Migrating from Juniper to Palo Alto Networks

Agenda
• Overview
• Key Differences
• Key Reasons to Migrate
• Migration Best Practices
• Q&A

2 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Applications Have Changed, Firewalls Haven't
Network security policy is enforced at the firewall:
• Sees all traffic
• Defines the boundary
• Enables access
Traditional firewalls don't work any more.

The Firewall as a Business Enablement Tool
• Applications: enablement begins with application classification by App-ID.
• Users: tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
• Content: scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.

Controlling Applications, Content and Users

Broad Range of Hardware Platforms
(The PA-7050 figures are system totals; the PA-7000-NPC row is a single network processing card.)

Firewall    | Firewall throughput | Threat Prevention throughput | Ports                                               | Session capacity
PA-7050     | 120 Gbps (system)   | 60 Gbps (system)             | 24 SFP+ (10 Gig), 48 SFP (1 Gig), 72 copper gigabit | 24,000,000
PA-7000-NPC | 20 Gbps (per NPC)   | 10 Gbps (per NPC)            | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit   | 4,000,000
PA-5060     | 20 Gbps             | 10 Gbps                      | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit   | 4,000,000
PA-5050     | 10 Gbps             | 5 Gbps                       | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit   | 2,000,000
PA-5020     | 5 Gbps              | 2 Gbps                       | 8 SFP, 12 copper gigabit                            | 1,000,000
PA-3050     | 4 Gbps              | 2 Gbps                       | 8 SFP, 12 copper gigabit                            | 500,000
PA-3020     | 2 Gbps              | 1 Gbps                       | 8 SFP, 12 copper gigabit                            | 250,000
PA-2050     | 1 Gbps              | 500 Mbps                     | 4 SFP, 16 copper gigabit                            | 250,000
PA-2020     | 500 Mbps            | 250 Mbps                     | 8 copper gigabit                                    | 125,000
PA-500      | 250 Mbps            | 100 Mbps                     | 8 copper gigabit                                    | 64,000
PA-200      | 100 Mbps            | 50 Mbps                      | 4 copper gigabit                                    | 64,000

Juniper SRX Overview
• SRX = Security Services Gateways.
• Successor to the NetScreen/ScreenOS products.
• Uses JUNOS, a high-performance routing OS.
• Two platform families:
  • Enterprise and datacenter (SRX1400 to SRX5800)
  • Small, distributed enterprise (SRX100 to SRX650)
• AppSecure addresses next-generation firewall features:
  • NGFW feature components added on top of stateful inspection: AppTrack (visibility), AppFW (application identification and control), AppQoS (QoS) and AppDoS (DoS protection).
  • Application identification and control are performed only after an initial port-based firewall decision has been made.

AppSecure

Three Reasons to Migrate
Top 3 reasons to migrate:
1. Context-based policy management
2. Positive control model
3. APT prevention

Context-Based Policy Management
(figure: the context that App-ID, User-ID and Content-ID attach to one session)
• User: bjacobs; group: prodmgmt
• Source IP: 172.16.1.10; destination IP: 18.104.22.168; destination port: tcp/443
• Protocol: HTTP, SSL; destination country: china, canada
• Application: slideshare; application function: slideshare-uploading
• URL category: unknown, file-sharing
• File type: pdf (344 KB); file name: shipment.exe, roadmap.pdf

Shared Context Highlights the Value of Integration
(figure)
Apps | Functions | Users | IPS | AV | AS | Malware | QoS | Files | Patterns
Safe Enablement Policies: Applications, Users, Content
Reporting | Logging | Forensics | Panorama

Operational Efficiency: Unified Policy Control
A single policy covers application, user and content (threat prevention):
• Users/user groups
• Application
• Threat Prevention: Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, WildFire
AppSecure Management
Different policy management components.

AppSecure Management Challenges
• Multiple management components are required (Space, CLI, STRM) = more work, less visibility and control, slower responsiveness.
• User information is not natively integrated; it requires UAC + Pulse = more work, more devices and components to manage, less effective.

Application Control in the Firewall
(figure: a single firewall policy decision, "Allow Facebook", made on App-ID; everything else is denied: positive control)

Key Difference | Benefit
• Single firewall policy: less work, more secure. Administrative effort is reduced; potential reconciliation holes are eliminated.
• Positive control model: allow by policy, all else is denied. It's a firewall.
• Single log database: less work, more visibility. Policy decisions are based on complete information.
• Systematically manage unknowns: less work, more secure. Quickly identify high-risk traffic and systematically manage it.
• Shared context: less work, more secure. App, content and user are pervasive across visibility, policy control, logging and reporting.

Application Control as an Add-on
(figure: policy decision #1 in the firewall allows the TCP service on port 80; policy decision #2 in the app-control add-on allows Facebook. The firewall has to open ports to allow the application. Facebook allowed... what about the other 299 apps?)

Key Difference | Ramifications
• Two separate policies: more work (two policies, more admin effort) and possible security holes (no policy reconciliation tools).
• Two separate policy decisions: weakens the deny-all-else premise; applications are allowed by the firewall decision.
• Two separate log databases: less visibility with more effort. Informed policy decisions require more effort, which slows reaction time.
• No concept of unknown traffic: increased risk (unknown traffic is found on every network* = low volume, high risk) and more work, less flexibility (significant effort to investigate; limited management).
• No shared context: more work, less knowledge, slower reaction time. Finding and correlating app, user and content requires significant effort.
*Based on the Palo Alto Networks Application Usage and Risk Report

A Unique Approach to Protecting Your Network
APT protection:
• Scan ALL applications (including SSL traffic) to secure all avenues in and out of a network, reduce the attack surface, and provide context for forensics.
• Prevent attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures.
• Detect zero-day malware and exploits using a public/private cloud and automatically create signatures for the global customer base.

WildFire: Stopping the Unknowns
• 10 Gbps advanced threat visibility and prevention on all traffic, all ports (web, email, SMB, etc.)
• Global intelligence and protection delivered to all users
• Malware is run in the cloud with open internet access to discover C2 protocols, domains, URLs and staged malware downloads
• New malware signatures are automatically created by WildFire and delivered to customers globally
• A stream-based malware engine performs ongoing in-line enforcement
• An on-premises WildFire appliance is available for additional data privacy
(figure: WildFire cloud, optional WildFire appliance and WildFire users. Inputs: command-and-control, staged malware downloads, host ID and data exfil, soak sites, sinkholes, 3rd-party sources. Outputs: anti-malware signatures, DNS intelligence, malware URL database, anti-C2 signatures.)

Feb 2014: Continued Security Business Uncertainty
The company could cut $200 million in annual operating costs and buy back $2.5 billion in stock immediately and an additional $1 billion in 2015, Elliott said in a presentation of its proposals.
Juniper should also review its security and switching businesses to streamline products, and "focus on projects and areas where Juniper has clear competencies and the greatest risk-adjusted return on investment," Elliott said.
Security commitment?

Our Next-Generation Enterprise Security Platform
Next-Generation Firewall:
• Inspects all traffic
• Blocks known threats
• Sends unknowns to the cloud
• Extensible to mobile and virtual networks
Threat Intelligence Cloud:
• Gathers potential threats from network and endpoints
• Analyses and correlates threat intelligence
• Disseminates threat intelligence to network and endpoints
Advanced Endpoint Protection:
• Inspects all processes and files
• Prevents both known and unknown exploits
• Integrates with the cloud to prevent known and unknown malware

Migration Best Practices from Consulting Services

Perceived Port/Protocol/IP Migration Challenges
• Cost (people and time): the perceived workload, and a lot of tedious typing, to migrate from your current configuration.
• Risk: moving configurations can seem daunting and appear to involve a lot of risk.
• Legacy policy: policies were originally created with a port/protocol/IP mindset and are not optimized for applications and users.
• Lost history: many companies face "policy bloat" and "cruft" in their firewall configurations.

Performing the Migration
• An effective migration requires a combination of people, process and technology to migrate efficiently and effectively from legacy firewalls to Palo Alto Networks. This approach reduces potential risk and lowers cost.
• The engineers performing the task need knowledge of both the current platform and Palo Alto Networks.
• Migration tools can automate the routine conversion tasks, reducing effort (cost) and risk.
• Any migration should follow a proven methodology and process: audit, analyze, migrate, cut over.
The Spectrum of Conversion Options
• Many options exist when performing the initial conversion from IP/port/protocol to user/application-based policies.
• There is a spectrum of options, each with pros, cons and potential risk, running from less risk / lower effort / small reward to more risk / higher effort / big reward.
Initial policy/object conversion options, in that order:
1. Migrate objects and policies "as is"
2. Policy/object "cleanup"
3. Policy/object "cleanup" + move to application policies
4. Migrate to user/application policies

Palo Alto Networks Firewall Migration Tool
• Web 2.0 application delivered as a VMware image.
• Parses configurations into a database backend with a web UI frontend.
• Provides multiple options: migrate objects and policies; migrate only used objects, or both used and unused objects.
• Allows "in-place" editing of PAN-OS objects, services and policies prior to export.
• Does not replace the need for people with expertise in the current technology and in PAN-OS.
• The goal of the tool is 85%+ policy migration automation.

Migration Process: Walk-Through
Migrate L4 to L4 (Phase I)
• Reduce the number of rules by combining similar ones, for example by destination address.
• Clean up all unused objects.
• Clean up disabled rules.
• Change services based on protocols other than TCP/UDP to Palo Alto Networks App-IDs. Example: IKE, IPsec, GRE.
• Change services that depend on an ALG to Palo Alto Networks App-IDs. Example: FTP, SIP.
• Review and add all NAT rules. Check that the security policies match the destination zones when destination NAT is defined.

Example: Reducing Policy Rules
Because of the simplistic nature of port-based security rules, we can often combine many policies into one, especially when we can use App-ID.
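The Phase I steps above, worked through in code as an added example (this is not the Palo Alto Networks Migration Tool and not code from the deck). The dict-per-rule layout, the address objects, the junos-* service names and the traffic in RULES are all constructed for the example; the right-hand side of SERVICE_TO_APPID uses PAN-OS App-ID names. It drops disabled rules, swaps protocol-only and ALG services for App-IDs, lists objects nothing references any more, and combines rules that differ only in destination address. The consolidation routine is more general than the slide's single case: passing vary="to" or vary="from" merges on a zone field instead, which is the zone-based reduction the deck describes later.

```python
"""Phase I (L4 -> L4) cleanup on a constructed, simplified rule base.

Added example, not the Palo Alto Networks migration tool. The dict-per-rule
layout, the junos-* service names and the address objects are assumptions
made for this example, not real SRX or PAN-OS syntax.
"""

# Constructed address objects (name -> prefix). 'old-proxy' is referenced by no rule.
ADDRESSES = {
    "web-01": "10.1.1.10/32",
    "web-02": "10.1.1.11/32",
    "db-01": "10.2.0.5/32",
    "old-proxy": "10.9.9.9/32",
}

# Constructed rules. 'services' hold L4 port services or legacy service names.
RULES = [
    {"name": "r1", "from": "trust", "to": "dmz", "src": "any", "dst": "web-01",
     "services": ["tcp/80"], "action": "permit", "disabled": False},
    {"name": "r2", "from": "trust", "to": "dmz", "src": "any", "dst": "web-02",
     "services": ["tcp/80"], "action": "permit", "disabled": False},
    {"name": "r3", "from": "trust", "to": "untrust", "src": "any", "dst": "any",
     "services": ["junos-ike", "junos-gre"], "action": "permit", "disabled": False},
    {"name": "r4", "from": "dmz", "to": "trust", "src": "web-01", "dst": "db-01",
     "services": ["junos-ftp"], "action": "permit", "disabled": True},
]

# Non-TCP/UDP protocols and ALG-dependent services become App-IDs (slide: IKE,
# IPsec, GRE, FTP, SIP). Left: assumed legacy service names; right: App-IDs.
SERVICE_TO_APPID = {"junos-ike": "ike", "junos-gre": "gre", "junos-ipsec": "ipsec-esp",
                    "junos-ftp": "ftp", "junos-sip": "sip"}


def field_values(rule, field):
    """Return a rule field as a list, whether it holds one value or many."""
    value = rule[field]
    return list(value) if isinstance(value, list) else [value]


def drop_disabled(rules):
    return [r for r in rules if not r["disabled"]]


def referenced_objects(rules):
    """Names of address objects that some rule still references."""
    refs = set()
    for rule in rules:
        for field in ("src", "dst"):
            refs.update(v for v in field_values(rule, field) if v != "any")
    return refs


def convert_services(rule):
    """Swap protocol-only and ALG services for App-IDs; keep plain port services."""
    out = dict(rule)
    out["applications"] = [SERVICE_TO_APPID[s] for s in rule["services"] if s in SERVICE_TO_APPID]
    out["services"] = [s for s in rule["services"] if s not in SERVICE_TO_APPID]
    if out["applications"] and not out["services"]:
        out["services"] = ["application-default"]  # App-ID on its standard ports only
    return out


def consolidate(rules, vary="dst"):
    """Merge rules that are identical except for `vary` (destination, or a zone field).

    A rule joins an earlier group only if every rule between them has the same
    action, so a later permit is never lifted above a deny that could shadow it.
    """
    merged = []
    for rule in rules:
        key = tuple(sorted((k, tuple(field_values(rule, k)))
                           for k in rule if k not in (vary, "name", "_key")))
        target = None
        for idx, cand in enumerate(merged):
            if cand["_key"] == key and all(m["action"] == rule["action"] for m in merged[idx + 1:]):
                target = cand
                break
        if target is None:
            copy = dict(rule)
            copy[vary] = field_values(rule, vary)
            copy["_key"] = key
            merged.append(copy)
        else:
            for value in field_values(rule, vary):
                if value not in target[vary]:
                    target[vary].append(value)
            target["name"] += "+" + rule["name"]
    for rule in merged:
        del rule["_key"]
    return merged


def phase_one(rules, addresses):
    """Disabled rules out, services to App-IDs, similar rules combined, unused objects listed."""
    active = [convert_services(r) for r in drop_disabled(rules)]
    unused = sorted(set(addresses) - referenced_objects(active))
    return consolidate(active, vary="dst"), unused


if __name__ == "__main__":
    merged_rules, unused_objects = phase_one(RULES, ADDRESSES)
    for r in merged_rules:
        print(r["name"], r["from"], "->", r["to"], r["dst"], r["services"], r["applications"])
    print("unused objects:", unused_objects)
```

On the constructed input, r1 and r2 collapse into one rule with both web servers as destination, r3 keeps only App-IDs with service application-default, and db-01 joins old-proxy in the unused list because the only rule that referenced it was disabled. The ordering check in consolidate is the part worth keeping when adapting this: combining rules changes precedence, and lifting a permit above a deny that overlaps it is the classic way a cleanup opens a hole.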
Migration Process: Walk-Through (Cont'd)
Migrate from L4 to L7 (Phase II)
• Put the migrated L4 policy on your Palo Alto Networks device.
• Connect it to your network, either in-line (L3, L2, VWire) or off-line (TAP mode).
• From this moment the Palo Alto Networks device classifies all the traffic in your network: it identifies every application and generates log entries for the application traffic.
• From the resulting logs we can extract the applications seen by each rule and start swapping L4 services for App-IDs without breaking anything.

Additional Migration Considerations
• Once a rule's services have been replaced by App-IDs, either change the service to "application-default" or keep the previous port. If an application always uses the same port, restrict the service to that port to reduce the surface on which the application is detected.
• Control the unknown: from the logs, check for unknown traffic (unknown-tcp, unknown-udp, unknown-p2p) and generate custom signatures to identify custom apps. Use Application Override when needed. If URL filtering is active, check for the app web-browsing with URL category "unknown" and generate a proper App-ID so this traffic is identified as your custom app instead of web-browsing; this is more efficient. Block all remaining unknown traffic.
• Threat prevention: activate WildFire on rules whose apps can transfer files (PE, PDF, Office, APK, Jar). Attach IPS/AV/Anti-Spyware profiles to your rules; use the migration tool to do it in bulk.
• User-ID: integrate with your user repository to move from static IP addresses to users and groups. This improves visibility and handles mobile users.

Migration Tool: Juniper Caveats
Objects in address books
• Check whether an object is defined in several address books (one per zone).
• If the definitions are equal, import the object only once.
• Check whether the IP address or port differs from zone to zone. If it differs, use different names to avoid duplicate-name errors.
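Phase II and the "control the unknown" considerations above, as an added example that is neither the deck's nor the migration tool's code. The log sample is constructed and uses an assumed, simplified CSV layout (a real PAN-OS traffic log carries many more columns; only rule, destination port, protocol, App-ID and URL category matter here). The script summarises which applications App-ID saw under each still-L4 rule, then proposes the swap: explicit ports where every app always used one port, application-default otherwise, and a follow-up list for unknown-tcp/unknown-udp/unknown-p2p and for web-browsing to an unknown URL category.

```python
"""Phase II (L4 -> L7): turn observed App-IDs per rule into a service swap plan.

Added example, not part of the deck or of the Palo Alto Networks migration
tool. SAMPLE_LOG is constructed and its column layout is an assumption.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed traffic log: which rule matched, and what App-ID classified it as.
SAMPLE_LOG = """\
rule,src,dst,dport,proto,app,url_category
allow-web,10.1.5.20,203.0.113.10,443,tcp,ssl,computer-and-internet-info
allow-web,10.1.5.21,203.0.113.11,80,tcp,web-browsing,unknown
allow-web,10.1.5.22,203.0.113.12,80,tcp,web-browsing,search-engines
allow-web,10.1.5.23,203.0.113.13,8080,tcp,unknown-tcp,
allow-mgmt,10.1.9.5,10.1.0.2,22,tcp,ssh,
allow-mgmt,10.1.9.5,10.1.0.3,22,tcp,ssh,
allow-mgmt,10.1.9.6,10.1.0.3,2222,tcp,ssh,
allow-udp-svc,10.1.9.7,10.1.0.9,5000,udp,unknown-udp,
"""

# App-IDs that mean "App-ID could not identify this": candidates for a custom
# App-ID or Application Override, and otherwise for a block rule.
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp", "unknown-p2p"}


def apps_per_rule(log_text):
    """rule -> app -> {ports seen, session count, sessions to an unknown URL category}."""
    seen = defaultdict(lambda: defaultdict(lambda: {"ports": set(), "hits": 0, "unknown_url": 0}))
    for row in csv.DictReader(StringIO(log_text)):
        entry = seen[row["rule"]][row["app"]]
        entry["ports"].add(f'{row["proto"]}/{row["dport"]}')
        entry["hits"] += 1
        if row["app"] == "web-browsing" and row["url_category"] == "unknown":
            entry["unknown_url"] += 1
    return seen


def port_key(service):
    proto, port = service.split("/")
    return (proto, int(port))


def propose(seen):
    """For each rule: App-IDs to allow, the service to pair with them, and follow-ups."""
    plan = {}
    for rule, apps in seen.items():
        known = {app: e for app, e in apps.items() if app not in UNKNOWN_APPS}
        # Keep the explicit port when every app always used a single port;
        # otherwise let application-default decide.
        if known and all(len(e["ports"]) == 1 for e in known.values()):
            service = sorted({p for e in known.values() for p in e["ports"]}, key=port_key)
        elif known:
            service = ["application-default"]
        else:
            service = []
        follow_up = []
        for app, e in apps.items():
            if app in UNKNOWN_APPS:
                ports = ", ".join(sorted(e["ports"], key=port_key))
                follow_up.append(f"{app} on {ports} ({e['hits']} sessions): identify with a "
                                 "custom App-ID or Application Override, then block what remains")
            elif e["unknown_url"]:
                follow_up.append(f"web-browsing to unknown URL category ({e['unknown_url']} sessions): "
                                 "write a custom App-ID rather than leaving it as web-browsing")
        plan[rule] = {"applications": sorted(known), "service": service, "follow_up": follow_up}
    return plan


if __name__ == "__main__":
    for rule, p in propose(apps_per_rule(SAMPLE_LOG)).items():
        print(rule, p["applications"], p["service"])
        for note in p["follow_up"]:
            print("   ->", note)
```

Run against a real export, the interesting rows are the ones with an empty applications list and a non-empty follow-up: they are rules that only ever carried traffic App-ID could not name, which is exactly the low-volume, high-risk category the deck says to investigate before the cutover rather than after.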
Policies and zones
• Rules can be reduced simply because a PAN-OS rule may reference more than one zone, or the zone "any".
• There is potential for significant rule reductions here: a customer with 4,623 rules saw a direct reduction by 3 just by adjusting zones.

Best Practices to Make Your Migration Successful
1. Align people, process and technology.
2. Understand the conversion options and optimize policies (ports vs. apps).
3. Use the migration tool to automate conversion tasks (objects, rule base).
4. Validate accuracy and verify changes.
5. Post-migration:
  • Implement custom App-IDs.
  • Rule cleanup: use the "Highlight Unused Policies" feature to clean up after migration.
  • Enable additional security features (User-ID, Content-ID, WildFire, etc.).

Get Your Free AVR Report
Find out which applications and threats are on your network with a FREE assessment from Palo Alto Networks.
Palo Alto Networks Application Visibility and Risk Report (AVR):
• Request an evaluation.
• Place Palo Alto Networks inside your network.
• We'll tell you what applications and threats we see in your network!
Register today at: http://connect.paloaltonetworks.com/JuniperMigration
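The address-book caveat from the Juniper caveats slide (an object defined once per zone: import it once if every zone agrees, rename it if the value differs by zone), as an added example that is not the migration tool's code. SAMPLE_CONFIG is constructed; the parser understands only zone-scoped `set security zones security-zone ... address-book address ...` lines, so global address books and address-sets are out of scope for this example. The first definition keeps the original name, each conflicting value becomes a zone-suffixed object, and the returned rename map tells a rule converter which PAN-OS object name to use for a given (zone, name) reference.

```python
"""Collapse per-zone SRX address books into one flat PAN-OS object list.

Added example, not code from the deck or the Palo Alto Networks migration
tool. The config below is constructed; only zone-scoped address-book lines
are parsed.
"""
import re
from collections import defaultdict

ADDR_RE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+) address-book address "
    r"(?P<name>\S+) (?P<value>\S+)$"
)

# Constructed SRX-style configuration. web-srv is defined identically in trust
# and dmz but points somewhere else in untrust; db-srv agrees everywhere.
SAMPLE_CONFIG = """\
set security zones security-zone trust address-book address web-srv 10.1.1.10/32
set security zones security-zone dmz address-book address web-srv 10.1.1.10/32
set security zones security-zone untrust address-book address web-srv 203.0.113.10/32
set security zones security-zone trust address-book address db-srv 10.2.0.5/32
set security zones security-zone dmz address-book address db-srv 10.2.0.5/32
set security policies from-zone trust to-zone dmz policy p1 match source-address any
"""


def parse_address_books(config_text):
    """name -> value -> [zones that define it], in first-seen order."""
    books = defaultdict(lambda: defaultdict(list))
    for line in config_text.splitlines():
        match = ADDR_RE.match(line.strip())
        if match:
            books[match["name"]][match["value"]].append(match["zone"])
    return books


def dedupe_address_books(config_text):
    """Return (flat objects, rename map).

    objects: PAN-OS object name -> value, one object per distinct value.
    renames: (zone, original name) -> object name to use for references from
             that zone, present only where the zone's value differed.
    """
    objects = {}
    renames = {}
    for name, by_value in parse_address_books(config_text).items():
        values = list(by_value)
        objects[name] = values[0]            # first definition keeps the name
        for value in values[1:]:             # every other value: new, zone-suffixed object
            zones = by_value[value]
            new_name = f"{name}-{zones[0]}"
            objects[new_name] = value
            for zone in zones:
                renames[(zone, name)] = new_name
    return objects, renames


def resolve(zone, name, renames):
    """Object name a converted rule in `zone` should reference instead of `name`."""
    return renames.get((zone, name), name)


if __name__ == "__main__":
    objs, ren = dedupe_address_books(SAMPLE_CONFIG)
    for obj, val in objs.items():
        print(f"{obj:16} {val}")
    for (zone, old), new in ren.items():
        print(f"references to {old} in zone {zone} -> {new}")
```

The check that matters is the rename map: a migration that imports web-srv once without it silently points the untrust rules at the internal address, which is the "duplicate-name error" the slide warns about turning into a wrong-address policy instead of a visible import failure.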