Next-Generation Firewall Palo Alto Networks Applications Have Changed, firewalls have not • The gateway at the trust SaaS Collaboration / Media Personal border is the right place to enforce policy control - Sees all traffic - Defines trust boundary • BUT…Applications Have Changed - Ports ≠Applications - IP Addresses ≠Users - Packets ≠Content Need to Restore Visibility and Control in the Firewall Page 2 | Stateful Inspection Classification The Common Foundation of Nearly All Firewalls • Stateful Inspection classifies traffic by looking at the IP header - source IP - source port - destination IP - destination port - protocol • Internal table creates mapping to well-known protocols/ports - HTTP = TCP port 80 - SMTP = TCP port 25 - SSL = TCP port 443 Page 3 | Palo Alto Networks Exceeds NGFW Requirements In “Defining the Next-Generation Firewall,” Gartner describes what Palo Alto Networks already delivers Application Awareness and Full Stack Visibility App-ID Identifies and controls 900+ applications Integrated Rather Than Co-Located IPS Content-ID includes full IPS, without compromising performance Extra-Firewall Intelligence to Identify Users User-ID brings AD users and groups into firewall policy Standard First-Generation Firewall Capabilities Packet filtering, state, flexible NAT, IPSec, SSL VPNs, etc. Support “bump in the wire” Deployments Multiple options for transparent deployment behind existing firewalls Page 4 | Palo Alto Networks “Fixes the Firewall” New Requirements for the Firewall 1. Identify applications regardless of port, protocol, evasive tactic or SSL 2. Identify users regardless of IP address 3. Granular visibility and policy control over application access / functionality 4. Protect in real-time against threats embedded across applications 5. Multi-gigabit, in-line deployment with no performance degradation Page 5 | Identification Technologies Help Manage Risk App-ID Identify the application User-ID Identify the user Content-ID Scan the content Page 6 | App-ID: Comprehensive Application Visibility • Policy-based control about 900 applications distributed across five categories and 25 sub-categories • Balanced mix of business, internet and networking applications and networking protocols • ~ 5 new applications added weekly Page 7 | User-ID: Enterprise Directory Integration User-ID • Users no longer defined solely by IP address - Leverage existing Active Directory infrastructure • Understand users application and threat behavior based on actual AD username, not just IP • Manage and enforce policy based on user and/or AD group • Investigate security incidents, generate custom reports Page 8 | Making Content-Scanning Network-Ready File-based Scanning Stream-based Scanning ID Content ID Content Buffer File Scan Content Scan File Deliver Content Deliver Content Time Time • Stream-based, not file-based, for real-time performance - Dynamic reassembly • Uniform signature engine scans for broad range of threats in single pass • Threat detection covers vulnerability exploits (IPS), virus, and spyware (both downloads and phone-home) Page 9 | A better approach Single-Pass Parallel Processing (SP3) Architecture Single Pass • Single processes for: - Traffic classification (app identification) - User/group mapping - Content scanning – threats, URLs, DLP, etc. • One policy Parallel Processing • Function-specific hardware engines • Multi-core security processing • Separate data/control planes Up to 10Gbps, Low Latency Page 10 | PAN-OS Core Features • Strong networking foundation: - Dynamic routing (OSPF, RIPv2) - Site-to-site IPSec VPN - SSL VPN - Tap mode – connect to SPAN port - Virtual wire (“Layer 1”) for true transparent in-line deployment - L2/L3 switching foundation • QoS traffic shaping - Max, guaranteed and priority - By user, app, interface, zone, and more Page 11 | • High Availability: - Active / passive - Configuration and session synchronization - Path, link, and HA monitoring • Virtualization: - All interfaces (physical or logical) assigned to security zones - Establish multiple virtual systems to fully virtualized the device (PA4000 & PA-2000 only) • Intuitive and flexible management - CLI, Web, Panorama, SNMP, Syslog Palo Alto Networks Next-Gen Firewalls PA-4060 PA-4050 PA-4020 • • • • • • • • • • • • • • • 10 Gbps FW 5 Gbps threat prevention 2,000,000 sessions 4 XFP (10 Gig) I/O 4 SFP (1 Gig) I/O 10 Gbps FW 5 Gbps threat prevention 2,000,000 sessions 16 copper gigabit 8 SFP interfaces 2 Gbps FW 2 Gbps threat prevention 500,000 sessions 16 copper gigabit 8 SFP interfaces PA-2050 PA-2020 PA-500 • • • • • • • • • • • • • • 1 Gbps FW 500 Mbps threat prevention 250,000 sessions 16 copper gigabit 4 SFP interfaces Page 12 | 500 Mbps FW 200 Mbps threat prevention 125,000 sessions 12 copper gigabit 2 SFP interfaces 250 Mbps FW 100 Mbps threat prevention 50,000 sessions 8 copper gigabit Purpose-Built Architecture: PA-4000 Series RAM Flash Matching Engine Dedicated Control Plane • Highly available mgmt • High speed logging and route updates RAM RAM RAM Flash Matching HW Engine • Palo Alto Networks’ uniform signatures • Multiple memory banks – memory bandwidth scales performance 10Gbps RAM Dual-core CPU CPU 1 CPU 2 CPU 3 .. RAM CPU 16 RAM RAM HDD SSL IPSec DeCompression Multi-Core Security Processor • High density processing for flexible security functionality • Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression) 10Gbps QoS Control Plane Page 13 | Route, ARP, MAC lookup NAT 10 Gig Network Processor • Front-end network processing offloads security processors • Hardware accelerated QoS, route lookup, MAC lookup and NAT Data Plane Flexible Deployment Options Application Visibility • Connect to span port • Provides application visibility without inline deployment Page 14 | Transparent In-Line • Deploy transparently behind existing firewall • Provides application visibility & control without networking changes Firewall Replacement • Replace existing firewall • Provides application and network-based visibility and control, consolidated policy, high performance Enterprise Device and Policy Management • Intuitive and flexible management - CLI, Web, Panorama, SNMP, Syslog • Panorama central management application - Consolidated management, logging, and monitoring of Palo Alto Networks devices - Consistent web interface between Panorama and device UI - Network-wide ACC/monitoring views, log collection, and reporting • All interfaces work on current configuration, avoiding sync issues Page 15 | Requirements for Data Center Firewalls • Threat Prevention - Protect against external attacks – including those routed through internal “secure” clients • Data Leakage Prevention - Protect confidential and unauthorized content from leaving the network • Access Control - Control access – by user or groups of users – to specific applications and content • Performance - Page 16 | Minimize latency and maximize throughput to ensure business performance is not compromised © 2009 Palo Alto Networks. Proprietary and Confidential. Palo Alto Networks Exceeds Requirements • Content-ID - Threat Prevention - Stops external attacks with high speed threat prevention engine Decrypts SSL sessions to identify and stop threats via clients Data Leakage Prevention Scans traffic to stop transfer of unauthorized data or file types • User-ID and App-ID - Access Control Policies to create security zones within the data center Create data center segments to isolate specific users and applications • SP3 Architecture Page 17 | Single pass, minimized latency, maximum throughput up to 10Gbps © 2009 Palo Alto Networks. Proprietary and Confidential. Data Centre Security Zones • Security zones can first be applied to isolate the DC can as a means of protecting the data. Once the network has been divided into distinct zones, positive control model security policies can be applied that control, at a very granular level, which applications, users and content are allowed in and out of the DC security zone. • Uniform signature format: Rather than use a separate set of scanning engines and signatures for each type of threat, Palo Alto Networks uses a uniform threat engine and signature format to detect and block a wide range of malware while dramatically reducing latency. Page 18 | © 2009 Palo Alto Networks. Proprietary and Confidential. Isolating the Data with Security Zones •Security zones: logical container for physical interfaces, VLANs, IP addresses or a combination thereof Users Client Server Zone Client Servers Users Infrastructure Servers Infrastructure Servers Development Servers Development Servers Users Flat network – no security zones All users can access all resources Difficult to protect proprietary data Forensics becomes equally difficult Page 19 | © 2009 Palo Alto Networks. Proprietary and Confidential. Zones isolate client data – irrespective of networking environment Security policies dictate access control, threat prevention and content scanning Logging and reporting against zone simplifies forensics and monitoring Granular Access Control Policies • Control access based on application (App-ID) and users (User-ID) • Example: - - - Page 20 | Only authorized SAP users and access SAP Users Inbound and outbound traffic scanned for threats and sensitive data Palo Alto Networks Oracle Limited traffic in the zone helps minimize latency, maximize throughput Secure IT access for logging, reporting, forensics Client Server Zone Infrastructure Servers IT Tools IT Dept WAN and Internet Users Development Servers Block Threats, Monitor Data Transfer • Block inbound threats that target Oracle, monitor outbound traffic for data patterns (Content-ID) • Example: - Add threat prevention policy element for Oracle (inbound) - Monitor out bound traffic for proprietary data patterns - Log for forensics and record keeping Client Server Zone Brokers Palo Alto Networks Infrastructure Servers WAN and Internet Users Page 21 | © 2009 Palo Alto Networks. Proprietary and Confidential. Development Servers Logging and Reporting • Forensics and activity monitoring through context aware and expression-based log filtering - Export to excel or syslog for archive and analysis • Pre-defined and custom reporting - Page 22 | Create zone specific reports, scheduled to be emailed to key personnel © 2009 Palo Alto Networks. Proprietary and Confidential. Policy Example Rule 1 • Limit access to client data to only brokers in Active Directory • Only allow Oracle • Block threats, watch for client data transfer Rule 2 • Only allow IT to use specific tools to access client data Rule 3 • Deny and log all else Page 23 | © 2009 Palo Alto Networks. Proprietary and Confidential. Limitations of Existing Technology • Legacy firewalls are ineffective at policy-based segmentation - Unable to identify applications – only ports and protocols - Cannot see user identity from AD – only IP addresses - May require secondary platform to inspect content - Cumbersome management and difficult log correlation • Firewall “helpers” are no help - Don’t enforce policy - Are not designed to segment - Cannot understand all applications, slow, cumbersome to manage - Unable to tie applications to users - Impossible to produce reports needed for audit purposes Page 24 | © 2009 Palo Alto Networks. Proprietary and Confidential. Protecting Proprietary Data • Flexible, zone-based architecture facilitates data isolation in any networking environment • Policy control over cardholder data access - Allow/deny access based on specific application - Inspect traffic bi-directionally for threats and data transfer - Tie access rules to user identity from Active Directory • Powerful logging and reporting for archival and forensics purposes • Up to 10 Gbps throughput and up to 24 ports eliminates bottlenecks Page 25 | © 2009 Palo Alto Networks. Proprietary and Confidential.