The Ultimate Test Drive With Palo Alto Networks

Upload: phamcong

Post on 13-Aug-2018


Page 1: The Ultimate Test Drive With Palo Alto Networks · Safe Harbor 5 | ©2013, Palo Alto Networks. Confidential and Proprietary. •This presentation contains “forward-looking” statements

The Ultimate Test Drive With Palo Alto Networks


Agenda

§  Introductions, Goals and Objectives

§  Product Overview

§  Break (RDP install)

§  Hands-on Workshop

§  Lunch with Q&A


Goals & Objectives


By the end of this workshop you should be able to:

• Navigate the Palo Alto Networks GUI

• Create and update policies

• Understand how changes to the configuration affect the behavior of traffic across the firewall

• Understand the basic operation of Logs and Reporting


Palo Alto Networks Product Overview


Safe Harbor


• This presentation contains “forward-looking” statements that are based on our management’s beliefs and assumptions and on information currently available to management. Forward-looking statements include information concerning our possible or assumed future results of operations, business strategies, financing plans, competitive position, industry environment, potential growth opportunities, potential market opportunities and the effects of competition.

• Forward-looking statements include all statements that are not historical facts and can be identified by terms such as “anticipates,” “believes,” “could,” “seeks,” “estimates,” “intends,” “may,” “plans,” “potential,” “predicts,” “projects,” “should,” “will,” “would” or similar expressions and the negatives of those terms. Forward-looking statements involve known and unknown risks, uncertainties and other factors that may cause our actual results, performance or achievements to be materially different from any future results, performance or achievements expressed or implied by the forward-looking statements. Forward-looking statements represent our management’s beliefs and assumptions only as of the date of the prospectus. You should read the prospectus, including the Risk Factors set forth therein and the documents that we have filed as exhibits to the registration statement, of which the prospectus is a part, completely and with the understanding that our actual future results may be materially different from what we expect. Except as required by law we assume no obligation to update these forward-looking statements publicly, or to update the reasons why actual results could differ materially from those anticipated in the forward-looking statements, even if new information becomes available in the future.


Palo Alto Networks at a Glance

Corporate highlights

Founded in 2005; first customer shipment in 2007

Safely enabling applications

Able to address all network security needs

Exceptional ability to support global customers

Experienced technology and management team

850+ employees globally

[Chart: Enterprise customers at Jul-10, Jul-11 and Nov-12; data labels 1.800, 4.700, 10.000]

[Chart: Revenue in $MM (FYE July) for FY09, FY10, FY11, FY12; data labels $13, $49, $119, $255]


Applications Have Changed, Firewalls Haven’t


• Network security policy is enforced at the firewall
   • Sees all traffic
   • Defines boundary
   • Enables access
• Traditional firewalls don’t work any more


Applications: Threat Vector and a Target


Threats target applications
   • Used as a delivery mechanism
   • Application specific exploits


Applications: Payload Delivery/Command & Control


Applications provide exfiltration
   • Confidential data
   • Threat communication


Encrypted Applications: Unseen by Firewalls


What happens when traffic is encrypted?
   • SSL
   • Proprietary encryption


Technology Sprawl and Creep Aren’t the Answer


• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address applications

[Diagram labels: Internet; UTM; Enterprise Network; firewall helpers: IM, DLP, IPS, Proxy, URL, AV]


The Answer? Make the Firewall Do Its Job

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify and control users regardless of IP address, location, or device

3. Protect against known and unknown application-borne threats

4. Fine-grained visibility and policy control over application access / functionality

5. Multi-gigabit, low latency, in-line deployment


Differentiating: App-ID vs. Two Step Scanning

§  Operational ramifications of two step scanning
   §  Two separate policies with duplicate info – impossible to reconcile them
   §  Two log databases decrease visibility
   §  Unable to systematically manage unknown traffic
   §  Weakens the deny-all-else premise

§  Every firewall competitor uses two step scanning


[Diagram labels: Traffic (300 or more applications); Firewall, Port Policy Decision: allow port 80 traffic (300 or more applications); IPS, App Ctrl Policy Decision (300 or more applications); Applications]


Enabling Applications, Users and Content


Making the Firewall a Business Enablement Tool

§  Applications: Enablement begins with application classification by App-ID.

§  Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.

§  Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.


Single Pass Platform Architecture


PAN-OS Core Firewall Features

§  Strong networking foundation
   §  Dynamic routing (BGP, OSPF, RIPv2)
   §  Tap mode – connect to SPAN port
   §  Virtual wire (“Layer 1”) for true transparent in-line deployment
   §  L2/L3 switching foundation
   §  Policy-based forwarding

§  VPN
   §  Site-to-site IPSec VPN
   §  Remote Access (SSL) VPN

§  QoS traffic shaping
   §  Max/guaranteed and priority
   §  By user, app, interface, zone, & more
   §  Real-time bandwidth monitor

§  Zone-based architecture
   §  All interfaces assigned to security zones for policy enforcement

§  High Availability
   §  Active/active, active/passive
   §  Configuration and session synchronization
   §  Path, link, and HA monitoring

§  Virtual Systems
   §  Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, PA-3000, and PA-2000 Series)

§  Simple, flexible management
   §  CLI, Web, Panorama, SNMP, Syslog


Visibility and control of applications, users and content complement core firewall features


Next-Generation Firewall Virtualized Platforms


Specifications

| Model  | Sessions | Rules | Security Zones | Address Objects | IPSec VPN Tunnels | SSL VPN Tunnels |
|--------|----------|-------|----------------|-----------------|-------------------|-----------------|
| VM-100 | 50,000   | 250   | 10             | 2,500           | 25                | 25              |
| VM-200 | 100,000  | 2,000 | 20             | 4,000           | 500               | 200             |
| VM-300 | 250,000  | 5,000 | 40             | 10,000          | 2,000             | 500             |

Supported on VMware ESX/ESXi 4.0 or later

Minimum of 2 CPU cores, 4GB RAM, 40GB HD, 2 interfaces

Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames

Performance

| Cores Allocated | Firewall (App-ID) | Threat Prevention | VPN      | Sessions per Second |
|-----------------|-------------------|-------------------|----------|---------------------|
| 2 Core          | 500 Mbps          | 200 Mbps          | 100 Mbps | 8,000               |
| 4 Core          | 1 Gbps            | 600 Mbps          | 250 Mbps | 8,000               |
| 8 Core          | 1 Gbps            | 1 Gbps            | 400 Mbps | 8,000               |


Enterprise-wide Next-Generation Firewall Security

Perimeter
• App visibility and control in the firewall
   • All apps, all ports, all the time
• Prevent threats
   • Known threats
   • Unknown/targeted malware
• Simplify security infrastructure

Data Center
• Network segmentation
   • Based on application and user, not port/IP
• Simple, flexible network security
   • Integration into all DC designs
• Highly available, high performance
• Prevent threats

Distributed Enterprise
• Consistent network security everywhere
   • HQ/branch offices/remote and mobile users
• Logical perimeter
   • Policy follows applications and users, not physical location
• Centrally managed


Addresses Three Key Business Problems

§  Safely Enable Applications
   §  Identify more than 1,500 applications, regardless of port, protocol, encryption, or evasive tactic
   §  Fine-grained control over applications/application functions (allow, deny, limit, scan, shape)
   §  Addresses the key deficiencies of legacy firewall infrastructure
   §  Systematic management of unknown applications

§  Prevent Threats
   §  Stop a variety of known threats – exploits (by vulnerability), viruses, spyware
   §  Detect and stop unknown threats with WildFire
   §  Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
   §  Enforce acceptable use policies on users for general web site browsing

§  Simplify Security Infrastructure
   §  Put the firewall at the center of the network security infrastructure
   §  Reduce complexity in architecture and operations


Many Third Parties Reach Same Conclusion

§  Gartner Enterprise Network Firewall Magic Quadrant
   §  Palo Alto Networks leading the market

§  Forrester IPS Market Overview
   §  Strong IPS solution; demonstrates effective consolidation

§  NetworkWorld Test
   §  Most stringent NGFW test to date; validated sustained performance

§  NSS Tests
   §  IPS: Palo Alto Networks NGFW tested against competitors’ standalone IPS devices; NSS Recommended
   §  Firewall: Traditional port-based firewall test; Palo Alto Networks most efficient by a wide margin; NSS Recommended
   §  NGFW: Palo Alto Networks provides the best combination of protection, performance, and value; NSS Recommended (1 of only 3 NGFW recommended)


Hands-on Workshop


Activity 1: Controlling Social Media

§  Scenario: Every organization is trying to determine how to exert controls over social media applications – allowing them all is high risk while blocking them all can cripple the business.

§  Policy considerations: who can use social media, what are the risks of data loss/data transfer, and how to eliminate the propagation of malware

§  PAN-OS features to be used:
   §  App-ID and function control
   §  User-ID
   §  Logging and reporting for verification


Activity 2: Controlling Evasive Applications

§  Scenario: Evasive applications are found on almost every network. Some are purposely evasive, making every effort to avoid controls and hide. Examples include Ultrasurf, Tor and P2P.

§  Policy considerations for controlling applications include: Protection from RIAA threats, data loss – both inadvertent or otherwise, and malware propagation

§  PAN-OS features to be used:
   §  App-ID and dynamic filters
   §  User-ID
   §  Logging and reporting for verification


Activity 3: Applications on Non-Standard Ports

§  Scenario: Limit the use of remote access tools to IT and support; force over their standard port (SSH)

§  Policy considerations: Control which applications and users can punch through the firewall

§  PAN-OS features to be used:
   §  Logging and reporting to show SSH on non-standard ports
   §  App-ID, groups function and service (port)
   §  User-ID (groups)
   §  Logging and reporting for verification


Activity 4: Decryption

§  Scenario: More and more traffic is encrypted with SSL by default, making it difficult to allow and scan that traffic, yet blindly allowing it is high risk. Using policy-based SSL decryption will allow you to enable encrypted applications, apply policy, then re-encrypt and send the traffic to its final destination.

§  Policy considerations: Which applications to decrypt, protection from malware propagation and data/file transfer

§  PAN-OS features to be used:
   §  App-ID
   §  User-ID
   §  SSL decryption
   §  Logging and reporting for verification


Activity 5: Modern Malware Protection

§  Scenario: Modern malware is at the heart of many of today's most sophisticated network attacks, and is increasingly customized to avoid traditional security solutions. WildFire exposes targeted and unknown malware through direct observation in a virtual environment, while the next-generation firewall ensures full visibility and control of all traffic including tunneled, evasive, encrypted and even unknown traffic.

§  Policy considerations: Which applications to apply the WildFire file blocking/upload profile to

§  PAN-OS features to be used:
   §  Profiles: Virus, Spyware, file blocking & WildFire
   §  WildFire portal
   §  Logging and reporting for verification


Activity 6: URL Filtering

§  Scenario: Application control and URL filtering complement each other, providing you with the ability to deliver varied levels of control that are appropriate for your security profile.

§  Policy considerations: URL category access; which users can or cannot access the URL category, and prevention of malware propagation

§  PAN-OS features to be used:
   §  URL filtering category match
   §  Logging and reporting for verification


Activity 7: Traffic Reporting

§  Scenario: Define and generate traffic reports required by management

§  PAN-OS features to be used:
   §  Reporting (pre-defined)
      §  Top applications, threats, URL categories, etc.
   §  Manage custom reports
      §  Create a custom report using traffic stats logs


Activity 8: Systematically Manage Unknown Traffic (Demo)

§  Scenario: Investigate unknown traffic, determine risk level, implement appropriate policies

§  Policy considerations: Many internal applications – blocking all is unreasonable, may be a commercial application but no App-ID, or possible threat

§  PAN-OS features to highlight (Demo only):
   §  App-ID Unknown TCP/UDP
   §  Policy editor for unknown TCP/UDP – allow but scan
   §  App Override, custom App-ID
   §  Behavioral botnet report


Get Your Free AVR Report


• Request a free evaluation/AVR Report and get entered into today’s PA-200 drawing

• Wednesday, March 14, 2012

• Palo Alto Networks • 3300 Olcott Drive • Santa Clara, CA 95054 • Sales 866-207-0077 • www.paloaltonetworks.com

• And get entered into the Ultimate Grand Prize Drawing • A two-day all expense paid driving experience at the Audi Driving School in Seefeld/Tyrol Austria!


Thank You

© 2012 Palo Alto Networks. Proprietary and Confidential. Page 32 |