Insight. The Avatars of the Network Perimeter
Gabriel Nicolaescu, CISO & Security Architect, Concept Electronics
Agora Technology Conferences: “Securitate”, Bucharest, 18 November 2009
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines the trust boundary
• Need to restore visibility and control in the firewall
© 2009 Palo Alto Networks & Concept Electronics Proprietary and Confidential.
Application Control Efforts are Failing
• Palo Alto Networks’ Application Usage & Risk Report highlights the actual behavior of about 900,000 users across more than 60 organizations
- Applications are built for accessibility and used for complex B2B collaboration
- P2P and browser-based file sharing usage is rampant
- More and more business use of converged multimedia content delivery
- Tools that enable users to circumvent security are common
• Controls are failing – all of the organizations had firewalls, many had IPS, proxies and URL filtering
Next-Generation Firewall Agenda
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of dynamic IP address assignment
3. Fine-grained visibility and policy control over application access and functionality
4. Protect in real time against threats embedded across applications
5. Multi-gigabit in-line deployment with no performance degradation
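Requirement 1, identifying an application from what it sends rather than from the port it uses, can be shown with a small payload classifier. The Python below is an added illustration for this page and is not Palo Alto Networks’ App-ID code: the byte signatures, the port-to-application table and the sample flows are all constructed, and a real engine uses far richer protocol decoders, heuristics and SSL decryption on top of this idea.

```python
"""Port-independent application identification on a flow's first client payload.

Added illustration (not Palo Alto Networks code): the signatures are deliberately
minimal stand-ins for a real App-ID engine, and the flows below are constructed.
"""

# What a port-based (stateful inspection) firewall assumes from the destination port alone.
PORT_TO_APP = {22: "ssh", 25: "smtp", 80: "web-browsing", 443: "ssl", 6881: "bittorrent"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def identify_app(payload: bytes) -> str:
    """Classify a flow from its first client-to-server bytes, ignoring the port."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    # TLS record header: type 0x16 (handshake), major version 3, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    if payload.startswith(HTTP_METHODS):
        return "web-browsing"
    return "unknown"


def evaluate_flow(dst_port: int, payload: bytes) -> dict:
    """Compare the port-based guess with the payload-based identification."""
    port_app = PORT_TO_APP.get(dst_port, "unknown")
    real_app = identify_app(payload)
    return {
        "port": dst_port,
        "port_app": port_app,
        "real_app": real_app,
        # True when a port-based rule would have named (and allowed) the wrong application.
        "mismatch": real_app != "unknown" and real_app != port_app,
    }


def audit(flows):
    """Evaluate a list of (dst_port, first_payload) pairs."""
    return [evaluate_flow(port, payload) for port, payload in flows]


# Constructed sample flows: (destination port, first bytes sent by the client).
SAMPLE_FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32),  # truncated ClientHello
    (443, b"SSH-2.0-OpenSSH_5.3\r\n"),                      # SSH tunnelled through the "HTTPS" hole
    (80, b"\x13BitTorrent protocol" + b"\x00" * 8),           # P2P client hiding on the web port
    (8080, b"CONNECT mail.example:443 HTTP/1.1\r\n\r\n"),  # HTTP proxy request on a non-standard port
]

if __name__ == "__main__":
    for r in audit(SAMPLE_FLOWS):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"port {r['port']:>5}: port says {r['port_app']:<13} payload says {r['real_app']:<13} {flag}")
```

The third, fourth and fifth flows are the cases a port-based rule gets wrong: a rule that "allows HTTPS" passes the SSH session on 443, a rule that "allows web" passes the BitTorrent handshake on 80, and the proxy request on 8080 is simply invisible to a port table. The TLS check only recognises that a flow is SSL; which application rides inside it is exactly what the "decrypt and inspect SSL" policy response in this deck exists for.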
Palo Alto Networks Solution Overview
About Palo Alto Networks
• Founded in 2005 by security visionary Nir Zuk
• World class team with vast security experience, strong networking and technology expertise
• Builds innovative next generation firewalls that control more than 800 applications
• Named Gartner Cool Vendor in 2008
Palo Alto Networks Mature & Trusted Technology
Unique Technologies that Transform the Firewall
• App-ID: identify the application
• User-ID: identify the user
• Content-ID: scan the content
Enables Visibility Into Applications, Users, and Content
Core PAN-OS Platform Features
Visibility and control of applications, users and content are complemented by core firewall features
• Strong networking foundation
- Dynamic routing
- Site-to-site IPSec VPN
- SSL VPN for remote access
- Tap mode: connect to a SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2 / L3 switching foundation
• QoS traffic shaping
- Maximum / guaranteed and priority
- By user, application, interface, zone, and more
Platforms pictured: PA-4060, PA-4050, PA-4020, PA-2050, PA-2020, PA-500
Core PAN-OS Platform Features
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High availability
- Configuration and session synchronization
- Path, link, and HA monitoring
• Virtual systems
- Establish multiple virtual firewalls in a single device (PA-4000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Flexible Deployment Options
• Many work modes: Tap mode, Virtual Wire, Layer 2, Layer 3 with dynamic routing protocols.
• Protection mode matched to requirements: the network interfaces of one device can each operate in any of the supported modes.
• Security virtualization: VLAN interfaces in L2 and L3, virtual routers and virtual systems.
Flexible Deployment Options (Examples)
Visibility
• Application, user and content visibility without inline deployment
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering
Flexible Policy Control Responses
• Intuitive policy editor enables appropriate usage policies with flexible policy responses
- Allow or deny individual application usage
- Control applications by category, subcategory, technology or characteristic
- Proxy, decrypt and inspect SSL
- Allow or block certain application functions
- Allow based on a schedule policy
- Allow but apply IPS, scan for viruses and spyware
- Apply explicit traffic shaping (guaranteed, priority, maximum)
- Allow for certain users or groups within AD
- Control excessive web surfing
- Look for and alert on or block file or data transfer
• Consistent and secure local (on-device) and remote management interface: CLI, secure web-based and remote native application
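The responses listed above (allow or deny per application, per AD user or group, per schedule, with scan profiles applied on allow) combine with the zone-based architecture and with User-ID’s IP-to-user mapping into a rulebase that is evaluated top-down, first match wins. The Python below is an added illustration, not PAN-OS code or configuration: the rule fields, the logon events, the group membership and the flows are all constructed, and a real User-ID mapping comes from directory, agent or captive-portal sources rather than from a list in the program.

```python
"""Application-, user-, zone- and schedule-aware rulebase evaluation.

Added illustration (not PAN-OS code): rule fields, the logon events, the groups
and the flows are all constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Set, Tuple

# Constructed User-ID style logon events: (ISO timestamp, client IP, user).
# The last event shows DHCP handing 10.1.5.20 to a different user later in the day.
LOGON_EVENTS = [
    ("2009-11-18T08:55:00", "10.1.5.20", "CORP\\ana"),
    ("2009-11-18T09:10:00", "10.1.5.21", "CORP\\mihai"),
    ("2009-11-18T12:40:00", "10.1.5.20", "CORP\\dan"),
]
GROUPS = {"finance": {"CORP\\ana"}, "it-admins": {"CORP\\mihai"}}   # constructed AD groups


def user_for_ip(ip: str, at_iso: str) -> Optional[str]:
    """Most recent logon at or before the flow time wins, so a reassigned IP maps to the new user."""
    at = datetime.fromisoformat(at_iso)
    best = None
    for ts, event_ip, user in LOGON_EVENTS:
        t = datetime.fromisoformat(ts)
        if event_ip == ip and t <= at and (best is None or t > best[0]):
            best = (t, user)
    return best[1] if best else None


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    apps: Set[str]                                # App-ID names, never ports
    action: str                                   # "allow" or "deny"
    groups: Optional[Set[str]] = None             # None = any user
    hours: Optional[Tuple[time, time]] = None     # schedule window, None = always
    profiles: Tuple[str, ...] = ()                # Content-ID profiles applied on allow


RULEBASE = [  # evaluated top-down, first match wins
    Rule("admin-ssh", "trust", "untrust", {"ssh"}, "allow", groups={"it-admins"}),
    Rule("web-business-hours", "trust", "untrust", {"web-browsing", "ssl"}, "allow",
         hours=(time(8, 0), time(18, 0)), profiles=("antivirus", "anti-spyware", "vulnerability")),
    Rule("block-p2p", "trust", "untrust", {"bittorrent"}, "deny"),
    Rule("deny-all", "trust", "untrust", {"any"}, "deny"),   # explicit catch-all so the hit is logged
]


def rule_matches(rule: Rule, flow: dict, user: Optional[str], at: datetime) -> bool:
    if (rule.from_zone, rule.to_zone) != (flow["from_zone"], flow["to_zone"]):
        return False
    if "any" not in rule.apps and flow["app"] not in rule.apps:
        return False
    if rule.groups is not None and not any(user in GROUPS.get(g, set()) for g in rule.groups):
        return False
    if rule.hours is not None and not (rule.hours[0] <= at.time() < rule.hours[1]):
        return False
    return True


def decide(flow: dict, at_iso: str) -> dict:
    """Resolve the user behind the source IP, then walk the rulebase top-down."""
    at = datetime.fromisoformat(at_iso)
    user = user_for_ip(flow["src_ip"], at_iso)
    for rule in RULEBASE:
        if rule_matches(rule, flow, user, at):
            return {"rule": rule.name, "action": rule.action, "user": user, "profiles": rule.profiles}
    return {"rule": None, "action": "deny", "user": user, "profiles": ()}   # implicit inter-zone deny


def flow(src_ip: str, app: str, from_zone: str = "trust", to_zone: str = "untrust") -> dict:
    """Build a flow record; `app` is what App-ID identified, not a port."""
    return {"src_ip": src_ip, "app": app, "from_zone": from_zone, "to_zone": to_zone}


if __name__ == "__main__":
    for f, at in [(flow("10.1.5.21", "ssh"), "2009-11-18T09:30:00"),
                  (flow("10.1.5.20", "ssh"), "2009-11-18T09:30:00"),
                  (flow("10.1.5.20", "web-browsing"), "2009-11-18T09:30:00"),
                  (flow("10.1.5.20", "web-browsing"), "2009-11-18T20:00:00"),
                  (flow("10.1.5.20", "bittorrent"), "2009-11-18T13:00:00")]:
        d = decide(f, at)
        print(f"{at} {str(d['user']):<11} {f['app']:<13} -> {d['action']:<5} ({d['rule']})")
```

Two details carry the point of the deck: the rulebase never mentions a port, so BitTorrent on port 80 still hits `block-p2p`, and the same source IP resolves to a different user after the 12:40 logon, so a rule written for a group keeps working across DHCP reassignment. The explicit `deny-all` at the bottom exists so that the catch-all hit is logged with the user and application, not silently dropped.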
Enterprise Device and Policy Management
• Intuitive and flexible management
- Role-based administration enables delegation of tasks to the appropriate person
- CLI, Web, Panorama, SNMP, Syslog
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging, and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and the device UI
- Network-wide ACC/monitoring views, log collection, and reporting
• All interfaces work on the current configuration, avoiding sync issues