palo alto safe application enablement


Upload: responsedatacomms

Post on 28-Jan-2015

TRANSCRIPT

Page 1: Palo alto   safe application enablement


PALO ALTO

SAFE APPLICATION ENABLEMENT

Page 2: Palo alto   safe application enablement

Palo Alto Networks Product Overview

James Sherlow

SE Manager WEUR & [email protected]

@jsherlow

Page 3: Palo alto   safe application enablement

Palo Alto Networks at a Glance

Corporate Highlights

• Disruptive Network Security Platform
• Safely Enabling Applications
• Able to Address All Network Security Needs
• Exceptional Growth and Global Presence
• Experienced Technology and Management Team
• 800+ Employees

[Chart: Revenue ($MM, FYE July): FY09 $13, FY10 $49, FY11 $119, FY12 $255]

[Chart: Enterprise Customers: Jul-10 1,800; Jul-11 4,700; Jul-12 9,000]

3 | ©2012, Palo Alto Networks. Confidential and Proprietary.

Page 4: Palo alto   safe application enablement

Applications Get Through the Firewall

Network security policy is enforced at the firewall
• Sees all traffic
• Defines boundary
• Enables access

Traditional firewalls don’t work any more

Page 5: Palo alto   safe application enablement

Applications Get Through the Firewall: Threats

Threats target applications
• Used as a threat vector
• Application specific exploits

Page 6: Palo alto   safe application enablement

Applications Get Through the Firewall: Exfiltration

Applications provide exfiltration
• Threat communication
• Confidential data

Page 7: Palo alto   safe application enablement

Applications Get Through the Firewall: Encryption

What happens when traffic is encrypted?
• SSL
• Proprietary encryption

Page 8: Palo alto   safe application enablement

Technology Sprawl and Creep Aren’t the Answer

Enterprise Network

• “More stuff” doesn’t solve the problem

• Firewall “helpers” have limited view of traffic

• Complex and costly to buy and maintain

• Doesn’t address application control challenges

[Diagram labels: Internet, UTM, IM, DLP, IPS, Proxy, URL, AV]

Page 9: Palo alto   safe application enablement

The Answer? Make the Firewall Do Its Job

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify and control users regardless of IP address, location, or device

3. Protect against known and unknown application-borne threats

4. Fine-grained visibility and policy control over application access / functionality

5. Multi-gigabit, low latency, in-line deployment


Page 10: Palo alto   safe application enablement

Why Visibility & Control Must Be In The Firewall

Application Control as an Add-on
• Port-based FW + App Ctrl (IPS) = two policies
• Applications are threats; only block what you expressly look for

Implications
• Network access decision is made with no information
• Cannot safely enable applications

[Diagram labels: Traffic, Port, Firewall (Port Policy Decision), Applications, IPS (App Ctrl Policy Decision)]

NGFW Application Control
• Application control is in the firewall = single policy
• Visibility across all ports, for all traffic, all the time

Implications
• Network access decision is made based on application identity
• Safely enable application usage

[Diagram labels: Traffic, Application, Firewall (App Ctrl Policy Decision), Applications, IPS (Scan Application for Threats)]

Page 11: Palo alto   safe application enablement

Enabling Applications, Users and Content


Page 12: Palo alto   safe application enablement

Enabling Applications, Users and Content

• Applications: Safe enablement begins with application classification by App-ID.

• Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.

• Content: Scanning content and protecting against all threats – both known and unknown; with Content-ID and WildFire.


Page 13: Palo alto   safe application enablement

Single-Pass Parallel Processing™ (SP3) Architecture

Single Pass
• Operations once per packet
  – Traffic classification (app identification)
  – User/group mapping
  – Content scanning – threats, URLs, confidential data
• One policy

Parallel Processing
• Function-specific parallel processing hardware engines
• Separate data/control planes

Up to 20Gbps, Low Latency

Page 14: Palo alto   safe application enablement

PAN-OS Core Firewall Features

• Strong networking foundation
  – Dynamic routing (BGP, OSPF, RIPv2)
  – Tap mode – connect to SPAN port
  – Virtual wire (“Layer 1”) for true transparent in-line deployment
  – L2/L3 switching foundation
  – Policy-based forwarding

• VPN
  – Site-to-site IPSec VPN
  – SSL VPN

• QoS traffic shaping
  – Max/guaranteed and priority
  – By user, app, interface, zone, & more
  – Real-time bandwidth monitor

• Zone-based architecture
  – All interfaces assigned to security zones for policy enforcement

• High Availability
  – Active/active, active/passive
  – Configuration and session synchronization
  – Path, link, and HA monitoring

• Virtual Systems
  – Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, and PA-2000 Series)

• Simple, flexible management
  – CLI, Web, Panorama, SNMP, Syslog

Visibility and control of applications, users and content complement core firewall features

Page 15: Palo alto   safe application enablement

Palo Alto Networks NGFW Hardware Platforms

| Firewall | Firewall Throughput | Threat Prevention Throughput | Ports | Session Capacity |
|---|---|---|---|---|
| PA-5060 | 20 Gbps | 10 Gbps | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 4,000,000 |
| PA-5050 | 10 Gbps | 5 Gbps | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 2,000,000 |
| PA-5020 | 5 Gbps | 2 Gbps | 8 SFP, 12 copper gigabit | 1,000,000 |
| PA-4060 | 10 Gbps | 5 Gbps | 4 XFP (10 Gig), 4 SFP (1 Gig) | 2,000,000 |
| PA-4050 | 10 Gbps | 5 Gbps | 8 SFP, 16 copper gigabit | 2,000,000 |
| PA-4020 | 2 Gbps | 2 Gbps | 8 SFP, 16 copper gigabit | 500,000 |
| PA-3050 | 4 Gbps | 2 Gbps | 8 SFP, 12 copper gigabit | 500,000 |
| PA-3020 | 2 Gbps | 1 Gbps | 8 SFP, 12 copper gigabit | 250,000 |
| PA-2050 | 1 Gbps | 500 Mbps | 4 SFP, 16 copper gigabit | 250,000 |
| PA-2020 | 500 Mbps | 250 Mbps | 8 copper gigabit | 125,000 |
| PA-500 | 250 Mbps | 100 Mbps | 8 copper gigabit | 64,000 |
| PA-200 | 100 Mbps | 50 Mbps | 4 copper gigabit | 64,000 |

Page 16: Palo alto   safe application enablement

Palo Alto Networks NGFW Virtualized Platforms

• Delivers the same next-generation firewall features available in our hardware platforms in a virtualized form-factor

Capacities

| Model | Sessions | Rules | Security Zones | Address Objects | IPSec VPN Tunnels | SSL VPN Tunnels |
|---|---|---|---|---|---|---|
| VM-100 | 50,000 | 250 | 10 | 2,500 | 25 | 25 |
| VM-200 | 100,000 | 2,000 | 20 | 4,000 | 500 | 200 |
| VM-300 | 250,000 | 5,000 | 40 | 10,000 | 2,000 | 500 |

Performance

| Cores Allocated | Firewall (App-ID) | Threat Prevention | VPN | Sessions per Second |
|---|---|---|---|---|
| 2 Core | 500 Mbps | 200 Mbps | 100 Mbps | 8,000 |
| 4 Core | 1 Gbps | 600 Mbps | 250 Mbps | 8,000 |
| 8 Core | 1 Gbps | 1 Gbps | 400 Mbps | 8,000 |

Supported on VMware ESX/ESXi 4.0 or later

Minimum of 2 dedicated CPU cores, 4GB dedicated RAM, 40GB HD, 2 interfaces

Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames

Page 17: Palo alto   safe application enablement

NGFW in The Enterprise Network

Perimeter
• App visibility and control in the firewall
• All apps, all ports, all the time
• Prevent threats
• Known threats
• Unknown/targeted malware
• Simplify security infrastructure

Data Center
• Network segmentation
• Based on application and user, not port/IP
• Simple, flexible network security
• Integration into all DC designs
• Highly available, high performance
• Prevent threats

Distributed Enterprise
• Consistent network security everywhere
• HQ/branch offices/remote and mobile users
• Logical perimeter
• Policy follows applications and users, not physical location
• Centrally managed

Page 18: Palo alto   safe application enablement

Addresses Three Key Business Problems

• Identify and Control Applications
  – Identifies over 1,500 applications, regardless of port, protocol, encryption, or evasive tactic
  – Fine-grained control over applications (allow, deny, limit, scan, shape)
  – Addresses the key deficiencies of legacy firewall infrastructure

• Prevent Threats
  – Stop a variety of known threats – exploits (by vulnerability), viruses, spyware
  – Detect and stop unknown threats with WildFire
  – Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
  – Enforce acceptable use policies on users for general web site browsing

• Simplify Security Infrastructure
  – Put the firewall at the center of the network security infrastructure
  – Reduce complexity in architecture and operations

Page 19: Palo alto   safe application enablement

Many Third Parties Reach Same Conclusion

• Gartner Enterprise Network Firewall Magic Quadrant
  - Palo Alto Networks leading the market

• Forrester IPS Market Overview
  - Strong IPS solution; demonstrates effective consolidation

• NetworkWorld Test
  - Most stringent NGFW test to date; validated sustained performance and key differences

• NSS Tests
  - IPS: Palo Alto Networks NGFW tested against competitors’ standalone IPS devices; NSS Recommended
  - Firewall: traditional port-based firewall test; Palo Alto Networks most efficient by a wide margin; NSS Recommended
  - NGFW: Palo Alto Networks best combination of protection, performance, and value; NSS Recommended (1 of only 3)
