palo alto networks - magellan-net.de
TRANSCRIPT
Agenda
Introductions, Goals and Objectives
Product Overview
Break (RDP install)
Hands-on Workshop
Lunch with Q&A
©2013, Palo Alto Networks. Confidential and Proprietary.
Goals & Objectives
By the end of this workshop you should be able to:
• Navigate the Palo Alto Networks GUI
• Create and update policies
• Understand how changes to the configuration affect the behavior of traffic across the firewall
• Understand the basic operation of Logs and Reporting
Palo Alto Networks at a Glance
Corporate highlights
Founded in 2005; first customer shipment in 2007
Safely enabling applications
Able to address all network security needs
Exceptional ability to support global customers
Experienced technology and management team
850+ employees globally
[Charts: enterprise customers 1,800 (Jul-10), 4,700 (Jul-11), 10,000 (Nov-12); revenue in $MM (FYE July): FY09 $13, FY10 $49, FY11 $119, FY12 $255]
Applications Have Changed, Firewalls Haven’t
•Network security policy is enforced at the firewall
• Sees all traffic
• Defines boundary
• Enables access
•Traditional firewalls don’t work any more
Applications: Threat Vector and a Target
Threats target applications
• Used as a delivery mechanism
• Application specific exploits
Applications: Payload Delivery/Command & Control
Applications provide exfiltration
• Confidential data
• Threat communication
Encrypted Applications: Unseen by Firewalls
What happens when traffic is encrypted?
• SSL
• Proprietary encryption
Technology Sprawl and Creep Aren’t the Answer
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address applications
[Diagram: firewall “helpers” (IM, DLP, IPS, Proxy, URL, AV) and a UTM sitting between the Enterprise Network and the Internet]
The Answer? Make the Firewall Do Its Job
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
Differentiating: App-ID vs. Two Step Scanning
Operational ramifications of two step scanning
Two separate policies with duplicate info – impossible to reconcile them
Two log databases decrease visibility
Unable to systematically manage unknown traffic
Weakens the deny-all-else premise
Every firewall competitor uses two step scanning
[Diagram: two step scanning. The firewall makes a port policy decision (“Allow port 80 traffic”) on traffic carrying 300 or more applications; the IPS then makes a separate app control policy decision on what the firewall let through]
Enabling Applications, Users and Content
Making the Firewall a Business Enablement Tool
Applications: Enablement begins with application classification by App-ID.
Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.
PAN-OS Core Firewall Features
Strong networking foundation: dynamic routing (BGP, OSPF, RIPv2); tap mode (connect to a SPAN port); virtual wire (“Layer 1”) for true transparent in-line deployment; L2/L3 switching foundation; policy-based forwarding
VPN: site-to-site IPSec VPN; remote access (SSL) VPN
QoS traffic shaping: max/guaranteed and priority; by user, app, interface, zone, and more; real-time bandwidth monitor
Zone-based architecture: all interfaces assigned to security zones for policy enforcement
High availability: active/active, active/passive; configuration and session synchronization; path, link, and HA monitoring
Virtual systems: establish multiple virtual firewalls in a single device (PA-5000, PA-4000, PA-3000, and PA-2000 Series)
Simple, flexible management: CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content complement core firewall features
Next-Generation Firewall Virtualized Platforms
Specifications
Model    Sessions   Rules   Security zones   Address objects   IPSec VPN tunnels   SSL VPN tunnels
VM-100    50,000      250        10               2,500                25                  25
VM-200   100,000    2,000        20               4,000               500                 200
VM-300   250,000    5,000        40              10,000             2,000                 500
Supported on VMware ESX/ESXi 4.0 or later
Minimum of 2 CPU cores, 4GB RAM, 40GB HD, 2 interfaces
Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames
Performance
Cores allocated   Firewall (App-ID)   Threat Prevention   VPN        Sessions per second
2 cores           500 Mbps            200 Mbps            100 Mbps   8,000
4 cores           1 Gbps              600 Mbps            250 Mbps   8,000
8 cores           1 Gbps              1 Gbps              400 Mbps   8,000
Enterprise-wide Next-Generation Firewall Security
Perimeter
• App visibility and control in the firewall
  • All apps, all ports, all the time
• Prevent threats
  • Known threats
  • Unknown/targeted malware
• Simplify security infrastructure
Data Center
• Network segmentation
  • Based on application and user, not port/IP
• Simple, flexible network security
  • Integration into all DC designs
• Highly available, high performance
• Prevent threats
Distributed Enterprise
• Consistent network security everywhere
  • HQ/branch offices/remote and mobile users
• Logical perimeter
  • Policy follows applications and users, not physical location
• Centrally managed
Addresses Three Key Business Problems
Safely Enable Applications
Identify more than 1,500 applications, regardless of port, protocol, encryption, or
evasive tactic
Fine-grained control over applications/application functions (allow, deny, limit, scan,
shape)
Addresses the key deficiencies of legacy firewall infrastructure
Systematic management of unknown applications
Prevent Threats
Stop a variety of known threats – exploits (by vulnerability), viruses, spyware
Detect and stop unknown threats with WildFire
Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
Enforce acceptable use policies on users for general web site browsing
Simplify Security Infrastructure
Put the firewall at the center of the network security infrastructure
Reduce complexity in architecture and operations
Many Third Parties Reach Same Conclusion
Gartner Enterprise Network Firewall Magic Quadrant
Palo Alto Networks leading the market
Forrester IPS Market Overview
Strong IPS solution; demonstrates effective consolidation
NetworkWorld Test
Most stringent NGFW test to date; validated sustained performance
NSS Tests
IPS: Palo Alto Networks NGFW tested against competitors’ standalone IPS devices; NSS Recommended
Firewall: Traditional port-based firewall test; Palo Alto Networks most efficient by a wide margin; NSS Recommended
NGFW: Palo Alto Networks provides the best combination of protection, performance, and value; NSS Recommended (1 of only 3 NGFW recommended)
Activity 1: Controlling Social Media
Scenario: Every organization is trying to determine how to exert controls over
social media applications – allowing them all is high risk while blocking them
all can cripple the business.
Policy considerations: who can use social media, what are the risks of data
loss/data transfer, and how to eliminate the propagation of malware
PAN-OS features to be used:
App-ID and function control
User-ID
Logging and reporting for verification
Activity 2: Controlling Evasive Applications
Scenario: Evasive applications are found on almost every network. Some are
purposely evasive, making every effort to avoid controls and hide. Examples
include Ultrasurf, Tor and P2P.
Policy considerations for controlling these applications include: protection from RIAA threats, data loss (inadvertent or otherwise), and malware propagation
PAN-OS features to be used:
App-ID and dynamic filters
User-ID
Logging and reporting for verification
Activity 3: Applications on Non-Standard Ports
Scenario: Limit the use of remote access tools to IT and support, and force them over their standard port (e.g., SSH on TCP/22)
Policy considerations: Control which applications and users can punch
through the firewall
PAN-OS features to be used:
Logging and reporting to show SSH on non-standard ports
App-ID, groups function and service (port)
User-ID (groups)
Logging and reporting for verification
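The policies that Activities 1 to 3 build in the GUI, written as PAN-OS CLI set commands. This is an added example for this page, not workshop material or vendor-supplied configuration: the zone names trust and untrust, the directory groups corp\marketing and corp\it-support, the rule and filter names, and the addresses 10.1.10.25 and 203.0.113.10 are assumptions, and the App-ID names and application-filter attributes should be confirmed on the release you run (tab completion on `set application-filter <name> ?`). Lines beginning with # are commentary, not CLI input.

```text
configure

# Activity 1: marketing may browse and chat on social media, but posting is denied.
# The deny rule sits above the allow rule: when App-ID shifts a session from
# facebook-base to facebook-posting the rulebase is re-evaluated top down.
set rulebase security rules deny-social-posting from trust to untrust source any destination any source-user any application [ facebook-posting twitter-posting ] service application-default action deny log-end yes
set rulebase security rules allow-social-browse from trust to untrust source any destination any source-user "corp\marketing" application [ facebook-base twitter-base ] service application-default action allow log-end yes
set rulebase security rules allow-social-browse profile-setting profiles virus default spyware default vulnerability default url-filtering default

# Activity 2: dynamic application filters match on characteristics, so an App-ID
# added later with the "evasive" trait or peer-to-peer technology is blocked
# without a policy change. Named apps and filters mix freely in one rule.
set application-filter evasive-apps evasive yes
set application-filter p2p-apps technology peer-to-peer
set rulebase security rules deny-evasive from trust to untrust source any destination any source-user any application [ evasive-apps p2p-apps ultrasurf tor ] service any action deny log-end yes

# Activity 3: only IT support may open SSH outbound, and only on its standard
# port. "application-default" ties the App-ID to TCP/22, so ssh detected on
# TCP/2222 matches no allow rule and falls through to the explicit deny below.
set rulebase security rules allow-ssh-it from trust to untrust source any destination any source-user "corp\it-support" application ssh service application-default action allow log-end yes

# Explicit catch-all with logging. The implicit interzone deny does not log,
# so without this rule the "deny-all-else" decisions never appear in the traffic log.
set rulebase security rules deny-all-else from any to any source any destination any source-user any application any service any action deny log-end yes

commit
exit

# Verification (operational mode): ssh on a non-standard port should hit
# deny-all-else, and live sessions App-ID has classified as ssh can be listed.
test security-policy-match from trust to untrust source 10.1.10.25 destination 203.0.113.10 protocol 6 destination-port 2222 application ssh
show session all filter application ssh
```

The policy-match test evaluates as an unknown user when no user is supplied, which is also the right way to confirm that a workstation without a User-ID mapping cannot reach the IT-only rule. After the commit, the traffic log filtered on rule deny-all-else is the list of SSH-on-odd-ports and evasive-app attempts that Activity 3 asks you to report on.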
Activity 4: Decryption
Scenario: More and more traffic is encrypted with SSL by default, making it difficult to allow and scan that traffic, yet blindly allowing it is high risk. Policy-based SSL decryption lets you enable encrypted applications, apply policy to the decrypted traffic, then re-encrypt it and send it to its final destination.
Policy considerations: Which applications to decrypt, protection from malware
propagation and data/file transfer
PAN-OS features to be used:
App-ID
User-ID
SSL decryption
Logging and reporting for verification
Activity 5: Modern Malware Protection
Scenario: Modern malware is at the heart of many of today's most
sophisticated network attacks, and is increasingly customized to avoid
traditional security solutions. WildFire exposes targeted and unknown
malware through direct observation in a virtual environment, while the next-
generation firewall ensures full visibility and control of all traffic including
tunneled, evasive, encrypted and even unknown traffic.
Policy considerations: Which applications to apply the WildFire file blocking/upload profile to
PAN-OS features to be used:
Profiles: Virus, Spyware, file blocking & WildFire
WildFire portal
Logging and reporting for verification
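The decryption policy from Activity 4 together with the threat profiles from Activity 5, as PAN-OS CLI set commands. This is an added example, not part of the workshop or vendor documentation: the zone names, rule names and the certificate names fwd-trust-ca and fwd-untrust-ca are assumptions (both certificates must already exist on the firewall), and the WildFire-forwarding step is release dependent as noted in the comments. Lines beginning with # are commentary, not CLI input.

```text
configure

# Activity 4: forward-proxy decryption of outbound SSL.
# The forward-trust CA re-signs server certificates for the client, so it must
# be in every client's trust store or each decrypted site raises a warning.
# The forward-untrust certificate is used when the real server certificate is
# invalid, so the client still sees a warning in that case (by design).
set shared ssl-decrypt forward-trust-certificate fwd-trust-ca
set shared ssl-decrypt forward-untrust-certificate fwd-untrust-ca

# Rule order matters: the no-decrypt exception for categories with privacy
# or legal constraints sits above the general decrypt rule.
set rulebase decryption rules no-decrypt-sensitive from trust to untrust source any destination any source-user any category [ financial-services health-and-medicine ] service any action no-decrypt type ssl-forward-proxy
set rulebase decryption rules decrypt-outbound-web from trust to untrust source any destination any source-user any category any service any action decrypt type ssl-forward-proxy

# Activity 5: threat profiles on the allow rule that carries the decrypted
# traffic. On PAN-OS 5.x the file-blocking action "forward" submits files to
# WildFire; later releases moved this to a separate wildfire-analysis profile,
# so adapt the file-blocking lines to the release you run.
set profiles file-blocking wf-forward rules forward-executables application any file-type pe direction both action forward
set rulebase security rules allow-web from trust to untrust source any destination any source-user any application [ web-browsing ssl ] service application-default action allow log-end yes
set rulebase security rules allow-web profile-setting profiles virus default spyware default vulnerability default url-filtering default file-blocking wf-forward

commit
```

Two points to check after the commit. First, once a session is decrypted App-ID identifies the application inside it, so the security rule must allow those applications (web-browsing, facebook-base and so on), not just ssl; ssl stays in the rule for the flows the no-decrypt rule leaves opaque. Second, the traffic log's decrypted flag (and the URL log) is the quickest way to confirm which sessions were actually opened, and the WildFire portal shows the verdicts for the files the forward action submitted.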
Activity 6: URL Filtering
Scenario: Application control and URL filtering complement each other,
providing you with the ability to deliver varied levels of control that are
appropriate for your security profile.
Policy considerations: URL category access; which users can or cannot
access the URL category, and prevention of malware propagation
PAN-OS features to be used:
URL filtering category match
Logging and reporting for verification
Activity 7: Traffic Reporting
Scenario: Define and generate traffic reports required by management
PAN-OS features to be used:
Reporting (pre-defined)
Top applications, threats, URL categories, etc.
Manage custom reports
Create a custom report using traffic stats logs
Activity 8: Systematically Manage Unknown Traffic (Demo)
Scenario: Investigate unknown traffic, determine risk level, implement
appropriate policies
Policy considerations: Many internal applications – blocking all is
unreasonable, may be a commercial application but no App-ID, or possible
threat
PAN-OS features to highlight (Demo only):
App-ID Unknown TCP/UDP
Policy editor for unknown TCP/UDP – allow but scan
App Override, custom App-ID
Behavioral botnet report
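The unknown-traffic workflow that Activity 8 demonstrates, as PAN-OS CLI set commands: allow and scan unknown TCP/UDP between internal zones, then, once an investigated flow turns out to be an in-house application, give it a custom App-ID and an application override. This is an added example for this page, not workshop or vendor configuration; the zones trust and dmz, the server 10.20.0.5 on TCP/8123, and the names custom-erp, erp-override and allow-unknown-internal are assumptions. Lines beginning with # are commentary, not CLI input.

```text
configure

# Step 1: allow unknown-tcp/unknown-udp only between internal zones, with
# threat profiles and logging, instead of silently dropping home-grown
# protocols. Keeping the rule narrow means unknown traffic towards the
# Internet still hits the deny-all-else rule and is logged for investigation.
set rulebase security rules allow-unknown-internal from trust to dmz source any destination any source-user any application [ unknown-tcp unknown-udp ] service any action allow log-end yes
set rulebase security rules allow-unknown-internal profile-setting profiles virus default spyware default vulnerability default

# Step 2: investigation shows TCP/8123 to 10.20.0.5 is the in-house ERP client.
# A custom App-ID plus an application override classifies those sessions by
# name in the traffic log and reports. Caveat: overridden traffic bypasses
# App-ID and content inspection, so use override only for trusted internal apps.
set application custom-erp category business-systems subcategory erp-crm technology client-server risk 2
set rulebase application-override rules erp-override from trust to dmz source any destination 10.20.0.5 port 8123 protocol tcp application custom-erp
set rulebase security rules allow-erp from trust to dmz source any destination 10.20.0.5 source-user any application custom-erp service any action allow log-end yes

commit
exit

# Verification: what is still classified as unknown now that the ERP traffic
# carries its own App-ID? Each remaining entry is the next flow to investigate.
show session all filter application unknown-tcp
show session all filter application unknown-udp
```

The order of the two security rules does not matter here: the override assigns custom-erp before policy lookup, so the ERP sessions never match the unknown-tcp rule. The custom App-ID also gives the traffic a name in the top-applications reports from Activity 7, which is the practical payoff of not leaving it in the unknown bucket.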
Get Your Free AVR Report
•Request a free evaluation/AVR Report and get entered into today’s PA-200 drawing
•And get entered into the Ultimate Grand Prize Drawing
•A two-day all expense paid driving experience at the Audi Driving School in Seefeld/Tyrol Austria!