Palo Alto Networks Product Overview
Karsten Dindorp, Computerlinks
© 2009 Palo Alto Networks. Proprietary and Confidential. Page 2
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
[Diagram: application categories crossing the trust border – Collaboration / Media, SaaS, Personal]
• But applications have changed
- Ports ≠ Applications
- IP addresses ≠ Users
- Headers ≠ Content
Need to Restore Application Visibility & Control in the Firewall
Stateful Inspection Classification: The Common Foundation of Nearly All Firewalls
• Stateful Inspection classifies traffic by looking at the IP header
- source IP
- source port
- destination IP
- destination port
- protocol
• Internal table creates mapping to well-known protocols/ports
- HTTP = TCP port 80
- SMTP = TCP port 25
- SSL = TCP port 443
- etc, etc, etc…
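As an added illustration (not from the deck, and not Palo Alto Networks code) of why the port table above is not enough: a classifier that decides from the 5-tuple alone sits beside a minimal payload-aware one, and both are run over constructed sample flows. The Flow fields, the handful of protocol signatures and the sample payloads are assumptions for the example; a production App-ID engine uses far richer signatures and decoders.

```python
from dataclasses import dataclass

# Well-known port table of the kind classic stateful inspection consults
PORT_TABLE = {80: "HTTP", 25: "SMTP", 443: "SSL", 22: "SSH"}

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    payload: bytes   # first bytes sent by the client (constructed sample data)

def classify_by_port(flow: Flow) -> str:
    """Stateful-inspection style: decide from the 5-tuple alone."""
    if flow.proto != "tcp":
        return "unknown"
    return PORT_TABLE.get(flow.dst_port, "unknown")

def classify_by_payload(flow: Flow) -> str:
    """Content-aware: decide from the first client bytes, ignoring the port."""
    p = flow.payload
    if p.startswith(b"SSH-"):                           # SSH version banner
        return "SSH"
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:   # TLS handshake record
        return "SSL"
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT"):
        return "HTTP"
    if p.upper().startswith((b"EHLO", b"HELO")):        # client's first SMTP command
        return "SMTP"
    return "unknown"

def port_app_mismatch(flow: Flow) -> bool:
    """True when port table and payload disagree: a blind spot for port-based policy."""
    by_payload = classify_by_payload(flow)
    return by_payload != "unknown" and classify_by_port(flow) != by_payload

# Constructed sample flows (not real traffic)
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 51000, "203.0.113.10", 80, "tcp", b"GET / HTTP/1.1\r\n"),
    Flow("10.0.0.5", 51001, "203.0.113.10", 443, "tcp", b"SSH-2.0-OpenSSH_7.9\r\n"),
    Flow("10.0.0.7", 51002, "203.0.113.20", 8080, "tcp", b"POST /api HTTP/1.1\r\n"),
]

def find_mismatches(flows=SAMPLE_FLOWS):
    """(dst_port, port verdict, payload verdict) for every flow the port table gets wrong."""
    return [(f.dst_port, classify_by_port(f), classify_by_payload(f))
            for f in flows if port_app_mismatch(f)]
```

The two mismatched sample flows (SSH carried on 443, HTTP on 8080) are exactly the cases a port-only rule base silently allows or denies under the wrong label.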
Enterprise End Users Do What They Want
• The Application Usage & Risk Report from Palo Alto Networks highlights actual behavior of 960,000 users across 60 organizations:
- HTTP is the universal app protocol – 64% of BW, most HTTP apps not browser-based
- Video is king of the bandwidth hogs – 30x P2P filesharing
- Applications are the major unmanaged threat vector
• Business Risks: Productivity, Compliance, Operational Cost, Business Continuity and Data Loss
Firewall “Helpers” Are Not the Answer
• Complex to manage
• Expensive to buy and maintain
• Firewall “helpers” have a limited view of traffic
• Ultimately, they don’t solve the problem
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Scan application content in real-time (prevent threats and data leaks)
4. Granular visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
The Right Answer: Make the Firewall Do Its Job
Identification Technologies Transforming the Firewall
App-ID: Identify the application
User-ID: Identify the user
Content-ID: Scan the content
Purpose-Built Architectures (PA-4000 Series)
Signature Match HW Engine
• Palo Alto Networks’ uniform signatures
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and other signatures
Multi-Core Security Processor
• High density processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
Dedicated Control Plane
• Highly available mgmt
• High speed logging and route updates
10 Gig Network Processor
• Front-end network processing offloads security processors
• Hardware accelerated QoS, route lookup, MAC lookup and NAT
[Diagram: PA-4000 block diagram. Control Plane: dual-core CPU, RAM, HDD. Data Plane: signature match engine with RAM; multi-core security processor CPU1 … CPU16 with RAM plus SSL, IPSec and de-compression acceleration; network processor with RAM handling QoS, route/ARP/MAC lookup and NAT; 10Gbps paths between the blocks.]
PAN-OS Core Features
• Strong networking foundation:
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN
- Tap mode – connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation
• QoS traffic shaping
- Max, guaranteed and priority
- By user, app, interface, zone, and more
• High Availability:
- Active / passive
- Configuration and session synchronization
- Path, link, and HA monitoring
• Virtualization:
- All interfaces (physical or logical) assigned to security zones
- Establish multiple virtual systems to fully virtualize the device (PA-4000 & PA-2000 only)
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
Flexible Deployment Options
Application Visibility
• Connect to span port
• Provides application visibility without inline deployment
Transparent In-Line
• Deploy transparently behind existing firewall
• Provides application visibility & control without networking changes
Firewall Replacement
• Replace existing firewall
• Provides application and network-based visibility and control, consolidated policy, high performance
Palo Alto Networks Next-Gen Firewalls
PA-4050
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
PA-4020
• 2 Gbps FW
• 2 Gbps threat prevention
• 500,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
PA-4060
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 4 XFP (10 Gig) I/O
• 4 SFP (1 Gig) I/O
PA-2050
• 1 Gbps FW
• 500 Mbps threat prevention
• 250,000 sessions
• 16 copper gigabit
• 4 SFP interfaces
PA-2020
• 500 Mbps FW
• 200 Mbps threat prevention
• 125,000 sessions
• 12 copper gigabit
• 2 SFP interfaces
PA-500
• 250 Mbps FW
• 100 Mbps threat prevention
• 50,000 sessions
• 8 copper gigabit
PAN-OS 3.0 Summary of Features
• Networking
- Quality of Service Enforcement
- SSL VPN
- IPv6 Firewall (Virtual Wire)
- IPsec Multiple Phase 2 SAs
- 802.3ad link aggregation
- PA-2000 virtual systems licenses (+5)
• App-ID
- Custom Web-based App-IDs
- Custom App-ID Risk and Timeouts
- CRL checking within SSL forward proxy
• Threat Prevention & URL Filtering
- Dynamic URL Filtering DB
- Increased signature capacity
- Threat Exception List
- CVE in Threat Profiles
• User Identification
- Citrix/Terminal Server User ID
- Proxy X-Forwarded-For Support
• Visibility and Reporting
- User Activity Report
• Management
- Multi-zone Rules
- Automated Config Backup in Panorama
- Role-based admins in Panorama
- SNMP Enhancements (custom community string, extended MIB support)
- XML-based REST API
- Ability to Duplicate Objects
- Log Export Enhancements (support for FTP scheduler)
- Custom Admin Login Banner
- Web-based Tech Support Export
- Database indexing
- Configurable management I/O settings
Demo