Steven Schmidt / Christian Etzold - DFN · About Palo Alto Networks (slide transcript, 31 pages)

Feb 10, 2020

Transcript
Page 1:

Steven Schmidt, Senior Consultant & Trainer, Security Solutions, Unified Comms

Christian Etzold, Senior System Engineer

© 2011 Netfarmers GmbH

Page 2:

NETFARMERS GmbH - founded 2005

Focus: Cisco / Juniper / Palo Alto

Training:
- Vendor-certified trainings for various learning partners (Cisco/Juniper)
- In-house developed workshops

Consulting:
- Consulting, implementation and training services in high-end networking
- IP communication, internetworking, wireless networks and network security
- Focus: voice and security, especially with the vendor Cisco Systems

Service & Support:
- 2nd and 3rd level troubleshooting

Project business:
- Project management
- Project execution
- Preparation of and support for tenders

• Security Solutions
• Network Management
• Unified Communications

Page 3:

Palo Alto Networks: Re-Inventing Network Security

It's Time To Fix The Firewall?!

Christian Etzold, Senior System Engineer

Page 4:

About the speaker

• Christian Etzold, Senior Systems Engineer
• > 15 years security experience
• Computer science degree; diploma thesis on advanced IDS systems; mail administrator at FH Rosenheim (student assistant)
• ODS Networks / Intrusion (1998: first host-based IDS system, CMDS)
• Rainfinity Systems / EMC (2001: load-balancing software for firewalls)
• IronPort Systems / Cisco Systems (2004: email / web security / encryption)
• Palo Alto Networks (2010: next-generation firewalls)

© 2010 Palo Alto Networks. Proprietary and Confidential.

Page 5:

About Palo Alto Networks

• Palo Alto Networks is the Network Security Company
• World-class team with strong security and networking experience
- Founded in 2005, first customer July 2007, top-tier investors
• Builds next-generation firewalls that identify / control 1,300+ applications
- Restores the firewall as the core of enterprise network security infrastructure
- Innovations: App-ID™, User-ID™, Content-ID™
• Global momentum: 4,500+ customers
- August 2011: annual bookings run rate is over US$200 million*, cash-flow positive for the last five consecutive quarters

A few of the many enterprises that have deployed more than $1M [customer logos]

(*) Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks' fiscal year runs from August 1st until July 31st.

Page 6:

The Internet World Anno 1995

• Virtually no application traffic, no known threats
• Simple assumptions worked; HTTP traffic = browsing
• Firewalls were born to keep simple traffic from coming in or going out; in 15 years' time it became a $5B industry

Page 7:

Security v1.0 Response: Rip Holes in the Firewall

• Background
- Appeared mid-1980s
- Typically embedded in routers
- Classify individual packets based on port numbers
• Challenge
- Could not support dynamic applications
- Flawed solution was to open large groups of ports
- Opened the entire network to attack

[Diagram: traditional applications (DNS, Gopher, SMTP, HTTP) and dynamic applications (FTP, RPC, Java/RMI, multimedia) passing through the packet filter to the Internet]

Page 8:

Security v2.0: Stateful Inspection

• Background
- Innovation created Check Point in 1994
- Used a state table to fix packet filter shortcomings
- Classified traffic based on port numbers, but in the context of a flow
• Challenge
- Cannot identify evasive applications
- Embedded throughout existing security products

[Diagram: traditional applications (DNS, Gopher, SMTP, HTTP), dynamic applications (FTP, RPC, Java/RMI, multimedia) and evasive applications (encrypted, Web 2.0, P2P, instant messenger, Skype, music, games, desktop applications, spyware, crimeware) passing through the stateful firewall to the Internet]
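The difference between the per-packet port filter of page 7 and the flow-aware state table of page 8 fits in a short simulation. What follows is an added example written for this transcript, not code from the slides or from any vendor product; the "inside" prefix 10.0.0.0/8, the web-only rule set and the three packets are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed demo topology: 10.0.0.0/8 is the protected side, everything else is "Internet".
INSIDE = ipaddress.ip_network("10.0.0.0/8")
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def direction(pkt: Packet) -> str:
    """'out' for packets leaving the protected side, 'in' for packets entering it."""
    return "out" if ipaddress.ip_address(pkt.src) in INSIDE else "in"


def packet_filter(pkt: Packet) -> bool:
    """Security v1.0: a stateless rule set that judges each packet on its own by
    direction and port number. To let web replies back in, the filter has to admit
    *any* inbound packet whose source port is 80 or 443, whoever sent it. That rule
    is the hole: an attacker simply sets the source port of a probe to 443."""
    if direction(pkt) == "out":
        return pkt.dport in WEB_PORTS
    return pkt.sport in WEB_PORTS


class StatefulFirewall:
    """Security v2.0: the same outbound port rule, but a flow is recorded in a state
    table when an inside host opens it, and inbound packets are admitted only when
    they are the reverse direction of a recorded flow."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if direction(pkt) == "out":
            if pkt.syn and not pkt.ack and pkt.dport in WEB_PORTS:
                self.flows.add(key)        # new session opened from inside
                return True
            return key in self.flows      # later packets of a known session
        # inbound: allowed only as the reply half of a session we recorded
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def demo() -> dict[str, tuple[bool, bool]]:
    """Run three constructed packets through both designs.
    Returns {name: (packet_filter_decision, stateful_decision)}."""
    client_syn = Packet("10.0.0.5", 51234, "198.51.100.10", 443, syn=True)
    server_synack = Packet("198.51.100.10", 443, "10.0.0.5", 51234, syn=True, ack=True)
    # An outside host probes SSH on an inside machine with source port 443, so the
    # stateless rule mistakes the probe for a web reply.
    spoofed_probe = Packet("203.0.113.9", 443, "10.0.0.7", 22)

    fw = StatefulFirewall()
    return {
        "client_syn": (packet_filter(client_syn), fw.allow(client_syn)),
        "server_synack": (packet_filter(server_synack), fw.allow(server_synack)),
        "spoofed_probe": (packet_filter(spoofed_probe), fw.allow(spoofed_probe)),
    }


if __name__ == "__main__":
    for name, (v1, v2) in demo().items():
        verdict = lambda ok: "allow" if ok else "deny"
        print(f"{name:14s} packet filter: {verdict(v1):5s}  stateful: {verdict(v2)}")
```

The stateful version closes the spoofed-source-port hole, but it still knows nothing beyond the port and the flow: the session it just recorded on tcp/443 could carry a browser, an SSH tunnel or a P2P client, which is exactly the limitation the slide lists under "Challenge".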

Page 9:

The Internet World Anno 2010

• Many applications; many more threats
• Applications are evasive and are the #1 threat vector
• Traditional firewalls are defenseless and offer no protection to enterprises

Page 10:

How Do You Protect Your Network?

Page 11:

Firewalls

Page 12:

Applications Have Changed; Firewalls Have Not

The gateway at the trust border is the right place to enforce policy control
• Sees all traffic
• Defines trust boundary

BUT... applications have changed
• Ports ≠ Applications
• IP Addresses ≠ Users
• Packets ≠ Content

Need to restore visibility and control in the firewall

Page 13:

Application Based Firewall

[Diagram: a stateful-inspection legacy firewall sees only "tcp/443"; the application-based firewall shows what's really going on inside that port]

Page 14:

App-ID is Fundamentally Different

• Sees all traffic across all ports
• Scalable and extensible
• Always on, always the first action
• Built-in intelligence

Much more than just a signature...
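Pages 12 to 14 make the point that "tcp/443" tells a port-based firewall nothing about the application inside. The classifier below is an added example written for this transcript; it is not App-ID and not Palo Alto Networks code. It constructs a minimal TLS ClientHello (sample input, not a capture), extracts the Server Name Indication from it, and classifies a flow's first payload bytes instead of its port. The application labels, the SNI-to-application table and the rule set are assumptions made for the demonstration. Unidentified traffic falls through to a deny, the opposite of the "what's not ID'ed is allowed" behaviour criticised on page 18.

```python
import struct

# Assumed mapping from TLS server name to application label (demonstration only;
# a real application signature is far more than an SNI lookup).
SNI_APPS = {
    "www.facebook.com": "facebook-base",
    "facebook.com": "facebook-base",
}

# Assumed rule set: first match wins, and there is no implicit allow.
RULES = [
    ("facebook-base", "allow"),
    ("web-browsing", "allow"),
    ("ssl", "allow"),
    ("ssh", "deny"),
    ("bittorrent", "deny"),
]


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (sample input)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name             # name_type 0 = host_name
    sni_ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (
        b"\x03\x03" + b"\x11" * 32                 # client_version, random
        + b"\x00"                                  # empty session id
        + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
        + b"\x01\x00"                              # null compression
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def is_client_hello(payload: bytes) -> bool:
    return len(payload) > 5 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01


def tls_sni(payload: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None if absent/malformed."""
    if not is_client_hello(payload) or len(payload) < 44:
        return None
    p = 43                                     # record hdr(5) + hs hdr(4) + version(2) + random(32)
    p += 1 + payload[p]                        # session id
    if p + 2 > len(payload):
        return None
    p += 2 + struct.unpack("!H", payload[p:p + 2])[0]      # cipher suites
    if p >= len(payload):
        return None
    p += 1 + payload[p]                        # compression methods
    if p + 2 > len(payload):
        return None
    end = min(p + 2 + struct.unpack("!H", payload[p:p + 2])[0], len(payload))
    p += 2
    while p + 4 <= end:                        # walk the extension list
        etype, elen = struct.unpack("!HH", payload[p:p + 4])
        p += 4
        if etype == 0 and elen >= 5 and p + elen <= end:
            name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]   # skip list_len(2)+name_type(1)
            return payload[p + 5:p + 5 + name_len].decode("ascii", errors="replace")
        p += elen
    return None


def classify(dport: int, payload: bytes) -> str:
    """App-ID-style decision: the port is deliberately ignored, the first payload bytes decide."""
    if is_client_hello(payload):
        return SNI_APPS.get(tls_sni(payload) or "", "ssl")
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload[:1] == b"\x13" and payload[1:20] == b"BitTorrent protocol":
        return "bittorrent"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT") and b" HTTP/1." in payload:
        return "web-browsing"
    return "unknown-tcp"


def port_based(dport: int) -> str:
    """Legacy decision: 80 and 443 are 'web', so they are allowed."""
    return "allow" if dport in (80, 443) else "deny"


def app_based(app: str) -> str:
    for name, action in RULES:
        if name == app:
            return action
    return "deny"      # nothing matched: unidentified traffic is not allowed by omission


def compare(dport: int, payload: bytes) -> tuple[str, str, str]:
    """(identified app, legacy verdict, app-aware verdict) for one flow's first packet."""
    app = classify(dport, payload)
    return app, port_based(dport), app_based(app)


if __name__ == "__main__":
    samples = {   # constructed first-packet payloads, all sent to tcp/443
        "facebook": build_client_hello("www.facebook.com"),
        "other tls": build_client_hello("example.org"),
        "ssh": b"SSH-2.0-OpenSSH_8.9\r\n",
        "bittorrent": b"\x13BitTorrent protocol" + b"\x00" * 8,
        "http": b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
        "garbage": b"\x00\x01\x02\x03",
    }
    for label, pkt in samples.items():
        print(f"{label:11s} -> {compare(443, pkt)}")
```

Every sample arrives on tcp/443 and the port-based verdict is "allow" for all of them; the payload-based verdict separates SSH and BitTorrent tunnelled over 443 from real TLS and HTTP, and leaves bytes it cannot name in "unknown-tcp", which the rule set denies. Note that this reads only the first packet of a flow and only a handful of protocols; the "built-in intelligence" the slide refers to would have to handle fragmented handshakes, protocols that start with the server talking, and applications nested inside SSL after decryption.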

Page 15:

Technology Sprawl & Creep Are Not The Answer

• "More stuff" doesn't solve the problem
• Firewall "helpers" have limited view of traffic
• Complex and costly to buy and maintain
• Putting all of this in the same box is just slow

[Diagram: a chain of point products between the enterprise and the Internet]

Page 16:

Traditional Systems Have Limited Understanding

• Some port-based apps caught by firewalls (if they behave!!!)
• Some web-based apps caught by URL filtering or proxy
• Some evasive apps caught by an IPS
• None give a comprehensive view of what is going on in the network

Page 17:

Applications Carry Risk

Applications can be "threats"
• P2P file sharing, tunneling applications, anonymizers, media/video

Applications carry threats
• SANS Top 20 Threats – majority are application-level threats

Applications & application-level threats result in major breaches – Pfizer, VA, US Army

Page 18:

Firewall Blades?

• Will identify 50,000 applications...
- 44,500 are social networking widgets
- "Real" applications are a mix of clients and servers
• More is not "better"
- Visibility requires you to enable every signature – what's not ID'ed is allowed
- Policy control will be limited and cumbersome
- Performance will crater when the Application Control blade is enabled
• A UTM feature ADDED to the firewall... reiterate the value of App-ID

Page 19:

The Right Answer: Make the Firewall Do Its Job

New Requirements for the Firewall

1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation

Page 20:

Identification Technologies Transform the Firewall

• App-ID™: identify the application
• User-ID™: identify the user
• Content-ID™: scan the content

Page 21:

Application Command Center (ACC)

Central location to view the state of the network

Page 22:

Comprehensive View of Applications, Users & Content

• Application Command Center (ACC)
- View applications, URLs, threats, data filtering activity
• Add/remove filters to achieve desired result

[Screenshots: filter on facebook-base, then on facebook-base and user "cook"; remove Facebook to expand the view of user cook]

Page 23:

Palo Alto Networks Controls the Threat Vector

• Simple, yet powerful control of 1,300+ applications – block, or allow but scan for threats

Page 24:

Your Control With Legacy Firewalls and IPS

Page 25:

Design and Implementation of the Palo Alto Networks Firewall™, Version 4.0

Page 26:

PAN-OS Core Firewall Features

Visibility and control of applications, users and content complement core firewall features

• Strong networking foundation
- Dynamic routing (BGP, OSPF, RIPv2)
- Tap mode – connect to SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
- Policy-based forwarding
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active / active
- Configuration and session synchronization
- Path, link, and HA monitoring
• VPN
- Site-to-site IPSec VPN
- SSL VPN / GlobalProtect
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 and PA-2000 Series only)
• QoS traffic shaping
- Max/guaranteed and priority
- By user, app, interface, zone, & more
- Real-time bandwidth monitor
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog

[Product photos: PA-4060, PA-4050, PA-4020, PA-2050, PA-2020, PA-500]

Page 27:

PA-5000 Series Architecture

[Diagram: a control plane and a data plane connected by an 80 Gbps switch fabric; the data plane holds three security processors (12 CPUs each, with SSL, IPSec and decompression acceleration), a signature match engine and a network processor, with 10 Gbps and 20 Gbps links between the blocks]

Control Plane
• Highly available management
• High speed logging and route update
• Dual hard drives
• Quad-core CPU, RAM

Data Plane
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes

Signature Match HW Engine
• Stream-based uniform signature match
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and more

Security Processors
• High density parallel processing for flexible security functionality
• Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)

Network Processor
• 20 Gbps front-end network processing: flow control, route, ARP, MAC, NAT, QoS
• Hardware accelerated per-packet route lookup, MAC lookup and NAT

• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
• 4 Million concurrent sessions

Page 28:

Single-Pass Parallel Processing (SP3) Architecture

Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy

Parallel Processing
• Function-specific hardware engines
• Separate data/control planes

Up to 10 Gbps, low latency

Page 29:

Flexible Deployment Options

Visibility
• Application, user and content visibility without inline deployment

Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering

Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering

Page 30:

Q&A

Christian Etzold, Senior System Engineer

Page 31:

Hochschule Magdeburg