Palo Alto Networks
Product Overview
Karsten Dindorp, Computerlinks
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
• But applications have changed (SaaS, collaboration / media, personal applications)
- Ports ≠ Applications
- IP addresses ≠ Users
- Headers ≠ Content
Need to Restore Application Visibility & Control in the Firewall
Page 2 | © 2009 Palo Alto Networks. Proprietary and Confidential
Stateful Inspection Classification
The Common Foundation of Nearly All Firewalls
• Stateful Inspection classifies traffic by looking at the IP header
- source IP
- source port
- destination IP
- destination port
- protocol
• Internal table creates mapping to well-known protocols/ports
- HTTP = TCP port 80
- SMTP = TCP port 25
- SSL = TCP port 443
- etc, etc, etc…
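The two slides above make one claim: a stateful-inspection firewall classifies a flow by its 5-tuple and a port table, so "Ports ≠ Applications". The following added example (written for this page, not Palo Alto Networks code or any description of how App-ID works internally) puts a port-table classifier next to a deliberately tiny payload-aware classifier and runs both over constructed sample packets, so the cases where the port table is silent or simply wrong become visible. The packet structure, the port table, the few payload patterns and all sample payloads are assumptions made for the illustration.

```python
"""
Added example (not Palo Alto Networks code): port-based classification,
as a classic stateful-inspection firewall does it, beside a minimal
payload-aware classifier. All packets below are constructed sample data.
"""
from dataclasses import dataclass

# Port table of the kind a stateful-inspection firewall consults.
# Key: (IP protocol number, destination port). 6 = TCP.
WELL_KNOWN_PORTS = {
    (6, 80): "HTTP",
    (6, 25): "SMTP",
    (6, 443): "SSL",
    (6, 22): "SSH",
}


@dataclass(frozen=True)
class Packet:
    """Assumed packet shape: the 5-tuple plus the first application bytes."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int   # IP protocol number (6 = TCP, 17 = UDP)
    payload: bytes  # first bytes of the application data


def classify_by_port(pkt: Packet) -> str:
    """Stateful-inspection style: consult only the 5-tuple."""
    return WELL_KNOWN_PORTS.get((pkt.protocol, pkt.dst_port), "unknown")


def classify_by_payload(pkt: Packet) -> str:
    """Toy application identification from the first payload bytes.
    These patterns are illustrative assumptions, not a real signature set."""
    p = pkt.payload
    if p.startswith(b"SSH-"):
        return "SSH"
    if p[:2] == b"\x16\x03":            # TLS record type 22 (handshake), major version 3
        return "SSL"
    if any(p.startswith(m) for m in (b"GET ", b"POST ", b"PUT ", b"HEAD ")):
        return "HTTP"
    if p.startswith(b"EHLO ") or p.startswith(b"HELO "):
        return "SMTP"
    if p.startswith(b"\x13BitTorrent protocol"):
        return "BitTorrent"
    return "unknown"


def mismatches(packets):
    """Return (dst_port, port_label, payload_label) for every packet where
    the port table and the payload disagree. An empty list means the port
    table would have been a sufficient classifier for this traffic."""
    out = []
    for pkt in packets:
        by_port = classify_by_port(pkt)
        by_payload = classify_by_payload(pkt)
        if by_port != by_payload:
            out.append((pkt.dst_port, by_port, by_payload))
    return out


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    # Browser on the expected port: both classifiers agree.
    Packet("10.0.0.5", 51000, "203.0.113.10", 80, 6, b"GET / HTTP/1.1\r\nHost: example\r\n"),
    # HTTP on a non-standard port: the port table has no entry.
    Packet("10.0.0.5", 51001, "203.0.113.10", 8080, 6, b"POST /api HTTP/1.1\r\n"),
    # SSH tunnelled over the SSL port: the port table labels it SSL.
    Packet("10.0.0.5", 51002, "203.0.113.11", 443, 6, b"SSH-2.0-OpenSSH_example\r\n"),
    # BitTorrent handshake on port 80: the port table labels it HTTP.
    Packet("10.0.0.5", 51003, "203.0.113.12", 80, 6, b"\x13BitTorrent protocol" + b"\x00" * 8),
    # TLS handshake on 443: both classifiers agree.
    Packet("10.0.0.5", 51004, "203.0.113.13", 443, 6, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26"),
]

if __name__ == "__main__":
    for port, by_port, by_payload in mismatches(SAMPLE_PACKETS):
        print(f"dst_port={port:<5} port table says {by_port:<8} payload says {by_payload}")
```

Three of the five constructed packets are misclassified or unclassified by the port table alone, which is the gap the deck's "Ports ≠ Applications" line refers to. The payload matcher here only looks at a few leading bytes of cleartext; it says nothing about traffic inside an encrypted session, which is why the later PAN-OS 3.0 slide's SSL forward proxy matters for any classifier that wants to see the content rather than the port.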
Enterprise End Users Do What They Want
• The Application Usage & Risk Report from Palo Alto Networks highlights actual behavior of 960,000 users across 60 organizations:
- HTTP is the universal app protocol – 64% of BW, most HTTP apps not browser-based
- Video is king of the bandwidth hogs – 30x P2P filesharing
- Applications are the major unmanaged threat vector
• Business Risks: Productivity, Compliance, Operational Cost, Business Continuity and Data Loss
Firewall “Helpers” Are Not The Answer
• Complex to manage
• Expensive to buy and maintain
• Firewall “helpers” have limited view of traffic
• Ultimately, don’t solve the problem
The Right Answer: Make the Firewall Do Its Job
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Scan application content in real-time (prevent threats and data leaks)
4. Granular visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
Identification Technologies Transforming the Firewall
• App-ID – Identify the application
• User-ID – Identify the user
• Content-ID – Scan the content
Purpose-Built Architectures (PA-4000 Series)
[Block diagram: a Control Plane (dual-core CPU, RAM, HDD) linked by 10Gbps paths to a Data Plane made up of a Signature Match HW Engine, a Multi-Core Security Processor (CPUs 1 to 16, with SSL, IPSec and decompression hardware) and a 10 Gig Network Processor handling QoS, route / ARP / MAC lookup and NAT.]
Dedicated Control Plane
• Highly available mgmt
• High speed logging and route updates
Signature Match HW Engine
• Palo Alto Networks’ uniform signatures
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and other signatures
Multi-Core Security Processor
• High density processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
10 Gig Network Processor
• Front-end network processing offloads security processors
• Hardware accelerated QoS, route lookup, MAC lookup and NAT
PAN-OS Core Features
• Strong networking foundation:
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN
- Tap mode – connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- All interfaces (physical or logical) assigned to security zones
- L2/L3 switching foundation
• High Availability:
- Active / passive
- Configuration and session synchronization
- Path, link, and HA monitoring
• Virtualization:
- Establish multiple virtual systems to fully virtualize the device (PA-4000 & PA-2000 only)
• QoS traffic shaping
- Max, guaranteed and priority
- By user, app, interface, zone, and more
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
Flexible Deployment Options
Application Visibility
• Connect to span port
• Provides application visibility without inline deployment
Transparent In-Line
• Deploy transparently behind existing firewall
• Provides application visibility & control without networking changes
Firewall Replacement
• Replace existing firewall
• Provides application and network-based visibility and control, consolidated policy, high performance
Palo Alto Networks Next-Gen Firewalls

Model     Firewall throughput   Threat prevention   Sessions    Interfaces
PA-4060   10 Gbps               5 Gbps              2,000,000   4 XFP (10 Gig) I/O, 4 SFP (1 Gig) I/O
PA-4050   10 Gbps               5 Gbps              2,000,000   16 copper gigabit, 8 SFP interfaces
PA-4020   2 Gbps                2 Gbps              500,000     16 copper gigabit, 8 SFP interfaces
PA-2050   1 Gbps                500 Mbps            250,000     16 copper gigabit, 4 SFP interfaces
PA-2020   500 Mbps              200 Mbps            125,000     12 copper gigabit, 2 SFP interfaces
PA-500    250 Mbps              100 Mbps            50,000      8 copper gigabit
PAN-OS 3.0 Summary of Features
• Networking
- Quality of Service Enforcement
- SSL VPN
- IPv6 Firewall (Virtual Wire)
- IPsec Multiple Phase 2 SAs
- 802.3ad link aggregation
- PA-2000 virtual systems licenses (+5)
• App-ID
- Custom Web-based App-IDs
- Custom App-ID Risk and Timeouts
- CRL checking within SSL forward proxy
• Threat Prevention & URL Filtering
- Dynamic URL Filtering DB
- Increased signature capacity
- Threat Exception List
- CVE in Threat Profiles
• User Identification
- Citrix/Terminal Server User ID
- X-Forwarded-For (Proxy) Support
• Visibility and Reporting
- User Activity Report
• Management
- Multi-zone Rules
- Automated Config Backup in Panorama
- Role-based admins in Panorama
- SNMP Enhancements
  - Custom community string
  - Extended MIB support
- XML-based REST API
- Ability to Duplicate Objects
- Log Export Enhancements
  - Support for FTP
  - Scheduler
- Custom Admin Login Banner
- Web-based Tech Support Export
- Database indexing
- Configurable management I/O settings

Demo