PALO ALTO
SAFE APPLICATION ENABLEMENT
Palo Alto Networks at a Glance

Corporate Highlights
• Disruptive Network Security Platform
• Safely Enabling Applications
• Able to Address All Network Security Needs
• Exceptional Growth and Global Presence
• Experienced Technology and Management Team
• 800+ Employees

[Charts: Enterprise Customers – Jul-10: 1,800; Jul-11: 4,700; Jul-12: 9,000. Revenue ($MM, FYE July) – FY09: $13; FY10: $49; FY11: $119; FY12: $255]
3 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Applications Get Through the Firewall
Network security policy is enforced at the firewall
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work any more
Applications Get Through the Firewall: Threats
Threats target applications
• Used as a threat vector
• Application specific exploits
Applications Get Through the Firewall: Exfiltration
Applications provide exfiltration
• Threat communication
• Confidential data
Applications Get Through the Firewall: Encryption
What happens when traffic is encrypted?
• SSL
• Proprietary encryption
Technology Sprawl and Creep Aren’t the Answer
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address application control challenges
[Diagram: Enterprise Network connected to the Internet through a chain of firewall “helper” appliances – IM, DLP, IPS, Proxy, URL, AV, UTM]
The Answer? Make the Firewall Do Its Job
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
Why Visibility & Control Must Be In The Firewall

Application Control as an Add-on
• Port-based FW + App Ctrl (IPS) = two policies
• Applications are threats; only block what you expressly look for
Implications
• Network access decision is made with no information
• Cannot safely enable applications
[Diagram: Traffic → Firewall (port policy decision) → IPS (app control policy decision) → Applications]

NGFW Application Control
• Application control is in the firewall = single policy
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
[Diagram: Application traffic → Firewall (app control policy decision) → IPS (scan application for threats) → Applications]
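The add-on versus in-the-firewall contrast above, as an added example that is not part of the original deck: a toy Python classifier that identifies an application from the first payload bytes regardless of destination port (a stand-in for the App-ID idea, not Palo Alto Networks’ implementation), then evaluates the same constructed flows against a port-based policy and an application-based policy. The signatures, hostnames and flows are constructed for illustration.

```python
# Added example (not from the slide deck): contrast a port-based firewall
# decision with an application-identity decision on the same flows.
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes the client sends (constructed sample data)


def identify_app(flow: Flow) -> str:
    """Classify by what the payload looks like, ignoring the destination port."""
    p = flow.payload
    if p.startswith(b"SSH-"):
        return "ssh"
    if p.startswith(b"\x16\x03"):  # TLS record header: handshake, version 3.x
        return "ssl"
    if p.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "web-browsing"
    if p[:1] == b"\x13" and p[1:20] == b"BitTorrent protocol":
        return "bittorrent"
    return "unknown"


def port_policy(flow: Flow) -> str:
    """Legacy decision: the only information available is the port."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


def app_policy(flow: Flow, allowed_apps=("web-browsing", "ssl")) -> str:
    """NGFW-style decision: allow by application identity, block everything else."""
    return "allow" if identify_app(flow) in allowed_apps else "deny"


# Constructed sample flows; the last two sit on "web" ports to slip past a port rule.
SAMPLE_FLOWS = {
    "https": Flow(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    "http": Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "ssh_on_22": Flow(22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "ssh_on_443": Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "torrent_on_80": Flow(80, b"\x13BitTorrent protocol" + b"\x00" * 8),
}


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Return {name: (app, port_decision, app_decision)} for each sample flow."""
    return {n: (identify_app(f), port_policy(f), app_policy(f)) for n, f in flows.items()}


if __name__ == "__main__":
    for name, (app, port_dec, app_dec) in compare().items():
        print(f"{name:14} app={app:13} port-policy={port_dec:5} app-policy={app_dec}")
```

The port policy admits the SSH and BitTorrent flows on 443 and 80 because the port is all it can see, while the application policy denies them and still allows genuine HTTP and TLS.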
Enabling Applications, Users and Content
• Applications: Safe enablement begins with application classification by App-ID.
• Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
• Content: Scanning content and protecting against all threats – both known and unknown; with Content-ID and WildFire.
Single-Pass Parallel Processing™ (SP3) Architecture

Single Pass
• Operations once per packet
  – Traffic classification (app identification)
  – User/group mapping
  – Content scanning – threats, URLs, confidential data
• One policy

Parallel Processing
• Function-specific parallel processing hardware engines
• Separate data/control planes

Up to 20Gbps, Low Latency
PAN-OS Core Firewall Features
• Strong networking foundation
  – Dynamic routing (BGP, OSPF, RIPv2)
  – Tap mode – connect to SPAN port
  – Virtual wire (“Layer 1”) for true transparent in-line deployment
  – L2/L3 switching foundation
  – Policy-based forwarding
• VPN
  – Site-to-site IPSec VPN
  – SSL VPN
• QoS traffic shaping
  – Max/guaranteed and priority
  – By user, app, interface, zone, & more
  – Real-time bandwidth monitor
• Zone-based architecture
  – All interfaces assigned to security zones for policy enforcement
• High Availability
  – Active/active, active/passive
  – Configuration and session synchronization
  – Path, link, and HA monitoring
• Virtual Systems
  – Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, and PA-2000 Series)
• Simple, flexible management
  – CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content complement core firewall features
Palo Alto Networks NGFW Hardware Platforms

Model   | Firewall Throughput | Threat Prevention Throughput | Ports                                            | Session Capacity
PA-5060 | 20 Gbps             | 10 Gbps                      | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 4,000,000
PA-5050 | 10 Gbps             | 5 Gbps                       | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 2,000,000
PA-5020 | 5 Gbps              | 2 Gbps                       | 8 SFP, 12 copper gigabit                          | 1,000,000
PA-4060 | 10 Gbps             | 5 Gbps                       | 4 XFP (10 Gig), 4 SFP (1 Gig)                     | 2,000,000
PA-4050 | 10 Gbps             | 5 Gbps                       | 8 SFP, 16 copper gigabit                          | 2,000,000
PA-4020 | 2 Gbps              | 2 Gbps                       | 8 SFP, 16 copper gigabit                          | 500,000
PA-3050 | 4 Gbps              | 2 Gbps                       | 8 SFP, 12 copper gigabit                          | 500,000
PA-3020 | 2 Gbps              | 1 Gbps                       | 8 SFP, 12 copper gigabit                          | 250,000
PA-2050 | 1 Gbps              | 500 Mbps                     | 4 SFP, 16 copper gigabit                          | 250,000
PA-2020 | 500 Mbps            | 250 Mbps                     | 8 copper gigabit                                  | 125,000
PA-500  | 250 Mbps            | 100 Mbps                     | 8 copper gigabit                                  | 64,000
PA-200  | 100 Mbps            | 50 Mbps                      | 4 copper gigabit                                  | 64,000
Palo Alto Networks NGFW Virtualized Platforms
• Delivers the same next-generation firewall features available in our hardware platforms in a virtualized form-factor

Capacities
Model  | Sessions | Rules | Security Zones | Address Objects | IPSec VPN Tunnels | SSL VPN Tunnels
VM-100 | 50,000   | 250   | 10             | 2,500           | 25                | 25
VM-200 | 100,000  | 2,000 | 20             | 4,000           | 500               | 200
VM-300 | 250,000  | 5,000 | 40             | 10,000          | 2,000             | 500

Performance
Cores Allocated | Firewall (App-ID) | Threat Prevention | VPN      | Sessions per Second
2 Core          | 500 Mbps          | 200 Mbps          | 100 Mbps | 8,000
4 Core          | 1 Gbps            | 600 Mbps          | 250 Mbps | 8,000
8 Core          | 1 Gbps            | 1 Gbps            | 400 Mbps | 8,000

• Supported on VMware ESX/ESXi 4.0 or later
• Minimum of 2 dedicated CPU cores, 4GB dedicated RAM, 40GB HD, 2 interfaces
• Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames
NGFW in the Enterprise Network

Perimeter
• App visibility and control in the firewall
• All apps, all ports, all the time
• Prevent threats
• Known threats
• Unknown/targeted malware
• Simplify security infrastructure

Data Center
• Network segmentation
• Based on application and user, not port/IP
• Simple, flexible network security
• Integration into all DC designs
• Highly available, high performance
• Prevent threats

Distributed Enterprise
• Consistent network security everywhere
• HQ/branch offices/remote and mobile users
• Logical perimeter
• Policy follows applications and users, not physical location
• Centrally managed
Addresses Three Key Business Problems
• Identify and Control Applications
  – Identifies over 1,500 applications, regardless of port, protocol, encryption, or evasive tactic
  – Fine-grained control over applications (allow, deny, limit, scan, shape)
  – Addresses the key deficiencies of legacy firewall infrastructure
• Prevent Threats
  – Stop a variety of known threats – exploits (by vulnerability), viruses, spyware
  – Detect and stop unknown threats with WildFire
  – Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
  – Enforce acceptable use policies on users for general web site browsing
• Simplify Security Infrastructure
  – Put the firewall at the center of the network security infrastructure
  – Reduce complexity in architecture and operations
Many Third Parties Reach Same Conclusion
• Gartner Enterprise Network Firewall Magic Quadrant – Palo Alto Networks leading the market
• Forrester IPS Market Overview – Strong IPS solution; demonstrates effective consolidation
• NetworkWorld Test – Most stringent NGFW test to date; validated sustained performance and key differences
• NSS Tests
  – IPS: Palo Alto Networks NGFW tested against competitors’ standalone IPS devices; NSS Recommended
  – Firewall: traditional port-based firewall test; Palo Alto Networks most efficient by a wide margin; NSS Recommended
  – NGFW: Palo Alto Networks best combination of protection, performance, and value; NSS Recommended (1 of only 3)