Virtualized Firewall: Is it the panacea to secure distributed enterprises?

Your applications are moving to the cloud, and your firewall is sure to follow. The concept of only protecting your network no longer makes sense. But, can a virtualized firewall adequately secure organizations as they become more and more distributed? What are your options to determine where your firewalls will reside? How can you evaluate which solution is best for your enterprise?

  1. Virtualized Firewall: Is it the panacea to secure distributed enterprises?
     Dr. Amit Sinha, CTO, EVP of Engineering and Cloud Operations, Zscaler, Inc.
     ©2017 Zscaler, Inc. All rights reserved. | ZSCALER CONFIDENTIAL INFORMATION
  2. Keynote Speaker
     • Dr. Amit Sinha is a skilled entrepreneur and technology leader who has driven the research and development of disruptive security and wireless technologies at both start-ups and market-leading organizations.
     • Prior to Zscaler, Dr. Sinha served as CTO for Motorola’s enterprise networking and communications business, which he joined via its acquisition of AirDefense where he held the same role. He has also served as Chief Technologist at Engim, which he co-founded.
     • Amit earned an MS and PhD in Electrical Engineering and Computer Science from the Massachusetts Institute of Technology, and a B.Tech. in Electrical Engineering from the Indian Institute of Technology, Delhi, where he graduated summa cum laude and was awarded the President of India Gold Medal. He holds 27 US patents and has contributed to several books and dozens of conference and journal papers.
  3. Engage in the Discussion
     • Type your questions into the chat box in the Webex panel or email us at webcast@zscaler.com
     • We’ll try to get to all questions during the Q&A session. If we do not get to your question, we’ll make sure to follow up afterwards
     • At the end of the webcast – please let us know how we did!
  4. Cloud and mobility require a fundamental change in network and security architecture
  5. Internet Gateway: Security perimeter to protect the corporate network
     • Internet gateways – secure access to the Internet: FW / IPS, URL filter, antivirus, DLP, SSL, sandbox
     • VPN gateways – remote access to DC apps: global LB, DDoS, ext. FW/IPS, RAS (VPN), internal FW, internal LB
     • Corporate network behind an Internet & VPN gateway
     • Timeline: circa 1987 – 1994 – 1999 – 2000 – 2004
  6. Cloud and mobility break network security
     • The Internet is your new corporate network. How do you secure a network (Internet) you don’t control?
     • Diagram: HQ, EMEA branch, APJ branch and further branches; users at home, coffee shop, airport, hotel; SaaS, open Internet and IaaS destinations
     • “GE will run 70 percent of its workload in the cloud by 2020” – Jim Fowler, CIO
     • “The Internet will be our new corporate network by 2020” – Frederik Janssen, Head of Infrastructure
     • “Office 365 was built to be accessed via direct Internet connection”
  7. Zscaler enables secure IT transformation to the cloud
     • Internet and VPN gateway functions: ext. FW / IPS, URL filtering, antivirus, DLP, SSL, sandbox, global LB, DDoS, RAS (VPN), internal FW, internal LB
     • Internal apps (cloud or data center): connect a user to an authorized private app, not the network – Zscaler Private Access
     • External apps (open Internet or SaaS): nothing bad comes in, nothing good leaks out – Zscaler Internet Access
     • Fast and secure policy-based access to apps and services over the Internet; any device, any location, on-net or off-net
     • Users: HQ, mobile, branch, IoT
  8. How do you architect a global security cloud?
  9. A Cloud Gateway MUST be Comprehensive
     • Internet access and private app access: advanced threat prevention, data loss prevention, secure web gateway, cloud firewall, micro segmentation of apps, bandwidth control, QoS, global load balancing, DDoS protection, CASB for internal apps, secure app access – without VPN and NGFW, APIs
     • Deep malware analysis: dynamic risk scoring of all page objects
     • Data privacy: data must reside in the geography of choice regardless of where the access takes place
     • Any user, anywhere, any device: policies follow the user for consistency
     • Multitenant security platform – inline, extensible with APIs
     • Native SSL inspection: full inline, high-performance content inspection
  10. Standard Enterprise Internet Gateway is VERY COMPLEX
     • Stack at HQ: aggregation, firewall, load balancers & VPNs, web filter, sandbox, flow management, edge, next-gen firewall, DLP, SSL, content inspection
     • A simple web request takes 28 hops
     • Despite this massive investment, breaches are on the rise
  11. Building a Cloud in 2007 with Appliances
     • Per-appliance throughput: DNS at 100Tbps, NGFW at 100Gbps, IPS at 10Gbps, LB at 100Gbps, full AV at 10Mbps, SSL proxy at 100Mbps, DLP at 10Mbps, sandbox at 1 file every 5 minutes
     • Each new threat adds another appliance with its own control, enforcement and logging, and every hop adds latency (+1 … +12)
     • Challenges: single-tenant systems (kernel); separate control, enforcement and logging; no single policy object to share context; expensive to deploy and scale; poor user experience
     • How do you scale this stack to 40Gbps?
  12. In 2017: Virtualization?
     • The same appliance chain, now running as VMs, with the same per-appliance throughput limits (DNS at 100Tbps, NGFW at 100Gbps, IPS at 10Gbps, LB at 100Gbps, full AV at 10Mbps, SSL proxy at 100Mbps, DLP at 10Mbps, sandbox at 1 file every 5 minutes) and the same per-hop latency (+1 … +12)
     • Solves: horizontal scaling; hardware headaches
     • Remaining challenges: single-tenant systems (kernel); separate control, enforcement and logging; no single policy object to share context; poor user experience
  13. Every Appliance Vendor’s Dream
     • Traditional approach to local Internet breakouts with appliances (diagram: New York)
     • Expensive to deploy, complex to manage, security compromises
     • Additional requirements: management platform, logging & reporting, identity management server
  14. Zscaler Cloud vs Service Chaining
     • Legacy model (control, enforce and log repeated per appliance): multiple appliances, multiple hops; disparate control, logging and enforcement policies; constrained by throughput of slowest appliance
     • Zscaler’s cloud: integrated control, logging and enforcement planes; single pass architecture; infinitely scalable
  15. Zscaler Software Defined Architecture
     • Central Authority (CA), the control plane: data store for infrequent changes but millions of reads
     • Nanolog, the log plane: data store that can do millions of writes but relatively infrequent reads
     • Zscaler Enforcement Nodes (ZENs), the data plane: inline inspection of data packets and policy enforcement at massive scale
     • 700 man years of code and over 100 patents
     • Would you build a power plant with home generators? (home power generators vs power plant)
     • Diagram: User A’s policy follows the user across USA, EU, NY, London, Sydney and private nodes (enforce, log, control)
  16. Zscaler – the largest security cloud. Reliable. Available. Fast.
     • Secure: ongoing third-party testing, certified
     • Reliable: redundancy within and failover across DCs
     • Transparent: trust portal for service availability monitoring
     • 35B+ requests/day; 125M+ threats blocked/day; 120K+ unique security updates/day
     • 100 data centers across 5 continents; peering in Internet exchanges; 150+ vendors peered
  17. ZSCALER INTERNET ACCESS: Secure network transformation from hub-and-spoke to cloud-enabled enterprise
  18. Zscaler Internet Access – Fast, secure access to the Internet and SaaS
     • Direct to Internet: block the bad, protect the good; the best approach for SD-WAN and Office 365
     • Your security stack as a service – Data protection: data loss prevention, cloud apps (CASB), file type controls; Access control: cloud firewall, URL filtering, bandwidth control, DNS filtering; Threat prevention: adv. protection, cloud sandbox, anti-virus, DNS security
     • Real-time policy engine: policies follow the user; changes are immediately enforced, worldwide
     • Business analytics: global visibility into apps and threats blocked; identify botnet infected machines for remediation
     • Diagram: HQ, mobile, branch and IoT users; data center apps reached over MPLS
  19. Cutting edge security capabilities in the cloud
     • Control bandwidth; secure all ports & protocols; multiple proprietary inspection methods; advanced threat protection (behavioral analysis sandbox); cloud effect
     • SSMA™: all security engines fire with each content scan – only microsecond delay
     • ByteScan™: each outbound/inbound byte scanned, native SSL scanning
     • PageRisk™: risk of each object computed inline, dynamically
     • NanoLog™: 50:1 compression, real-time global log consolidation
     • PolicyNow™: policies follow the user for the same on-premise, off-premise protection™
     • Capabilities: dynamic content classification, proprietary risk index, anti-malware, XSS protection, CVE protection, bandwidth control, QoS, URL filtering, proxy (SSL), block lists, file type control, DNS filtering, cloud FW (NGFW), browser control
     • Full inline inspection & correlation of threat indicators; 60+ threat feeds; find once, block everywhere
     • 35 billion requests per day; 125 million threats blocked per day; 120,000 unique updates per day
  20. When the Board asks, “Have we been compromised?”
     • Actionable intelligence to remediate botnet infected machines (diagram: botnet C&C, user, botnet infected machines)
     • Threats blocked: malicious content 13.5 M; botnet 1092.0 K; spyware or adware 270.3 K; phishing 47.7 K; browser exploit 45.6 K; cross-site scripting 33.8 K; unauthorized communication 5.2 K; peer-to-peer 383
     • Botnet traffic by location: Beijing 313.5 K; São Paulo 273.9 K; San Francisco 203.2 K; Tokyo 115.8 K; France 76.2 K
     • “Zscaler applied immediate value during the proof-of-concept when we identified botnet infected machines. We’ve easily seen a 60% drop in malware related tickets after rolling out Zscaler.” – Seth McCallister, Head of Global Information Security, Beam Suntory
  21. Securely enable the usage of cloud apps
     • Zscaler provides inline CASB functionality and partners for out-of-band controls (Zscaler technology partners)
     • Capabilities compared across inline CASB and out-of-band CASB (API): visibility, app risk scoring, data loss prevention, access control, threat prevention; API integration is in development
     • Diagram: HQ, mobile, branch and IoT users; external SaaS and open Internet; internal data center and IaaS apps
  22. When the auditor asks, “Which cloud apps are we using?”
     • It starts with processing all Internet traffic (including SSL), not a few sites
     • Media and file sharing: is YouTube hogging Internet bandwidth? Can you prioritize Office 365 over streaming?
     • Business apps and webmail: do you allow access to Russian webmail?
     • Development: is your intellectual property stored on GitHub?
     • How big are logs for 10K users? 30M trans/day, 60GB logs/day, often sitting at many locations/GWs
     • Power of Zscaler NanoLog: all logs for all users, all locations at your console within a minute – interactive analysis and drill-down
     • Good reporting and actionable info starts with good logs
  23. Enabling leading brands to securely transform their IT to the cloud
     • Bringing secure Internet access to 315K employees. Business drivers: enable a user-centric experience; build a scalable architecture; enable a fast and secure direct-to-cloud experience. The Zscaler difference: immediate 30% savings on MPLS costs; fast Internet experience – home experience; foundation for the Internet-only branch
     • Secure 270 retail locations. Business drivers: reduce number of botnet infected machines; support an aggressive acquisition strategy; meet external security requirements. The Zscaler difference: eliminated the need to buy 540 branch NGFWs/UTMs; full security stack – SSL inspection; deployed in 2 months – quick to turn on new sites
     • WAN transformation: fast Office 365 experience. Business drivers: fast Office 365 experience – eliminate WAN congestion; support increase in firewall sessions without refreshing firewalls (cost); avoid deploying branch NGFWs – too expensive (650 locations). The Zscaler difference: local Internet breakouts for fast connections; cloud firewall scales elastically, per user, not bandwidth; one-click Office 365 URL and IP updates. Office 365 is finally the highest use – not YouTube: 40% of bandwidth reserved for O365 during periods of contention, YouTube capped at 20%
  24. ZSCALER PRIVATE ACCESS: Secure application transformation from data center to public or private cloud
  25. VPN Gateway: Complex, expensive, and poor user experience
     • Stack: global LB, DDoS, ext. FW / IPS, internal LB, internal FW, RAS (VPN); site-to-site VPN over the Internet
     • Apps moved to a modern platform. Access is still using 30-year old technology.
     • How do you access internal apps on Azure or AWS?
  26. Zscaler Private Access – Fast, secure access to apps in Azure and AWS
     • Innovative design: a cloud policy engine defines user app access rights (auth before access)
     • 1. Z-App requests access to an app
     • 2. Z-Connectors sit in front of apps and start an inside-out connection
     • 3. The Zscaler cloud (policy brokers) brokers a secure connection between the Z-Connector and Z-App
     • Internal application access without bringing users on the network: secure app access without VPN and NGFWs
     • Data protection: app discovery (CASB for internal apps); app and user monitoring (DLP with Zscaler Internet Access)
     • Access control: user to app policies; multifactor auth. – private certificates
     • Threat prevention: users never on the network; DDoS prevention – apps not exposed to the Internet; app micro segmentation – not network segmentation
  27. Gain visibility into internal applications, and then tailor policies
     • Over 4K apps discovered
     • Policies enforced for 1 user over 8K times – high helpdesk transaction volume
     • HVAC consultants can only access the HVAC app
     • Only execs and Finance can access financial apps
  28. Enabling leading brands to securely transform their IT to the cloud
     • Access to apps on AWS – no site-to-site VPNs. Business drivers: 100% cloud – AWS, SaaS; didn’t want to get into the datacenter, networking or security business; better user experience to access apps on AWS. The Zscaler difference: business policies connected users to apps – not networks; eliminated the need to network VPCs together; users no longer need to know which VPC to connect to, only the domain
     • Mergers and acquisitions. Business drivers: aggressive acquisition strategy (33), 2017 St. Jude Medical – 18K employees; typical network integration would take 9-12 months; needed quicker integration velocity. The Zscaler difference: no network integration needed – policy defined access, not networks; shortened integration timeframe to 2-3 months
     • VPN replacement. Business drivers: partner insurance agents targeted with phishing attack; to limit network exposure, VPN had to be disabled; insurance agents’ ability to sell Mass Mutual severely hindered. The Zscaler difference: app access provided without bringing users on the network; no threat of lateral movement; from start to finish, Mass Mutual fully deployed in 1 week with ZPA!
     • Secure partner access. Business drivers: extensive partner ecosystem for engine manufacturing; need a quick and secure way to give partners access to apps. The Zscaler difference: quickly grant access to apps – didn’t require network access; eliminated the threat of lateral movement
  29. About Zscaler
  30. Zscaler: The market leader in cloud security
     • Most discerning enterprise customers: 2,700 customers; over 80 of the Fortune 500; 54% international; global partners
     • Unparalleled cloud scale: 100 data centers; 35B daily requests; 185 countries served
     • Largest cloud security platform in the world; mature global cloud operations
  31. Unparalleled Cloud Scale – All users, all traffic
     • Protection across countries: 190, 130, 125, 113, 70
     • Locations protected: 30,000, 12,000, 6,000, 900, 500
     • Employees protected: 400K, 125K, 120K, 80K, 1.6M, 1.3M
     • Office 365 monthly traffic: 83 TB, 44 TB, 37 TB, 35 TB
  32. Leading industry analysts agree…
     • Leader – 7 years in a row
     • Zscaler is a very strong choice for any organization interested in a cloud gateway.
     • …On-premises web content security can’t protect digital business…
  33. Critical integration partner positioned in the data path
     • 1. Access to the Internet and apps
     • 2. Branch (SD-WAN)
     • 3. Device management & protection
     • 4. Identity & access
     • 5. Reporting & analytics
     • Diagram: HQ, mobile, branch and IoT users; apps
  34. Thank You! Questions and Next Steps
     • Dr. Amit Sinha, Chief Technology Officer, Executive Vice President of Engineering and Cloud Operations, Zscaler, Inc.
     • Learn more about Zscaler: The Definitive Guide to Networking for Office 365 – https://www.zscaler.com/O365
     • Request a demonstration: https://www.zscaler.com/firewall
     • Upcoming webcasts: Pitfalls to avoid when deploying Office 365, Tuesday, Nov 7th, 2017. Register @ www.zscaler.com/company/webcasts
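The three-step flow on slide 26 (Z-App request, inside-out connector, brokered connection) and the per-user enforcement count on slide 27, as an added Python model that is not Zscaler's code; the Broker and Connector classes, the policy table and the sample users and apps are assumptions made for this example.

```python
"""In-memory model of the three-step Zscaler Private Access flow on slide 26.
Added illustration, not Zscaler's code: the broker, connector and policy names
below are assumptions chosen for this example."""


class Broker:
    """Cloud policy engine and connection broker (step 3 on the slide)."""

    def __init__(self, policy):
        self.policy = policy      # user -> set of app names that user may reach
        self.connectors = {}      # app name -> Connector that dialled out to us
        self.audit = []           # (user, app, outcome) per request

    def register(self, connector):
        # Step 2: the connector starts the session from inside the data centre.
        # The broker keeps no inbound route to the app, so nothing is exposed.
        self.connectors[connector.app] = connector

    def request(self, user, app, path):
        # Step 1: auth before access. Policy is evaluated before the broker
        # even looks up a connector, so a denied user never touches the app.
        if app not in self.policy.get(user, set()):
            self.audit.append((user, app, "denied"))
            raise PermissionError(f"{user} may not access {app}")
        connector = self.connectors.get(app)
        if connector is None:
            # Fail closed: an app with no live connector is simply unreachable.
            self.audit.append((user, app, "no-connector"))
            raise ConnectionError(f"no connector registered for {app}")
        # Step 3: broker a per-request path; the user reaches the app, not the network.
        self.audit.append((user, app, "brokered"))
        return connector.forward(path)

    def enforcements_for(self, user):
        """How many times policy was enforced for one user (cf. slide 27)."""
        return sum(1 for u, _, _ in self.audit if u == user)


class Connector:
    """Z-Connector analogue: sits in front of one app and only dials outbound."""

    def __init__(self, app, backend, broker):
        self.app, self.backend = app, backend
        broker.register(self)     # inside-out: the connector dials the broker

    def forward(self, path):
        return self.backend(path)


def demo():
    """Constructed sample: an HVAC consultant and a CFO (see slide 27)."""
    policy = {"hvac-consultant": {"hvac"}, "cfo": {"hvac", "finance", "payroll"}}
    broker = Broker(policy)
    Connector("hvac", lambda p: f"hvac served {p}", broker)
    Connector("finance", lambda p: f"finance served {p}", broker)
    # No connector for "payroll": even an authorised user cannot reach it.
    outcomes = {"cfo:finance": broker.request("cfo", "finance", "/ledger")}
    for user, app in (("hvac-consultant", "finance"), ("cfo", "payroll")):
        try:
            broker.request(user, app, "/")
        except (PermissionError, ConnectionError) as exc:
            outcomes[f"{user}:{app}"] = type(exc).__name__
    return outcomes, broker.audit


if __name__ == "__main__":
    print(demo())
```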
