Palo Alto Networks Technology Update
©2014 Palo Alto Networks. Confidential and Proprietary.

context |ˈkänˌtekst| noun: the circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood and assessed

[Slide: action, intelligence, context]

Context of a session (first example):
• application: slideshare-uploading
• file name: roadmap.pdf
• protocol: HTTP, SSL
• URL category: file-sharing
• destination country: canada
• source IP: 172.16.1.10
• destination port: tcp/443
• destination IP: 64.81.2.23
• file type: pdf
• group: prodmgmt
• user: bjacobs

Context of a session (second example, same source, destination and port):
• application: web-browsing
• file name: shipment.exe (344 KB)
• protocol: HTTP, SSL
• URL category: unknown
• destination country: china
• source IP: 172.16.1.10
• destination port: tcp/443
• destination IP: 64.81.2.23
• file type: exe
• group: finance
• user: fthomas

Attack lifecycle (stages shown on the slide):
• Exploit Kit Contact
• New Domain
• ZeroAccess Delivered
• C2 Established
• Custom C2 & Hacking
• Spread Laterally
• Secondary Payload
• Data Stolen (Exfiltration via RDP & FTP)

Evasion techniques called out along the lifecycle:
• Hides within SSL
• New domain, no reputation
• Payload evades AV
• No signature for custom malware
• Hides in plain sight
• Payload evades C2 signatures
• C2 hides using nonstandard ports

Context: A Unique Approach to Protecting your Network
• Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics
• Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
• Detects zero day malware & exploits using public/private cloud and automatically creates signatures for global customer base
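The two sessions above (the roadmap.pdf upload and the shipment.exe download) share the same source IP, destination IP and port. The following added example, which is not code from the slide deck or from Palo Alto Networks, shows why a decision made on the 5-tuple alone cannot separate them while one made on application, user group, URL category and file type can; the session fields come from the slides, and the rule set is constructed for the example.

```python
# Added example (not from the slide deck): a minimal policy evaluator showing that two
# sessions with the same 5-tuple get different verdicts once application, user group,
# URL category and file type are part of the decision. Session values are taken from
# the slides; the rule set below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    dst_port: str
    protocol: str
    application: str
    url_category: str
    file_name: str
    file_type: str
    user: str
    group: str
    dst_country: str


# Both slides describe the same encrypted connection on tcp/443.
PDF_UPLOAD = Session("172.16.1.10", "64.81.2.23", "tcp/443", "SSL", "slideshare-uploading",
                     "file-sharing", "roadmap.pdf", "pdf", "bjacobs", "prodmgmt", "canada")
EXE_DOWNLOAD = Session("172.16.1.10", "64.81.2.23", "tcp/443", "SSL", "web-browsing",
                       "unknown", "shipment.exe", "exe", "fthomas", "finance", "china")

# Constructed rules: ordered, first match wins; each maps attribute -> allowed values.
RULES = [
    ("block-unknown-exe", {"file_type": {"exe"}, "url_category": {"unknown"}}, "block"),
    ("allow-prodmgmt-sharing",
     {"group": {"prodmgmt"}, "application": {"slideshare-uploading"}}, "allow"),
]


def port_based_verdict(s: Session) -> str:
    """A port/protocol firewall sees only the 5-tuple, so both sessions look identical."""
    return "allow" if s.dst_port == "tcp/443" else "block"


def context_verdict(s: Session) -> tuple:
    """Return (rule name, action) of the first rule whose attribute sets all match."""
    for name, match, action in RULES:
        if all(getattr(s, attr) in allowed for attr, allowed in match.items()):
            return name, action
    return "default-deny", "block"
```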
[Diagram: Traditional Bolt-on Approach. Firewall: L7 App Control, L6 Application Signatures, L5 Firewall, L4/L3/L2 Source/Dest, User, Port/Protocol, Networking, policy, management, reporting. IPS: IPS Signatures, IPS Decoder, Port/Protocol, Networking, policy, management, reporting. Antivirus: AV Signatures, Decoder & Proxy, Port/Protocol, Networking, policy, management, reporting.]

[Slide: PA-7050 in a data center: oracle (datacenter app), 100 gbps network connection, credit card data (security zone), finance (group)]

Security Performance Drivers
Increasing sophistication of application level attacks and an insatiable appetite for more bandwidth drive the need for scalable, high performance security.
• Internet Gateway: secure all users on all devices; requires 10+ Gbps
• Data Center: secure all apps, control access for all users & devices; requires 20+ Gbps
• Network Segmentation: contain and protect internal resources; requires 20-40+ Gbps

PA-7050: The Fastest Next-generation Firewall
• Safely enable all applications; full next-generation firewall capabilities
• Ground-breaking application layer performance
• Simple yet flexible chassis architecture

Our Unique Approach Applied Across the Network: All Applications, All Attack Vectors, All Threats
• Datacenter: validate business applications & users; find rogue/misconfigured apps; high speed threat prevention
• Gateway: visibility into all traffic; enable apps to reduce exposure; block known/unknown threats
• Segmentation: isolate critical data, business functions; enable applications based on users; block known/unknown threats
Scalable, Purpose-built Architecture

PA-7050: Performance and Capacities Summary
Metric                       | PA-7050 System | PA-7000 NPC
Firewall Gbps (App-ID)       | 120            | 20
Threat Gbps (DSRI)           | 100            | 16+
Threat Gbps (Full)           | 60             | 10
Firewall PPS (Millions)      | 72             | 12
IPSec VPN Gbps               | 24             | 4
New sessions per second      | 720,000        | 120,000
Max sessions (Millions)      | 24             | 4
Virtual systems (base/max)   | 25/225         | --
• PA-7050 requires PAN-OS 6.0
• All PAN-OS features are supported except Netflow
• DSRI and full threat metrics will be published

[Chart: NGFW Throughput vs. Advertised Max. Y axis 0%–100%; NGFW rate as a share of advertised max: Palo Alto Networks 83%; Fortinet, Juniper and Check Point shown at 13%, 15% and 18%.]
Source: Performance metrics are from public facing datasheets for fully loaded Palo Alto Networks PA-7050, Check Point 61000, Juniper SRX 5800 and Fortinet 5140B

[Chart: NGFW Security Performance Relative to Max, same source as above.]

Simple & Flexible Chassis Architecture
• Scalable: linear performance and interface density with each added card; high speed backplane supports future network processing cards
• Flexible: flexible and dynamic load distribution across multiple network processing modules allows seamless scalability
• Simple: single system view for administration, all PAN-OS features supported; system-wide subscriptions and support provide predictable cost model

[Slide: Virtualization. VM attributes shown: windows, sharepoint, operating system, container, UUID, VM instance]
[Slide: production data center]

Transforming network security for the data center: VM-Series and VMware NSX Integration
Challenge                          | Solution
FW doesn't see the traffic         | Automated, transparent services insertion at workload
Incomplete security capabilities   | Virtualized next-generation security supporting PAN-OS™
Static policies                    | Dynamic security policies with VM context

Dynamic address groups and VM monitoring

VMware vCenter or ESXi inventory:
Name         | IP        | Guest OS      | Container
web-sjc-01   | 10.1.1.2  | Ubuntu 12.04  | Web
sp-sjc-04    | 10.1.5.4  | Win 2008 R2   | SharePoint
web-sjc-02   | 10.1.1.3  | Ubuntu 12.04  | Web
exch-mia-03  | 10.4.2.2  | Win 2008 R2   | Exchange
exch-dfw-03  | 10.4.2.3  | Win 2008 R2   | Exchange
sp-mia-07    | 10.1.5.8  | Win 2008 R2   | SharePoint
db-mia-01    | 10.5.1.5  | Ubuntu 12.04  | MySQL
db-dfw-02    | 10.5.1.2  | Ubuntu 12.04  | MySQL
db-mia-05    | 10.5.1.9  | Ubuntu 12.04  | MySQL

PAN-OS Dynamic Address Groups:
Name                        | Tags                              | Addresses
SharePoint Servers          | SharePoint, Win 2008 R2, "sp"     | 10.1.5.4, 10.1.5.8
MySQL Servers               | MySQL, Ubuntu 12.04, "db"         | 10.5.1.5, 10.5.1.2, 10.5.1.9
Miami DC                    | "mia"                             | 10.4.2.2, 10.1.5.8, 10.5.1.5
San Jose Linux Web Servers  | "sjc", "web", Ubuntu 12.04        | 10.1.1.2, 10.1.1.3

PAN-OS Security Policy:
Source                      | Destination         | Action
San Jose Linux Web Servers  | SharePoint Servers  | ✔
MySQL Servers               | Miami DC            |

Introducing VM-Series on Citrix NetScaler SDX
• VM-Series (running PAN-OS™) now supported on SDX 11500 and 17550 Series:
  • Safely enable applications by apps, users, content
  • Protect against known and unknown threats
  • Address risk and compliance mandates
• Key use cases (details on next 2 slides):
  • Integrated solution for XA/XD deployments
  • Multi-tenant (business units, application owners, service provider) cloud deployments
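The dynamic address groups above resolve tags to addresses from the VM inventory, so a policy written against group names follows VMs as they appear, move or disappear. The following added example, which is not PAN-OS or Palo Alto Networks code, models that resolution over the inventory shown on the "Dynamic address groups and VM monitoring" slide; the inventory rows are the slide's, while the tag derivation (guest OS, container and the hyphen-separated parts of the VM name), the AND semantics of the tag filter and the default-deny action are assumptions.

```python
# Added example (not PAN-OS code): tag-based dynamic address groups resolved from a VM
# inventory, and a policy evaluated against group names rather than fixed IPs.
# Inventory rows are from the slide; tagging rule, filter semantics and default action
# are assumptions made for this example.

INVENTORY = [  # (vm name, ip, guest os, container)
    ("web-sjc-01", "10.1.1.2", "Ubuntu 12.04", "Web"),
    ("sp-sjc-04", "10.1.5.4", "Win 2008 R2", "SharePoint"),
    ("web-sjc-02", "10.1.1.3", "Ubuntu 12.04", "Web"),
    ("exch-mia-03", "10.4.2.2", "Win 2008 R2", "Exchange"),
    ("exch-dfw-03", "10.4.2.3", "Win 2008 R2", "Exchange"),
    ("sp-mia-07", "10.1.5.8", "Win 2008 R2", "SharePoint"),
    ("db-mia-01", "10.5.1.5", "Ubuntu 12.04", "MySQL"),
    ("db-dfw-02", "10.5.1.2", "Ubuntu 12.04", "MySQL"),
    ("db-mia-05", "10.5.1.9", "Ubuntu 12.04", "MySQL"),
]


def vm_tags(name, guest_os, container):
    """Assumed tagging: guest OS, container and each '-' separated name part become
    tags, which yields the quoted tags ("sp", "mia", "sjc", "web", "db") on the slide."""
    return {guest_os, container, *name.split("-")}


# Dynamic address groups: group name -> tags that must ALL be present (AND filter).
# Note: the slide lists three addresses for Miami DC; a name-derived "mia" tag also
# matches db-mia-05 (10.5.1.9), which is why group membership must be recomputed
# from the live inventory rather than copied once.
GROUPS = {
    "SharePoint Servers": {"SharePoint", "Win 2008 R2", "sp"},
    "MySQL Servers": {"MySQL", "Ubuntu 12.04", "db"},
    "Miami DC": {"mia"},
    "San Jose Linux Web Servers": {"sjc", "web", "Ubuntu 12.04"},
}


def resolve(group, inventory=INVENTORY):
    """Addresses currently matching the group's tag filter; re-run after any VM change."""
    return {ip for name, ip, os_, ctr in inventory if GROUPS[group] <= vm_tags(name, os_, ctr)}


# The allow rule from the slide's security policy, written against group names.
POLICY = [("San Jose Linux Web Servers", "SharePoint Servers", "allow")]


def decide(src_ip, dst_ip, inventory=INVENTORY):
    """First matching rule wins; anything unmatched is denied (assumed default)."""
    for src_group, dst_group, action in POLICY:
        if src_ip in resolve(src_group, inventory) and dst_ip in resolve(dst_group, inventory):
            return action
    return "deny"
```

Adding a new SharePoint VM to the inventory makes it reachable from the web servers without touching the policy, which is the "dynamic security policies with VM context" point made above.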
Consolidated Security and Availability for XenApp/XenDesktop
[Diagram: on-premise applications and Internet applications; any user, any device, anywhere via Citrix Receiver; XenApp/XenDesktop (VDI Environment) behind Citrix NetScaler SDX with VM-Series]
Validated, consolidated security and ADC for XenApp/XenDesktop
• Secure remote access and high availability
• Safe application enablement for XenApp/XenDesktop users
• Unique User-ID & Terminal-Services agent integration
• Segmentation of XenApp/XenDesktop infrastructure

Multi-tenant Security and ADC Services
[Diagram: Citrix NetScaler with VM-Series providing firewall and ADC for Tenant 1, Tenant 2, Tenant 3]
Multi-tenant security and availability for enterprises and cloud data centers
• Dedicated instances of network services for different tenants
• Addresses independent security and load balancing needs
• Per application load balancing with dedicated firewalling

[Slide: WildFire global input. Behaviors observed: RAT download, system file tampering, C2 traffic, registry changes, DNS lookups, visited URLs]

[Table: WildFire feature comparison. Columns: Basic WildFire (PAN-OS 5.0, PAN-OS 6.0) and WildFire Subscription (PAN-OS 5.0, PAN-OS 6.0), with WF-500 and Public Cloud variants. Rows: Public Cloud, WF-500 support, API access, PDF, Office Documents, Java, 30 minute signatures, Integrated logging, Windows PE (DLL & EXE), Windows XP, Windows 7, Android APK. The per-cell checkmarks did not survive extraction.]

[Slide: GlobalProtect device context: jailbroken, corporate device, OS version, patched, malware installed, encrypted storage, passcode]

[Slide: Home Office, Headquarters, Branch Office, Airport, Hotel: enterprise-secured with full protection]
[Slide, continued: exposed to threats, risky apps, and data leakage; GlobalProtect Mobile Security Solution]

Summary
• New, high performance hardware platforms
• Continued innovation in the battle against advanced cyber threats
• More security automation in virtualized environments
• Expanding further into mobile security

Q&A