Palo Alto Networks Customer Presentation
November 2009
Ozan Ozkara

About Palo Alto Networks
• Founded in 2005 by a world-class team with strong security and networking experience
• Innovations: App-ID, User-ID, Content-ID
• Builds next-generation firewalls that identify and control more than 850 applications; makes the firewall strategic again
• Global footprint: presence in 50+ countries, 24/7 support
Page 2 | © 2009 Palo Alto Networks. Proprietary and Confidential.

Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
  - Sees all traffic
  - Defines the trust boundary
• BUT… applications have changed
  - Ports ≠ Applications
  - IP Addresses ≠ Users
  - Packets ≠ Content
Need to restore visibility and control in the firewall

Application Control Efforts Are Failing
• Palo Alto Networks' Application Usage & Risk Report highlights the actual behavior of 900,000 users across more than 60 organizations
  - Bottom line: despite all having firewalls, and most having IPS, proxies, and URL filtering, none of these organizations could control what applications ran on their networks
• Applications evade, transfer files, tunnel other applications, carry threats, consume bandwidth, and can be misused
• Applications carry risks: business continuity, data loss, compliance, productivity, and operations costs

The Right Answer: Make the Firewall Do Its Job
New requirements for the firewall:
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
Identification Technologies Transform the Firewall
• App-ID – Identify the application
• User-ID – Identify the user
• Content-ID – Scan the content

Purpose-Built Architecture: PA-4000 Series
(Block diagram: dedicated control plane with dual-core CPU, RAM and HDD; data plane with content scanning engine, 16-core security processor, SSL/IPSec/decompression accelerators, and a 10 Gbps network processor with QoS, route/ARP/MAC lookup and NAT)
• Dedicated Control Plane
  - Highly available management
  - High-speed logging and route updates
• Content Scanning HW Engine
  - Palo Alto Networks' uniform signatures
  - Multiple memory banks – memory bandwidth scales performance
• Multi-Core Security Processor
  - High-density processing for flexible security functionality
  - Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
• 10 Gig Network Processor
  - Front-end network processing offloads the security processors
  - Hardware-accelerated QoS, route lookup, MAC lookup and NAT
Enables visibility into applications, users, and content
PAN-OS Core Firewall Features
Visibility and control of applications, users and content complement the core firewall features
• Strong networking foundation
  - Dynamic routing (OSPF, RIPv2)
  - Tap mode – connect to a SPAN port
  - Virtual wire ("Layer 1") for true transparent in-line deployment
  - L2/L3 switching foundation
• VPN
  - Site-to-site IPSec VPN
  - SSL VPN
• QoS traffic shaping
  - Max/guaranteed and priority
  - By user, app, interface, zone, IP and scheduled
• Zone-based architecture
  - All interfaces assigned to security zones for policy enforcement
• High Availability
  - Active / passive
  - Configuration and session synchronization
  - Path, link, and HA monitoring
• Virtual Systems
  - Establish multiple virtual firewalls in a single device (PA-4000 & PA-2000 Series only)
• Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog, XML API
(Product line shown: PA-4060, PA-4050, PA-4020, PA-2050, PA-2020, PA-500)

Flexible Deployment Options
• Visibility
  - Application, user and content visibility without inline deployment
• Transparent In-Line
  - IPS with app visibility & control
  - Consolidation of IPS & URL filtering
• Firewall Replacement
  - Firewall replacement with app visibility & control
  - Firewall + IPS
  - Firewall + IPS + URL filtering

Enterprise Device and Policy Management
• Intuitive and flexible management
  - CLI, Web, Panorama, SNMP, Syslog
  - Role-based administration enables delegation of tasks to the appropriate person
  - All interfaces work on the current configuration, avoiding sync issues
• Panorama central management application
  - Shared policies enable consistent application control policies
  - Consolidated management, logging, and monitoring of Palo Alto Networks devices
  - Consistent web interface between Panorama and the device UI
  - Network-wide ACC/monitoring views, log collection, and reporting
Addresses Three Key Business Problems
• Identify and Control Applications
  - Visibility of over 850 applications, regardless of port, protocol, encryption, or evasive tactic
  - Fine-grained control over applications (allow, deny, limit, scan, shape)
  - Fixes the firewall
• Prevent Threats
  - Stop a variety of threats – exploits (by vulnerability), viruses, spyware
  - Stop leaks of confidential data (e.g., credit card numbers, social security numbers)
  - Stream-based engine ensures high performance
• Simplify Security Infrastructure
  - Fix the firewall, rationalize the security infrastructure
  - Reduce complexity in architecture and operations

Thank You

Additional Information
Speeds and Feeds, Deployment, Customers, TCO, Support, and Management

Palo Alto Networks Next-Gen Firewalls
Model     Firewall    Threat prevention   Sessions    Interfaces
PA-4060   10 Gbps     5 Gbps              2,000,000   4 XFP (10 Gig) I/O, 4 SFP (1 Gig) I/O
PA-4050   10 Gbps     5 Gbps              2,000,000   16 copper gigabit, 8 SFP
PA-4020   2 Gbps      2 Gbps              500,000     16 copper gigabit, 8 SFP
PA-2050   1 Gbps      500 Mbps            250,000     16 copper gigabit, 4 SFP
PA-2020   500 Mbps    200 Mbps            125,000     12 copper gigabit, 2 SFP
PA-500    250 Mbps    100 Mbps            50,000      8 copper gigabit

Leading Organizations Trust Palo Alto Networks
Health Care · Financial Services · Government · Media / Entertainment / Retail · Service Providers / Services · Mfg / High Tech / Energy · Education

Fix The Firewall – and Save Money!
Capital cost – replace multiple devices
• Legacy firewall, IPS, URL filtering device (e.g., proxy, secure web gateway)
  - Cut by as much as 80%
"Hard" operational expenses
• Support contracts
• Subscriptions
• Power and HVAC
  - Cut by as much as 65%
Save on "soft" costs too
• Rack space, deployment/integration, headcount, training, help desk calls

Legendary Customer Support Experience
• Strong TSE team with deep network security and infrastructure knowledge
  - Experience with every major firewall
  - TSEs average over 15 years of experience
• TSEs co-located with engineering – in Sunnyvale, CA
• Premium and Standard offerings
• Rave reviews from customers

"Customer support has always been amazing. Whenever I call, I always get someone knowledgeable right away, and never have to wait. They give me the answer I need quickly and completely. Every support rep I have spoken with knows his stuff."
- Mark Kimball, Hewlett-Packard

"Customer support has been extraordinarily helpful – which is not the norm when dealing with technology companies. Their level of knowledge, their willingness to participate – it's night and day compared to other companies. It's an incredible strength of Palo Alto Networks."
- James Jones, UPMC

Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific parallel processing hardware engines
• Separate data/control planes
Up to 10 Gbps, low latency
Comprehensive View of Applications, Users & Content
• Application Command Center (ACC)
  - View applications, URLs, threats, data filtering activity
• Mine ACC data, adding/removing filters as needed to achieve the desired result
  - Filter on Skype
  - Filter on Skype and user oharris
  - Remove Skype to expand the view of oharris
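The following is an added illustration, not code from the presentation or from Palo Alto Networks. It models in miniature the ideas the deck returns to repeatedly: that a port-based lookup misidentifies traffic ("Ports ≠ Applications"), that a source IP must be mapped to a user ("IP Addresses ≠ Users"), that content must be inspected ("Packets ≠ Content"), that classification, user mapping and content scanning happen once per flow before a single policy is applied (the SP3 "single pass"), and that the resulting records can be drilled into ACC-style by adding and removing app and user filters. The sample flows, the payload signatures, the IP-to-user map, the card-number pattern and the rulebase are all constructed for the example; the user name oharris is borrowed from the ACC slide but the mapping itself is hypothetical.

```python
import re
from dataclasses import dataclass


# Constructed sample flows: (source IP, destination port, first client bytes).
# Neither the flows nor the tables below come from the presentation.
@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes


SAMPLE_FLOWS = [
    Flow("10.0.0.5", 443, b"SSH-2.0-OpenSSH_7.9\r\n"),        # SSH hidden on 443
    Flow("10.0.0.9", 8080, b"GET /index.html HTTP/1.1\r\n"),  # HTTP on a non-standard port
    Flow("10.0.0.5", 80, b"POST /checkout HTTP/1.1\r\n\r\ncard=4111 1111 1111 1111"),
    Flow("10.0.0.7", 6881, b"\x13BitTorrent protocol"),       # peer-to-peer handshake
]

# Port-based lookup: all a legacy port firewall "knows" about a flow.
PORT_TABLE = {80: "web-browsing", 443: "ssl", 22: "ssh"}

# Simplified payload signatures standing in for App-ID (constructed, illustrative).
SIGNATURES = [
    (b"SSH-2.0", "ssh"),
    (b"GET ", "web-browsing"),
    (b"POST ", "web-browsing"),
    (b"\x16\x03", "ssl"),                       # TLS handshake record header
    (b"\x13BitTorrent protocol", "bittorrent"),
]

# Hypothetical IP-to-user mapping standing in for User-ID's directory lookup.
USER_MAP = {"10.0.0.5": "oharris", "10.0.0.9": "mkimball"}

# Content-ID stand-in: 16 digits with optional space/dash separators (card-number-like).
CARD_RE = re.compile(rb"\b(?:\d[ -]?){15}\d\b")

# Hypothetical rulebase, evaluated top-down; "any" matches every app or user.
POLICY = [
    ("ssh", "any", "deny"),
    ("bittorrent", "any", "deny"),
    ("web-browsing", "any", "allow"),
    ("ssl", "any", "allow"),
]


def identify_by_port(flow):
    return PORT_TABLE.get(flow.dst_port, "unknown")


def identify_by_payload(flow):
    for prefix, app in SIGNATURES:
        if flow.payload.startswith(prefix):
            return app
    return "unknown"


def identify_user(flow):
    return USER_MAP.get(flow.src_ip, "unknown-user")


def single_pass(flow):
    """Classify app, map user and scan content once, then apply one policy."""
    app = identify_by_payload(flow)
    user = identify_user(flow)
    leak = bool(CARD_RE.search(flow.payload))
    action = "deny"                                  # implicit default rule
    for rule_app, rule_user, rule_action in POLICY:
        if rule_app in (app, "any") and rule_user in (user, "any"):
            action = rule_action
            break
    if action == "allow" and leak:                   # data filtering overrides allow
        action = "block-data"
    return {"app": app, "port_app": identify_by_port(flow), "user": user, "action": action}


def classify_all(flows=SAMPLE_FLOWS):
    return [single_pass(f) for f in flows]


def acc_filter(records, app=None, user=None):
    """ACC-style drill-down: keep records that match every filter that is set."""
    return [r for r in records
            if (app is None or r["app"] == app) and (user is None or r["user"] == user)]


if __name__ == "__main__":
    results = classify_all()
    for r in results:
        print(r)
    print(acc_filter(results, user="oharris"))               # drill into one user
    print(acc_filter(results, app="web-browsing", user="oharris"))
```

Running it shows the first flow classified as "ssl" by port but "ssh" by payload and denied, the second as "unknown" by port but "web-browsing" by payload and allowed, the third allowed by the rulebase but downgraded to "block-data" by the content check, and the last denied as "bittorrent". The two `acc_filter` calls mirror the slide's drill-down: narrow to a user, then add an application filter, then drop it again to widen the view.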