PAN Ultimate Test Drive NGFW


PaloAlto Training


  • Palo Alto Networks

    Ultimate Test Drive - Next-Generation Firewall

    Presented by Secure Dynamics

    Hello and welcome to:

  • PALO ALTO NETWORKS AT-A-GLANCE

    CORPORATE HIGHLIGHTS

    Founded in 2005; first customer shipment in 2007

    Safely enabling applications and preventing cyber threats

    Able to address all enterprise cybersecurity needs

    Exceptional ability to support global customers

    Experienced team of 2,300+ employees

    Q3 FY15: $234M revenue

    [Chart: Revenues, $MM, FY09 to FY14: $13, $49, $119, $255, $396, $598]

    [Chart: Enterprise customers, Jul-11 to Jul-14: 4,700; 9,000; 13,500; 19,000]

    2 | 2015, Palo Alto Networks. Confidential and Proprietary.

  • WHAT'S CHANGED? THE EVOLUTION OF THE ATTACKER

    Cybercrime is now a $445 billion industry.

    Cyber warfare: 100+ nations.


  • WHAT'S CHANGED? THE EVOLUTION OF THE ATTACK

    [Chart: organizational risk rising through the following stages]

    Known Threats

    Zero-Day Exploits/Vulnerabilities

    Unknown & Polymorphic Malware

    Evasive Command-and-Control

    Lateral Movement

    Changing Application Environment

    SSL Encryption

    Mobile Threats


  • FAILURE OF LEGACY SECURITY ARCHITECTURES

    [Diagram: an enterprise network behind its Internet connection, protected by stacked point products from four vendors (Vendor 1 to Vendor 4): anti-APT for port 80 APTs, anti-APT for port 25 APTs, anti-APT cloud, network AV, endpoint AV, DNS protection cloud, DNS protection for outbound DNS, UTM/blades, plus a separate malware intelligence feed. Each product raises its own uncorrelated stream of DNS, endpoint, AV, SMTP and web alerts.]

    Limited Visibility. Manual Response. Lacks Integration.


  • REQUIREMENTS FOR THE FUTURE: DETECT AND PREVENT THREATS AT EVERY POINT ACROSS THE ORGANIZATION

    At the internet edge

    Between employees and devices within the LAN

    At the data center edge and between VMs

    At the mobile device

    Within private, public and hybrid clouds


  • DELIVERING A NEXT-GENERATION SECURITY PLATFORM

    Natively integrated. Extensible. Automated.

    Components: THREAT INTELLIGENCE CLOUD; NEXT-GENERATION FIREWALL; ADVANCED ENDPOINT PROTECTION


  • A COMPLETE ENTERPRISE SECURITY ARCHITECTURE

    [Diagram: Enterprise Network, Public Cloud and Private Cloud, all connected to the Threat Intelligence Cloud]


  • PALO ALTO NEXT GENERATION FIREWALL

    1. Identify applications regardless of port, protocol, evasive tactic or SSL

    2. Identify and control users regardless of IP address, location, or device

    3. Protect against known and unknown application-borne threats

    4. Fine-grained visibility and policy control over application access / functionality

    5. Multi-gigabit, low latency, in-line deployment


  • MULTI-STEP SCANNING RAMIFICATIONS

    [Diagram: two separate policy decisions for one session]

    Policy Decision #1: Firewall: Allow port 80 (open ports to allow the application)

    Policy Decision #2: App-Control Add-on: Allow Facebook

    300+ applications allowed* on the open port. Facebook is allowed; what about the other 299 apps?

    *Based on the Palo Alto Networks Application Usage and Risk Report

    Key Difference / Ramifications

    Two separate policies:
    More work. Two policies = double the admin effort (data entry, management, etc.).
    Possible security holes. No policy reconciliation tools to find potential holes.

    Two separate policy decisions:
    Weakens the firewall's "deny all else" premise. Applications are allowed by the port-based firewall decision.

    Two separate log databases:
    Less visibility with more effort. Informed policy decisions require more effort, which slows reaction time.

    No concept of unknown traffic:
    Increased risk. Unknown traffic is found on every network: low volume, high risk.
    More work, less flexible. Significant effort to investigate; limited ability to manage it if it is found.


  • BENEFITS OF CLASSIFYING TRAFFIC IN THE FIREWALL

    [Diagram: one policy decision for the session]

    Policy Decision: Firewall with App-ID: Allow Facebook

    Key Difference / Benefit

    Single firewall policy:
    Less work, more secure. Administrative effort is reduced; potential reconciliation holes are eliminated.

    Positive control model:
    Allow by policy, all else is denied. It's a firewall.

    Single log database:
    Less work, more visibility. Policy decisions are based on complete information.

    Systematic management of unknowns:
    Less work, more secure. Quickly identify high-risk traffic and systematically manage it.


  • OUR FUNDAMENTALLY NEW APPROACH TO ENTERPRISE SECURITY

    App-ID: Identify the application

    User-ID: Identify the user

    Content-ID: Scan the content


  • EXAMPLE: DNS

    [Diagram: the same port-53 traffic (DNS and BitTorrent) sent through a legacy firewall and through a next-generation firewall]

    Legacy firewall. Security rule: ALLOW Port 53. DNS packet on port 53: Allow. BitTorrent packet on port 53: Allow. Visibility: port 53 allowed.

    Next-generation firewall. Security rule: ALLOW DNS. DNS = DNS: Allow. BitTorrent on port 53 is not DNS: Deny. Visibility: BitTorrent detected and blocked.

  • EXAMPLE: BITTORRENT

    [Diagram: the legacy firewall is now paired with an application IPS; the next-generation firewall is unchanged]

    Legacy firewall + App IPS. Security rule: ALLOW Port 53; Application IPS rule: BLOCK Bittorrent. DNS packet on port 53: Allow. Bittorrent on port 53: passed by the firewall, then Bittorrent: Deny by the IPS. Visibility: Bittorrent detected and blocked.

    Next-generation firewall. Security rule: ALLOW DNS. DNS = DNS: Allow. Bittorrent on port 53 is not DNS: Deny. Visibility: Bittorrent detected and blocked.

  • EXAMPLE: ZERO-DAY MALWARE

    [Diagram: the same two deployments, now with zero-day command-and-control traffic on port 53 alongside DNS and Bittorrent]

    Legacy firewall + App IPS. Security rule: ALLOW Port 53; Application IPS rule: BLOCK Bittorrent. DNS packet on port 53: Allow. Bittorrent: Deny by the IPS. Zero-day C & C on port 53: the IPS only has a rule for Bittorrent, so C & C: Allow. Visibility: packet on port 53 allowed.

    Next-generation firewall. Security rule: ALLOW DNS. DNS = DNS: Allow. Bittorrent: Deny. Zero-day command & control is not DNS: Deny. Visibility: unknown traffic detected and blocked.
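    The three examples above (DNS, BitTorrent on port 53, zero-day C & C on port 53) and the two-policy-decision slide (Multi-Step Scanning Ramifications) share one idea: a port-based rule plus an add-on blocklist still lets through anything the blocklist has no entry for, while an application-based rule with a positive control model denies everything it cannot identify. The following is an added worked illustration, not part of the original deck and not Palo Alto Networks or PAN-OS code. It is a toy model: `classify_app` is a stand-in for App-ID that only recognises a DNS query header and the BitTorrent peer-wire handshake, the three policy functions are stand-ins for the three deployments in the slides, and the sample flows are constructed inline. It also goes one step past the slides with a DNS query on a non-standard port (5353), which the port-based rule denies and the application-based rule allows, matching point 1 on the NGFW slide ("regardless of port").

```python
"""Port-based vs. application-based policy decisions on the same flows.

Added illustration, not PAN-OS code. classify_app() is a deliberately small
stand-in for an application identification engine; the policy functions are
stand-ins for the three deployments on the slides. All sample flows below are
constructed for this example.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    dst_port: int
    payload: bytes  # first bytes of the session (constructed sample data)


def _looks_like_dns_query(p: bytes) -> bool:
    """Minimal check of a UDP DNS query (RFC 1035 header + one question); not a full parser."""
    if len(p) < 12 + 1 + 4:                      # header + shortest QNAME + QTYPE/QCLASS
        return False
    _txid, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", p[:12])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    if qr != 0 or opcode != 0 or qdcount != 1 or ancount != 0 or nscount != 0:
        return False
    i = 12                                       # walk the QNAME labels
    while True:
        if i >= len(p):
            return False
        n = p[i]
        if n == 0:                               # root label terminates the name
            i += 1
            break
        if n > 63:                               # label too long / compression pointer: not a plain query name
            return False
        i += 1 + n
    if len(p) < i + 4:
        return False
    _qtype, qclass = struct.unpack("!HH", p[i:i + 4])
    return qclass == 1                           # class IN


def classify_app(payload: bytes) -> str:
    """Return 'dns', 'bittorrent' or 'unknown' for the start of a session."""
    if payload.startswith(b"\x13BitTorrent protocol"):   # BitTorrent peer-wire handshake
        return "bittorrent"
    if _looks_like_dns_query(payload):
        return "dns"
    return "unknown"


def port_based_policy(flow: Flow) -> str:
    """Legacy firewall: Security Rule ALLOW Port 53."""
    return "allow" if flow.dst_port == 53 else "deny"


def port_based_plus_app_ips(flow: Flow, ips_blocklist=frozenset({"bittorrent"})) -> str:
    """Legacy firewall + application IPS: port rule first, then a negative blocklist."""
    if port_based_policy(flow) == "deny":
        return "deny"
    return "deny" if classify_app(flow.payload) in ips_blocklist else "allow"


def app_id_policy(flow: Flow, allowed_apps=frozenset({"dns"})) -> str:
    """Application-based rule with a positive control model: allow listed apps, deny all else (unknown included)."""
    return "allow" if classify_app(flow.payload) in allowed_apps else "deny"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A-record query (flags 0x0100 = RD set) for the sample flows."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


# Constructed sample flows: what the slides draw as DNS, Bittorrent and zero-day C & C on port 53.
SAMPLE_FLOWS = [
    Flow("dns", 53, build_dns_query("example.com")),
    Flow("bittorrent-on-53", 53, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20 + b"\xbb" * 20),
    Flow("unknown-c2-on-53", 53, b"\x7e\x01\x00\x00BEACON\x00v1\x00\x10\x20\x30\x40"),
    Flow("dns-on-5353", 5353, build_dns_query("example.com")),
]


def evaluate(flows=SAMPLE_FLOWS) -> dict:
    """Run every flow through all three policy models and return the decisions by flow name."""
    return {
        f.name: {
            "app": classify_app(f.payload),
            "port_fw": port_based_policy(f),
            "port_fw+app_ips": port_based_plus_app_ips(f),
            "app_id_fw": app_id_policy(f),
        }
        for f in flows
    }


if __name__ == "__main__":
    for name, d in evaluate().items():
        print(f"{name:18s} app={d['app']:10s} port_fw={d['port_fw']:5s} "
              f"port_fw+app_ips={d['port_fw+app_ips']:5s} app_id_fw={d['app_id_fw']}")
```

    Two caveats for anyone mapping this back to a real deployment. First, a production application identification engine classifies on signatures, protocol decoders and heuristics over the whole session, not a prefix check on the first packet, so this toy will be fooled by anything that starts with a valid-looking DNS header. Second, an App-ID rule that allows "dns" on any port is deliberately permissive here to show the "regardless of port" point; in PAN-OS a rule would normally also pin the service to application-default so that DNS is only allowed on its standard port.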

  • SAFELY ENABLE APPLICATIONS

    Visibility into all applications & users on the network

    Facilitate access: allow desired applications by user, limit high-risk features

    Reduce and control risk: remove threats from wanted traffic


  • MOBILE SECURITY: GlobalProtect protects the mobile workforce

    Use the enterprise security platform to extend security to laptops, mobile phones and tablets. Enforce policy no matter where users go.

    Mobile Threat Prevention: stop mobile exploits and malware; block access to dangerous websites and content.

    Protect the Network: contextually control access and enforce security policies based on application, user, and device state.

    Manage Applications & Data: manage mobile device settings & applications; inspect business traffic and protect business data while respecting the user's privacy.

  • COVERING THE ENTIRE ENTERPRISE

    Network location: Data center/cloud; Enterprise perimeter; Distributed/BYOD; Endpoint

    Use cases: Cybersecurity: IDS / IPS / APT; Web gateway; VPN

    Next-generation appliances (Next-Generation Firewall):
    Physical: PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050
    WildFire: WF-500
    Virtual: VM-Series & VM-Series-HV for NSX

    Subscriptions: URL Filtering, GlobalProtect, WildFire, Threat Prevention

    Endpoint: Traps

    Management system: Panorama, M-100 appliance, GP-100 appliance

    Operating system: PAN-OS


  • 2015 Magic Quadrant for Enterprise Network Firewalls

    Palo Alto Networks is proud to be named a Leader once again. We are now a four-time Magic Quadrant leader recognized for our ability to execute and completeness of vision.

    Gartner, Magic Quadrant for Enterprise Network Firewalls, Adam Hils, et al, April 22, 2015. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from go.paloaltonetworks.com/gartnermq2015. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

  • Thank you for attending!