More Related Content
Similar to Palo alto networks product overview
Similar to Palo alto networks product overview (20)
Palo alto networks product overview
- 1. Palo Alto Networks Product Overview
Kilian Zantop
28. Mai 2013
Belsoft Best Practice - Next Generation Firewalls
- 2. Palo Alto Networks at a Glance
Corporate highlights
Founded in 2005; first customer shipment in 2007
Safely enabling applications
Able to address all network security needs
Exceptional ability to support global customers
Experienced technology and management team
1,000+ employees globally
1'800
4'700
11,000
0
2'000
4'000
6'000
8'000
10'000
12'000
Jul-10 Jul-11
$13
$49
$255
$119
$0
$50
$100
$150
$200
$250
$300
FY09 FY10 FY11 FY12
Revenue
Enterprise customers
$MM
FYE July
Feb-13
3 | ©2013, Palo Alto Networks. Confidential and Proprietary.
- 3. Applications Have Changed, Firewalls Haven’t
4 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Network security policy is enforced
at the firewall
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work any
more
- 4. Encrypted Applications: Unseen by Firewalls
What happens traffic is encrypted?
• SSL
• Proprietary encryption
7 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 5. Technology Sprawl and Creep Aren’t the Answer
Enterprise
Network
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address application “accessibility” features
8 | ©2012, Palo Alto Networks. Confidential and Proprietary.
IMDLPIPS ProxyURLAV
UTM
Internet
- 6. 1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
The Answer? Make the Firewall Do Its Job
9 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 7. Application Control Belongs in the Firewall
Port Policy
Decision
App Ctrl Policy
Decision
Application Control as an Add-on
• Port-based decision first, apps second
• Applications treated as threats; only block what
you expressly look for
Ramifications
• Two policies/log databases, no reconciliation
• Unable to effectively manage unknowns
IPS
Applications
Firewall
PortTraffic
Firewall IPS
App Ctrl Policy
Decision
Scan Application
for Threats
Applications
ApplicationTraffic
Application Control in the Firewall
• Firewall determines application identity; across all
ports, for all traffic, all the time
• All policy decisions made based on application
Ramifications
• Single policy/log database – all context is shared
• Policy decisions made based on shared context
• Unknowns systematically managed
10 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 9. Making the Firewall a Business Enablement Tool
Applications: Enablement begins with
application classification by App-ID.
Users: Tying users and devices, regardless of
location, to applications with User-ID and
GlobalProtect.
Content: Scanning content and protecting
against all threats, both known and unknown,
with Content-ID and WildFire.
12 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 11. PAN-OS Core Firewall Features
Strong networking foundation
Dynamic routing (BGP, OSPF, RIPv2)
Tap mode – connect to SPAN port
Virtual wire (“Layer 1”) for true
transparent in-line deployment
L2/L3 switching foundation
Policy-based forwarding
VPN
Site-to-site IPSec VPN
Remote Access (SSL) VPN
QoS traffic shaping
Max/guaranteed and priority
By user, app, interface, zone, & more
Real-time bandwidth monitor
Zone-based architecture
All interfaces assigned to security
zones for policy enforcement
High Availability
Active/active, active/passive
Configuration and session
synchronization
Path, link, and HA monitoring
Virtual Systems
Establish multiple virtual firewalls in a
single device (PA-5000, PA-4000, PA-
3000, and PA-2000 Series)
Simple, flexible management
CLI, Web, Panorama, SNMP, Syslog
14 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Visibility and control of applications, users and content
complement core firewall features
PA-500
PA-200
PA-2000 Series
PA-2050, PA-2020
PA-3000 Series
PA-3050, PA-3020
PA-4000 Series
PA-4060, PA-4050 PA-4020
PA-5000 Series
PA-5060, PA-5050 PA-5020
VM-Series
VM-300, VM-200, VM-100
- 13. Panorama Deployment Recommendations
16 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Panorama VM
< 10 devices
< 10,000 logs/sec
Sites with need for virtual appliance
Panorama M-100
< 100 devices
< 10,000 logs/sec
Panorama Distributed Architecture
< 1,000 devices
> 10,000 logs/sec (50,000 per collector)
Deployments with need for collector proximity
- 14. Panorama Distributed Architecture
With the M-100, manager and log collector functions can be split
Deploy multiple log collectors to scale collection infrastructure
17 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 15. M-100 Hardware Appliance
Simple, high-performance, dedicated appliance for Panorama
Simplifies deployment and support
Introduces distributed log collection capability for large scale deployments
License migration path available for current Panorama customers
18 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Specifications
1 RU form factor Intel Xeon 4 core 3.4 GHz CPU
16 GB memory 64bit Panorama kernel
120 GB SSD system disk Up to 4 TB of RAID1 storage for logs (ships with two 1TB drives)
- 16. Panorama Architecture – Configuration
Device Groups are used to share
common Policies and Objects
Templates are used to share
common Networking and Device
configuration
19 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 18. The Lifecycle of Network Attacks - Rehearsal
21 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Bait the
end-user
1
End-user lured to a
dangerous
application or
website containing
malicious content
Exploit
2
Infected content
exploits the end-
user, often
without their
knowledge
Download
Backdoor
3
Secondary
payload is
downloaded in
the background.
Malware installed
Establish
Back-Channel
4
Malware
establishes an
outbound
connection to the
attacker for
ongoing control
Explore &
Steal
5
Remote attacker has
control inside the
network and
escalates the attack
- 19. An Integrated Approach to Threat Prevention
22 | ©2012, Palo Alto Networks. Confidential and Proprietary.
App-ID
URL
IPS
Spyware
AV
Files
WildFire
Bait the end-user Exploit Download Backdoor Command/Control
Block high-risk
apps
Block known
malware sites
Block the
exploit
Block malware
Prevent drive-
by-downloads
Detect 0-day
malware
Block new C2
traffic
Block spyware,
C2 traffic
Block fast-flux,
bad domains
Block C2 on
open ports
- 20. Why Traditional Antivirus Protection Fails
Modern/Targeted malware is increasingly able to:
Avoid hitting traditional AV honeypots
Evolve before protection can be delivered, using polymorphism, re-encoding,
and changing URLs
23 | ©2012, Palo Alto Networks. Confidential and Proprietary.
☣Targeted and custom malware
☣Polymorphic malware
☣Newly released malware
Highly variable time to protection
- 21. WildFire Architecture
10Gbps threat prevention and
file scanning on all traffic, all
ports (web, email, SMB, etc.)
Malware ran in the cloud with
open internet access to
discover hidden behaviors
Sandbox logic updated routinely
with no customer impact
Malware signatures
automatically created based on
payload data
Stream-based malware engine
performs true inline
enforcement
24 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 22. WildFire Subscription Service
WildFire signatures every 30 minutes
Integrated logging & reporting
REST API for scripted file uploads
25 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 23. Reaching Effects of WildFire
26 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Threat Intelligence
Sources
WildFire Users
AV Signatures DNS Signatures Anti-C&C SignaturesMalware URL Filtering
- 24. Introducing the
WildFire Appliance (WF-500)
Appliance-based version of WildFire for on-
premises deployments
All sandbox analysis performed locally on
the WildFire appliance
WF-500 has option to send locally identified
malware to WildFire public cloud
Signatures only are created in public cloud
WildFire signatures for all customers
distributed via normal update service
Detection capabilities in sync with public
cloud
27 | ©2012, Palo Alto Networks. Confidential and Proprietary.
WildFire Cloud
Eagle Appliance
All samples
Malware
Signatures
- 26. Challenge: Quality of Security Tied to Location
Enterprise-secured with
full protection
Headquarters Branch Offices
malware
botnets
exploits
29 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Airport Hotel Home Office
Exposed to threats, risky
apps, and data leakage
- 27. GlobalProtect: Consistent Security Everywhere
•Headquarters •Branch Office
malware
botnets
exploits
• VPN connection to a purpose built firewall that is performing the security work
• Automatic protected connectivity for users both inside and outside
• Unified policy control, visibility, compliance & reporting
30 | ©2012, Palo Alto Networks. Confidential and Proprietary.
- 29. 3
2
© 2011 Palo Alto Networks. Proprietary and Confidential.
The Concept
Easy deployment of
large scale VPN
infrastructure
• GlobalProtect Satellites
automatically acquire
authentication
credentials and initial
configuration from
GlobalProtect Portal
• GlobalProtect Satellite
establishes tunnels with
available Gateways
• Satellites and Gateways
automatically exchange
routing configuration
- 30. Magic Quadrant for Enterprise Network Firewalls
35 | ©2013, Palo Alto Networks. Confidential and Proprietary.
“Palo Alto Networks continues to
both drive competitors to react in the
firewall market and to move the
overall firewall market forward. It is
assessed as a Leader, mostly
because of its NGFW design,
direction of the market along the
NGFW path, consistent
displacement of competitors, rapidly
increasing revenue and market
share, and market disruption that
forces competitors in all quadrants to
react.”
Gartner, February 2013
- 32. Next-Generation Firewall Virtualized Platforms
38 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Specifications
Model Sessions Rules Security Zones Address Objects IPSec VPN
Tunnels SSL VPN Tunnels
VM-100 50,000 250 10 2,500 25 25
VM-200 100,000 2,000 20 4,000 500 200
VM-300 250,000 5,000 40 10,000 2,000 500
Supported on VMware ESX/ESXi 4.0 or later
Minimum of 2 CPU cores, 4GB RAM, 40GB HD, 2 interfaces
Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames
Performance
Cores Allocated Firewall (App-ID) Threat Prevention VPN Sessions per Second
2 Core 500 Mbps 200 Mbps 100 Mbps 8,000
4 Core 1 Gbps 600 Mbps 250 Mbps 8,000
8 Core 1 Gbps 1 Gbps 400 Mbps 8,000
- 33. Differentiating: App-ID vs. Two Step Scanning
Operational ramifications of two step scanning
Two separate policies with duplicate info – impossible to reconcile them
Two log databases decrease visibility
Unable to systematically manage unknown traffic
Weakens the deny-all-else premise
Every firewall competitor uses two step scanning
39 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Port Policy
Decision
App Ctrl Policy
Decision
IPS
Applications
Firewall
Allow port 80 traffic
Traffic
300 or more applications
300 or more applications
300 or more applications
- 34. Flexible Deployment Options
Visibility Transparent In-Line Firewall Replacement
• Application, user and content
visibility without inline
deployment
• IPS with app visibility & control
• Consolidation of IPS & URL
filtering
• Firewall replacement with app
visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
40 | ©2012, Palo Alto Networks. Confidential and Proprietary.