Palo Alto Networks Soc Ent Okt2009

  • 1. the changed enterprise has arrived ... and you need to get control of it! What is going on in the field of security and firewalls? Marcel Derksen, System Engineer, Northern Europe
  • 2. Our enterprise is changing. Driven by new generation of Internet-centric users. Giant social system - traditional boundaries have been eliminated. Built around communication, sharing, collaboration, group knowledge. Full, unrestricted access to everything on the Internet is a right. IT and business need to determine risk tolerance of Social Enterprise. [Diagram labels: Internet, Enterprise, Work Life, Home Life, Rewards, Risks]
  • 3. Enterprise applications take many forms What’s running on YOUR network?
  • 4. what we recently found on enterprise networks 484 total unique applications running on 60 large enterprises Application usage and Risk Report
  • 5. employees use them, but management is struggling. 73% - like to read and write blogs for business; 59% - use Instant Messaging at work; 53% - like Twitter for business and personal use; 52% - participate in online discussion forums at work; 52% - execs admit they’re important to business goals, success; 6% - but very few businesses deploy them widely today.
  • 6. business benefits of enterprise applications. Twitter – instant alerts on corporate news or information; Blogs – instant perspective and analysis on relevant issues; IM – instant communication with remote employees; Webex – instant meetings with customers in another city; Salesforce – instant update to sales data from any location; YouTube – instant distribution of product training videos; SharePoint – instant collaboration on complex projects. Better communication, collaboration, information exchange. Increased efficiency, lower cost, higher productivity for all.
  • 7. internal risks of enterprise applications. Data loss: unauthorized employee file transfer, data sharing. Non-compliance: using unapproved applications – IM, web mail in financial services. Operational cost overruns: excessive bandwidth consumption, desktop cleanup. Employee productivity loss: uncontrolled, excessive use of personal applications. Business continuity: malware or application vulnerability induced downtime.
  • 8. but employees are unconcerned about risks. 64% - understand some apps can result in data leakage; 33% - experienced security issues when using an app; 45% - did nothing when confronted with a security breach; 61% - feel more productive using internet apps. The inmates are running the asylum. 59% - admit these apps are completely uncontrolled. IT is losing control of applications, users, content. 48% - don’t know what apps are used by employees.
  • 9. summary of the social enterprise challenge for IT. Employees: driving exploding use of collaborative Internet applications; using an average of 6 different business and personal applications; ignoring policies and circumventing security controls to get them; unaware and unconcerned about data theft and potential threats; in control of the network – more users, more apps coming. IT: cannot see applications; cannot control applications; cannot identify specific users; cannot enforce effective policies; cannot manage the risk or rewards of these apps for the business.
  • 10. the underlying cause of the security problem. Firewalls should see and control applications, users, and threats ... but they only show you ports, protocols, and IP addresses – all meaningless!
  • 11. The current solving Internet Doesn’t solve the problem Firewall “helpers” have limited view of traffic Complex and costly to buy and maintain © 2009 Palo Alto Networks. Proprietary and Confidential. Page |
  • 12. enough! it’s time to fix the firewall! How to Make the Firewall Useful Again: 1. Identify applications regardless of port, protocol, evasive tactic or SSL; 2. Identify users regardless of IP address; 3. Identify and prevent potential threats associated with all high risk applications; 4. Granular policy-based control over applications, users, functionality; 5. Multi-gigabit, in-line deployment with no performance degradation.
  • 13. End of part 1. Marcel Derksen, System Engineer, Northern Europe
  • 14. Palo Alto Next Generation Firewalls. Marcel Derksen, System Engineer, Northern Europe
  • 15. enough! it’s time to fix the firewall! How to Make the Firewall Useful Again: 1. Identify applications regardless of port, protocol, evasive tactic or SSL; 2. Identify users regardless of IP address; 3. Identify and prevent potential threats associated with all high risk applications; 4. Granular policy-based control over applications, users, functionality; 5. Multi-gigabit, in-line deployment with no performance degradation.
  • 16. About Palo Alto Networks. Founded in 2005 by security visionary Nir Zuk. World class team with strong security and networking experience. Innovations: App-ID, User-ID, Content-ID. Builds next-generation firewalls that identify and control more than 900 applications; makes firewall strategic again. Global footprint: presence in 50+ countries, 24/7 support.
  • 17. Unique Technologies Transform the Firewall. App-ID: identify the application. User-ID: identify the user. Content-ID: scan the content.
  • 18. Purpose-Built Architecture: PA-4000 Series. Content Scanning HW Engine: Palo Alto Networks’ uniform signatures; multiple memory banks – memory bandwidth scales performance. Multi-Core Security Processor: high density processing for flexible security functionality; hardware-acceleration for standardized complex functions (SSL, IPSec, decompression). Dedicated Control Plane: highly available mgmt; high speed logging and route updates. 10 Gig Network Processor: front-end network processing offloads security processors; hardware accelerated QoS, route lookup, MAC lookup and NAT. [Diagram labels: Control Plane, Data Plane, 10Gbps, Dual-core CPU, RAM, HDD, CPU 1 ... CPU 16, SSL, IPSec, De-Compression, QoS, Route/ARP/MAC lookup, NAT, Content Scanning Engine]
  • 19. Enables Executive Visibility
  • 20. Palo Alto Networks-OS Features. Strong networking foundation: dynamic routing (OSPF, RIPv2); site-to-site IPSec VPN; SSL VPN for remote access; tap mode – connect to SPAN port; virtual wire (“Layer 1”) for true transparent in-line deployment; L2/L3 switching foundation. QoS traffic shaping: max/guaranteed and priority; by user, app, interface, zone, and more. Zone-based architecture: all interfaces assigned to security zones for policy enforcement. High Availability: active / passive; configuration and session synchronization; path, link, and HA monitoring. Virtual Systems: establish multiple virtual firewalls in a single device (PA-4000 Series only). Simple, flexible management: CLI, Web, Panorama, SNMP, Syslog. Visibility and control of applications, users and content are complemented by core firewall features. Models shown: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060.
  • 21. Flexible Deployment Options. Visibility: application, user and content visibility without inline deployment. Transparent In-Line: IPS with app visibility & control; consolidation of IPS & URL filtering. Firewall Replacement: firewall replacement with app visibility & control; firewall + IPS; firewall + IPS + URL filtering.
  • 22. you decide how much control is needed. Unprecedented level of application control: decrypt where appropriate; deny – even unknown applications; allow; allow but scan; allow certain users; allow certain functions; shape (QoS); … and various combinations of the above.
  • 23. next generation firewalls for everyone. [Chart labels: Performance; Remote Office / Medium Enterprise; Large Enterprise; PA-500; PA-2000 Series; PA-4000 Series]
  • 24. Leading Organizations Trust Palo Alto Networks. Financial Services; Government; Media / Entertainment / Retail; Service Providers / Services.
  • 25. Leading Organizations Trust Palo Alto Networks. Education; Mfg / High Tech / Energy; Healthcare; Industry.
  • 26. thank you! enough talking, show us 

Editor's Notes

  1. Internet coming in; enterprise apps moving out. Users right in the middle. Hard to define/manage a hard boundary. Users also in the middle of personal/professional life – internet is part of both. How do you control the boundary there? Your challenge – minimize risks/max rewards.
  2. 494 unique apps: 30 business apps; 44 file sharing apps (all types); 43 photo/video apps; 17 social networking; 45 IM.
  3. Now let's change gears and think positive… What if the firewall really did provide innovation? What would it look like? Based on what's really happening, here are 5 critical requirements. Networks exist to support apps – you need to see them. IP addresses are annoying – you need to know the user by name. Forget adding other threat prevention stuff – make the FW stop the damn threats! If you have this level of visibility, the policies you create will be effective and enforceable. At the end of the day, it must keep pace with your business – security stuff should not slow you down.