End to End Security with Palo Alto Networks (Onur Kasap, Engineer, Palo Alto Networks)
TRANSCRIPT
Copyright © 2014, Palo Alto Networks
End to End Security With Palo Alto Networks
Onur Kasap, Systems Engineer
November 2014, Kiev
PALO ALTO NETWORKS AT-A-GLANCE
CORPORATE HIGHLIGHTS
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications and preventing cyber threats
• Able to address all enterprise cybersecurity needs
• Exceptional ability to support global customers
• Experienced team of 1,700+ employees
• Q4FY14: $178.2M revenue
[Chart: Revenues ($MM) by fiscal year: FY09 $13, FY10 $49, FY11 $119, FY12 $255, FY13 $396, FY14 $598]
[Chart: Enterprise customers: Jul-11 4,700; Jul-12 9,000; Jul-13 13,500; Jul-14 19,000]
A clear market leader – again
A leader for 3 years in a row in the magic quadrant for enterprise network firewalls
Applications Have Changed, Firewalls Haven’t
Network security policy is enforced at the firewall
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work any more
Encrypted Applications: Unseen by Firewalls
What happens when traffic is encrypted?
• SSL
• Proprietary encryption
Technology Sprawl and Creep Aren’t the Answer
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address application “accessibility” features
[Diagram: enterprise network connected to the Internet through a chain of point products: IM, DLP, IPS, proxy, URL filtering, AV, UTM]
Competitors’ Firewall Architecture
[Diagram: a port-based stateful firewall policy with an L4 session table, followed by a packet inspection flow through separate engines, each with its own policy and signature set: application policy and inspection (app signatures), IPS policy and threat inspection (IPS signatures), anti-virus proxy and AV inspection (virus signatures), web filtering policy and URL inspection (URL signatures)]
Application Control Belongs in the Firewall
Application Control as an Add-on
[Diagram: port traffic enters the firewall, which makes a port policy decision; an IPS then makes an app control policy decision on the applications]
• Port-based decision first, apps second
• Applications treated as threats; only block what you expressly look for
Ramifications
• Two policies/log databases, no reconciliation
• Unable to effectively manage unknowns
Application Control in the Firewall
[Diagram: application traffic enters the firewall, which makes an app control policy decision and then scans the application for threats]
• Firewall determines application identity; across all ports, for all traffic, all the time
• All policy decisions made based on application
Ramifications
• Single policy/log database – all context is shared
• Policy decisions made based on shared context
• Unknowns systematically managed
Evasive Applications
[Diagram: a port-based firewall blocks Yahoo Messenger on port 5050 and a BitTorrent client on port 6681, while port 80 is open]
Scenario 1: DNS Traffic
Legacy Firewalls: Firewall Rule: ALLOW Port 53
• DNS: Packet on Port 53: Allow
• BitTorrent: Packet on Port 53: Allow
• Visibility: Port 53 allowed
Palo Alto Networks Firewalls with App-ID: Firewall Rule: ALLOW DNS
• DNS = DNS: Allow
• BitTorrent ≠ DNS: Deny
• Visibility: BitTorrent detected and blocked
Scenario 2: BitTorrent with Application IPS
Legacy Firewalls: Firewall Rule: ALLOW Port 53; Application IPS Rule: Block BitTorrent
• DNS: Packet on Port 53: Allow
• BitTorrent: Deny
• Visibility: BitTorrent detected and blocked
Palo Alto Networks Firewalls with App-ID: Firewall Rule: ALLOW DNS
• DNS = DNS: Allow
• BitTorrent ≠ DNS: Deny
• Visibility: BitTorrent detected and blocked
Scenario 3: Zero-day Malware
Legacy Firewalls: Firewall Rule: ALLOW Port 53; Application IPS Rule: Block BitTorrent
• DNS: Packet on Port 53: Allow
• Zero-day C & C ≠ BitTorrent: Allow
• Visibility: Packet on Port 53 allowed
Palo Alto Networks Firewalls with App-ID: Firewall Rule: ALLOW DNS
• DNS = DNS: Allow
• Command & Control ≠ DNS: Deny
• Visibility: Unknown traffic detected and blocked
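The three scenarios above, as an added example that is not part of the original deck: a toy Python model of a port-based rule, the same rule with an add-on application IPS blocklist, and an App-ID style allow rule, run over constructed port-53 flows. The payload bytes and the identification checks are constructed for illustration; they are not Palo Alto Networks decoders or signatures.

```python
"""Added example, not Palo Alto Networks code: a toy model of the three
App-ID scenarios. A legacy firewall decides on destination port, an
add-on application IPS blocks only the applications it has a signature
for, and an App-ID style rule allows only the application it names, so
unknown traffic is denied by default."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str       # label used on the slides
    dst_port: int
    payload: bytes  # constructed sample bytes, not captured traffic


# Constructed flows; all three arrive on port 53, as in the scenarios.
DNS_QUERY = Flow("DNS", 53,
                 b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header, QDCOUNT=1
                 b"\x07example\x03com\x00\x00\x01\x00\x01")           # example.com A IN
BITTORRENT = Flow("Bittorrent", 53, b"\x13BitTorrent protocol" + b"\x00" * 8)
ZERO_DAY_C2 = Flow("Zero-day C & C", 53, b"\x00\x00\x00\x2aBEACON:host=desk-17;cmd=poll")


def looks_like_dns(payload: bytes) -> bool:
    """Structural check: standard-query opcode, exactly one question, and
    well-formed QNAME labels followed by QTYPE and QCLASS. Illustrative only."""
    if len(payload) < 17:
        return False
    opcode = (payload[2] >> 3) & 0x0F
    qdcount = int.from_bytes(payload[4:6], "big")
    if opcode != 0 or qdcount != 1:
        return False
    pos = 12
    while pos < len(payload) and payload[pos] != 0:
        if payload[pos] > 63:          # DNS label length limit
            return False
        pos += 1 + payload[pos]
    return pos + 5 <= len(payload)     # root label + QTYPE + QCLASS must fit


def identify_app(payload: bytes) -> str:
    """Toy App-ID: return an application name, or 'unknown' when no decoder matches."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if looks_like_dns(payload):
        return "dns"
    return "unknown"


def legacy_port_firewall(flow: Flow) -> str:
    """Firewall Rule: ALLOW Port 53."""
    return "allow" if flow.dst_port == 53 else "deny"


def legacy_with_app_ips(flow: Flow) -> str:
    """Port rule plus 'Application IPS Rule: Block Bittorrent' (a blocklist)."""
    if identify_app(flow.payload) == "bittorrent":
        return "deny"
    return legacy_port_firewall(flow)


def app_id_firewall(flow: Flow) -> str:
    """Firewall Rule: ALLOW DNS; anything that is not DNS, known or unknown, is denied."""
    return "allow" if identify_app(flow.payload) == "dns" else "deny"


def run_scenarios() -> dict:
    """Decision of each firewall model for each flow, keyed by the slide labels."""
    return {
        flow.name: {
            "legacy": legacy_port_firewall(flow),
            "legacy + app IPS": legacy_with_app_ips(flow),
            "App-ID": app_id_firewall(flow),
        }
        for flow in (DNS_QUERY, BITTORRENT, ZERO_DAY_C2)
    }


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:16} {verdicts}")
```

Only the App-ID model denies the unknown flow, which is the slides' point: a blocklist can only stop what it already has a signature for.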
The Answer? Make the Firewall Do Its Job
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
Making the Firewall a Business Enablement Tool
• App-ID™: Identify the application
• Content-ID™: Scan the content
• User-ID™: Identify the user
Enabling Applications, Users and Content
Single-Pass Parallel Processing™ (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific parallel processing hardware engines
• Separate data/control planes
Single Pass Platform Architecture
PAN-OS Core Firewall Features
Strong networking foundation
• Dynamic routing (BGP, OSPF, RIPv2)
• Tap mode – connect to SPAN port
• Virtual wire (“Layer 1”) for true transparent in-line deployment
• L2/L3 switching foundation
• Policy-based forwarding
VPN
• Site-to-site IPSec VPN
• Remote Access (SSL) VPN
QoS traffic shaping
• Max/guaranteed and priority
• By user, app, interface, zone, & more
• Real-time bandwidth monitor
Zone-based architecture
• All interfaces assigned to security zones for policy enforcement
High Availability
• Active/active, active/passive
• Configuration and session synchronization
• Path, link, and HA monitoring
Virtual Systems
• Establish multiple virtual firewalls in a single device (PA-7050, PA-5000, PA-3000, and PA-2000 Series)
Simple, flexible management
• CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content complement core firewall features
Platforms: PA-200; PA-500; PA-2000 Series (PA-2050, PA-2020); PA-3000 Series (PA-3050, PA-3020); PA-5000 Series (PA-5060, PA-5050, PA-5020); PA-7050; VM-Series (VM-300, VM-200, VM-100, VM-1000-HV)
Flexible Deployment Options For Ethernet Interfaces
Tap Mode
• Application, user and content visibility without inline deployment
• Evaluation and audit of existing networks
Virtual Wire Mode
• Application ID, Content ID, User ID, SSL Decryption
• Includes NAT capability
Layer 3 Mode
• All of the Virtual Wire Mode capabilities with the addition of Layer 3 services: virtual routers, VPN, and routing protocols
Threat Prevention of Zero-Day Attacks
WildFire and Traps
Why change
• Targeted attacks can only be solved on the endpoint
• Attackers are more sophisticated and well funded
• Launching Zero-Day attacks is more accessible and common
71% of breaches involve a targeted user device
78% of exploit kits utilize vulnerabilities less than 2 years old
91% increase in targeted attacks in 2013
Flow of a RAT Attack with 0-day Malware
[Diagram: popular websites (landing site), malware repository, hop point, victim, attacker (C&C)]
1. The attacker injects the URL, preferably in a legitimate site under his control
2. The victim visits the site and is redirected to the malicious URL (iframe)
3. The victim visits the URL and the drive-by download executes
4. The victim downloads and installs the malware that takes the station into the botnet
Attack Stages of a Drive-by Download / Web Attack
1. Targeted malicious email sent to user
2. User clicks on link to a malicious website
3. Malicious website silently exploits client-side vulnerability (with web attack toolkit)
4. Drive-by download of malicious payload
Targeted Attack Example
Source: http://infosec3t.com/wp-content/uploads/2010/03/contagio_targeted_attack_email_2.png
Source: http://www.symantec.com/threatreport/topic.jsp?id=malicious_code_trends&aid=triage_analysis_of_targeted_attacks
Detection-focused technology investments
Network Security
• IPS deployed as IDS
• App blades that only detect and report
• SSL traffic allowed without decryption
• When decrypted, SSL just port-mirrored
• Sandboxes deployed to detect malware
• Snort engines to detect traffic to high risk IPs
Endpoint Protection
• Forensics agents to capture what happened
• IOC scanners
• Massive PCAP storage
• Remediation tools to try and fix what was detected
• $1,000/hour incident response consultants to tell you who stole your data
Answer: Detection and Prevention of Advanced Threats
Advanced threat requires a solution, not point products
[Diagram: attack sequence from a successful spear-phishing email through client exploit (HTTP, SSL, DNS) to command/control (URL / C&C) and post-compromise activity, with failed attempts along the way; inspected content includes EXE, Java, .LNK and DLL files, known viruses and exploits, and high-risk applications]
1. Reduce the attack surface
• Whitelist applications or block high-risk apps
• Block known viruses, exploits
• Block commonly exploited file types
2. Detect the unknown
• Analysis of all application traffic
• SSL decryption
• WildFire sandboxing of exploitive files
3. Create protections
Detection and blocking of C&C via:
• Bad domains in DNS traffic
• URLs (PAN-DB)
• C&C signatures (anti-spyware)
Why do you need network, endpoint, and cloud working together?
Requirements for a new approach
Requires next-generation network, endpoint, and threat intelligence cloud capabilities
1. Prevent attacks - even attacks seen for the first time
2. Protect all users and applications - including mobile and virtualized
3. Seamlessly combine network and endpoint security, as each has unique strengths
4. Provide rapid analysis of new threats
Platform approach
Next-Generation Firewall
• Inspects all traffic
• Blocks known threats
• Sends unknown to cloud
• Extensible to mobile & virtual networks
Next-Generation Endpoint Protection
• Inspects all processes and files
• Prevents both known & unknown exploits
• Integrates with cloud to prevent known & unknown malware
Threat Intelligence Cloud
• Gathers potential threats from network and endpoints
• Analyzes and correlates threat intelligence
• Disseminates threat intelligence to network and endpoints
The making of a platform: information sharing
• Unknowns & zero-day discoveries
The making of a platform: prevention distribution
• Real-time signatures
The making of a platform: correlated analytics
• Confirm detection
• Integrated reporting
Reaching Effects of WildFire
[Diagram: threat intelligence sources and WildFire users feed WildFire; its outputs are AV signatures, DNS signatures, anti-C&C signatures and malware URL filtering]
Next-Generation Appliances | Malware Management
WF-500 is a private cloud, designed for organizations with regulatory or privacy concerns.
WildFire cloud-based architecture scales
APT Add-on Approach
• Web sandbox, email sandbox, file share sandbox, central manager, manual analysis
• Hard to manage
• Doesn’t scale
• Expensive
• Requires multiple devices at each ingress, egress, and point of segmentation
WildFire Approach
• WildFire™ public cloud or private cloud appliance
• Easy to manage and operationalize
• Scalable
• Cost effective
WildFire vs. WildFire Subscription
WildFire
• WildFire analysis of PE files
• Daily signature feed (TP subscription required)
• WildFire logs integrated within PAN-OS
WildFire Subscription
• WildFire analysis of all other file types (PDF, MS Office, Java, Flash, APK*)
• 15-min signature feed
• WildFire Cloud API key
• Use of WF-500
Signature hierarchy
• Weekly: App-ID updates; “IPS” signatures (vulnerability, anti-spyware); IP geolocation
• Daily: Antivirus; botnet support (zone file, dynamic DNS, malware URLs); DNS signatures
• 15-minute: WildFire signatures
Traps
Advanced Endpoint Protection
The failures of traditional approaches
[Diagram: legacy endpoint protection asks “Known signature?”, “Known strings?” and “Previously seen behavior?” and answers NO to each for a targeted, evasive, advanced attack; malware (EXE) arrives by direct execution, while an exploit (PDF) abuses a vulnerability to run any code]
Introducing Traps: The right way to deal with advanced cyber threats
• Prevent exploits, including zero-day exploits
• Prevent malware, including advanced & unknown malware
• Collect attempted-attack forensics for further analysis
• Scalable & lightweight: must be user-friendly and cover the complete enterprise
• Integrate with network and cloud security for data exchange and cross-organization protection
Block the core techniques – not the individual attacks
• Software vulnerability exploits: thousands of new vulnerabilities and exploits a year. Exploitation techniques: only 2-4 new exploit techniques a year
• Malware: millions of new malware every year. Malware techniques: 10’s – 100’s of new malware sub-techniques every year
Exploitation technique prevention – Clandestine Fox
Prevention of one technique in the chain will block the entire attack
[Diagram: the CVE-2014-1776 attack chain in four stages (Preparation, Triggering, Circumvention, Post Malicious Activity) using heap spray, use after free, ROP and OS function calls, with each stage met by a Traps module: memory corruption mitigation, logic-flaws real-time intervention, OS functions shielding, algorithmic memory traps placement]
Exploit technique prevention: how it works
1. Document is opened by user
2. Traps is seamlessly injected into processes (CPU <0.1%)
3. Process is protected as the exploit attempt is trapped
When an exploitation attempt is made, the exploit hits a “trap” and fails before any malicious activity is initiated.
4. Traps triggers immediate actions: attack is blocked before any successful malicious activity; process is terminated; forensic data is collected; user/admin is notified; reported to ESM. Safe!
Malware prevention
• Policy-Based Restrictions: limit surface area of attack; control source of file installation
• WildFire Inspection: prevent known malware with cloud-based integration
• Malware Techniques Mitigation: prevent unknown malware with technique-based mitigation
Malware prevention: how it works
1. User tries to open executable file
2. Policy-based restrictions applied
3. HASH checked against WildFire
4. Malware technique prevention employed
5. File is allowed to execute. Safe! Reported to ESM
Forensics capture: ongoing capture and attack-triggered capture
Ongoing recording
- Any file execution
- Time of execution
- File name
- File HASH
- User name
- Computer name
- IP address
- OS version
- File’s malicious history
- Any interference with Traps service
- Traps process shutdown attempt
- Traps service shutdown attempt
- Related system logs
Exploit or malware hits a “trap” and triggers real-time collection
- Attack-related forensics
- Time stamp
- Triggering file (non-executable)
- File source
- Involved URLs/URIs
- Prevented exploitation technique
- IP address
- OS version
- Version of attempted vulnerable software
- All components loaded to memory under attacked process
- Full memory dump
- Indications of further memory corruption activity
- User name and computer name
Coverage and system requirements
Supported operating systems
Workstations
• Windows XP SP3
• Windows 7
• Windows 8.1
Servers
• Windows Server 2003
• Windows Server 2008 (+R2)
• Windows Server 2012 (+R2)
Footprint
• 25 MB
• 0.1% CPU
• Very low I/O
Benefits
Business
• Prevent breaches, not just detect
• Increases business continuity
• Lowers TCO
Operations
• Save time and money on forensics and remediation
• Easy to manage, does not require frequent updates
• Zero-day coverage
IT
• Install patches on your own schedule
• Compatible with existing solutions
• Minimal performance impact
Intelligence
• Access to threat intel through WildFire integration
• Attack-triggered forensics collection
The Virtual Data Center
East/West Traffic flows often greater than North/South flows
[Diagram: enterprise network]
Security challenges: Physical firewalls may not see the East-West traffic
• Firewall placement is designed around expectation of layer 3 segmentation
• Network configuration changes required to secure East-West traffic flows are manual, time-consuming and complex
• Ability to transparently insert security into the traffic flow is needed
[Diagram: DB, App and Web VMs on one hypervisor, with the hardware firewall outside the host]
Security challenges: Static policies cannot keep pace with dynamic workload deployments
• Provisioning of applications can occur in minutes with frequent changes
• Security approvals and configurations may take weeks/months
• Dynamic security policies that understand VM context are needed
[Diagram: App and Web VMs on one hypervisor and a DB VM on another, connected through the data center core network to a hardware firewall; a VM is vMotioned between hosts]
What happens when a VM is vMotioned?
VM-Series Next Generation Security Platform
• Consistent features as hardware-based next-generation firewall: App-ID, User-ID, Content-ID, WildFire
• Inspects and safely enables intra-host communications (East-West traffic)
• Tracks VM creation and movement with Dynamic Address Group objects
• API integration with orchestration: automate workflows
• Centrally managed through Panorama
VM-Series deployment options
VM-Series for VMware vSphere (ESXi)
• VM-100, VM-200, VM-300, and VM-1000-HV deployed as guest VMs on VMware ESXi
• Deployed as part of virtual network configuration for East-West traffic inspection
VM-Series for Citrix NetScaler SDX
• VM-100, VM-200, VM-300, and VM-1000-HV deployed as guest VMs on Citrix NetScaler SDX
• Consolidates ADC and security services for multi-tenant and Citrix XenApp/XenDesktop deployments
VM-Series for VMware NSX
• VM-Series for NSX deployed as a service with VMware NSX and Panorama
• Ideal for East-West traffic inspection
Dynamic Address Groups and VM Monitoring
VMware vCenter or ESXi inventory (monitored attributes)
Name         IP        Guest OS      Container
web-sjc-01   10.1.1.2  Ubuntu 12.04  Web
sp-sjc-04    10.1.5.4  Win 2008 R2   SharePoint
web-sjc-02   10.1.1.3  Ubuntu 12.04  Web
exch-mia-03  10.4.2.2  Win 2008 R2   Exchange
exch-dfw-03  10.4.2.3  Win 2008 R2   Exchange
sp-mia-07    10.1.5.8  Win 2008 R2   SharePoint
db-mia-01    10.5.1.5  Ubuntu 12.04  MySQL
db-dfw-02    10.5.1.2  Ubuntu 12.04  MySQL
PAN-OS Dynamic Address Groups (tags resolved to addresses)
Name                        Tags                            Addresses
SharePoint Servers          SharePoint, Win 2008 R2, “sp”   10.1.5.4, 10.1.5.8
MySQL Servers               MySQL, Ubuntu 12.04, “db”       10.5.1.5, 10.5.1.2
Miami DC                    “mia”                           10.4.2.2, 10.1.5.8, 10.5.1.5
San Jose Linux Web Servers  “sjc”, “web”, Ubuntu 12.04      10.1.1.2, 10.1.1.3
PAN-OS Security Policy
Source              Destination                 Action
SharePoint Servers  San Jose Linux Web Servers  ✔
(Further rows reference MySQL Servers and Miami DC.)
A new VM, db-mia-05 (10.5.1.9, Ubuntu 12.04, MySQL), appears in the inventory and 10.5.1.9 is picked up by the groups whose tags it matches.
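The Dynamic Address Group slide above, as an added example that is not part of the original deck: a toy Python model that derives tags from the VM attributes shown, resolves the four groups, evaluates the SharePoint-to-web rule, and re-resolves the groups after db-mia-05 appears. The tag derivation (role and site taken from the VM name) and the AND-style match are assumptions for illustration, not PAN-OS match syntax.

```python
"""Added example, not Palo Alto Networks code: a toy model of Dynamic
Address Groups. Tags come from VM monitoring attributes and groups are
tag match expressions, so a new VM joins the right groups, and therefore
the right policy rules, without a policy edit."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    guest_os: str
    container: str


# Inventory as shown on the slide (names, addresses, OS, container).
INVENTORY = [
    VM("web-sjc-01", "10.1.1.2", "Ubuntu 12.04", "Web"),
    VM("sp-sjc-04", "10.1.5.4", "Win 2008 R2", "SharePoint"),
    VM("web-sjc-02", "10.1.1.3", "Ubuntu 12.04", "Web"),
    VM("exch-mia-03", "10.4.2.2", "Win 2008 R2", "Exchange"),
    VM("exch-dfw-03", "10.4.2.3", "Win 2008 R2", "Exchange"),
    VM("sp-mia-07", "10.1.5.8", "Win 2008 R2", "SharePoint"),
    VM("db-mia-01", "10.5.1.5", "Ubuntu 12.04", "MySQL"),
    VM("db-dfw-02", "10.5.1.2", "Ubuntu 12.04", "MySQL"),
]

# Assumed: the quoted tags on the slide ("sp", "mia", ...) are the role and
# site fields of the VM name; guest OS and container are tags as well.
def tags_for(vm: VM) -> set[str]:
    role, site, _ = vm.name.split("-", 2)
    return {role, site, vm.guest_os, vm.container}


# Groups as on the slide; a VM is a member when it carries every listed tag.
GROUPS = {
    "SharePoint Servers": {"SharePoint", "Win 2008 R2", "sp"},
    "MySQL Servers": {"MySQL", "Ubuntu 12.04", "db"},
    "Miami DC": {"mia"},
    "San Jose Linux Web Servers": {"sjc", "web", "Ubuntu 12.04"},
}

# The one rule the slide shows with a check mark.
POLICY = [("SharePoint Servers", "San Jose Linux Web Servers", "allow")]


def resolve(inventory: list[VM], groups: dict = GROUPS) -> dict[str, list[str]]:
    """Addresses each group currently resolves to, in inventory order."""
    return {name: [vm.ip for vm in inventory if tags <= tags_for(vm)]
            for name, tags in groups.items()}


def evaluate(src_ip: str, dst_ip: str, inventory: list[VM]) -> str:
    """First matching rule wins; no match falls to an implicit deny."""
    members = resolve(inventory)
    for src, dst, action in POLICY:
        if src_ip in members[src] and dst_ip in members[dst]:
            return action
    return "deny"


if __name__ == "__main__":
    before = resolve(INVENTORY)
    new_vm = VM("db-mia-05", "10.5.1.9", "Ubuntu 12.04", "MySQL")  # the slide's new VM
    after = resolve(INVENTORY + [new_vm])
    for group in GROUPS:
        print(f"{group:28} {before[group]} -> {after[group]}")
```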
Model       Sessions  Rules   Security Zones  Address Objects  IPSec VPN Tunnels  SSL VPN Tunnels
VM-100      50,000    250     10              2,500            25                 25
VM-200      100,000   2,000   20              4,000            500                200
VM-300      250,000   5,000   40              10,000           1,000              500
VM-1000-HV  250,000   10,000  40              100,000          2,000              500
Effect of dedicating cores
• 2 core configuration: Core 1 = management plane; Core 2 = data plane
• 4 core configuration: Core 1 = management plane; Core 2 = data plane: read & transmit packets; Cores 3 & 4 = data plane: process packets
• 8 core configuration: Core 1 = management plane; Core 2 = data plane: reads packets; Core 3 = data plane: transmits packets; Cores 4 through 8 = data plane: process packets
Safely Enabling Mobile Devices
GlobalProtect™
Challenge: Quality of Security Tied to Location
[Diagram: headquarters and branch offices are enterprise-secured with full protection against malware, botnets and exploits; users at the airport, hotel and home office are exposed to threats, risky apps, and data leakage]
GlobalProtect™: Consistent Security Everywhere
[Diagram: headquarters, branch office and remote users all protected against malware, botnets and exploits]
• VPN connection to a purpose-built firewall that is performing the security work
• Automatic protected connectivity for users both inside and outside
• Unified policy control, visibility, compliance and reporting
Unlocking The Potential of Mobile Depends On Security
[Chart: benefits to business rise with mobile maturity, from intranet access, to accessing business apps, to running your business on mobile devices]
New Approach to Safely Enabling Mobile Devices
Manage the Device
Ensure devices are safely enabled while simplifying deployment & setup
• Ensure proper settings in place, such as strong passcodes and encryption
• Simplify provisioning of common configuration like email and certificates
Protect the Device
Protect the mobile device from exploits and malware
• Protecting the device from infection also protects confidential data and prevents unauthorized network access
Control the Data
Control access to data and its movement between applications
• Control access by app, user, and device state
• Extend data movement controls to the device to ensure data stays within “business apps”
GlobalProtect Mobile Security Solution
• GlobalProtect Gateway: Delivers mobile threat prevention and policy enforcement based on apps, users, content and device state
• GlobalProtect App: Enables device management, provides device state information, and establishes secure connectivity
• GlobalProtect Mobile Security Manager: Provides device management, malware detection, and device state
Manage The Device
Manage Device Settings
• Enforce security settings such as passcode
• Restrict device functions such as camera
• Configure accounts such as email, VPN, Wi-Fi settings
Understand Device State
• Monitor and report device state for policy enforcement, such as: whitelisted / blacklisted apps; rooted / jailbroken
Perform Key Operations
• Ex: lock, unlock, wipe, send a message
Detect Android Malware
• Detect and react to the presence of malware
[Diagram: GlobalProtect Mobile Security Manager and GlobalProtect App]
Protect The Device
Consistent Security Everywhere
• IPsec/SSL VPN connection to a purpose-built next-generation security platform for policy enforcement regardless of the device location
Mobile Threat Prevention
• Vulnerability (IPS) and malware (AV) protection for mobile threats
• URL filtering for protection against malicious websites
• WildFire™ static and dynamic analysis for advanced mobile threats
[Diagram: threats, GlobalProtect Gateway, GlobalProtect App]
Control The Data
Control Access to Applications and Data
• Granular policy determines which users and devices can access sensitive applications and data
• Policy criteria based on application, user, content, device, and device state for control and visibility
- Identify device types such as iOS, Android, Windows, Mac devices
- Identify device ownership such as personal (BYOD) or corporate issued
- Identify device states such as rooted/jailbroken
• File blocking based on content and content type
Control Data Movement Between Apps on the Device
• Solution provides the foundation for future developments in data protection
[Diagram: applications and data, GlobalProtect Gateway, GlobalProtect App]
How the Integrated Solution Works
[Diagram: Internet, WildFire Cloud, and Traps Advanced Endpoint Protection]