What Did You Do At School Today Junior?
Ethan West – Palo Alto Networks Systems Engineer

279 schools. 1,000s of students. 1,200+ applications. 1 challenge: What do you really know about your network?

Frequency that external proxies were found on K-12 networks?
Frequency is defined as a single instance found on a network (n=279).
A total of 28 different proxies were in use, with an average of 4 external proxies found on 80% of the 279 K-12 networks.

Frequency that non-VPN related encrypted tunnels were found?
An average of 2 encrypted tunnel applications were found in 42% of the K-12 networks. SSH is excluded.

Students will find a way…
• Encrypted tunnels (Tor, UltraSurf, Hamachi) used to “hide”
• External proxies commonly used to bypass URL filtering
• Remote access commonly used to evade controls; known as a cyber-criminal target

Percentage of total bandwidth consumed by file transfer of all types?
P2P, browser-based and client-server filesharing applications consumed 9% of total bandwidth – roughly the same amount as seen in enterprise environments.

P2P Dwarfs All Other Filesharing Applications
The solution of choice for moving big files…

Average number of browser-based filesharing applications found on each network?
There were 64 browser-based filesharing variants found, with an average of 11 discovered on 95% of the K-12 networks.

Browser-Based File Sharing: Two Use Cases
Browser-based filesharing has two use cases: entertainment or productivity. Both have a common set of business and security risks that organizations must address.

The number of applications using Port 80 (tcp/80) only?
The number of applications that ONLY use port 80 is 278, or 26% of the 1,050 applications found on the participating K-12 networks.

Percentage of total bandwidth consumed by applications not using tcp/80?
30% of the total bandwidth is being consumed by applications (31% of the 1,050) that DO NOT USE port 80 at all. Ever.

Port 80 only security is shortsighted
The common perception is that port 80 (tcp/80) is where all the traffic and all the problems are. Emphasis on tcp/80 is an absolute requirement, but too much tcp/80 focus is shortsighted.

Junior’s application usage is sophisticated…
• These are not our parents’ applications – usage patterns are on par with those seen in the enterprise
• Applications that can hide or mask activity are common
• P2P, despite control efforts, is used heavily; browser-based filesharing is a hidden risk
• Port 80 is used heavily, but too much focus on it is shortsighted and high risk
Page 21 | © 2012 Palo Alto Networks. Proprietary and Confidential.

Applications Have Changed, Firewalls Haven’t
Network security policy is enforced at the firewall:
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work any more.

Technology Sprawl and Creep Aren’t the Answer
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address application “accessibility” features
(Diagram: Internet, then a stack of UTM, IPS, DLP, IM, AV, URL and Proxy helpers in front of the Enterprise Network)

More not always better…

The Answer? A capable Next Gen Security Platform
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment

The Benefits of Classifying Traffic in the Firewall
(Diagram: a single policy decision in the firewall: App-ID identifies the application, policy allows Facebook)
Key Difference | Benefit
Single firewall policy | Less work, more secure. Administrative effort is reduced; potential reconciliation holes eliminated.
Positive control model | Allow by policy, all else is denied. It’s a firewall.
Single log database | Less work, more visibility. Policy decisions based on complete information.
Systematic management of unknowns | Less work, more secure. Quickly identify high risk traffic and systematically manage it.

Multi-Step Scanning Ramifications
(Diagram: firewall with an App-Control add-on. Policy Decision #1: allow port 80, i.e. open ports to allow the application. Policy Decision #2: allow Facebook. 300+ applications allowed*. Facebook allowed… what about the other 299 apps?)
Key Difference | Ramifications
Two separate policies | More work. Two policies = double the admin effort (data entry, mgmt, etc.). Possible security holes. No policy reconciliation tools to find potential holes.
Two separate policy decisions | Weakens the firewall’s “deny all else” premise. Applications allowed by the port-based firewall decision.
Two separate log databases | Less visibility with more effort. Informed policy decisions require more effort, which slows reaction time.
No concept of unknown traffic | Increased risk. Unknown is found on every network = low volume, high risk. More work, less flexible. Significant effort to investigate; limited ability to manage it if it is found.
*Based on Palo Alto Networks Application Usage and Risk Report
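The two slides above contrast a port-based firewall with an application-control add-on (two policy decisions, two logs, a block list for known bad applications) against a single application-aware positive-control policy. The following is an added illustration, not Palo Alto Networks code and not a model of PAN-OS policy evaluation: it runs both simplified models over constructed flow records (hypothetical user, port and application names) and lists the flows the two-step model lets through that the positive-control policy denies, which is the "other 299 apps" and "unknown traffic" gap the slides describe.

```python
"""Two firewall policy models run over the same constructed flow records.

Added example (not Palo Alto Networks code). Application names, users
and ports are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    user: str
    dst_port: int
    app: str  # result of application identification; "unknown-tcp" if none


# Constructed sample flows. "p2p-variant-x" is a hypothetical new P2P client
# that the add-on's block list has not caught up with yet.
FLOWS = [
    Flow("student1", 80, "web-browsing"),
    Flow("student1", 443, "facebook"),
    Flow("student2", 80, "bittorrent"),      # P2P client hopping to tcp/80
    Flow("student2", 6881, "bittorrent"),    # same client on its native port
    Flow("student3", 443, "ultrasurf"),      # encrypted tunnel over tcp/443
    Flow("student4", 80, "p2p-variant-x"),   # not in the add-on's block list
    Flow("student5", 80, "unknown-tcp"),     # unidentified traffic on tcp/80
    Flow("teacher1", 443, "ssl"),
]

# --- Model A: port-based firewall plus application-control add-on ---------
PORT_POLICY_ALLOW = {80, 443}                    # decision #1: open ports
ADDON_BLOCK_LIST = {"bittorrent", "ultrasurf"}   # decision #2: block known bad apps


def legacy_verdict(flow: Flow, port_log: List[str], app_log: List[str]) -> str:
    """Two decisions, two logs. The add-on only sees traffic the port rule
    passed, and it is a block list, so anything it does not recognise
    (new variants, unknown traffic) is allowed by default."""
    if flow.dst_port not in PORT_POLICY_ALLOW:
        port_log.append(f"deny port={flow.dst_port} user={flow.user}")
        return "deny"
    port_log.append(f"allow port={flow.dst_port} user={flow.user}")
    if flow.app in ADDON_BLOCK_LIST:
        app_log.append(f"block app={flow.app} user={flow.user}")
        return "deny"
    app_log.append(f"pass app={flow.app} user={flow.user}")
    return "allow"


# --- Model B: single application-aware positive-control policy ------------
APP_POLICY_ALLOW = {"web-browsing", "facebook", "ssl"}   # allow by policy, deny all else


def ngfw_verdict(flow: Flow, log: List[str]) -> str:
    """One decision, one log, keyed on the identified application and user.
    Unknown traffic is denied and tagged so it can be investigated."""
    if flow.app.startswith("unknown-"):
        log.append(f"deny-unknown app={flow.app} port={flow.dst_port} user={flow.user}")
        return "deny"
    verdict = "allow" if flow.app in APP_POLICY_ALLOW else "deny"
    log.append(f"{verdict} app={flow.app} port={flow.dst_port} user={flow.user}")
    return verdict


def evaluate(flows: List[Flow]) -> List[Dict[str, object]]:
    """Run both models over every flow and return the paired verdicts."""
    port_log, addon_log, ngfw_log = [], [], []
    results = []
    for f in flows:
        results.append({
            "app": f.app,
            "port": f.dst_port,
            "legacy": legacy_verdict(f, port_log, addon_log),
            "ngfw": ngfw_verdict(f, ngfw_log),
        })
    return results


def reconciliation_gaps(flows: List[Flow]) -> List[Dict[str, object]]:
    """Flows the two-step model allows that the positive-control policy denies."""
    return [r for r in evaluate(flows) if r["legacy"] == "allow" and r["ngfw"] == "deny"]


if __name__ == "__main__":
    for r in evaluate(FLOWS):
        print(f"{r['app']:<15} tcp/{r['port']:<5} legacy={r['legacy']:<5} ngfw={r['ngfw']}")
    print("gaps:", [(g["app"], g["port"]) for g in reconciliation_gaps(FLOWS)])
```

Running the block prints a verdict per flow for each model; the two gaps it reports are the hypothetical new P2P client on tcp/80 and the unidentified tcp/80 traffic, both of which the port rule opens and the block-list add-on never sees a reason to stop. The positive-control policy denies both because they are not on the allow list, which is the "allow by policy, all else is denied" point of the first slide.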
Your Control With a Next-Generation Firewall
The ever-expanding universe of applications, services and threats
» Only allow the apps you need: safely enable the applications relevant to your business
» Traffic limited to approved business use cases based on App and User
» Attack surface reduced by orders of magnitude
» Complete threat library with no blind spots: bi-directional inspection; scans inside of SSL; scans inside compressed files; scans inside proxies and tunnels

Covering the entire Enterprise
• Network location: Data center / cloud; Enterprise perimeter; Distributed enterprise / BYOD
• Next-generation appliances: Physical: PA-200, PA-500, PA-3000 Series, PA-5000 Series; WildFire: WF-500; Virtual: VM-Series
• Subscription services: Threat Prevention, URL Filtering, GlobalProtect™, WildFire™
• Use cases: Next-Generation Firewall; Cybersecurity: IDS / IPS / APT; Web gateway; VPN
• Management system: Panorama and M-100 appliance
• Operating system: PAN-OS™

Addresses Three Key Business Problems
Safely Enable Applications
• Identify more than 1,900 applications, regardless of port, protocol, encryption, or evasive tactic
• Fine-grained control over applications / application functions (allow, deny, limit, scan, shape)
• Addresses the key deficiencies of legacy firewall infrastructure
• Systematic management of unknown applications
Prevent Threats
• Stop a variety of known threats – exploits (by vulnerability), viruses, spyware
• Detect and stop unknown threats with WildFire
• Stop leaks of confidential data (e.g., credit card #, social security #, file type)
• Enforce acceptable use policies on users for general web site browsing
Simplify Security Infrastructure
• Put the firewall at the center of the network security infrastructure
• Reduce complexity in architecture and operations

Magic Quadrant for Enterprise Network Firewalls
“Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward. It is assessed as a Leader, mostly because of its NGFW design, direction of the market along the NGFW path, consistent displacement of competitors, rapidly increasing revenue and market share, and market disruption that forces competitors in all quadrants to react.” Gartner, February 2013

Customer Example: Huron Valley Schools
Industry: K-12 Education
Statistics: School District in Oakland County supporting 9,800 students across 15 schools.
Problem
• Students circumventing IT security controls with tools such as UltraSurf and TOR
• No visibility into user behavior, application use
• Existing firewall not keeping up: rate of change in applications; difficult to maintain content filter; reaching throughput maximum; end of life
Solution / Results
• PA-3000 Series deployed as primary enterprise firewall
• Policy control by application and user
• No longer struggle to keep up with new / changed applications
• Improved performance
“Not only did the PA-3000 Series give us total control over all applications, we saw an increase in our Internet performance plus much easier administration.”