the changed enterprise has arrived . . .
. . . and you need to get control of it!
What is going on in the area of security and firewalls?
Marcel Derksen, System Engineer, Northern Europe
May 08, 2015
Our enterprise is changing
1. Driven by new generation of Internet-centric users
2. Giant social system - traditional boundaries have been eliminated
3. Built around communication, sharing, collaboration, group knowledge
4. Full, unrestricted access to everything on the Internet is a right
5. IT and business need to determine risk tolerance of Social Enterprise
[Diagram: Rewards vs. Risks of the Internet Enterprise, spanning Work Life and Home Life]
Enterprise applications take many forms
What’s running on YOUR network?
[Chart: Most Common Social Enterprise Applications. Applications shown: YouTube, Gmail, Sharepoint, Google Docs, WebEx, Gtalk; prevalence values on the chart range from 48% to 94%.]
what we recently found on enterprise networks
• 484 total unique applications running on 60 large enterprises
• Application Usage and Risk Report
business benefits of enterprise applications
- Twitter – instant alerts on corporate news or information
- Blogs – instant perspective and analysis on relevant issues
- IM – instant communication with remote employees
- Webex – instant meetings with customers in another city
- Salesforce – instant update to sales data from any location
- YouTube – instant distribution of product training videos
- SharePoint – instant collaboration on complex projects
• Better communication, collaboration, information exchange
• Increased efficiency, lower cost, higher productivity for all
internal risks of enterprise applications
• Data loss
- Unauthorized employee file transfer, data sharing
• Non-compliance
- Using unapproved applications – IM, web mail in financial services
• Operational cost overruns
- Excessive bandwidth consumption, desktop cleanup
• Employee productivity loss
- Uncontrolled, excessive use of personal applications
• Business continuity
- Malware or application vulnerability induced downtime
but employees are unconcerned about risks
• 64% - understand some apps can result in data leakage
• 33% - experienced security issues when using an app
• 45% - did nothing when confronted with a security breach
• 61% - feel more productive using internet apps
• The inmates are running the asylum
- 59% - admit these apps are completely uncontrolled
• IT is losing control of applications, users, content
- 48% - don’t know what apps are used by employees
the underlying cause of the security problem
• Firewalls should see and control applications, users, and threats . . .
• . . . but they only show you ports, protocols, and IP addresses – all meaningless!
Current workarounds
• Don’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
© 2009 Palo Alto Networks. Proprietary and Confidential. Page 11
How to Make the Firewall Useful Again
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Identify and prevent potential threats associated with all high risk applications
4. Granular policy-based control over applications, users, functionality
5. Multi-gigabit, in-line deployment with no performance degradation
enough! it’s time to fix the firewall!
End of part 1
Marcel Derksen, System Engineer, Northern Europe
Palo Alto Next Generation Firewalls
Marcel Derksen, System Engineer, Northern Europe
About Palo Alto Networks
• Founded in 2005 by security visionary Nir Zuk
• World class team with strong security and networking experience
• Innovations: App-ID, User-ID, Content-ID
• Builds next-generation firewalls that identify and control more than 900 applications; makes firewall strategic again
• Global footprint: presence in 50+ countries, 24/7 support
Unique Technologies Transform the Firewall
App-ID – Identify the application
User-ID – Identify the user
Content-ID – Scan the content
Purpose-Built Architecture: PA-4000 Series
Content Scanning HW Engine
• Palo Alto Networks’ uniform signatures
• Multiple memory banks – memory bandwidth scales performance
Multi-Core Security Processor
• High density processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
Dedicated Control Plane
• Highly available mgmt
• High speed logging and route updates
10 Gig Network Processor
• Front-end network processing offloads security processors
• Hardware accelerated QoS, route lookup, MAC lookup and NAT
[Block diagram: Control Plane (dual-core CPU, RAM, HDD) and Data Plane (10Gbps in and out; Content Scanning Engine with RAM banks; CPU1, CPU2 . . CPU16 with SSL, IPSec and decompression offload; network processor with QoS, route/ARP/MAC lookup and NAT)]
Enables Executive Visibility
Palo Alto Networks-OS Features
Visibility and control of applications, users and content are complemented by core firewall features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode – connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping
- Max/guaranteed and priority
- By user, app, interface, zone, and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active / passive
- Configuration and session synchronization
- Path, link, and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Product family: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
Flexible Deployment Options
Visibility
• Application, user and content visibility without inline deployment
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
you decide how much control is needed
• Unprecedented level of application control
- Decrypt where appropriate
- Deny – even unknown applications
- Allow
- Allow but scan
- Allow certain users
- Allow certain functions
- Shape (QoS)
- …and various combinations of the above
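The control options listed above (deny unknown, allow, allow but scan, allow certain users or functions, shape, decrypt) describe a policy keyed on application and user rather than on port. The following is an added example, not code from the presentation or from Palo Alto Networks and not PAN-OS syntax: a small first-match policy evaluator that applies those options to constructed sessions, and a port-based rule beside it to show why "everything on 443 is web" gives a meaningless verdict. Application names, group names, rule names and sample flows are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    """One session after application identification. All values constructed."""
    user: str
    group: str       # directory group of the user (a User-ID style lookup result)
    app: str         # identified application, "unknown" when nothing matched
    function: str    # sub-feature within the app, e.g. "chat" or "file-transfer"
    port: int        # destination port, kept only to contrast with port rules

@dataclass(frozen=True)
class Rule:
    """First-match policy rule keyed on application, user group and function."""
    name: str
    action: str                             # "deny", "allow", "allow-scan", "shape"
    apps: Optional[frozenset] = None        # None matches any application
    groups: Optional[frozenset] = None      # None matches any user group
    functions: Optional[frozenset] = None   # None matches any sub-function
    decrypt: bool = False                   # decrypt SSL before scanning content
    qos_kbps: Optional[int] = None          # bandwidth cap applied by "shape"

    def matches(self, flow: Flow) -> bool:
        return ((self.apps is None or flow.app in self.apps)
                and (self.groups is None or flow.group in self.groups)
                and (self.functions is None or flow.function in self.functions))

def port_based_decision(flow: Flow) -> str:
    """Legacy rule: anything on 80/443 is 'web', so it is allowed."""
    return "allow" if flow.port in (80, 443) else "deny"

# Constructed application-aware rulebase, evaluated top-down; first match wins
# and anything that matches no rule (including unidentified traffic) is denied.
POLICY = (
    Rule("deny-unknown", "deny", apps=frozenset({"unknown"})),
    Rule("deny-p2p", "deny", apps=frozenset({"bittorrent"})),
    Rule("webmail-scan", "allow-scan", apps=frozenset({"gmail"}), decrypt=True),
    Rule("im-chat-only", "allow", apps=frozenset({"gtalk"}),
         functions=frozenset({"chat"})),
    Rule("im-files-finance", "allow-scan", apps=frozenset({"gtalk"}),
         functions=frozenset({"file-transfer"}), groups=frozenset({"finance"}),
         decrypt=True),
    Rule("video-shaped", "shape", apps=frozenset({"youtube"}), qos_kbps=512),
    Rule("collab", "allow-scan", apps=frozenset({"sharepoint", "webex"})),
)

def app_based_decision(flow: Flow, policy=POLICY) -> dict:
    """Return the first matching rule's verdict, or the implicit deny."""
    for rule in policy:
        if rule.matches(flow):
            return {"rule": rule.name, "action": rule.action,
                    "decrypt": rule.decrypt, "qos_kbps": rule.qos_kbps}
    return {"rule": "implicit-deny", "action": "deny",
            "decrypt": False, "qos_kbps": None}

# Constructed sample sessions: identical ports, very different applications.
SAMPLE_FLOWS = (
    Flow("alice", "sales", "gmail", "mail", 443),
    Flow("bob", "sales", "bittorrent", "download", 443),     # P2P on 443
    Flow("carol", "sales", "gtalk", "file-transfer", 443),   # not in finance
    Flow("dave", "finance", "gtalk", "file-transfer", 443),
    Flow("erin", "sales", "unknown", "unknown", 80),         # unidentified
    Flow("frank", "sales", "youtube", "video", 443),
)

def compare(flows=SAMPLE_FLOWS) -> list:
    """Side-by-side verdicts: (user, app, port-based, app-based, rule name)."""
    rows = []
    for f in flows:
        verdict = app_based_decision(f)
        rows.append((f.user, f.app, port_based_decision(f),
                     verdict["action"], verdict["rule"]))
    return rows

if __name__ == "__main__":
    for row in compare():
        print("%-6s %-11s port-rule=%-5s app-rule=%-10s (%s)" % row)
```

Every sample session is allowed by the port rule, while the application rulebase denies the P2P and unidentified sessions, scans and decrypts webmail, lets only the finance group transfer files over IM, and caps video. Rule order matters: the deny rules sit above the allow rules so that a broad allow never shadows them.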
Leading Organizations Trust Palo Alto Networks
[Customer logos by industry: Financial Services; Government; Media / Entertainment / Retail; Service Providers / Services; Education; Mfg / High Tech / Energy; Healthcare]
thank you! enough talking, show us