Plane Switch Fabric
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform sig match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available mgmt
• High speed logging and route update
• Dual hard drives
Network Processor (20 Gbps)
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
(Diagram blocks: network processor with QoS, flow control, route/ARP/MAC lookup and NAT; switch fabric; 10 Gbps paths to signature match engines and SSL/IPSec/de-compress security processors with their CPUs and RAM; quad-core control-plane CPU with RAM and dual HDDs)
NGFW for mobile devices
Source: Gartner (March 2010). As of March 2010
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
(Diagram: RPC, SMS, SQL, SharePoint, SMB and NetBIOS spread across ports 135, 137, 139, 80 and 443, plus random high ports)
Applications employ dynamic, random and heavily-used ports - fundamentally breaking port-based network security
Palo Alto Networks: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5050
• 10 Gbps FW
• 5 Gbps threat prevention
• 4 Gbps IPSec VPN
• 10,000 SSL VPN Users
• 2,000,000 sessions
• Up to 125 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5020
• 5 Gbps FW
• 2 Gbps threat prevention
• 2 Gbps IPSec VPN
• 5,000 SSL VPN Users
• 1,000,000 sessions
• Up to 20 VSYS
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5060
• 20 Gbps FW
• 10 Gbps threat prevention
• 4 Gbps IPSec VPN
• 20,000 SSL VPN Users
• 4,000,000 sessions
• Up to 225 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
• Hot swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
Enterprise Network Security
• Security Based on Best-Practices
• Full-Featured NGFW and Threat Prevention
No Network Security
• Security Based on Best-Effort
• Exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to cloud-based proxy for scanning and policy enforcement
• Supports limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates, operational and management overhead
Introducing GlobalProtect
• Users never go "off-network" regardless of location
• All firewalls work together to provide "cloud" of network security
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with enterprise directory
- Content-ID: threats, URLs, data
- High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
Users Will Find A Way…
(Bar chart, x-axis 0–80: RDP, SSH, telnet, LogMeIn, TeamViewer, CGIProxy, PHProxy, CoralCDN, FreeGate, Glype Proxy, Tor, Hamachi, UltraSurf, Gbridge, Gpass)
• Remote Access
- 27 variants, found 95% of the time
• External Proxies
- 22 variants, found 76% of the time
• Encrypted Tunnels
- Non-VPN related – found 30% of the time
Source: Palo Alto Networks Application Usage and Risk Report, Spring 2010
From The News
Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on
(Diagram: port traffic → Firewall, port policy decision → IPS, app control policy decision → applications)
• Port-based FW + App Ctrl (IPS) = two policies
• Applications are threats: only block what you expressly look for
Implications
• Network access decision is made with no information
• Cannot safely enable applications
NGFW Application Control
(Diagram: application traffic → Firewall/IPS, app control policy decision and scan application for threats → applications)
• Application control is in the firewall = single policy
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
HTTP: Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%) – proxies cannot deal with it
• Browser-based applications are 46% - some work with proxies and some don't
• Web browsing is 23%
(Chart: All HTTP Applications; Web Browsing; Browser-based Applications)
Application Control vs Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
- Enhancing productivity
- Giving competitive advantage to the business
• It's all about visibility and control
- Who is using what
- Control and secure modern applications
- Control features use
Palo Alto – Next Generation FW
New Requirements for Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access/functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility: App-ID identifies and controls 1300+ applications
Integrated Rather Than Co-Located IPS: Content-ID includes full IPS without compromising performance
Extra-Firewall Intelligence to Identify Users: User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities: packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
Support "bump in the wire" Deployments
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers
Gartner's Recommendations: Move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS or the combination of the two
Unique Technologies Transform the Firewall
App-ID: Identify the application
User-ID: Identify the user
Content-ID: Scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of more than 1200+ applications distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5 - 10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
- Uniform signature engine scans for broad range of threats in single pass
- Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into file to determine type – not extension based
• Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000's of URLs/sec)
- Dynamic DB adapts to local, regional or industry-focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work related web surfing
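A worked illustration of the three Content-ID checks listed above: credit-card and SSN pattern matching, file type taken from content rather than the extension, and stream-based scanning that still catches a number split across two chunks. This is an added example, not Palo Alto Networks code; the regexes, the magic-byte table and the sample text and files are constructed for the demonstration.

```python
"""Content-ID-style checks: stream-based scanning for card numbers and SSNs,
and file-type detection from leading bytes rather than the extension.
Added example, not Palo Alto Networks code; all sample data is constructed."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Dashed US SSN; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

# Leading-byte signatures: the file's real type comes from here, not from its name.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]
# What an extension claims the content should be (docx is a zip container).
CLAIMED = {"exe": "pe-executable", "dll": "pe-executable", "pdf": "pdf", "zip": "zip",
           "docx": "zip", "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Luhn-valid card numbers in text, returned as bare digit strings."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    return [m.group(0) for m in SSN_RE.finditer(text)]


def sniff_file_type(data: bytes) -> str:
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when recognised content contradicts the declared extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed, actual = CLAIMED.get(ext), sniff_file_type(data)
    return claimed is not None and actual != "unknown" and actual != claimed


class StreamScanner:
    """Scans text as it arrives in chunks. A short tail of the previous chunk is
    kept so a number split across two chunks is still matched; matches are
    de-duplicated by value because the tail is scanned twice."""
    TAIL = 32  # longer than any pattern above

    def __init__(self):
        self.carry, self.cards, self.ssns = "", [], []

    def feed(self, chunk: str) -> None:
        buf = self.carry + chunk
        for c in find_card_numbers(buf):
            if c not in self.cards:
                self.cards.append(c)
        for s in find_ssns(buf):
            if s not in self.ssns:
                self.ssns.append(s)
        self.carry = buf[-self.TAIL:]


# Constructed sample: the first card number is cut in half by the chunk boundary,
# the second fails Luhn, the second SSN has an invalid 9xx area number.
SAMPLE_CHUNKS = [
    "Invoice paid with card 4111 1111",
    " 1111 1111, backup 4111 1111 1111 1112. Employee SSN 123-45-6789, ref 987-65-4321.",
]
SAMPLE_FILES = {
    "quarterly.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,  # PE disguised as PDF
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "notes.txt": b"plain text, no signature",
}


def scan_sample() -> dict:
    scanner = StreamScanner()
    for chunk in SAMPLE_CHUNKS:
        scanner.feed(chunk)
    flagged = sorted(n for n, d in SAMPLE_FILES.items() if extension_mismatch(n, d))
    return {"cards": scanner.cards, "ssns": scanner.ssns, "mismatched_files": flagged}
```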
• NSS Labs, the world's largest security and performance testing lab, have recently completed in-depth IPS testing of the Palo Alto Networks' next-gen firewall. Our solution was tested against 1,179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided the hard proof of what our next-generation firewalls can really do. Key results include:
• The highest IPS block rate in recent history (93.4%)
• 100% resistance to IPS evasion techniques
• Simple IPS configuration and tuning
• Provided all the above while exceeding the datasheet performance metrics by 115%
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, Low Latency
PA-5000 Series Architecture
(Architecture diagram; component labels follow)
Data Plane Switch Fabric
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform sig match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available mgmt
• High speed logging and route update
• Dual solid-state drives
Network Processor (20 Gbps)
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
(Diagram blocks: network processor with QoS, flow control, route/ARP/MAC lookup and NAT; switch fabric; 10 Gbps paths to signature match engines and SSL/IPSec/de-compress security processors with their CPUs and RAM; quad-core control-plane CPU with RAM and dual SSDs)
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 Million concurrent sessions
Traditional Multi-Pass Architectures are Slow
(Diagram: four chained devices, each with its own port/protocol-based ID, L2/L3 networking, HA, config management and reporting: firewall policy; HTTP decoder with URL filtering policy; IPS decoder with IPS signatures and IPS policy; AV decoder & proxy with AV signatures and AV policy)
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto – Network Sniffer
Visibility into Applications, Users & Content
User hzielinski: filter on Skype
Remove Skype to expand view of hzielinski
Palo Alto – Rich reports
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode – connect to SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping
- Max/guaranteed and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active/Active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
(Models: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060)
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on current configuration, avoiding sync issues
NGFW for mobile devices
Today: Quality of Security Tied to Location
Enterprise Network Security
• Security Based on Best-Practices
• Full-Featured NGFW and Threat Prevention
No Network Security
• Security Based on Best-Effort
• Exposed to threats, risky app usage and more
Introducing GlobalProtect
• Users never go "off-network" regardless of location
• All firewalls work together to provide "cloud" of network security
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
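The single-policy model contrasted on the "Application Control as an Add-on" and "NGFW Application Control" slides, combined with the GlobalProtect sequence just described, as one added example (not Palo Alto Networks or PAN-OS code): applications are identified from payload content on any port, the source address is mapped to a user and groups, the agent's host information profile is a rule condition, and anything unmatched, including unknown traffic, is denied. The signatures, user map, HIP fields, rule set and sample flows are all constructed and deliberately simplified.

```python
"""One-pass, one-policy decision: App-ID by content (not port), User-ID by
source address, host information profile (HIP) as a rule condition, and an
implicit deny for anything unmatched. Added example; every table is constructed."""
from dataclasses import dataclass, field


def _is_http(p: bytes) -> bool:
    return p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD") and b" HTTP/1." in p


# App-ID analogue: inspect the first payload bytes, never the destination port.
# Real decoders track whole protocols; these prefixes are a simplification.
SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-2.0-")),
    ("rdp", lambda p: p.startswith(b"\x03\x00")),  # TPKT header in front of RDP
    ("ssl", lambda p: p[:3] == b"\x16\x03\x01"),   # TLS handshake record
    ("web-browsing", _is_http),
]

# What a port-based firewall would assume; used only to show the difference.
PORT_GUESS = {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "rdp"}

# User-ID analogue: IP -> (username, directory groups) learned from AD events.
USER_MAP = {
    "10.1.1.10": ("alice", {"it-admins", "staff"}),
    "10.1.1.20": ("bob", {"staff"}),
}


def identify_app(payload: bytes) -> str:
    for name, matches in SIGNATURES:
        if matches(payload):
            return name
    return "unknown"


def port_guess(dst_port: int) -> str:
    return PORT_GUESS.get(dst_port, "unknown")


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes
    hip: dict = field(default_factory=dict)  # sent by the agent; {} when absent


@dataclass
class Rule:
    name: str
    apps: set
    groups: set  # the user must belong to at least one of these
    hip: dict    # every listed HIP attribute must equal the given value
    action: str


@dataclass
class Decision:
    action: str
    rule: str
    app: str
    user: str
    port_app: str  # what a port-based classification would have called it


# A single ordered policy; there is no separate port policy in front of it.
POLICY = [
    Rule("admin-remote-access", {"ssh", "rdp"}, {"it-admins"}, {"disk_encrypted": True}, "allow"),
    Rule("staff-web", {"web-browsing", "ssl"}, {"staff"}, {}, "allow"),
]


def evaluate(flow: Flow) -> Decision:
    app = identify_app(flow.payload)
    user, groups = USER_MAP.get(flow.src_ip, ("unknown-user", set()))
    for rule in POLICY:
        if app not in rule.apps or not (rule.groups & groups):
            continue
        if any(flow.hip.get(k) != v for k, v in rule.hip.items()):
            continue
        return Decision(rule.action, rule.name, app, user, port_guess(flow.dst_port))
    # Positive enforcement: nothing matched, so the flow (unknown apps included) is blocked.
    return Decision("deny", "implicit-deny", app, user, port_guess(flow.dst_port))


SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"
ENCRYPTED = {"disk_encrypted": True, "patch_level": "current"}
UNENCRYPTED = {"disk_encrypted": False, "patch_level": "current"}

# Constructed flows, in the order the checks below read them.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", 443, SSH_BANNER, ENCRYPTED),    # SSH hopped onto 443: still ssh
    Flow("10.1.1.20", 22, SSH_BANNER, ENCRYPTED),     # bob is not in it-admins
    Flow("10.1.1.10", 22, SSH_BANNER, UNENCRYPTED),   # right user, HIP check fails
    Flow("10.1.1.20", 8080, HTTP_GET, {}),            # web on a non-standard port
    Flow("10.1.1.10", 80, b"\x00\x01\x02\x03junk", ENCRYPTED),  # unknown app on port 80
]


def decisions() -> list:
    return [evaluate(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for f, d in zip(SAMPLE_FLOWS, decisions()):
        print(f"{d.user:<8} port {f.dst_port:<5} port-based={d.port_app:<13} "
              f"app-id={d.app:<13} -> {d.action} ({d.rule})")
```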
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
NGFW for Mobile Devices: GlobalProtect
Today: Quality of Security Tied to Location
• Enterprise network security: security based on best practices
  - Full-featured NGFW and threat prevention
• No network security (off-network users): security based on best effort
  - Exposed to threats (malware, botnets, exploits), risky app usage and more

Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality; heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-based services
• A client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• An agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher costs, more work, lower security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content; fails to control modern apps and threats
• Expensive to purchase; duplicates operational and management overhead

Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
  - A small agent determines the network location (on or off the enterprise network)
  - If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
  - The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
  - The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile

A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
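How the four "how it works" steps combine into one policy decision, as an added example (not GlobalProtect or PAN-OS code): the host's location is detected, its submitted host information profile is matched against named HIP objects, and the same user/application/HIP rule set is applied whether the laptop sits in the office or at home. The DNS-suffix location check, the HIP attribute names, the rules and the hosts are all constructed for the example.

```python
import operator
from dataclasses import dataclass

# Assumption: the agent decides "on network" from the DNS suffix it received plus
# an internal address range; the real agent has its own detection logic.
INTERNAL_DNS_SUFFIX = "corp.example"
INTERNAL_PREFIXES = ("10.",)

OPS = {"==": operator.eq, "<=": operator.le, ">=": operator.ge}

# HIP objects: named sets of conditions the submitted host profile must satisfy.
HIP_OBJECTS = {
    "managed-laptop":    [("asset_type", "==", "corporate-laptop")],
    "encrypted-patched": [("disk_encryption", "==", True),
                          ("missing_critical_patches", "<=", 0)],
}

# One policy for everyone, wherever they are: (user group, application,
# required HIP objects, action), evaluated top-down, first full match wins.
RULES = [
    ("finance",   "sap",          ["managed-laptop", "encrypted-patched"], "allow"),
    ("it-admins", "ssh",          ["managed-laptop"],                      "allow"),
    ("any",       "web-browsing", [],                                      "allow"),
]


@dataclass
class Host:
    user: str
    groups: frozenset
    ip: str
    dns_suffix: str
    hip: dict          # host information profile the agent submitted (constructed)


def is_on_network(host: Host) -> bool:
    return host.dns_suffix == INTERNAL_DNS_SUFFIX and host.ip.startswith(INTERNAL_PREFIXES)


def hip_matches(hip: dict, name: str) -> bool:
    for key, op, want in HIP_OBJECTS[name]:
        if key not in hip or not OPS[op](hip[key], want):
            return False     # a missing attribute never satisfies a condition
    return True


def evaluate(host: Host, app: str) -> dict:
    """Path the agent takes plus the gateway's verdict for one application."""
    path = "on-network" if is_on_network(host) else "ssl-vpn"
    hip_failures = []
    for group, rule_app, hip_names, action in RULES:
        if rule_app != app or (group != "any" and group not in host.groups):
            continue
        failed = [n for n in hip_names if not hip_matches(host.hip, n)]
        if failed:
            hip_failures.extend(failed)      # rule does not match; keep looking
            continue
        return {"path": path, "action": action, "reason": "rule %s/%s" % (group, app)}
    reason = "no rule matched"
    if hip_failures:
        reason += "; HIP failed: " + ", ".join(hip_failures)
    return {"path": path, "action": "deny", "reason": reason}


# Constructed hosts: the same user on different machines and in different places.
GOOD_LAPTOP = {"asset_type": "corporate-laptop", "disk_encryption": True, "missing_critical_patches": 0}
HOSTS = {
    "alice-home":           Host("alice", frozenset({"finance"}), "192.168.1.5", "home.lan", GOOD_LAPTOP),
    "alice-home-unpatched": Host("alice", frozenset({"finance"}), "192.168.1.5", "home.lan",
                                 dict(GOOD_LAPTOP, missing_critical_patches=3)),
    "alice-tablet-office":  Host("alice", frozenset({"finance"}), "10.1.5.23", "corp.example",
                                 {"asset_type": "byod-tablet", "disk_encryption": False}),
    "bob-home":             Host("bob", frozenset({"sales"}), "172.16.0.9", "home.lan", GOOD_LAPTOP),
}

if __name__ == "__main__":
    for name, host in HOSTS.items():
        for app in ("sap", "web-browsing"):
            v = evaluate(host, app)
            print("%-22s %-13s %-10s %-5s %s" % (name, app, v["path"], v["action"], v["reason"]))
```

The tablet case is the one the slide is about: the user is inside the building and on the corporate network, yet the unmanaged device gets the same verdict it would get from home, because the rule set never consults location, only user, application and host posture.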
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
  - Users do what they want
  - Port hopping, tunneling and encryption let applications get around the port-based classification of stateful-inspection firewalls
  - This leads to increased risk for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
  - App-ID: identify applications regardless of port, protocol or SSL encryption
  - User-ID: integrated with the enterprise directory
  - Content-ID: threats, URLs, data
  - High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
  - Flexible deployment options for seamless integration
  - Consolidation of functionality into the firewall simplifies and saves money
From the news
Why Visibility & Control Must Be In The Firewall
Application control as an add-on (port-based firewall with IPS application control bolted on)
• Port-based FW + App Ctrl (IPS) = two policies: a port policy decision in the firewall, then a separate app control policy decision in the IPS
• Applications are treated as threats: only what you expressly look for gets blocked
Implications
• The network access decision is made with no application information
• Cannot safely enable applications
NGFW application control
• Application control is in the firewall = single policy: the app control policy decision and the threat scan of the application happen together
• Visibility across all ports, for all traffic, all the time
Implications
• The network access decision is made based on application identity
• Safely enable application usage
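The two models side by side, as an added example (not Palo Alto Networks code): a toy port-independent application classifier, a port-based firewall with an IPS application blocklist (the negative model), and a single application-and-user policy with default deny (the positive model), run over constructed flows. The signatures, ports, rules, users and flows are all assumptions made for the example; the real App-ID engine uses far more decoders, heuristics and signatures than this.

```python
import re
from dataclasses import dataclass

# Constructed signatures for a handful of applications. They key on what the
# client actually sends, never on the destination port.
HTTP_REQ = re.compile(rb"^(?:GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")
HOST_HDR = re.compile(rb"\r\nHost:[ \t]*([^\r\n]+)")


@dataclass(frozen=True)
class Flow:
    src_user: str
    dst_port: int
    payload: bytes  # first bytes the client sent (constructed sample data)


def identify_app(payload: bytes) -> str:
    """Port-independent application identification on the first client bytes."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if HTTP_REQ.match(payload):
        host = HOST_HDR.search(payload)
        if host and host.group(1).strip().lower().endswith(b"dropbox.com"):
            return "dropbox"          # browser-based application riding on HTTP
        return "web-browsing"
    if payload[:2] == b"\x16\x03":    # TLS record header of a ClientHello
        return "ssl"
    return "unknown-tcp"


# Model 1: port-based stateful firewall plus an add-on "application control" IPS.
ALLOWED_PORTS = {22, 80, 443}          # the firewall's decision uses only the port
APP_BLOCKLIST = {"bittorrent"}         # the IPS add-on blocks only what it is told to


def legacy_decision(flow: Flow) -> tuple:
    if flow.dst_port not in ALLOWED_PORTS:
        return ("deny", "port %d closed" % flow.dst_port)
    app = identify_app(flow.payload)   # the add-on sees only what the port rule admitted
    if app in APP_BLOCKLIST:
        return ("deny", "IPS blocklist: " + app)
    return ("allow", "port open, app %s not blocklisted" % app)


# Model 2: application identity and user group drive the single firewall policy.
# Positive enforcement: anything not explicitly allowed, unknown traffic included, is denied.
NGFW_RULES = [
    # (user group, application, action), evaluated top-down, first match wins
    ("any",       "web-browsing", "allow"),
    ("any",       "ssl",          "allow"),
    ("it-admins", "ssh",          "allow"),
]
USER_GROUPS = {"alice": {"sales"}, "bob": {"sales"}, "carol": {"it-admins"}}   # constructed


def ngfw_decision(flow: Flow) -> tuple:
    app = identify_app(flow.payload)
    groups = USER_GROUPS.get(flow.src_user, set())
    for group, rule_app, action in NGFW_RULES:
        if rule_app == app and (group == "any" or group in groups):
            return (action, "rule %s/%s" % (group, app))
    return ("deny", "no rule allows app %s for %s" % (app, flow.src_user))


# Constructed flows: every one of them lands on an "open" port of the legacy firewall.
FLOWS = [
    Flow("alice", 80,  b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("alice", 443, b"SSH-2.0-OpenSSH_5.8\r\n"),                       # SSH hidden on 443
    Flow("bob",   80,  b"\x13BitTorrent protocol" + b"\x00" * 8),
    Flow("bob",   443, b"\x7fTUNNEL\x00\x01\x02\x03"),                     # custom tunnel, no signature
    Flow("alice", 80,  b"POST /upload HTTP/1.1\r\nHost: client.dropbox.com\r\n\r\n"),
    Flow("carol", 22,  b"SSH-2.0-OpenSSH_5.8\r\n"),                        # admin SSH on 22
]


def compare(flows=FLOWS) -> list:
    """(identified app, legacy verdict, NGFW verdict) for each flow."""
    return [(identify_app(f.payload), legacy_decision(f)[0], ngfw_decision(f)[0]) for f in flows]


if __name__ == "__main__":
    for f, (app, legacy, ngfw) in zip(FLOWS, compare()):
        print("%-6s port %-4d %-13s legacy=%-5s ngfw=%s" % (f.src_user, f.dst_port, app, legacy, ngfw))
```

The flows that differ are the point of the slide: SSH on 443, an unidentified tunnel on 443 and a file-sharing app over HTTP all pass the port rule and are not on the blocklist, so the add-on model allows them; the single-policy model allows only what a rule names, for the users a rule names.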
HTTP: Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%); proxies cannot deal with it
• Browser-based applications are 46%; some work with proxies and some don't
• Web browsing is 23%
(Chart: all HTTP applications, split into web browsing and browser-based applications)

Application Control vs. Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
  - Enhancing productivity
  - Giving competitive advantage to the business
• It's all about visibility and control
  - Who is using what
  - Control and secure modern applications
  - Control feature use
Palo Alto – Next Generation FW (screenshot slide)
New Requirements for the Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access and functionality
4. Protect in real time against threats embedded across applications
5. Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device

Palo Alto Networks Exceeds NGFW Requirements
Gartner's requirement, and what Palo Alto Networks delivers:
• Application awareness and full-stack visibility: App-ID identifies and controls 1300+ applications
• Integrated rather than co-located IPS: Content-ID includes a full IPS without compromising performance
• Extra-firewall intelligence to identify users: User-ID brings AD users and groups into firewall policy
• Standard first-generation firewall capabilities: packet filtering, state, flexible NAT, IPSec and SSL VPNs, etc.
• Support for "bump in the wire" deployments
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers.
Gartner's recommendation: move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS, or the combination of the two.
Unique Technologies Transform the Firewall
• App-ID: identify the application
• User-ID: identify the user
• Content-ID: scan the content

App-ID: Comprehensive Application Visibility
• Policy-based control of more than 1200 applications, distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• Approximately 5 to 10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users are no longer defined solely by IP address
  - Leverage existing Active Directory infrastructure without a complex agent rollout
  - Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user, application and threat behavior based on the actual AD username, not just the IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
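One way the IP-to-user mapping behind User-ID can be built, as an added example (not the User-ID agent's code): parse domain controller logon events, skip machine accounts, failed logons and service-style network logons, keep the newest logon per IP, expire stale mappings, and resolve a flow's source IP to a user and AD group for policy. The event format, the logon-type filter, the timeout and the group table are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed export of domain controller Security log events, reduced to the
# fields a User-ID style agent needs:
# timestamp | event ID | domain | account | source IP | logon type
DC_EVENTS = """\
2011-08-15T08:55:02Z|4624|CORP|WKS-0117$|10.1.5.23|3
2011-08-15T09:01:12Z|4624|CORP|jsmith|10.1.5.23|2
2011-08-15T09:03:40Z|4624|CORP|hzielinski|10.1.7.41|10
2011-08-15T09:05:00Z|4625|CORP|mallory|10.1.7.99|3
2011-08-15T09:06:30Z|4624|CORP|svc-backup|10.1.5.23|3
2011-08-15T13:30:09Z|4624|CORP|tlee|10.1.5.23|2
"""

LOGON_SUCCESS = "4624"                   # 4625 is a failed logon and never creates a mapping
PERSON_LOGON_TYPES = {"2", "10", "11"}   # interactive, RemoteInteractive (RDP), cached interactive
MAPPING_TIMEOUT = timedelta(hours=8)     # assumption: how long a mapping stays valid

AD_GROUPS = {                            # constructed directory group membership
    "CORP\\jsmith": {"finance"},
    "CORP\\hzielinski": {"sales"},
    "CORP\\tlee": {"it-admins"},
}
RULES = [                                # (group, application, action), first match wins
    ("finance",   "sap",          "allow"),
    ("it-admins", "ssh",          "allow"),
    ("any",       "web-browsing", "allow"),
]


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, domain, account, ip, logon_type = line.split("|")
        events.append({"time": parse_time(stamp), "event_id": event_id, "domain": domain,
                       "account": account, "ip": ip, "logon_type": logon_type})
    return events


def build_ip_user_map(events: list, until: datetime) -> dict:
    """ip -> (DOMAIN\\user, logon time), from the events seen up to 'until'."""
    mapping = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["time"] > until or ev["event_id"] != LOGON_SUCCESS:
            continue
        if ev["account"].endswith("$"):                  # machine account, not a person
            continue
        if ev["logon_type"] not in PERSON_LOGON_TYPES:   # a service's network logon would mislabel the IP
            continue
        mapping[ev["ip"]] = (ev["domain"] + "\\" + ev["account"], ev["time"])  # newest logon wins
    return mapping


def resolve_user(ip: str, now: datetime, events_text: str = DC_EVENTS):
    entry = build_ip_user_map(parse_events(events_text), now).get(ip)
    if entry is None:
        return None
    user, seen = entry
    return None if now - seen > MAPPING_TIMEOUT else user   # stale mapping: unknown user


def decide(ip: str, app: str, now: datetime, events_text: str = DC_EVENTS) -> tuple:
    """(action, resolved user, reason) for one flow, by user group rather than by IP."""
    user = resolve_user(ip, now, events_text)
    groups = AD_GROUPS.get(user, set()) if user else set()
    for group, rule_app, action in RULES:
        if rule_app == app and (group == "any" or group in groups):
            return (action, user, "rule %s/%s" % (group, app))
    return ("deny", user, "no rule for %s from %s" % (app, user or "unknown-user"))


if __name__ == "__main__":
    for stamp in ("2011-08-15T09:30:00Z", "2011-08-15T14:00:00Z"):
        now = parse_time(stamp)
        print(stamp, "10.1.5.23 is", resolve_user("10.1.5.23", now), "->", decide("10.1.5.23", "sap", now))
```

The shared workstation 10.1.5.23 is the case worth noticing: the same IP is jsmith in the morning and tlee in the afternoon, so a policy keyed on the address would grant the afternoon user the morning user's SAP access, while the machine account and the backup service's network logon on the same host never become mappings at all.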
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
  - A uniform signature engine scans for a broad range of threats in a single pass
  - Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data, and file transfers by type
  - Looks for credit card (CC) and SSN patterns
  - Looks into the file to determine its type; not extension based
• Web filtering enabled via a fully integrated URL database
  - Local 20M-URL database (76 categories) maximizes performance (1000's of URLs/sec)
  - Dynamic DB adapts to local, regional or industry-focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer, and control non-work-related web surfing.
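What stream-based scanning has to get right, as an added example (not Content-ID code): the scanner consumes a transfer chunk by chunk, rescans a short carry-over tail so a pattern split across two chunks is still found, defers a match that could continue in the next chunk, applies a Luhn check so ordinary digit runs are not reported as card numbers, and determines a file's type from its leading bytes rather than its extension. The patterns, the magic table and the sample chunks are constructed for the example.

```python
import re

# Patterns scanned in the stream. Card numbers: 13 to 16 digits with optional
# single space/dash separators; SSN: 3-2-4 digits with dashes.
CC_RE = re.compile(rb"(?<![\d-])\d(?:[ -]?\d){12,15}(?![\d-])")
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
PATTERNS = (("ssn", SSN_RE), ("cc", CC_RE))
CARRY = 32   # longer than any pattern (16 digits + 15 separators = 31 bytes)

# File type by leading bytes ("magic"), independent of the claimed extension.
MAGIC = ((b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"), (b"MZ", "exe"), (b"\x7fELF", "elf"))
EXT_TYPES = {"pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip", "exe": "exe"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def file_type_by_magic(data: bytes) -> str:
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the real type disagrees with what the extension claims."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TYPES.get(ext, "unknown") != file_type_by_magic(data)


class StreamScanner:
    """Scans a byte stream chunk by chunk without buffering the whole transfer,
    and still catches a pattern that is split across two chunks."""

    def __init__(self):
        self.carry = b""      # tail of earlier data, rescanned together with the next chunk
        self.consumed = 0     # bytes fed so far
        self.findings = []    # (kind, absolute stream offset, matched text)

    def _record(self, kind, offset, raw):
        text = raw.decode("ascii")
        if kind == "cc" and not luhn_ok(re.sub(r"[ -]", "", text)):
            return            # order number, phone number ... not a card
        self.findings.append((kind, offset, text))

    def feed(self, chunk: bytes) -> list:
        buf = self.carry + chunk
        base = self.consumed - len(self.carry)   # stream offset of buf[0]
        new_from = len(self.carry)               # where the fresh bytes begin
        for kind, rx in PATTERNS:
            for m in rx.finditer(buf):
                if m.end() <= new_from:          # lies wholly in old data: already handled
                    continue
                if m.end() == len(buf):          # may continue in the next chunk: defer
                    continue
                self._record(kind, base + m.start(), m.group())
        self.consumed += len(chunk)
        self.carry = buf[-CARRY:]
        return self.findings

    def finish(self) -> list:
        """End of stream: report the matches that were deferred at the last edge."""
        base = self.consumed - len(self.carry)
        for kind, rx in PATTERNS:
            for m in rx.finditer(self.carry):
                if m.end() == len(self.carry):
                    self._record(kind, base + m.start(), m.group())
        return self.findings


def scan_stream(chunks) -> list:
    scanner = StreamScanner()
    for chunk in chunks:
        scanner.feed(chunk)
    return scanner.finish()


# Constructed upload, delivered in two TCP segments that split the SSN in half.
SAMPLE_CHUNKS = [
    b"Customer file. Order 1234567890123 shipped. SSN 123-45-",
    b"6789 on record. Card 4111 1111 1111 1111 expires 12/14.\n",
]

if __name__ == "__main__":
    for kind, offset, text in scan_stream(SAMPLE_CHUNKS):
        print("%s at byte %d: %s" % (kind, offset, text))
    print("invoice.pdf is really", file_type_by_magic(b"MZ\x90\x00\x03"),
          "mismatch:", extension_mismatch("invoice.pdf", b"MZ\x90\x00\x03"))
```

A file-based scanner would have to hold the entire transfer before looking at it; this one reports the split SSN as soon as the second segment arrives, and the 13-digit order number in the first segment is dropped by the Luhn check rather than logged as a card.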
• NSS Labs, the world's largest security and performance testing lab, recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. Our solution was tested against 1,179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided hard proof of what our next-generation firewalls can really do. Key results include:
  - The highest IPS block rate in recent history (93.4%)
  - 100% resistance to IPS evasion techniques
  - Simple IPS configuration and tuning
  - All of the above while delivering 115% of the datasheet performance metrics

Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
  - NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
  - The only IPS that catches threats on non-standard ports
  - Scan inbound and outbound SSL (decrypted) and compressed traffic
  - Assure that only authorized applications are using network resources
  - Allow SSH/RDP, but only for authorized staff
Single-Pass Parallel Processing (SP3) Architecture
Single pass
• Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning: threats, URLs, confidential data
• One policy
Parallel processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, low latency

PA-5000 Series Architecture
(Block diagram: a control plane with a quad-core CPU, RAM and dual SSDs; a data plane with a 20 Gbps network processor, three groups of security processors (CPU 1 to CPU 12 each, with RAM), two signature match engines, three SSL/IPSec/decompression engines, QoS, flow control, route/ARP/MAC lookup and NAT, all joined by the switch fabric over 10 Gbps paths)
Data plane switch fabric
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature match HW engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security processors
• High-density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control plane
• Highly available management
• High-speed logging and route update
• Dual solid-state drives
Network processor
• 20 Gbps front-end network processing
• Hardware-accelerated per-packet route lookup, MAC lookup and NAT
In total
• 40+ processors
• 30+ GB of RAM
• Separate high-speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 million concurrent sessions
Traditional Multi-Pass Architectures are Slow
(Diagram: four separate boxes, firewall, URL filtering, IPS and anti-virus, each with its own port/protocol-based ID, its own L2/L3 networking, HA, config management and reporting, and its own policy: the firewall box holds the firewall policy; the URL filtering box an HTTP decoder and URL filtering policy; the IPS box an IPS decoder, IPS signatures and IPS policy; the AV box an AV decoder & proxy, AV signatures and AV policy. Traffic makes a separate pass through each.)
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive-enforcement-model firewall rules
• Policy enforcement by end-user group identities from Active Directory, or by IP address
Palo Alto – Network Sniffer (screenshot slide)

Visibility into Applications, Users & Content
(Screenshot: the view filtered on user hzielinski and on Skype; removing the Skype filter expands the view of hzielinski)
Palo Alto – Rich reports (screenshot slide)
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
  - Dynamic routing (OSPF, RIPv2)
  - Site-to-site IPSec VPN
  - SSL VPN for remote access
  - Tap mode: connect to a SPAN port
  - Virtual wire ("Layer 1") for true transparent in-line deployment
  - L2/L3 switching foundation
• QoS traffic shaping: max/guaranteed and priority
  - By user, app, interface, zone and more
• Zone-based architecture
  - All interfaces are assigned to security zones for policy enforcement
• High availability
  - Active/Active
  - Configuration and session synchronization
  - Path, link and HA monitoring
• Virtual systems
  - Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features.
Platforms: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060

Enterprise Device and Policy Management
• Intuitive and flexible management
  - CLI, Web, Panorama, SNMP, Syslog
  - Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
  - Shared policies enable consistent application control policies
  - Consolidated management, logging and monitoring of Palo Alto Networks devices
  - Consistent web interface between Panorama and the device UI
  - Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
Zero-Day Attack Protection: a sandbox at the core

Flexible Deployment Options
Transparent in-line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate segmentation (Datacenter 1, Datacenter 2; Segments A, B, C)
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks Next-Gen Firewalls
Model    Firewall throughput  Threat prevention  Sessions    Interfaces
PA-5060  20 Gbps              10 Gbps            4,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5050  10 Gbps              5 Gbps             2,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020  5 Gbps               2 Gbps             1,000,000   8 SFP, 12 copper gigabit
PA-4060  10 Gbps              5 Gbps             2,000,000   4 XFP (10 Gig), 4 SFP (1 Gig)
PA-4050  10 Gbps              5 Gbps             2,000,000   8 SFP, 16 copper gigabit
PA-4020  2 Gbps               2 Gbps             500,000     8 SFP, 16 copper gigabit
PA-2050  1 Gbps               500 Mbps           250,000     4 SFP, 16 copper gigabit
PA-2020  500 Mbps             200 Mbps           125,000     2 SFP, 12 copper gigabit
PA-500   250 Mbps             100 Mbps           50,000      8 copper gigabit
The innovative approach: extend security to all network traffic
Thank You. Zion Ezra, VP Sales
POC and AVR Report
AVR Report (screenshot slides)
UTM Is Still Sprawl... Just Slower
(Diagram: UTM appliance at the Internet edge)
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
  - Sees all traffic
  - Defines the trust boundary
• BUT... applications have changed (collaboration, media, SaaS, personal)
  - Ports ≠ Applications
  - IP addresses ≠ Users
  - Packets ≠ Content
• Need to restore visibility and control in the firewall

Exploit protection
• Many months pass between black-hat discovery, white-hat discovery, and protection being available
• Need to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Needs to perform across all applications
• Need to block the unknown
• Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
INSANITY: doing the same thing over and over again and expecting different results
  - block applications and users
Source: Gartner, as of March 2010
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to restore application visibility & control in the firewall.
Today's network security is based on outdated assumptions...
(Diagram: data center applications such as RPC, SMS, SQL, SharePoint, SMB and NetBIOS spread across ports 80, 135, 137, 139 and 443, plus random high ports)
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security.
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
                      PA-5060      PA-5050      PA-5020
Firewall throughput   20 Gbps      10 Gbps      5 Gbps
Threat prevention     10 Gbps      5 Gbps       2 Gbps
IPSec VPN             4 Gbps       4 Gbps       2 Gbps
SSL VPN users         20,000       10,000       5,000
Sessions              4,000,000    2,000,000    1,000,000
Virtual systems       up to 225    up to 125    up to 20
SFP+ (10 Gig) I/O     4            4            none
SFP (1 Gig) I/O       8            8            8
10/100/1000 copper    12           12           12
Common to the series:
• Hot-swappable fans and power supplies
• Dual solid-state hard drives
• Dedicated HA and management interfaces
• 2U standard rack-mount form factor

NGFWs Eliminate Data Center Compromise
• Prevent threats
  - Stop a wide range of threats on all allowed traffic
  - Proven quality (NSS tested and "Recommended")
  - Security by policy, not hardwired into the deployment
• Comply and compartmentalize
  - Save time and cost to compliance with network segmentation
  - Segment by user, group and application
• Simplify with flexible network security infrastructure
  - With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
  - With simpler, easier deployments
  - With reduced network security rack space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
Why Visibility amp Control Must Be In The Firewall
copy 2011 Palo Alto Networks Proprietary and Confidential Page 21 |
bullPort Policy Decision
bullApp Ctrl Policy Decision
Application Control as an Add-on
bull Port-based FW + App Ctrl (IPS) = two policies
bull Applications are threats only block what you expressly look for
Implications
bull Network access decision is made with no information
bull Cannot safely enable applications
IPS
Applications
Firewall
Port Traffic
Firewall IPS
bullApp Ctrl Policy Decision
bullScan Application for Threats
Applications
Application Traffic
NGFW Application Control
bull Application control is in the firewall = single policy
bull Visibility across all ports for all traffic all the time
Implications
bull Network access decision is made based on application identity
bull Safely enable application usage
copy 2008 Palo Alto Networks Proprietary and Confidential Page 22 |
HTTP Universal Application Protocol
bull HTTP is 64 of enterprise bandwidth
bull Most HTTP traffic is clientserver (54) ndash proxies cannot deal with it
bull Browser-based applications are 46 - some work with proxies and some donrsquot
bull Web browsing is 23
All HTTP Applications
Web Browsing
Browser-based Applications
Application Control vs Blocking
bull Blocking applications even if possible is not the answer
bull Yes there are harmful applications that need to be blocked
bull Many ldquoWeb 20rdquo applications are useful
- Enhancing productivity
- Giving competitive advantage to the business
bull Itrsquos all about visibility and control
- Who is using what
- Control and secure modern applications
- Control features use
Palo Alto
Palo Alto ndash Next Generation FW
copy 2008 Palo Alto Networks Proprietary and Confidential Page 24 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 25 |
New Requirements for Security Device
1 Identify applications regardless of port protocol evasive tactic or SSL
2 Identify users regardless of IP address
3 Granular visibility and policy control over application access functionality
4 Protect in real-time against threats embedded across applications
5 Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
copy 2009 Palo Alto Networks Proprietary and Confidential Page 26 |
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility
App-ID Identifies and controls 1300+ applications
Integrated Rather Than Co-Located IPS
Content-ID includes full IPS without compromising performance
Extra-Firewall Intelligence to Identify Users
User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities
Packet filtering state flexible NAT IPSec SSL VPNs etc
Support ldquobump in the wirerdquo Deployments
In ldquoDefining the Next-Generation Firewallrdquo
Gartner describes what Palo Alto Networks already delivers
Gartnerrsquos Recommendations
Move to next-generation firewalls at the next refresh
opportunity ndash whether for firewall IPS or the
combination of the two
copy 2008 Palo Alto Networks Proprietary and Confidential Page 28 |
Unique Technologies Transform the Firewall
App-ID
Identify the application
User-ID
Identify the user
Content-ID
Scan the content
copy 2008 Palo Alto Networks Proprietary and Confidential Page 29 |
App-ID Comprehensive Application Visibility
bull Policy-based control more than 1200+ applications distributed across five categories and 25 sub-categories
bull Balanced mix of business internet and networking applications and networking protocols
bull ~ 5 - 10 new applications added weekly
copy 2009 Palo Alto Networks Proprietary and Confidential Page 30 |
User-ID Enterprise Directory Integration
bull Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group not just the IP address
bull Understand user application and threat behavior based on actual AD username not just IP
bull Manage and enforce policy based on user andor AD group
bull Investigate security incidents generate custom reports
copy 2009 Palo Alto Networks Proprietary and Confidential Page 31 |
Content-ID Real-Time Content Scanning
bull Stream-based not file-based for real-time performance
- Uniform signature engine scans for broad range of threats in single pass
- Vulnerability exploits (IPS) viruses and spyware (both downloads and phone-home)
bull Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into file to determine type ndash not extension based
bull Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000rsquos URLssec)
- Dynamic DB adapts to local regional or industry focused surfing patterns
Detect and block a wide range of threats limit unauthorized data transfer and control non-work related web surfing
copy 2008 Palo Alto Networks Proprietary and Confidential Page 32 |
bullNSS Labs the worldrsquos largest security and performance testing lab have recently
completed in-depth IPS testing of the Palo Alto Networksrsquo next-gen firewall Our solution
was tested against 1179 live exploits in what was the industrys most comprehensive IPS
test to date The results were crystal clear and provided the hard proof of what our next-
generation firewalls can really do Key results include
bullbull The highest IPS block rate in recent history (934)
bull 100 resistance to IPS evasion techniques
bull Simple IPS configuration and tuning
bull Provided all the above while exceeding the datasheet performance metrics by 115
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 33 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2009 Palo Alto Networks Proprietary and Confidential Page 34 |
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
bull Operations once per packet
- Traffic classification (app identification)
- Usergroup mapping
- Content scanning ndash threats URLs confidential data
bull One policy
Parallel Processing
bull Function-specific hardware engines
bull Separate datacontrol planes
Up to 10Gbps Low Latency
copy 2011 Palo Alto Networks Proprietary and Confidential
PA-5000 Series Architecture
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), viruses, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
• Highly available management
• High speed logging and route update
• Dual solid-state drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Block diagram; labels: 20 Gbps, 10 Gbps, Control Plane, Data Plane Switch Fabric, QoS, Flow control, Route/ARP/MAC lookup, NAT, Switch Fabric, Signature Match (x2), SSL/IPSec/De-Compress (x3), Quad-core CPU, CPU 1-12 (x3), RAM, SSD]
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 Million concurrent sessions
Traditional Multi-Pass Architectures are Slow
[Diagram: four passes in series, each repeating its own Port/Protocol-based ID, L2/L3 Networking, HA, Config Management and Reporting layers: Firewall Policy; HTTP Decoder with URL Filtering Policy; IPS Decoder with IPS Signatures and IPS Policy; AV Decoder & Proxy with AV Signatures and AV Policy]
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto: Network Sniffer
Visibility into Applications, Users & Content
User hzielinski: filter on Skype; remove Skype to expand view of hzielinski
Palo Alto: Rich reports
Demo (offline): Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
  - Dynamic routing (OSPF, RIPv2)
  - Site-to-site IPSec VPN
  - SSL VPN for remote access
  - Tap mode: connect to SPAN port
  - Virtual wire ("Layer 1") for true transparent in-line deployment
  - L2/L3 switching foundation
• QoS traffic shaping: max/guaranteed and priority
  - By user, app, interface, zone and more
• Zone-based architecture
  - All interfaces assigned to security zones for policy enforcement
• High Availability
  - Active/Active
  - Configuration and session synchronization
  - Path, link and HA monitoring
• Virtual Systems
  - Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features.
Models: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
  - CLI, Web, Panorama, SNMP, Syslog
  - Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
  - Shared policies enable consistent application control policies
  - Consolidated management, logging and monitoring of Palo Alto Networks devices
  - Consistent web interface between Panorama and device UI
  - Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
NGFW for mobile devices
Today: Quality of Security Tied to Location
Enterprise Network Security
• Security based on best practices
• Full-featured NGFW and threat prevention
No Network Security
• Security based on best effort
• Exposed to threats (botnets), risky app usage and more
Introducing GlobalProtect
• Users never go "off-network" regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
  - Small agent determines network location (on or off the enterprise network)
  - If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
  - Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
  - Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
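As an added illustration of the four steps above and of the "Ports ≠ Applications" point the deck makes elsewhere (constructed example, not Palo Alto Networks code and not PAN-OS syntax): a toy gateway that classifies each flow by signature rather than port, maps the source address to a user and group, checks the agent-submitted host information profile, and applies a default-deny rule base. The user hzielinski comes from the demo screenshots; the IP addresses, groups, HIP fields, signatures and rule format are assumptions.

```python
"""Toy model of the GlobalProtect flow on the slide above (constructed example,
not Palo Alto Networks code; the rule format, HIP fields and signatures are
simplified assumptions, not PAN-OS syntax)."""
from dataclasses import dataclass
from typing import Optional

# App-ID stand-in: leading bytes of the flow identify the application.
# The destination port is never consulted (Ports != Applications).
APP_SIGNATURES = {
    b"SSH-2.0": "ssh",
    b"\x03\x00\x00": "rdp",      # TPKT header preceding RDP's X.224 connection request
    b"GET ": "web-browsing",
    b"\x16\x03\x01": "ssl",      # TLS record header of a ClientHello
}


@dataclass(frozen=True)
class HostProfile:
    """Host information profile submitted by the agent (fields named on the slide)."""
    patched: bool
    disk_encrypted: bool
    asset_type: str  # "corporate" or "byod"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset
    groups: frozenset
    require_patched: bool = False
    require_encrypted: bool = False
    corporate_only: bool = False


# Constructed User-ID table (hzielinski is the user shown in the demo screenshots)
# and constructed HIP table, both keyed by source address.
USER_MAP = {
    "10.0.0.5": ("hzielinski", frozenset({"it-admins", "employees"})),
    "10.0.0.9": ("jdoe", frozenset({"sales", "employees"})),
}
HIP_MAP = {
    "10.0.0.5": HostProfile(patched=True, disk_encrypted=True, asset_type="corporate"),
    "10.0.0.9": HostProfile(patched=False, disk_encrypted=True, asset_type="byod"),
}

# Positive enforcement model: only what a rule explicitly allows gets through.
RULES = [
    # "Allow SSH/RDP, but only for authorized staff", and only from a healthy corporate host
    Rule("allow-admin-remote", frozenset({"ssh", "rdp"}), frozenset({"it-admins"}),
         require_patched=True, require_encrypted=True, corporate_only=True),
    Rule("allow-web", frozenset({"web-browsing", "ssl"}), frozenset({"employees"})),
]


def identify_app(flow: Flow) -> str:
    """Classify by payload signature; unmatched traffic stays 'unknown-tcp'."""
    for signature, app in APP_SIGNATURES.items():
        if flow.payload.startswith(signature):
            return app
    return "unknown-tcp"


def hip_satisfies(hip: Optional[HostProfile], rule: Rule) -> bool:
    """A missing profile (host never checked in) fails any rule with HIP conditions."""
    if hip is None:
        return not (rule.require_patched or rule.require_encrypted or rule.corporate_only)
    if rule.require_patched and not hip.patched:
        return False
    if rule.require_encrypted and not hip.disk_encrypted:
        return False
    if rule.corporate_only and hip.asset_type != "corporate":
        return False
    return True


def evaluate(flow: Flow, rules=RULES, user_map=USER_MAP, hip_map=HIP_MAP) -> tuple:
    """Return (action, rule_name, app); flows matching no rule hit the implicit deny."""
    app = identify_app(flow)
    _user, groups = user_map.get(flow.src_ip, ("unknown", frozenset()))
    hip = hip_map.get(flow.src_ip)
    for rule in rules:
        if app not in rule.apps or not (groups & rule.groups):
            continue
        if not hip_satisfies(hip, rule):
            continue
        return ("allow", rule.name, app)
    return ("deny", "default-deny", app)


if __name__ == "__main__":
    # SSH tunnelled over 443 is still classified as ssh and allowed for the admin...
    print(evaluate(Flow("10.0.0.5", 443, b"SSH-2.0-OpenSSH_8.9\r\n")))
    # ...while the same session from a sales user is denied even on port 22.
    print(evaluate(Flow("10.0.0.9", 22, b"SSH-2.0-OpenSSH_8.9\r\n")))
```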
Zero Day Attacks Protection: a sandbox at the core
Flexible Deployment Options
Transparent In-Line / Firewall Replacement
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate segmentation (Datacenter 1 / Datacenter 2; Segments A, B, C)
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks Next-Gen Firewalls
PA-4050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 8 SFP, 16 copper gigabit
PA-4020: 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions; 8 SFP, 16 copper gigabit
PA-4060: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050: 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions; 4 SFP, 16 copper gigabit
PA-2020: 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions; 2 SFP, 12 copper gigabit
PA-500: 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions; 8 copper gigabit
PA-5050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020: 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions; 8 SFP, 12 copper gigabit
PA-5060: 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You. Zion Ezra, VP Sales
POC and AVR Report
AVR Report
UTM Is Still Sprawl... Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have limited view of traffic
• Turning on functions kills performance
Applications Have Changed; Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
  - Sees all traffic
  - Defines trust boundary
• Need to Restore Visibility and Control in the Firewall
• BUT... Applications Have Changed (Collaboration, Media, SaaS, Personal)
  - Ports ≠ Applications
  - IP Addresses ≠ Users
  - Packets ≠ Content
Exploit protection
Many months pass between black-hat discovery, white-hat discovery and protection being available
Need to protect all applications
A sandbox at the core
Needs user-based access control
Needs high-speed IPS and AV
Need to perform across all applications
Need to block the unknown
Conclusion: advanced-malware protection belongs in a next generation firewall
DEMO: httpsca2demopaloaltonetworkscomesploginesp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach: extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), viruses, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
• Highly available management
• High speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Block diagram; labels: 20 Gbps, 10 Gbps, Control Plane, Data Plane Switch Fabric, QoS, Flow control, Route/ARP/MAC lookup, NAT, Switch Fabric, Signature Match (x2), SSL/IPSec/De-Compress (x3), Quad-core CPU, CPU 1-12 (x3), RAM, HDD]
NGFW for mobile devices
Source: Gartner, as of March 2010
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions...
[Diagram: RPC, SMS, SQL, SharePoint, SMB and NetBIOS traffic spread over ports 135, 137, 139, 80 and 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security.
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5050
• 10 Gbps FW
• 5 Gbps threat prevention
• 4 Gbps IPSec VPN
• 10,000 SSL VPN users
• 2,000,000 sessions
• Up to 125 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5020
• 5 Gbps FW
• 2 Gbps threat prevention
• 2 Gbps IPSec VPN
• 5,000 SSL VPN users
• 1,000,000 sessions
• Up to 20 VSYS
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5060
• 20 Gbps FW
• 10 Gbps threat prevention
• 4 Gbps IPSec VPN
• 20,000 SSL VPN users
• 4,000,000 sessions
• Up to 225 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
All models:
• Hot swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
  - Stop a wide range of threats on all allowed traffic
  - Proven quality (NSS tested and "Recommended")
  - Security by policy, not hardwired into deployment
• Comply and Compartmentalize
  - Save time and cost of compliance with network segmentation
  - Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
  - With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
  - With simpler, easier deployments
  - With reduced network security rack space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates; operational and management overhead
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram labels: malware, botnets, exploits]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
  - Users do what they want
  - Port hopping, tunneling and encryption let applications get around the port-based classification of stateful-inspection firewalls
  - Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
  - App-ID: identify applications regardless of port, protocol or SSL encryption
  - User-ID: integrated with enterprise directory
  - Content-ID: threats, URLs, data
  - High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
  - Flexible deployment options for seamless integration
  - Consolidation of functionality into the firewall simplifies and saves money
HTTP: Universal Application Protocol
• HTTP is 64% of enterprise bandwidth
• Most HTTP traffic is client/server (54%); proxies cannot deal with it
• Browser-based applications are 46%; some work with proxies and some don't
• Web browsing is 23%
[Chart: All HTTP Applications; Web Browsing; Browser-based Applications]
Application Control vs. Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
  - Enhancing productivity
  - Giving competitive advantage to the business
• It's all about visibility and control
  - Who is using what
  - Control and secure modern applications
  - Control feature use
Palo Alto: Next Generation FW
New Requirements for Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access / functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
• Application Awareness and Full Stack Visibility: App-ID identifies and controls 1300+ applications
• Integrated Rather Than Co-Located IPS: Content-ID includes full IPS without compromising performance
• Extra-Firewall Intelligence to Identify Users: User-ID brings AD users and groups into firewall policy
• Standard First-Generation Firewall Capabilities: packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
• Support "bump in the wire" Deployments
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers.
Gartner's Recommendations: move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS or the combination of the two.
Unique Technologies Transform the Firewall
• App-ID: identify the application
• User-ID: identify the user
• Content-ID: scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of more than 1200+ applications distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5-10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
  - Leverage existing Active Directory infrastructure without complex agent rollout
  - Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user, application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
  - Uniform signature engine scans for a broad range of threats in a single pass
  - Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
  - Looks for CC and SSN patterns
  - Looks into the file to determine type, not extension based
• Web filtering enabled via fully integrated URL database
  - Local 20M URL database (76 categories) maximizes performance (1000's of URLs/sec)
  - Dynamic DB adapts to local, regional or industry focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work related web surfing.
bullNSS Labs the worldrsquos largest security and performance testing lab have recently
completed in-depth IPS testing of the Palo Alto Networksrsquo next-gen firewall Our solution
was tested against 1179 live exploits in what was the industrys most comprehensive IPS
test to date The results were crystal clear and provided the hard proof of what our next-
generation firewalls can really do Key results include
bullbull The highest IPS block rate in recent history (934)
bull 100 resistance to IPS evasion techniques
bull Simple IPS configuration and tuning
bull Provided all the above while exceeding the datasheet performance metrics by 115
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 33 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2009 Palo Alto Networks Proprietary and Confidential Page 34 |
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
bull Operations once per packet
- Traffic classification (app identification)
- Usergroup mapping
- Content scanning ndash threats URLs confidential data
bull One policy
Parallel Processing
bull Function-specific hardware engines
bull Separate datacontrol planes
Up to 10Gbps Low Latency
copy 2011 Palo Alto Networks Proprietary and Confidential
PA-5000 Series Architecture
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual solid-state drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow
control
Route ARP MAC
lookup
NAT Switch
Fabric
Signature Match
Signature Match
SSL IPSec De-
Compress SSL IPSec
De-Compress
SSL IPSec De-
Compress
Quad-core
CPU CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
RAM
RAM
SSD
SSD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
bull 40+ processors
bull 30+ GB of RAM
bull Separate high speed data and control planes
bull 20 Gbps firewall throughput
bull 10 Gbps threat prevention throughput
bull 4 Million concurrent sessions
Page 35 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 36 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 37 |
Powerful Policy-Based Control
bull Browse more than 1300 applications based on name category technology or characteristic
bull Immediately translate results into positive enforcement model firewall rules
bull Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto
Palo Alto ndash Network Sniffer
copy 2008 Palo Alto Networks Proprietary and Confidential Page 38 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 39 |
Visibility into Applications Users amp Content
User hzielinski Filter on Skype
Remove Skype to expand view of hzielinski
Palo Alto
Palo Alto ndash Rich reports
copy 2008 Palo Alto Networks Proprietary and Confidential Page 40 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 41 |
Demo (offline) ndash Traffic Log
copy 2008 Palo Alto Networks Proprietary and Confidential Page 42 |
Enables Executive Visibility
copy 2009 Palo Alto Networks Proprietary and Confidential Page 43 |
PAN-OS Features
bull Strong networking foundation
- Dynamic routing (OSPF RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode ndash connect to SPAN port
- Virtual wire (ldquoLayer 1rdquo) for true transparent in-line deployment
- L2L3 switching foundation
bull QoS traffic shaping - Maxguaranteed and priority
- By user app interface zone and more
bull Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
bull High Availability
- Active Active
- Configuration and session synchronization
- Path link and HA monitoring
bull Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
bull Simple flexible management
- CLI Web Panorama SNMP Syslog
Visibility and control of applications users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
bull Intuitive and flexible management
- CLI Web Panorama SNMP Syslog
- Role-based administration enables delegation of tasks to appropriate person
bull Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACCmonitoring views log collection and reporting
bull All interfaces work on current configuration avoiding sync issues
NGFW for mobile devices
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Architecture diagram: a 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT) feeds the data-plane switch fabric at 10 Gbps into the signature-match engines and SSL/IPSec/decompression security processors (multi-core CPUs with RAM); the control plane has its own quad-core CPU, RAM and dual HDDs]
NGFW for mobile devices
Source: Gartner, as of March 2010
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to restore application visibility & control in the firewall
Today's network security is based on outdated assumptions…
[Diagram: RPC, SMS, SQL, SharePoint, SMB and NetBIOS spread across ports 80, 135, 137, 139 and 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security
Palo Alto Networks Protection + Performance
• Strong threat prevention
  - NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
  - The only IPS that catches threats on non-standard ports
  - Scan inbound and outbound SSL (decrypt) and compressed traffic
  - Assure only authorized applications are using network resources
  - Allow SSH/RDP, but only for authorized staff
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications

Model    Firewall  Threat prevention  IPSec VPN  SSL VPN users  Sessions   Virtual systems  I/O
PA-5020  5 Gbps    2 Gbps             2 Gbps     5,000          1,000,000  up to 20         (8) SFP (1 Gig), (12) 10/100/1000
PA-5050  10 Gbps   5 Gbps             4 Gbps     10,000         2,000,000  up to 125        (4) SFP+ (10 Gig), (8) SFP (1 Gig), (12) 10/100/1000
PA-5060  20 Gbps   10 Gbps            4 Gbps     20,000         4,000,000  up to 225        (4) SFP+ (10 Gig), (8) SFP (1 Gig), (12) 10/100/1000

All models:
• Hot swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent threats
  - Stop a wide range of threats on all allowed traffic
  - Proven quality (NSS tested and "Recommended")
  - Security by policy, not hardwired into deployment
• Comply and compartmentalize
  - Save time and cost to compliance with network segmentation
  - Segment by user group and application
• Simplify with flexible network security infrastructure
  - With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
  - With simpler, easier deployments
  - With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
[Diagram label: botnets]
Enterprise network security
• Security based on best practices
• Full-featured NGFW and threat prevention
No network security
• Security based on best effort
• Exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates, operational and management overhead
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
  - A small agent determines network location (on or off the enterprise network)
  - If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
  - The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
  - The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
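An added Python example (not Palo Alto Networks code) that models the four steps above as an agent/gateway exchange; the on-network test, the gateway choice by latency, the HIP fields and every rule are constructed assumptions, and the "remediate" rule shows how a non-compliant laptop falls through to a more restrictive rule instead of silently getting the compliant one.

```python
"""GlobalProtect-style flow from the 'How it works' list: the agent decides whether
it is on the enterprise network, connects to the nearest gateway when it is not,
submits a host information profile (HIP), and the gateway enforces a policy that
combines user group, application and HIP.  Added example, not Palo Alto Networks
code: the location check, the HIP fields and all rules are constructed."""
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    latency_ms: int   # constructed measurement the agent uses to pick "nearest"


# Assumption: the agent treats itself as on-network when the internal portal name
# resolves to a corporate address; a constructed stand-in for the real mechanism.
INTERNAL_PREFIX = "10.0."


def agent_is_on_network(resolve):
    """resolve(hostname) -> ip string or None; injected so the check runs offline."""
    ip = resolve("portal.corp.example")   # hypothetical internal hostname
    return ip is not None and ip.startswith(INTERNAL_PREFIX)


def choose_gateway(gateways):
    """Nearest gateway = lowest measured latency (constructed selection rule)."""
    return min(gateways, key=lambda g: g.latency_ms)


def agent_connect(resolve, gateways, hip):
    """Message the agent would send: stay local on-network, otherwise request an
    SSL VPN tunnel to the chosen gateway and carry the HIP with it."""
    if agent_is_on_network(resolve):
        return {"mode": "on-network", "hip": hip}
    gw = choose_gateway(gateways)
    return {"mode": "ssl-vpn", "gateway": gw.name, "hip": hip}


# Gateway side: a rule matches on user group, application and required HIP fields.
@dataclass
class Rule:
    name: str
    groups: set
    apps: set
    hip_requires: dict   # e.g. {"disk_encrypted": True, "min_patch_level": 3}
    action: str          # "allow" or "deny"


def hip_satisfies(hip, requirements):
    """Exact match on every required field; min_patch_level is a threshold."""
    for key, want in requirements.items():
        if key == "min_patch_level":
            if hip.get("patch_level", 0) < want:
                return False
        elif hip.get(key) != want:
            return False
    return True


def gateway_decide(group, app, hip, rules):
    """First matching rule wins.  A rule whose HIP requirements fail is skipped,
    so a non-compliant host falls through to the next (more restrictive) rule."""
    for r in rules:
        if group in r.groups and app in r.apps and hip_satisfies(hip, r.hip_requires):
            return (r.action, r.name)
    return ("deny", "default-deny")


# Constructed policy: finance may reach the ERP app only from an encrypted,
# patched laptop; otherwise the same traffic is denied (and would be remediated).
POLICY = [
    Rule("finance-erp-compliant", {"finance"}, {"erp"},
         {"disk_encrypted": True, "min_patch_level": 3}, "allow"),
    Rule("finance-erp-remediate", {"finance"}, {"erp"}, {}, "deny"),
    Rule("anyone-web", {"finance", "sales"}, {"web-browsing"}, {}, "allow"),
]
```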
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram labels: malware, botnets, exploits]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
  - Users do what they want
  - Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
  - Leads to increased risk for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
  - App-ID: identify applications regardless of port, protocol or SSL encryption
  - User-ID: integrated with the enterprise directory
  - Content-ID: threats, URLs, data
  - High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
  - Flexible deployment options for seamless integration
  - Consolidation of functionality into the firewall simplifies and saves money
Application Control vs. Blocking
• Blocking applications, even if possible, is not the answer
• Yes, there are harmful applications that need to be blocked
• Many "Web 2.0" applications are useful
  - Enhancing productivity
  - Giving competitive advantage to the business
• It's all about visibility and control
  - Who is using what
  - Control and secure modern applications
  - Control feature use
Palo Alto – Next Generation FW
New Requirements for a Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access and functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers:
• Application awareness and full stack visibility – App-ID identifies and controls 1300+ applications
• Integrated rather than co-located IPS – Content-ID includes full IPS without compromising performance
• Extra-firewall intelligence to identify users – User-ID brings AD users and groups into firewall policy
• Standard first-generation firewall capabilities – packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
• Support for "bump in the wire" deployments
Gartner's recommendation: "Move to next-generation firewalls at the next refresh opportunity – whether for firewall, IPS, or the combination of the two."
Unique Technologies Transform the Firewall
• App-ID – identify the application
• User-ID – identify the user
• Content-ID – scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of more than 1,200 applications, distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5–10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
  - Leverage existing Active Directory infrastructure without complex agent rollout
  - Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user, application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
  - Uniform signature engine scans for a broad range of threats in a single pass
  - Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
  - Looks for CC and SSN patterns
  - Looks into the file to determine type – not extension based
• Web filtering enabled via fully integrated URL database
  - Local 20M URL database (76 categories) maximizes performance (1000's of URLs/sec)
  - Dynamic DB adapts to local, regional or industry-focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work-related web surfing
• NSS Labs, the world's largest security and performance testing lab, has recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. Our solution was tested against 1179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided hard proof of what our next-generation firewalls can really do. Key results include:
  - The highest IPS block rate in recent history (93.4%)
  - 100% resistance to IPS evasion techniques
  - Simple IPS configuration and tuning
  - Provided all the above while exceeding the datasheet performance metrics by 115%
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, low latency
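An added Python example (not Palo Alto Networks code) serving both the "Ports ≠ Applications" argument earlier on the page and the single-pass model above: the application is identified from the payload rather than the destination port, the source address is mapped to a user and group, the content is scanned, and one policy decides. All signatures, addresses, users, patterns and rules are constructed for illustration; the port table stands in for a traditional port-based firewall so the two classifications can be compared on the same flow.

```python
"""Single-pass evaluation of one flow: classify the app from the payload (not the
port), map the source IP to a user/group, scan the content, then apply ONE policy.
Added example, not Palo Alto Networks code; every signature, user, pattern and rule
below is constructed."""
import re
from dataclasses import dataclass, field

# Constructed App-ID-style signatures: the application is decided by what the
# first bytes of the payload look like, never by the port the flow uses.
APP_SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("ssl", re.compile(rb"^\x16\x03[\x00-\x03]")),                   # TLS record header
    ("web-browsing", re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
    ("rdp", re.compile(rb"^\x03\x00")),                               # TPKT header
]
# Constructed port table as a traditional port-based firewall would use it.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "rdp"}
# Constructed User-ID mapping (what a directory agent would supply): ip -> (user, group).
USER_MAP = {"10.1.1.5": ("alice", "it-admins"), "10.1.1.9": ("bob", "sales")}
# Constructed Content-ID patterns: a 16-digit card-like number and a US SSN.
CONTENT_PATTERNS = {
    "credit-card": re.compile(rb"\b(?:\d{4}[- ]?){3}\d{4}\b"),
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    name: str
    apps: set            # allowed application names; "any" matches all
    groups: set          # allowed AD groups; "any" matches all
    action: str          # "allow" or "deny"
    block_content: set = field(default_factory=set)   # content types that turn allow into deny


def identify_app_by_port(flow):
    """What a port-based device believes the application is."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def identify_app_by_payload(flow):
    """What the payload actually is, regardless of port."""
    for app, sig in APP_SIGNATURES:
        if sig.search(flow.payload):
            return app
    return "unknown"


def map_user(flow):
    return USER_MAP.get(flow.src_ip, ("unknown", "unknown"))


def scan_content(payload):
    return {kind for kind, pat in CONTENT_PATTERNS.items() if pat.search(payload)}


def evaluate(flow, rules):
    """One pass: app, user/group and content findings are derived once, then the
    first matching rule decides.  Returns (action, app, user, rule_name, findings)."""
    app = identify_app_by_payload(flow)
    user, group = map_user(flow)
    findings = scan_content(flow.payload)
    for r in rules:
        if ("any" in r.apps or app in r.apps) and ("any" in r.groups or group in r.groups):
            if r.action == "allow" and findings & r.block_content:
                return ("deny", app, user, r.name, findings)   # allowed app, blocked data
            return (r.action, app, user, r.name, findings)
    return ("deny", app, user, "default-deny", findings)


# Constructed policy: admins may use SSH/RDP on any port; everyone may browse,
# but sensitive data patterns are blocked inside web traffic.
POLICY = [
    Rule("admin-remote-access", {"ssh", "rdp"}, {"it-admins"}, "allow"),
    Rule("web-for-all", {"web-browsing", "ssl"}, {"any"}, "allow", {"credit-card", "ssn"}),
]
```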
PA-5000 Series Architecture
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual solid-state drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Architecture diagram: a 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT) feeds the data-plane switch fabric at 10 Gbps into the signature-match engines and SSL/IPSec/decompression security processors (multi-core CPUs with RAM); the control plane has its own quad-core CPU, RAM and dual SSDs]
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 million concurrent sessions
Traditional Multi-Pass Architectures are Slow
[Diagram: four separate devices in series, each repeating port/protocol-based ID, L2/L3 networking, HA, config management and reporting alongside its own function: firewall policy; HTTP decoder and URL filtering policy; IPS decoder, IPS signatures and IPS policy; AV decoder, proxy, AV signatures and AV policy]
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory, or by IP address
Palo Alto – Network Sniffer
Visibility into Applications, Users & Content
(Screenshot: user hzielinski, filtered on Skype; removing the Skype filter expands the view of hzielinski)
Palo Alto – Rich reports
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
  - Dynamic routing (OSPF, RIPv2)
  - Site-to-site IPSec VPN
  - SSL VPN for remote access
  - Tap mode – connect to SPAN port
  - Virtual wire ("Layer 1") for true transparent in-line deployment
  - L2/L3 switching foundation
• QoS traffic shaping – max/guaranteed and priority
  - By user, app, interface, zone and more
• Zone-based architecture
  - All interfaces assigned to security zones for policy enforcement
• High Availability
  - Active/Active
  - Configuration and session synchronization
  - Path, link and HA monitoring
• Virtual Systems
  - Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
Models: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
  - CLI, Web, Panorama, SNMP, Syslog
  - Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
  - Shared policies enable consistent application control policies
  - Consolidated management, logging and monitoring of Palo Alto Networks devices
  - Consistent web interface between Panorama and device UI
  - Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
Zero-Day Attack Protection: a sandbox at the core
Flexible Deployment Options
Transparent in-line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate segmentation (Datacenter 1 / Datacenter 2; Segments A, B and C)
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks Next-Gen Firewalls

Model    Firewall  Threat prevention  Sessions   Interfaces
PA-500   250 Mbps  100 Mbps           50,000     8 copper gigabit
PA-2020  500 Mbps  200 Mbps           125,000    2 SFP, 12 copper gigabit
PA-2050  1 Gbps    500 Mbps           250,000    4 SFP, 16 copper gigabit
PA-4020  2 Gbps    2 Gbps             500,000    8 SFP, 16 copper gigabit
PA-4050  10 Gbps   5 Gbps             2,000,000  8 SFP, 16 copper gigabit
PA-4060  10 Gbps   5 Gbps             2,000,000  4 XFP (10 Gig), 4 SFP (1 Gig)
PA-5020  5 Gbps    2 Gbps             1,000,000  8 SFP, 12 copper gigabit
PA-5050  10 Gbps   5 Gbps             2,000,000  4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5060  20 Gbps   10 Gbps            4,000,000  4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
Thank You
Zion Ezra, VP Sales
POC and AVR Report
AVR Report
UTM Is Still Sprawl… Just Slower
[Diagram label: Internet]
• Doesn't solve the problem
• Firewall "helper" functions have limited view of traffic
• Turning on functions kills performance
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
Palo Alto
Palo Alto ndash Next Generation FW
copy 2008 Palo Alto Networks Proprietary and Confidential Page 24 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 25 |
New Requirements for Security Device
1 Identify applications regardless of port protocol evasive tactic or SSL
2 Identify users regardless of IP address
3 Granular visibility and policy control over application access functionality
4 Protect in real-time against threats embedded across applications
5 Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
copy 2009 Palo Alto Networks Proprietary and Confidential Page 26 |
Palo Alto Networks Exceeds NGFW Requirements
Application Awareness and Full Stack Visibility
App-ID Identifies and controls 1300+ applications
Integrated Rather Than Co-Located IPS
Content-ID includes full IPS without compromising performance
Extra-Firewall Intelligence to Identify Users
User-ID brings AD users and groups into firewall policy
Standard First-Generation Firewall Capabilities
Packet filtering state flexible NAT IPSec SSL VPNs etc
Support ldquobump in the wirerdquo Deployments
In ldquoDefining the Next-Generation Firewallrdquo
Gartner describes what Palo Alto Networks already delivers
Gartnerrsquos Recommendations
Move to next-generation firewalls at the next refresh
opportunity ndash whether for firewall IPS or the
combination of the two
copy 2008 Palo Alto Networks Proprietary and Confidential Page 28 |
Unique Technologies Transform the Firewall
App-ID
Identify the application
User-ID
Identify the user
Content-ID
Scan the content
copy 2008 Palo Alto Networks Proprietary and Confidential Page 29 |
App-ID Comprehensive Application Visibility
bull Policy-based control more than 1200+ applications distributed across five categories and 25 sub-categories
bull Balanced mix of business internet and networking applications and networking protocols
bull ~ 5 - 10 new applications added weekly
copy 2009 Palo Alto Networks Proprietary and Confidential Page 30 |
User-ID Enterprise Directory Integration
bull Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group not just the IP address
bull Understand user application and threat behavior based on actual AD username not just IP
bull Manage and enforce policy based on user andor AD group
bull Investigate security incidents generate custom reports
copy 2009 Palo Alto Networks Proprietary and Confidential Page 31 |
Content-ID Real-Time Content Scanning
bull Stream-based not file-based for real-time performance
- Uniform signature engine scans for broad range of threats in single pass
- Vulnerability exploits (IPS) viruses and spyware (both downloads and phone-home)
bull Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into file to determine type ndash not extension based
bull Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000rsquos URLssec)
- Dynamic DB adapts to local regional or industry focused surfing patterns
Detect and block a wide range of threats limit unauthorized data transfer and control non-work related web surfing
copy 2008 Palo Alto Networks Proprietary and Confidential Page 32 |
• NSS Labs, the world's largest security and performance testing lab, has recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. Our solution was tested against 1,179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided hard proof of what our next-generation firewalls can really do. Key results include:
  - The highest IPS block rate in recent history (93.4%)
  - 100% resistance to IPS evasion techniques
  - Simple IPS configuration and tuning
  - All of the above delivered while exceeding the datasheet performance metrics (115% of rated performance)
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
  - NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
  - The only IPS that catches threats on non-standard ports
  - Scans inbound and outbound SSL (decrypted) and compressed traffic
  - Assures only authorized applications are using network resources
  - Allows SSH/RDP, but only for authorized staff
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet:
  - Traffic classification (application identification)
  - User/group mapping
  - Content scanning: threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, low latency
PA-5000 Series Architecture
Network Processor
• 20 Gbps front-end network processing
• Hardware-accelerated per-packet route lookup, MAC lookup and NAT
Switch Fabric and QoS
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), viruses, spyware, CC/SSN and more
Security Processors
• High-density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High-speed logging and route update
• Dual solid-state drives
[Diagram: data plane with the 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT) feeding the switch fabric; three security processor banks (CPUs 1 to 12 with RAM and SSL/IPSec/decompression offload) and two signature match engines on 10 Gbps links; a separate control plane with quad-core CPU, RAM and dual SSDs]
• 40+ processors
• 30+ GB of RAM
• Separate high-speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 million concurrent sessions
Traditional Multi-Pass Architectures are Slow
[Diagram: four devices chained in series, each with its own port/protocol-based ID, L2/L3 networking, HA, config management and reporting: a firewall (firewall policy), a URL filter (HTTP decoder, URL filtering policy), an IPS (IPS decoder, IPS signatures, IPS policy) and an AV gateway (AV decoder and proxy, AV signatures, AV policy)]
Powerful Policy-Based Control
• Browse more than 1,300 applications by name, category, technology or characteristic
• Immediately translate results into positive-enforcement-model firewall rules
• Policy enforcement by end-user group identities from Active Directory, or by IP address
Palo Alto: Network Sniffer [screenshot]
Visibility into Applications, Users & Content
[Screenshots: view filtered on user hzielinski and on Skype; removing the Skype filter expands the view of hzielinski's activity]
Palo Alto: Rich reports [screenshot]
Demo (offline): Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
  - Dynamic routing (OSPF, RIPv2)
  - Site-to-site IPSec VPN
  - SSL VPN for remote access
  - Tap mode: connect to a SPAN port
  - Virtual wire ("Layer 1") for true transparent in-line deployment
  - L2/L3 switching foundation
• QoS traffic shaping: max/guaranteed bandwidth and priority
  - By user, app, interface, zone and more
• Zone-based architecture
  - All interfaces are assigned to security zones for policy enforcement
• High Availability
  - Active/Active
  - Configuration and session synchronization
  - Path, link and HA monitoring
• Virtual Systems
  - Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features.
Models: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
  - CLI, Web, Panorama, SNMP, Syslog
  - Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
  - Shared policies enable consistent application control policies
  - Consolidated management, logging and monitoring of Palo Alto Networks devices
  - Consistent web interface between Panorama and the device UI
  - Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
NGFW for Mobile Devices
Today: Quality of Security Tied to Location
[Diagram: users on the enterprise network vs. users on the Internet exposed to botnets]
Enterprise Network Security
• Security based on best practices
• Full-featured NGFW and threat prevention
No Network Security
• Security based on best effort
• Exposed to threats, risky app usage and more
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
  - A small agent determines network location (on or off the enterprise network)
  - If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
  - The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
  - The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
Zero-Day Attack Protection: a sandbox at the core
Flexible Deployment Options
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate Segmentation
[Diagram: Datacenter 1 and Datacenter 2 divided into Segments A, B and C]
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks Next-Gen Firewalls
Model     Firewall    Threat prevention   Sessions    Interfaces
PA-5060   20 Gbps     10 Gbps             4,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5050   10 Gbps     5 Gbps              2,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020   5 Gbps      2 Gbps              1,000,000   8 SFP (1 Gig), 12 copper gigabit
PA-4060   10 Gbps     5 Gbps              2,000,000   4 XFP (10 Gig), 4 SFP (1 Gig)
PA-4050   10 Gbps     5 Gbps              2,000,000   8 SFP, 16 copper gigabit
PA-4020   2 Gbps      2 Gbps              500,000     8 SFP, 16 copper gigabit
PA-2050   1 Gbps      500 Mbps            250,000     4 SFP, 16 copper gigabit
PA-2020   500 Mbps    200 Mbps            125,000     2 SFP, 12 copper gigabit
PA-500    250 Mbps    100 Mbps            50,000      8 copper gigabit
The innovative approach: extend security to all network traffic
Thank You
Zion Ezra, VP Sales
POC and AVR Report
[Screenshots: Application Visibility and Risk (AVR) report pages]
UTM Is Still Sprawl... Just Slower
[Diagram: UTM appliance between the Internet and the internal network]
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Applications Have Changed, Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
  - Sees all traffic
  - Defines the trust boundary
• Need to restore visibility and control in the firewall
[Diagram: application categories: Collaboration, Media, SaaS, Personal]
• BUT... applications have changed
  - Ports ≠ Applications
  - IP addresses ≠ Users
  - Packets ≠ Content
Exploit protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Needs to perform across all applications
• Needs to block the unknown
• Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
"INSANITY: doing the same thing over and over again and expecting different results"
Block applications and users
The innovative approach: extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
[Diagram: PA-5000 Series architecture, repeated from the SP3 architecture slide: 20 Gbps network processor (hardware-accelerated per-packet route/ARP/MAC lookup and NAT, QoS, flow control), 80 Gbps switch fabric with 20 Gbps QoS engine, security processors with SSL/IPSec/decompression offload, stream-based signature match engines (exploits, viruses, spyware, CC/SSN and more), and a separate control plane (quad-core CPU, RAM, highly available management, high-speed logging and route update); this variant shows dual hard drives]
Source: Gartner (March 2010)
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions...
[Diagram: RPC, SMS, SQL, SharePoint, SMB and NetBIOS traffic spread across ports 80, 135, 137, 139 and 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security.
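The three ideas this deck keeps returning to, identifying the application from its traffic rather than its port (the "Ports ≠ Applications" slides and App-ID), enforcing a positive-enforcement policy keyed on Active Directory group rather than IP address (the Powerful Policy-Based Control slide and User-ID), and gating access on the host information profile an agent reports (the GlobalProtect slide), as one added example in Python. It is illustration code written for this page, not Palo Alto Networks code, and it does not reproduce App-ID, User-ID or GlobalProtect internals; the protocol heuristics, rule set, IP-to-user map, group membership and sample sessions are all constructed assumptions.

```python
"""Port-independent application identification feeding a positive-enforcement policy.

Added example written for this page: it is not Palo Alto Networks code and does not
reproduce App-ID, User-ID or GlobalProtect HIP internals. Everything it consumes is
constructed here: the first client bytes of a session, an IP-to-username map such as
a directory integration would supply, group membership, and a host information
profile (HIP) dict as an endpoint agent might report.
"""
from __future__ import annotations
from dataclasses import dataclass, field

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def identify_app(payload: bytes) -> str:
    """Classify by what the client actually sends; the destination port is never consulted."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record: type 0x16 (handshake), major version 3, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    # RDP: TPKT header (version 3) carrying an X.224 Connection Request (code 0xE0)
    if len(payload) >= 6 and payload[0] == 0x03 and payload[1] == 0x00 and payload[5] == 0xE0:
        return "ms-rdp"
    # HTTP request line: METHOD SP target SP HTTP/1.x
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/1."):
        return "web-browsing"
    return "unknown"


@dataclass
class Rule:
    name: str
    apps: set[str]                                        # App-IDs this rule permits
    groups: set[str]                                      # AD groups; empty set = any user, mapped or not
    hip: dict[str, object] = field(default_factory=dict)  # HIP attributes the host must report


# Positive enforcement: a session is allowed only if some rule names its app and its user/HIP fit.
RULES = [
    Rule("admins-remote-access", {"ssh", "ms-rdp"}, {"it-admins"}, {"disk_encrypted": True}),
    Rule("general-web", {"web-browsing", "ssl"}, set()),
]

# Constructed stand-ins for a directory-backed IP-to-user mapping and group membership.
IP_TO_USER = {"10.1.1.5": "hzielinski", "10.1.1.9": "bob"}
USER_GROUPS = {"hzielinski": {"it-admins", "staff"}, "bob": {"staff"}}


def hip_satisfied(required: dict[str, object], reported: dict[str, object]) -> bool:
    """Every required attribute must be present and equal; a missing report fails closed."""
    return all(reported.get(key) == value for key, value in required.items())


def decide(src_ip: str, dst_port: int, payload: bytes,
           hip: dict[str, object] | None = None) -> tuple[str, str, str]:
    """Return (app, user, verdict). dst_port is accepted only to show it plays no part."""
    app = identify_app(payload)
    user = IP_TO_USER.get(src_ip, "unknown")
    groups = USER_GROUPS.get(user, set())
    for rule in RULES:
        if app not in rule.apps:
            continue
        if rule.groups and not (rule.groups & groups):
            continue
        if not hip_satisfied(rule.hip, hip or {}):
            continue
        return app, user, f"allow:{rule.name}"
    return app, user, "deny:default"


if __name__ == "__main__":
    tls_hello = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32
    rdp_cr = b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"
    sessions = [
        ("10.1.1.5", 443, b"SSH-2.0-OpenSSH_8.9\r\n", {"disk_encrypted": True}),  # SSH hidden on 443
        ("10.1.1.9", 22, b"SSH-2.0-OpenSSH_8.9\r\n", {"disk_encrypted": True}),   # right port, wrong group
        ("10.1.1.5", 3389, rdp_cr, {"disk_encrypted": False}),                   # admin, but HIP fails
        ("10.1.1.9", 8080, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n", None),      # web on an odd port
        ("10.1.1.9", 443, tls_hello, None),
        ("10.1.1.9", 80, b"\x00\x01\x02\x03\x04\x05\x06", None),                 # unknown app on 80
    ]
    for src, port, data, hip in sessions:
        print(src, port, decide(src, port, data, hip))
```

Read the sample sessions against the slides: SSH on port 443 is still "ssh" and is allowed only because the source maps to an it-admins member whose host reports disk encryption; the same SSH from a staff user on port 22 is denied, as is the admin's RDP once the HIP report says the disk is not encrypted; anything the classifier cannot name falls to the default deny, which is what a positive enforcement model means in practice. A production classifier needs many more signatures and must look past the first bytes (and inside decrypted SSL) to reach this verdict.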
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
Specification            PA-5020      PA-5050      PA-5060
Firewall throughput      5 Gbps       10 Gbps      20 Gbps
Threat prevention        2 Gbps       5 Gbps       10 Gbps
IPSec VPN                2 Gbps       4 Gbps       4 Gbps
SSL VPN users            5,000        10,000       20,000
Sessions                 1,000,000    2,000,000    4,000,000
Virtual systems (VSYS)   up to 20     up to 125    up to 225
SFP+ (10 Gig) I/O        -            4            4
SFP (1 Gig) I/O          8            8            8
10/100/1000 copper I/O   12           12           12
Common to all models: hot-swappable fans and power supplies; dual solid-state drives; dedicated HA and management interfaces; 2U standard rack-mount form factor.
NGFWs Eliminate Data Center Compromise
• Prevent threats
  - Stop a wide range of threats on all allowed traffic
  - Proven quality (NSS tested and "Recommended")
  - Security by policy, not hardwired into the deployment
• Comply and compartmentalize
  - Save time and cost to compliance with network segmentation
  - Segment by user group and application
• Simplify with a flexible network security infrastructure
  - With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
  - With simpler, easier deployments
  - With reduced network security rack space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work, for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase; duplicates operational and management overhead
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram: remote and on-site users protected from malware, botnets and exploits]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
  - Users do what they want
  - Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
  - Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
  - App-ID: identifies applications regardless of port, protocol or SSL encryption
  - User-ID: integrated with the enterprise directory
  - Content-ID: threats, URLs, data
  - High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
  - Flexible deployment options for seamless integration
  - Consolidation of functionality into the firewall simplifies and saves money
New Requirements for the Security Device
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access and functionality
4. Protect in real time against threats embedded across applications
5. Multi-gigabit in-line deployment with no performance degradation
Palo Alto Networks Next-Generation Security Device
Palo Alto Networks Exceeds NGFW Requirements
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers:
• Application awareness and full stack visibility: App-ID identifies and controls 1,300+ applications
• Integrated rather than co-located IPS: Content-ID includes a full IPS without compromising performance
• Extra-firewall intelligence to identify users: User-ID brings AD users and groups into firewall policy
• Standard first-generation firewall capabilities: packet filtering, state, flexible NAT, IPSec and SSL VPNs, etc.
• Support for "bump in the wire" deployments
Gartner's recommendation: move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS or the combination of the two.
Unique Technologies Transform the Firewall
• App-ID: identify the application
• User-ID: identify the user
• Content-ID: scan the content
copy 2008 Palo Alto Networks Proprietary and Confidential Page 29 |
App-ID Comprehensive Application Visibility
bull Policy-based control more than 1200+ applications distributed across five categories and 25 sub-categories
bull Balanced mix of business internet and networking applications and networking protocols
bull ~ 5 - 10 new applications added weekly
copy 2009 Palo Alto Networks Proprietary and Confidential Page 30 |
User-ID Enterprise Directory Integration
bull Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group not just the IP address
bull Understand user application and threat behavior based on actual AD username not just IP
bull Manage and enforce policy based on user andor AD group
bull Investigate security incidents generate custom reports
copy 2009 Palo Alto Networks Proprietary and Confidential Page 31 |
Content-ID Real-Time Content Scanning
bull Stream-based not file-based for real-time performance
- Uniform signature engine scans for broad range of threats in single pass
- Vulnerability exploits (IPS) viruses and spyware (both downloads and phone-home)
bull Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into file to determine type ndash not extension based
bull Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000rsquos URLssec)
- Dynamic DB adapts to local regional or industry focused surfing patterns
Detect and block a wide range of threats limit unauthorized data transfer and control non-work related web surfing
copy 2008 Palo Alto Networks Proprietary and Confidential Page 32 |
bullNSS Labs the worldrsquos largest security and performance testing lab have recently
completed in-depth IPS testing of the Palo Alto Networksrsquo next-gen firewall Our solution
was tested against 1179 live exploits in what was the industrys most comprehensive IPS
test to date The results were crystal clear and provided the hard proof of what our next-
generation firewalls can really do Key results include
bullbull The highest IPS block rate in recent history (934)
bull 100 resistance to IPS evasion techniques
bull Simple IPS configuration and tuning
bull Provided all the above while exceeding the datasheet performance metrics by 115
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 33 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2009 Palo Alto Networks Proprietary and Confidential Page 34 |
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
bull Operations once per packet
- Traffic classification (app identification)
- Usergroup mapping
- Content scanning ndash threats URLs confidential data
bull One policy
Parallel Processing
bull Function-specific hardware engines
bull Separate datacontrol planes
Up to 10Gbps Low Latency
copy 2011 Palo Alto Networks Proprietary and Confidential
PA-5000 Series Architecture
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual solid-state drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow
control
Route ARP MAC
lookup
NAT Switch
Fabric
Signature Match
Signature Match
SSL IPSec De-
Compress SSL IPSec
De-Compress
SSL IPSec De-
Compress
Quad-core
CPU CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
RAM
RAM
SSD
SSD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
bull 40+ processors
bull 30+ GB of RAM
bull Separate high speed data and control planes
bull 20 Gbps firewall throughput
bull 10 Gbps threat prevention throughput
bull 4 Million concurrent sessions
Page 35 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 36 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 37 |
Powerful Policy-Based Control
bull Browse more than 1300 applications based on name category technology or characteristic
bull Immediately translate results into positive enforcement model firewall rules
bull Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto
Palo Alto ndash Network Sniffer
copy 2008 Palo Alto Networks Proprietary and Confidential Page 38 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 39 |
Visibility into Applications Users amp Content
User hzielinski Filter on Skype
Remove Skype to expand view of hzielinski
Palo Alto
Palo Alto ndash Rich reports
copy 2008 Palo Alto Networks Proprietary and Confidential Page 40 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 41 |
Demo (offline) ndash Traffic Log
copy 2008 Palo Alto Networks Proprietary and Confidential Page 42 |
Enables Executive Visibility
copy 2009 Palo Alto Networks Proprietary and Confidential Page 43 |
PAN-OS Features
bull Strong networking foundation
- Dynamic routing (OSPF RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode ndash connect to SPAN port
- Virtual wire (ldquoLayer 1rdquo) for true transparent in-line deployment
- L2L3 switching foundation
bull QoS traffic shaping - Maxguaranteed and priority
- By user app interface zone and more
bull Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
bull High Availability
- Active Active
- Configuration and session synchronization
- Path link and HA monitoring
bull Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
bull Simple flexible management
- CLI Web Panorama SNMP Syslog
Visibility and control of applications users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
bull Intuitive and flexible management
- CLI Web Panorama SNMP Syslog
- Role-based administration enables delegation of tasks to appropriate person
bull Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACCmonitoring views log collection and reporting
bull All interfaces work on current configuration avoiding sync issues
NGFW for mobile devices
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach: extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
(diagram: PA-5000 Series architecture with separate Control Plane and Data Plane)
Control Plane
• Highly available mgmt
• High speed logging and route update
• Dual hard drives
(quad-core CPU, RAM, two HDDs)
Data Plane
Switch Fabric
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
(QoS, Flow control, Route/ARP/MAC lookup, NAT)
Signature Match HW Engine
• Stream-based uniform sig match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
(three processor banks, each with CPU 1 to CPU 12, RAM and an SSL/IPSec/De-Compress engine; diagram link rates 20 Gbps and 10 Gbps)
NGFW for mobile devices
Source: Gartner (March 2010)
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
(diagram: applications RPC, SMS, SQL, SharePoint, SMB and NetBIOS spread across ports 135, 137, 139, 80 and 443, plus random high ports)
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security
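The "Ports ≠ Applications" point above, as an added illustration (not Palo Alto Networks code and not a description of App-ID internals): the same constructed flows are classified once by destination port and once by their first payload bytes, and every disagreement is the port hopping the slide describes. The port table, the payload signatures and the RFC 5737 addresses are assumptions built for this example.

```python
"""Port-based vs. application-based flow classification.

Each constructed flow is classified twice: from its destination port
(the stateful-inspection assumption that port 443 means SSL) and from
the first payload bytes (an App-ID-style approach). Disagreement
between the two answers is what "Ports != Applications" means.
"""
from dataclasses import dataclass

# What a port-based firewall assumes is running on each well-known port.
PORT_TABLE = {
    22: "ssh", 80: "web-browsing", 135: "msrpc", 139: "netbios-ss",
    443: "ssl", 445: "smb", 1433: "mssql", 3389: "rdp",
}


def _is_ssh(b: bytes) -> bool:
    # RFC 4253 identification string sent by both peers.
    return b.startswith(b"SSH-")


def _is_http(b: bytes) -> bool:
    # Request line starts with a method token followed by a space.
    return b.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"CONNECT"}


def _is_tls(b: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version major 0x03.
    return len(b) >= 3 and b[0] == 0x16 and b[1] == 0x03


def _is_smb(b: bytes) -> bool:
    # 4-byte NetBIOS session header followed by the SMB1 or SMB2 magic.
    return len(b) >= 8 and b[4:8] in (b"\xffSMB", b"\xfeSMB")


def _is_rdp(b: bytes) -> bool:
    # TPKT header (RFC 1006, version 3) carrying an X.224 connection request (0xE0).
    return len(b) >= 6 and b[0] == 0x03 and b[1] == 0x00 and b[5] == 0xE0


# Constructed signature set; the predicates do not overlap, so order is cosmetic.
SIGNATURES = [
    ("ssh", _is_ssh), ("web-browsing", _is_http), ("ssl", _is_tls),
    ("smb", _is_smb), ("rdp", _is_rdp),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client


def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dport, "unknown-tcp")


def classify_by_payload(flow: Flow) -> str:
    for app, matches in SIGNATURES:
        if matches(flow.payload):
            return app
    return "unknown-tcp"


def port_hopping_report(flows):
    """List the flows where the port-based and payload-based answers disagree.

    kind is "tunneled" when a known port carries a different application
    (SSH inside 443) and "non-standard-port" when a recognised application
    runs on a port the port table does not know (TLS on 8443).
    """
    findings = []
    for f in flows:
        by_port, by_payload = classify_by_port(f), classify_by_payload(f)
        if by_port == by_payload:
            continue
        kind = "non-standard-port" if by_port == "unknown-tcp" else "tunneled"
        findings.append({"flow": f, "port_says": by_port,
                         "payload_says": by_payload, "kind": kind})
    return findings


def sample_flows():
    """Constructed flows (not captured traffic), using RFC 5737 addresses."""
    return [
        Flow("192.0.2.10", "198.51.100.5", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
        Flow("192.0.2.11", "198.51.100.5", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
        Flow("192.0.2.12", "198.51.100.7", 8443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
        Flow("192.0.2.13", "198.51.100.9", 80, b"\x00\x00\x00\x40\xfeSMB\x40\x00\x00\x00"),
        Flow("192.0.2.14", "198.51.100.9", 3389, b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00"),
    ]


if __name__ == "__main__":
    for finding in port_hopping_report(sample_flows()):
        f = finding["flow"]
        print(f"{f.src} -> {f.dst}:{f.dport} port={finding['port_says']} "
              f"payload={finding['payload_says']} ({finding['kind']})")
```

Three of the five constructed flows are flagged: SSH on 443 and SMB on 80 as tunneled, TLS on 8443 as a non-standard port; a port-only policy would have allowed all three as "ssl", "web-browsing" and "unknown-tcp".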
Palo Alto Networks Protection + Performance
• Strong threat prevention
  - NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
  - The only IPS that catches threats on non-standard ports
  - Scan inbound and outbound SSL (decrypt) and compressed traffic
  - Assure only authorized applications are using network resources
  - Allow SSH/RDP, but only for authorized staff
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
                     PA-5020       PA-5050       PA-5060
Firewall             5 Gbps        10 Gbps       20 Gbps
Threat prevention    2 Gbps        5 Gbps        10 Gbps
IPSec VPN            2 Gbps        4 Gbps        4 Gbps
SSL VPN users        5,000         10,000        20,000
Sessions             1,000,000     2,000,000     4,000,000
Virtual systems      up to 20      up to 125     up to 225
I/O: PA-5020 (8) SFP (1 Gig), (12) 10/100/1000; PA-5050 and PA-5060 (4) SFP+ (10 Gig), (8) SFP (1 Gig), (12) 10/100/1000
All models:
• Hot swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
  - Stop a wide range of threats on all allowed traffic
  - Proven quality (NSS tested and "Recommended")
  - Security by policy, not hardwired into deployment
• Comply and Compartmentalize
  - Save time and cost to compliance with network segmentation
  - Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
  - With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
  - With simpler, easier deployments
  - With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
(diagram: botnets)
Enterprise Network Security
• Security Based on Best-Practices
• Full-Featured NGFW and Threat Prevention
No Network Security
• Security Based on Best-Effort
• Exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to cloud-based proxy for scanning and policy enforcement
• Supports limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates, operational and management overhead
Introducing GlobalProtect
• Users never go "off-network" regardless of location
• All firewalls work together to provide "cloud" of network security
• How it works
  - Small agent determines network location (on or off the enterprise network)
  - If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
  - Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
  - Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
(diagram: malware, botnets, exploits)
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
  - Users do what they want
  - Port hopping, tunneling and encryption of applications get around port-based classification of stateful-inspection firewalls
  - Leads to increased risks for the business
• Palo Alto Networks defines next-generation firewall with unique identification technologies
  - App-ID: identify applications regardless of port, protocol or SSL encryption
  - User-ID: integrated with enterprise directory
  - Content-ID: threats, URLs, data
  - High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
  - Flexible deployment options for seamless integration
  - Consolidation of functionality into firewall simplifies and saves money
Palo Alto Networks Exceeds NGFW Requirements
In "Defining the Next-Generation Firewall", Gartner describes what Palo Alto Networks already delivers:
• Application Awareness and Full Stack Visibility: App-ID identifies and controls 1300+ applications
• Integrated Rather Than Co-Located IPS: Content-ID includes full IPS without compromising performance
• Extra-Firewall Intelligence to Identify Users: User-ID brings AD users and groups into firewall policy
• Standard First-Generation Firewall Capabilities: packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc.
• Support "bump in the wire" Deployments
Gartner's Recommendations: move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS or the combination of the two
Unique Technologies Transform the Firewall
• App-ID: Identify the application
• User-ID: Identify the user
• Content-ID: Scan the content
App-ID: Comprehensive Application Visibility
• Policy-based control of more than 1200 applications distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5-10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
  - Leverage existing Active Directory infrastructure without complex agent rollout
  - Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user application and threat behavior based on actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
  - Uniform signature engine scans for broad range of threats in single pass
  - Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
  - Looks for CC and SSN patterns
  - Looks into file to determine type – not extension based
• Web filtering enabled via fully integrated URL database
  - Local 20M URL database (76 categories) maximizes performance (1000's of URLs/sec)
  - Dynamic DB adapts to local, regional or industry focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work related web surfing
• NSS Labs, the world's largest security and performance testing lab, has recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. Our solution was tested against 1179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided the hard proof of what our next-generation firewalls can really do. Key results include:
  - The highest IPS block rate in recent history (93.4%)
  - 100% resistance to IPS evasion techniques
  - Simple IPS configuration and tuning
  - Provided all the above while exceeding the datasheet performance metrics by 115%
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, Low Latency
PA-5000 Series Architecture
(diagram: separate Control Plane and Data Plane)
Control Plane
• Highly available mgmt
• High speed logging and route update
• Dual solid-state drives
(quad-core CPU, RAM, two SSDs)
Data Plane
Switch Fabric
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
(QoS, Flow control, Route/ARP/MAC lookup, NAT)
Signature Match HW Engine
• Stream-based uniform sig match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
(three processor banks, each with CPU 1 to CPU 12, RAM and an SSL/IPSec/De-Compress engine; diagram link rates 20 Gbps and 10 Gbps)
Summary
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 Million concurrent sessions
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory or IP address
(screenshot: Palo Alto – Network Sniffer)
Visibility into Applications, Users & Content
(screenshot: user hzielinski, filtered on Skype; remove Skype to expand view of hzielinski)
(screenshot: Palo Alto – Rich reports)
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
  - Dynamic routing (OSPF, RIPv2)
  - Site-to-site IPSec VPN
  - SSL VPN for remote access
  - Tap mode – connect to SPAN port
  - Virtual wire ("Layer 1") for true transparent in-line deployment
  - L2/L3 switching foundation
• QoS traffic shaping
  - Max/guaranteed and priority
  - By user, app, interface, zone and more
• Zone-based architecture
  - All interfaces assigned to security zones for policy enforcement
• High Availability
  - Active/Active
  - Configuration and session synchronization
  - Path, link and HA monitoring
• Virtual Systems
  - Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
(product lineup: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060)
Enterprise Device and Policy Management
• Intuitive and flexible management
  - CLI, Web, Panorama, SNMP, Syslog
  - Role-based administration enables delegation of tasks to appropriate person
• Panorama central management application
  - Shared policies enable consistent application control policies
  - Consolidated management, logging and monitoring of Palo Alto Networks devices
  - Consistent web interface between Panorama and device UI
  - Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on current configuration, avoiding sync issues
Zero-Day Attack Protection: a sandbox at the core
Flexible Deployment Options
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate segmentation (diagram: Datacenter 1, Datacenter 2; Segment A, Segment B, Segment C)
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks Next-Gen Firewalls

Model     Firewall    Threat prevention   Sessions     Interfaces
PA-500    250 Mbps    100 Mbps            50,000       8 copper gigabit
PA-2020   500 Mbps    200 Mbps            125,000      2 SFP, 12 copper gigabit
PA-2050   1 Gbps      500 Mbps            250,000      4 SFP, 16 copper gigabit
PA-4020   2 Gbps      2 Gbps              500,000      8 SFP, 16 copper gigabit
PA-4050   10 Gbps     5 Gbps              2,000,000    8 SFP, 16 copper gigabit
PA-4060   10 Gbps     5 Gbps              2,000,000    4 XFP (10 Gig), 4 SFP (1 Gig)
PA-5020   5 Gbps      2 Gbps              1,000,000    8 SFP, 12 copper gigabit
PA-5050   10 Gbps     5 Gbps              2,000,000    4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5060   20 Gbps     10 Gbps             4,000,000    4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
copy 2008 Palo Alto Networks Proprietary and Confidential Page 28 |
Unique Technologies Transform the Firewall
App-ID
Identify the application
User-ID
Identify the user
Content-ID
Scan the content
copy 2008 Palo Alto Networks Proprietary and Confidential Page 29 |
App-ID Comprehensive Application Visibility
bull Policy-based control more than 1200+ applications distributed across five categories and 25 sub-categories
bull Balanced mix of business internet and networking applications and networking protocols
bull ~ 5 - 10 new applications added weekly
copy 2009 Palo Alto Networks Proprietary and Confidential Page 30 |
User-ID Enterprise Directory Integration
bull Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group not just the IP address
bull Understand user application and threat behavior based on actual AD username not just IP
bull Manage and enforce policy based on user andor AD group
bull Investigate security incidents generate custom reports
copy 2009 Palo Alto Networks Proprietary and Confidential Page 31 |
Content-ID Real-Time Content Scanning
bull Stream-based not file-based for real-time performance
- Uniform signature engine scans for broad range of threats in single pass
- Vulnerability exploits (IPS) viruses and spyware (both downloads and phone-home)
bull Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into file to determine type ndash not extension based
bull Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000rsquos URLssec)
- Dynamic DB adapts to local regional or industry focused surfing patterns
Detect and block a wide range of threats limit unauthorized data transfer and control non-work related web surfing
copy 2008 Palo Alto Networks Proprietary and Confidential Page 32 |
bullNSS Labs the worldrsquos largest security and performance testing lab have recently
completed in-depth IPS testing of the Palo Alto Networksrsquo next-gen firewall Our solution
was tested against 1179 live exploits in what was the industrys most comprehensive IPS
test to date The results were crystal clear and provided the hard proof of what our next-
generation firewalls can really do Key results include
bullbull The highest IPS block rate in recent history (934)
bull 100 resistance to IPS evasion techniques
bull Simple IPS configuration and tuning
bull Provided all the above while exceeding the datasheet performance metrics by 115
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 33 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2009 Palo Alto Networks Proprietary and Confidential Page 34 |
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, low latency
PA-5000 Series Architecture
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC and SSN patterns, and more
Security Processors
• High-density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High-speed logging and route update
• Dual solid-state drives
Network Processor
• 20 Gbps front-end network processing
• Hardware-accelerated per-packet route lookup, MAC lookup and NAT
[Block diagram: a control plane (quad-core CPU, RAM, dual SSD) separated from the data plane; on the data plane the 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT) connects over the switch fabric to three security-processor groups (12-core CPUs with RAM plus SSL/IPSec/decompression offload) and two signature-match engines over 10 Gbps paths]
• 40+ processors
• 30+ GB of RAM
• Separate high-speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 million concurrent sessions
Traditional Multi-Pass Architectures are Slow
[Diagram: each security function runs as its own pass over the traffic, and every pass repeats Port/Protocol-based ID, L2/L3 networking, HA, config management and reporting on top of its own engine and policy:
- Firewall: Port/Protocol-based ID, firewall policy
- URL filtering: HTTP decoder, URL filtering policy
- IPS: IPS decoder, IPS signatures, IPS policy
- Anti-virus: AV decoder & proxy, AV signatures, AV policy]
Powerful Policy-Based Control
• Browse more than 1300 applications by name, category, technology or characteristic
• Immediately translate results into positive-enforcement-model firewall rules
• Policy enforcement by end-user group identities from Active Directory, or by IP address
[Screenshot: Palo Alto – Network Sniffer]
Visibility into Applications, Users & Content
[Screenshots: user hzielinski, filtered on Skype; removing the Skype filter expands the view of hzielinski]
[Screenshot: Palo Alto – Rich reports]
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode – connect to a SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping – max/guaranteed bandwidth and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active/Active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
Models: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and the device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
NGFW for mobile devices
Today: Quality of Security Tied to Location
[Diagram label: botnets]
Enterprise Network Security • Security based on best practices
• Full-featured NGFW and threat prevention
No Network Security • Security based on best effort
• Exposed to threats, risky app usage and more
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- A small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
- The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
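The last step above, policy enforcement on application, user group and host information profile together, as an added Python example; it also covers the "allow SSH/RDP, but only for authorized staff" rule from the threat-prevention slide. This is not GlobalProtect or PAN-OS code: the rule fields, the HIP attributes, the first-match semantics with an implicit final deny, and all users and sessions are assumptions constructed for the illustration.

```python
"""Added example (not GlobalProtect or PAN-OS code): a minimal first-match policy
evaluator that combines App-ID (application), User-ID (group), destination zone
and the host information profile (HIP) reported by the endpoint agent.

Network location is deliberately NOT a match criterion: the point of the
architecture is that an off-network laptop gets the same policy as an
on-network one. All rules, users and sessions below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class HostProfile:
    """What the agent reports about the endpoint (a subset of a real HIP)."""
    disk_encrypted: bool
    patch_level_ok: bool
    managed_asset: bool


@dataclass
class Session:
    user: str
    groups: set
    app: str
    dst_zone: str
    on_network: bool          # informational only; see module docstring
    hip: HostProfile


@dataclass
class Rule:
    name: str
    action: str                                          # "allow" or "deny"
    apps: set = field(default_factory=set)               # empty = any
    groups: set = field(default_factory=set)             # empty = any
    dst_zones: set = field(default_factory=set)          # empty = any
    hip_required: dict = field(default_factory=dict)     # HIP attrs and required values

    def matches(self, s: Session) -> bool:
        if self.apps and s.app not in self.apps:
            return False
        if self.groups and not (self.groups & s.groups):
            return False
        if self.dst_zones and s.dst_zone not in self.dst_zones:
            return False
        for attr, needed in self.hip_required.items():
            if getattr(s.hip, attr) != needed:
                return False
        return True


def evaluate(rules: list, s: Session) -> tuple:
    """First matching rule wins; an implicit deny closes the rulebase."""
    for r in rules:
        if r.matches(s):
            return (r.name, r.action)
    return ("implicit-deny", "deny")


# Constructed rulebase. Order matters: the admin allow must precede the catch-all deny.
RULES = [
    Rule("admin-remote-mgmt", "allow",
         apps={"ssh", "ms-rdp"}, groups={"it-admins"}, dst_zones={"datacenter"},
         hip_required={"disk_encrypted": True, "patch_level_ok": True, "managed_asset": True}),
    Rule("block-remote-mgmt", "deny", apps={"ssh", "ms-rdp"}),
    Rule("staff-web", "allow", apps={"web-browsing", "ssl"}, groups={"staff", "it-admins"},
         hip_required={"disk_encrypted": True}),
]

HEALTHY = HostProfile(disk_encrypted=True, patch_level_ok=True, managed_asset=True)
UNPATCHED = HostProfile(disk_encrypted=True, patch_level_ok=False, managed_asset=True)


def demo() -> dict:
    """Run constructed sessions through the rulebase and return the verdicts."""
    cases = {
        "admin_ssh_healthy_offnet": Session("alice", {"it-admins", "staff"}, "ssh", "datacenter", False, HEALTHY),
        "admin_ssh_healthy_onnet": Session("alice", {"it-admins", "staff"}, "ssh", "datacenter", True, HEALTHY),
        "admin_ssh_unpatched": Session("alice", {"it-admins", "staff"}, "ssh", "datacenter", False, UNPATCHED),
        "staff_rdp": Session("bob", {"staff"}, "ms-rdp", "datacenter", True, HEALTHY),
        "staff_web": Session("bob", {"staff"}, "web-browsing", "untrust", False, HEALTHY),
        "contractor_web": Session("eve", {"contractors"}, "web-browsing", "untrust", False, HEALTHY),
    }
    return {name: evaluate(RULES, s) for name, s in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} -> {verdict}")
```

The unpatched-admin case is the one worth noticing: the same user with the same application is refused because the HIP check fails, which is the control a plain VPN concentrator cannot express.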
Zero-Day Attack Protection
A sandbox at the core
Flexible Deployment Options
Transparent In-Line / Firewall Replacement
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate segmentation
[Diagram: Datacenter 1, Datacenter 2; Segment A, Segment B, Segment C]
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks Next-Gen Firewalls
PA-4050 • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions • 8 SFP, 16 copper gigabit
PA-4020 • 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions • 8 SFP, 16 copper gigabit
PA-4060 • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions • 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050 • 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions • 4 SFP, 16 copper gigabit
PA-2020 • 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions • 2 SFP, 12 copper gigabit
PA-500 • 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions • 8 copper gigabit
PA-5050 • 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions • 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020 • 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions • 8 SFP, 12 copper gigabit
PA-5060 • 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions • 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You – Zion Ezra, VP Sales
POC and AVR Report
[Screenshots: AVR Report]
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines the trust boundary
• Need to Restore Visibility and Control in the Firewall
[Diagram labels: Collaboration, Media, SaaS, Personal]
• BUT… Applications Have Changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Exploit protection
Many months pass between black-hat discovery, white-hat discovery and protection being available
Need to protect all applications
A sandbox at the core
Needs user-based access control
Needs high-speed IPS and AV
Need to perform across all applications
Need to block the unknown
Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach: extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
[Block diagram: the same PA-5000 Series architecture as above (80 Gbps switch fabric interconnect, 20 Gbps QoS engine, stream-based signature match hardware engine, security processors with SSL/IPSec/decompression offload, 20 Gbps network processor with hardware-accelerated route/MAC lookup and NAT, separate control plane with quad-core CPU, RAM, highly available management and high-speed logging), here shown with dual hard drives]
NGFW for mobile devices
Source: Gartner, as of March 2010
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
[Diagram: RPC, SMS, SQL, SharePoint, SMB and NetBIOS mapped onto ports 135, 137, 139, 80 and 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports – fundamentally breaking port-based network security
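What "ports ≠ applications" means in practice, as an added Python example: the session is classified from the first bytes the client sends, and that verdict is compared with the port-based guess. This is not App-ID code; the signature set, the port table, the minimal TLS ClientHello builder used to produce a realistic sample, and all traffic samples are assumptions constructed for the illustration.

```python
"""Added example (not App-ID code): identify the application from the first
client->server bytes instead of the destination port, then flag sessions
where the two disagree (SSH on 443, RDP on 22, TLS on 80, HTTP on 8080).
A minimal TLS ClientHello builder supplies a realistic sample; every sample
here is constructed for this example.
"""
import re
import struct

PORT_GUESS = {22: "ssh", 80: "web-browsing", 443: "ssl", 445: "smb", 3389: "ms-rdp"}
HTTP_RE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def classify(payload: bytes) -> str:
    """Identify the application from the opening bytes of the client stream."""
    if payload.startswith(b"SSH-2.0-") or payload.startswith(b"SSH-1.99-"):
        return "ssh"
    if HTTP_RE.match(payload):
        return "web-browsing"
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 3 and payload[5] == 1:
        return "ssl"                      # TLS record type 22 carrying handshake type 1
    if len(payload) >= 8 and payload[4:8] in (b"\xffSMB", b"\xfeSMB"):
        return "smb"                      # NetBIOS session header followed by SMB magic
    if len(payload) >= 11 and payload[0] == 3 and payload[1] == 0 and payload[5] == 0xE0:
        return "ms-rdp"                   # TPKT header + X.224 Connection Request
    return "unknown"


def port_vs_payload(dst_port: int, payload: bytes) -> dict:
    """Compare the port-based guess with the content-based verdict."""
    by_port = PORT_GUESS.get(dst_port, "unknown")
    by_content = classify(payload)
    return {"port": dst_port, "by_port": by_port, "by_content": by_content,
            "evasion": by_content != "unknown" and by_content != by_port}


def client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello that carries an SNI extension."""
    host = sni.encode()
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host   # list len, type, name len
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext                  # extension type 0
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"          # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"           # one cipher suite
            + b"\x01\x00"                                  # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sni_of(payload: bytes) -> str:
    """Walk a ClientHello and return the server_name, or '' if absent."""
    p = 5 + 4 + 2 + 32                              # record hdr, hs hdr, version, random
    p += 1 + payload[p]                             # session id
    cs_len = struct.unpack("!H", payload[p:p + 2])[0]
    p += 2 + cs_len
    p += 1 + payload[p]                             # compression methods
    ext_len = struct.unpack("!H", payload[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[p:p + 4])
        p += 4
        if etype == 0:                              # server_name: list len, type, name len, name
            name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
            return payload[p + 5:p + 5 + name_len].decode()
        p += elen
    return ""


# Constructed samples: SSH on 443, HTTP on 8080, TLS on 80, SMB on 445, RDP on 22.
SAMPLES = [
    (443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    (8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    (80, client_hello("updates.example.net")),
    (445, b"\x00\x00\x00\x2f\xfeSMB" + b"\x00" * 8),
    (22, b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port_vs_payload(port, data))
    print(sni_of(client_hello("updates.example.net")))
```

Four of the five constructed sessions are misclassified by port alone; the SNI extraction shows why a firewall that decrypts SSL still needs to look inside the handshake first, since the destination name is what decides whether decryption is allowed at all.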
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5050
• 10 Gbps FW
• 5 Gbps threat prevention
• 4 Gbps IPSec VPN
• 10,000 SSL VPN users
• 2,000,000 sessions
• Up to 125 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5020
• 5 Gbps FW
• 2 Gbps threat prevention
• 2 Gbps IPSec VPN
• 5,000 SSL VPN users
• 1,000,000 sessions
• Up to 20 VSYS
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5060
• 20 Gbps FW
• 10 Gbps threat prevention
• 4 Gbps IPSec VPN
• 20,000 SSL VPN users
• 4,000,000 sessions
• Up to 225 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
• Hot-swappable fans, power supplies
• Dual solid-state hard drives
• Dedicated HA and management interfaces
• 2U standard rack-mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into the deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack-space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality; heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates; operational and management overhead
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram labels: malware, botnets, exploits]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
App-ID: Comprehensive Application Visibility
• Policy-based control of more than 1200 applications, distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
• ~5–10 new applications added weekly
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without a complex agent rollout
- Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user, application and threat behavior based on the actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
- Uniform signature engine scans for a broad range of threats in a single pass
- Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into file to determine type ndash not extension based
bull Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000rsquos URLssec)
- Dynamic DB adapts to local regional or industry focused surfing patterns
Detect and block a wide range of threats limit unauthorized data transfer and control non-work related web surfing
copy 2008 Palo Alto Networks Proprietary and Confidential Page 32 |
bullNSS Labs the worldrsquos largest security and performance testing lab have recently
completed in-depth IPS testing of the Palo Alto Networksrsquo next-gen firewall Our solution
was tested against 1179 live exploits in what was the industrys most comprehensive IPS
test to date The results were crystal clear and provided the hard proof of what our next-
generation firewalls can really do Key results include
bullbull The highest IPS block rate in recent history (934)
bull 100 resistance to IPS evasion techniques
bull Simple IPS configuration and tuning
bull Provided all the above while exceeding the datasheet performance metrics by 115
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 33 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2009 Palo Alto Networks Proprietary and Confidential Page 34 |
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
bull Operations once per packet
- Traffic classification (app identification)
- Usergroup mapping
- Content scanning ndash threats URLs confidential data
bull One policy
Parallel Processing
bull Function-specific hardware engines
bull Separate datacontrol planes
Up to 10Gbps Low Latency
copy 2011 Palo Alto Networks Proprietary and Confidential
PA-5000 Series Architecture
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual solid-state drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow
control
Route ARP MAC
lookup
NAT Switch
Fabric
Signature Match
Signature Match
SSL IPSec De-
Compress SSL IPSec
De-Compress
SSL IPSec De-
Compress
Quad-core
CPU CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
RAM
RAM
SSD
SSD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
bull 40+ processors
bull 30+ GB of RAM
bull Separate high speed data and control planes
bull 20 Gbps firewall throughput
bull 10 Gbps threat prevention throughput
bull 4 Million concurrent sessions
Page 35 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 36 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 37 |
Powerful Policy-Based Control
bull Browse more than 1300 applications based on name category technology or characteristic
bull Immediately translate results into positive enforcement model firewall rules
bull Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto
Palo Alto ndash Network Sniffer
copy 2008 Palo Alto Networks Proprietary and Confidential Page 38 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 39 |
Visibility into Applications Users amp Content
User hzielinski Filter on Skype
Remove Skype to expand view of hzielinski
Palo Alto
Palo Alto ndash Rich reports
copy 2008 Palo Alto Networks Proprietary and Confidential Page 40 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 41 |
Demo (offline) ndash Traffic Log
copy 2008 Palo Alto Networks Proprietary and Confidential Page 42 |
Enables Executive Visibility
copy 2009 Palo Alto Networks Proprietary and Confidential Page 43 |
PAN-OS Features
bull Strong networking foundation
- Dynamic routing (OSPF RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode ndash connect to SPAN port
- Virtual wire (ldquoLayer 1rdquo) for true transparent in-line deployment
- L2L3 switching foundation
bull QoS traffic shaping - Maxguaranteed and priority
- By user app interface zone and more
bull Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
bull High Availability
- Active Active
- Configuration and session synchronization
- Path link and HA monitoring
bull Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
bull Simple flexible management
- CLI Web Panorama SNMP Syslog
Visibility and control of applications users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
bull Intuitive and flexible management
- CLI Web Panorama SNMP Syslog
- Role-based administration enables delegation of tasks to appropriate person
bull Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACCmonitoring views log collection and reporting
bull All interfaces work on current configuration avoiding sync issues
NGFW for mobile devices
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications

PA-5020
• 5 Gbps FW
• 2 Gbps threat prevention
• 2 Gbps IPSec VPN
• 5,000 SSL VPN users
• 1,000,000 sessions
• Up to 20 VSYS
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000

PA-5050
• 10 Gbps FW
• 5 Gbps threat prevention
• 4 Gbps IPSec VPN
• 10,000 SSL VPN users
• 2,000,000 sessions
• Up to 125 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000

PA-5060
• 20 Gbps FW
• 10 Gbps threat prevention
• 4 Gbps IPSec VPN
• 20,000 SSL VPN users
• 4,000,000 sessions
• Up to 225 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000

• Hot-swappable fans and power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user, group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
Enterprise Network Security
• Security based on best practices
• Full-featured NGFW and threat prevention
No Network Security
• Security based on best effort
• Exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality; heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase; duplicates operational and management overhead
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- A small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
- The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
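Added example, not the deck's content and not Palo Alto Networks code or policy syntax: a small policy evaluator that combines user group, application and host information profile (HIP) attributes the way the last step above describes. The rule format, the HIP attribute names (disk_encrypted, patch_level, av_running), the group names and the host reports are all constructed for illustration.

```python
"""Gateway policy check combining user group, application and host
information profile (HIP). Added example; rules, hosts and attribute
names are assumptions, not Palo Alto Networks' policy model.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    user: str
    groups: set
    location: str                              # "on-network" / "off-network", as reported by the agent
    hip: dict = field(default_factory=dict)    # host information profile submitted to the gateway


@dataclass
class Rule:
    name: str
    apps: set             # applications (App-ID style names) the rule covers
    groups: set           # required group membership; {"any"} matches everyone
    hip_required: dict    # HIP attributes that must match exactly
    action: str           # "allow" or "deny"


def hip_matches(required: dict, hip: dict) -> bool:
    """Every required attribute must be present and equal; a missing attribute fails closed."""
    return all(hip.get(key) == value for key, value in required.items())


def group_matches(required: set, groups: set) -> bool:
    return "any" in required or bool(required & groups)


def evaluate(rules, host: Host, app: str):
    """First matching rule wins; no match means deny. The rules never branch on
    host.location: the same policy applies on and off the network, which is the
    point of the design described above."""
    for rule in rules:
        if (app in rule.apps
                and group_matches(rule.groups, host.groups)
                and hip_matches(rule.hip_required, host.hip)):
            return rule.action, rule.name
    return "deny", "default-deny"


# Constructed rule base: remote admin only for admins on compliant hosts,
# web for anyone running AV, and an explicit catch-all for remote admin apps.
POLICY = [
    Rule("admins-rdp-ssh", {"ms-rdp", "ssh"}, {"IT-Admins"},
         {"disk_encrypted": True, "patch_level": "current"}, "allow"),
    Rule("staff-web", {"web-browsing", "ssl"}, {"any"}, {"av_running": True}, "allow"),
    Rule("block-remote-admin", {"ms-rdp", "ssh"}, {"any"}, {}, "deny"),
]

# Constructed hosts and their HIP reports.
ADMIN_COMPLIANT = Host("CORP\\jdoe", {"IT-Admins"}, "off-network",
                       {"disk_encrypted": True, "patch_level": "current", "av_running": True})
ADMIN_UNENCRYPTED = Host("CORP\\jdoe", {"IT-Admins"}, "off-network",
                         {"disk_encrypted": False, "patch_level": "current", "av_running": True})
FINANCE_NO_AV = Host("CORP\\hzielinski", {"Finance"}, "on-network", {"av_running": False})


def decisions():
    """Verdicts for a few representative requests."""
    return {
        "admin-compliant-rdp": evaluate(POLICY, ADMIN_COMPLIANT, "ms-rdp"),
        "admin-unencrypted-rdp": evaluate(POLICY, ADMIN_UNENCRYPTED, "ms-rdp"),
        "finance-no-av-web": evaluate(POLICY, FINANCE_NO_AV, "web-browsing"),
        "finance-rdp": evaluate(POLICY, FINANCE_NO_AV, "ms-rdp"),
        "admin-compliant-ssl": evaluate(POLICY, ADMIN_COMPLIANT, "ssl"),
    }


if __name__ == "__main__":
    for request, (action, rule) in decisions().items():
        print(f"{request:24s} -> {action:5s} ({rule})")
```

The unencrypted admin laptop is denied RDP even though the user is in the right group, and a host whose HIP report lacks a required attribute fails closed; that is the extra decision input a host profile adds over user and application alone.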
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram labels: malware, botnets, exploits]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
User-ID: Enterprise Directory Integration
• Users no longer defined solely by IP address
- Leverage existing Active Directory infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group, not just the IP address
• Understand user, application and threat behavior based on the actual AD username, not just IP
• Manage and enforce policy based on user and/or AD group
• Investigate security incidents, generate custom reports
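Added example, not the deck's content and not the User-ID agent: building an IP-to-user mapping from constructed domain-controller logon events and using it to enrich traffic records with user and AD group, including expiry of a stale mapping and the case where the same IP is later used by another user. The event format, the 45-minute timeout and the group table are assumptions.

```python
"""IP-to-user mapping from domain-controller logon events (added example).

The log lines loosely follow a Windows security log export (4624 = successful
logon, 4634 = logoff) but are constructed, as are the traffic rows and groups.
"""
import re
from datetime import datetime, timedelta

# Constructed logon events: timestamp, event id, account, source IP.
LOGON_EVENTS = """\
2011-09-12T08:01:10 4624 CORP\\hzielinski 10.1.20.15
2011-09-12T08:02:45 4624 CORP\\jdoe 10.1.20.22
2011-09-12T08:40:00 4624 CORP\\svc-backup 10.1.30.5
2011-09-12T09:00:00 4634 CORP\\jdoe 10.1.20.22
2011-09-12T11:15:30 4624 CORP\\jdoe 10.1.20.15
"""

# Constructed AD group membership, as a directory lookup would return it.
GROUPS = {
    "CORP\\hzielinski": {"Domain Users", "Finance"},
    "CORP\\jdoe": {"Domain Users", "IT-Admins"},
    "CORP\\svc-backup": {"Service Accounts"},
}

EVENT_RE = re.compile(r"^(\S+) (\d+) (\S+) (\d+\.\d+\.\d+\.\d+)$")
MAPPING_TIMEOUT = timedelta(minutes=45)   # assumed lifetime of an IP-to-user mapping


def parse_events(text):
    """Yield (timestamp, account, ip) for successful logons only; logoffs are ignored here."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m and m.group(2) == "4624":
            yield datetime.fromisoformat(m.group(1)), m.group(3), m.group(4)


def build_mapping(events):
    """Per IP, keep the time-ordered list of logons seen from it."""
    table = {}
    for ts, user, ip in sorted(events):
        table.setdefault(ip, []).append((ts, user))
    return table


def lookup_user(table, ip, at):
    """Newest logon from ip at or before `at` that is not older than MAPPING_TIMEOUT."""
    best = None
    for ts, user in table.get(ip, []):
        if ts <= at and at - ts <= MAPPING_TIMEOUT:
            best = user           # entries are time-ordered, so the last hit is the newest
    return best


def enrich(table, traffic):
    """Attach user and groups to (time, src_ip, app) traffic records."""
    out = []
    for ts, ip, app in traffic:
        user = lookup_user(table, ip, ts)
        groups = sorted(GROUPS.get(user, set())) if user else []
        out.append({"time": ts.isoformat(), "src": ip, "app": app,
                    "user": user or "unknown", "groups": groups})
    return out


TRAFFIC = [   # constructed traffic-log rows
    (datetime(2011, 9, 12, 8, 10), "10.1.20.15", "skype"),
    (datetime(2011, 9, 12, 11, 20), "10.1.20.15", "ssh"),          # same IP, later user
    (datetime(2011, 9, 12, 8, 5), "10.1.20.99", "web-browsing"),   # never seen logging on
    (datetime(2011, 9, 12, 10, 0), "10.1.30.5", "smb"),            # mapping older than timeout
]


def user_view(text=LOGON_EVENTS, traffic=TRAFFIC):
    return enrich(build_mapping(parse_events(text)), traffic)


if __name__ == "__main__":
    for row in user_view():
        print(row)
```

The timeout is what keeps a DHCP-reassigned or shared address from being attributed to the wrong person indefinitely; anything that cannot be attributed stays "unknown" rather than inheriting the last user seen.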
Content-ID: Real-Time Content Scanning
• Stream-based, not file-based, for real-time performance
- Uniform signature engine scans for a broad range of threats in a single pass
- Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)
• Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into the file to determine type – not extension based
• Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000's of URLs/sec)
- Dynamic DB adapts to local, regional or industry-focused surfing patterns
Detect and block a wide range of threats, limit unauthorized data transfer and control non-work-related web surfing
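Added example, not the deck's content and not Content-ID: the two data-control techniques the slide names, implemented on constructed input. It matches credit-card and SSN patterns in a text stream (with a Luhn check so that arbitrary digit runs are not reported) and identifies file type from magic bytes rather than the declared extension. The patterns, the magic-byte table, the sample stream and the sample payloads are assumptions for illustration; the card number is a standard test number.

```python
"""Sensitive-data patterns and magic-byte file typing (added example)."""
import re

# 13 to 16 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
CC_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,15}(?!\d)")
# AAA-GG-SSSS with the invalid area/group/serial values excluded.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str):
    """Return (kind, match) pairs for card numbers passing Luhn and for SSN-shaped values."""
    hits = []
    for m in CC_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("credit-card", m.group()))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    return hits


# Magic-byte signatures at offset 0 for a few common types (assumed subset).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf-executable"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# Which detected type each declared extension is allowed to carry.
EXPECTED_FOR_EXT = {"pdf": "pdf", "exe": "pe-executable", "dll": "pe-executable",
                    "zip": "zip", "docx": "zip", "png": "png"}


def file_type(data: bytes) -> str:
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the bytes identify a known type that the declared extension does not match."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    real = file_type(data)
    return real != "unknown" and real != EXPECTED_FOR_EXT.get(ext, "unknown")


# Constructed sample stream: one Luhn-valid test card, one Luhn-invalid digit run,
# one SSN-shaped value and a phone number that must not be reported.
SAMPLE_STREAM = (
    "Invoice 2011-0912 for order 100234567. "
    "Card: 4111 1111 1111 1111 exp 09/14. "
    "Tracking 1234567890123456. "
    "Applicant SSN 219-09-9999, phone 555-123-4567."
)

SAMPLE_FILES = [   # constructed: (declared name, first bytes)
    ("quarterly.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),    # PE executable renamed to .pdf
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),    # OOXML is a zip container
    ("readme.txt", b"just some text"),                  # unknown type: nothing to judge
]


def scan(text=SAMPLE_STREAM):
    return find_sensitive(text)


def mismatched_files(files=SAMPLE_FILES):
    return [name for name, data in files if extension_mismatch(name, data)]


if __name__ == "__main__":
    print(scan())
    print(mismatched_files())
```

Both checks work on a prefix of the data (the first bytes of a file, a window of text), which is what makes them usable in a streaming, single-pass engine rather than after the whole file has been reassembled.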
Palo Alto Networks IPS Protection + Performance
• NSS Labs, the world's largest security and performance testing lab, have recently completed in-depth IPS testing of the Palo Alto Networks' next-gen firewall. Our solution was tested against 1179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided the hard proof of what our next-generation firewalls can really do. Key results include:
• The highest IPS block rate in recent history (93.4%)
• 100% resistance to IPS evasion techniques
• Simple IPS configuration and tuning
• Provided all the above while exceeding the datasheet performance metrics by 115%
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, Low Latency
PA-5000 Series Architecture
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual solid-state drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Architecture diagram: 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT) feeding a data plane switch fabric over 10 Gbps paths; signature match engines; SSL, IPSec and decompression engines; quad-core security CPUs with RAM; a separate control plane with RAM and dual SSDs]
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 million concurrent sessions
Traditional Multi-Pass Architectures are Slow
[Diagram: four separate passes, each carrying its own port/protocol-based ID, L2/L3 networking, HA, config management and reporting:
1. Firewall policy
2. HTTP decoder → URL filtering policy
3. IPS decoder → IPS signatures → IPS policy
4. AV decoder & proxy → AV signatures → AV policy]
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory or IP address
[Screenshot: Palo Alto – Network Sniffer]
Visibility into Applications, Users & Content
[Screenshot: user hzielinski, filter on Skype; remove Skype to expand the view of hzielinski]
[Screenshot: Palo Alto – Rich reports]
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode – connect to a SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping
- Max/guaranteed and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active/Active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
Models: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and the device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
Zero-Day Attack Protection
• A sandbox at the core
Flexible Deployment Options
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate Segmentation
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
[Diagram: Datacenter 1, Datacenter 2; Segment A, Segment B, Segment C]
Palo Alto Networks Next-Gen Firewalls
PA-500: 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions; 8 copper gigabit
PA-2020: 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions; 2 SFP, 12 copper gigabit
PA-2050: 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions; 4 SFP, 16 copper gigabit
PA-4020: 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions; 8 SFP, 16 copper gigabit
PA-4050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 8 SFP, 16 copper gigabit
PA-4060: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-5020: 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions; 8 SFP, 12 copper gigabit
PA-5050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5060: 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You – Zion Ezra, VP Sales
POC and AVR Report
[Screenshots: AVR Report]
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
• BUT… Applications Have Changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
• Need to Restore Visibility and Control in the Firewall
[Diagram labels: Collaboration, Media, SaaS, Personal]
Exploit protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Need to perform across all applications
• Need to block the unknown
• Conclusion: advanced-malware protection belongs in a next generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach: extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
copy 2009 Palo Alto Networks Proprietary and Confidential Page 31 |
Content-ID Real-Time Content Scanning
bull Stream-based not file-based for real-time performance
- Uniform signature engine scans for broad range of threats in single pass
- Vulnerability exploits (IPS) viruses and spyware (both downloads and phone-home)
bull Block transfer of sensitive data and file transfers by type
- Looks for CC and SSN patterns
- Looks into file to determine type ndash not extension based
bull Web filtering enabled via fully integrated URL database
- Local 20M URL database (76 categories) maximizes performance (1000rsquos URLssec)
- Dynamic DB adapts to local regional or industry focused surfing patterns
Detect and block a wide range of threats limit unauthorized data transfer and control non-work related web surfing
copy 2008 Palo Alto Networks Proprietary and Confidential Page 32 |
bullNSS Labs the worldrsquos largest security and performance testing lab have recently
completed in-depth IPS testing of the Palo Alto Networksrsquo next-gen firewall Our solution
was tested against 1179 live exploits in what was the industrys most comprehensive IPS
test to date The results were crystal clear and provided the hard proof of what our next-
generation firewalls can really do Key results include
bullbull The highest IPS block rate in recent history (934)
bull 100 resistance to IPS evasion techniques
bull Simple IPS configuration and tuning
bull Provided all the above while exceeding the datasheet performance metrics by 115
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 33 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2009 Palo Alto Networks Proprietary and Confidential Page 34 |
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
bull Operations once per packet
- Traffic classification (app identification)
- Usergroup mapping
- Content scanning ndash threats URLs confidential data
bull One policy
Parallel Processing
bull Function-specific hardware engines
bull Separate datacontrol planes
Up to 10Gbps Low Latency
copy 2011 Palo Alto Networks Proprietary and Confidential
PA-5000 Series Architecture
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual solid-state drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow
control
Route ARP MAC
lookup
NAT Switch
Fabric
Signature Match
Signature Match
SSL IPSec De-
Compress SSL IPSec
De-Compress
SSL IPSec De-
Compress
Quad-core
CPU CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
RAM
RAM
SSD
SSD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
bull 40+ processors
bull 30+ GB of RAM
bull Separate high speed data and control planes
bull 20 Gbps firewall throughput
bull 10 Gbps threat prevention throughput
bull 4 Million concurrent sessions
Page 35 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 36 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 37 |
Powerful Policy-Based Control
bull Browse more than 1300 applications based on name category technology or characteristic
bull Immediately translate results into positive enforcement model firewall rules
bull Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto
Palo Alto ndash Network Sniffer
copy 2008 Palo Alto Networks Proprietary and Confidential Page 38 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 39 |
Visibility into Applications Users amp Content
User hzielinski Filter on Skype
Remove Skype to expand view of hzielinski
Palo Alto
Palo Alto ndash Rich reports
copy 2008 Palo Alto Networks Proprietary and Confidential Page 40 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 41 |
Demo (offline) ndash Traffic Log
copy 2008 Palo Alto Networks Proprietary and Confidential Page 42 |
Enables Executive Visibility
copy 2009 Palo Alto Networks Proprietary and Confidential Page 43 |
PAN-OS Features
bull Strong networking foundation
- Dynamic routing (OSPF RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode ndash connect to SPAN port
- Virtual wire (ldquoLayer 1rdquo) for true transparent in-line deployment
- L2L3 switching foundation
bull QoS traffic shaping - Maxguaranteed and priority
- By user app interface zone and more
bull Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
bull High Availability
- Active Active
- Configuration and session synchronization
- Path link and HA monitoring
bull Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
bull Simple flexible management
- CLI Web Panorama SNMP Syslog
Visibility and control of applications users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
bull Intuitive and flexible management
- CLI Web Panorama SNMP Syslog
- Role-based administration enables delegation of tasks to appropriate person
bull Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACCmonitoring views log collection and reporting
bull All interfaces work on current configuration avoiding sync issues
NGFW for mobile devices
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
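As an added example (not the deck's or Palo Alto Networks' code), a Python model of the gateway decision the four steps above describe: the host information profile reported by the agent is evaluated together with the User-ID groups and the App-ID result under a positive-enforcement policy. Rule names, groups, HIP fields and hosts are constructed.

```python
"""Gateway-side policy decision modelled on the GlobalProtect flow described
above: the agent reports a host information profile (HIP), and the gateway
combines it with App-ID (application) and User-ID (directory groups) under a
positive-enforcement policy, where anything not explicitly allowed is denied.
Added example with constructed rules and hosts; not Palo Alto Networks code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HostInfoProfile:
    """Subset of what the agent submits: asset type, patch level, disk encryption."""
    asset_type: str          # e.g. "corporate-laptop", "personal-tablet"
    patch_age_days: int      # days since the last OS patch was applied
    disk_encrypted: bool


@dataclass(frozen=True)
class Session:
    """What the gateway knows about one flow after classification."""
    user: str
    groups: frozenset                 # User-ID: directory groups of the user
    app: str                          # App-ID: "unknown-tcp" when nothing matched
    hip: Optional[HostInfoProfile]    # None when no agent report was received


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset
    groups: frozenset                          # empty set = any user
    require_encryption: bool = False
    max_patch_age_days: Optional[int] = None
    asset_types: frozenset = frozenset()       # empty set = any asset type

    def has_hip_requirements(self) -> bool:
        return (self.require_encryption
                or self.max_patch_age_days is not None
                or bool(self.asset_types))

    def hip_ok(self, hip: Optional[HostInfoProfile]) -> bool:
        if not self.has_hip_requirements():
            return True
        if hip is None:              # HIP required but the host reported none
            return False
        if self.require_encryption and not hip.disk_encrypted:
            return False
        if self.max_patch_age_days is not None and hip.patch_age_days > self.max_patch_age_days:
            return False
        if self.asset_types and hip.asset_type not in self.asset_types:
            return False
        return True

    def matches(self, s: Session) -> bool:
        if s.app not in self.apps:
            return False
        if self.groups and not (self.groups & s.groups):
            return False
        return self.hip_ok(s.hip)


# Constructed policy. Order matters: first match wins, no match = deny.
POLICY = [
    Rule("admin-ssh-rdp", frozenset({"ssh", "ms-rdp"}), frozenset({"it-staff"}),
         require_encryption=True, max_patch_age_days=30,
         asset_types=frozenset({"corporate-laptop"})),
    Rule("sales-crm", frozenset({"salesforce"}), frozenset({"sales"}),
         require_encryption=True),
    Rule("web-any-user", frozenset({"web-browsing", "ssl"}), frozenset()),
]


def evaluate(session: Session, policy=POLICY):
    """Return (action, rule_name). Unknown apps never match an allow rule,
    so 'block the unknown' falls out of the positive model."""
    for rule in policy:
        if rule.matches(session):
            return "allow", rule.name
    return "deny", "default-deny"


# Constructed hosts for the demonstration.
HEALTHY = HostInfoProfile("corporate-laptop", patch_age_days=5, disk_encrypted=True)
UNENCRYPTED = HostInfoProfile("corporate-laptop", patch_age_days=5, disk_encrypted=False)
STALE = HostInfoProfile("corporate-laptop", patch_age_days=90, disk_encrypted=True)
TABLET = HostInfoProfile("personal-tablet", patch_age_days=1, disk_encrypted=True)

if __name__ == "__main__":
    for s in [Session("alice", frozenset({"it-staff"}), "ssh", HEALTHY),
              Session("alice", frozenset({"it-staff"}), "ssh", UNENCRYPTED),
              Session("bob", frozenset({"finance"}), "ssh", HEALTHY),
              Session("carol", frozenset({"sales"}), "salesforce", TABLET),
              Session("dave", frozenset(), "unknown-tcp", HEALTHY)]:
        print(s.user, s.app, evaluate(s))
```

The same rules apply whether the laptop is on the corporate LAN or connected through the SSL VPN, which is the point of the "never off-network" model.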
Zero-Day Attack Protection: a sandbox at the core
Flexible Deployment Options
Transparent In-Line:
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement:
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate segmentation (diagram: Datacenter 1, Datacenter 2; Segments A, B and C)
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
Palo Alto Networks Next-Gen Firewalls
Model    Firewall   Threat prevention  Sessions   Interfaces
PA-500   250 Mbps   100 Mbps           50,000     8 copper gigabit
PA-2020  500 Mbps   200 Mbps           125,000    2 SFP, 12 copper gigabit
PA-2050  1 Gbps     500 Mbps           250,000    4 SFP, 16 copper gigabit
PA-4020  2 Gbps     2 Gbps             500,000    8 SFP, 16 copper gigabit
PA-4050  10 Gbps    5 Gbps             2,000,000  8 SFP, 16 copper gigabit
PA-4060  10 Gbps    5 Gbps             2,000,000  4 XFP (10 Gig), 4 SFP (1 Gig)
PA-5020  5 Gbps     2 Gbps             1,000,000  8 SFP, 12 copper gigabit
PA-5050  10 Gbps    5 Gbps             2,000,000  4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5060  20 Gbps    10 Gbps            4,000,000  4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You. Zion Ezra, VP Sales
POC and AVR Report
AVR Report
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have limited view of traffic
• Turning on functions kills performance
Traditional Multi-Pass Architectures are Slow
(Diagram: four separate stacks, one each for Firewall Policy, URL Filtering Policy (HTTP Decoder), IPS Policy (IPS Decoder, IPS Signatures) and AV Policy (AV Decoder & Proxy, AV Signatures), each repeating its own Port/Protocol-based ID, L2/L3 Networking, HA, Config Management and Reporting)
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
• Need to Restore Visibility and Control in the Firewall
(Application categories: Collaboration, Media, SaaS, Personal)
• BUT… Applications Have Changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Exploit protection: many months pass between black-hat discovery, white-hat discovery and protection being available
- Need to protect all applications
- A sandbox at the core
- Needs user-based access control
- Needs high-speed IPS and AV
- Need to perform across all applications
- Need to block the unknown
Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
(Diagram: control plane with quad-core CPU, RAM and dual HDD; 20 Gbps data plane with network processor (QoS, flow control, route/ARP/MAC lookup, NAT), switch fabric, security processors (multi-core CPUs with RAM; SSL, IPSec, decompression) and signature match engines, connected by 10 Gbps links)
Source: Gartner (March 2010)
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
(Diagram: applications such as RPC, SMS, SQL, SharePoint, SMB and NetBIOS spread across ports 80, 135, 137, 139 and 443, plus random high ports)
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security
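To make the "Ports ≠ Applications" point concrete, an added example (not from the deck and not Palo Alto Networks code) classifies the same constructed flows by destination port and by a few simplified application signatures standing in for App-ID, then applies one allow list to both results; the flows, signatures and allow list are all constructed for the example.

```python
"""Port-based vs application-based classification of the same flows, to show
why 'Ports ≠ Applications'. The signatures are simplified stand-ins for
App-ID (first-packet banner/handshake checks) written for this example;
flows are constructed, not captured. Not Palo Alto Networks code."""

# Classic port table used by port-based firewalls.
PORT_TABLE = {80: "web-browsing", 443: "ssl", 22: "ssh", 3389: "ms-rdp",
              135: "msrpc", 139: "netbios-ss", 445: "smb"}


def _is_tls_client_hello(p: bytes) -> bool:
    # TLS record type 0x16 (handshake), version major 3, handshake type 1 (ClientHello)
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


def _is_http_request(p: bytes) -> bool:
    method = p.split(b" ", 1)[0]
    return method in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"} and b" HTTP/" in p[:64]


def _is_rdp_connect(p: bytes) -> bool:
    # TPKT header (0x03 0x00) followed by an X.224 Connection Request (code 0xE0)
    return p.startswith(b"\x03\x00") and len(p) > 5 and p[5] == 0xE0


# Ordered list of (app name, predicate over the first client payload bytes).
SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-2.0-")),
    ("ms-rdp", _is_rdp_connect),
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("ssl", _is_tls_client_hello),
    ("web-browsing", _is_http_request),
]

# Positive-enforcement allow list: only these apps may leave the network.
ALLOWED_APPS = {"web-browsing", "ssl"}


def classify_by_port(dport: int) -> str:
    return PORT_TABLE.get(dport, "unknown")


def classify_by_app(payload: bytes) -> str:
    for name, signature in SIGNATURES:
        if signature(payload):
            return name
    return "unknown-tcp"


def decide(app: str) -> str:
    return "allow" if app in ALLOWED_APPS else "deny"


# Constructed flows: (id, destination port, first client payload).
FLOWS = [
    (1, 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),          # genuine TLS on 443
    (2, 443, b"SSH-2.0-OpenSSH_5.8\r\n"),                                # SSH tunnelled over 443
    (3, 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # genuine HTTP on 80
    (4, 80, b"\x13BitTorrent protocol" + b"\x00" * 8),                   # BitTorrent on 80
    (5, 22, b"SSH-2.0-OpenSSH_5.8\r\n"),                                 # SSH on its own port
    (6, 8443, b"\x16\x03\x01\x00\x40\x01\x00\x00\x3c\x03\x03"),          # TLS on a non-standard port
    (7, 443, b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"),  # RDP over 443
]


def compare(flows=FLOWS):
    """Classify each flow both ways and apply the same allow list to each result."""
    rows = []
    for fid, dport, payload in flows:
        by_port = classify_by_port(dport)
        by_app = classify_by_app(payload)
        rows.append({"id": fid, "by_port": by_port, "by_app": by_app,
                     "port_decision": decide(by_port), "app_decision": decide(by_app)})
    return rows


def disagreements(flows=FLOWS):
    """Flow ids where the port-based decision differs from the application-based one."""
    return {r["id"] for r in compare(flows) if r["port_decision"] != r["app_decision"]}


if __name__ == "__main__":
    for r in compare():
        print(r)
    print("port-based policy wrong on flows:", sorted(disagreements()))
```

Flows 2, 4 and 7 are allowed by port and denied by application; flow 6 is the reverse, which is why an application-based positive model also needs to allow legitimate applications on non-standard ports.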
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
Model    Firewall  Threat prevention  IPSec VPN  SSL VPN users  Sessions   VSYS       Interfaces
PA-5020  5 Gbps    2 Gbps             2 Gbps     5,000          1,000,000  up to 20   (8) SFP (1 Gig) I/O, (12) 10/100/1000
PA-5050  10 Gbps   5 Gbps             4 Gbps     10,000         2,000,000  up to 125  (4) SFP+ (10 Gig) I/O, (8) SFP (1 Gig) I/O, (12) 10/100/1000
PA-5060  20 Gbps   10 Gbps            4 Gbps     20,000         4,000,000  up to 225  (4) SFP+ (10 Gig) I/O, (8) SFP (1 Gig) I/O, (12) 10/100/1000
Common to all PA-5000 Series models:
• Hot-swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase; duplicates operational and management overhead
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identifies applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
• NSS Labs, the world's largest security and performance testing lab, has recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. Our solution was tested against 1179 live exploits in what was the industry's most comprehensive IPS test to date. The results were crystal clear and provided hard proof of what our next-generation firewalls can really do. Key results include:
• The highest IPS block rate in recent history (93.4%)
• 100% resistance to IPS evasion techniques
• Simple IPS configuration and tuning
• Provided all the above while exceeding the datasheet performance metrics by 115%
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, Low Latency
PA-5000 Series Architecture
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual solid-state drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
(Diagram: control plane with quad-core CPU, RAM and dual SSD; 20 Gbps data plane with network processor (QoS, flow control, route/ARP/MAC lookup, NAT), switch fabric, security processors (multi-core CPUs with RAM; SSL, IPSec, decompression) and signature match engines, connected by 10 Gbps links)
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 Million concurrent sessions
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory, or by IP address
Palo Alto – Network Sniffer (screenshot)
Visibility into Applications, Users & Content
(Screenshot: user hzielinski, filtered on Skype; remove Skype to expand the view of hzielinski)
Palo Alto – Rich reports (screenshot)
Demo (offline) – Traffic Log (screenshot)
Enables Executive Visibility (screenshot)
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode – connect to SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping
- Max/guaranteed and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
bull High Availability
- Active Active
- Configuration and session synchronization
- Path link and HA monitoring
bull Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
bull Simple flexible management
- CLI Web Panorama SNMP Syslog
Visibility and control of applications users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
bull Intuitive and flexible management
- CLI Web Panorama SNMP Syslog
- Role-based administration enables delegation of tasks to appropriate person
bull Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACCmonitoring views log collection and reporting
bull All interfaces work on current configuration avoiding sync issues
NGFW for mobile devices
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 33 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2009 Palo Alto Networks Proprietary and Confidential Page 34 |
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
bull Operations once per packet
- Traffic classification (app identification)
- Usergroup mapping
- Content scanning ndash threats URLs confidential data
bull One policy
Parallel Processing
bull Function-specific hardware engines
bull Separate datacontrol planes
Up to 10Gbps Low Latency
copy 2011 Palo Alto Networks Proprietary and Confidential
PA-5000 Series Architecture
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual solid-state drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow
control
Route ARP MAC
lookup
NAT Switch
Fabric
Signature Match
Signature Match
SSL IPSec De-
Compress SSL IPSec
De-Compress
SSL IPSec De-
Compress
Quad-core
CPU CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
RAM
RAM
SSD
SSD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
bull 40+ processors
bull 30+ GB of RAM
bull Separate high speed data and control planes
bull 20 Gbps firewall throughput
bull 10 Gbps threat prevention throughput
bull 4 Million concurrent sessions
Page 35 |
Traditional Multi-Pass Architectures are Slow
[Diagram: four separately stacked devices (Firewall Policy; URL Filtering Policy with HTTP Decoder; IPS Policy with IPS Signatures and IPS Decoder; AV Policy with AV Signatures, AV Decoder & Proxy), each repeating its own Port/Protocol-based ID, L2/L3 Networking, HA, Config Management and Reporting layers]
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive enforcement model firewall rules
• Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto – Network Sniffer
Visibility into Applications, Users & Content
User hzielinski: Filter on Skype
Remove Skype to expand view of hzielinski
Palo Alto – Rich reports
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode – connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping - Max/guaranteed and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active/Active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
Models: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
NGFW for mobile devices
Today: Quality of Security Tied to Location
[Diagram: users on the enterprise network vs remote users exposed to botnets]
Enterprise Network Security
• Security Based on Best-Practices
• Full-Featured NGFW and Threat Prevention
No Network Security
• Security Based on Best-Effort
• Exposed to threats, risky app usage and more
Introducing GlobalProtect
• Users never go “off-network” regardless of location
• All firewalls work together to provide a “cloud” of network security
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate segmentation
[Diagram: Datacenter 1 and Datacenter 2 divided into Segment A, Segment B and Segment C]
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks IPS Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
Palo Alto Networks Next-Gen Firewalls
PA-4050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 8 SFP, 16 copper gigabit
PA-4020: 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions; 8 SFP, 16 copper gigabit
PA-4060: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050: 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions; 4 SFP, 16 copper gigabit
PA-2020: 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions; 2 SFP, 12 copper gigabit
PA-500: 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions; 8 copper gigabit
PA-5050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020: 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions; 8 SFP, 12 copper gigabit
PA-5060: 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You – Zion Ezra
VP Sales
POC and AVR Report
AVR Report
AVR Report
UTM Is Still Sprawl… Just Slower
• Doesn’t solve the problem
• Firewall “helper” functions have limited view of traffic
• Turning on functions kills performance
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
• Need to Restore Visibility and Control in the Firewall
• BUT… Applications Have Changed (Collaboration, Media, SaaS, Personal)
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Exploit protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Need to perform across all applications
• Need to block the unknown
Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach: extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Block diagram: 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT) feeding the switch fabric; data plane with three 10 Gbps security processors (12 CPUs with RAM each), three signature match engines and three SSL/IPSec/decompression engines; separate control plane with quad-core CPU, RAM and dual HDDs]
NGFW for mobile devices
Source: Gartner (March 2010)
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today’s network security is based on outdated assumptions…
[Diagram: RPC, SMS, SQL, SharePoint, SMB and NetBIOS mapped to ports 135, 137, 139, 80 and 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports - fundamentally breaking port-based network security
Palo Alto Networks Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5050
• 10 Gbps FW
• 5 Gbps threat prevention
• 4 Gbps IPSec VPN
• 10,000 SSL VPN Users
• 2,000,000 sessions
• Up to 125 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5020
• 5 Gbps FW
• 2 Gbps threat prevention
• 2 Gbps IPSec VPN
• 5,000 SSL VPN Users
• 1,000,000 sessions
• Up to 20 VSYS
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5060
• 20 Gbps FW
• 10 Gbps threat prevention
• 4 Gbps IPSec VPN
• 20,000 SSL VPN Users
• 4,000,000 sessions
• Up to 225 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
• Hot swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and “Recommended”)
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
[Diagram: users on the enterprise network vs remote users exposed to botnets]
Enterprise Network Security
• Security Based on Best-Practices
• Full-Featured NGFW and Threat Prevention
No Network Security
• Security Based on Best-Effort
• Exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase, duplicates operational and management overhead
Introducing GlobalProtect
• Users never go “off-network” regardless of location
• All firewalls work together to provide a “cloud” of network security
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
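The enforcement step just described, together with the deck's earlier points that ports are not applications and that SSH/RDP should be allowed only for authorized staff, as an added example that is not Palo Alto Networks code: a toy Python evaluator applies a positive-enforcement policy keyed on identified application, user group and host information profile, and contrasts it with a port-only rule over the same sessions. Every rule name, user, group and HIP attribute is constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Session:
    """One flow as the gateway sees it (all fields constructed for this example)."""
    user: str
    groups: FrozenSet[str]        # directory groups of the user (the User-ID input)
    dst_port: int
    app: str                      # application identified from content, not port (the App-ID input)
    hip: Dict[str, object]        # host information profile submitted by the agent


@dataclass
class Rule:
    """A positive-enforcement rule: traffic no rule allows is denied."""
    name: str
    apps: FrozenSet[str]
    groups: Optional[FrozenSet[str]] = None             # None means any user
    hip: Dict[str, object] = field(default_factory=dict)  # HIP attributes the host must report
    action: str = "allow"


# Legacy port-only model: anything on a "web" port is assumed to be web traffic.
LEGACY_ALLOWED_PORTS = frozenset({80, 443})


def port_based_decision(s: Session) -> str:
    return "allow" if s.dst_port in LEGACY_ALLOWED_PORTS else "deny"


def hip_satisfied(required: Dict[str, object], reported: Dict[str, object]) -> bool:
    # Every required attribute must be present and equal; a missing attribute fails closed.
    return all(reported.get(k) == v for k, v in required.items())


def policy_decision(s: Session, rules: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins; a session that matches no rule is denied."""
    for r in rules:
        if s.app not in r.apps:
            continue
        if r.groups is not None and not (s.groups & r.groups):
            continue
        if not hip_satisfied(r.hip, s.hip):
            continue
        return r.action, r.name
    return "deny", "default-deny"


# Constructed policy (hypothetical names): remote administration only for IT admins
# on encrypted, patched hosts; ordinary web browsing for everyone.
POLICY: List[Rule] = [
    Rule("admin-remote-access", frozenset({"ssh", "ms-rdp"}), frozenset({"it-admins"}),
         {"disk_encryption": True, "patched": True}),
    Rule("general-web", frozenset({"web-browsing", "ssl"})),
]

# Constructed sessions, including applications riding on ports a port-based rule trusts.
SAMPLE_SESSIONS: List[Session] = [
    Session("alice", frozenset({"sales"}), 443, "ssh", {"disk_encryption": True, "patched": True}),
    Session("bob", frozenset({"it-admins"}), 443, "ssh", {"disk_encryption": True, "patched": True}),
    Session("carol", frozenset({"it-admins"}), 3389, "ms-rdp", {"disk_encryption": False, "patched": True}),
    Session("alice", frozenset({"sales"}), 80, "web-browsing", {}),
    Session("alice", frozenset({"sales"}), 80, "skype", {}),
]


def compare(sessions: List[Session] = SAMPLE_SESSIONS,
            rules: List[Rule] = POLICY) -> List[Tuple[str, str, int, str, Tuple[str, str]]]:
    """Return (user, app, port, port-based verdict, policy verdict) for each session."""
    return [(s.user, s.app, s.dst_port, port_based_decision(s), policy_decision(s, rules))
            for s in sessions]


if __name__ == "__main__":
    for user, app, port, legacy, (action, rule) in compare():
        print(f"{user:6} {app:13} port {port:<5} port-based={legacy:5} app/user/HIP={action} ({rule})")
```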
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram: threats labelled malware, botnets, exploits]
Regain Visibility and Control, Save Money
• IT can’t manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
copy 2009 Palo Alto Networks Proprietary and Confidential Page 34 |
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
bull Operations once per packet
- Traffic classification (app identification)
- Usergroup mapping
- Content scanning ndash threats URLs confidential data
bull One policy
Parallel Processing
bull Function-specific hardware engines
bull Separate datacontrol planes
Up to 10Gbps Low Latency
copy 2011 Palo Alto Networks Proprietary and Confidential
PA-5000 Series Architecture
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual solid-state drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow
control
Route ARP MAC
lookup
NAT Switch
Fabric
Signature Match
Signature Match
SSL IPSec De-
Compress SSL IPSec
De-Compress
SSL IPSec De-
Compress
Quad-core
CPU CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
CPU
12
CPU
1
CPU
2
RAM
RAM
SSD
SSD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
bull 40+ processors
bull 30+ GB of RAM
bull Separate high speed data and control planes
bull 20 Gbps firewall throughput
bull 10 Gbps threat prevention throughput
bull 4 Million concurrent sessions
Page 35 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 36 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 37 |
Powerful Policy-Based Control
bull Browse more than 1300 applications based on name category technology or characteristic
bull Immediately translate results into positive enforcement model firewall rules
bull Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto
Palo Alto ndash Network Sniffer
copy 2008 Palo Alto Networks Proprietary and Confidential Page 38 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 39 |
Visibility into Applications Users amp Content
User hzielinski Filter on Skype
Remove Skype to expand view of hzielinski
Palo Alto
Palo Alto ndash Rich reports
copy 2008 Palo Alto Networks Proprietary and Confidential Page 40 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 41 |
Demo (offline) ndash Traffic Log
copy 2008 Palo Alto Networks Proprietary and Confidential Page 42 |
Enables Executive Visibility
copy 2009 Palo Alto Networks Proprietary and Confidential Page 43 |
PAN-OS Features
bull Strong networking foundation
- Dynamic routing (OSPF RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode ndash connect to SPAN port
- Virtual wire (ldquoLayer 1rdquo) for true transparent in-line deployment
- L2L3 switching foundation
bull QoS traffic shaping - Maxguaranteed and priority
- By user app interface zone and more
bull Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
bull High Availability
- Active Active
- Configuration and session synchronization
- Path link and HA monitoring
bull Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
bull Simple flexible management
- CLI Web Panorama SNMP Syslog
Visibility and control of applications users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
bull Intuitive and flexible management
- CLI Web Panorama SNMP Syslog
- Role-based administration enables delegation of tasks to appropriate person
bull Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACCmonitoring views log collection and reporting
bull All interfaces work on current configuration avoiding sync issues
NGFW for mobile devices
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption let applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risk for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identifies applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidating functionality into the firewall simplifies operations and saves money
PA-5000 Series Architecture
Data plane switch fabric
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Network processor
• 20 Gbps front-end network processing
• Hardware-accelerated per-packet route lookup, MAC lookup and NAT
Signature match hardware engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), viruses, spyware, credit card and SSN numbers and more
Security processors
• High-density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control plane
• Highly available management
• High-speed logging and route update
• Dual solid-state drives
(Block diagram: a control plane with a quad-core CPU, RAM and dual SSDs; a data-plane switch fabric joining the network processor (QoS, flow control, route/ARP/MAC lookup, NAT), three security processors each shown with 12 CPUs, RAM and SSL/IPSec/decompression offload, and two signature-match engines; 10 Gbps and 20 Gbps links between the blocks)
• 40+ processors
• 30+ GB of RAM
• Separate high-speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 million concurrent sessions
Traditional Multi-Pass Architectures are Slow
(Diagram: four functions chained in series, each carrying its own port/protocol-based ID, L2/L3 networking, HA, configuration management and reporting)
• Firewall: port/protocol-based ID, firewall policy
• URL filtering: port/protocol-based ID, HTTP decoder, URL filtering policy
• IPS: port/protocol-based ID, IPS decoder, IPS signatures, IPS policy
• Antivirus: port/protocol-based ID, AV decoder and proxy, AV signatures, AV policy
Each pass repeats the classification and networking work of the one before it, so every function that is switched on adds another full pass over the traffic.
Powerful Policy-Based Control
• Browse more than 1300 applications by name, category, technology or characteristic
• Immediately translate the results into positive-enforcement-model firewall rules
• Policy enforcement by end-user group identities from Active Directory, or by IP address
Palo Alto Networks: Network Sniffer (screenshot)
Visibility into Applications, Users & Content (screenshots)
• User hzielinski, filtered on Skype
• Remove the Skype filter to expand the view of hzielinski
Palo Alto Networks: Rich Reports (screenshot)
Demo (offline): Traffic Log (screenshot)
Enables Executive Visibility (screenshot)
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode: connect to a SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping: max, guaranteed and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces are assigned to security zones for policy enforcement
• High availability
- Active/active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, web, Panorama, SNMP, syslog
Visibility and control of applications, users and content are complemented by core firewall features
Models: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, web, Panorama, SNMP, syslog
- Role-based administration delegates tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and the device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
Zero-Day Attack Protection
• A sandbox at the core
Flexible Deployment Options
• Transparent in-line
- IPS with app visibility & control
- Consolidation of IPS & URL filtering
• Firewall replacement
- Firewall replacement with app visibility & control
- Firewall + IPS
- Firewall + IPS + URL filtering
• Ultimate segmentation (Datacenter 1 / Datacenter 2; Segments A, B and C)
- Controls applications & users for datacenter resource access
- IPS with app visibility & content control
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scans inbound and outbound SSL (decrypted) and compressed traffic
- Assures that only authorized applications are using network resources
- Allows SSH/RDP, but only for authorized staff
Palo Alto Networks Next-Gen Firewalls
PA-5060: 20 Gbps FW, 10 Gbps threat prevention, 4,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5050: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020: 5 Gbps FW, 2 Gbps threat prevention, 1,000,000 sessions; 8 SFP, 12 copper gigabit
PA-4060: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions; 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-4050: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions; 8 SFP, 16 copper gigabit
PA-4020: 2 Gbps FW, 2 Gbps threat prevention, 500,000 sessions; 8 SFP, 16 copper gigabit
PA-2050: 1 Gbps FW, 500 Mbps threat prevention, 250,000 sessions; 4 SFP, 16 copper gigabit
PA-2020: 500 Mbps FW, 200 Mbps threat prevention, 125,000 sessions; 2 SFP, 12 copper gigabit
PA-500: 250 Mbps FW, 100 Mbps threat prevention, 50,000 sessions; 8 copper gigabit
The innovative approach: extend security to all network traffic
Thank You. Zion Ezra, VP Sales
POC and AVR Report
AVR Report (screenshots)
UTM Is Still Sprawl... Just Slower
(Diagram: Internet traffic passed through a chain of firewall "helper" functions)
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Applications Have Changed, Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines the trust boundary
• BUT... applications have changed (collaboration, media, SaaS, personal)
- Ports ≠ Applications
- IP addresses ≠ Users
- Packets ≠ Content
• Need to restore visibility and control in the firewall
Exploit protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Need to perform across all applications
• Need to block the unknown
• Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
"INSANITY: doing the same thing over and over again and expecting different results": block applications and users
The innovative approach: extend security to all network traffic
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to restore application visibility & control in the firewall
Today's network security is based on outdated assumptions...
(Diagram: RPC, SMS, SQL, SharePoint, SMB and NetBIOS traffic spread across ports 80, 135, 137, 139 and 443, plus random high ports)
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security
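The "Regain Visibility and Control", "Applications Have Changed" and "Data Center Network Security in Transition" slides all make one point: a firewall that classifies by destination port cannot know which application a flow actually carries. The Python below is an added example, not Palo Alto Networks code and not App-ID's real signature set. It labels a handful of constructed first-packet payloads twice, once by port and once by the opening bytes of the stream, and flags every flow whose identified application disagrees with its port. The port table and the byte patterns are this example's own rough approximations of each protocol's opening bytes; the sample flows are constructed, not captured traffic.

```python
import re

# What a port-based (stateful-inspection) firewall believes a flow is,
# keyed by destination port. Constructed for this example.
PORT_TABLE = {
    22: "ssh",
    80: "web-browsing",
    443: "ssl",
    445: "smb",
    3389: "ms-rdp",
}

# Payload signatures applied to the first bytes of the client stream, tried
# in order and independent of the port. These are this example's own rough
# approximations of each protocol's opening bytes, not App-ID signatures.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),                        # SSH version banner
    ("ms-rdp", re.compile(rb"^\x03\x00...\xe0", re.S)),         # TPKT header + X.224 Connection Request
    ("ssl", re.compile(rb"^\x16\x03[\x00-\x03]")),              # TLS handshake record, version 3.x
    ("smb", re.compile(rb"^\x00...[\xfe\xff]SMB", re.S)),       # NetBIOS session header + SMB1/SMB2 magic
    ("web-browsing", re.compile(
        rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),  # HTTP request line
]

UNKNOWN = "unknown-tcp"


def classify_by_port(dst_port):
    """Port-based classification: the port *is* the application."""
    return PORT_TABLE.get(dst_port, UNKNOWN)


def classify_by_payload(payload):
    """Payload-based classification: the first signature that matches wins."""
    for app, sig in SIGNATURES:
        if sig.search(payload):
            return app
    return UNKNOWN


def classify_flow(dst_port, payload):
    """Compare both views of one flow and flag an application on a non-default port."""
    port_app = classify_by_port(dst_port)
    app_id = classify_by_payload(payload)
    return {
        "dst_port": dst_port,
        "port_based": port_app,
        "app_id": app_id,
        # An identified application whose port-based label disagrees is either
        # port hopping, tunnelling, or simply running on a non-standard port.
        "non_standard_port": app_id != UNKNOWN and app_id != port_app,
    }


def classify_flows(flows):
    return [classify_flow(port, payload) for port, payload in flows]


# Constructed first-packet payloads (not captured traffic).
SAMPLE_FLOWS = [
    (443, b"SSH-2.0-OpenSSH_7.9\r\n"),                                          # SSH hidden on the HTTPS port
    (80, b"\x03\x00\x00\x2b\x26\xe0\x00\x00\x00\x00\x00Cookie: mstshash=bob\r\n"),  # RDP on port 80
    (443, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03" + b"\x00" * 32),      # genuine TLS ClientHello
    (8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),              # HTTP on an alternate port
    (445, b"\x00\x00\x00\x55\xffSMBr\x00\x00\x00\x00"),                          # SMB1 negotiate on its usual port
]

if __name__ == "__main__":
    for r in classify_flows(SAMPLE_FLOWS):
        flag = "  <-- non-standard port" if r["non_standard_port"] else ""
        print(f"port {r['dst_port']:>5}: port-based={r['port_based']:<13} app-id={r['app_id']:<13}{flag}")
```

Run stand-alone, the table shows the gap the slides describe: the port-based column calls the first flow "ssl" and the second "web-browsing", while the payload says SSH and RDP; HTTP on 8080 is "unknown-tcp" to a port-based device but "web-browsing" to a payload decoder. Real App-ID goes further (decrypting SSL to look inside, and tracking a session as its application changes), which this example does not attempt.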
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5060
• 20 Gbps FW
• 10 Gbps threat prevention
• 4 Gbps IPSec VPN
• 20,000 SSL VPN users
• 4,000,000 sessions
• Up to 225 VSYS
• (4) SFP+ (10 Gig) I/O, (8) SFP (1 Gig) I/O, (12) 10/100/1000
PA-5050
• 10 Gbps FW
• 5 Gbps threat prevention
• 4 Gbps IPSec VPN
• 10,000 SSL VPN users
• 2,000,000 sessions
• Up to 125 VSYS
• (4) SFP+ (10 Gig) I/O, (8) SFP (1 Gig) I/O, (12) 10/100/1000
PA-5020
• 5 Gbps FW
• 2 Gbps threat prevention
• 2 Gbps IPSec VPN
• 5,000 SSL VPN users
• 1,000,000 sessions
• Up to 20 VSYS
• (8) SFP (1 Gig) I/O, (12) 10/100/1000
Common to all PA-5000 models
• Hot-swappable fans and power supplies
• Dual solid-state drives
• Dedicated HA and management interfaces
• 2U standard rack-mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into the deployment
• Comply and compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with flexible network security infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect: NGFW for Mobile Devices
Today, the Quality of Security Is Tied to Location
• On the enterprise network: security based on best practices, full-featured NGFW and threat prevention
• Off the network, with no network security: security based on best effort, exposed to threats (botnets), risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• A client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• An agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work, Lower Security
• Inconsistent policy and protections outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase; duplicates operational and management overhead
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- A small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
- The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
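The "How it works" steps above, the positive-enforcement rules and Active Directory group matching under "Powerful Policy-Based Control", and the zone-based architecture under "PAN-OS Features" together describe one decision: given the source and destination zone, the App-ID result, the User-ID group and the host information profile, which rule (if any) allows the session. The Python below is an added example, not PAN-OS or GlobalProtect code; the rule fields, zone and group names, HIP attribute names and the sample sessions are this example's own assumptions. It implements first-match evaluation with an implicit deny, which is what "positive enforcement model" means in practice, and shows why an SSH session that arrived on port 443, or an administrator on a laptop without disk encryption, is refused even though the user is otherwise trusted.

```python
from dataclasses import dataclass, field

ANY = "any"


@dataclass
class Rule:
    """One positive-enforcement rule; field names are this example's own."""
    name: str
    from_zones: frozenset
    to_zones: frozenset
    groups: frozenset       # User-ID groups, or {"any"}
    apps: frozenset         # App-ID application names, or {"any"}
    hip: dict = field(default_factory=dict)   # required host attributes (hypothetical names)
    action: str = "allow"


@dataclass
class Session:
    """What the gateway knows about one flow after App-ID, User-ID and the HIP check."""
    user: str
    groups: frozenset
    from_zone: str
    to_zone: str
    app: str                # App-ID result, e.g. "ssh" even if it arrived on port 443
    hip: dict               # attributes reported by the agent


def _matches(rule_values, value):
    return ANY in rule_values or value in rule_values


def _hip_satisfied(required, reported):
    # Every required attribute must be present in the report with the required value;
    # a missing attribute (no agent, stale report) counts as a failed check.
    return all(reported.get(key) == wanted for key, wanted in required.items())


def evaluate(rules, s):
    """First matching rule wins; if nothing matches, the session is denied (implicit deny)."""
    for r in rules:
        if (_matches(r.from_zones, s.from_zone)
                and _matches(r.to_zones, s.to_zone)
                and (ANY in r.groups or r.groups & s.groups)
                and _matches(r.apps, s.app)
                and _hip_satisfied(r.hip, s.hip)):
            return r.action, r.name
    return "deny", "implicit-deny"


# Constructed rulebase. Zone, group and HIP attribute names are assumptions.
RULES = [
    # Administrators may reach the datacenter over SSH/RDP, but only from a
    # corporate, disk-encrypted, fully patched laptop.
    Rule("admin-remote-mgmt", frozenset({"vpn", "trust"}), frozenset({"datacenter"}),
         frozenset({"it-admins"}), frozenset({"ssh", "ms-rdp"}),
         hip={"asset_type": "corporate", "disk_encrypted": True, "patch_status": "current"}),
    # Everyone may browse the web; SSH, RDP and unknown traffic are not allowed out.
    Rule("general-web", frozenset({"vpn", "trust"}), frozenset({"untrust"}),
         frozenset({ANY}), frozenset({"web-browsing", "ssl"})),
]

COMPLIANT_LAPTOP = {"asset_type": "corporate", "disk_encrypted": True, "patch_status": "current"}
UNENCRYPTED_LAPTOP = {"asset_type": "corporate", "disk_encrypted": False, "patch_status": "current"}

# Constructed sessions: the inputs the slides list (zone, user/group, App-ID result, HIP).
SAMPLE_SESSIONS = [
    Session("alice", frozenset({"it-admins"}), "vpn", "datacenter", "ssh", COMPLIANT_LAPTOP),
    Session("alice", frozenset({"it-admins"}), "vpn", "datacenter", "ssh", UNENCRYPTED_LAPTOP),
    Session("bob", frozenset({"staff"}), "vpn", "datacenter", "ms-rdp", COMPLIANT_LAPTOP),
    Session("bob", frozenset({"staff"}), "vpn", "untrust", "web-browsing", COMPLIANT_LAPTOP),
    Session("bob", frozenset({"staff"}), "vpn", "untrust", "ssh", COMPLIANT_LAPTOP),  # SSH tunnelled over 443
]


def evaluate_all(rules, sessions):
    return [evaluate(rules, s) for s in sessions]


if __name__ == "__main__":
    for s, (action, rule) in zip(SAMPLE_SESSIONS, evaluate_all(RULES, SAMPLE_SESSIONS)):
        print(f"{s.user:<6} {s.from_zone}->{s.to_zone:<11} {s.app:<13} {action:<5} ({rule})")
```

Two design points carry over to a real rulebase: the HIP check treats a missing attribute as a failure rather than a pass, so a host with no agent report cannot satisfy a rule that requires one; and the rule keys on the App-ID name, not a port, so "ssh" is refused for the last session even though a port-based rule allowing 443 would have let it through.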
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
(Diagram: malware, botnets, exploits)
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
copy 2009 Palo Alto Networks Proprietary and Confidential Page 36 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 37 |
Powerful Policy-Based Control
bull Browse more than 1300 applications based on name category technology or characteristic
bull Immediately translate results into positive enforcement model firewall rules
bull Policy enforcement by end-user group identities from Active Directory or IP address
Palo Alto
Palo Alto ndash Network Sniffer
copy 2008 Palo Alto Networks Proprietary and Confidential Page 38 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 39 |
Visibility into Applications Users amp Content
User hzielinski Filter on Skype
Remove Skype to expand view of hzielinski
Palo Alto
Palo Alto ndash Rich reports
copy 2008 Palo Alto Networks Proprietary and Confidential Page 40 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 41 |
Demo (offline) ndash Traffic Log
copy 2008 Palo Alto Networks Proprietary and Confidential Page 42 |
Enables Executive Visibility
copy 2009 Palo Alto Networks Proprietary and Confidential Page 43 |
PAN-OS Features
bull Strong networking foundation
- Dynamic routing (OSPF RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode ndash connect to SPAN port
- Virtual wire (ldquoLayer 1rdquo) for true transparent in-line deployment
- L2L3 switching foundation
bull QoS traffic shaping - Maxguaranteed and priority
- By user app interface zone and more
bull Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
bull High Availability
- Active Active
- Configuration and session synchronization
- Path link and HA monitoring
bull Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
bull Simple flexible management
- CLI Web Panorama SNMP Syslog
Visibility and control of applications users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
bull Intuitive and flexible management
- CLI Web Panorama SNMP Syslog
- Role-based administration enables delegation of tasks to appropriate person
bull Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACCmonitoring views log collection and reporting
bull All interfaces work on current configuration avoiding sync issues
NGFW for mobile devices
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
Powerful Policy-Based Control
• Browse more than 1300 applications based on name, category, technology or characteristic
• Immediately translate results into positive-enforcement-model firewall rules
• Policy enforcement by end-user group identities from Active Directory, or by IP address
Palo Alto – Network Sniffer (screenshot)
Visibility into Applications, Users & Content
(Screenshots: user hzielinski filtered on Skype; remove Skype to expand the view of hzielinski)
Palo Alto – Rich reports (screenshot)
Demo (offline) – Traffic Log
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode – connect to a SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping – max/guaranteed and priority
- By user, app, interface, zone and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active/Active
- Configuration and session synchronization
- Path, link and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features
Models: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and the device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
NGFW for mobile devices
Today: Quality of Security Tied to Location
Enterprise Network Security
• Security based on best practices
• Full-featured NGFW and threat prevention
No Network Security
• Security based on best effort
• Exposed to threats, risky app usage and more
Zero-Day Attack Protection: a sandbox at the core
Flexible Deployment Options
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate Segmentation (Datacenter 1 / Datacenter 2; Segment A / Segment B / Segment C)
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypted) and compressed traffic
- Assure that only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
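As an added example (not Palo Alto Networks code and not part of the deck), the Python sketch below shows what the bullets "catches threats on non-standard ports" and "allow SSH/RDP but only for authorized staff", together with the GlobalProtect gateway step that enforces policy using App-ID, User-ID, Content-ID and the host information profile, amount to in practice: a flow is classified from its first payload bytes rather than its destination port, and a rule is then matched on application, directory group and host profile. The signatures, users, groups and host-profile keys are constructed placeholders, not the product's own.

```python
# Added example, not Palo Alto Networks code: a toy gateway policy check.
# Applications are identified from the first client bytes (stand-in for App-ID),
# users map to directory groups (stand-in for User-ID) and the host information
# profile (HIP) is matched before a rule allows the flow. All names are constructed.
from dataclasses import dataclass, field
from typing import Optional

# What a port-based (stateful inspection) firewall believes about a flow.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "ms-rdp"}


def identify_by_port(dst_port: int) -> str:
    return PORT_TABLE.get(dst_port, "unknown")


def identify_by_payload(payload: bytes) -> str:
    """Minimal payload signatures (constructed); real App-ID uses far richer decoders."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"                      # SSH identification string
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"                      # TLS handshake record carrying a ClientHello
    if len(payload) >= 4 and payload[0] == 0x03 and payload[1] == 0x00:
        return "ms-rdp"                   # TPKT header in front of RDP's X.224 connect request
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "web-browsing"             # HTTP request line
    return "unknown"


@dataclass
class Flow:
    user: str
    group: str                 # resolved from the directory by the gateway
    dst_port: int
    payload: bytes             # first bytes the client sent
    hip: dict = field(default_factory=dict)   # host information profile from the agent


@dataclass
class Rule:
    app: str
    groups: Optional[set]      # None means any authenticated user
    hip_required: dict         # profile keys that must match for the rule to allow


# Policy in the deck's spirit: SSH/RDP only for authorized staff, and only from
# hosts whose profile says they are patched (and, for RDP, disk-encrypted).
POLICY = [
    Rule("ssh", {"it-admins"}, {"patched": True}),
    Rule("ms-rdp", {"it-admins"}, {"patched": True, "disk_encrypted": True}),
    Rule("web-browsing", None, {}),
    Rule("ssl", None, {}),
]


def evaluate(flow: Flow) -> tuple:
    """Return (decision, reason). Applications with no rule are denied by default."""
    app = identify_by_payload(flow.payload)
    for rule in POLICY:
        if rule.app != app:
            continue
        if rule.groups is not None and flow.group not in rule.groups:
            return "deny", f"{app} is not permitted for group {flow.group}"
        missing = [k for k, v in rule.hip_required.items() if flow.hip.get(k) != v]
        if missing:
            return "deny", f"{app} requires host profile {missing} for {flow.user}"
        return "allow", f"{app} permitted for {flow.user} ({flow.group})"
    return "deny", f"no rule for application {app}"


def compare(flow: Flow) -> tuple:
    """(port-based app, payload-based app, decision, reason) for one flow."""
    decision, reason = evaluate(flow)
    return identify_by_port(flow.dst_port), identify_by_payload(flow.payload), decision, reason


GOOD_HIP = {"patched": True, "disk_encrypted": True}
CLIENT_HELLO = b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x03" + b"\x00" * 32
SAMPLE_FLOWS = [   # constructed flows
    Flow("alice", "it-admins", 443, b"SSH-2.0-OpenSSH_8.9\r\n", GOOD_HIP),   # SSH hidden on 443
    Flow("bob", "sales", 443, b"SSH-2.0-OpenSSH_8.9\r\n", GOOD_HIP),         # same, wrong group
    Flow("carol", "it-admins", 3389, b"\x03\x00\x00\x13\x0e\xe0\x00\x00",
         {"patched": True, "disk_encrypted": False}),                        # RDP, HIP fails
    Flow("bob", "sales", 8080, b"GET / HTTP/1.1\r\n", GOOD_HIP),             # HTTP on odd port
    Flow("dave", "sales", 443, CLIENT_HELLO, GOOD_HIP),                       # genuine TLS
]


def run_samples() -> list:
    return [compare(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for by_port, by_app, decision, reason in run_samples():
        print(f"port says {by_port:<12} payload says {by_app:<12} -> {decision}: {reason}")
```

The first two flows are the point of the slide: a port-based view reports both as "ssl" and would allow them, while payload classification sees SSH and lets the group check decide.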
Palo Alto Networks Next-Gen Firewalls
Model   | Firewall | Threat prevention | Sessions  | Interfaces
PA-500  | 250 Mbps | 100 Mbps          | 50,000    | 8 copper gigabit
PA-2020 | 500 Mbps | 200 Mbps          | 125,000   | 2 SFP, 12 copper gigabit
PA-2050 | 1 Gbps   | 500 Mbps          | 250,000   | 4 SFP, 16 copper gigabit
PA-4020 | 2 Gbps   | 2 Gbps            | 500,000   | 8 SFP, 16 copper gigabit
PA-4050 | 10 Gbps  | 5 Gbps            | 2,000,000 | 8 SFP, 16 copper gigabit
PA-4060 | 10 Gbps  | 5 Gbps            | 2,000,000 | 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-5020 | 5 Gbps   | 2 Gbps            | 1,000,000 | 8 SFP, 12 copper gigabit
PA-5050 | 10 Gbps  | 5 Gbps            | 2,000,000 | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5060 | 20 Gbps  | 10 Gbps           | 4,000,000 | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You – Zion Ezra, VP Sales
POC and AVR Report
AVR Report
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Traditional Multi-Pass Architectures are Slow
(Figure: each pass repeats port/protocol-based ID, L2/L3 networking, HA, config management and reporting, with its own decoder and policy)
- Firewall policy
- HTTP decoder + URL filtering policy
- IPS decoder + IPS signatures + IPS policy
- AV decoder & proxy + AV signatures + AV policy
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines the trust boundary
• BUT… Applications Have Changed (collaboration, media, SaaS, personal)
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
• Need to Restore Visibility and Control in the Firewall
Exploit protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Needs to perform across all applications
• Needs to block the unknown
Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High-density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High-speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware-accelerated per-packet route lookup, MAC lookup and NAT
(Figure: data plane – 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT), switch fabric, three security processor groups each with signature match, SSL/IPSec/decompression engines, CPUs and RAM; control plane – quad-core CPU, RAM, dual HDD; 10 Gbps links between planes)
Source: Gartner (March 2010)
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions… (Figure: RPC, SMS, SQL, SharePoint, SMB and NetBIOS mapped to ports 135, 137, 139, 80 and 443, plus random high ports)
Applications employ dynamic, random and heavily-used ports – fundamentally breaking port-based network security
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
Spec                | PA-5020                            | PA-5050                                              | PA-5060
Firewall throughput | 5 Gbps                             | 10 Gbps                                              | 20 Gbps
Threat prevention   | 2 Gbps                             | 5 Gbps                                               | 10 Gbps
IPSec VPN           | 2 Gbps                             | 4 Gbps                                               | 4 Gbps
SSL VPN users       | 5,000                              | 10,000                                               | 20,000
Sessions            | 1,000,000                          | 2,000,000                                            | 4,000,000
Virtual systems     | up to 20 VSYS                      | up to 125 VSYS                                       | up to 225 VSYS
I/O                 | (8) SFP (1 Gig), (12) 10/100/1000  | (4) SFP+ (10 Gig), (8) SFP (1 Gig), (12) 10/100/1000 | (4) SFP+ (10 Gig), (8) SFP (1 Gig), (12) 10/100/1000
Common to the series: hot-swappable fans and power supplies; dual solid-state hard drives; dedicated HA and management interfaces; 2U standard rack-mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into the deployment
• Comply and Compartmentalize
- Save time and cost of compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack-space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work, for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase; duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
Palo Alto
Palo Alto ndash Network Sniffer
copy 2008 Palo Alto Networks Proprietary and Confidential Page 38 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 39 |
Visibility into Applications Users amp Content
User hzielinski Filter on Skype
Remove Skype to expand view of hzielinski
Palo Alto
Palo Alto ndash Rich reports
copy 2008 Palo Alto Networks Proprietary and Confidential Page 40 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 41 |
Demo (offline) ndash Traffic Log
copy 2008 Palo Alto Networks Proprietary and Confidential Page 42 |
Enables Executive Visibility
copy 2009 Palo Alto Networks Proprietary and Confidential Page 43 |
PAN-OS Features
bull Strong networking foundation
- Dynamic routing (OSPF RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode ndash connect to SPAN port
- Virtual wire (ldquoLayer 1rdquo) for true transparent in-line deployment
- L2L3 switching foundation
bull QoS traffic shaping - Maxguaranteed and priority
- By user app interface zone and more
bull Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
bull High Availability
- Active Active
- Configuration and session synchronization
- Path link and HA monitoring
bull Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
bull Simple flexible management
- CLI Web Panorama SNMP Syslog
Visibility and control of applications users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
bull Intuitive and flexible management
- CLI Web Panorama SNMP Syslog
- Role-based administration enables delegation of tasks to appropriate person
bull Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACCmonitoring views log collection and reporting
bull All interfaces work on current configuration avoiding sync issues
NGFW for mobile devices
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
copy 2008 Palo Alto Networks Proprietary and Confidential Page 39 |
Visibility into Applications Users amp Content
User hzielinski Filter on Skype
Remove Skype to expand view of hzielinski
Palo Alto
Palo Alto ndash Rich reports
copy 2008 Palo Alto Networks Proprietary and Confidential Page 40 |
copy 2008 Palo Alto Networks Proprietary and Confidential Page 41 |
Demo (offline) ndash Traffic Log
copy 2008 Palo Alto Networks Proprietary and Confidential Page 42 |
Enables Executive Visibility
copy 2009 Palo Alto Networks Proprietary and Confidential Page 43 |
PAN-OS Features
bull Strong networking foundation
- Dynamic routing (OSPF RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode ndash connect to SPAN port
- Virtual wire (ldquoLayer 1rdquo) for true transparent in-line deployment
- L2L3 switching foundation
bull QoS traffic shaping - Maxguaranteed and priority
- By user app interface zone and more
bull Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
bull High Availability
- Active Active
- Configuration and session synchronization
- Path link and HA monitoring
bull Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
bull Simple flexible management
- CLI Web Panorama SNMP Syslog
Visibility and control of applications users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
NGFW for mobile devices
Today: Quality of Security Tied to Location
(Figure: botnets threatening users who are off the enterprise network)
Enterprise Network Security: • Security based on best practices • Full-featured NGFW and threat prevention
No Network Security: • Security based on best effort • Exposed to threats, risky app usage and more
Introducing GlobalProtect
• Users never go "off-network" regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
Zero-Day Attack Protection – a sandbox at the core
Flexible Deployment Options
Transparent In-Line: • IPS with app visibility & control • Consolidation of IPS & URL filtering
Firewall Replacement: • Firewall replacement with app visibility & control • Firewall + IPS • Firewall + IPS + URL filtering
Ultimate segmentation
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
(Diagram: Datacenter 1 and Datacenter 2; Segments A, B and C)
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
Palo Alto Networks Next-Gen Firewalls
PA-4050: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions; 8 SFP, 16 copper gigabit
PA-4020: 2 Gbps FW, 2 Gbps threat prevention, 500,000 sessions; 8 SFP, 16 copper gigabit
PA-4060: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions; 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050: 1 Gbps FW, 500 Mbps threat prevention, 250,000 sessions; 4 SFP, 16 copper gigabit
PA-2020: 500 Mbps FW, 200 Mbps threat prevention, 125,000 sessions; 2 SFP, 12 copper gigabit
PA-500: 250 Mbps FW, 100 Mbps threat prevention, 50,000 sessions; 8 copper gigabit
PA-5050: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020: 5 Gbps FW, 2 Gbps threat prevention, 1,000,000 sessions; 8 SFP, 12 copper gigabit
PA-5060: 20 Gbps FW, 10 Gbps threat prevention, 4,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You – Zion Ezra, VP Sales
POC and AVR Report
AVR Report (screenshots)
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Traditional Multi-Pass Architectures are Slow
(Diagram: four separate passes over the same traffic, each with its own port/protocol-based ID, L2/L3 networking, HA, config management and reporting)
- Firewall: port/protocol-based ID → firewall policy
- URL filtering: port/protocol-based ID → HTTP decoder → URL filtering policy
- IPS: port/protocol-based ID → IPS decoder → IPS signatures → IPS policy
- AV: port/protocol-based ID → AV decoder & proxy → AV signatures → AV policy
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
• Need to Restore Visibility and Control in the Firewall
(Figure: Collaboration, Media, SaaS, Personal applications)
• BUT… Applications Have Changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Exploit protection
Many months pass between black-hat discovery, white-hat discovery and protection being available
Need to protect all applications
A sandbox at the core
Needs user-based access control
Needs high-speed IPS and AV
Need to perform across all applications
Need to block the unknown
Conclusion: advanced-malware protection belongs in a next generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach: extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
(Diagram: control plane with quad-core CPU, RAM and dual HDD; data plane with the 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT), the switch fabric, and three security processors each with signature match and SSL/IPSec/decompression engines, multi-core CPUs and RAM, linked at 10 Gbps)
NGFW for mobile devices
Source: Gartner (March 2010)
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
(Figure: applications such as RPC, SMS, SQL, SharePoint, SMB and NetBIOS spread across ports 135, 137, 139, 80 and 443, plus random high ports)
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security
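To make the "Ports ≠ Applications" point concrete, here is an added example (not Palo Alto Networks code, and not App-ID itself) that classifies a flow from its first payload bytes and compares the result with what the destination port alone suggests; the protocol signatures are deliberately simplified and the sample flows are constructed.

```python
"""Constructed illustration of 'Ports != Applications': identify a flow from
its first payload bytes and compare with the port-based guess. Example code
added for this page, not Palo Alto Networks' App-ID; signatures simplified."""
from typing import Dict, List, NamedTuple

# What a port-based firewall assumes each port carries.
PORT_TABLE: Dict[int, str] = {22: "ssh", 80: "web-browsing", 443: "ssl",
                              445: "smb", 3389: "ms-rdp"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


class Flow(NamedTuple):
    dst_port: int
    payload: bytes   # first client-to-server bytes of the session


def port_based(flow: Flow) -> str:
    """Classification a stateful, port-based firewall would make."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def payload_based(flow: Flow) -> str:
    """Simplified content signatures for a handful of well-known protocols."""
    p = flow.payload
    if p.startswith(b"SSH-"):                          # SSH identification string
        return "ssh"
    if len(p) > 5 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "ssl"                                   # TLS handshake record, ClientHello
    if p.startswith(HTTP_METHODS) and b" HTTP/1." in p[:128]:
        return "web-browsing"
    if len(p) >= 8 and p[4:8] in (b"\xffSMB", b"\xfeSMB"):
        return "smb"                                   # SMB1/SMB2 after 4-byte NetBIOS length
    if len(p) > 5 and p[:2] == b"\x03\x00" and p[5] == 0xE0:
        return "ms-rdp"                                # TPKT header + X.224 Connection Request
    return "unknown"


def classify(flows: List[Flow]) -> List[dict]:
    """Return both verdicts per flow and flag where the port-based guess is wrong."""
    out = []
    for f in flows:
        by_port, by_payload = port_based(f), payload_based(f)
        out.append({"port": f.dst_port, "by_port": by_port,
                    "by_payload": by_payload, "mismatch": by_port != by_payload})
    return out


# Constructed sample payloads (not captured traffic).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(32)
SMB_NEGOTIATE = b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00"
RDP_CONNECT = b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"

SAMPLE_FLOWS = [
    Flow(443, TLS_CLIENT_HELLO),                                        # as expected
    Flow(445, SMB_NEGOTIATE),                                           # as expected
    Flow(8080, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),  # web on odd port
    Flow(80, b"SSH-2.0-OpenSSH_8.9\r\n"),                               # SSH hopped onto port 80
    Flow(443, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),        # plain HTTP on 443
    Flow(3389, RDP_CONNECT),                                            # as expected
    Flow(8443, TLS_CLIENT_HELLO),                                       # TLS on a non-standard port
]


if __name__ == "__main__":
    for row in classify(SAMPLE_FLOWS):
        flag = "MISMATCH" if row["mismatch"] else ""
        print(f"port {row['port']:5}  by port: {row['by_port']:13} by payload: {row['by_payload']:13} {flag}")
```

The four mismatches are exactly the flows a port-only policy would misclassify, which is why the slides insist that identification, logging and threat inspection be keyed on the application rather than the port.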
Palo Alto Networks: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5050
• 10 Gbps FW
• 5 Gbps threat prevention
• 4 Gbps IPSec VPN
• 10,000 SSL VPN users
• 2,000,000 sessions
• Up to 125 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5020
• 5 Gbps FW
• 2 Gbps threat prevention
• 2 Gbps IPSec VPN
• 5,000 SSL VPN users
• 1,000,000 sessions
• Up to 20 VSYS
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
PA-5060
• 20 Gbps FW
• 10 Gbps threat prevention
• 4 Gbps IPSec VPN
• 20,000 SSL VPN users
• 4,000,000 sessions
• Up to 225 VSYS
• (4) SFP+ (10 Gig) I/O
• (8) SFP (1 Gig) I/O
• (12) 10/100/1000
• Hot swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
(Figure: botnets threatening users who are off the enterprise network)
Enterprise Network Security: • Security based on best practices • Full-featured NGFW and threat prevention
No Network Security: • Security based on best effort • Exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates, operational and management overhead
Introducing GlobalProtect
• Users never go "off-network" regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
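The "How it works" steps (here and in the earlier GlobalProtect slide) combine three inputs in one decision: who the user is, which application the traffic carries, and what the agent reported about the host. The following toy policy engine is an added example, not Palo Alto Networks code; rule names, HIP fields and the sample sessions are hypothetical, and it shows why the same policy yields different verdicts for a patched, encrypted corporate laptop and an unmanaged device.

```python
"""Toy gateway decision combining user group, App-ID and the host information
profile (HIP), as the GlobalProtect slides describe. Constructed example, not
Palo Alto Networks code; field names, rules and sessions are hypothetical."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class HostInfoProfile:
    """Endpoint facts the agent reports (constructed fields)."""
    patch_age_days: int      # days since the last patch was applied
    asset_type: str          # "corporate" or "byod"
    disk_encrypted: bool


@dataclass(frozen=True)
class Session:
    user: str
    groups: FrozenSet[str]   # directory group membership (User-ID)
    app: str                 # application identified from traffic, not the port (App-ID)
    hip: HostInfoProfile


@dataclass(frozen=True)
class Rule:
    name: str
    groups: FrozenSet[str]   # any listed group matches
    apps: FrozenSet[str]
    require_encryption: bool = False
    max_patch_age_days: Optional[int] = None
    corporate_only: bool = False

    def hip_ok(self, hip: HostInfoProfile) -> bool:
        """Host posture conditions; a failed condition means the rule does not match."""
        if self.require_encryption and not hip.disk_encrypted:
            return False
        if self.max_patch_age_days is not None and hip.patch_age_days > self.max_patch_age_days:
            return False
        if self.corporate_only and hip.asset_type != "corporate":
            return False
        return True

    def matches(self, s: Session) -> bool:
        return bool(self.groups & s.groups) and s.app in self.apps and self.hip_ok(s.hip)


def evaluate(rules: List[Rule], s: Session) -> str:
    """First-match evaluation; a session no rule allows is denied by default."""
    for rule in rules:
        if rule.matches(s):
            return "allow:" + rule.name
    return "deny:default"


# Hypothetical policy: SSH/RDP only for IT admins on encrypted corporate machines
# (the slides' "only for authorized staff"); SharePoint for employees whose disk
# is encrypted and who are patched; general web browsing for all employees.
POLICY: List[Rule] = [
    Rule("admins-ssh-rdp", frozenset({"it-admins"}), frozenset({"ssh", "ms-rdp"}),
         require_encryption=True, corporate_only=True),
    Rule("staff-sharepoint", frozenset({"employees"}), frozenset({"sharepoint"}),
         require_encryption=True, max_patch_age_days=30),
    Rule("staff-web", frozenset({"employees"}), frozenset({"web-browsing"})),
]

HEALTHY = HostInfoProfile(patch_age_days=5, asset_type="corporate", disk_encrypted=True)
STALE_BYOD = HostInfoProfile(patch_age_days=90, asset_type="byod", disk_encrypted=False)


def decisions() -> Dict[str, str]:
    """Evaluate constructed sessions; location does not matter, the HIP and identity do."""
    admin = frozenset({"employees", "it-admins"})
    staff = frozenset({"employees"})
    cases = {
        "admin-ssh-healthy": Session("alice", admin, "ssh", HEALTHY),
        "staff-ssh-healthy": Session("bob", staff, "ssh", HEALTHY),
        "admin-sharepoint-stale-byod": Session("alice", admin, "sharepoint", STALE_BYOD),
        "admin-web-stale-byod": Session("alice", admin, "web-browsing", STALE_BYOD),
    }
    return {name: evaluate(POLICY, s) for name, s in cases.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:30} {verdict}")
```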
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
(Figure: threats shown as malware, botnets, exploits)
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identifies applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
copy 2008 Palo Alto Networks Proprietary and Confidential Page 41 |
Demo (offline) ndash Traffic Log
copy 2008 Palo Alto Networks Proprietary and Confidential Page 42 |
Enables Executive Visibility
copy 2009 Palo Alto Networks Proprietary and Confidential Page 43 |
PAN-OS Features
bull Strong networking foundation
- Dynamic routing (OSPF RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode ndash connect to SPAN port
- Virtual wire (ldquoLayer 1rdquo) for true transparent in-line deployment
- L2L3 switching foundation
bull QoS traffic shaping - Maxguaranteed and priority
- By user app interface zone and more
bull Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
bull High Availability
- Active Active
- Configuration and session synchronization
- Path link and HA monitoring
bull Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
bull Simple flexible management
- CLI Web Panorama SNMP Syslog
Visibility and control of applications users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
bull Intuitive and flexible management
- CLI Web Panorama SNMP Syslog
- Role-based administration enables delegation of tasks to appropriate person
bull Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACCmonitoring views log collection and reporting
bull All interfaces work on current configuration avoiding sync issues
NGFW for mobile devices
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Traditional Multi-Pass Architectures are Slow
(Diagram: the traffic is handled in four separate passes, each with its own port/protocol-based ID, L2/L3 networking, HA, configuration management and reporting: firewall policy; HTTP decoder with URL filtering policy; IPS decoder with IPS signatures and IPS policy; AV decoder & proxy with AV signatures and AV policy.)
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
  - Sees all traffic
  - Defines the trust boundary
• Need to restore visibility and control in the firewall
• BUT… applications have changed (collaboration, media, SaaS, personal)
  - Ports ≠ Applications
  - IP addresses ≠ Users
  - Packets ≠ Content
Exploit protection
• Many months can pass between black-hat discovery, white-hat discovery and a protection becoming available
• Needs to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Needs to perform across all applications
• Needs to block the unknown
• Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
PA-5060 architecture: 20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), viruses, spyware, credit-card and SSN patterns, and more
Security Processors
• High-density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High-speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware-accelerated per-packet route lookup, MAC lookup and NAT
(Diagram: the control plane (quad-core CPU, RAM, dual HDD) is separate from the data plane. On the data plane, a 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT) feeds a switch fabric, which connects over 10 Gbps links to three security processor complexes, each with its own CPUs, RAM, signature-match engine and SSL/IPSec/decompression offload.)
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to restore application visibility & control in the firewall
Today's network security is based on outdated assumptions…
(Diagram: RPC, SMS, SQL, SharePoint, SMB and NetBIOS spread across ports 80, 135, 137, 139 and 443, plus random high ports)
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security.
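The point of this slide, and of the earlier "Applications Have Changed – Firewalls Have Not" slide, is that a rule written in terms of ports no longer says anything reliable about the application it allows. The Python below is an added example, not Palo Alto Networks code and not a description of App-ID internals: it classifies constructed flows once by destination port and once by a few protocol fingerprints in the first client bytes (SSH banner, TLS record header, RDP X.224 connection request, HTTP request line), then evaluates one zone- and user-aware rulebase with each classifier. The zones, users, rules and sample flows are all made up. It shows both failure modes of a port-based firewall: it allows SSH tunnelled over 443 because that looks like SSL, and it blocks an authorized admin's RDP on a non-standard port because the port is unknown, while the content-based classifier gets both right and can also flag the port/application mismatch for the logs.

```python
"""Port-based vs. application-based policy on the same flows.
Added example, not Palo Alto Networks code. The payload fingerprints are a
few-byte stand-in for an application decoder; zones, users, rules and
flows are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    payload: bytes   # first bytes the client sent after the TCP handshake
    user: str        # assumed already resolved from the source IP (User-ID / directory)


# What a port-based (stateful inspection) firewall can know about a flow.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "ms-rdp"}
STANDARD_PORT = {app: port for port, app in PORT_TABLE.items()}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """Identify the application from the first client bytes, ignoring the port."""
    p = flow.payload
    if p.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record: content type 0x16 (handshake), version 0x03 0x00 .. 0x03 0x03
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x03:
        return "ssl"
    # RDP: TPKT header (03 00 len len) carrying an X.224 Connection Request (code 0xE0)
    if len(p) >= 6 and p[0:2] == b"\x03\x00" and p[5] == 0xE0:
        return "ms-rdp"
    if p.startswith(HTTP_METHODS) and b" HTTP/1." in p.split(b"\r\n", 1)[0]:
        return "web-browsing"
    return "unknown"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    apps: FrozenSet[str]
    users: Optional[FrozenSet[str]]   # None = any user
    action: str


# Hypothetical rulebase: admins may use SSH/RDP into the data-center zone,
# anyone may browse out, everything else falls to the implicit deny.
RULES = (
    Rule("admin-ssh-rdp", "trust", "dc", frozenset({"ssh", "ms-rdp"}),
         frozenset({"alice", "bob"}), "allow"),
    Rule("web-out", "trust", "untrust", frozenset({"web-browsing", "ssl"}),
         None, "allow"),
)


def evaluate(flow: Flow, classify: Callable[[Flow], str]) -> Tuple[str, str, str]:
    """First rule whose zones, application and user all match wins."""
    app = classify(flow)
    for r in RULES:
        if (r.from_zone, r.to_zone) != (flow.src_zone, flow.dst_zone):
            continue
        if app not in r.apps:
            continue
        if r.users is not None and flow.user not in r.users:
            continue
        return r.name, r.action, app
    return "implicit-deny", "deny", app


def on_nonstandard_port(flow: Flow) -> bool:
    """True when the payload says one application but the port says another
    (port hopping or tunnelling), which a port-only engine cannot notice."""
    app = classify_by_payload(flow)
    return app != "unknown" and STANDARD_PORT.get(app) != flow.dst_port


# Constructed sample flows (not captured traffic).
SSH_BANNER = b"SSH-2.0-OpenSSH_5.8\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32
RDP_CR = (b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00"
          b"\x01\x00\x08\x00\x03\x00\x00\x00")
SAMPLE_FLOWS: Dict[str, Flow] = {
    "alice-ssh-22-dc":   Flow("trust", "dc", 22, SSH_BANNER, "alice"),
    "carol-ssh-443-out": Flow("trust", "untrust", 443, SSH_BANNER, "carol"),
    "bob-rdp-2222-dc":   Flow("trust", "dc", 2222, RDP_CR, "bob"),
    "dave-rdp-3389-dc":  Flow("trust", "dc", 3389, RDP_CR, "dave"),
    "carol-tls-443-out": Flow("trust", "untrust", 443, TLS_HELLO, "carol"),
}


def compare(flows: Dict[str, Flow] = SAMPLE_FLOWS) -> Dict[str, dict]:
    """Decision of the port-based and the application-based rulebase per flow."""
    return {name: {"port_based": evaluate(f, classify_by_port)[1],
                   "app_based": evaluate(f, classify_by_payload)[1],
                   "app": classify_by_payload(f),
                   "nonstandard_port": on_nonstandard_port(f)}
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:19s} app={r['app']:12s} port-based={r['port_based']:5s} "
              f"app-based={r['app_based']:5s} nonstandard-port={r['nonstandard_port']}")
```

Run it directly to print the decision table. The fingerprints look only at the first bytes of a session; a real decoder keeps classifying as the session progresses (a browsing session can turn into a tunnelled application) and has to cope with fragmentation and other evasions, which is what the "resistance to evasion" figure in the NSS test measures.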
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications

Specification            PA-5020        PA-5050        PA-5060
Firewall throughput      5 Gbps         10 Gbps        20 Gbps
Threat prevention        2 Gbps         5 Gbps         10 Gbps
IPSec VPN                2 Gbps         4 Gbps         4 Gbps
SSL VPN users            5,000          10,000         20,000
Sessions                 1,000,000      2,000,000      4,000,000
Virtual systems (VSYS)   up to 20       up to 125      up to 225
SFP+ (10 Gig) I/O        none           4              4
SFP (1 Gig) I/O          8              8              8
10/100/1000 copper I/O   12             12             12

Common to the series:
• Hot-swappable fans and power supplies
• Dual solid-state hard drives
• Dedicated HA and management interfaces
• 2U standard rack-mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent threats
  - Stop a wide range of threats on all allowed traffic
  - Proven quality (NSS tested and "Recommended")
  - Security by policy, not hardwired into the deployment
• Comply and compartmentalize
  - Save time and cost to compliance with network segmentation
  - Segment by user group and application
• Simplify with a flexible network security infrastructure
  - With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
  - With simpler, easier deployments
  - With reduced network security rack-space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
(Diagram: inside the enterprise network, security is based on best practices with a full-featured NGFW and threat prevention; outside it there is no network security, protection is best-effort, and users are exposed to threats, botnets, risky app usage and more.)
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality; heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• A client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• An agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work, Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase; duplicates operational and management overhead
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
  - A small agent determines network location (on or off the enterprise network)
  - If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
  - The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
  - The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
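The four "How it works" steps above are a procedure: locate, tunnel, report a host profile, enforce. The Python below is an added example, not GlobalProtect code; the internal DNS name used for location detection, the gateway latencies, the HIP attribute names, the users and the rules are all hypothetical (on a real deployment HIP objects and profiles are configured on the firewall and matched there, and internal host detection uses a configured hostname/IP pair). It models the agent choosing the lowest-latency gateway when off-network and the gateway letting a rule match only when the reported host profile satisfies the rule's HIP requirements, reporting which checks failed when it does not.

```python
"""Location-aware agent plus HIP-gated policy on the gateway.
Added example, not GlobalProtect code: the internal DNS name, gateway
latencies, HIP attributes, users and rules are all hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HostInfo:
    """Host information profile the agent reports (constructed fields)."""
    user: str
    asset_type: str        # "corporate-laptop" or "byod"
    patch_age_days: int    # days since the OS was last patched
    disk_encrypted: bool
    av_running: bool


# ---- agent side ---------------------------------------------------------
INTERNAL_NAME = "hip-check.corp.example"   # hypothetical internal-only DNS name


def detect_location(resolves: Callable[[str], bool]) -> str:
    """On-network when an internal-only name resolves, otherwise off-network
    (a simplification of internal host detection)."""
    return "internal" if resolves(INTERNAL_NAME) else "external"


def choose_gateway(location: str, gateways: Dict[str, int]) -> Optional[str]:
    """Off-network hosts get an SSL VPN tunnel to the lowest-latency gateway;
    on-network traffic already crosses the internal firewall, so no tunnel."""
    if location == "internal" or not gateways:
        return None
    return min(gateways, key=gateways.get)


# ---- gateway side -------------------------------------------------------
@dataclass(frozen=True)
class Rule:
    name: str
    to_zone: str
    apps: frozenset
    hip: Dict[str, object]   # attribute -> required value, or predicate on it
    action: str


RULES = (
    Rule("dc-admin-access", "dc", frozenset({"ssh", "ms-rdp"}),
         {"asset_type": "corporate-laptop", "disk_encrypted": True,
          "patch_age_days": lambda days: days <= 30}, "allow"),
    Rule("web-out", "untrust", frozenset({"web-browsing", "ssl"}),
         {"av_running": True}, "allow"),
)


def hip_failures(host: HostInfo, hip: Dict[str, object]) -> List[str]:
    """Names of the HIP attributes of `host` that fail the rule's requirements."""
    failed = []
    for attr, cond in hip.items():
        value = getattr(host, attr)
        if not (cond(value) if callable(cond) else value == cond):
            failed.append(attr)
    return failed


def enforce(host: HostInfo, app: str, to_zone: str) -> Tuple[str, str, List[str]]:
    """First rule whose zone, application and HIP requirements all hold wins.
    A rule whose HIP profile does not match is skipped rather than denying,
    so the session falls through to the implicit deny with the failed checks."""
    reasons: List[str] = []
    for r in RULES:
        if r.to_zone != to_zone or app not in r.apps:
            continue
        failed = hip_failures(host, r.hip)
        if not failed:
            return r.name, r.action, []
        reasons.extend(f"{r.name}:{attr}" for attr in failed)
    return "implicit-deny", "deny", reasons


# Constructed sample data.
GATEWAYS = {"gw-telaviv": 12, "gw-london": 48, "gw-newyork": 95}   # made-up RTT in ms
HOSTS = {
    "alice-corp":  HostInfo("alice", "corporate-laptop", 10, True, True),
    "alice-stale": HostInfo("alice", "corporate-laptop", 60, True, True),
    "bob-byod":    HostInfo("bob", "byod", 3, False, True),
}


def session(host: HostInfo, app: str, to_zone: str, on_network: bool) -> dict:
    """End to end: locate, pick a gateway (or none), then enforce with HIP."""
    location = detect_location(lambda name: on_network)
    gateway = choose_gateway(location, GATEWAYS)
    rule, action, reasons = enforce(host, app, to_zone)
    return {"location": location, "gateway": gateway,
            "rule": rule, "action": action, "reasons": reasons}


if __name__ == "__main__":
    for name, host in HOSTS.items():
        for on_net in (False, True):
            print(name, "ssh->dc", "on-net" if on_net else "off-net",
                  session(host, "ssh", "dc", on_net))
```

The design decision worth noticing, which mirrors how a HIP profile behaves as a match condition, is that a failing host check does not turn an allow into a deny: the rule simply does not match and evaluation continues, so a permissive rule lower in the rulebase can still admit an unpatched or unencrypted host. Order rules accordingly and end with an explicit deny rather than relying on the implicit one.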
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
(Diagram labels: malware, botnets, exploits)
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
  - Users do what they want
  - Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
  - Leads to increased risk for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
  - App-ID: identifies applications regardless of port, protocol or SSL encryption
  - User-ID: integrated with the enterprise directory
  - Content-ID: threats, URLs, data
  - High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
  - Flexible deployment options for seamless integration
  - Consolidation of functionality into the firewall simplifies and saves money
Enables Executive Visibility
PAN-OS Features
• Strong networking foundation
  - Dynamic routing (OSPF, RIPv2)
  - Site-to-site IPSec VPN
  - SSL VPN for remote access
  - Tap mode: connect to a SPAN port
  - Virtual wire ("Layer 1") for true transparent in-line deployment
  - L2/L3 switching foundation
• QoS traffic shaping
  - Max, guaranteed and priority
  - By user, app, interface, zone and more
• Zone-based architecture
  - All interfaces are assigned to security zones for policy enforcement
• High Availability
  - Active/Active
  - Configuration and session synchronization
  - Path, link and HA monitoring
• Virtual Systems
  - Establish multiple virtual firewalls in a single device (PA-4000 Series only at the time of this 2009 slide; the PA-5000 Series specifications above also list virtual systems)
• Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features.
(Product line shown: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060)
Enterprise Device and Policy Management
• Intuitive and flexible management
  - CLI, Web, Panorama, SNMP, Syslog
  - Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
  - Shared policies enable consistent application control policies
  - Consolidated management, logging and monitoring of Palo Alto Networks devices
  - Consistent web interface between Panorama and the device UI
  - Network-wide ACC (Application Command Center) monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
Zero-Day Attack Protection: a sandbox at the core
Flexible Deployment Options
Transparent in-line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
copy 2009 Palo Alto Networks Proprietary and Confidential Page 43 |
PAN-OS Features
bull Strong networking foundation
- Dynamic routing (OSPF RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode ndash connect to SPAN port
- Virtual wire (ldquoLayer 1rdquo) for true transparent in-line deployment
- L2L3 switching foundation
bull QoS traffic shaping - Maxguaranteed and priority
- By user app interface zone and more
bull Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
bull High Availability
- Active Active
- Configuration and session synchronization
- Path link and HA monitoring
bull Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
bull Simple flexible management
- CLI Web Panorama SNMP Syslog
Visibility and control of applications users and content are complemented by core firewall features
PA-500
PA-2020
PA-2050
PA-4020
PA-4050
PA-4060
copy 2009 Palo Alto Networks Proprietary and Confidential Page 44 |
Enterprise Device and Policy Management
bull Intuitive and flexible management
- CLI Web Panorama SNMP Syslog
- Role-based administration enables delegation of tasks to appropriate person
bull Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management logging and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACCmonitoring views log collection and reporting
bull All interfaces work on current configuration avoiding sync issues
NGFW for mobile devices
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications

                          PA-5020            PA-5050            PA-5060
Firewall throughput       5 Gbps             10 Gbps            20 Gbps
Threat prevention         2 Gbps             5 Gbps             10 Gbps
IPSec VPN                 2 Gbps             4 Gbps             4 Gbps
SSL VPN users             5,000              10,000             20,000
Sessions                  1,000,000          2,000,000          4,000,000
Virtual systems (VSYS)    up to 20           up to 125          up to 225
I/O                       (8) SFP (1 Gig)    (4) SFP+ (10 Gig)  (4) SFP+ (10 Gig)
                          (12) 10/100/1000   (8) SFP (1 Gig)    (8) SFP (1 Gig)
                                             (12) 10/100/1000   (12) 10/100/1000

Common to all three models:
• Hot swappable fans and power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
  - Stop a wide range of threats on all allowed traffic
  - Proven quality (NSS tested and "Recommended")
  - Security by policy, not hardwired into deployment
• Comply and Compartmentalize
  - Save time and cost to compliance with network segmentation
  - Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
  - With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
  - With simpler, easier deployments
  - With reduced network security rack space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
[Diagram: users on the enterprise network sit behind the firewall; remote users face botnets and other threats with no network security in front of them]
Enterprise Network Security
• Security based on best practices
• Full-featured NGFW and threat prevention
No Network Security
• Security based on best effort
• Exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work, for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates; operational and management overhead
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
  - A small agent determines network location (on or off the enterprise network)
  - If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
  - The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
  - The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram labels: malware, botnets, exploits]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
  - Users do what they want
  - Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
  - Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
  - App-ID: identifies applications regardless of port, protocol or SSL encryption
  - User-ID: integrated with the enterprise directory
  - Content-ID: threats, URLs, data
  - High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
  - Flexible deployment options for seamless integration
  - Consolidation of functionality into the firewall simplifies and saves money
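As an added example (not Palo Alto Networks' code, and not App-ID's real signatures), here is a miniature of the policy model these slides describe: the session's application is identified from its payload rather than its destination port, a directory group lookup stands in for User-ID, and the host information profile from the GlobalProtect section gates the rule, so a rule such as "SSH/RDP only for authorized staff" can be checked. Every signature, user, HIP attribute and rule below is constructed sample data.

```python
"""Toy model of identification-based policy (added example, not vendor code):
a session is matched on the application identified from its payload, the
user's directory groups and the host information profile (HIP), rather
than on the destination port alone.  All data below is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed byte-prefix signatures standing in for App-ID.  The lookup
# keys on the payload, never on the port number.
APP_SIGNATURES: Dict[str, bytes] = {
    "ssh": b"SSH-2.0-",        # SSH version banner
    "rdp": b"\x03\x00",        # TPKT header that carries RDP
    "smb": b"\xffSMB",         # SMB1 header
    "web-browsing": b"GET ",   # plain HTTP request line
    "ssl": b"\x16\x03",        # TLS handshake record
}

# Well-known port table that a port-based, stateful firewall relies on.
PORT_TABLE: Dict[int, str] = {
    22: "ssh", 80: "web-browsing", 443: "ssl", 445: "smb", 3389: "rdp",
}

# Constructed directory lookup standing in for User-ID (user -> groups).
USER_GROUPS: Dict[str, List[str]] = {
    "alice": ["staff"],
    "bob": ["staff", "it-admins"],
}


@dataclass
class Flow:
    user: str               # resolved by User-ID
    dst_port: int
    payload: bytes          # first bytes the client sent
    hip: Dict[str, bool]    # host information profile reported by the agent


@dataclass
class Rule:
    apps: List[str]               # applications the rule covers
    groups: List[str]             # allowed user groups; "any" matches everyone
    require_hip: Dict[str, bool]  # HIP attributes the host must report
    action: str                   # "allow" or "deny"


def identify_app(payload: bytes) -> str:
    """Content-based identification: match the payload, ignore the port."""
    for app, signature in APP_SIGNATURES.items():
        if payload.startswith(signature):
            return app
    return "unknown"


def port_app(port: int) -> str:
    """Port-based identification: whatever the port table says."""
    return PORT_TABLE.get(port, "unknown")


def classify_by_port(flow: Flow) -> str:
    return port_app(flow.dst_port)


def classify_by_content(flow: Flow) -> str:
    return identify_app(flow.payload)


def rule_matches(rule: Rule, app: str, flow: Flow) -> bool:
    if app not in rule.apps:
        return False
    if "any" not in rule.groups:
        user_groups = set(USER_GROUPS.get(flow.user, []))
        if not user_groups & set(rule.groups):
            return False
    # Every required HIP attribute must be present with the required value.
    return all(flow.hip.get(k) == v for k, v in rule.require_hip.items())


def decide(flow: Flow, rules: List[Rule], classify: Callable[[Flow], str]) -> str:
    """First matching rule wins; anything unmatched, 'unknown' included, is denied."""
    app = classify(flow)
    for rule in rules:
        if rule_matches(rule, app, flow):
            return rule.action
    return "deny"


# Constructed policy: SSH/RDP only for IT admins on patched, encrypted hosts;
# web browsing and SSL for everyone; nothing else gets through.
POLICY: List[Rule] = [
    Rule(["ssh", "rdp"], ["it-admins"],
         {"patched": True, "disk_encrypted": True}, "allow"),
    Rule(["web-browsing", "ssl"], ["any"], {}, "allow"),
]

if __name__ == "__main__":
    # An SSH session on TCP/443 from a staff user whose host is compliant.
    session = Flow("alice", 443, b"SSH-2.0-OpenSSH_5.3",
                   {"patched": True, "disk_encrypted": True})
    print("port-based:   ", decide(session, POLICY, classify_by_port))     # allow
    print("content-based:", decide(session, POLICY, classify_by_content))  # deny
```

Running it shows the same SSH session on TCP/443 passing the port-based lookup (the port table says "ssl") and being denied by the content-based one (the payload says "ssh", and alice is not in it-admins).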
Enterprise Device and Policy Management
• Intuitive and flexible management
  - CLI, Web, Panorama, SNMP, Syslog
  - Role-based administration enables delegation of tasks to the appropriate person
• Panorama central management application
  - Shared policies enable consistent application control policies
  - Consolidated management, logging and monitoring of Palo Alto Networks devices
  - Consistent web interface between Panorama and the device UI
  - Network-wide ACC/monitoring views, log collection and reporting
• All interfaces work on the current configuration, avoiding sync issues
Zero Day Attack Protection
• A sandbox at the core
Flexible Deployment Options
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate Segmentation
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
[Diagram: Datacenter 1 and Datacenter 2, divided into Segment A, Segment B and Segment C]
Palo Alto Networks Next-Gen Firewalls

Model     Firewall    Threat prevention   Sessions    Interfaces
PA-5060   20 Gbps     10 Gbps             4,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5050   10 Gbps     5 Gbps              2,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020   5 Gbps      2 Gbps              1,000,000   8 SFP, 12 copper gigabit
PA-4060   10 Gbps     5 Gbps              2,000,000   4 XFP (10 Gig), 4 SFP (1 Gig)
PA-4050   10 Gbps     5 Gbps              2,000,000   8 SFP, 16 copper gigabit
PA-4020   2 Gbps      2 Gbps              500,000     8 SFP, 16 copper gigabit
PA-2050   1 Gbps      500 Mbps            250,000     4 SFP, 16 copper gigabit
PA-2020   500 Mbps    200 Mbps            125,000     2 SFP, 12 copper gigabit
PA-500    250 Mbps    100 Mbps            50,000      8 copper gigabit
The innovative approach: extend security to all network traffic
Thank You
Zion Ezra
VP Sales
POC and AVR Report
AVR Report
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have limited view of traffic
• Turning on functions kills performance
Traditional Multi-Pass Architectures are Slow
[Diagram: four separate passes, Firewall Policy, URL Filtering Policy, IPS Policy and AV Policy, each with its own port/protocol-based ID, its own decoder (HTTP decoder, IPS decoder, AV decoder & proxy) and its own L2/L3 networking, HA, config management and reporting]
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
  - Sees all traffic
  - Defines the trust boundary
• Need to Restore Visibility and Control in the Firewall
[Diagram: application categories Collaboration, Media, SaaS, Personal]
• BUT… Applications Have Changed
  - Ports ≠ Applications
  - IP Addresses ≠ Users
  - Packets ≠ Content
Exploit protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Needs to perform across all applications
• Needs to block the unknown
• Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO: httpsca2demopaloaltonetworkscomesploginesp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach: extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
NGFW for mobile devices
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 46 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 48 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
Palo Alto Networks Next-Gen Firewalls
PA-4050: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions; 8 SFP, 16 copper gigabit
PA-4020: 2 Gbps FW, 2 Gbps threat prevention, 500,000 sessions; 8 SFP, 16 copper gigabit
PA-4060: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions; 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050: 1 Gbps FW, 500 Mbps threat prevention, 250,000 sessions; 4 SFP, 16 copper gigabit
PA-2020: 500 Mbps FW, 200 Mbps threat prevention, 125,000 sessions; 2 SFP, 12 copper gigabit
PA-500: 250 Mbps FW, 100 Mbps threat prevention, 50,000 sessions; 8 copper gigabit
PA-5050: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020: 5 Gbps FW, 2 Gbps threat prevention, 1,000,000 sessions; 8 SFP, 12 copper gigabit
PA-5060: 20 Gbps FW, 10 Gbps threat prevention, 4,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You
Zion Ezra, VP Sales
POC and AVR Report
AVR Report
UTM Is Still Sprawl... Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Traditional Multi-Pass Architectures are Slow
[Diagram: four serial passes over the same traffic, each with its own port/protocol-based ID, L2/L3 networking, HA, config management and reporting: firewall policy; HTTP decoder with URL filtering policy; IPS decoder with IPS signatures and IPS policy; AV decoder & proxy with AV signatures and AV policy]
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines the trust boundary
• BUT... Applications Have Changed (collaboration, media, SaaS, personal)
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
• Need to Restore Visibility and Control in the Firewall
Exploit protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Need to perform across all applications
• Need to block the unknown
Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
INSANITY: doing the same thing over and over again and expecting different results
• Block applications and users
The innovative approach: extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High-density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High-speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware-accelerated per-packet route lookup, MAC lookup and NAT
[Diagram: control plane (quad-core CPU, RAM, dual HDD) linked at 10 Gbps to the data plane; the 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT) feeds the switch fabric, which connects the signature match engines and three security processor groups (SSL, IPSec, decompression; CPUs 1-12 with RAM)]
NGFW for mobile devices
Source: Gartner (March 2010)
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions...
[Diagram: RPC, SMB, SQL, SharePoint and NetBIOS mapped onto ports 135, 137, 139, 80 and 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security.
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
PA-5050: 10 Gbps FW; 5 Gbps threat prevention; 4 Gbps IPSec VPN; 10,000 SSL VPN users; 2,000,000 sessions; up to 125 VSYS; (4) SFP+ (10 Gig) I/O; (8) SFP (1 Gig) I/O; (12) 10/100/1000
PA-5020: 5 Gbps FW; 2 Gbps threat prevention; 2 Gbps IPSec VPN; 5,000 SSL VPN users; 1,000,000 sessions; up to 20 VSYS; (8) SFP (1 Gig) I/O; (12) 10/100/1000
PA-5060: 20 Gbps FW; 10 Gbps threat prevention; 4 Gbps IPSec VPN; 20,000 SSL VPN users; 4,000,000 sessions; up to 225 VSYS; (4) SFP+ (10 Gig) I/O; (8) SFP (1 Gig) I/O; (12) 10/100/1000
Common to the series:
• Hot-swappable fans and power supplies
• Dual solid-state hard drives
• Dedicated HA and management interfaces
• 2U standard rack-mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality; heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase; duplicates operational and management overhead
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram: threats labelled malware, botnets, exploits]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identifies applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
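The port-hopping point above and the GlobalProtect "how it works" list earlier in the deck make the same argument: a decision keyed on the port alone cannot see the application, the user or the host's state. The Python below is an added illustration, not Palo Alto Networks code; the rule structure, application names, HIP fields and sample sessions are constructed for this example.

```python
"""Constructed policy-evaluation example (not Palo Alto Networks code).
Each session carries what the deck says the gateway has: the App-ID application,
the user's User-ID directory groups, the Content-ID verdict, and the host information
profile (HIP) the GlobalProtect agent submits. Application names, HIP fields and rule
names are assumptions made for this example."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class HostProfile:
    asset_type: str          # e.g. "corporate-laptop" (constructed value)
    disk_encryption: bool
    patch_level: str         # "current" or "stale" in this example


@dataclass(frozen=True)
class Session:
    user: str
    groups: FrozenSet[str]        # User-ID: groups from the enterprise directory
    app: str                      # App-ID: "unknown-tcp" when unclassified
    dst_port: int
    content_verdict: str          # Content-ID: "clean" or "threat"
    hip: Optional[HostProfile]    # None when no agent reported a profile


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                     # "allow" or "deny"
    apps: Optional[FrozenSet[str]] = None           # None = any application
    groups: Optional[FrozenSet[str]] = None         # None = any user
    ports: Optional[FrozenSet[int]] = None          # None = any port
    hip_check: Optional[Callable[[HostProfile], bool]] = None

    def matches(self, s: Session) -> bool:
        if self.apps is not None and s.app not in self.apps:
            return False
        if self.groups is not None and not (s.groups & self.groups):
            return False
        if self.ports is not None and s.dst_port not in self.ports:
            return False
        # A rule that requires a host profile fails closed when none was submitted.
        if self.hip_check is not None and (s.hip is None or not self.hip_check(s.hip)):
            return False
        return True


def evaluate(rules: List[Rule], s: Session, content_inspection: bool) -> Tuple[str, str]:
    """First-match evaluation; with content inspection a threat verdict overrides an allow."""
    for rule in rules:
        if rule.matches(s):
            if rule.action == "allow" and content_inspection and s.content_verdict == "threat":
                return ("deny", f"{rule.name} (blocked by Content-ID)")
            return (rule.action, rule.name)
    return ("deny", "implicit-deny")


def healthy(h: HostProfile) -> bool:
    """HIP condition: corporate asset, encrypted disk, current patch level."""
    return h.asset_type == "corporate-laptop" and h.disk_encryption and h.patch_level == "current"


# Port-based stateful-inspection policy: the only attribute it can match is the port.
PORT_RULES = [
    Rule("web-out", "allow", ports=frozenset({80, 443})),
    Rule("admin-out", "allow", ports=frozenset({22, 3389})),
]
# Application/user/HIP policy of the kind the slides describe.
NGFW_RULES = [
    Rule("collab-healthy-hosts", "allow", apps=frozenset({"sharepoint", "web-browsing"}),
         groups=frozenset({"employees"}), hip_check=healthy),
    Rule("remote-admin-staff-only", "allow", apps=frozenset({"ssh", "ms-rdp"}),
         groups=frozenset({"it-admins"}), hip_check=healthy),
    Rule("block-unknown", "deny", apps=frozenset({"unknown-tcp", "unknown-udp"})),
]
CORP_OK = HostProfile("corporate-laptop", True, "current")

# Constructed sessions, one per point the deck makes.
SESSIONS: Dict[str, Session] = {
    # File sharing hopping onto 443: a port rule sees only "web".
    "filesharing-on-443": Session("bob", frozenset({"employees"}), "bittorrent", 443, "clean", CORP_OK),
    # Legitimate SharePoint, but the laptop's disk is not encrypted.
    "sharepoint-unencrypted": Session("alice", frozenset({"employees"}), "sharepoint", 443, "clean",
                                      HostProfile("corporate-laptop", False, "current")),
    # RDP from an admin on a healthy corporate laptop, and from a regular employee.
    "rdp-admin": Session("carol", frozenset({"employees", "it-admins"}), "ms-rdp", 3389, "clean", CORP_OK),
    "rdp-employee": Session("bob", frozenset({"employees"}), "ms-rdp", 3389, "clean", CORP_OK),
    # Browsing from a healthy host, but Content-ID flagged an exploit in the response.
    "web-with-threat": Session("alice", frozenset({"employees"}), "web-browsing", 80, "threat", CORP_OK),
    # Unclassified traffic on a random high port from a host with no agent profile.
    "unknown-high-port": Session("dave", frozenset({"employees"}), "unknown-tcp", 49152, "clean", None),
}


def compare(name: str) -> Dict[str, Tuple[str, str]]:
    """Verdict of the port-only policy next to the App-ID/User-ID/Content-ID/HIP policy."""
    s = SESSIONS[name]
    return {"port_based": evaluate(PORT_RULES, s, content_inspection=False),
            "ngfw": evaluate(NGFW_RULES, s, content_inspection=True)}


if __name__ == "__main__":
    for name in SESSIONS:
        r = compare(name)
        print(f"{name:24} port-based={r['port_based'][0]:5}  ngfw={r['ngfw'][0]:5} ({r['ngfw'][1]})")
```

Running it shows the port-only policy allowing every session that lands on 80, 443 or 3389, while the second rule set denies the port-hopping file sharer, the unencrypted laptop and the non-admin RDP user, and blocks the flagged response even though the rule itself matched.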
Zero Day Attacks Protection
a sandbox at the core
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today: Quality of Security Tied to Location
[diagram label: botnets]
Enterprise Network Security
• Security Based on Best-Practices
• Full-Featured NGFW and Threat Prevention
No Network Security
• Security Based on Best-Effort
• Exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase duplicates; operational and management overhead
Introducing GlobalProtect
• Users never go "off-network" regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
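The four steps above as a runnable model. This is an added example, not Palo Alto Networks code and not the GlobalProtect agent: the corporate address ranges, the gateway names, the group names, the HIP fields (patch age in days, asset type, disk encryption) and the two policy rules are all assumptions made for the demonstration. What it shows is that the host information profile is one more match condition inside the same rule that matches application, user group and URL category, so a client gets the same verdict whether it arrived directly or over the SSL VPN.

```python
"""Toy model of the GlobalProtect flow: locate, connect, report HIP, enforce.

Added illustration, not Palo Alto Networks code. Network ranges, gateway
names, group names, rule fields and HIP fields are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Assumed corporate address space; anything outside it is "off-network".
ENTERPRISE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]

# Assumed gateway per region; the agent picks the nearest one.
GATEWAYS = {"emea": "gw-emea.example.test", "amer": "gw-amer.example.test"}


@dataclass
class HostProfile:
    """Host information the agent submits (fields named on the slide)."""
    patch_age_days: int        # days since the last patch cycle (assumed unit)
    asset_type: str            # "corporate" or "byod"
    disk_encrypted: bool


@dataclass
class Request:
    client_ip: str
    region: str
    user: str
    groups: Set[str]           # from the enterprise directory (User-ID)
    app: str                   # identified from traffic, not from the port (App-ID)
    url_category: str          # from content inspection (Content-ID)
    hip: HostProfile


@dataclass
class Rule:
    name: str
    apps: Set[str]
    groups: Set[str]
    url_categories: Set[str]   # empty set means any category
    require_encrypted: bool = False
    max_patch_age: Optional[int] = None
    action: str = "allow"


def is_on_network(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ENTERPRISE_NETS)


def connect_path(client_ip: str, region: str) -> str:
    """Steps 1-2: direct when inside, otherwise SSL VPN to the nearest gateway."""
    if is_on_network(client_ip):
        return "direct"
    return "ssl-vpn:" + GATEWAYS[region]


def hip_matches(rule: Rule, hip: HostProfile) -> bool:
    """Steps 3-4: the HIP is one more match condition, not a separate product."""
    if rule.require_encrypted and not hip.disk_encrypted:
        return False
    if rule.max_patch_age is not None and hip.patch_age_days > rule.max_patch_age:
        return False
    return True


def evaluate(rules, req: Request) -> Tuple[str, str]:
    """First matching rule wins; no match falls through to an implicit deny."""
    for rule in rules:
        if req.app not in rule.apps:
            continue
        if not (req.groups & rule.groups):
            continue
        if rule.url_categories and req.url_category not in rule.url_categories:
            continue
        if not hip_matches(rule, req.hip):
            continue
        return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed policy: admins may use SSH/RDP only from patched, encrypted hosts;
# all staff may browse business and news sites; everything else is denied.
POLICY = [
    Rule("admin-remote-access", {"ssh", "ms-rdp"}, {"it-admins"}, set(),
         require_encrypted=True, max_patch_age=30),
    Rule("staff-web", {"web-browsing"}, {"all-staff"}, {"business", "news"}),
]


def decide(req: Request):
    """The same policy is applied whichever path the client came in on."""
    path = connect_path(req.client_ip, req.region)
    action, rule = evaluate(POLICY, req)
    return {"path": path, "action": action, "rule": rule}


if __name__ == "__main__":
    healthy = HostProfile(patch_age_days=3, asset_type="corporate", disk_encrypted=True)
    stale = HostProfile(patch_age_days=90, asset_type="corporate", disk_encrypted=False)
    groups = {"it-admins", "all-staff"}
    print(decide(Request("10.20.30.40", "emea", "alice", groups, "ssh", "unknown", healthy)))
    print(decide(Request("203.0.113.9", "emea", "alice", groups, "ssh", "unknown", stale)))
```

Run it directly to see the two decisions: the stale, unencrypted laptop is denied SSH even though user and application match the rule, and the denial comes from the gateway rather than from software on the laptop.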
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[diagram labels: malware, botnets, exploits]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identifies applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
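An added illustration of the port-hopping and tunneling gap described above, and of why App-ID-style identification is keyed on traffic content rather than port. It is not Palo Alto Networks code and not its signatures: the byte-pattern fingerprints, the admin jump-host address, the policy and the sample flows are all constructed for the example. Each flow is labelled twice, once from its destination port and once from its first payload bytes, and a policy written in application terms is evaluated against both labels so the verdicts can be compared.

```python
"""Port-based classification versus payload-based application identification.

Added illustration, not Palo Alto Networks code or App-ID signatures. The
fingerprints are simplified protocol prefixes; ADMIN_HOSTS, the policy and
SAMPLE_FLOWS are constructed for the demo.
"""
from dataclasses import dataclass
from typing import List, Tuple

# What a port-based (stateful inspection) firewall believes each port carries.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "ms-rdp"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass
class Flow:
    src: str
    dst_port: int
    payload: bytes             # first client-to-server bytes of the session


def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """Minimal protocol fingerprints; a real engine uses full decoders and
    follows the session, but the principle (look at content, not port) is the same."""
    p = flow.payload
    if p.startswith(b"SSH-2.0-") or p.startswith(b"SSH-1.99-"):
        return "ssh"
    if p[:1] == b"\x16" and p[1:2] == b"\x03":      # TLS record: handshake, version 3.x
        return "ssl"
    if p.startswith(b"CONNECT "):                    # HTTP proxy tunnel request
        return "http-proxy-tunnel"
    if p.startswith(HTTP_METHODS):
        return "web-browsing"
    if p[:2] == b"\x03\x00":                         # TPKT header that precedes RDP X.224
        return "ms-rdp"
    return "unknown"


def mismatches(flows: List[Flow]) -> List[Tuple[str, int, str, str]]:
    """Flows whose port label and payload label disagree: the blind spot of
    port-based control, and a useful audit signal on any firewall's logs."""
    out = []
    for f in flows:
        by_port, by_app = classify_by_port(f), classify_by_payload(f)
        if by_port != by_app:
            out.append((f.src, f.dst_port, by_port, by_app))
    return out


# Constructed policy in application terms: SSH and RDP only from the admin
# jump host, browsing (plain or TLS) from anyone, everything else denied.
ADMIN_HOSTS = {"10.0.0.5"}


def policy_decision(app: str, src: str) -> str:
    if app in {"ssh", "ms-rdp"}:
        return "allow" if src in ADMIN_HOSTS else "deny"
    if app in {"web-browsing", "ssl"}:
        return "allow"
    return "deny"


def compare(flows: List[Flow]) -> List[Tuple[str, int, str, str]]:
    """Decision each classifier would produce for the same flow:
    (src, dst_port, port-based verdict, application-based verdict)."""
    return [(f.src, f.dst_port,
             policy_decision(classify_by_port(f), f.src),
             policy_decision(classify_by_payload(f), f.src))
            for f in flows]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),                    # admin SSH on 22
    Flow("10.0.7.21", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),                  # SSH hopped onto 443
    Flow("10.0.7.21", 80, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),      # TLS on port 80
    Flow("10.0.7.22", 8080, b"CONNECT files.example.test:443 HTTP/1.1\r\n"),
    Flow("10.0.9.3", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n"),        # ordinary browsing
]

if __name__ == "__main__":
    for row in mismatches(SAMPLE_FLOWS):
        print("port/app mismatch:", row)
    for row in compare(SAMPLE_FLOWS):
        print("src=%s port=%d port-based=%s app-based=%s" % row)
```

The second sample flow is the slide's point in miniature: the port-based classifier labels it "ssl" and allows it, while the payload says SSH from a non-admin host and the application-level policy denies it. The mismatch list is the defensive by-product: any flow whose port and identified application disagree is worth a rule review whatever firewall produced the log.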
A sandbox at the core
Flexible Deployment Options
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Ultimate Segmentation
[diagram: Datacenter 1, Datacenter 2; Segment A, Segment B, Segment C]
• Controls applications & users for datacenter resource access
• IPS with app visibility & content control
Palo Alto Networks IPS: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
Palo Alto Networks Next-Gen Firewalls
Model    Firewall   Threat prevention   Sessions    Interfaces
PA-4050  10 Gbps    5 Gbps              2,000,000   8 SFP, 16 copper gigabit
PA-4020  2 Gbps     2 Gbps              500,000     8 SFP, 16 copper gigabit
PA-4060  10 Gbps    5 Gbps              2,000,000   4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050  1 Gbps     500 Mbps            250,000     4 SFP, 16 copper gigabit
PA-2020  500 Mbps   200 Mbps            125,000     2 SFP, 12 copper gigabit
PA-500   250 Mbps   100 Mbps            50,000      8 copper gigabit
PA-5050  10 Gbps    5 Gbps              2,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020  5 Gbps     2 Gbps              1,000,000   8 SFP, 12 copper gigabit
PA-5060  20 Gbps    10 Gbps             4,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You
Zion Ezra, VP Sales
POC and AVR Report
AVR Report
AVR Report
[diagram label: Internet]
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Traditional Multi-Pass Architectures are Slow
[diagram: four separate devices, each repeating the same base layers and adding its own decoder, signatures and policy]
Firewall:       Port/Protocol-based ID; L2/L3 Networking, HA, Config Management, Reporting; Firewall Policy
URL Filtering:  Port/Protocol-based ID; L2/L3 Networking, HA, Config Management, Reporting; HTTP Decoder; URL Filtering Policy
IPS:            Port/Protocol-based ID; L2/L3 Networking, HA, Config Management, Reporting; IPS Decoder; IPS Signatures; IPS Policy
AV:             Port/Protocol-based ID; L2/L3 Networking, HA, Config Management, Reporting; AV Decoder & Proxy; AV Signatures; AV Policy
Applications Have Changed, Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines the trust boundary
• Need to Restore Visibility and Control in the Firewall
[diagram: application categories: Collaboration, Media, SaaS, Personal]
• BUT… Applications Have Changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Exploit protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Needs to perform across all applications
• Needs to block the unknown
• Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach: extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC# and SSN, and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[block diagram: Control Plane (quad-core CPU, RAM, dual HDD) beside the Data Plane; the Network Processor (QoS, flow control, route/ARP/MAC lookup, NAT) feeds the Switch Fabric at 20 Gbps, which feeds three Security Processor blocks over 10 Gbps links, each with CPU 1/CPU 2, RAM, Signature Match and SSL/IPSec/decompression engines]
NGFW for mobile devices
[Magic Quadrant residue] Source: Gartner, as of March 2010
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
[diagram: data center applications (RPC, SMS, SQL, SharePoint, SMB, NetBIOS) mapped to ports 135, 137, 139, 80, 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security
Palo Alto Networks: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
                     PA-5050       PA-5020       PA-5060
Firewall             10 Gbps       5 Gbps        20 Gbps
Threat prevention    5 Gbps        2 Gbps        10 Gbps
IPSec VPN            4 Gbps        2 Gbps        4 Gbps
SSL VPN users        10,000        5,000         20,000
Sessions             2,000,000     1,000,000     4,000,000
Virtual systems      up to 125     up to 20      up to 225
SFP+ (10 Gig) I/O    4             0             4
SFP (1 Gig) I/O      8             8             8
10/100/1000 I/O      12            12            12
Common to all models:
• Hot swappable fans and power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
Flexible Deployment Options
Transparent In-Line Firewall Replacement
bull IPS with app visibility amp control
bull Consolidation of IPS amp URL filtering
bull Firewall replacement with app visibility amp control
bull Firewall + IPS
bull Firewall + IPS + URL filtering
Ultimate segmentation
Datacenter 1 Datacenter 2
bull Controls applications amp users for datacenter resource access
bull IPS with app visibility amp content control
Segment A Segment B
Segment C
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
Palo Alto Networks IPS Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 53 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 54 |
Palo Alto Networks Next-Gen Firewalls
PA-4050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 8 SFP 16 copper gigabit
PA-4020 bull 2 Gbps FW2 Gbps threat
prevention500000 sessions
bull 8 SFP 16 copper gigabit
PA-4060 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 XFP (10 Gig) 4 SFP (1 Gig)
PA-2050 bull 1 Gbps FW500 Mbps threat
prevention250000 sessions
bull 4 SFP 16 copper gigabit
PA-2020 bull 500 Mbps FW200 Mbps threat
prevention125000 sessions
bull 2 SFP 12 copper gigabit
PA-500 bull 250 Mbps FW100 Mbps threat
prevention50000 sessions
bull 8 copper gigabit
PA-5050 bull 10 Gbps FW5 Gbps threat
prevention2000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
PA-5020 bull 5 Gbps FW2 Gbps threat
prevention1000000 sessions
bull 8 SFP 12 copper gigabit
PA-5060 bull 20 Gbps FW10 Gbps threat
prevention4000000 sessions
bull 4 SFP+ (10 Gig) 8 SFP (1 Gig) 12 copper gigabit
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and “Recommended”)
- Security by policy, not hardwired into the deployment
• Comply and Compartmentalize
- Save time and cost on compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
Enterprise Network Security
• Security based on best practices
• Full-featured NGFW and threat prevention
No Network Security
• Security based on best effort
• Exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality; heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content; fails to control modern apps and threats
• Expensive to purchase duplicates; operational and management overhead
Introducing GlobalProtect
• Users never go “off-network”, regardless of location
• All firewalls work together to provide a “cloud” of network security
• How it works
- A small agent determines the network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
- The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
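The four steps above, modelled as an added example (not GlobalProtect code and not Palo Alto Networks' policy format): a toy gateway that takes the identified app, the user's directory groups and the host information profile (HIP) and returns a verdict, with the HIP acting as a match condition so that a non-compliant host falls through to the implicit deny. Rule names, group names, the "corporate"/"byod" asset types and the patch-age field are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class HostProfile:
    """Constructed stand-in for the host information profile (HIP) the agent submits."""
    asset_type: str        # "corporate" or "byod" (hypothetical values)
    disk_encrypted: bool
    patch_age_days: int    # days since the last patch was applied (hypothetical field)


@dataclass(frozen=True)
class Flow:
    """One session as the gateway sees it after identification."""
    user: str
    groups: FrozenSet[str]   # directory groups (the User-ID part)
    app: str                 # application name (the App-ID part)
    on_network: bool         # location reported by the agent
    hip: HostProfile


@dataclass(frozen=True)
class Rule:
    """One policy rule; HIP conditions are match criteria, not a separate check."""
    name: str
    apps: FrozenSet[str]
    groups: Optional[FrozenSet[str]] = None   # None: any user
    require_encrypted: bool = False
    max_patch_age_days: Optional[int] = None
    corporate_only: bool = False
    action: str = "allow"


# Constructed policy; rule and group names are hypothetical.
POLICY: List[Rule] = [
    Rule("admin-remote-access", frozenset({"ssh", "ms-rdp"}), frozenset({"it-admins"}),
         require_encrypted=True, max_patch_age_days=30, corporate_only=True),
    Rule("web-all-users", frozenset({"web-browsing", "ssl"})),
    Rule("block-p2p", frozenset({"bittorrent"}), action="deny"),
]


def hip_failures(rule: Rule, hip: HostProfile) -> List[str]:
    """Every host-state condition of the rule that this profile fails to meet."""
    failures: List[str] = []
    if rule.require_encrypted and not hip.disk_encrypted:
        failures.append("disk not encrypted")
    if rule.max_patch_age_days is not None and hip.patch_age_days > rule.max_patch_age_days:
        failures.append(f"patch age {hip.patch_age_days}d exceeds {rule.max_patch_age_days}d")
    if rule.corporate_only and hip.asset_type != "corporate":
        failures.append(f"asset type {hip.asset_type!r} not permitted")
    return failures


def path(flow: Flow) -> str:
    """Step 2 of the slide: off-network hosts reach the gateway over the agent's SSL VPN."""
    return "direct" if flow.on_network else "ssl-vpn"


def evaluate(flow: Flow) -> Tuple[str, str, List[str]]:
    """Step 4: the first rule matching app, user group AND host profile decides.
    Location never alters the verdict, only the path; a HIP miss means the rule
    does not match, so evaluation continues and may end in the implicit deny."""
    reasons: List[str] = []
    for rule in POLICY:
        if flow.app not in rule.apps:
            continue
        if rule.groups is not None and not (flow.groups & rule.groups):
            continue
        failures = hip_failures(rule, flow.hip)
        if failures:
            reasons.extend(f"{rule.name}: {f}" for f in failures)
            continue
        return rule.action, rule.name, []
    return "deny", "implicit-deny", reasons or ["no rule matched"]


if __name__ == "__main__":
    laptop = HostProfile("corporate", disk_encrypted=True, patch_age_days=5)
    for f in (Flow("alice", frozenset({"it-admins"}), "ssh", False, laptop),
              Flow("bob", frozenset({"staff"}), "ssh", True, laptop)):
        print(f.user, f.app, path(f), evaluate(f))
```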
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Figure: threat labels recovered from the diagram: malware, botnets, exploits]
Regain Visibility and Control, Save Money
• IT can’t manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risk for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identifies applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
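An added illustration of the port-hopping point above (not Palo Alto Networks' App-ID; the signatures and sample flows are constructed): a port-table lookup beside a small payload-signature classifier, run over flows whose real protocol does not match the port they use, so the mismatch list shows exactly what a port-based rule base cannot see.

```python
from typing import Dict, List, NamedTuple, Sequence, Tuple

# Classic port-based classification: the assumption the slides call outdated.
PORT_TABLE: Dict[int, str] = {22: "ssh", 80: "web-browsing", 443: "ssl",
                              445: "smb", 3389: "ms-rdp"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_by_port(dst_port: int) -> str:
    return PORT_TABLE.get(dst_port, "unknown")


def classify_by_payload(data: bytes) -> str:
    """Identify the application from the first bytes the client sends,
    ignoring the port entirely. Each check is a real protocol fingerprint."""
    head = data[:16]
    # SSH: the client opens with an identification string ("SSH-2.0-...").
    if head.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS: record type 0x16 (handshake), version 0x03 0x0X, then a ClientHello (0x01).
    if len(head) >= 6 and head[0] == 0x16 and head[1] == 0x03 and head[5] == 0x01:
        return "ssl"
    # HTTP: request line "<METHOD> <target> HTTP/1.x".
    if data.startswith(HTTP_METHODS) and b" HTTP/1." in data[:256]:
        return "web-browsing"
    # RDP: TPKT header (0x03 0x00 len len) carrying an X.224 Connection Request (0xE0).
    if len(head) >= 6 and head[:2] == b"\x03\x00" and head[5] == 0xE0:
        return "ms-rdp"
    # SMB behind a NetBIOS session header: 4-byte length prefix, then 0xFF/0xFE "SMB".
    if head[4:8] in (b"\xffSMB", b"\xfeSMB"):
        return "smb"
    return "unknown"


class Verdict(NamedTuple):
    dst_port: int
    by_port: str
    by_payload: str

    @property
    def port_mismatch(self) -> bool:
        """True when the port lookup would have told policy the wrong story."""
        return self.by_payload != "unknown" and self.by_port != self.by_payload


def classify_flow(dst_port: int, first_bytes: bytes) -> Verdict:
    return Verdict(dst_port, classify_by_port(dst_port), classify_by_payload(first_bytes))


# Constructed sample flows: (destination port, first bytes sent by the client).
SAMPLE_FLOWS: List[Tuple[int, bytes]] = [
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 5),  # TLS on its usual port
    (443, b"SSH-2.0-OpenSSH_8.9\r\n"),                                   # SSH tunnelled over 443
    (8080, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # HTTP on a non-standard port
    (443, b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"),  # RDP on 443
    (445, b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00"),                  # SMB where expected
]


def port_evasions(flows: Sequence[Tuple[int, bytes]]) -> List[Verdict]:
    """Flows whose identified application differs from what the port implies:
    the traffic that port hopping hides from a port-based firewall."""
    return [v for v in (classify_flow(p, b) for p, b in flows) if v.port_mismatch]


if __name__ == "__main__":
    for v in port_evasions(SAMPLE_FLOWS):
        print(f"port {v.dst_port}: port table says {v.by_port!r}, payload says {v.by_payload!r}")
```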
Palo Alto Networks Next-Gen Firewalls
Model   | Firewall | Threat prevention | Sessions  | Interfaces
PA-4050 | 10 Gbps  | 5 Gbps            | 2,000,000 | 8 SFP, 16 copper gigabit
PA-4020 | 2 Gbps   | 2 Gbps            | 500,000   | 8 SFP, 16 copper gigabit
PA-4060 | 10 Gbps  | 5 Gbps            | 2,000,000 | 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-2050 | 1 Gbps   | 500 Mbps          | 250,000   | 4 SFP, 16 copper gigabit
PA-2020 | 500 Mbps | 200 Mbps          | 125,000   | 2 SFP, 12 copper gigabit
PA-500  | 250 Mbps | 100 Mbps          | 50,000    | 8 copper gigabit
PA-5050 | 10 Gbps  | 5 Gbps            | 2,000,000 | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020 | 5 Gbps   | 2 Gbps            | 1,000,000 | 8 SFP, 12 copper gigabit
PA-5060 | 20 Gbps  | 10 Gbps           | 4,000,000 | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
The innovative approach: extend security to all network traffic
Thank You
Zion Ezra, VP Sales
POC and AVR Report
AVR Report
UTM Is Still Sprawl… Just Slower
• Doesn’t solve the problem
• Firewall “helper” functions have a limited view of traffic
• Turning on functions kills performance
Traditional Multi-Pass Architectures are Slow
[Figure: four sequential inspection passes, each carrying its own port/protocol-based ID, L2/L3 networking, HA, config management and reporting: firewall policy; HTTP decoder with URL filtering policy; IPS decoder with IPS signatures and IPS policy; AV decoder & proxy with AV signatures and AV policy]
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines the trust boundary
• BUT… Applications Have Changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
• Need to Restore Visibility and Control in the Firewall
[Figure labels: Collaboration, Media, SaaS, Personal]
Exploit protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications
A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Needs to perform across all applications
• Needs to block the unknown
Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO: httpsca2demopaloaltonetworkscomesploginesp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach: extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN and more
Security Processors
• High-density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High-speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware-accelerated per-packet route lookup, MAC lookup and NAT
[Figure: hardware block diagram; labels recovered: Control Plane (quad-core CPU, RAM, dual HDD), Data Plane, Switch Fabric, Network Processor (QoS, flow control, route/ARP/MAC lookup, NAT), three security-processor blocks each with Signature Match, SSL/IPSec/De-Compress, CPU 1/CPU 2 and RAM; 20 Gbps and 10 Gbps paths]
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
the innovative approach
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
extend security to all network traffic extend security to all network traffic
Thank You Zion Ezra
VP Sales
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Figure: threats shown as malware, botnets, exploits]
Regain Visibility and Control, Save Money
• IT can’t manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identify applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
Thank You Zion Ezra
VP Sales
POC and AVR Report
AVR Report
UTM Is Still Sprawl…Just Slower
• Doesn’t solve the problem
• Firewall “helper” functions have a limited view of traffic
• Turning on functions kills performance
Traditional Multi-Pass Architectures are Slow
[Figure: four separate passes over the same traffic, each with its own Port/Protocol-based ID, L2/L3 networking, HA, config management and reporting: Firewall Policy; HTTP Decoder + URL Filtering Policy; IPS Decoder + IPS Signatures + IPS Policy; AV Decoder & Proxy + AV Signatures + AV Policy]
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines the trust boundary
• Need to Restore Visibility and Control in the Firewall
[Figure: application categories Collaboration, Media, SaaS, Personal]
• BUT…Applications Have Changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Exploit protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Needs to perform across all applications
• Needs to block the unknown
• Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO: httpsca2demopaloaltonetworkscomesploginesp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach
Extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High-density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High-speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware-accelerated per-packet route lookup, MAC lookup and NAT
[Figure: PA-5000 Series architecture. Control plane: quad-core CPU, RAM, dual HDD. Data plane: network processor (QoS, flow control, route/ARP/MAC lookup, NAT) feeding a switch fabric, which feeds three security processors, each with multi-core CPUs labelled CPU 1 to CPU 12, RAM, a signature match engine and SSL/IPSec/decompression engines; links labelled 20 Gbps and 10 Gbps]
NGFW for mobile devices
Source: Gartner (March 2010), as of March 2010
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today’s network security is based on outdated assumptions…
[Figure: applications vs. ports. RPC, SMS, SQL, SharePoint, SMB and NetBIOS shown against ports 135, 137, 139, 80 and 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security
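The "Ports ≠ Applications" point above, as an added example that is not Palo Alto Networks code: a miniature content-based classifier in the App-ID spirit identifies an application from the first bytes of a flow and compares that with what a port table would assume, then shows how a port allow-list and an application allow-list decide the same flows. Signatures are simplified from the public SMB2, TLS, HTTP and TDS formats, and every flow is constructed for the example.

```python
"""Content-based vs. port-based application identification (added example,
not Palo Alto Networks code). Protocol checks are simplified from the public
SMB2, TLS, HTTP and MS SQL TDS formats; all flows are constructed."""
from typing import List, NamedTuple

# What a port-based firewall assumes a destination port carries.
PORT_TABLE = {80: "web-browsing", 443: "ssl", 139: "smb", 445: "smb",
              135: "msrpc", 1433: "mssql"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def identify_by_port(dst_port: int) -> str:
    return PORT_TABLE.get(dst_port, "unknown")


def identify_by_content(payload: bytes) -> str:
    """Classify from payload bytes regardless of the port the flow uses."""
    # SMB over TCP: 4-byte NetBIOS session header, then "\xffSMB" (SMB1) or "\xfeSMB" (SMB2)
    if len(payload) >= 8 and payload[4:8] in (b"\xffSMB", b"\xfeSMB"):
        return "smb"
    # TLS: record type 0x16 (handshake), major version 3, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    # HTTP: request line "<METHOD> <target> HTTP/1.x"
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload.split(b"\r\n", 1)[0]:
        return "web-browsing"
    # MS SQL TDS pre-login packet: type 0x12, status 0x01 (end of message)
    if len(payload) >= 8 and payload[0] == 0x12 and payload[1] == 0x01:
        return "mssql"
    return "unknown"


class Flow(NamedTuple):
    name: str
    dst_port: int
    payload: bytes


def _nbss(smb: bytes) -> bytes:
    """Wrap an SMB message in a NetBIOS session service header (type 0, 3-byte length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def _tls_client_hello() -> bytes:
    """Minimal but well-formed TLS 1.2 ClientHello record with one cipher suite."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed flows: the same SMB2 bytes on the standard port and "hopped" to 443,
# TLS where expected, HTTP on a random high port, and TDS hidden on port 80.
SMB2_NEGOTIATE = _nbss(b"\xfeSMB" + bytes(60))
SAMPLE_FLOWS = [
    Flow("smb on 445", 445, SMB2_NEGOTIATE),
    Flow("smb hopped to 443", 443, SMB2_NEGOTIATE),
    Flow("tls on 443", 443, _tls_client_hello()),
    Flow("http on random high port", 51234, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow("sql on 80", 80, b"\x12\x01\x00\x2f\x00\x00\x01\x00" + bytes(39)),
]

PORT_ALLOWLIST = {80, 443}                 # classic "let web out" port rule
APP_ALLOWLIST = {"web-browsing", "ssl"}    # the same intent, expressed as applications


class Verdict(NamedTuple):
    name: str
    by_port: str
    by_content: str
    port_rule_allows: bool
    app_rule_allows: bool


def classify(flows: List[Flow]) -> List[Verdict]:
    out = []
    for f in flows:
        by_content = identify_by_content(f.payload)
        out.append(Verdict(f.name, identify_by_port(f.dst_port), by_content,
                           f.dst_port in PORT_ALLOWLIST, by_content in APP_ALLOWLIST))
    return out


def misclassified(verdicts: List[Verdict]) -> List[str]:
    """Flows where the port table and the payload disagree."""
    return [v.name for v in verdicts if v.by_port != v.by_content]


if __name__ == "__main__":
    for v in classify(SAMPLE_FLOWS):
        print(f"{v.name:26s} port says {v.by_port:13s} content says {v.by_content:13s} "
              f"port rule: {'allow' if v.port_rule_allows else 'deny':5s} "
              f"app rule: {'allow' if v.app_rule_allows else 'deny'}")
```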
Palo Alto Networks Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypted) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications

                         PA-5020        PA-5050        PA-5060
Firewall throughput      5 Gbps         10 Gbps        20 Gbps
Threat prevention        2 Gbps         5 Gbps         10 Gbps
IPSec VPN                2 Gbps         4 Gbps         4 Gbps
SSL VPN users            5,000          10,000         20,000
Sessions                 1,000,000      2,000,000      4,000,000
Virtual systems (VSYS)   up to 20       up to 125      up to 225
SFP+ (10 Gig) I/O        none           (4)            (4)
SFP (1 Gig) I/O          (8)            (8)            (8)
10/100/1000 I/O          (12)           (12)           (12)

• Hot-swappable fans, power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and “Recommended”)
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements, lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
Enterprise Network Security • Security Based on Best-Practices
• Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
copy 2008 Palo Alto Networks Proprietary and Confidential Page 60 |
POC and AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
copy 2008 Palo Alto Networks Proprietary and Confidential Page 61 |
AVR Report
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
copy 2008 Palo Alto Networks Proprietary and Confidential Page 62 |
AVR Report
Internet
UTM Is Still SprawlhellipJust Slower
bull Doesnrsquot solve the problem
bull Firewall ldquohelperrdquo functions have limited view of traffic
bull Turning on functions kills performance
copy 2009 Palo Alto Networks Proprietary and Confidential Page 63 |
copy 2009 Palo Alto Networks Proprietary and Confidential Page 64 |
Traditional Multi-Pass Architectures are Slow
PortProtocol-based ID
L2L3 Networking HA Config Management
Reporting
PortProtocol-based ID
HTTP Decoder
L2L3 Networking HA Config Management
Reporting
URL Filtering Policy
PortProtocol-based ID
IPS Signatures
L2L3 Networking HA Config Management
Reporting
IPS Policy
PortProtocol-based ID
AV Signatures
L2L3 Networking HA Config Management
Reporting
AV Policy
Firewall Policy IPS Decoder AV Decoder amp Proxy
copy 2008 Palo Alto Networks Proprietary and Confidential Page 65 |
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
[Figure: Windows applications (RPC, SMS, SQL, SharePoint, SMB, NetBIOS) spread across ports 80, 135, 137, 139 and 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security
Palo Alto Networks: Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scans inbound and outbound SSL (decrypted) and compressed traffic
- Assures only authorized applications are using network resources
- Allows SSH/RDP, but only for authorized staff
NGFW Networking: Power and Flexibility
PA-5000 Series Models and Specifications

                         PA-5020            PA-5050            PA-5060
Firewall throughput      5 Gbps             10 Gbps            20 Gbps
Threat prevention        2 Gbps             5 Gbps             10 Gbps
IPSec VPN                2 Gbps             4 Gbps             4 Gbps
SSL VPN users            5,000              10,000             20,000
Sessions                 1,000,000          2,000,000          4,000,000
Virtual systems (VSYS)   up to 20           up to 125          up to 225
10 Gig I/O               -                  (4) SFP+           (4) SFP+
1 Gig I/O                (8) SFP            (8) SFP            (8) SFP
10/100/1000 I/O          (12)               (12)               (12)

All models: hot-swappable fans and power supplies; dual solid-state drives; dedicated HA and management interfaces; 2U standard rack-mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into the deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
Enterprise network security
• Security based on best practices
• Full-featured NGFW and threat prevention
No network security
• Security based on best effort
• Exposed to threats (botnets), risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality; heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• A client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• An agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase; duplicates operational and management overhead
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- A small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
- The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Figure: off-network users otherwise face malware, botnets and exploits directly]
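The four "How it works" steps above, modelled as an added example that is not GlobalProtect's own code: the agent's on/off-network test, the host information profile (HIP) it submits, and a gateway rule base that matches on user group, application and HIP compliance before allowing traffic. The field names, the HIP criteria, the probe hostname and the sample endpoints are assumptions made for this example.

```python
"""
Added example (not GlobalProtect's own code): a toy model of the four
"How it works" steps, i.e. the agent's on/off-network test, the host
information profile (HIP) it submits, and a gateway rule base that matches on
user group, application and HIP compliance before allowing traffic.
Field names, HIP criteria, the probe hostname and the sample endpoints are
this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class HostInfo:
    """Host information profile reported by the agent (assumed fields)."""
    asset_type: str         # e.g. "corporate-laptop" or "byod"
    disk_encrypted: bool
    days_since_patch: int   # age of the newest installed OS patch
    av_running: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset[str]  # directory groups resolved by User-ID
    app: str                # application as identified by the firewall, e.g. "ssh"
    hip: HostInfo


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset[str]         # any of these applications
    groups: frozenset[str]       # any of these user groups
    asset_types: frozenset[str]  # any of these HIP asset types
    require_hip: bool            # match only when the HIP passes every check
    action: str                  # "allow" or "deny"


def is_on_enterprise_network(dns_answers: dict[str, str], probe_host: str, expected_ip: str) -> bool:
    """Agent-side location test (assumption: an internal-only hostname resolves
    to a known address only when inside).  dns_answers stands in for a resolver
    so the example runs offline."""
    return dns_answers.get(probe_host) == expected_ip


def hip_failures(h: HostInfo, max_patch_age_days: int = 30) -> list[str]:
    """Names of the HIP checks that fail; an empty list means compliant."""
    failures = []
    if not h.disk_encrypted:
        failures.append("disk-not-encrypted")
    if h.days_since_patch > max_patch_age_days:
        failures.append("patches-out-of-date")
    if not h.av_running:
        failures.append("av-not-running")
    return failures


# Constructed rule base: evaluated top to bottom, first match wins, default deny.
POLICY = [
    Rule("admins-ssh-rdp", frozenset({"ssh", "ms-rdp"}), frozenset({"netops"}),
         frozenset({"corporate-laptop"}), True, "allow"),
    Rule("all-users-web", frozenset({"web-browsing", "ssl"}), frozenset({"employees"}),
         frozenset({"corporate-laptop", "byod"}), True, "allow"),
]


def evaluate(req: Request, policy: list[Rule] = POLICY) -> tuple[str, str]:
    """Gateway-side decision: (action, matched rule name or the reason for the default deny)."""
    failures = hip_failures(req.hip)
    for rule in policy:
        if req.app not in rule.apps or not (req.groups & rule.groups):
            continue
        if req.hip.asset_type not in rule.asset_types:
            continue
        if rule.require_hip and failures:
            continue  # right user and app, but the host is not in a trusted state
        return rule.action, rule.name
    reason = "no-rule-matched"
    if failures:
        reason += " (" + ",".join(failures) + ")"
    return "deny", reason


# Constructed endpoints and requests.
COMPLIANT = HostInfo("corporate-laptop", True, 7, True)
UNENCRYPTED = HostInfo("corporate-laptop", False, 7, True)
BYOD = HostInfo("byod", True, 3, True)

SAMPLE_REQUESTS = {
    "netops-ssh-compliant": Request("alice", frozenset({"employees", "netops"}), "ssh", COMPLIANT),
    "netops-ssh-unencrypted": Request("alice", frozenset({"employees", "netops"}), "ssh", UNENCRYPTED),
    "employee-ssh": Request("bob", frozenset({"employees"}), "ssh", COMPLIANT),
    "byod-web": Request("carol", frozenset({"employees"}), "ssl", BYOD),
}

if __name__ == "__main__":
    probe = {"gp-probe.corp.example": "10.1.2.3"}  # what the internal resolver would answer
    print("on-network:", is_on_enterprise_network(probe, "gp-probe.corp.example", "10.1.2.3"))
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:24} -> {evaluate(req)}")
```

The point the model makes is that identity alone is not enough: the same administrator with the same application is allowed from an encrypted corporate laptop and falls through to the default deny from the same laptop with encryption switched off. The HIP check fails closed, so a gateway built this way should log the failing check names (as `evaluate` returns them) or users will only see an unexplained block.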
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risks for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identifies applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
UTM Is Still Sprawl… Just Slower
• Doesn't solve the problem
• Firewall "helper" functions have a limited view of traffic
• Turning on functions kills performance
Traditional Multi-Pass Architectures are Slow
[Figure: four devices chained in series, each repeating its own port/protocol-based ID, L2/L3 networking, HA, config management and reporting: the firewall policy; an HTTP decoder with URL filtering policy; an IPS decoder with IPS signatures and IPS policy; an AV decoder and proxy with AV signatures and AV policy]
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines the trust boundary
• Need to Restore Visibility and Control in the Firewall
• BUT… Applications Have Changed (collaboration, media, SaaS, personal)
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
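As an added illustration of the claim that ports ≠ applications (and of the "port hopping, tunneling and encryption" and "threats on non-standard ports" points in the slides above), here is a small Python model that is not part of the deck and is not Palo Alto Networks' App-ID. It classifies a handful of constructed client-to-server payloads first by destination port, the way a stateful-inspection firewall does, and then by the first bytes of the payload. The port table, the protocol heuristics and the sample flows are assumptions made for this example.

```python
"""
Added example (not code from the deck and not Palo Alto Networks' App-ID):
contrasts port-based classification, as a stateful-inspection firewall does it,
with identifying the application from the first bytes the client sends.
The port table, the protocol heuristics and the sample flows are this
example's own assumptions, and every payload below is constructed inline.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed default port table of a port-based firewall.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "ms-rdp"}


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first client-to-server bytes of the session


def classify_by_port(flow: Flow) -> str:
    """Verdict of a port-based firewall: the port *is* the application."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """Identify the application from protocol fingerprints in the payload,
    ignoring the destination port entirely."""
    p = flow.payload
    # SSH: the client opens with its protocol version string (RFC 4253).
    if p.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS: record type 0x16 (handshake), major version 0x03, handshake type 0x01 (ClientHello).
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "ssl"
    # RDP: TPKT header (0x03 0x00 + length) followed by an X.224 Connection Request (0xE0).
    if len(p) >= 6 and p[0] == 0x03 and p[1] == 0x00 and p[5] == 0xE0:
        return "ms-rdp"
    # HTTP: "<METHOD> <target> HTTP/1.x" request line.
    request_line = p.split(b"\r\n", 1)[0].split(b" ")
    if len(request_line) == 3 and request_line[0].isalpha() and request_line[2].startswith(b"HTTP/1."):
        return "web-browsing"
    return "unknown"


# Constructed sample flows: three of the five ride on a port that "belongs" to another application.
SAMPLE_FLOWS = {
    "ssh-on-443": Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),  # SSH tunneled out over the HTTPS port
    "rdp-on-80": Flow(80, b"\x03\x00\x00\x22\x1d\xe0\x00\x00\x00\x00\x00" + b"Cookie: mstshash=user\r\n"),
    "http-on-8080": Flow(8080, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "tls-on-443": Flow(443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),  # truncated ClientHello record
    "ssh-on-22": Flow(22, b"SSH-2.0-OpenSSH_8.9\r\n"),
}


def compare(flows: dict[str, Flow]) -> dict[str, tuple[str, str]]:
    """{flow name: (port-based verdict, payload-based verdict)}"""
    return {name: (classify_by_port(f), classify_by_payload(f)) for name, f in flows.items()}


def misclassified_by_port(flows: dict[str, Flow]) -> list[str]:
    """Flows the port-based firewall gets wrong, i.e. where the two verdicts disagree."""
    return [name for name, (by_port, by_payload) in compare(flows).items() if by_port != by_payload]


if __name__ == "__main__":
    for name, (by_port, by_payload) in compare(SAMPLE_FLOWS).items():
        print(f"{name:14} port-based={by_port:13} payload-based={by_payload}")
    print("port-based firewall misclassifies:", misclassified_by_port(SAMPLE_FLOWS))
```

Three of the five constructed flows come back with the wrong application under the port rule: SSH on 443 looks like "ssl", RDP on 80 looks like "web-browsing", and HTTP on 8080 is simply "unknown". A first-bytes fingerprint is only the starting point of real application identification: a client can forge a banner, and an encrypted session shows nothing past the ClientHello until the firewall decrypts it, which is why the slides pair App-ID with SSL decryption.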
Applications Have Changed ndash Firewalls Have Not
bull The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
bull Need to Restore Visibility and Control in the Firewall
Collaboration Media SaaS Personal
bull BUThellipApplications Have Changed
- Ports neApplications
- IP AddressesneUsers
- PacketsneContent
exploit protection
many months pass between black-hat discovery white hat discovery and protection being available
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption let applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risk for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identifies applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money
Exploit protection
• Many months pass between black-hat discovery, white-hat discovery and protection being available
• Need to protect all applications
• A sandbox at the core
• Needs user-based access control
• Needs high-speed IPS and AV
• Need to perform across all applications
• Need to block the unknown
• Conclusion: advanced-malware protection belongs in a next-generation firewall
DEMO: https://ca2demo.paloaltonetworks.com/esp/login.esp
INSANITY: doing the same thing over and over again and expecting different results
Block applications and users
The innovative approach: extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), viruses, spyware, credit card numbers, SSNs and more
Security Processors
• High-density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High-speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware-accelerated per-packet route lookup, MAC lookup and NAT
[Diagram: data plane block layout. Network Processor (20 Gbps in: QoS, flow control, route/ARP/MAC lookup, NAT) connected over the Switch Fabric (10 Gbps links) to three Security Processor blocks, each with Signature Match, SSL/IPSec/De-Compress offload, CPUs 1 to 12 and RAM; Control Plane with a quad-core CPU, RAM and dual HDDs]
NGFW for mobile devices
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security
[Diagram: applications versus ports: RPC, SMS, SQL, SharePoint, SMB and NetBIOS spread across Port 135, Port 137, Port 139, Port 80 and Port 443, plus random high ports]
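The "Ports ≠ Applications" point above, and the App-ID bullet on the "Regain Visibility and Control" slide, demonstrated on constructed flows as an added example; this is not Palo Alto Networks or App-ID code. The byte signatures cover only four protocols, and the port table, sample payloads and allowed-application set are assumptions:

```python
"""
Added example (not Palo Alto Networks App-ID code): contrasts port-based
classification with content-based application identification on a few
constructed flows, then applies an allow-list that treats "unknown" as deny.
Sample payloads, the port table and the allowed-app set are constructed.
"""
import re
from typing import Dict, Tuple

# Constructed sample flows: name -> (destination port, first client bytes).
SAMPLE_FLOWS: Dict[str, Tuple[int, bytes]] = {
    "ssh-on-443":     (443,  b"SSH-2.0-OpenSSH_8.9\r\n"),
    "http-on-8080":   (8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    "tls-on-443":     (443,  bytes.fromhex("160301005a010000560303") + b"\x00" * 32),
    "rdp-on-80":      (80,   bytes.fromhex("0300002b26e000000000")
                             + b"Cookie: mstshash=user1\r\n"),
    "unknown-on-443": (443,  b"\x7f\x13\x37custom-tunnel-hello"),
}

# The port-based view: a static well-known-port mapping (constructed subset).
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "ms-rdp"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def classify_by_port(port: int) -> str:
    """What a port-based firewall believes the application is."""
    return PORT_TABLE.get(port, "unknown")


def classify_by_content(payload: bytes) -> str:
    """Identify the application from the first bytes the client sends."""
    if payload.startswith(b"SSH-"):                         # SSH version exchange
        return "ssh"
    if HTTP_REQUEST.match(payload):                         # HTTP request line
        return "web-browsing"
    if (len(payload) >= 6 and payload[0] == 0x16            # TLS handshake record
            and payload[1] == 0x03 and payload[2] in (1, 2, 3)
            and payload[5] == 0x01):                        # ClientHello
        return "ssl"
    if (len(payload) >= 6 and payload[0] == 0x03            # TPKT header ...
            and payload[1] == 0x00 and payload[5] == 0xE0):  # X.224 Connection Request
        return "ms-rdp"
    return "unknown"


# Constructed policy for this zone: only web and SSL; anything unknown is denied.
ALLOWED_APPS = {"web-browsing", "ssl"}


def decide(flow_name: str) -> Tuple[str, str]:
    """Policy decision on the content-identified app, never on the port."""
    port, payload = SAMPLE_FLOWS[flow_name]
    app = classify_by_content(payload)
    return app, ("allow" if app in ALLOWED_APPS else "deny")


def compare_all() -> Dict[str, Tuple[str, str]]:
    """Side by side: (port-based label, content-based label) for every flow."""
    return {name: (classify_by_port(port), classify_by_content(payload))
            for name, (port, payload) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (by_port, by_content) in compare_all().items():
        print(f"{name:16} port-based={by_port:13} content-based={by_content:13} "
              f"decision={decide(name)[1]}")
```

Two of the constructed flows show the gap the slide describes: SSH on port 443 and RDP on port 80 both look like permitted web traffic to the port table but are identified and denied on content, and the flow no signature recognises is denied as "unknown" rather than inheriting the port's reputation.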
Palo Alto Networks Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypted) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications

Model    Firewall  Threat prevention  IPSec VPN  SSL VPN users  Sessions   Virtual systems (VSYS)  I/O
PA-5020  5 Gbps    2 Gbps             2 Gbps     5,000          1,000,000  up to 20                (8) SFP (1 Gig), (12) 10/100/1000
PA-5050  10 Gbps   5 Gbps             4 Gbps     10,000         2,000,000  up to 125               (4) SFP+ (10 Gig), (8) SFP (1 Gig), (12) 10/100/1000
PA-5060  20 Gbps   10 Gbps            4 Gbps     20,000         4,000,000  up to 225               (4) SFP+ (10 Gig), (8) SFP (1 Gig), (12) 10/100/1000

All models:
• Hot-swappable fans and power supplies
• Dual solid-state hard drives
• Dedicated HA and management interfaces
• 2U standard rack-mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into the deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today: Quality of Security Tied to Location
[Diagram: users inside the enterprise network versus users outside it, with botnets shown outside]
Enterprise Network Security
• Security based on best practices
• Full-featured NGFW and threat prevention
No Network Security
• Security based on best effort
• Exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality, heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols, weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
need to protect all applications
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
a sandbox at the core
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
needs user-based access control
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
needs high-speed IPS and AV
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC, SSN and more
Security Processors
• High-density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High-speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware-accelerated per-packet route lookup, MAC lookup and NAT
[Block diagram: control plane (quad-core CPU, RAM, dual HDD) and data plane with a 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT), switch fabric, signature match engines and SSL/IPSec/decompression security processors (CPU 1 to CPU 12 with RAM); 20 Gbps and 10 Gbps path labels]
NGFW for mobile devices
Source: Gartner, as of March 2010
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
[Figure: applications (RPC, SMS, SQL, SharePoint, SMB, NetBIOS) mapped to ports 135, 137, 139, 80 and 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security
Palo Alto Networks Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypted) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
Model    Firewall   Threat prevention   IPSec VPN   SSL VPN users   Sessions    VSYS        I/O
PA-5020  5 Gbps     2 Gbps              2 Gbps      5,000           1,000,000   Up to 20    (8) SFP (1 Gig), (12) 10/100/1000
PA-5050  10 Gbps    5 Gbps              4 Gbps      10,000          2,000,000   Up to 125   (4) SFP+ (10 Gig), (8) SFP (1 Gig), (12) 10/100/1000
PA-5060  20 Gbps    10 Gbps             4 Gbps      20,000          4,000,000   Up to 225   (4) SFP+ (10 Gig), (8) SFP (1 Gig), (12) 10/100/1000
• Hot-swappable fans and power supplies
• Dual solid state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today Quality of Security Tied to Location
Enterprise Network Security
• Security based on best practices
• Full-featured NGFW and threat prevention
No Network Security
• Security based on best effort
• Exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality; heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content fails to control modern apps and threats
• Expensive to purchase; duplicates operational and management overhead
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- A small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
- The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
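The gateway decision described in the steps above, and the port-hopping problem raised under "Regain Visibility and Control", as an added Python example that is not Palo Alto Networks code: a toy policy evaluator whose rules are keyed on application, user group and host information profile (HIP) instead of port. All rule names, group names, HIP attribute names and sample sessions are constructed for the illustration.

```python
# Added illustrative example (not Palo Alto Networks code): a toy policy
# evaluator contrasting a port-based rule set with one keyed on application,
# user group and host information profile (HIP). Names are constructed.
from dataclasses import dataclass, field


@dataclass
class Session:
    """One flow as the gateway sees it after classification (constructed)."""
    app: str            # application label assigned by traffic classification
    user: str           # user name mapped to the flow
    groups: frozenset   # directory groups the user belongs to
    dst_port: int       # TCP destination port the client chose
    hip: dict           # host information profile reported by the agent


@dataclass
class Rule:
    """A single policy rule; an empty match set means 'any'."""
    name: str
    action: str                                   # "allow" or "deny"
    apps: frozenset = frozenset()
    groups: frozenset = frozenset()
    ports: frozenset = frozenset()
    hip_required: dict = field(default_factory=dict)

    def matches(self, s: Session) -> bool:
        if self.apps and s.app not in self.apps:
            return False
        if self.groups and not (self.groups & s.groups):
            return False
        if self.ports and s.dst_port not in self.ports:
            return False
        # Every required HIP attribute must be present with the expected value.
        return all(s.hip.get(k) == v for k, v in self.hip_required.items())


def evaluate(rules, session):
    """First-match policy lookup; anything unmatched falls to default deny."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, rule.action
    return "default-deny", "deny"


# Legacy port-based policy: "443 is web, 22 is SSH", so the port decides.
LEGACY_RULES = [
    Rule("allow-https", "allow", ports=frozenset({443})),
    Rule("allow-http", "allow", ports=frozenset({80})),
    Rule("allow-ssh", "allow", ports=frozenset({22})),
]

# Application/user/HIP-based policy: SSH and RDP only for IT staff on
# patched, disk-encrypted hosts; web browsing for everyone; no port lists.
NGFW_RULES = [
    Rule("admin-remote-access", "allow",
         apps=frozenset({"ssh", "rdp"}),
         groups=frozenset({"it-admins"}),
         hip_required={"disk_encrypted": True, "patched": True}),
    Rule("web-for-all", "allow", apps=frozenset({"web-browsing", "ssl"})),
]

# Constructed sample sessions.
SSH_ON_443_FROM_SALES = Session(
    app="ssh", user="alice", groups=frozenset({"sales"}), dst_port=443,
    hip={"disk_encrypted": True, "patched": True})
SSH_FROM_UNPATCHED_ADMIN = Session(
    app="ssh", user="bob", groups=frozenset({"it-admins"}), dst_port=22,
    hip={"disk_encrypted": True, "patched": False})
SSH_FROM_HEALTHY_ADMIN = Session(
    app="ssh", user="bob", groups=frozenset({"it-admins"}), dst_port=22,
    hip={"disk_encrypted": True, "patched": True})


def compare(session):
    """Return (legacy_decision, ngfw_decision) for one session."""
    return evaluate(LEGACY_RULES, session), evaluate(NGFW_RULES, session)


if __name__ == "__main__":
    for label, s in [("ssh on 443 from sales", SSH_ON_443_FROM_SALES),
                     ("ssh from unpatched admin", SSH_FROM_UNPATCHED_ADMIN),
                     ("ssh from healthy admin", SSH_FROM_HEALTHY_ADMIN)]:
        legacy, ngfw = compare(s)
        print(f"{label}: legacy={legacy} ngfw={ngfw}")
```

The first session shows the port-hopping case: SSH carried on 443 slips through the port rule but fails the application rule; the second shows the HIP gate denying an otherwise authorized admin on an unpatched host.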
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
need to perform across all applications
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
need to block the unknown
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
conclusion advanced-malware protection belongs in a next generation firewall
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
DEMO httpsca2demopaloaltonetworkscomesploginesp
INSANITY doing the same thing over and
over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
|                        | PA-5020   | PA-5050   | PA-5060   |
|------------------------|-----------|-----------|-----------|
| Firewall throughput    | 5 Gbps    | 10 Gbps   | 20 Gbps   |
| Threat prevention      | 2 Gbps    | 5 Gbps    | 10 Gbps   |
| IPSec VPN              | 2 Gbps    | 4 Gbps    | 4 Gbps    |
| SSL VPN users          | 5,000     | 10,000    | 20,000    |
| Sessions               | 1,000,000 | 2,000,000 | 4,000,000 |
| Virtual systems (VSYS) | up to 20  | up to 125 | up to 225 |
| SFP+ (10 Gig) I/O      | -         | (4)       | (4)       |
| SFP (1 Gig) I/O        | (8)       | (8)       | (8)       |
| 10/100/1000 I/O        | (12)      | (12)      | (12)      |

Common to all models:
• Hot-swappable fans and power supplies
• Dual solid-state hard drives
• Dedicated HA and management interfaces
• 2U standard rack-mount form factor
NGFWs Eliminate Data Center Compromise
• Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and "Recommended")
- Security by policy, not hardwired into the deployment
• Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
• Simplify with Flexible Network Security Infrastructure
- With up to 20 Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler, easier deployments
- With reduced network security rack space requirements and lower TCO (power, HVAC, subscriptions, maintenance)
GlobalProtect
Today Quality of Security Tied to Location
[Figure: user inside the enterprise network vs. user outside, exposed to botnets]
Enterprise Network Security:
• Security based on best practices
• Full-featured NGFW and threat prevention
No Network Security:
• Security based on best effort
• Exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality; heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work, for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content; fails to control modern apps and threats
• Expensive to purchase; duplicates operational and management overhead
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- A small agent determines the network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
- The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
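As an added example of the enforcement step in the last bullet (constructed code written for this page, not GlobalProtect; the HIP fields, rule format, user names and groups are assumptions made for illustration), a small policy evaluator decides on user group, identified application and host information profile, and deliberately ignores where the session originated:

```python
"""Policy evaluation on user group, application and host information profile (HIP).
Added illustration for this page; not GlobalProtect code. Every field, rule and
name below is constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HostProfile:
    asset_type: str        # e.g. "managed-laptop" or "byod" (assumed labels)
    patch_age_days: int    # days since the last OS patch was applied
    disk_encrypted: bool
    av_running: bool


@dataclass(frozen=True)
class Session:
    user: str
    app: str        # application identified from the payload, not from the port
    location: str   # "on-network" or "off-network"; the rules never look at it
    hip: HostProfile


# Constructed directory: user -> groups (User-ID would read this from the enterprise directory).
DIRECTORY = {
    "alice": {"finance", "employees"},
    "bob": {"it-admins", "employees"},
    "carol": {"contractors"},
}


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    groups: frozenset = frozenset()          # empty = any group
    apps: frozenset = frozenset()            # empty = any application
    hip: dict = field(default_factory=dict)  # required host-posture checks


def hip_matches(hip: HostProfile, required: dict) -> bool:
    """Each required key is a posture check the endpoint must satisfy."""
    checks = {
        "disk_encrypted": lambda h, v: h.disk_encrypted == v,
        "av_running": lambda h, v: h.av_running == v,
        "max_patch_age_days": lambda h, v: h.patch_age_days <= v,
        "asset_type": lambda h, v: h.asset_type in v,
    }
    return all(checks[key](hip, value) for key, value in required.items())


def rule_matches(rule: Rule, session: Session) -> bool:
    groups = DIRECTORY.get(session.user, set())
    if rule.groups and not (rule.groups & groups):
        return False
    if rule.apps and session.app not in rule.apps:
        return False
    return hip_matches(session.hip, rule.hip)


# Constructed policy, evaluated top to bottom; the first match wins.
POLICY = [
    Rule("admin-remote-access", "allow",
         groups=frozenset({"it-admins"}), apps=frozenset({"ssh", "rdp"}),
         hip={"asset_type": {"managed-laptop"}, "disk_encrypted": True,
              "av_running": True, "max_patch_age_days": 30}),
    Rule("finance-db", "allow",
         groups=frozenset({"finance"}), apps=frozenset({"mssql"}),
         hip={"disk_encrypted": True, "av_running": True}),
    Rule("general-web", "allow",
         groups=frozenset({"employees", "contractors"}),
         apps=frozenset({"web-browsing", "ssl"}),
         hip={"av_running": True}),
]


def evaluate(session: Session):
    """Return (action, rule name); anything no rule allows is denied."""
    for rule in POLICY:
        if rule_matches(rule, session):
            return rule.action, rule.name
    return "deny", "default-deny"


MANAGED = HostProfile("managed-laptop", patch_age_days=5, disk_encrypted=True, av_running=True)
STALE = HostProfile("managed-laptop", patch_age_days=60, disk_encrypted=True, av_running=True)
BYOD = HostProfile("byod", patch_age_days=2, disk_encrypted=False, av_running=True)

if __name__ == "__main__":
    for s in (Session("bob", "rdp", "off-network", MANAGED),
              Session("bob", "rdp", "on-network", STALE),
              Session("alice", "mssql", "off-network", BYOD),
              Session("carol", "rdp", "on-network", MANAGED)):
        print(s.user, s.app, s.location, "->", evaluate(s))
```

The same session is decided the same way on or off the network; what changes the verdict is the group the user belongs to, the application actually identified and whether the endpoint's posture meets the rule, which is the point of carrying the host profile to the gateway.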
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Figure labels: malware, botnets, exploits]
Regain Visibility and Control Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption let applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risk for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identifies applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidating functionality into the firewall simplifies and saves money
INSANITY: doing the same thing over and over again and expecting different results
block applications and users
the innovative approach
extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
block applications and users
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
the innovative approach
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
extend security to all network traffic extend security to all network traffic
20 Gpbs Firewall 10 Gbps Threat Prevention
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work, Lower Security
• Inconsistent policy and protections outside vs. inside the network
• Lack of visibility into applications, users and content; fails to control modern apps and threats
• Expensive to purchase duplicates; operational and management overhead
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
- A small agent determines the network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
- The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram: threats shown as malware, botnets and exploits]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risk for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identifies applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidating functionality into the firewall simplifies and saves money
20 Gbps Firewall, 10 Gbps Threat Prevention
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN and more
Security Processors
• High-density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Control Plane
• Highly available management
• High-speed logging and route update
• Dual hard drives
Network Processor
• 20 Gbps front-end network processing
• Hardware-accelerated per-packet route lookup, MAC lookup and NAT
[Diagram: control plane (quad-core CPU, RAM, dual HDD) joined over the switch fabric to the data plane: a 20 Gbps network processor (QoS, flow control, route/ARP/MAC lookup, NAT), three multi-core security processors (signature match; SSL, IPSec and decompression) and 10 Gbps threat prevention]
NGFW for mobile devices
Source: Gartner (March 2010)
Data Center Network Security in Transition
• Ports ≠ Applications
• IP addresses ≠ Users
• Threats > Exploits
Need to Restore Application Visibility & Control in the Firewall
Today's network security is based on outdated assumptions…
[Diagram: applications such as RPC, SMS, SQL, SharePoint, SMB and NetBIOS spread across ports 80, 135, 137, 139 and 443, plus random high ports]
Applications employ dynamic, random and heavily-used ports, fundamentally breaking port-based network security
Palo Alto Networks Protection + Performance
• Strong threat prevention
- NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypted) and compressed traffic
- Assure that only authorized applications are using network resources
- Allow SSH/RDP, but only for authorized staff
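As an added example (not Palo Alto Networks code), the two points the deck makes above, ports ≠ applications and "allow SSH/RDP only for authorized staff", expressed in Python: a port-table classifier beside a content-based one, and a first-match policy that combines application, User-ID group and the GlobalProtect host information profile. The signatures, users, groups, rules and HIP values are constructed stand-ins, not real App-ID signatures or a real policy.

```python
"""Added example (not Palo Alto Networks code): why a port table misclassifies
traffic, and how an app-, user- and host-aware policy can be evaluated.
Every signature, user, group, rule and HIP value below is a constructed stand-in."""
from dataclasses import dataclass, field

# Constructed payload prefixes standing in for App-ID signatures (not real ones).
APP_SIGNATURES = {
    b"SSH-2.0": "ssh",          # SSH version banner
    b"\x03\x00\x00": "rdp",     # TPKT header that precedes RDP's X.224 request
    b"GET ": "web-browsing",    # plain HTTP request line
    b"\x16\x03": "ssl",         # TLS handshake record header
}

# Port table a stateful-inspection firewall would rely on.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "rdp"}

# Constructed User-ID mapping: user -> directory groups.
USER_GROUPS = {"alice": {"it-admins"}, "bob": {"sales"}}


@dataclass
class Flow:
    user: str          # identity supplied by User-ID
    dst_port: int
    payload: bytes     # first bytes of the client-to-server stream


@dataclass
class HostProfile:
    """GlobalProtect host information profile (HIP) submitted by the agent."""
    disk_encrypted: bool
    patched: bool
    asset_type: str    # "corporate" or "byod"


@dataclass
class Rule:
    name: str
    apps: set                 # App-ID names; {"any"} matches every app
    groups: set               # User-ID groups; {"any"} matches every user
    require_hip: dict = field(default_factory=dict)  # HIP attribute -> value
    action: str = "allow"


# Constructed policy: admin remote access only for IT staff on healthy corporate
# machines, web for everyone with disk encryption, explicit deny otherwise.
POLICY = [
    Rule("admin-remote-access", {"ssh", "rdp"}, {"it-admins"},
         {"disk_encrypted": True, "patched": True, "asset_type": "corporate"}),
    Rule("general-web", {"web-browsing", "ssl"}, {"any"}, {"disk_encrypted": True}),
    Rule("deny-all", {"any"}, {"any"}, {}, "deny"),
]


def classify_by_port(flow: Flow) -> str:
    """Legacy classification: the destination port decides the application."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_content(flow: Flow) -> str:
    """App-ID-style classification: the stream content decides, the port is ignored."""
    for prefix, app in APP_SIGNATURES.items():
        if flow.payload.startswith(prefix):
            return app
    return "unknown"


def evaluate(flow: Flow, hip: HostProfile) -> tuple:
    """First-match policy lookup on (application, user group, HIP attributes)."""
    app = classify_by_content(flow)
    groups = USER_GROUPS.get(flow.user, set())
    for rule in POLICY:
        if "any" not in rule.apps and app not in rule.apps:
            continue
        if "any" not in rule.groups and not (groups & rule.groups):
            continue
        if any(getattr(hip, attr) != want for attr, want in rule.require_hip.items()):
            continue
        return rule.name, rule.action
    return "implicit-deny", "deny"


if __name__ == "__main__":
    # SSH carried over TCP/443: the port table says "ssl", the content says "ssh".
    ssh_on_443 = Flow("alice", 443, b"SSH-2.0-OpenSSH_8.9\r\n")
    print(classify_by_port(ssh_on_443), classify_by_content(ssh_on_443))
    healthy = HostProfile(disk_encrypted=True, patched=True, asset_type="corporate")
    print(evaluate(ssh_on_443, healthy))                                # admin rule allows
    print(evaluate(ssh_on_443, HostProfile(False, True, "corporate")))  # HIP check fails
```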
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
                         PA-5020        PA-5050        PA-5060
Firewall throughput      5 Gbps         10 Gbps        20 Gbps
Threat prevention        2 Gbps         5 Gbps         10 Gbps
IPSec VPN                2 Gbps         4 Gbps         4 Gbps
SSL VPN users            5,000          10,000         20,000
Sessions                 1,000,000      2,000,000      4,000,000
Virtual systems (VSYS)   up to 20       up to 125      up to 225
SFP+ (10 Gig) I/O        none listed    (4)            (4)
SFP (1 Gig) I/O          (8)            (8)            (8)
10/100/1000 I/O          (12)           (12)           (12)
All models:
• Hot-swappable fans and power supplies
• Dual solid-state hard drives
• Dedicated HA and management interfaces
• 2U standard rack mount form factor
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
bull 80 Gbps switch fabric interconnect
bull 20 Gbps QoS engine
Signature Match HW Engine
bull Stream-based uniform sig match
bull Vulnerability exploits (IPS) virus spyware CC SSN and more
Security Processors
bull High density parallel processing for flexible security functionality
bull Hardware-acceleration for standardized complex functions (SSL IPSec decompression)
bull Highly available mgmt
bull High speed logging and route update
bull Dual hard drives
20Gbps
Network Processor
bull 20 Gbps front-end network processing
bull Hardware accelerated per-packet route lookup MAC lookup and NAT
10Gbps
Control Plane
Data Plane Switch Fabric
10Gbps
QoS
Flow control
Route ARP MAC lookup
NAT
Switch Fabric
Signature Match
Signature Match
SSL IPSec De-Compress
SSL IPSec De-Compress
SSL IPSec De-Compress
Quad-core CPU
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
CPU 12
CPU 1
CPU 2
RAM
RAM
HDD
HDD
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
RAM
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
NGFW for mobile devices
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
Source Gartner (March 2010) As of March 2010
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
copy 2011 Palo Alto Networks Proprietary and Confidential Page 87 |
Data Center Network Security in Transition
bull Ports ne Applications
bull IP addresses ne Users
bull Threats gt Exploits
Need to Restore Application Visibility amp Control in the Firewall
Todayrsquos network security is based on outdated
assumptionshellip Port 135
Port 137
RP
C
SM
S
SQ
L
Sh
are
Po
int
SM
B
Port 80
Port 139
Applications employ dynamic random and heavily-used ports - fundamentally breaking port-based network security
Port 443
Ne
tBIO
S
Plus random high ports
Palo Alto Networks Protection + Performance
copy 2011 Palo Alto Networks Proprietary and Confidential Page 88 |
bull Strong threat prevention
- NSS 934 block rate 100 resistance to evasion 115 of rated performance
- The only IPS that catches threats on non-standard ports
- Scan inbound and outbound SSL (decrypt) and compressed traffic
- Assure only authorized applications are using network resources
- Allow SSHRDP but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
GlobalProtect
Today: Quality of Security Tied to Location
[Diagram: botnets]
Enterprise Network Security
• Security based on best practices
• Full-featured NGFW and threat prevention
No Network Security
• Security based on best effort
• Exposed to threats, risky app usage and more
Existing Solutions Fall Short
Software on the PC
• Each security app performs a specific function
• Limited focus and functionality; heavy performance load on the PC
• Examples: antivirus, host firewall, USB port control, DLP, etc.
Cloud-Based Services
• Client forces web traffic to a cloud-based proxy for scanning and policy enforcement
• Supports a limited number of apps and protocols; weak threat prevention
• Examples: ScanSafe, Purewire, etc.
Traditional VPN
• Agent tunnels traffic back to the corporate gateway
• Same poor security, only slower
• Examples: AnyConnect, Juniper Pulse
Higher Costs, More Work for Lower Security
• Inconsistent policy and protections when outside vs. inside the network
• Lack of visibility into applications, users and content; fails to control modern apps and threats
• Expensive to purchase duplicates; operational and management overhead
Introducing GlobalProtect
• Users never go "off-network", regardless of location
• All firewalls work together to provide a "cloud" of network security
• How it works
  - A small agent determines the network location (on or off the enterprise network)
  - If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
  - The agent submits a host information profile (patch level, asset type, disk encryption and more) to the gateway
  - The gateway enforces security policy using App-ID, User-ID, Content-ID AND the host information profile
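Added example, not Palo Alto Networks code and not the GlobalProtect implementation: a small first-match policy evaluator in Python that combines User-ID groups, App-ID names and a host information profile the way the four steps above describe, with the agent's location flag deliberately left out of the decision so the same rulebase applies inside and outside the network. All class names, fields, rule names and sample data are constructed for illustration.

```python
"""Illustrative gateway policy evaluation in the style of the GlobalProtect
flow: User-ID + App-ID + host information profile (HIP) decide the action.
Constructed example; names, fields and sample rules are hypothetical."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class HostProfile:
    """What the agent reports to the gateway (constructed fields)."""
    asset_type: str        # e.g. "corporate-laptop" or "personal"
    patch_age_days: int    # days since the last OS patch was applied
    disk_encrypted: bool
    on_network: bool       # result of the agent's location check


@dataclass(frozen=True)
class HipObject:
    """A HIP match object: every configured condition must hold."""
    name: str
    max_patch_age_days: Optional[int] = None
    require_disk_encryption: bool = False
    asset_types: frozenset = frozenset()   # empty = any asset type

    def matches(self, h: HostProfile) -> bool:
        if self.max_patch_age_days is not None and h.patch_age_days > self.max_patch_age_days:
            return False
        if self.require_disk_encryption and not h.disk_encrypted:
            return False
        if self.asset_types and h.asset_type not in self.asset_types:
            return False
        return True


@dataclass(frozen=True)
class Rule:
    name: str
    users: frozenset            # User-ID groups; empty = any user
    apps: frozenset             # App-ID names; empty = any application
    hip: Optional[HipObject]    # None = no host posture requirement
    action: str                 # "allow" or "deny"


def evaluate(rules, user_groups: frozenset, app: str, host: HostProfile) -> Tuple[str, str]:
    """First-match evaluation with an implicit deny at the end.
    host.on_network is intentionally never consulted: the same policy
    applies whether the user is on the LAN or connected via SSL VPN."""
    for r in rules:
        if r.users and not (r.users & user_groups):
            continue
        if r.apps and app not in r.apps:
            continue
        if r.hip is not None and not r.hip.matches(host):
            continue
        return r.action, r.name
    return "deny", "implicit-deny"


# Constructed sample rulebase: sensitive apps require a compliant host,
# plain web browsing does not.
COMPLIANT = HipObject("compliant-corp-host", max_patch_age_days=30,
                      require_disk_encryption=True,
                      asset_types=frozenset({"corporate-laptop"}))

SAMPLE_RULES = (
    Rule("finance-apps", frozenset({"finance"}), frozenset({"sap"}), COMPLIANT, "allow"),
    Rule("it-admin-remote-access", frozenset({"it-admins"}),
         frozenset({"ssh", "ms-rdp"}), COMPLIANT, "allow"),
    Rule("web-browsing-all", frozenset(), frozenset({"web-browsing", "ssl"}), None, "allow"),
)

if __name__ == "__main__":
    laptop_off_net = HostProfile("corporate-laptop", 10, True, on_network=False)
    print(evaluate(SAMPLE_RULES, frozenset({"finance"}), "sap", laptop_off_net))
```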
A Modern Architecture for Enterprise Security
• Establishes a logical perimeter that is not bound to physical limitations
• Users receive the same depth and quality of protection both inside and out
• Security work is performed by purpose-built firewalls, not end-user laptops
• Unified visibility, compliance and reporting
[Diagram: malware, botnets, exploits]
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
  - Users do what they want
  - Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
  - Leads to increased risk for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
  - App-ID: identifies applications regardless of port, protocol or SSL encryption
  - User-ID: integrated with the enterprise directory
  - Content-ID: threats, URLs, data
  - High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
  - Flexible deployment options for seamless integration
  - Consolidation of functionality into the firewall simplifies and saves money
Palo Alto Networks: Protection + Performance
• Strong threat prevention
  - NSS: 93.4% block rate, 100% resistance to evasion, 115% of rated performance
  - The only IPS that catches threats on non-standard ports
  - Scans inbound and outbound SSL (decrypted) and compressed traffic
  - Assures that only authorized applications are using network resources
  - Allows SSH/RDP, but only for authorized staff
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
copy 2011 Palo Alto Networks Proprietary and Confidential Page 89 |
NGFW Networking Power and Flexibility
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
PA-5000 Series Models and Specifications
copy 2011 Palo Alto Networks Proprietary and Confidential Page 90 |
PA-5050 bull 10 Gbps FW
bull 5 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 10000 SSL VPN Users
bull 2000000 sessions
bull Up to 125 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5020 bull 5 Gbps FW
bull 2 Gbps threat prevention
bull 2 Gbps IPSec VPN
bull 5000 SSL VPN Users
bull 1000000 sessions
bull Up to 20 VSYS
bull (8) SFP (1 Gig) IO
bull (12) 101001000
PA-5060 bull 20 Gbps FW
bull 10 Gbps threat prevention
bull 4 Gbps IPSec VPN
bull 20000 SSL VPN Users
bull 4000000 sessions
bull Up to 225 VSYS
bull (4) SFP+ (10 Gig) IO
bull (8) SFP (1 Gig) IO
bull (12) 101001000
bull Hot swappable fans power supplies
bull Dual solid state hard drives
bull Dedicated HA and management interfaces
bull 2U standard rack mount form factor
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
NGFWs Eliminate Data Center Compromise
bull Prevent Threats
- Stop a wide range of threats on all allowed traffic
- Proven quality (NSS tested and ldquoRecommendedrdquo)
- Security by policy not hardwired into deployment
bull Comply and Compartmentalize
- Save time and cost to compliance with network segmentation
- Segment by user group and application
bull Simplify with Flexible Network Security Infrastructure
- With up to 20Gbps of firewall throughput and integrated high-performance threat prevention
- With simpler easier deployments
- With reduced network security rack space requirements lower TCO (power HVAC subscriptions maintenance)
copy 2011 Palo Alto Networks Proprietary and Confidential Page 91 |
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
copy 2011 Palo Alto Networks Proprietary and Confidential Page 92 | copy 2007 Palo Alto Networks Proprietary and Confidential Page 92 |
GlobalProtect
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
Today Quality of Security Tied to Location
copy 2011 Palo Alto Networks Proprietary and Confidential Page 93 |
botnets
Enterprise Network Security bull Security Based on Best-Practices
bull Full-Featured NGFW and Threat Prevention
No Network Security bull Security Based on Best-Effort
bull Exposed to threats risky app usage and more
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control Save Money
bull IT canrsquot manage risk with traditional security infrastructure
- Users do what they want
- Port hopping tunneling and encryption of applications get around port-based classification of statefull inspection based firewalls
- Leads to increased risks for the business
bull Palo Alto Networks defines next-generation firewall with unique identification technologies
- App-ID identify applications regardless of port protocol or SSL encryption
- User-ID integrated with enterprise directory
- Content-ID threats URLs data
- High performance architecture high throughput low latency
bull Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into firewall simplifies and saves money
Existing Solutions Fall Short
Software on the PC
bull Each security app perform a specific function
bull Limited focus and functionality heavy performance load on PC
bull Examples antivirus host firewall USB port control DLP etc
copy 2011 Palo Alto Networks Proprietary and Confidential Page 94 |
Cloud-Based Services
bull Client forces web traffic to cloud-based proxy for scanning and policy enforcement
bull Supports limited number of apps and protocols weak threat prevention
bull Examples ScanSafe Purewire etc
Traditional VPN
bull Agent tunnels traffic back to corporate gateway
bull Same poor security only slower
bull Examples AnyConnect Juniper Pulse
Higher Costs More Work for Lower Security
bull Inconsistent policy and protections when outside vs inside the network
bull Lack of visibility into applications users and content fails to control modern apps and threats
bull Expensive to purchase duplicates operational and management overhead
Introducing GlobalProtect
bull Users never go ldquooff-networkrdquo regardless of location
bull All firewalls work together to provide ldquocloudrdquo of network security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 95 |
bull How it works
- Small agent determines network location (on or off the enterprise network)
- If off-network the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level asset type disk encryption and more) to the gateway
- Gateway enforces security policy using App-ID User-ID Content-ID AND host information profile
A Modern Architecture for Enterprise Security
copy 2011 Palo Alto Networks Proprietary and Confidential Page 96 |
bull Establishes a logical perimeter that is not bound to physical limitations
bull Users receive the same depth and quality of protection both inside and out
bull Security work performed by purpose-built firewalls not end-user laptops
bull Unified visibility compliance and reporting
malware
botnets
exploits
copy 2007 Palo Alto Networks Proprietary and Confidential Page 112 | copy 2008 Palo Alto Networks Proprietary and Confidential Page 112 |
Regain Visibility and Control, Save Money
• IT can't manage risk with traditional security infrastructure
- Users do what they want
- Port hopping, tunneling and encryption of applications get around the port-based classification of stateful-inspection firewalls
- Leads to increased risk for the business
• Palo Alto Networks defines the next-generation firewall with unique identification technologies
- App-ID: identifies applications regardless of port, protocol or SSL encryption
- User-ID: integrated with the enterprise directory
- Content-ID: threats, URLs, data
- High-performance architecture: high throughput, low latency
• Easy enterprise integration and consolidation saves money
- Flexible deployment options for seamless integration
- Consolidation of functionality into the firewall simplifies and saves money