The Network Security Company™
Palo Alto Networks Overview
Carlos Alberto Pérez, Systems Engineer Manager LATAM, [email protected]
Palo Alto Networks at a Glance
Corporate highlights
Founded in 2005; first customer shipment in 2007
Safely enabling applications
Able to address all network security needs
Exceptional ability to support global customers
Experienced technology and management team
1,000+ employees globally
[Chart: Enterprise customers: 1,800 (Jul-10), 4,700 (Jul-11), 11,000 (Feb-13)]
[Chart: Revenue, $MM, FYE July: $13 (FY09), $49 (FY10), $119 (FY11), $255 (FY12)]
2 | ©2013, Palo Alto Networks. Confidential and Proprietary.
Applications Have Changed, Firewalls Haven’t
• Network security policy is enforced at the firewall
• Sees all traffic
• Defines boundary
• Enables access
• Traditional firewalls don't work any more
The Right Answer: Make the Firewall Do Its Job
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
Enabling Applications, Users and Content
Single-Pass Parallel Processing™ (SP3) Architecture
Single Pass
• Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning – threats, URLs, confidential data
• One policy

Parallel Processing
• Function-specific parallel processing hardware engines
• Separate data/control planes
• Up to 20 Gbps, low latency
Application Control Belongs in the Firewall

Application Control as an Add-on (firewall, then IPS)
• Port policy decision first, application control policy decision second
• Applications treated as threats; only block what you expressly look for
• Ramifications: two policies/log databases, no reconciliation; unable to effectively manage unknowns

Application Control in the Firewall (application control policy decision, then scan the application for threats)
• Firewall determines application identity: across all ports, for all traffic, all the time
• All policy decisions made based on application
• Ramifications: single policy/log database, all context is shared; policy decisions made based on shared context; unknowns systematically managed
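The contrast drawn on this slide and in the firewall requirements above ("identify applications regardless of port", "unknowns systematically managed", "allow application, but scan for threats") can be made concrete with a small simulation. The following is an added example, not Palo Alto Networks code and not how App-ID or the SP3 engines are implemented: a toy content-based application classifier feeds two policy engines, one that decides on port first and relies on an IPS add-on, and one that decides on application identity and denies whatever it cannot identify. The protocol fingerprints, the single threat signature, the rulebases and the sample sessions are all constructed assumptions for illustration.

```python
"""Added example (not Palo Alto Networks code and not how App-ID is implemented):
a toy port-agnostic application classifier plus two policy engines that contrast
"port decision first, IPS add-on second" with "application identity first,
unknown traffic denied, allowed apps scanned for threats". The protocol
fingerprints, the threat signature, the rulebases and the sample flows are
constructed assumptions for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first client-to-server bytes of the session


HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def identify_app(payload: bytes) -> str:
    """Classify traffic by content only; the destination port is never consulted."""
    # TLS: handshake record (0x16), major version 3, ClientHello (0x01) right after
    # the 5-byte record header. Simplified: a real parser validates the lengths too.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    if payload.split(b" ", 1)[0] in HTTP_METHODS and b" HTTP/1." in payload:
        return "web-browsing"
    return "unknown"


# Constructed content signature standing in for IPS/AV signatures.
THREAT_SIGNATURES = {"constructed-sig-1": b"<script>evil()</script>"}


def threat_match(payload: bytes):
    """Return the name of the first matching signature, or None."""
    for name, pattern in THREAT_SIGNATURES.items():
        if pattern in payload:
            return name
    return None


ALLOWED_PORTS = {80, 443}  # constructed port-based rulebase


def port_based_with_ips(flow: Flow):
    """Port decision first; the IPS add-on only blocks what it expressly looks for."""
    if flow.dst_port not in ALLOWED_PORTS:
        return "deny", "port not permitted"
    sig = threat_match(flow.payload)
    if sig:
        return "deny", "ips signature " + sig
    # Anything on a permitted port without a matching signature passes: the
    # application is never identified, so unknown traffic is allowed by default.
    return "allow", "port %d permitted" % flow.dst_port


APP_RULES = {"web-browsing": "allow", "ssl": "allow"}  # no rule for ssh or unknown


def app_based_firewall(flow: Flow):
    """Application identity drives the decision; 'unknown' is a denied application."""
    app = identify_app(flow.payload)
    if APP_RULES.get(app, "deny") != "allow":
        return "deny", "app %s not permitted" % app
    # "Allow the application, but scan it for threats" in the same pass.
    sig = threat_match(flow.payload)
    if sig:
        return "deny", "app %s allowed but threat %s found" % (app, sig)
    return "allow", "app " + app


# Constructed sample sessions.
SAMPLE_FLOWS = {
    "http-80": Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "tls-443": Flow(443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
    "ssh-on-443": Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),          # evasive: SSH on a web port
    "unknown-on-80": Flow(80, b"\x00\x01\x02\x03\x04binaryblob"),  # custom protocol on port 80
    "http-exploit-80": Flow(80, b"POST /upload HTTP/1.1\r\n\r\n<script>evil()</script>"),
}


def compare(flows=SAMPLE_FLOWS):
    """Map each flow name to (port-based action, app-based action)."""
    return {name: (port_based_with_ips(f)[0], app_based_firewall(f)[0])
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, f in SAMPLE_FLOWS.items():
        print("%-16s port-based: %-5s %-24s | app-based: %-5s %s"
              % ((name,) + port_based_with_ips(f) + app_based_firewall(f)))
```

Running it shows the two models agreeing on plain HTTP, TLS and the signature-matched exploit, and disagreeing on exactly the cases the slide is about: SSH tunnelled on 443 and an unrecognised protocol on port 80 both pass the port-based engine because no signature matched, while the application-based engine denies them as unpermitted and unknown applications respectively. A production classifier also needs the server-side bytes, decryption for SSL and decompression before scanning, which this toy omits.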
NGFW in the Enterprise Network

Perimeter
• App visibility and control in the firewall: all apps, all ports, all the time
• Prevent threats: known threats, unknown/targeted malware
• Simplify security infrastructure

Data Center
• Network segmentation based on application and user, not port/IP
• Simple, flexible network security: integration into all DC designs
• Highly available, high performance
• Prevent threats

Distributed Enterprise
• Consistent network security everywhere: HQ/branch offices/remote and mobile users
• Logical perimeter: policy follows applications and users, not physical location
• Centrally managed
Flexible Deployment Options

Visibility
• Application, user and content visibility without inline deployment

Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering

Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
WildFire Architecture
• WildFire Analysis Center
• Potentially malicious files from the Internet
• Protection delivered to all customer firewalls
• Policy-based forwarding to WildFire for analysis
• Sandbox-based analysis looks for over 80 malicious behaviors
• Generates detailed forensics report
• Creates antivirus and C&C signatures
The First 24 Hours is Critical
[Chart: y-axis 0 to 9,000 against hours 1 to 35; * sample size = 50 malware files]
What is the WF-500?
§ Appliance-based version of the WildFire sandbox for on-premises, private cloud deployments
§ Ideal for customers that want to avoid sending all files to the public cloud
§ All files analyzed locally on the WF-500
§ Identical detection as the public cloud
§ Optionally sends confirmed malware to the WildFire public cloud for signature generation
§ Provides a private cloud where all firewalls can integrate with the WF-500
[Diagram: customer firewalls on the local customer network send all unknown files to the WF-500; confirmed malware is optionally sent to the WildFire cloud, which generates signatures]
Palo Alto Networks Next-Gen Firewalls

Model    Firewall   Threat Prevention   Sessions    Interfaces
PA-5060  20 Gbps    10 Gbps             4,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5050  10 Gbps    5 Gbps              2,000,000   4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020  5 Gbps     2 Gbps              1,000,000   8 SFP, 12 copper gigabit
PA-3050  4 Gbps     2 Gbps              500,000     8 SFP, 12 copper gigabit
PA-3020  2 Gbps     1 Gbps              250,000     8 SFP, 12 copper gigabit
PA-500   250 Mbps   100 Mbps            64,000      8 copper gigabit
PA-200   100 Mbps   50 Mbps             64,000      4 copper gigabit
Segmenting Traffic in the Virtual Datacenter
• Hardware firewalls will continue to be deployed to secure and segment datacenters at the edge and for legacy servers
• VM-Series introduces the ability for secure segmentation to be done within VMware ESXi
Panorama Distributed Architecture
§ With M-100, manager and log collector functions can be split
§ Deploy multiple log collectors to scale collection infrastructure
New Threats Require a Different Model for IPS Functions
• Stand-alone IPS has a negative security model – can only “find it and kill it”
• Stand-alone IPS can’t see into growing volumes of SSL-encrypted traffic, nor into compressed content
• Next-generation firewalls enable “allow application, but scan for threats” policy response
• Gartner's recommendation:
  - Move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS, or the combination of the two.