Palo Alto Networks Soc Ent Okt2009

the changed enterprise has arrived . . .

. . . and you need to get control of it!

Wat is er aan de hand op het gebied van

security en firewalls?

Marcel DerksenSystem Engineer, Noord Europa

Our enterprise is changing

1. Driven by new generation of Internet-centric users

2. Giant social system - traditional boundaries have been eliminated

3. Built around communication, sharing, collaboration, group knowledge

4. Full, unrestricted access to everything on the Internet is a right

5. IT and business need to determine risk tolerance of Social Enterprise

RewardsRisks

Internet Enterprise

Work Life

Home Life

Enterprise applications take many forms

What’s running on

YOUR

network?

48%

60%

83%

83%

87%

92%

94%

94%

00% 25% 50% 75% 100%

FaceBook

YouTube

Gmail

Sharepoint

Google Docs

Twitter

WebEx

Gtalk

Most Common Social Enterprise Applications

what we recently found on enterprise networks

•484 total unique applications running on 60 large enterprises

•Application usage and Risk Report

business benefits of enterprise applications

- Twitter – instant alerts on corporate news or information- Blogs – instant perspective and analysis on relevant issues- IM – instant communication with remote employees- Webex – instant meetings with customers in another city- Salesforce – instant update to sales data from any location- YouTube – instant distribution of product training videos- SharePoint – instant collaboration on complex projects

• Better communication, collaboration, information exchange• Increased efficiency, lower cost, higher productivity for all

• Data loss- Unauthorized employee file transfer, data sharing

• Non-compliance- Using unapproved applications – IM, web mail in

financial services

• Operational cost overruns- Excessive bandwidth consumption, desktop cleanup

• Employee productivity loss

- Uncontrolled, excessive use of personal applications

• Business continuity- Malware or application vulnerability induced downtime

internal risks of enterprise applications

but employees are unconcerned about risks

• 64% - understand some apps can result in data leakage

• 33% - experienced security issues when using an app

• 45% - did nothing when confronted with a security breach

• 61% - feel more productive using internet apps

• The inmates are running the asylum

- 59% - admit these apps are completely uncontrolled

• IT is losing control of applications, users, content

- 48% - don’t know what apps are used by employees

the underlying cause of the security problem

• Firewalls should see and

control applications,

users, and threats . . .

• . . . but they only show you

ports, protocols, and IP

addresses –all meaningless!

Internet

The current solving

• Doesn’t solve the problem

• Firewall “helpers” have limited view of traffic

• Complex and costly to buy and maintain

© 2009 Palo Alto Networks. Proprietary and Confidential.Page 11 |

How to Make the Firewall Useful Again

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify users regardless of IP address

3. Identify and prevent potential threats associated with all high risk applications

4. Granular policy-based control over applications, users, functionality

5. Multi-gigabit, in-line deployment with no performance degradation

enough! it’s time to fix the firewall!

Einde deel 1

Marcel DerksenSystem Engineer, Noord Europa

Palo Alto Next Generation Firewalls

Marcel DerksenSystem Engineer, Noord Europa

How to Make the Firewall Useful Again

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify users regardless of IP address

3. Identify and prevent potential threats associated with all high risk applications

4. Granular policy-based control over applications, users, functionality

5. Multi-gigabit, in-line deployment with no performance degradation

enough! it’s time to fix the firewall!

© 2009 Palo Alto Networks. Proprietary and Confidential.Page 16 |

About Palo Alto Networks

• Founded in 2005 by security visionary Nir Zuk

• World class team with strong security and networking experience

• Innovations: App-ID, User-ID, Content-ID

• Builds next-generation firewalls that identify and control more than 900 applications; makes firewall strategic again

• Global footprint: presence in 50+ countries, 24/7 support

© 2009 Palo Alto Networks. Proprietary and Confidential.Page 17 |

Unique Technologies Transform the Firewall

App-IDIdentify the application

User-IDIdentify the user

Content-IDScan the content

© 2009 Palo Alto Networks. Proprietary and Confidential.Page 18 |

Purpose-Built Architecture: PA-4000 Series

Content Scanning HW Engine• Palo Alto Networks’ uniform signatures• Multiple memory banks – memory

bandwidth scales performance

Multi-Core Security Processor• High density processing for flexible

security functionality• Hardware-acceleration for standardized

complex functions (SSL, IPSec, decompression)

Dedicated Control Plane• Highly available mgmt• High speed logging and

route updates

10Gbps

Content ScanningEngine

RAM

RAM

RAM

RAM

Dual-coreCPU

RAM

RAM

HDD

10 Gig Network Processor• Front-end network processing offloads

security processors• Hardware accelerated QoS, route lookup,

MAC lookup and NAT

CPU16

. .

SSL IPSecDe-

Compression

CPU1

CPU2

10Gbps

Control Plane Data Plane

RAM

RAMCPU

3

QoS

Route, ARP, MAC

lookup

NAT

© 2009 Palo Alto Networks. Proprietary and Confidential.Page 19 | © 2008 Palo Alto Networks. Proprietary and Confidential.Page 19 | © 2008 Palo Alto Networks. Proprietary and Confidential.Page 19 |

Enables Executive Visibility

© 2009 Palo Alto Networks. Proprietary and Confidential.Page 20 |

Palo Alto Networks-OS Features

• Strong networking foundation- Dynamic routing (OSPF,

RIPv2)- Site-to-site IPSec VPN - SSL VPN for remote access- Tap mode – connect to SPAN

port- Virtual wire (“Layer 1”) for true

transparent in-line deployment- L2/L3 switching foundation

• QoS traffic shaping- Max/guaranteed and priority - By user, app, interface, zone,

and more

• Zone-based architecture- All interfaces assigned to security

zones for policy enforcement

• High Availability- Active / passive - Configuration and session

synchronization- Path, link, and HA monitoring

• Virtual Systems- Establish multiple virtual firewalls

in a single device (PA-4000 Series only)

• Simple, flexible management- CLI, Web, Panorama, SNMP,

Syslog

Visibility and control of applications, users and content are complemented by core firewall features

PA-500

PA-2020

PA-2050

PA-4020

PA-4050

PA-4060

© 2009 Palo Alto Networks. Proprietary and Confidential.Page 21 |

Flexible Deployment OptionsVisibility Transparent In-Line Firewall Replacement

• Application, user and content visibility without inline deployment

• IPS with app visibility & control• Consolidation of IPS & URL

filtering

• Firewall replacement with app visibility & control

• Firewall + IPS• Firewall + IPS + URL filtering

you decide how much control is needed

• Unprecedented level of application control- Decrypt where appropriate

- Deny – even unknown applications

- Allow

- Allow but scan

- Allow certain users

- Allow certain functions

- Shape (QoS)

- …and various combinations of the above

© 2009 Palo Alto Networks. Proprietary and ConfidentialPage 24 |

Leading Organizations Trust Palo Alto NetworksFinancial Services Government

Media / Entertainment / Retail

Service Providers / Services

© 2009 Palo Alto Networks. Proprietary and ConfidentialPage 25 |

Leading Organizations Trust Palo Alto NetworksEducationMfg / High Tech / Energy

Healthcare

Industry

thank you!enough talking, show us