
Palo Alto Networks and Next Generation Firewall technology

Jan 19, 2015

Mundo Contact

Carlos Alberto Pérez, SE Manager for Latin America at Palo Alto Networks
Transcript
Page 1: Palo Alto Networks and Next Generation Firewall technology

the network security company™

Palo Alto Networks Overview
Carlos Alberto Pérez, Systems Engineer Manager LATAM
[email protected]

Page 2

Palo Alto Networks at a Glance

Corporate highlights

Founded in 2005; first customer shipment in 2007

Safely enabling applications

Able to address all network security needs

Exceptional ability to support global customers

Experienced technology and management team

1,000+ employees globally

[Chart: Enterprise customers: 1,800 (Jul-10), 4,700 (Jul-11), 11,000 (Feb-13). Revenue in $MM, FYE July: FY09 $13, FY10 $49, FY11 $119, FY12 $255.]

2 | ©2013, Palo Alto Networks. Confidential and Proprietary.

Page 3

Applications Have Changed, Firewalls Haven't

• Network security policy is enforced at the firewall
  • Sees all traffic
  • Defines the boundary
  • Enables access
• Traditional port-based firewalls no longer do this job, because applications no longer map to fixed ports

Page 4

The Right Answer: Make the Firewall Do Its Job

New Requirements for the Firewall

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify users regardless of IP address

3. Protect in real-time against threats embedded across applications

4. Fine-grained visibility and policy control over application access / functionality

5. Multi-gigabit, in-line deployment with no performance degradation

Page 5

Enabling Applications, Users and Content

Page 6

Single-Pass Parallel Processing™ (SP3) Architecture

Single Pass
• Operations performed once per packet:
  - Traffic classification (application identification)
  - User/group mapping
  - Content scanning: threats, URLs, confidential data
• One policy

Parallel Processing
• Function-specific parallel processing hardware engines
• Separate data/control planes
• Up to 20 Gbps, low latency

Page 7

Application Control Belongs in the Firewall

Application Control as an Add-on (firewall first, then IPS)
• Port-based policy decision first, application-control policy decision second
• Applications treated as threats; only what you expressly look for gets blocked
• Ramifications: two policies and two log databases with no reconciliation; unknowns cannot be managed effectively

Application Control in the Firewall
• The firewall determines application identity across all ports, for all traffic, all the time
• Application-control policy decision first, then the application is scanned for threats
• All policy decisions are made based on application
• Ramifications: a single policy and log database in which all context is shared; policy decisions are made on that shared context; unknowns are systematically managed

7 | ©2012, Palo Alto Networks. Confidential and Proprietary.
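The contrast this slide draws, a port-based decision first versus an application-based decision made once with user and content context, is easier to see in code. The following is an added example written for this page; it is not Palo Alto Networks code and does not reproduce any App-ID internals. The payload signatures, user groups, rule names and the four flows are all constructed for the illustration.

```python
"""Toy application-aware policy engine (added example, not vendor code).

Contrasts a port-based classification with identification from the first
client bytes of a session, then evaluates one policy written in terms of
user group and application rather than port. Signatures, groups, rule
names and flows are constructed for the illustration.
"""
import re
from dataclasses import dataclass

# Constructed payload signatures standing in for a real application
# identification engine, which decodes protocols rather than matching
# a handful of regular expressions.
SIGNATURES = (
    ("ssh", re.compile(rb"\ASSH-2\.0-")),
    ("ssl", re.compile(rb"\A\x16\x03[\x00-\x03]")),  # TLS record: handshake, version 3.x
    ("web-browsing", re.compile(rb"\A(?:GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
)

# What a port-based firewall assumes from the destination port alone.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl"}


@dataclass(frozen=True)
class Flow:
    user: str       # resolved from a user-to-IP mapping, not from the address
    group: str
    dst_port: int
    payload: bytes  # first bytes sent by the client


def classify_by_port(flow: Flow) -> str:
    """Legacy decision: the port is taken to be the application."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def identify_app(flow: Flow) -> str:
    """Application-based decision: look at the traffic, ignore the port."""
    for app, pattern in SIGNATURES:
        if pattern.match(flow.payload):
            return app
    return "unknown-tcp"  # named explicitly so policy can act on it


# One policy, one log. Rules match on group and application, never port;
# first match wins and the last rule denies whatever nothing else matched.
POLICY = (
    {"name": "admins-ssh",   "groups": {"it-admins"}, "apps": {"ssh"},                 "action": "allow", "scan": True},
    {"name": "users-web",    "groups": {"any"},       "apps": {"web-browsing", "ssl"}, "action": "allow", "scan": True},
    {"name": "log-unknown",  "groups": {"any"},       "apps": {"unknown-tcp"},         "action": "deny",  "scan": False},
    {"name": "default-deny", "groups": {"any"},       "apps": {"any"},                 "action": "deny",  "scan": False},
)


def match_rule(group: str, app: str) -> dict:
    for rule in POLICY:
        if ("any" in rule["groups"] or group in rule["groups"]) and (
            "any" in rule["apps"] or app in rule["apps"]
        ):
            return rule
    raise RuntimeError("policy has no catch-all rule")


def decide(flow: Flow) -> dict:
    """Single-pass style decision: application, user and content action in one record."""
    app = identify_app(flow)
    rule = match_rule(flow.group, app)
    return {
        "user": flow.user,
        "port_guess": classify_by_port(flow),
        "app": app,
        "rule": rule["name"],
        "action": rule["action"],
        "scan": rule["scan"],
    }


# Constructed sessions (first client bytes only).
FLOWS = {
    # SSH tunnelled over 443 so that a port-based device sees "HTTPS"
    "ssh_over_443": Flow("bob", "finance", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    # Ordinary web traffic on a non-standard port
    "http_on_8080": Flow("alice", "finance", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    # A real TLS ClientHello on 443
    "tls_on_443": Flow("alice", "finance", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    # Something custom hiding on port 80
    "custom_on_80": Flow("bob", "finance", 80, b"\x00\x00\x00\x0cMYPROTO\x01"),
}


if __name__ == "__main__":
    for name, flow in FLOWS.items():
        d = decide(flow)
        print(f"{name:13} port says {d['port_guess']:13} app says {d['app']:13} "
              f"-> {d['rule']} ({d['action']}, scan={d['scan']})")
```

Run it and the two approaches disagree on three of the four flows: the port-based guess lets the SSH-over-443 session through as "ssl", calls the intranet web server on 8080 "unknown", and treats the custom protocol on port 80 as web browsing, while the application-based path denies the tunnel (bob is not in it-admins), allows the web session, and sends the custom protocol to an explicit unknown-tcp rule where it is logged and denied rather than silently passed. That last rule is what "unknowns systematically managed" means in practice.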

Page 8

NGFW in The Enterprise Network

Perimeter
• App visibility and control in the firewall: all apps, all ports, all the time
• Prevent threats: known threats and unknown/targeted malware
• Simplify security infrastructure

Data Center
• Network segmentation based on application and user, not port/IP
• Simple, flexible network security: integration into all DC designs
• Highly available, high performance
• Prevent threats

Distributed Enterprise
• Consistent network security everywhere: HQ, branch offices, remote and mobile users
• Logical perimeter: policy follows applications and users, not physical location
• Centrally managed

Page 9

Flexible Deployment Options

Visibility
• Application, user and content visibility without inline deployment

Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering

Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering

Page 10

WildFire Architecture

• Policy-based forwarding of potentially malicious files from the Internet to the WildFire Analysis Center for analysis
• Sandbox-based analysis looks for over 80 malicious behaviors
• Generates a detailed forensics report
• Creates antivirus and C&C signatures
• Protection delivered to all customer firewalls

Page 11

The First 24 Hours is Critical

[Chart: y-axis 0 to 9,000 (unlabeled); x-axis 1 to 35 hours. Sample size = 50 malware files.]

Page 12

What is the WF-500?

§ Appliance-based version of the WildFire sandbox for on-premises, private cloud deployments
§ Ideal for customers that want to avoid sending all files to the public cloud
§ All files analyzed locally on the WF-500
§ Identical detection as the public cloud
§ Optionally sends confirmed malware to the WildFire public cloud for signature generation
§ Provides a private cloud where all firewalls can integrate with the WF-500

[Diagram: customer firewalls on the local customer network send all unknown files to the WF-500; the WF-500 optionally sends confirmed malware to the WildFire Cloud, which returns signatures.]

Page 13

Palo Alto Networks Next-Gen Firewalls

Model    Firewall throughput   Threat Prevention   Sessions    Interfaces
PA-5060  20 Gbps               10 Gbps             4,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5050  10 Gbps               5 Gbps              2,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020  5 Gbps                2 Gbps              1,000,000   8 SFP, 12 copper gigabit
PA-3050  4 Gbps                2 Gbps              500,000     8 SFP, 12 copper gigabit
PA-3020  2 Gbps                1 Gbps              250,000     8 SFP, 12 copper gigabit
PA-500   250 Mbps              100 Mbps            64,000      8 copper gigabit
PA-200   100 Mbps              50 Mbps             64,000      4 copper gigabit

Note that the threat prevention figure, roughly half the firewall figure on every model, is the one that applies once content scanning is enabled on a rule; size against it, not against the headline firewall throughput.

Page 14

Segmenting Traffic in the Virtual Datacenter

• Hardware firewalls will continue to be deployed to secure and segment datacenters at the edge and for legacy servers
• VM-Series introduces the ability for secure segmentation to be done within VMware ESXi

Page 15

Panorama Distributed Architecture

§ With M-100, manager and log collector functions can be split
§ Deploy multiple log collectors to scale collection infrastructure

Page 16

New Threats Require a Different Model for IPS Functions

• Stand-alone IPS has a negative security model: it can only "find it and kill it"
• Stand-alone IPS can't see into growing volumes of SSL-encrypted traffic, nor into compressed content
• Next-generation firewalls enable an "allow application, but scan for threats" policy response
• Gartner's recommendation: move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS, or the combination of the two
