the ultimate test drive with palo alto networks · 2021. 7. 7. · every firewall competitor uses...
The Ultimate Test Drive With Palo Alto Networks
Agenda
§ Introductions, Goals and Objectives
§ Product Overview
§ Break (RDP install)
§ Hands-on Workshop
§ Lunch with Q&A
©2013, Palo Alto Networks. Confidential and Proprietary.
Goals & Objectives
By the end of this workshop you should be able to:
• Navigate the Palo Alto Networks GUI
• Create and update policies
• Understand how changes to the configuration affect the behavior of traffic across the firewall
• Understand the basic operation of Logs and Reporting
Palo Alto Networks Product Overview
Safe Harbor
• This presentation contains “forward-looking” statements that are based on our management’s beliefs and assumptions and on information currently available to management. Forward-looking statements include information concerning our possible or assumed future results of operations, business strategies, financing plans, competitive position, industry environment, potential growth opportunities, potential market opportunities and the effects of competition.
• Forward-looking statements include all statements that are not historical facts and can be identified by terms such as “anticipates,” “believes,” “could,” “seeks,” “estimates,” “intends,” “may,” “plans,” “potential,” “predicts,” “projects,” “should,” “will,” “would” or similar expressions and the negatives of those terms. Forward-looking statements involve known and unknown risks, uncertainties and other factors that may cause our actual results, performance or achievements to be materially different from any future results, performance or achievements expressed or implied by the forward-looking statements. Forward-looking statements represent our management’s beliefs and assumptions only as of the date of the prospectus. You should read the prospectus, including the Risk Factors set forth therein and the documents that we have filed as exhibits to the registration statement, of which the prospectus is a part, completely and with the understanding that our actual future results may be materially different from what we expect. Except as required by law we assume no obligation to update these forward-looking statements publicly, or to update the reasons why actual results could differ materially from those anticipated in the forward-looking statements, even if new information becomes available in the future.
Palo Alto Networks at a Glance
Corporate highlights
Founded in 2005; first customer shipment in 2007
Safely enabling applications
Able to address all network security needs
Exceptional ability to support global customers
Experienced technology and management team
850+ employees globally
[Chart: enterprise customers – 1,800 (Jul-10), 4,700 (Jul-11), 10,000 (Nov-12)]
[Chart: revenue in $MM, FYE July – FY09 $13, FY10 $49, FY11 $119, FY12 $255]
Applications Have Changed, Firewalls Haven’t
• Network security policy is enforced at the firewall
• Sees all traffic
• Defines boundary
• Enables access
• Traditional firewalls don’t work any more
Applications: Threat Vector and a Target
Threats target applications
• Used as a delivery mechanism
• Application-specific exploits
Applications: Payload Delivery/Command & Control
Applications provide exfiltration
• Confidential data
• Threat communication
Encrypted Applications: Unseen by Firewalls
What happens when traffic is encrypted?
• SSL
• Proprietary encryption
Technology Sprawl and Creep Aren’t the Answer
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address applications
[Diagram: enterprise network with a chain of firewall “helpers” (IM, DLP, IPS, Proxy, URL, AV) and a UTM between the enterprise network and the Internet]
The Answer? Make the Firewall Do Its Job
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
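Point 1 above is the core idea: classify a flow by what is in its payload, not by the port it arrives on. The following toy classifier is an added illustration of that principle and is not App-ID’s implementation; the byte patterns for SSH, TLS, HTTP and RDP are the real protocol framing, the application names mirror App-ID’s naming, and the sample flows are constructed.

```python
"""Toy port-independent application identification, in the spirit of App-ID:
classify a flow by the first bytes of its payload, ignoring the port."""


def identify_app(first_bytes, dst_port=None):
    """Return an application name from payload content alone.

    dst_port is accepted only so callers can compare the content verdict
    against the port-based assumption; it never influences the result.
    """
    b = first_bytes
    # SSH identification string (RFC 4253) is sent in clear before key exchange.
    if b.startswith(b"SSH-2.0-") or b.startswith(b"SSH-1.99-"):
        return "ssh"
    # TLS record: content type 0x16 (handshake), version major 3, then a
    # handshake header whose type 0x01 is ClientHello.
    if len(b) >= 6 and b[0] == 0x16 and b[1] == 0x03 and b[5] == 0x01:
        return "ssl"
    # HTTP request line: method, request-target, version.
    http_methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                    b"OPTIONS ", b"CONNECT ")
    if b.startswith(http_methods) and b" HTTP/1." in b.split(b"\r\n", 1)[0]:
        return "web-browsing"
    # RDP: TPKT header (version 3, reserved 0, length) followed by an X.224
    # Connection Request whose code byte is 0xE0.
    if len(b) >= 6 and b[0] == 0x03 and b[1] == 0x00 and b[5] == 0xE0:
        return "ms-rdp"
    return "unknown-tcp"


# What a port-based policy would assume the application is.
PORT_ASSUMPTION = {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "ms-rdp"}


def compare_port_vs_content(flows):
    """For (dst_port, payload) pairs, return (port, by_port, by_content,
    mismatch) rows showing where a port-based decision would be wrong."""
    out = []
    for port, payload in flows:
        by_port = PORT_ASSUMPTION.get(port, "unknown-tcp")
        by_content = identify_app(payload, port)
        out.append((port, by_port, by_content, by_port != by_content))
    return out


# Constructed sample flows (not captures from a real network).
SAMPLE_FLOWS = [
    (22, b"SSH-2.0-OpenSSH_6.2\r\n"),
    (443, b"SSH-2.0-OpenSSH_6.2\r\n"),            # SSH hiding on 443
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (8080, bytes([0x16, 0x03, 0x01, 0x00, 0xDC, 0x01, 0x00, 0x00, 0xD8,
                  0x03, 0x03])),                    # TLS ClientHello on 8080
    (443, bytes([0x03, 0x00, 0x00, 0x13, 0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00,
                 0x00, 0x01, 0x00, 0x08, 0x00, 0x03, 0x00, 0x00, 0x00])),  # RDP on 443
    (4444, b"\x00\x01\x02\x03\x04\x05"),            # nothing recognisable
]

if __name__ == "__main__":
    for port, by_port, by_content, mismatch in compare_port_vs_content(SAMPLE_FLOWS):
        flag = "MISMATCH" if mismatch else "ok"
        print(f"port {port:5d}  port-based={by_port:13s} content={by_content:13s} {flag}")
```

Three of the six constructed flows are mis-classified by port alone (SSH and RDP on 443, TLS on 8080); a real engine also has to handle payloads that arrive after the first packet, evasive wrappers, and decryption, which is why the slides list those separately.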
Differentiating: App-ID vs. Two Step Scanning
§ Operational ramifications of two step scanning
  § Two separate policies with duplicate info – impossible to reconcile them
  § Two log databases decrease visibility
  § Unable to systematically manage unknown traffic
  § Weakens the deny-all-else premise
§ Every firewall competitor uses two step scanning
[Diagram: two step scanning – the firewall makes a port policy decision (“allow port 80 traffic”), then a separate IPS/app-control policy decision over the 300 or more applications that can ride on that port]
Enabling Applications, Users and Content
Making the Firewall a Business Enablement Tool
§ Applications: Enablement begins with application classification by App-ID.
§ Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
§ Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.
Single Pass Platform Architecture
PAN-OS Core Firewall Features
§ Strong networking foundation
  § Dynamic routing (BGP, OSPF, RIPv2)
  § Tap mode – connect to SPAN port
  § Virtual wire (“Layer 1”) for true transparent in-line deployment
  § L2/L3 switching foundation
  § Policy-based forwarding
§ VPN
  § Site-to-site IPSec VPN
  § Remote Access (SSL) VPN
§ QoS traffic shaping
  § Max/guaranteed and priority
  § By user, app, interface, zone, & more
  § Real-time bandwidth monitor
§ Zone-based architecture
  § All interfaces assigned to security zones for policy enforcement
§ High Availability
  § Active/active, active/passive
  § Configuration and session synchronization
  § Path, link, and HA monitoring
§ Virtual Systems
  § Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, PA-3000, and PA-2000 Series)
§ Simple, flexible management
  § CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content complement core firewall features
Next-Generation Firewall Virtualized Platforms
Specifications

Model    Sessions   Rules   Security Zones   Address Objects   IPSec VPN Tunnels   SSL VPN Tunnels
VM-100    50,000      250         10              2,500              25                 25
VM-200   100,000    2,000         20              4,000             500                200
VM-300   250,000    5,000         40             10,000           2,000                500

Supported on VMware ESX/ESXi 4.0 or later
Minimum of 2 CPU cores, 4GB RAM, 40GB HD, 2 interfaces
Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames

Performance

Cores Allocated   Firewall (App-ID)   Threat Prevention   VPN        Sessions per Second
2 Core            500 Mbps            200 Mbps            100 Mbps   8,000
4 Core            1 Gbps              600 Mbps            250 Mbps   8,000
8 Core            1 Gbps              1 Gbps              400 Mbps   8,000
Enterprise-wide Next-Generation Firewall

Security Perimeter
• App visibility and control in the firewall – all apps, all ports, all the time
• Prevent threats – known threats, unknown/targeted malware
• Simplify security infrastructure

Data Center
• Network segmentation based on application and user, not port/IP
• Simple, flexible network security – integration into all DC designs
• Highly available, high performance
• Prevent threats

Distributed Enterprise
• Consistent network security everywhere – HQ/branch offices/remote and mobile users
• Logical perimeter – policy follows applications and users, not physical location
• Centrally managed
Addresses Three Key Business Problems
§ Safely Enable Applications
  § Identify more than 1,500 applications, regardless of port, protocol, encryption, or evasive tactic
  § Fine-grained control over applications/application functions (allow, deny, limit, scan, shape)
  § Addresses the key deficiencies of legacy firewall infrastructure
  § Systematic management of unknown applications
§ Prevent Threats
  § Stop a variety of known threats – exploits (by vulnerability), viruses, spyware
  § Detect and stop unknown threats with WildFire
  § Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
  § Enforce acceptable use policies on users for general web site browsing
§ Simplify Security Infrastructure
  § Put the firewall at the center of the network security infrastructure
  § Reduce complexity in architecture and operations
Many Third Parties Reach Same Conclusion
§ Gartner Enterprise Network Firewall Magic Quadrant
  § Palo Alto Networks leading the market
§ Forrester IPS Market Overview
  § Strong IPS solution; demonstrates effective consolidation
§ NetworkWorld Test
  § Most stringent NGFW test to date; validated sustained performance
§ NSS Tests
  § IPS: Palo Alto Networks NGFW tested against competitors’ standalone IPS devices; NSS Recommended
  § Firewall: Traditional port-based firewall test; Palo Alto Networks most efficient by a wide margin; NSS Recommended
  § NGFW: Palo Alto Networks provides the best combination of protection, performance, and value; NSS Recommended (1 of only 3 NGFW recommended)
Hands-on Workshop
Activity 1: Controlling Social Media
§ Scenario: Every organization is trying to determine how to exert controls over social media applications – allowing them all is high risk while blocking them all can cripple the business.
§ Policy considerations: who can use social media, what are the risks of data loss/data transfer, and how to eliminate the propagation of malware
§ PAN-OS features to be used:
  § App-ID and function control
  § User-ID
  § Logging and reporting for verification
Activity 2: Controlling Evasive Applications
§ Scenario: Evasive applications are found on almost every network. Some are purposely evasive, making every effort to avoid controls and hide. Examples include Ultrasurf, Tor and P2P.
§ Policy considerations for controlling applications include: protection from RIAA threats, data loss – both inadvertent or otherwise, and malware propagation
§ PAN-OS features to be used:
  § App-ID and dynamic filters
  § User-ID
  § Logging and reporting for verification
Activity 3: Applications on Non-Standard Ports
§ Scenario: Limit the use of remote access tools to IT and support; force them over their standard port (SSH)
§ Policy considerations: Control which applications and users can punch through the firewall
§ PAN-OS features to be used:
  § Logging and reporting to show SSH on non-standard ports
  § App-ID, groups function and service (port)
  § User-ID (groups)
  § Logging and reporting for verification
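The verification step of this activity, as an added example that is not part of the original deck: run the firewall’s traffic log export through a script that finds remote-access applications seen on a port other than their standard one and remote-access flows by users outside the permitted group. The column names follow a Monitor > Logs > Traffic CSV export, reduced to the columns used here (a real export has many more); the standard-port map, the permitted user list and the log rows are constructed for the example.

```python
"""Find SSH (and other remote-access apps) on non-standard ports in a PAN-OS
traffic-log CSV export, and flag users outside the permitted group."""
import csv
import io

# Standard ports an application would be confined to with a security rule
# whose service is application-default. Hypothetical subset for this example;
# the firewall keeps its own per-app defaults in the App-ID database.
STANDARD_PORTS = {
    "ssh": {22},
    "ms-rdp": {3389},
    "vnc": {5900},
    "telnet": {23},
}

# Users allowed to use remote-access tools (assumed group membership; on the
# firewall this would be a User-ID group in the rule's source-user field).
PERMITTED_USERS = {"corp\\jdoe", "corp\\helpdesk1"}

# Constructed sample rows in the column layout of a traffic CSV export,
# reduced to the columns used here.
SAMPLE_CSV = """Receive Time,Source address,Source User,Destination address,Destination Port,Application,Action,Rule
2013/03/14 09:01:02,10.1.1.50,corp\\jdoe,192.0.2.10,22,ssh,allow,allow-ssh-it
2013/03/14 09:02:11,10.1.1.77,corp\\asmith,198.51.100.5,443,ssh,allow,allow-web
2013/03/14 09:03:45,10.1.1.50,corp\\jdoe,192.0.2.10,2222,ssh,allow,allow-any
2013/03/14 09:04:01,10.1.1.90,corp\\bjones,203.0.113.8,8080,ms-rdp,allow,allow-web
2013/03/14 09:05:30,10.1.1.50,corp\\jdoe,192.0.2.11,3389,ms-rdp,allow,allow-rdp-it
2013/03/14 09:06:00,10.1.1.22,corp\\asmith,192.0.2.12,22,ssh,deny,deny-ssh-users
"""


def parse_traffic_csv(text):
    """Rows as dicts keyed by the export's header names."""
    return list(csv.DictReader(io.StringIO(text)))


def non_standard_port_flows(rows):
    """Rows where an app with a known standard port was seen on another port."""
    hits = []
    for r in rows:
        app = r["Application"]
        if app in STANDARD_PORTS and int(r["Destination Port"]) not in STANDARD_PORTS[app]:
            hits.append(r)
    return hits


def unauthorized_remote_access(rows):
    """Allowed remote-access flows whose user is outside the permitted group."""
    return [r for r in rows
            if r["Application"] in STANDARD_PORTS
            and r["Action"] == "allow"
            and r["Source User"].lower() not in PERMITTED_USERS]


def rules_to_tighten(rows):
    """Rules that allowed an app on a non-standard port: candidates for
    switching their service from 'any' to application-default."""
    return sorted({r["Rule"] for r in non_standard_port_flows(rows)
                   if r["Action"] == "allow"})


if __name__ == "__main__":
    rows = parse_traffic_csv(SAMPLE_CSV)
    for r in non_standard_port_flows(rows):
        print(f"non-standard port: {r['Application']} -> {r['Destination address']}:"
              f"{r['Destination Port']} by {r['Source User']} (rule {r['Rule']})")
    for r in unauthorized_remote_access(rows):
        print(f"unauthorized user: {r['Source User']} used {r['Application']} via rule {r['Rule']}")
    print("rules to tighten:", rules_to_tighten(rows))
```

In the sample, SSH on 443 and 2222 and RDP on 8080 all got through rules that match on port rather than application; the fix the activity is driving at is a rule that allows the ssh application for the IT group only, with the service set to application-default, and a deny for everyone else.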
Activity 4: Decryption
§ Scenario: More and more traffic is encrypted with SSL by default, making it difficult to allow and scan that traffic, yet blindly allowing it is high risk. Policy-based SSL decryption lets you enable encrypted applications, apply policy, then re-encrypt and send the traffic to its final destination. Forward-proxy decryption only works for clients that trust the firewall’s signing certificate, so that trust has to be in place before the policy is enabled.
§ Policy considerations: Which applications to decrypt, protection from malware propagation and data/file transfer
§ PAN-OS features to be used:
  § App-ID
  § User-ID
  § SSL decryption
  § Logging and reporting for verification
Activity 5: Modern Malware Protection
§ Scenario: Modern malware is at the heart of many of today's most sophisticated network attacks, and is increasingly customized to avoid traditional security solutions. WildFire exposes targeted and unknown malware through direct observation in a virtual environment, while the next-generation firewall ensures full visibility and control of all traffic including tunneled, evasive, encrypted and even unknown traffic.
§ Policy considerations: Which applications to apply the WildFire file blocking/upload profile to
§ PAN-OS features to be used:
  § Profiles: Virus, Spyware, file blocking & WildFire
  § WildFire portal
  § Logging and reporting for verification
Activity 6: URL Filtering
§ Scenario: Application control and URL filtering complement each other, providing you with the ability to deliver varied levels of control that are appropriate for your security profile.
§ Policy considerations: URL category access; which users can or cannot access the URL category, and prevention of malware propagation
§ PAN-OS features to be used:
  § URL filtering category match
  § Logging and reporting for verification
Activity 7: Traffic Reporting
§ Scenario: Define and generate traffic reports required by management
§ PAN-OS features to be used:
  § Reporting (pre-defined): top applications, threats, URL categories, etc.
  § Manage custom reports
  § Create a custom report using traffic stats logs
Activity 8: Systematically Manage Unknown Traffic (Demo)
§ Scenario: Investigate unknown traffic, determine risk level, implement appropriate policies
§ Policy considerations: Many internal applications – blocking all is unreasonable; the traffic may be a commercial application with no App-ID yet, or a possible threat
§ PAN-OS features to highlight (Demo only):
  § App-ID Unknown TCP/UDP
  § Policy editor for unknown TCP/UDP – allow but scan
  § App Override, custom App-ID
  § Behavioral botnet report
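The investigation step of this demo, as an added example that is not from the original deck: group the unknown-tcp/unknown-udp rows of a traffic log export by destination and port, then suggest which of the three dispositions the slide lists (custom App-ID or app override for an internal app, allow-but-scan, or review as a possible threat) fits each group. The column names follow a traffic CSV export reduced to the columns used here; the internal address ranges, the triage thresholds and the log rows are assumptions made for the example, not PAN-OS logic.

```python
"""Triage of unknown-tcp/unknown-udp flows from a PAN-OS traffic-log CSV
export: group by destination and port, then suggest a disposition."""
import csv
import io
import ipaddress
from collections import defaultdict

# Address ranges treated as internal (assumed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample rows in the column layout of a traffic CSV export,
# reduced to the columns used here.
SAMPLE_CSV = """Receive Time,Source address,Destination address,Destination Port,IP Protocol,Application,Bytes,Action
2013/03/14 10:00:01,10.1.1.11,10.2.0.5,7001,tcp,unknown-tcp,48211,allow
2013/03/14 10:00:09,10.1.1.12,10.2.0.5,7001,tcp,unknown-tcp,51020,allow
2013/03/14 10:00:15,10.1.1.13,10.2.0.5,7001,tcp,unknown-tcp,47733,allow
2013/03/14 10:01:30,10.1.1.40,198.51.100.77,6667,tcp,unknown-tcp,1200,allow
2013/03/14 10:02:30,10.1.1.40,198.51.100.77,6667,tcp,unknown-tcp,1180,allow
2013/03/14 10:03:30,10.1.1.40,198.51.100.77,6667,tcp,unknown-tcp,1210,allow
2013/03/14 10:04:00,10.1.1.55,10.3.0.9,514,udp,syslog,900,allow
2013/03/14 10:05:00,10.1.1.60,203.0.113.20,9000,udp,unknown-udp,600,allow
"""


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def aggregate_unknown(rows):
    """Group unknown-tcp/unknown-udp flows by (dst, port, proto), collecting
    distinct sources, flow count and bytes."""
    agg = defaultdict(lambda: {"sources": set(), "flows": 0, "bytes": 0})
    for r in rows:
        if r["Application"] not in ("unknown-tcp", "unknown-udp"):
            continue
        key = (r["Destination address"], int(r["Destination Port"]), r["IP Protocol"])
        agg[key]["sources"].add(r["Source address"])
        agg[key]["flows"] += 1
        agg[key]["bytes"] += int(r["Bytes"])
    return agg


def triage(agg, min_sources_for_internal_app=2):
    """Suggested disposition per group. The heuristics are assumptions for
    this example:
    - internal server with several clients: likely an in-house application,
      define a custom App-ID or an app override rule, then allow with scanning
    - external destination, one source, repeated small flows: beaconing
      pattern, review against the behavioral botnet report before allowing
    - anything else: allow but scan, and revisit once more data is collected
    """
    verdicts = {}
    for key, v in agg.items():
        dst = key[0]
        n_src = len(v["sources"])
        avg_bytes = v["bytes"] / v["flows"]
        if is_internal(dst) and n_src >= min_sources_for_internal_app:
            verdicts[key] = "internal-app: define custom App-ID / app override, allow and scan"
        elif not is_internal(dst) and n_src == 1 and v["flows"] >= 3 and avg_bytes < 2000:
            verdicts[key] = "possible beacon: review in botnet report, consider block"
        else:
            verdicts[key] = "allow but scan; collect more data"
    return verdicts


def triage_csv(text):
    return triage(aggregate_unknown(list(csv.DictReader(io.StringIO(text)))))


if __name__ == "__main__":
    for (dst, port, proto), verdict in triage_csv(SAMPLE_CSV).items():
        print(f"{dst}:{port}/{proto}  {verdict}")
```

The thresholds are deliberately simple; the point is the workflow the slide describes: unknown traffic is sorted into groups that can be named (custom App-ID), groups that can be tolerated under scanning, and groups that need a threat investigation, rather than being allowed or blocked wholesale.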
Get Your Free AVR Report
• Request a free evaluation/AVR Report and get entered into today’s PA-200 drawing
• Wednesday, March 14, 2012
• Palo Alto Networks • 3300 Olcott Drive • Santa Clara, CA 95054 • Sales 866-207-0077 • www.paloaltonetworks.com
• And get entered into the Ultimate Grand Prize Drawing: a two-day all expense paid driving experience at the Audi Driving School in Seefeld/Tyrol Austria!
Thank You
© 2012 Palo Alto Networks. Proprietary and Confidential.