Networking, policy, management, reporting

Report
Palo Alto Networks
Technology Update
context |ˈkänˌtekst| noun
the circumstances that form the
setting for an event, statement,
or idea, and in terms of which it
can be fully understood and
assessed
3 | ©2014 Palo Alto Networks. Confidential and Proprietary.
action
intelligence
context
4 | ©2014 Palo Alto Networks. Confidential and Proprietary.
slideshare-uploading
application function
slideshare
roadmap.pdf
application
file name
HTTP
file-sharing
protocol
URL category
SSL
canada
protocol
destination country
172.16.1.10
tcp/443
64.81.2.23
source IP
destination port
destination IP
pdf
file type
prodmgmt
group
bjacobs
user
5 | ©2014, Palo Alto Networks. Confidential and Proprietary.
344
KB
exe
file type
finance
group
fthomas
user
web-browsing
shipment.exe
application
file name
HTTP
unknown
protocol
URL category
SSL
china
protocol
destination country
344
KB
172.16.1.10
tcp/443
64.81.2.23
source IP
destination port
destination IP
6 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Hides within
SSL
New domain,
no reputation
Payload
evades AV
Exploit Kit
Contact New
Domain
ZeroAccess
Delivered
C2
Established
Data Stolen
Custom C2
& Hacking
Spread
Laterally
Secondary
Payload
Exfiltration via
RDP & FTP
No signature for
custom malware
Hides in plain
sight
Payload evades
C2 signatures
7 | ©2014 Palo Alto Networks. Confidential and Proprietary.
C2 hides using nonstandard ports
Context: A Unique Approach to Protecting your Network
 Scans ALL applications (including SSL traffic) to secure all avenues
in/out of a network, reduce the attack surface area, and provide
context for forensics
 Prevents attacks across ALL attack vectors (exploit, malware, DNS,
command & control, and URL) with content-based signatures
 Detects zero day malware & exploits using public/private cloud and
automatically creates signatures for global customer base
8 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Traditional Bolt-on Approach
L7
App Control
---------
L6
Application
Signatures
---------
L5
Firewall-
L4
L3
L2
Source/Dest,
User
--------Port/Protocol
--------Networking,
policy,
management,
reporting
9 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Port/Protocol
--------Networking,
policy,
management,
reporting
IPS
Antivirus/
---------
---------
IPS Signatures,
IPS Decoder
---------
AV Signatures
Decoder &
Proxy
---------
Port/Protocol
--------Networking,
policy,
management,
reporting
Port/Protocol
--------Networking,
policy,
management,
reporting
PA-7050
oracle
datacenter app
100 gbps
network
connection
credit card
data
security zone
10 | ©2014 Palo Alto Networks. Confidential and Proprietary.
finance
group
Security Performance Drivers
Increasing sophistication of application level attacks, insatiable appetite
for more bandwidth drive the need for scalable high performance security
Internet
Gateway
• Secure all users on all devices
• Requires 10+ Gbps
Data
Center
• Secure all apps, control access for all users &
devices
• Requires 20+ Gbps
Network
Segmentation
• Contain and protect internal resources
• Requires 20-40+ Gbps
11 | ©2014 Palo Alto Networks. Confidential and Proprietary.
PA-7050: The Fastest Next-generation Firewall
 Safely enable all applications;
full next-generation firewall
capabilities
 Ground-breaking application
layer performance
 Simple yet flexible chassis
architecture
12 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Our Unique Approach Applied Across the Network
All Applications, All Attack Vectors, All Threats
Datacenter
• Validate business applications & users
• Find rogue/misconfigured apps
• High speed threat prevention
Gateway
• Visibility into all traffic
• Enable apps to reduce exposure
• Block known/unknown threats
Segmentation
• Isolate critical data, business functions
• Enable applications based on users
• Block known/unknown threats
13 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Scalable, Purpose-built Architecture
14 | ©2014 Palo Alto Networks. Confidential and Proprietary.
PA-7050: Performance and Capacities Summary
PA-7050 System
PA-7000 NPC
Firewall Gbps (App-ID)
120
20
Threat Gbps (DSRI)
100
16+
Threat Gbps (Full)
60
10
Firewall PPS (Millions)
72
12
IPSec VPN Gbps
24
4
720,000
120,000
24
4
25/225
--
New sessions per second
Max sessions (Millions)
Virtual systems (base/max2)
• PA-7050 requires PAN-OS 6.0
• All PAN-OS features are supported except Netflow
• DSRI and full threat metrics will be published
15 | ©2013, Palo Alto Networks. Confidential and Proprietary.
NGFW Throughput vs. Advertised Max
100%
83%
75%
50%
25%
13%
15%
18%
Fortinet
Juniper
Check Point
0%
NGFW Rate
Palo Alto
Networks
Advertised Max
Source: Performance metrics are from public facing datasheets for fully loaded Palo Alto Networks PA-7050, Check Point 61000, Juniper SRX 5800 and Fortinet 5140B
16 | ©2014 Palo Alto Networks. Confidential and Proprietary.
NGFW Security Performance Relative to Max
Source: Performance metrics are from public facing datasheets for fully loaded Palo Alto Networks PA-7050, Check Point 61000, Juniper SRX 5800 and Fortinet 5140B
17 | ©2013, Palo Alto Networks. Confidential and Proprietary.
Simple & Flexible Chassis Architecture
Scalable
• Linear performance and interface density with each added card
• High speed backplane supports future network processing cards
Flexible
• Flexible and dynamic load distribution across multiple network
processing modules allows seamless scalability
Simple
• Single system view for administration – all PAN-OS features supported
• System-wide subscriptions and support provide predictable cost model
18 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Virtualization
windows
sharepoint
operating system
container
UUID
VM
instance
19 | ©2014 Palo Alto Networks. Confidential and Proprietary.
production
data center
Transforming network security for the data center
Challenges
Solution
FW doesn’t see the traffic
Automated, transparent services insertion at workload
Incomplete security capabilities
Virtualized next-generation security supporting PAN-OSTM
Static policies
Dynamic security policies with VM context
VM-Series and VMware NSX Integration
21 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Dynamic address groups and VM monitoring
VMware vCenter or ESXi
PAN-OS Dynamic Address Groups
Name
IP
Guest OS
Container
web-sjc-01
10.1.1.2
Ubuntu 12.04
Web
sp-sjc-04
10.1.5.4
Win 2008 R2
SharePoint
web-sjc-02
10.1.1.3
Ubuntu 12.04
Web
exch-mia-03
10.4.2.2
Win 2008 R2
Exchange
exch-dfw-03
10.4.2.3
Win 2008 R2
Exchange
sp-mia-07
10.1.5.8
Win 2008 R2
SharePoint
db-mia-01
10.5.1.5
Ubuntu 12.04
MySQL
db-dfw-02
10.5.1.2
Ubuntu 12.04
MySQL
db-mia-05
10.5.1.9
Ubuntu 12.04
MySQL
Name
Tags
Addresses
SharePoint
Servers
SharePoint
Win 2008 R2
“sp”
10.1.5.4
10.1.5.8
MySQL Servers
MySQL
Ubuntu 12.04
“db”
10.5.1.5
10.5.1.2
10.5.1.9
Miami DC
“mia”
10.4.2.2
10.1.5.8
10.5.1.5
San Jose Linux
Web Servers
“sjc”
“web”
Ubuntu 12.04
10.1.1.2
10.1.1.3
PAN-OS Security Policy
22 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Source
Destination
Action
San Jose Linux
Web Servers
SharePoint
Servers
✔
MySQL
Servers
Miami DC

Introducing VM-Series on Citrix NetScaler SDX
Citrix NetScaler SDX
• VM-Series (running PAN-OSTM) now supported on SDX 11500 and 17550 Series:
• Safely enable applications by apps, users, content
• Protect against known and unknown threats
• Address risk and compliance mandates
• Key use cases (details on next 2 slides):
• Integrated solution for XA/XD deployments
• Multi-tenant (business units, application owners, service provider) cloud deployments
23 | ©2013, Palo Alto Networks. Confidential and Proprietary.
Consolidated Security and Availability for XenApp/XenDesktop
On-premise applications
Internet applications
Any User
Any Device
Anywhere
Citrix Receiver
XenApp/XenDesktop
(VDI Environment)
Citrix NetScaler SDX
with VM-Series
Validated, consolidated security and ADC for XenApp/XenDesktop
•
Secure remote access and high availability
•
Safe application enablement for XenApp/XenDesktop users
•
•
Unique User-ID & Terminal-Services agent integration
Segmentation of XenApp/XenDesktop infrastructure
24 | ©2013, Palo Alto Networks. Confidential and Proprietary.
Multi-tenant Security and ADC Services
Firewall
Citrix NetScaler
with VM-Series
ADC
Tenant 1
Tenant 2
Tenant 3
Multi-tenant security and availability for enterprises and cloud data centers
• Dedicated instances of network services for different tenants
• Addresses independent security and load balancing needs
• Per application load balancing with dedicated firewalling
25 | ©2013, Palo Alto Networks. Confidential and Proprietary.
RAT
download
system file tampering
WildFire
global input
C2 traffic
registry changes
DNS
lookups
26 | ©2014 Palo Alto Networks. Confidential and Proprietary.
visited
URLs
Basic WildFire
WildFire Subscription
PAN-OS 5.0 PAN-OS 6.0 PAN-OS 5.0 PAN-OS 6.0
WF-500
✓
✓
Public Cloud
✓
✓
✓
WF-500 support
✓
✓
N/A
API access
✓
✓
Public Cloud
✓
✓
✓
PDF
✓
✓
Office Documents
✓
✓
Java
✓
✓
30 minute signatures
✓
Integrated logging
Windows PE (DLL & EXE)
✓
✓
Windows XP
✓
✓
✓
✓
✓
Windows 7
✓
✓
✓
✓
✓
Android APK
27 | ©2014 Palo Alto Networks. Confidential and Proprietary.
✓
jailbroken
corporate device
GlobalProtect
OS version
patched
malware installed
encrypted storage
passcode
28 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Home Office
Headquarters
Branch Office
Airport
Hotel
Enterprise-secured
with full protection
29 | ©2014 Palo Alto Networks. Confidential and Proprietary.
Exposed to threats, risky apps,
and data leakage
GlobalProtect Mobile Security Solution
Summary

New, high performance hardware platforms

Continued innovation in the battle against advanced cyber threats

More security automation in virtualized environments

Expanding further into mobile security
31 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Q&A

similar documents