Palo Alto Networks VM-Series
for VMware vCloud® AirTM
Next-Generation Security for Hybrid Clouds
Palo Alto Networks
24-Aug-2015
© 2014 VMware Inc. All rights reserved.
vCloud Air Security Requirements
• Cloud environments provide basic security
– Security is a shared responsibility between cloud provider and customer
– Port and protocol security is not sufficient
• Cloud environments lack
– visibility and control of applications and traffic sources
– protection against known and unknown threats (APTs)
The VM-Series can be deployed to protect the green highlighted use cases
CONFIDENTIAL
2
Securing Applications and Data in vCloud Air
• Step 1: Import VM-Series OVF using vCloud Director or OVF Tool
– Deploy the VM-Series behind the Edge Gateway with destination NAT and static routes
• Step 2: VM-Series as the gateway/perimeter firewall
– Protect your public facing deployments in vCloud Air with a next generation firewall
• Step 3: Securely extend the data center into the cloud
– Use the VM-Series to control applications and users accessing the cloud over IPSec
• Step 4: Protect against lateral threats between subnets and app-tiers
– Use the VM-Series to control traffic between vApp subnets in the vDC
CONFIDENTIAL
3
Improving Security in vCloud Air Deployments
• Identify and control applications
– Control applications based on their behavior and identity - not the port they use
– Restrict application usage based on user identity - not just IP address
• Prevent known and unknown threats
– Block known exploits, malware and inbound command-and-control communications
– Block known malicious URLs and IP addresses
– Analyze files and email links to detect previously unknown threats; automatically deliver
protections globally
• Streamline management and policy updates
– Single management interface can manage both physical and virtual firewalls
• Flexible integration options
– REST-based API enables integration with 3rd party ecosystem of partner solutions
CONFIDENTIAL
4
Licensing and Deployment Options
• VM-Series Next-Generation firewall
– Same security features as the physical firewalls
– Consistent management interfaces: web UI, CLI, REST API
– Manage both physical and virtual versions centrally with Panorama
• Available through a bring your own license (BYOL) model
– VM-Series for ESXi
– All SKU’s: VM-100, -200, -300, -1000-HV
– Subscriptions: Threat Prevention, WildFire, URL Filtering, GlobalProtect
• How to deploy
– Import VM-Series into vCloud Air just like any other VM
– Deploy in L3 mode and add license authcode
For Partners: Expand Business Opportunities
• Leverage a partnership that is multi-level and now 2 years+ old
– Executive, product management, field sales and marketing
– Proven in the market and in customer deployments
• Improve customer data center security posture
– Visibility and control over applications, not ports
– Micro-segmentation using zero-trust principles
– Prevent known and unknown threats both North-South and East-West
• Engage in long term, business critical projects that bring:
– Significant architecture and design opportunities
– Trusted advisor status and ongoing revenue streams
• Expand your business partnerships and competencies
– Security market is roughly $16B
– The 5 year life time value of our customer base is 10X the initial purchase
Thank You