tenishan-fernando
PaloAlto Training
Hello and welcome to:
Palo Alto Networks
Ultimate Test Drive - Next-Generation Firewall
Presented by Secure Dynamics
PALO ALTO NETWORKS AT-A-GLANCE
CORPORATE HIGHLIGHTS
Founded in 2005; first customer shipment in 2007
Safely enabling applications and preventing cyber threats
Able to address all enterprise cybersecurity needs
Exceptional ability to support global customers
Experienced team of 2,300+ employees
Q3 FY15: $234M revenue
[Chart: REVENUES ($MM), FY09 to FY14; bar labels: $13, $49, $119, $255, $396, $598]
[Chart: ENTERPRISE CUSTOMERS, Jul-11 to Jul-14; bar labels: 4,700, 9,000, 13,500, 19,000]
2015, Palo Alto Networks. Confidential and Proprietary.
WHAT'S CHANGED? THE EVOLUTION OF THE ATTACKER
CYBERCRIME NOW: $445 billion industry
CYBER WARFARE: 100+ nations
WHAT'S CHANGED? THE EVOLUTION OF THE ATTACK
Organizational Risk:
Known Threats
Zero-Day Exploits/Vulnerabilities
Unknown & Polymorphic Malware
Evasive Command-and-Control
Lateral Movement
Changing Application Environment:
SSL Encryption
Mobile Threats
FAILURE OF LEGACY SECURITY ARCHITECTURES
Limited Visibility, Manual Response, Lacks Integration
[Diagram labels: Internet; Enterprise Network; Internet Connection; Malware Intelligence; Vendor 1 to Vendor 4; UTM/Blades; Anti-APT for port 80 APTs; Anti-APT for port 25 APTs; Anti-APT cloud; Network AV; Endpoint AV; DNS protection for outbound DNS; DNS protection cloud. Alerts shown: DNS Alert, Endpoint Alert, AV Alert, SMTP Alert, Web Alert.]
REQUIREMENTS FOR THE FUTURE
DETECT AND PREVENT THREATS AT EVERY POINT ACROSS THE ORGANIZATION
At the internet edge
Between employees and devices within the LAN
At the data center edge and between VMs
At the mobile device
Cloud: within private, public and hybrid clouds
DELIVERING A NEXT-GENERATION SECURITY PLATFORM
NATIVELY INTEGRATED
EXTENSIBLE
AUTOMATED
THREAT INTELLIGENCE CLOUD
NEXT-GENERATION FIREWALL
ADVANCED ENDPOINT PROTECTION
A COMPLETE ENTERPRISE SECURITY ARCHITECTURE
Enterprise Network
Public Cloud
Private Cloud
THREAT INTELLIGENCE CLOUD
PALO ALTO NEXT GENERATION FIREWALL
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
MULTI-STEP SCANNING RAMIFICATIONS
Policy Decision #1: Firewall, Allow port 80. Open ports to allow the application.
Policy Decision #2: App-Control Add-on, Applications: Allow Facebook.
300+ applications allowed*
Facebook allowed... what about the other 299 apps?
*Based on Palo Alto Networks Application Usage and Risk Report
Key Difference: Ramifications
- Two separate policies: More work. Two policies = double the admin effort (data entry, mgmt, etc.). Possible security holes. No policy reconciliation tools to find potential holes.
- Two separate policy decisions: Weakens the FW "deny all else" premise. Applications allowed by port-based FW decision.
- Two separate log databases: Less visibility with more effort. Informed policy decisions require more effort, which slows reaction time.
- No concept of unknown traffic: Increased risk. Unknown is found on every network = low volume, high risk. More work, less flexible. Significant effort to investigate; limited ability to manage if it is found.
BENEFITS OF CLASSIFYING TRAFFIC IN THE FIREWALL
Policy Decision: Firewall App-ID, Allow Facebook.
Key Difference: Benefit
- Single firewall policy: Less work, more secure. Administrative effort is reduced; potential reconciliation holes eliminated.
- Positive control model: Allow by policy, all else is denied. It's a firewall.
- Single log database: Less work, more visibility. Policy decisions based on complete information.
- Systematic management of unknowns: Less work, more secure. Quickly identify high risk traffic and systematically manage it.
OUR FUNDAMENTALLY NEW APPROACH TO ENTERPRISE SECURITY
App-ID: Identify the application
User-ID: Identify the user
Content-ID: Scan the content
EXAMPLE: DNS
Firewall, Security Rule: ALLOW DNS
- DNS = DNS: Allow
- BitTorrent ≠ DNS: Deny
- Visibility: BitTorrent detected and blocked
Legacy Firewalls, Security Rule: ALLOW Port 53
- DNS, Packet on Port 53: Allow
- BitTorrent, Packet on Port 53: Allow
- Visibility: Port 53 allowed

EXAMPLE: BITTORRENT
Firewall, Security Rule: ALLOW DNS
- DNS = DNS: Allow
- Bittorrent ≠ DNS: Deny
- Visibility: Bittorrent detected and blocked
Legacy Firewalls with App IPS, Security Rule: ALLOW Port 53, Application IPS Rule: BLOCK Bittorrent
- DNS, Packet on Port 53: Allow
- Bittorrent: Deny
- Visibility: Bittorrent detected and blocked

EXAMPLE: ZERO-DAY MALWARE
Firewall, Security Rule: ALLOW DNS
- DNS = DNS: Allow
- Command & Control ≠ DNS: Deny
- Visibility: Unknown traffic detected and blocked
Legacy Firewalls with App IPS, Security Rule: ALLOW Port 53, Application IPS Rule: BLOCK Bittorrent
- DNS, Packet on Port 53: Allow
- Zero-day C & C, Packet on Port 53: Allow
- C & C ≠ Bittorrent: Allow
- Visibility: Packet on Port 53 allowed
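The three port-53 slides above come down to deciding on the destination port versus deciding on what the payload actually is. The sketch below is an added illustration, not code from the deck or from Palo Alto Networks: `looks_like_dns_query` is a simplified structural check written for this example (it does not represent how App-ID works), and all three payloads are constructed.

```python
import struct

def build_dns_query(name, txid=0x1234):
    """Constructed sample input: a minimal, well-formed DNS A query."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def looks_like_dns_query(payload):
    """Structural check for a standard DNS query (simplified assumption)."""
    if len(payload) < 12:
        return False
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0:   # require QR=0, opcode 0
        return False
    if qd != 1 or an or ns:                           # one question, no answers
        return False
    pos, name_len = 12, 0
    while True:                                       # walk the QNAME labels
        if pos >= len(payload):
            return False
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        name_len += length + 1
        if length > 63 or name_len > 254:
            return False
        pos += length
    pos += 4                                          # QTYPE + QCLASS
    # No additional records: nothing may trail the question.
    # Otherwise leave room for them (e.g. an EDNS OPT record, 11 bytes minimum).
    return pos == len(payload) if ar == 0 else len(payload) - pos >= 11 * ar

def legacy_rule(dst_port, payload):
    """Security Rule: ALLOW Port 53 (decision on the port alone)."""
    return "allow" if dst_port == 53 else "deny"

def app_rule(dst_port, payload):
    """Security Rule: ALLOW DNS (decision on what the payload is)."""
    return "allow" if looks_like_dns_query(payload) else "deny"

# Constructed payloads, none captured from real traffic.
SAMPLES = {
    "dns": build_dns_query("example.com"),
    "bittorrent": b"\x13BitTorrent protocol" + bytes(48),
    "unknown": bytes((i * 37 + 11) % 256 for i in range(48)),
}

def compare(samples=SAMPLES, dst_port=53):
    """Return {name: (legacy verdict, application verdict)} for each payload."""
    return {k: (legacy_rule(dst_port, p), app_rule(dst_port, p)) for k, p in samples.items()}
```

`compare()` shows the port rule allowing all three payloads on port 53 while the application rule allows only the DNS query; `compare(dst_port=8053)` shows the same DNS query denied by the port rule and still recognised by the application rule.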
SAFELY ENABLE APPLICATIONS
Visibility into all applications & users on the network
Remove threats from wanted traffic
Cloud
REDUCE AND CONTROL RISK
FACILITATE ACCESS
Allow desired applications by user, limit high-risk features
MOBILE SECURITY
GlobalProtect protects the mobile workforce
Use the enterprise security platform to extend security to laptops, mobile phones and tablets. Enforce policy no matter where users go.
- Stop mobile exploits and malware
- Block access to dangerous websites and content
- Contextually control access and enforce security policies based on application, user, and device state
- Manage mobile device settings & applications
- Inspect business traffic and protect business data while respecting the users' privacy
Mobile Threat Prevention
Protect the Network
Manage Applications & Data
COVERING THE ENTIRE ENTERPRISE
Network location: Data center/cloud, Enterprise perimeter, Distributed/BYOD, Endpoint
Use cases: Next-Generation Firewall; Cybersecurity: IDS / IPS / APT; Web gateway; VPN
Subscriptions: URL Filtering, GlobalProtect, WildFire, Threat Prevention, Endpoint (Traps)
Next-generation appliances:
- Physical: PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050
- WildFire: WF-500
- Virtual: VM-Series & VM-Series-HV for NSX
Management system: Panorama, M-100 appliance, GP-100 appliance
Operating system: PAN-OS
Palo Alto Networks is proud to be named a Leader once again. We are now a four-time Magic Quadrant leader recognized for our ability to execute and completeness of vision.
Gartner, Magic Quadrant for Enterprise Network Firewalls, Adam Hils, et al, April 22, 2015. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from go.paloaltonetworks.com/gartnermq2015. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
2015 Magic Quadrant for Enterprise Network Firewalls
Thank you for attending!