Anda di halaman 1dari 13

Palo Alto Networks

Product Overview
Karsten Dindorp, Computerlinks
Applications Have Changed Firewalls Have Not
Collaboration / Media
SaaS Personal
The gateway at the trust
border is the right place to
enforce policy control
Sees all traffic
Defines trust boundary

But applications have changed


Ports Applications
IP addresses Users
Headers Content

Need to Restore Application Visibility & Control in the Firewall


Page 2 | 2009 Palo Alto Networks. Proprietary and Confidential
Stateful Inspection Classification
The Common Foundation of Nearly All Firewalls

Stateful Inspection classifies traffic by looking at the IP header


- source IP
- source port
- destination IP
- destination port
- protocol
Internal table creates mapping to well-known protocols/ports
- HTTP = TCP port 80
- SMTP = TCP port 25
- SSL = TCP port 443
- etc, etc, etc

Page 3 | 2009 Palo Alto Networks. Proprietary and Confidential


Enterprise End Users Do What They Want
The Application Usage & Risk Report from Palo Alto Networks highlights actual behavior of 960,000
users across 60 organizations:
- HTTP is the universal app protocol 64% of BW, most HTTP apps not browser-based
- Video is king of the bandwidth hogs 30x P2P filesharing
- Applications are the major unmanaged threat vector
Business Risks: Productivity, Compliance, Operational Cost, Business Continuity and Data Loss

Page 4 | 2009 Palo Alto Networks. Proprietary and Confidential.


Firewall helpers Is Not The Answer

Internet

Complex to manage

Expensive to buy and maintain

Firewall helpers have limited view of traffic

Ultimately, doesnt solve the problem

Page 5 | 2009 Palo Alto Networks. Proprietary and Confidential


The Right Answer: Make the Firewall Do Its Job

New Requirements for the Firewall

1. Identify applications regardless of


port, protocol, evasive tactic or SSL

2. Identify users regardless of IP address

3. Scan application content in real-time


(prevent threats and data leaks)

4. Granular visibility and policy control


over application access / functionality

5. Multi-gigabit, in-line deployment with


no performance degradation

Page 6 | 2009 Palo Alto Networks. Proprietary and Confidential


Identification Technologies Transforming the Firewall

App-ID
Identify the application

User-ID
Identify the user

Content-ID
Scan the content

Page 7 | 2009 Palo Alto Networks. Proprietary and Confidential


Purpose-Built Architectures (PA-4000 Series)

RAM Signature Match HW Engine


RAM Palo Alto Networks uniform
Dedicated Control Plane Signature
signatures
Match RAM
Highly available mgmt Vulnerability exploits (IPS), virus,
High speed logging and RAM spyware, CC#, SSN, and other
route updates signatures
10Gbps

CPU CPU CPU . . CPU RAM Multi-Core Security Processor


RAM
Dual-core 1 2 3 16 RAM High density processing for flexible
RAM security functionality
CPU
De- Hardware-acceleration for
HDD SSL IPSec
Compression standardized complex functions (SSL,
IPSec, decompression)
10Gbps

Route, 10 Gig Network Processor


ARP, Front-end network processing offloads
QoS NAT
MAC security processors
lookup Hardware accelerated QoS, route
lookup, MAC lookup and NAT
Control Plane Data Plane
Page 8 | 2009 Palo Alto Networks. Proprietary and Confidential
PAN-OS Core Features
Strong networking High Availability:
foundation: - Active / passive
- Dynamic routing (OSPF, RIPv2) - Configuration and session
- Site-to-site IPSec VPN synchronization
- SSL VPN - Path, link, and HA monitoring
- Tap mode connect to SPAN port Virtualization:
- Virtual wire (Layer 1) for true - All interfaces (physical or logical)
transparent in-line deployment assigned to security zones
- L2/L3 switching foundation - Establish multiple virtual systems to
fully virtualized the device (PA-4000
QoS traffic shaping & PA-2000 only)
- Max, guaranteed and priority Intuitive and flexible
- By user, app, interface, zone, and management
more
- CLI, Web, Panorama, SNMP, Syslog

Page 9 | 2009 Palo Alto Networks. Proprietary and Confidential


Flexible Deployment Options
Application Visibility Transparent In-Line Firewall Replacement

Replace existing firewall


Deploy transparently behind existing
Connect to span port Provides application and network-
firewall
Provides application visibility based visibility and control,
Provides application visibility &
without inline deployment consolidated policy, high
control without networking changes
performance

Page 10 | 2008 Palo Alto Networks. Proprietary and Confidential.


Palo Alto Networks Next-Gen Firewalls

PA-4060 PA-4050 PA-4020


10 Gbps FW 10 Gbps FW 2 Gbps FW
5 Gbps threat prevention 5 Gbps threat prevention 2 Gbps threat prevention
2,000,000 sessions 2,000,000 sessions 500,000 sessions
4 XFP (10 Gig) I/O 16 copper gigabit 16 copper gigabit
4 SFP (1 Gig) I/O 8 SFP interfaces 8 SFP interfaces

PA-2050 PA-2020 PA-500


1 Gbps FW 500 Mbps FW 250 Mbps FW
500 Mbps threat prevention 200 Mbps threat prevention 100 Mbps threat prevention
250,000 sessions 125,000 sessions 50,000 sessions
16 copper gigabit 12 copper gigabit 8 copper gigabit
4 SFP interfaces 2 SFP interfaces

Page 11 | 2009 Palo Alto Networks. Proprietary and Confidential


PAN-OS 3.0 Summary of Features
Networking Visibility and Reporting
- Quality of Service Enforcement - User Activity Report
- SSL VPN Management
- IPv6 Firewall (Virtual Wire)
- Multi-zone Rules
- IPsec Multiple Phase 2 SAs
- Automated Config Backup in Panorama
- 802.3ad link aggregation
- Role-based admins in Panorama
- PA-2000 virtual systems licenses (+5)
- SNMP Enhancements
App-ID Custom community string

- Custom Web-based App-IDs Extended MIB support

- Custom App-ID Risk and Timeouts - XML-based REST API


- CRL checking within SSL forward proxy - Ability to Duplicate Objects

Threat Prevention & URL Filtering - Log Export Enhancements


Support for FTP
- Dynamic URL Filtering DB
Scheduler
- Increased signature capacity
- Custom Admin Login Banner
- Threat Exception List
- Web-based Tech Support Export
- CVE in Threat Profiles
- Database indexing
User Identification
- Configurable management I/O settings
- Citrix/Terminal Server User ID
-
Page 12 | Proxy X-Forwarded-For
2009 Support
Palo Alto Networks. Proprietary and Confidential
Demo

Page 13 | 2007
2009 Palo Alto Networks. Proprietary and Confidential