Applications Have Changed. Why Hasn’t the Firewall? Dave Smith 214.674.7854 [email protected] Von Nguyen 713.301.9929 [email protected]


Applications Have Changed. Why Hasn’t the Firewall?

Dave Smith

214.674.7854

[email protected]

Von Nguyen

713.301.9929

[email protected]

© 2008 Palo Alto Networks. Proprietary and Confidential.Page 2 |

About Palo Alto Networks

• Founded by security visionary Nir Zuk

• World class team with strong security and networking experience

• Built family of next generation firewalls with control of 600+ applications

• Named Gartner Cool Vendor in 2008

• Best of Interop Grand Prize, Best of Interop Security 2008


Leading Organizations Trust Palo Alto Networks

[Customer logos by sector: Health Care, Financial Services, Government, Mfg / High Tech / Energy, Education, Services, Media / Entertainment / Retail]

Why Palo Alto Networks?


Applications Have Changed – Firewalls Have Not

• The gateway at the trust border is the right place to enforce policy control

- Sees all traffic

- Defines trust boundary

• BUT… Applications Have Changed

- Ports ≠ Applications

- IP Addresses ≠ Users

- Packets ≠ Content

Need to Restore Visibility and Control in the Firewall

[Figure: application types crossing the trust border – Collaboration / Media, SaaS, Personal]
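The “Ports ≠ Applications” point above can be shown in a few lines. The following is an added illustration written for this page, not Palo Alto Networks code: it classifies the same sessions twice, once from the destination port (the legacy firewall’s view) and once from the first bytes the client sent (an App-ID style view), and applies a positive enforcement rule to the second. The signature table, the port table and the four sample sessions are constructed and deliberately small.

```python
"""Why 'Ports != Applications': a port-based view versus a payload-based view
of the same sessions.  Added example for illustration, not Palo Alto Networks
code; the signature table and the sample flows are constructed and simplified."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on the session


# What a port-based firewall assumes from the destination port alone.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 6881: "bittorrent"}

# Constructed payload signatures, checked in order; real engines carry many more.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("ssl", re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS handshake record header
    ("web-browsing", re.compile(rb"^(?:GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")),
]


def app_by_port(flow: Flow) -> str:
    """Legacy classification: trust the port number."""
    return PORT_TABLE.get(flow.dport, "unknown")


def app_by_payload(flow: Flow) -> str:
    """App-ID style classification: look at what the client actually sent."""
    for name, signature in SIGNATURES:
        if signature.match(flow.payload):
            return name
    return "unknown"


def classify(flow: Flow) -> dict:
    """Return both views plus a flag that is set when they disagree."""
    port_view = app_by_port(flow)
    app_view = app_by_payload(flow)
    return {"port_view": port_view, "app_view": app_view, "port_evaded": port_view != app_view}


def decide(flow: Flow, allowed_apps: set) -> str:
    """Positive enforcement: allow only listed applications, judged by payload."""
    return "allow" if app_by_payload(flow) in allowed_apps else "deny"


# Constructed sample sessions; two of them run on a port that does not match the application.
SAMPLE_FLOWS = [
    Flow("10.1.20.15", "93.184.216.34", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.1.20.22", "198.51.100.7", 443, b"SSH-2.0-OpenSSH_5.1\r\n"),
    Flow("10.1.30.7", "203.0.113.9", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),
    Flow("10.1.20.15", "93.184.216.34", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01"),
]


def evaded_flows(flows=SAMPLE_FLOWS) -> list:
    """Sessions whose real application differs from what the port suggests."""
    return [f for f in flows if classify(f)["port_evaded"]]


if __name__ == "__main__":
    policy = {"web-browsing", "ssl"}
    for f in SAMPLE_FLOWS:
        c = classify(f)
        print(f"{f.src} -> {f.dst}:{f.dport}  port says {c['port_view']:<13} "
              f"payload says {c['app_view']:<13} -> {decide(f, policy)}")
```

Run as a script, the output shows the SSH session on 443 and the BitTorrent handshake on 80 classified by what they are, and the allow-list applied to that result rather than to the port.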


Today’s Architecture – Appliance Bloat

[Figure: Internet-facing firewall surrounded by helper appliances – Packet Shaping, HTTP/FTP Proxy, IPS/IDS, Content-Filtering, IM Proxy, Logging/Reporting, User Correlation]

Present day firewalls require many “helper” appliances to try to stop the leakage. Unfortunately, application visibility and control is STILL lacking and the evasiveness continues unabated!


Palo Alto – Next Generation Firewall

Next-generation firewall based on App-ID™ traffic classification technology

• Identifies over 700 applications regardless of port, protocol or evasive tactic

• Policy based decryption, identification and control of SSL applications

• Application Command Center (ACC) for granular visibility & policy control of applications

• FlashMatch™ engine for real-time threat prevention

• Dedicated hardware processing for 10 Gbps in-line operation with no network degradation

• Designed to transparently augment existing firewall


Identification Technologies Change the Game

App-ID – Identify the application

User-ID – Identify the user

Content-ID – Scan the content


App-ID: Comprehensive Application Visibility

• Policy-based control over more than 600 applications distributed across five categories and 25 sub-categories

• Balanced mix of business, internet and networking applications and networking protocols

• ~ 5 new applications added weekly


Powerful Policy-Based Control

• Browse more than 600 applications based on name, category, technology or characteristic

• Immediately translate results into positive enforcement model firewall rules

• Examples:

- Allow all business and networking apps

- Allow IM but block file transfer capabilities

- Block all P2P

• Policy enforcement by end-user / group identities from Active Directory or IP address


Comprehensive Application Visibility

File Sharing (28): afp aim-file-transfer boxnet carbonite cvsup dotmac dropboks esnips foldershare ftp gtalk-file-transfer ibackup jubii mediamax megaupload mozy ms-ds-smb msn-file-transfer nfs omnidrive openomy rsync sosbackup tftp titanize uucp xdrive yahoo-file-transfer

General Internet (28): atom daytime dealio-toolbar discard echo facebook finger google-safebrowsing google-toolbar gopher hi5 livejournal msn-toolbar myspace nntp razor rsh rss rusers send-to-phone spark stumbleupon web-browsing web-crawler webdav webshots whois yahoo-toolbar

Instant Messaging (39): aim aim-audio aim-video camfrog ebuddy fix google-talk gtalk-voice ichat-av icq iloveim imhaha imvu irc jabber koolim mabber meebo meetro meebo-repeater meebome meetro messengerfx msn msn-video msn-voice myspace-im oovoo p10 qq radiusim spark-im swapper userplane webaim xfire yahoo-im yahoo-webcam yoomba zoho-im

Networking (sample of 154 total): Activenet bgp chargen compaq-peer dhcp dns eigrp gre icmp igmp ipip ipv6 isis mgcp ms-wins netbios-dg netbios-ns netbios-ss ospf pim rip stun vrrp

Proxy (10): bypass bypassthat hopster http-proxy http-tunnel httport jap pingfu socks socks2http

Database (7): Dabbledb db2 mssql-db mssql-mon mysql oracle postgres

Media (45): cooltalk eyejot flash folding-at-home foonz gizmo google-earth google-picasa h.245 h.323 http-audio http-video itunes joost lifecam live365 logitech-webcam metacafe miro mms move-networks neokast netmeeting pandora pna rdt rtmp rtp rtsp sccp shoutcast sip skype skype-probe sling socialtv sopcast teamspeak uusee vakaka ventrilo veohtv yahoo-voice youtube

Peer to Peer (34): 100bao allpeers applejuice ares azureus babelgum bittorrent direct-connect emule fasttrack flashget freenet generic-p2p gnutella goboogy hotline imesh kazaa mute neonet openft peerenabler poco pplive ppstream soribada soulseek tesla thecircle tvants vuze warez-p2p winmx xunlei

Remote Access (23): avocent beinsync citrix crossloop fastviewer foldera l2tp logmein ms-rdp netviewer pcanyware pptp r-exec r-services radmin rlogin teamviewer telnet unyte vnc x11 xdmcp

Email (7): blackberry imap ms-exchange outlook-web pop3 seven-email smtp

Business Applications (82): active-directory adobe-connect altiris apple-update avamar avaya-phone-ping backweb big-brother ca-mq-service campfire centriccrm convoq corba cpq-wbem cups cvs distcc dynamicintranet eiq-sec-analyzer elluminate eroom-host eroom-net filemaker flexnet gkrellm google-calendar google-desktop google-docs gotomeeting groupwise hp-jetdirect innovative ipp jaspersoft kaspersky kerberos ldap live-meeting lpd mcafee meeting-maker mount ms-dtc ms-frs ms-groove ms-iis ms-netlogon ms-scheduler ms-update msrpc nagios ncp ndmp norton-av ntp perforce portmapper radius rpc rstatd salesforce seamless-phenom securemeeting snmp snmp-trap soap spirent subversion symantec syslog tacacs tacacs-plus time trendmicro vmware vyew webex webex-weboffice ypserv yugma

Encrypted Tunnel (11): ciscovpn hamachi ike ipsec-ah ipsec-esp ipsec-esp-udp secure-access ssh ssl swipe tor

Webmail (7): aim-mail fastmail gmail hotmail myspace-mail yahoo-mail yousendit

Gaming (11): bomberclone knight-online little-fighter party-poker poker-stars source-engine steam subspace war-rock wolfenstein worldofwarcraft

Policy-based control for over 600 applications across categories


Content-ID: Real-Time Content Scanning

• Detect and block a wide range of threats, limit unauthorized file transfers and control non-work related web surfing

- Stream-based, not file-based, for real-time performance

  - Uniform signature engine scans for broad range of threats in single pass

  - Vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)

- Block a wide range of file transfers by type

  - Looks into file to determine type – not extension based

- Web filtering enabled via fully integrated URL database

  - 20M URLs across 54 categories

  - Local database ensures highly scalable solution (1,000’s!)
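The “looks into the file, not the extension” idea in the Content-ID slide is easy to demonstrate. The following is an added example written for this page, not Palo Alto Networks code: it types a transfer from its leading bytes, compares that with what the file name claims, and applies a block-by-type rule to the real type. The magic-number table, the extension table, the blocked-type set and the sample transfers are all constructed and kept small on purpose.

```python
"""Content-ID style file typing: identify a transferred file from its leading
bytes rather than its name, then apply a block-by-type policy.  Added example,
not Palo Alto Networks code; the magic-number table, extension table and the
sample transfers are constructed and deliberately small."""
import os

# Leading-byte signatures ("magic numbers") for a handful of common types.
MAGIC_NUMBERS = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),  # also docx/xlsx/jar, which are zip containers
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"Rar!\x1a\x07", "rar"),
]

# What the file name claims to be, which is all an extension-based filter sees.
EXTENSION_CLAIMS = {
    ".exe": "pe-executable", ".dll": "pe-executable", ".scr": "pe-executable",
    ".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".png": "png",
    ".jpg": "jpeg", ".jpeg": "jpeg", ".rar": "rar",
}

# Types the constructed policy blocks regardless of what the name says.
BLOCKED_TYPES = {"pe-executable", "elf-executable", "rar"}


def type_by_content(head: bytes) -> str:
    """Classify from the first bytes; only a small prefix of the stream is needed."""
    for magic, name in MAGIC_NUMBERS:
        if head.startswith(magic):
            return name
    return "unknown"


def type_by_extension(filename: str) -> str:
    """Classify from the file name only (the approach the slide contrasts against)."""
    ext = os.path.splitext(filename.lower())[1]
    return EXTENSION_CLAIMS.get(ext, "unknown")


def inspect_transfer(filename: str, head: bytes, blocked=BLOCKED_TYPES) -> dict:
    """Decide on a transfer by content type; report when the name disagrees."""
    actual = type_by_content(head)
    claimed = type_by_extension(filename)
    return {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        "mismatch": actual != claimed,
        "action": "block" if actual in blocked else "allow",
    }


# Constructed transfers: (file name as sent, first bytes of the content).
SAMPLE_TRANSFERS = [
    ("quarterly-report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # executable sent under a .pdf name
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("update.bin", b"Rar!\x1a\x07\x00"),               # archive under a neutral name
    ("notes.docx", b"PK\x03\x04\x14\x00\x06\x00"),
]


def review(transfers=SAMPLE_TRANSFERS) -> list:
    """Inspect every sample transfer and return the decisions."""
    return [inspect_transfer(name, head) for name, head in transfers]


if __name__ == "__main__":
    for r in review():
        flag = "  <-- name and content disagree" if r["mismatch"] else ""
        print(f"{r['filename']:<22} claimed={r['claimed']:<14} "
              f"actual={r['actual']:<14} {r['action']}{flag}")
```

The second and fourth transfers are the interesting ones: an extension-based filter would pass both, while typing from content blocks both and flags the name mismatch for the first of them.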


User-ID: Enterprise Directory Integration

• Users no longer defined solely by IP address

- Leverage existing Active Directory infrastructure

• Understand users’ application and threat behavior based on actual AD username, not just IP

• Manage and enforce policy based on user and/or AD group

• Investigate security incidents, generate custom reports

[Figure: Active Directory Server(s) and User Identification Agent(s)]
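The User-ID slide describes two steps: map an IP address to a directory user, then write and enforce policy in terms of users and AD groups. The following is an added example written for this page, not Palo Alto Networks code. It builds the IP-to-user table from constructed logon events (latest logon per IP wins, stale entries expire), then matches sessions against constructed group-based rules. The group memberships, the rule set, the mapping lifetime and the events are all assumptions made for the illustration; the second user on 10.1.20.15 shows why a stale mapping would matter.

```python
"""User-ID style enforcement: resolve the source IP of a session to a
directory user through recent logon events, then match rules written in terms
of AD groups and applications rather than IP addresses and ports.  Added
example, not Palo Alto Networks code; the logon events, group memberships,
rules and the mapping lifetime are all constructed for illustration."""
from datetime import datetime, timedelta

# Constructed logon events of the kind a user-identification agent would read
# from domain controllers: (timestamp, account, workstation IP).
LOGON_EVENTS = [
    ("2008-09-10T08:01:12", "CORP\\alice", "10.1.20.15"),
    ("2008-09-10T08:03:40", "CORP\\bob", "10.1.20.22"),
    ("2008-09-10T08:05:02", "CORP\\carol", "10.1.30.7"),
    ("2008-09-10T09:30:00", "CORP\\dave", "10.1.20.15"),  # same IP re-used by another user
]

# Constructed AD group memberships.
GROUPS = {
    "CORP\\alice": {"Finance"},
    "CORP\\bob": {"Engineering"},
    "CORP\\carol": {"Engineering", "IT-Admins"},
    "CORP\\dave": {"Contractors"},
}

# Mappings older than this are considered stale and discarded (constructed value).
MAPPING_LIFETIME = timedelta(hours=2)

# Constructed rules, evaluated top to bottom; first match wins.
# groups=None means the rule applies to any user, known or not.
RULES = [
    {"name": "admins-remote-access", "groups": {"IT-Admins"}, "apps": {"ssh", "ms-rdp"}, "action": "allow"},
    {"name": "staff-im", "groups": {"Finance", "Engineering"}, "apps": {"msn", "aim"}, "action": "allow"},
    {"name": "block-p2p", "groups": None, "apps": {"bittorrent", "emule"}, "action": "deny"},
    {"name": "contractors-web-only", "groups": {"Contractors"}, "apps": {"web-browsing", "ssl"}, "action": "allow"},
]
DEFAULT_ACTION = "deny"


def build_ip_user_map(events, now) -> dict:
    """Latest logon per IP wins; entries beyond MAPPING_LIFETIME are dropped."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    latest = {}
    for stamp, user, ip in events:
        seen = datetime.fromisoformat(stamp)
        if seen > now or now - seen > MAPPING_LIFETIME:
            continue
        if ip not in latest or seen > latest[ip][1]:
            latest[ip] = (user, seen)
    return {ip: user for ip, (user, _) in latest.items()}


def evaluate(src_ip: str, app: str, ip_user_map: dict) -> dict:
    """Match a session against the rules using the user's groups, not the IP."""
    user = ip_user_map.get(src_ip)
    groups = GROUPS.get(user, set()) if user else set()
    for rule in RULES:
        if app not in rule["apps"]:
            continue
        if rule["groups"] is not None and not (rule["groups"] & groups):
            continue
        return {"user": user or "unknown", "rule": rule["name"], "action": rule["action"]}
    return {"user": user or "unknown", "rule": "default", "action": DEFAULT_ACTION}


if __name__ == "__main__":
    table = build_ip_user_map(LOGON_EVENTS, "2008-09-10T10:00:00")
    for ip, app in [("10.1.30.7", "ssh"), ("10.1.20.22", "ssh"),
                    ("10.1.20.15", "msn"), ("10.9.9.9", "web-browsing")]:
        r = evaluate(ip, app, table)
        print(f"{ip:<12} {app:<13} user={r['user']:<12} rule={r['rule']:<22} {r['action']}")
```

Two things to note from the output: the same application (ssh) is allowed for carol and denied for bob purely on group membership, and the IM rule that would have matched alice no longer applies once dave has logged on from her former address.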


User-Based Application Visibility

• Drill into specific user activity

- Top users of an application

- List of applications used by a user

- Malware and other threats detected by user

• Application Command Center (ACC)

- View exactly what applications are running on the network

- View by top applications, high risk, and category


Enables Executive Visibility

Purpose-Built Architecture

Flash Matching HW Engine

• Palo Alto Networks’ uniform signatures

• Multiple memory banks – memory bandwidth scales performance

Multi-Core Security Processor

• High density processing for flexible security functionality

• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)

Dedicated Control Plane

• Highly available mgmt

• High speed logging and route updates

10 Gig Network Processor

• Front-end network processing offloads security processors

• Hardware accelerated QoS, route lookup, MAC lookup and NAT

[Block diagram: Control Plane (dual-core CPU, RAM, HDD) alongside Data Plane – 10Gbps in, Flash Matching Engine with four RAM banks, security CPUs 1..16 with RAM and SSL / IPSec / De-Compression offload, and the 10Gbps network processor handling QoS, Route/ARP/MAC lookup and NAT]


Flexible Deployment Options

Firewall Replacement

• Replace existing firewall

• Provides application and network-based visibility and control, consolidated policy, high performance

Application Visibility

• Connect to span port

• Provides application visibility without inline deployment

Transparent In-Line

• Deploy transparently behind existing firewall

• Provides application visibility & control without networking changes


Palo Alto Networks Next Generation Firewalls

[Chart: performance by model – Remote Office/Medium Enterprise: PA-2000 Series (500Mb, 1Gb); Large Enterprise: PA-4000 Series (2Gb, 10Gb, 10Gb with XFPs)]


PAN-OS Features

• Strong networking foundation:

- Dynamic routing (OSPF, RIPv2)

- Site-to-site IPSec VPN

- Tap mode – connect to SPAN port

- Virtual wire (“Layer 1”) for true transparent in-line deployment

- L2/L3 switching foundation

• Zone-based architecture:

- All interfaces assigned to security zones for policy enforcement

• Annual Subscriptions:

- Threat prevention +20%

- URL filtering +20%

• High Availability:

- Active / passive

- Configuration and session synchronization

- Path, link, and HA monitoring

• Virtual Systems:

- Establish multiple virtual firewalls in a single device (PA-4000 Series only)

• Legacy firewall support:

- Application-based rules complement inbound and outbound port-based firewall rules

Visibility and control of applications, users and content are complemented by core firewall features


PA-4000 Series Specifications

- 2U, 19” rack-mountable chassis

- Dual AC power supply, Removable 80GB hard drive

- Dedicated out-of-band management port

- 2 dedicated HA ports

- DB9 console port

PA-4020: 2 Gbps FW, 2 Gbps threat prevention, 500,000 sessions, 16 copper gigabit, 8 SFP interfaces, $35,000

PA-4050: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions, 16 copper gigabit, 8 SFP interfaces, $60,000

PA-4060: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions, 4 XFP interfaces, 4 SFP interfaces, $80,000


PA-2000 Series Specifications

- 1U rack-mountable chassis

- Single non-modular power supply

- Removable 80GB hard drive (Non hot-swappable)

- Dedicated out-of-band management port

- RJ-45 console port, user definable HA port

PA-2050: 1 Gbps FW, 500 Mbps threat prevention, 250,000 sessions, 16 copper gigabit, 4 SFP interfaces, $16,000

PA-2020: 500 Mbps FW, 200 Mbps threat prevention, 125,000 sessions, 12 copper gigabit, 2 SFP interfaces, $12,000

Customer Use Case Examples


“We now know what we didn’t know. And it’s scary what our users and contractors were doing.”

Mark Rein, Senior Director, Information Technology, Mercy Medical Center

Palo Alto Networks - Use Cases

MANY SOLUTION USE CASES and BENEFITS

• Application Visibility & Control

• User-based App Visibility & Control

• Real-time Threat Prevention

• Identify & Control SSL

• Content Security & DLP

• Monitor & Control Web Surfing

• Consolidate Security Devices @ Wire Speed

• Firewall Replacement

• Significant Human and Capital ROI


Customer Example: Nordson Corporation

“The PA-4020 has simplified the tasks of managing security at our remote site. And it gives us visibility that no one else can match, telling us exactly which applications are on the network.”

Tim Harr, Manager, Corporate Information Technologies, Nordson

Problem

• Needed cost-effective remote office security solution

• Was looking at a complex 3-box solution

Solution

• PA-4000 Series deployed as primary firewall for visibility and control over applications and threats

• Consolidates multiple devices

Results

• Complete coverage - firewall, application control, threat prevention - one box

• Easy remote management - one UI

• Deployed in 3 locations internationally including headquarters

Industry: Manufacturing

Statistics: 30 Countries, 4100 employees, 2007 revenue - US$994M


Customer Example: Greenhill Capital

“The PA-4000 Series enables us to manage applications and users – which are far more relevant to our business than ports and protocols.”

John Shaffer, Greenhill

Problem

• No visibility into which applications were running on the network

• Couldn’t control webmail; attachments and unmonitored email were a major issue

• Tired of adding appliances and vendors to security racks

Solution

• PA-4000 Series deployed as the firewall for visibility and control over applications

Results

• Complete coverage - firewall, application control, threat prevention - one box

• Easy remote management - one UI

• Easier vendor management – one support line, one vendor

Industry: Financial Services, M&A research and analysis

Statistics: 250 employees, 2007 revenue - US$400M


Customer Example: Constellation Energy

“The PA-4000 Series helps us be proactive in our security, allowing us to set and enforce application policies and protect our business assets much more effectively.”

Frank Chambers, Director of Information Security Management, Constellation Energy

Problem

• Lack of visibility and control over applications traversing the network.

• Want to be more proactive to enable more rapid deployment of new businesses and technology

• Heavy traffic across (2) DS3 pipes was forcing them to look at costly OC3 expansion

Solution

• PA-4000 Series provides unmatched visibility and control over applications and web traffic traversing the centralized Internet connections

Results

• Constellation found significant amounts of IM and P2P traffic traversing the network – which it is now able to control

Industry: Energy, Energy Trading

Statistics: F117, 9700 employees, 2007 revenue - US$21B


Customer Example: SanDisk Corporation

“With Palo Alto Networks, we are now for the first time able to identify rogue applications on the network such as P2P and Skype, and then block them accordingly.”

Justin Smith, Senior Network Engineer, SanDisk

Problem

• Unable to manage applications on the network – concerned about various “threats” moving over rogue applications

Solution

• PA-4000 Series brings increased visibility and control over applications and web traffic

Results

• Able to see which applications and users are utilizing the network

• Able to take action – created policies to permit/deny groups or specific applications/users

• Provide a level of assurance that networks are being used for business purposes

Industry: High-Tech Manufacturing

Statistics: 3000 employees, 2007 revenue - US$3.9B


Customer Example: Sisters of Mercy Health

“Palo Alto Networks enables us to provide real-time access to critical applications while stopping threats and risky applications.”

Dan Schulte, Manager of Network Security, Sisters of Mercy Health System

Problem

• Couldn’t manage which applications ran on the network

• Application-level threats impacting business

• IPS up for renewal

Solution

• PA-4000 Series consolidates firewall, URL filtering and threat prevention

• Enables visibility and control over applications, web traffic and threats

Results

• Visibility and control of applications

• Able to stop a broad range of threats (exploits, viruses, spyware)

Industry: Health Care

Statistics: 9 US States, 28,000 employees, over 4000 beds


Customer Example: Louis Dreyfus Energy

“Palo Alto Networks enables us not only to stop threats, but to understand how our networks are being used.”

Dave Baker, Manager, Systems Administration, Louis-Dreyfus Highbridge Energy

Problem

• Firewalls couldn’t stop threats

Solution

• PA-4000 Series enables visibility and control over applications and threats

Results

• Visibility and control of applications

• Able to stop a broad range of threats (exploits, viruses, spyware)

• Very happy with customer responsiveness and support

Industry: Financial Services

Statistics: 290 employees, 2007 enterprise value – US$1B


Customer Example: ESPN

“We needed an IPS that could keep up with our business, and that could deal with today’s threats.”

Scott Messina, Director of Security, ESPN

Problem

• ISS IPS was struggling to handle ESPN’s traffic load

Solution

• PA-4000 Series deployed primarily as a threat prevention solution

• Enables visibility and control over threats and applications

Results

• Visibility and control of applications

• Able to stop a broader range of threats (exploits, viruses, spyware) than previous IPS

• Integrates with Active Directory for user- and group-specific policy

• Performance that keeps pace with business

Industry: Media

Statistics: over 50 outlets – television, radio, publishing, ESPN.com


Customer Example: Nicolet National Bank

“We can now meet bank examiners’ expectations regarding visibility and control on our network.”

Jon Biskner, AVP and Chief Information Security Officer, Nicolet National Bank

Problem

• Couldn’t maintain security posture in the face of evasive application traffic

• Couldn’t control data leaving network

• Too many appliances

Solution

• PA-4000 Series deployed as primary firewall for visibility and control over applications and threats

Results

• Visibility, control and easier compliance

• Reducing and simplifying security infrastructure

Industry: Financial Services/Banking

Statistics: Regional; 6 branches, over $530M in assets


Customer Example: City and Schools of Staunton

“Our legacy firewall simply couldn’t deliver in terms of performance or visibility. The PA-4000 Series keeps pace easily, and provides a level of visibility and control that translates into real and enforceable acceptable use policies.”

Kurt Plowman, Chief Technology Officer, City of Staunton

Problem

• Existing port-based firewall could not keep up with traffic – slowing the business of the city

• Couldn’t manage which applications ran on the network

• Application-level threats impacting business

Solution

• PA-4000 Series consolidates multiple devices - enables visibility and control over applications, threats and web traffic

Results

• High-speed firewall

• Visibility and control of applications

• Able to stop a broad range of threats (exploits, viruses, spyware)

Industry: Government

Statistics: over 2000 employees and students


Customer Example: Lenox Hill Radiology

“After evaluating the PA-4000 Series, its ability to control applications and perform access control, as well as inspect content for threats and vulnerabilities – all through an easy, simple management structure – just blew us away.”

Joe Funaro, IT Director, Lenox Hill Radiology

Problem

• Application-level threats impacting business

• Looking at IPS + AV to stop threats

Solution

• PA-4000 Series deployed as primary firewall enabling application visibility and control

• Replaces multiple security appliances (firewall, IPS, Proxy, AV)

Results

• Visibility and control of applications

• Able to stop a broad range of threats (exploits, viruses, spyware)

• Firewall + application visibility + threat blocking in one policy, one appliance

Industry: Health Care

Statistics: 3 locations in New York Metro area, 400 employees


Customer Example: Western & Southern Insurance

“We had every security device imaginable, all in-line, but couldn’t stop layer 7 threats.”

Doug Ross, Chief Technology Officer, Western & Southern Financial Group

Problem

• Couldn’t tell what was on the network, despite firewall, IPS, DLP. Couldn’t catch L7 threats

Solution

• PA-4000 Series enables visibility and control over applications

Results

• Visibility into what’s on network

• Enable positive use of applications while controlling port-agile apps, ID malicious code on desktops that nothing else could find

• Long term, consolidate FW, URL filtering, IPS devices as they near end-of-life

Industry: Financial Services

Statistics: $4.8B, Ranked 480 on Fortune 1000 list, privately held


Customer Example: Sonic Solutions

“Our existing security solution is blind to traffic flowing across port 80. Palo Alto Networks provides us with user-based application visibility and control.”

Roger Blakely, VP of Information Security, Sonic Solutions

Problem

• Had no control over port 80 traffic, no ability to understand which users were doing what

Solution

• PA-4000 Series for application visibility and control

Results

• Visibility and control over applications and users traversing the network

• Long term will enable replacement of Cisco PIX and Fortinet firewalls

Industry: High tech, software development

Statistics: 600 employees, multiple sites worldwide


Customer Example: Garland ISD

“Not only did the PA-4000 Series give us total control over all applications, we saw a significant performance increase in our network performance.”

Neil Moss, Network Engineer, Garland ISD

Problem

• Students circumventing IT security controls with tools such as UltraSurf and TOR

- No visibility into user behavior, application use

• Existing firewalls not keeping up

- Rate of change in applications

- Sheer throughput

Solution

• PA-4000 Series deployed as primary enterprise firewall

Results

• Policy control by application and user

- No longer struggle to keep up with new/changed applications

• Improved performance

• Saved $80K in year one

Industry: K-12 Education

Statistics: Largest district in TX, 57,000 students, 12,000 employees, 74 sites

Palo Alto Networks - Competitive Advantages

• Application Level Visibility & Control (700+ Signatures)

• User-based & Group-based Visibility & Policy Control via Microsoft AD Integration

• Tightly integrated and Comprehensive Threat Prevention (URL filtering, Anti-Virus, Anti-Spyware, Anti-Malware & Anti-Vulnerability Protection)

• Aggressive Platform-based Subscription Pricing (vs. Costly User-based!)

• Embedded Virtual System Support (VSYS)

• Embedded Zone Protection (Denial of Service, Reconnaissance Port Scan)

• User-based Activity Reports and Ad-Hoc and Scheduled Reports

• Single Management Interface for all features on a single appliance

• Built-in Hardware/Software SSL Decryption capabilities

• 100% security protection during failover to the standby system

• Sensitive Data Protection - SSN & Credit Card numbers (Q4, 2008)

• Traffic Tagging Capability Now – Full Traffic Shaping Coming (1H, 2009)

Thank You!