Palo Alto Networks 28.5.2013
•Download as PPTX, PDF•
8 likes•9,813 views
Präsentation anlässich des Belsoft Best Practice - Next Generation Firewalls
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (18)
Similar to Palo Alto Networks 28.5.2013
Similar to Palo Alto Networks 28.5.2013 (20)
More from Belsoft
More from Belsoft (20)
Recently uploaded
Recently uploaded (20)
Palo Alto Networks 28.5.2013
- 1. Palo Alto Networks Product Overview Kilian Zantop 28. Mai 2013 Belsoft Best Practice - Next Generation Firewalls
- 2. Palo Alto Networks at a Glance Corporate highlights Founded in 2005; first customer shipment in 2007 Safely enabling applications Able to address all network security needs Exceptional ability to support global customers Experienced technology and management team 1,000+ employees globally 1,800 4,700 11,000 0 2,000 4,000 6,000 8,000 10,000 12,000 Jul-10 Jul-11 $13 $49 $255 $119 $0 $50 $100 $150 $200 $250 $300 FY09 FY10 FY11 FY12 Revenue Enterprise customers $MM FYE July Feb-13 3 | ©2013, Palo Alto Networks. Confidential and Proprietary.
- 3. Applications Have Changed, Firewalls Haven’t 4 | ©2012, Palo Alto Networks. Confidential and Proprietary. Network security policy is enforced at the firewall • Sees all traffic • Defines boundary • Enables access Traditional firewalls don’t work any more
- 4. Encrypted Applications: Unseen by Firewalls What happens traffic is encrypted? • SSL • Proprietary encryption 7 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 5. Technology Sprawl and Creep Aren’t the Answer Enterprise Network • “More stuff” doesn’t solve the problem • Firewall “helpers” have limited view of traffic • Complex and costly to buy and maintain • Doesn’t address application “accessibility” features 8 | ©2012, Palo Alto Networks. Confidential and Proprietary. IMDLPIPS ProxyURLAV UTM Internet
- 6. 1. Identify applications regardless of port, protocol, evasive tactic or SSL 2. Identify and control users regardless of IP address, location, or device 3. Protect against known and unknown application-borne threats 4. Fine-grained visibility and policy control over application access / functionality 5. Multi-gigabit, low latency, in-line deployment The Answer? Make the Firewall Do Its Job 9 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 7. Application Control Belongs in the Firewall Port Policy Decision App Ctrl Policy Decision Application Control as an Add-on • Port-based decision first, apps second • Applications treated as threats; only block what you expressly look for Ramifications • Two policies/log databases, no reconciliation • Unable to effectively manage unknowns IPS Applications Firewall PortTraffic Firewall IPS App Ctrl Policy Decision Scan Application for Threats Applications ApplicationTraffic Application Control in the Firewall • Firewall determines application identity; across all ports, for all traffic, all the time • All policy decisions made based on application Ramifications • Single policy/log database – all context is shared • Policy decisions made based on shared context • Unknowns systematically managed 10 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 8. Enabling Applications, Users and Content 11 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 9. Making the Firewall a Business Enablement Tool Applications: Enablement begins with application classification by App-ID. Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect. Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire. 12 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 10. Single Pass Platform Architecture 13 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 11. PAN-OS Core Firewall Features Strong networking foundation Dynamic routing (BGP, OSPF, RIPv2) Tap mode – connect to SPAN port Virtual wire (“Layer 1”) for true transparent in-line deployment L2/L3 switching foundation Policy-based forwarding VPN Site-to-site IPSec VPN Remote Access (SSL) VPN QoS traffic shaping Max/guaranteed and priority By user, app, interface, zone, & more Real-time bandwidth monitor Zone-based architecture All interfaces assigned to security zones for policy enforcement High Availability Active/active, active/passive Configuration and session synchronization Path, link, and HA monitoring Virtual Systems Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, PA- 3000, and PA-2000 Series) Simple, flexible management CLI, Web, Panorama, SNMP, Syslog 14 | ©2012, Palo Alto Networks. Confidential and Proprietary. Visibility and control of applications, users and content complement core firewall features PA-500 PA-200 PA-2000 Series PA-2050, PA-2020 PA-3000 Series PA-3050, PA-3020 PA-4000 Series PA-4060, PA-4050 PA-4020 PA-5000 Series PA-5060, PA-5050 PA-5020 VM-Series VM-300, VM-200, VM-100
- 13. Panorama Deployment Recommendations 16 | ©2012, Palo Alto Networks. Confidential and Proprietary. Panorama VM < 10 devices < 10,000 logs/sec Sites with need for virtual appliance Panorama M-100 < 100 devices < 10,000 logs/sec Panorama Distributed Architecture < 1,000 devices > 10,000 logs/sec (50,000 per collector) Deployments with need for collector proximity
- 14. Panorama Distributed Architecture With the M-100, manager and log collector functions can be split Deploy multiple log collectors to scale collection infrastructure 17 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 15. M-100 Hardware Appliance Simple, high-performance, dedicated appliance for Panorama Simplifies deployment and support Introduces distributed log collection capability for large scale deployments License migration path available for current Panorama customers 18 | ©2012, Palo Alto Networks. Confidential and Proprietary. Specifications 1 RU form factor Intel Xeon 4 core 3.4 GHz CPU 16 GB memory 64bit Panorama kernel 120 GB SSD system disk Up to 4 TB of RAID1 storage for logs (ships with two 1TB drives)
- 16. Panorama Architecture – Configuration Device Groups are used to share common Policies and Objects Templates are used to share common Networking and Device configuration 19 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 18. The Lifecycle of Network Attacks - Rehearsal 21 | ©2012, Palo Alto Networks. Confidential and Proprietary. Bait the end-user 1 End-user lured to a dangerous application or website containing malicious content Exploit 2 Infected content exploits the end- user, often without their knowledge Download Backdoor 3 Secondary payload is downloaded in the background. Malware installed Establish Back-Channel 4 Malware establishes an outbound connection to the attacker for ongoing control Explore & Steal 5 Remote attacker has control inside the network and escalates the attack
- 19. An Integrated Approach to Threat Prevention 22 | ©2012, Palo Alto Networks. Confidential and Proprietary. App-ID URL IPS Spyware AV Files WildFire Bait the end-user Exploit Download Backdoor Command/Control Block high-risk apps Block known malware sites Block the exploit Block malware Prevent drive- by-downloads Detect 0-day malware Block new C2 traffic Block spyware, C2 traffic Block fast-flux, bad domains Block C2 on open ports
- 20. Why Traditional Antivirus Protection Fails Modern/Targeted malware is increasingly able to: Avoid hitting traditional AV honeypots Evolve before protection can be delivered, using polymorphism, re- encoding, and changing URLs 23 | ©2012, Palo Alto Networks. Confidential and Proprietary. ☣Targeted and custom malware ☣Polymorphic malware ☣Newly released malware Highly variable time to protection
- 21. WildFire Architecture 10Gbps threat prevention and file scanning on all traffic, all ports (web, email, SMB, etc.) Malware ran in the cloud with open internet access to discover hidden behaviors Sandbox logic updated routinely with no customer impact Malware signatures automatically created based on payload data Stream-based malware engine performs true inline enforcement 24 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 22. WildFire Subscription Service WildFire signatures every 30 minutes Integrated logging & reporting REST API for scripted file uploads 25 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 23. Reaching Effects of WildFire 26 | ©2012, Palo Alto Networks. Confidential and Proprietary. Threat Intelligence Sources WildFire Users AV Signatures DNS Signatures Anti-C&C SignaturesMalware URL Filtering
- 24. Introducing the WildFire Appliance (WF-500) Appliance-based version of WildFire for on- premises deployments All sandbox analysis performed locally on the WildFire appliance WF-500 has option to send locally identified malware to WildFire public cloud Signatures only are created in public cloud WildFire signatures for all customers distributed via normal update service Detection capabilities in sync with public cloud 27 | ©2012, Palo Alto Networks. Confidential and Proprietary. WildFire Cloud Eagle Appliance All samples Malware Signatures
- 25. Global Protect Securing your road worriers
- 26. Challenge: Quality of Security Tied to Location Enterprise-secured with full protection Headquarters Branch Offices malware botnets exploits 29 | ©2012, Palo Alto Networks. Confidential and Proprietary. Airport Hotel Home Office Exposed to threats, risky apps, and data leakage
- 27. GlobalProtect: Consistent Security Everywhere •Headquarters •Branch Office malware botnets exploits • VPN connection to a purpose built firewall that is performing the security work • Automatic protected connectivity for users both inside and outside • Unified policy control, visibility, compliance & reporting 30 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 28. LSVPN Large scale satellite VPN
- 29. 3 2 © 2011 Palo Alto Networks. Proprietary and Confidential. The Concept Easy deployment of large scale VPN infrastructure • GlobalProtect Satellites automatically acquire authentication credentials and initial configuration from GlobalProtect Portal • GlobalProtect Satellite establishes tunnels with available Gateways • Satellites and Gateways automatically exchange routing configuration
- 30. Magic Quadrant for Enterprise Network Firewalls 35 | ©2013, Palo Alto Networks. Confidential and Proprietary. “Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward. It is assessed as a Leader, mostly because of its NGFW design, direction of the market along the NGFW path, consistent displacement of competitors, rapidly increasing revenue and market share, and market disruption that forces competitors in all quadrants to react.” Gartner, February 2013
- 31. Thank You Page 37 |© 2010 Palo Alto Networks. Proprietary and Confidential.
- 32. Next-Generation Firewall Virtualized Platforms 38 | ©2012, Palo Alto Networks. Confidential and Proprietary. Specifications Model Sessions Rules Security Zones Address Objects IPSec VPN Tunnels SSL VPN Tunnels VM-100 50,000 250 10 2,500 25 25 VM-200 100,000 2,000 20 4,000 500 200 VM-300 250,000 5,000 40 10,000 2,000 500 Supported on VMware ESX/ESXi 4.0 or later Minimum of 2 CPU cores, 4GB RAM, 40GB HD, 2 interfaces Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames Performance Cores Allocated Firewall (App-ID) Threat Prevention VPN Sessions per Second 2 Core 500 Mbps 200 Mbps 100 Mbps 8,000 4 Core 1 Gbps 600 Mbps 250 Mbps 8,000 8 Core 1 Gbps 1 Gbps 400 Mbps 8,000
- 33. Differentiating: App-ID vs. Two Step Scanning Operational ramifications of two step scanning Two separate policies with duplicate info – impossible to reconcile them Two log databases decrease visibility Unable to systematically manage unknown traffic Weakens the deny-all-else premise Every firewall competitor uses two step scanning 39 | ©2012, Palo Alto Networks. Confidential and Proprietary. Port Policy Decision App Ctrl Policy Decision IPS Applications Firewall Allow port 80 traffic Traffic 300 or more applications 300 or more applications 300 or more applications
- 34. Flexible Deployment Options Visibility Transparent In-Line Firewall Replacement • Application, user and content visibility without inline deployment • IPS with app visibility & control • Consolidation of IPS & URL filtering • Firewall replacement with app visibility & control • Firewall + IPS • Firewall + IPS + URL filtering 40 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Editor's Notes
- A quick summary of who we are. We were founded in 2005; in 2007 we brought to market the first next generation firewall to classify traffic based on application, regardless of the port, protocol, encryption or other evasive tactic. We have been described by Gartner as a disruptive security platform because we took a fresh, from the ground up approach to building a firewall for modern networks. Our key differentiator is the ability to Safely Enable Applications: this means more than allowing or blocking – it means using business-relevant elements such as the application identity, who is using the application, and the type of content or threat as a more meaningful way to control network access and grow your business. This means you can build firewall policies to allow the application but apply function control, or bandwidth shaping, or threat prevention to the application. Able to Address All Network Security Needs: We have a broad range of platforms that all support a rich firewall feature-set that can protect your perimeter, datacenter, distributed enterprise with Exceptional Growth and Global Presence: Refer to the charts on the right for growth. We have over 11,000 customers in over 100 customers with support centers and hardware depots distributed worldwide. Experienced Technology and Management Team: The technology team drives our innovation and our continued efforts at disrupting the network security market – they are our most valued team members. The management team brings a rich history of steering a rapidly growing dynamic company like ours.
- The fundamental problem that we set out to solve is this: applications have changed, the firewall has not kept pace. And what we sometimes forget is that the firewall was designed to act as the security boundary for your network. It sees all traffic and enables access. The evolution of the application landscape has not happened over night – although it has accelerated dramatically in recent years. Antivirus applications began using port 80 as their avenue for updates back in 1997. AV is not a web application. The vendors did this to simplify access and better support their customers.AOL instant messenger (AIM) used to prompt you with “Find an open port?” if it could not establish a connection. BitTorrent, Skype both port hop and MS sharepoint uses a range of ports. Finally, MS-Lync – the messaging component for MS live 365 requires port 443, 3478 (stun), 5223 and a range of ports between 20,000-45,000 and 50,000-59,999.These are just a few examples of how applications have changed to mainly simplify access. Think about it, if you’re an application developer, you want your application used – so you will do what is necessary to achieve that goal. The ramifications of these changes result in an increase in business and security risks - applications act as (1) a threat vector (Email delivering a video URL but is really malware) and (2) they are threat targets (SQL injection attacks), and (3) they act as the command and control/exfiltration avenue. So while applications were rapidly evolving, port-based firewalls were stuck in the late 1990s – they did not keep pace. To try and address the problem, the industry’s response has been to sell more stuff!-------------Goals of this slide. This slide establishes the problem: Firewalls have always been designed to be the security boundary. They have not kept pace with the application trends. Use interesting examples that are not Facebook and Twitter to show that applications have changes firewalls have not. Use examples of applications that may use evasive techniques to simplify use and in so doing, avoid detection. Use applications that change state as added functions are used – they are hard for UTMS to identify, control and enable.
- OPTIONAL slide Threat ramifications: Applications are a threat vector (malware) and a target (exploits)
- OPTIONAL slide exfiltrationExfiltration ramifications: Today’s threats are applications – their command/control/exfiltration requires network communications. Apps can act as the conduit for data theft.
- OPTIONAL slide SSL and SSH: more and more applications use encryption, rendering existing FWs useless.
- Now…this is probably what your current network infrastructure looks like: Behind your port blocking firewall there is most likely a stand alone IPS, Quality of Service, URL Filtering, Data Leakage Prevention, Proxy, Antivirus, and maybe others…but our position is that sprawl is not the answer. <Click to animate>And bolting it all in one box, as UTM vendors have done, doesn’t work for several reasons: UTMs are all stateful inspection based – it is part of the UTM definition: stateful inspection + IPS + AV as outlined by IDC around 10 years ago. In all UTMs, the port-based decision is made first – this cannot be changed. Then the application, IPS, AV, URL decisions are made sequentially using a silo-based scanning approach – but it is all still based on what the stateful inspection (port-based) decision was. None of the information learned by the first scan is shared with the second, third or fourth. So ultimately, the decisions are either allow or deny – nothing in between. Sheet metal integration merely puts everything in one box for the sole purpose of lowering costs – nothing more. Nothing has changed.It’s all the same stuff just a lot slower and cheaper. We believe that the firewall is STILL the ideal location to exert control over traffic flowing across the network. But we believe control needs to be based on the application identify, regardless of which port/ports it uses – and here’s why… -------------------Explain why customers have deployed all of these devices – the control that once existed in the firewall has eroded over time. Added devices or scanning engines do not solve the problem. UTMs exist for the sole purpose of consolidating devices to save money UTMs suffer from performance issues, multiple policies, silo-based scanning, multiple databases, logs, etcUTMs are all stateful inspection based – the all make their first decision on port. This is not our value-add
- Today, every firewall vendor will say they can control applications – let’s take a look how they address the application control challenge in a bit more detail. Folks like check point, juniper, fortinet, cisco are all adding control elements to their stateful inspection firewalls. Just like a UTM. Some add new application control blades, other use the IPS engine with new signatures. What ever mechanism used, the application control decision is made after stateful inspection. So you will need to open port 80 and 443 in order to try and control web applications like twitter and facebook. This means you are allowing roughly 300 applications (app usage and risk report) – just to try and control 2 or 3 applications. What happens to the other 297? The operational ramifications of this are significant. Multiple policies/log databases . A port-based firewall plus application control approach means you will need to build and manage firewall policy with source, destination, user, port, and action, etc. and an application control policy, with the same information adding application and action. Traffic is logged in two databases – the firewall and the app control element. If your organization is like most, then you likely have hundreds, even thousands of firewall rules. A multiple policy rulebase approach will not only increase administrative overhead – it may also increase both business and security risks unnecessarily. There are no tools to reconcile the two policies in order to make sure nothing sneaks by. Systematic management of unknown traffic. Unknown traffic epitomizes the 80%-20% rule – it is a small amount of traffic on every network, but it is high risk. Unknown traffic can be a custom application, an unidentified commercial application, or a threat. Incumbent vendors have no way to systematically find and manage that unknown traffic. To be clear, all of the traffic is logged by the firewall, but the applications are logged separately and are a subset, making unknown traffic management nearly impossible. Blocking it all may cripple the business. Allowing it all is high risk. Port-based ‘allow’ rule defeats ‘deny all’ premise. The always-on nature of port-based traffic classification, means your incumbent firewall will first need to open? the application default port controlling the application. To control Facebook, you need to allow tcp/80 or tcp/443. Based on the Application Usage and ThreatReport, you may be allowing 297 (25% of the average enterprise application mix) other applications that you may or may not want on the network. This means the strength of a firewall’s default deny all else policy is significantly weakened. What sets us apart? As soon as we see the traffic, we determine what the application is, regardless of the port, and we then use that information as the basis for all security policy decisions. This means: Single policy/log database: Palo Alto Networks uses a single, unified policy editor that allows you to use application, user and content as the basis for your secure enablement policies. Systematic management of unknowns: We categorize unknown traffic, which allows you to find internal applications and create a custom App-ID; do a PCAP for unidentified commercial applications and submit them for App-ID development; use the logging and reporting features to see if it is a threat. You are able to systematically manage unknown traffic down to a small, low risk amount – all based on policy. We act as a firewall should – deny-all else. As soon as traffic hits a Palo Alto Networks firewall, App-ID immediately identifies what the application is, across all ports, all the time. Access control decisions are made based on the application and default deny all can be maintained.
- Palo Alto Networks allows you to build enablement policies that are based on business relevant elements – applications, users and content. It makes perfect sense, right? Your business runs on applications, users and content – shouldn’t your security policies? At the perimeter, you can reduce your organizationsthreat footprint by blocking a wide range of unwanted applications and then inspecting the allowed applications for threats - both known and unknown. <point out gmail, ultrasurf, tor as examples of applications you would allow and scan for threats; or outright block>In the datacenter, application enablement translates to confirming the applications users and content are allowed and protected from threats while simultaneously finding rogue, misconfigured applications - all at multi-Gbps speeds. In virtualized datacenter environments, organizations can apply consistent application enablement policies while addressing security challenges introduced by virtual machine movement and orchestration. <point out Oracle and Sharepoint as examples>Expanding outwards to enterprise branch offices and remote users, enablement is delivered through policy consistency - the same policy deployed at the corporate location and is extended, seamlessly to other locations.In short, our technology allows you to enable applications for users and protect the associated content – without hindering your business.
- Lets talk for a moment about how our technology can enable applications, users and content – along with your business. Safe enablement policies begin with accurate classification of the application using App-ID. App-ID uses a combination of signatures, application and protocol decoders, and heuristics to identify all applications, across all ports, all the time - as soon as traffic hits the firewall. The application identity then becomes the basis for your positive enforcement model firewall policies. This means you can safely allow or block certain applications, or specific functionality within or across multiple applications like file sharing or instant messaging.Users make up the next piece of a safe enablement policy. We can tie users, regardless of the device platform, to the application with User-ID and GlobalProtect. User-ID integrates with the widest range of directory services on the market, including Active Directory, and Microsoft Exchange (which brings you Linux or MAC-OS users and LDAP to enable you to build policy aroundusers and groups of users by name, not just IPaddresses. An API is also available for non-standard directory integration. For remote or traveling employees working on a laptop, an iOS or Android platform from say, a Starbucks or a customer site, we can include them in the safe application enablement policies with our Global Protect end point solution. Scanning the content within the application is the final enablement policy and that is delivered by Content-ID. IPS, AV, antispyware and URL filtering within Content-IDwill allow you to apply very specific threat prevention profiles to your business critical traffic and/or users. The threat prevention engine is stream based and it utilizes a uniform signature format. It looks for a combination of things in a single pass, unlike the silo based AV, IPS and URL filtering. Wildfire provides the ability to identify malicious behaviors typically associated with zero-day attacks found in executable files by running them in a virtual environment and observing their behaviors. When a malicioussample is identified, it is then passed on to the signature generator, which automatically writes a signature for the sample and tests it for accuracy. Signatures are then delivered to all Palo Alto Networks customers as part of the daily malware signature updates.This slide summarizes one of our Core Value Propositions and Main Differentiators from the other vendors: The ability to SAFELY ENABLE APPLICATIONS, USERS AND CONTENT. Now, real quick I want to talk about how the device is sold: We sell a purpose built appliance with a purpose built operating system. Included with the base appliance are all the firewall capabilities: App-ID, User-ID, SSL and IPSEC VPN, SSL decryption and re-encryption, QoS, and Data Filtering. If you are interested in Threat Prevention, URL Filtering – or - Global Protect, these would each require a separate license. Oh, and just so you are aware…there are no user counts anywhere in our licensing model.ONE OF THE MAIN POINTS IS TO EMPHASIZE IS THAT WE INNOVATED HEAVILY TO DELIVER ON THE REQUIREMENTS. IT’S A BIG PART OF OUR CULTURE.
- One of the common questions we get is around how we perform with services enabled. The best way I can describe the platform is it is purpose-built. I like to use a racing analogy. Any racing vehicle – indy, nascar, F1, Rally, motocross, motorcycle, go-kart, dragster – does not go fast because of one thing. It is a combination of engine, frame, suspension, aerodynamics and of course driver. We followed the same path. We first built a single-pass software engine which scans traffic only once – as opposed to the UTM approach which uses multiple, silo-like scans to protect the network. We then married the software to a high-performance hardware platform that uses the same architecture across all platforms. Each platform has either dedicated processors or dedicated computing resources for networking, security, threat prevention and management – as an example, the high-end PA-5000 Series has 40 processing cores that deliver predictable performance with all services enabled. The control plane and management plane are physically separated to provide some built-in resiliency. This is Fundamentally Differentthan UTM vendors who have bolted on an IPS engine, and AV engine, a QoS engine, and others, onto their firewall engine, usually all driven by a single processor. ****EVEN WHEN THEY’VE GOT MULTIPLE PROCESSORS, THE SILO-BASED APPROACH KILLS THEIR PERFORMANCEWe were a part of a NetworkWorldtest, where with every feature enabled, we were able to maintain 80% of marketed throughput, as compared with all other vendors, some of whom dropped below 50% and some as much as 90%...quite alarming, isn’t it?
- DEVICE GROUPSThe collection of objects available to an operator include Shared, DG specific, or device specific. All can be used in policy.Shared in this instance means it is applied to all devices managed by Panorama.There are also Device Group rules (policy) and device specific rules.DG rules include pre and post rules (applied before and after device rules).DG rules can only utilize Shared and DG objects. Objects pushed by Panorama.Device specific rules can use all objects.Any rule base available in PANOS (e.g. Security, NAT, QOS, etc.) is available in Panorama as well.There is a Shared global policy as well which is applied to all DGs The shared rules can only be edited by Panorama or Superuser admins. This allows tiered access control models for large organizations which have multiple administrators with different levels of responsibilityTargets can be used to create Shared rules which apply to the devices of one or more DGs or specific devicesShared rules are essentially a pre-pre and post-post rulebaseAll of these rules are put into an ordered list on the firewall.The firewall itself does the sanity checking and installs the rulesTEMPLATESTemplates allow for central management of the Device and Network config elements from PanoramaAll config elements in these tabs can be managed centrally. Eg. Network elements (Interface, zones, VR, etc). Device elements (setup items [eg. DNS server], Auth Profiles, Server profiles, etc)This allows for staging of changes centrally before a maintenance period for all elements of the devices configurationIt also allows for applying common settings across multiple devices to allow for one change instead of manyEg. DNS server update across 100 FWs
- Until now, we have been talking about how Palo Alto Networks can help you securely enable the applications traversing your Perimeter firewall. That makes sense right? The Perimeter is the place where ALL traffic passes. And at the end of the day, that is the ideal location for safe application enablement. That being said, we know that the perimeter is not the only location where firewalls are deployed. We have many customers who are deploying our firewalls in their Data Center as well. When looking at those locations, the value proposition changes slightly. In the Data Center, you’re not too concerned with end user applications like webmail or social networking. You’re more concerned about isolating the Data Center applications along with the tools you may use to manage those applications - or in other words, you need network segmentation. By using App-ID and User-ID to verify the approved set of applications and users, you are able to segment the network all while using high performance IPS to protect the data. In the Distributed Enterprise, the value proposition is also slightly different. Here, it’s about consistency: You need to deliver the best protection, by using either a Device or GlobalProtect, to implement the same policies that are in use at the Corporate Perimeter. Much to the delight of our customers, and many IT organizations, we offer solutions for all three use cases, the Perimeter, Data Center, as well as the Distributed Enterprise.
- In this MQ Gartner is validating that the next-generation firewall has gone mainstream, stating "Advances in threats have driven mainstream firewall demand for next- generation firewall capabilities. Buyers should focus on the quality, not quantity, of the features and the R&D behind them." With our placement in the upper right for the 2nd consecutive Gartner is validating that we are a leader in the enterprise FW market: "Palo Alto Networks continued through 2012 to generate the most firewall inquiries among Gartner customers by a significant margin. Palo Alto Networks was consistently on most NGFW competitive shortlists, and we observed high customer loyalty and satisfaction from early adopters." We came to market in 2007 with an innovative, disruptive firewall solution and a singular focus on customers, which Gartner validates in the MQ: "Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward.”As far as what not to say – stick to the script, do NOT: 1. Put words in Gartner's mouth.2. Anticipate future MQ positions.3. Talk about other vendors. We have plenty of strong stuff in the bullets below.
- Exact same feature set available in HW FW is now available in virtualized form factorLicensed by capacities – not CPU or other money sucking scheme.
- We believe application enablement belongs in the FW, not in a secondary scanning process. And that is what we do with app-id. In 2007 when we launched our first product, competitors dismissed the concept of application enablement. Now, many existing firewall vendors say, “we do what Palo Alto Networks does”, validating our direction set forth at that time. In reality, there are some fundamental differences that cannot be overlooked, starting with the foundation of your existing firewalls. Stateful inspection makes all access control decisions based on port and protocol. This cannot be changed, yet it is easily bypassed by many of today’s applications. Existing firewall vendors try to address application enablement by adding application control features to their Stateful inspection firewall, much like they have done with IPS. There are several significant ramifications to this add-on approach. Multiple policies with duplicate information increases management effort. A port-based firewall plus application control approach means you will need to build and manage firewall policy with source, destination, user, port, and action, etc. and an application control policy, with the same information adding application and action. If your organization is like most, then you likely have hundreds, even thousands of firewall rules. A multiple policy rulebase approach will not only increase administrative overhead – it may also increase both business and security risks unnecessarily. Palo Alto Networks uses a single, unified policy editor that allows you to use application, user and content as the basis for your secure enablement policies. Systematic management of unknown traffic. Unknown traffic epitomizes the 80%-20% rule – it is a small amount of traffic on every network, but it is high risk. Unknown traffic can be a custom application, an unidentified commercial application, or a threat. Incumbent vendors have no way to systematically find and manage that unknown traffic. To be clear, all of the traffic is logged by the firewall, but the applications are logged separately and are a subset, making unknown traffic management nearly impossible. Blocking it all may cripple the business. Allowing it all is high risk. We categorize unknown traffic, which allows you to find internal applications and create a custom App-ID; do a PCAP for unidentified commercial applications and submit them for App-ID development; use the logging and reporting features to see if it is a threat. You are able to systematically manage unknown traffic down to a small, low risk amount – all based on policy. Port-based ‘allow’ rule defeats ‘deny all’ premise. The always-on nature of port-based traffic classification, means your incumbent firewall will first need to open? the application default port controlling the application. To control Facebook, you need to allow tcp/80 or tcp/443. Based on the December 2011 Application Usage and Risk Report, you may be allowing 297 (25% of the average enterprise application mix) other applications that you may or may not want on the network. This means the strength of a default deny all policy is significantly weakened. As soon as traffic hits a Palo Alto Networks firewall, App-ID immediately identifies what the application is, across all ports, all the time. Access control decisions are made based on the application and default deny all can be maintained.
- You can ease into deploying us. We designed our devices to be deployed in several different ways. Tap Mode provides visibility only, and is generally where we deploy a device during a product evaluation. With a device in Tab Mode for a short period of time, we can provide you with an Application Visibility and Risk Report that will show you the traffic traversing your network with your current policies still in place. We usually EVALUATE IN Tap Mode. We can also sit In-line, where our device would be deployed behind the existing firewall like a more traditional IPS. You will now gain visibility and control without having to rip out your current firewall. And finally we can be deployed in layer 2 or 3, as a Replacement for your existing firewall. Typically, we are moving clients from left to right as the value of our Next-Generation Firewall Platform is realized over time.