Vous êtes sur la page 1sur 4

SECURITY PLATFORM

NEXT-GENERATION

Palo Alto Networks Single-Pass Architecture:


Integrated, Prevention-Oriented Security
For many years, the goal of integrating threat prevention
services into the firewall has been pursued as a means
to alleviate the need for additional devices for functions
such as IPS, network antivirus, and more. The pursuit of
integrating threat prevention functions into the firewall
makes perfect sense, as the firewall is the cornerstone of
the security infrastructure

Current integration approaches carry a that plague previous integration attempts.


variety of labels deep inspection, unified As packets are processed, networking,
threat management (UTM), deep packet policy lookup, application and decod-
inspection, and others. These approaches ing, and signature matching for any and
share a common problem, which is all threats and content are performed
a lack of consistent and predictable only once. This significantly r educes the
performance when security services are amount of processing overhead required
enabled. Specifically, the base firewall to perform multiple functions in one
functions are capable of performing at security device. For content inspection
high throughput and low latency, but and threat prevention, the single-pass
when the added security functions are architecture uses a stream-based, uniform
enabled, performance decreases while signature matching engine. Instead of
latency increases. using separate engines and signature sets
(requiring multiple passes), and instead of
More importantly, these traditional
using proxies (requiring download prior
approaches to integration limit security
to scanning), the single-pass architecture
capability. This is because a sequence of
scans traffic for all signatures once
functions approach is inherently less flex-
avoiding the introduction of latency.
ible than one in which all functions share
information and enforcement mechanisms. Flexibility: The single-pass architecture
also supports superior security posture
The Palo Alto Networks Single-Pass
relative to traditional integration at-
Architecture addresses these performance
tempts. This is because the architecture
and flexibility challenges with a unique
performs full-stack inspection up-front,
single-pass approach to packet processing.
and then makes all resulting context avail-
Performance: By performing operations able to all security enforcement options
once per packet, the single-pass architec- (including threat prevention). This stands
ture eliminates many redundant functions in contrast to traditional integration

Palo Alto Networks | White Paper 1


approaches in which full context is not security. Integration if done well Flawed integration methodology:
shared between all enforcement options. simplifies security management, through Previous attempts to integrate security
fewer consoles and functional gaps, and functionality are based on simply collaps-
Implemented in a variety of form factors
provides more effective security coverage. ing multiple functions into one operating
(both physical and virtual), our next-gen-
system and chassis. This isnt integration;
eration firewalls based on Single-Pass Total cost of ownership: The cost of pur-
it is consolidation, and the difference
Architecture are the high-performance chasing separate devices for each security
is critical. Consolidation simply takes
foundation of a security platform that functional requirement, maintaining the
multiple products and stuffs them into a
stops modern threats. equipment, and operational costs all add
single device. In many cases, management
significantly to the total cost of own-
and hardware is still separate, but there
Key Benefits of Integrated Security ership. Integration if done well can
is an illusion of integration because the
It is important to point out that integrating significantly reduce these costs.
functionality is performed in one device.
key security functions into the firewall These are just a few of the more signifi- In other cases, the functions all run on
makes perfect sense, or put another way, cant integration benefits assuming that the same general-purpose CPU, draining
this is not integration for integrations sake. it is done well. If the benefits are so signifi- system resources with each additional
Integration will bring many benefits to any cant, the obvious question becomes: why function that is activated.
organization, and they are important to have the previous attempts failed?
consider when discussing the single-pass The benefits of integration cannot be
approach taken by Palo Alto Networks. achieved without addressing these glaring
Problems with Traditional Approaches to
issues.
Network complexity: Traditionally, every Integration
new security need resulted in a new security The traditional approach to integrating Palo Alto Networks Single-Pass
device to solve it. As the number of security security functions is largely flawed for Architecture
requirements increased, the number of two reasons:
While a seemingly trivial and obvious
devices deployed at key network junction
Flawed traffic classification: The tradi- approach, security software that looks
points increased to an unmanageable point.
tional approach to security integration is at traffic in a single pass is unique to the
There are no longer enough data ports, port
to add f unctions on top of a foundational Palo Alto Networks next-generation
mirrors, network taps, rack space, or power
firewall. This type of firewall classifies firewall. This approach to processing
to easily accept a
dditional devices into the
traffic by protocol and port number (e.g., traffic ensures that each particular task
network. Integration if done well starts
TCP/80), which is essentially meaning- is performed only once on a set of traffic.
to simplify the network.
less for todays applicaitons which often Key processing tasks are as follows:
Network performance: With every new use non-standard, non-unique, and/or
Networking and management
device, additional latency, throughput dynamically selected ports. All further se-
functionality: At the foundation of all traf-
chokepoints, routing issues, and more curity functionality is then based on this
fic processing is a common networking
are introduced. Integration if done well flawed initial traffic classification. This
foundation with a common management
can reduce network latency and the topic is covered f urther in other articles
structure.
number of chokepoints traffic must pass from Palo Alto Networks.
through.
Functional holes: There are several basic
pieces of information that are useful for Policy Engine
setting security policy, irrespective of the
function. These include: source user or IP
Data Filtering
address, application, application function,
URL category, port, protocol, and traffic Content-ID URL Filtering
Real-time Threat Prevention
destination. But each device or scanning
process acquires this information in
unique ways, or in many cases, is not capa-
Application Protocol Decoding
ble of acquiring some of the pieces. These
Application Protocol Detection
gaps and inconsistencies significantly and Decryption
impact security effectiveness. Integration App-ID
Application Signatures
if done well allows the information to Heuristics
be collected once and applied in a single,
flexible set of security policies.
Operational management: Managing the User-ID
complexity of a loosely interconnected
set of devices is not a simple task. Sep-
arate management systems, functional L2/L3 Networking, HA,
holes, unknown functional overlaps, and Cong Management, Reporting
network complexity all contribute to
costs and potentially ineffective network Figure 1: Single-Pass Architecture Traffic Flow

Palo Alto Networks | White Paper 2


User-ID: Maps IP addresses to (e.g., Ac- ownload the entire file before they can
d are the only two compression formats
tive Directory) users and users to groups scan the traffic, a stream-based engine that compress in blocks of data, instead
(roles) to enable visibility and policy scans traffic in real time, only reassem- of the entire file as one compressed
enforcement by user and group. bling packets as needed and only in very block. This is typically not a problem, as
small amounts. Second, unlike traditional these are the most common compression
App-ID: Combination of application sig-
approaches, all traffic can be scanned algorithms, and this is s upplemented with
natures, protocol d etection and decryp-
with a single engine, instead of multiple file type scanning and alerting, so that
tion, protocol decoding, and heuristics
scanning engines. other file types can be monitored and
to identify applications. This application
potentially blocked from traversing cer-
identification is carried through to the
Advantages/Disadvantages of a tain network segments or applications.
Content-ID functionality to scan and
Stream-Based Engine
inspect applications appropriate to their Keeping the goal of integration and
use, as well as to the policy engine. One detail that should not go without performance in mind, Palo Alto Networks
discussion is the advantages and disad- chose to implement a stream-based
Content-ID: Single hardware-accelerat- vantages of a stream-based scanning scanning engine.
ed signature matching engine that uses a engine versus a file proxy engine. The
uniform signature format to scan traffic benefits of a stream-based engine are Hardware Acceleration
for data (e.g., credit card numbers, Social straightforward:
Security numbers, and custom patterns) Implementations of Palo Alto Networks
and threats (e.g., vulnerability exploits Scalability: The stream-based engine single-pass architecture exist in both
IPS, viruses, and spyware), plus a URL requires significantly less memory and virtual and physical form factors. For
categorization engine to perform URL processing power since it doesnt need physical appliances, the single-pass archi-
filtering. to store the entire file while its down- tecture is accelerated by a purpose-built
loading prior to scanning. Think of 5,000 hardware architecture. That hardware
Policy engine: Based on the network- users simultaneously downloading 5,000 architecture is outlined briefly in this
ing, management, User-ID, App-ID, and different files and a file proxy trying to section.
Content-ID i nformation, the policy engine manage all of them it just doesnt work.
is able to use and enforce a single security One conventional belief that has been
A stream-based engine scans the file
policy to matching traffic. rendered obsolete is the notion that,
downloads as they pass through, which is
while firewalls can be hardware-accel-
a much more feasible approach to scan-
Scan it all, scan it once erated, application layer scanning for
ning large amounts of data.
content cannot. The main challenge
One of the key elements to the single-pass
Low latency: The stream-based engine with a ccelerating scanning in hardware
architecture is summed up accurately and
processes and forwards the file as it re- was due to the traditional architectural
succinctly with the phrase scan it all, scan
ceives it, scanning it with submillisecond approach described earlier proxying
it once.
latency unnoticed by the end user. File files and multiple scanning engines are
Common protocol decoding engine: A proxies, on the other hand, can introduce not conducive to hardware acceleration.
key component to the single-pass archi- latency into the 10s of seconds. The second challenge to accelerating
tecture is the use of a common protocol content scanning in hardware was that it
Common processing: Using a stream-
decoding engine that is used for all traffic. was often viewed as an afterthought and
based engine enables one processing
The decoding engine is used to pick apart was not architected into the hardware
engine for all traffic; whereas a file proxy
an application stream to determine what and software from the outset. With our
cannot scan for vulnerabilities and must
the different pieces are for example, single-pass architecture, we provide
therefore be part of a multi-pass ap-
where does a file transfer start and stop, hardware acceleration for each of the
proach.
what is the file type, when is the user major functionality blocks, as illustrated in
posting data versus downloading data, Key trade-offs with the stream-based the example of the PA-7080 architecture
and when is a command being executed. engine that should be considered: shown on the next page in figure 2:
All of this information is then used as the
SMTP/POP3/IMAP: Stream-based Network processing is based on
basis for scanning the content for files,
engines work very well for most appli- per-packet routing, flow lookup, stats
data, threats, and URLs. By p erforming
cations, but not for blocking viruses, counting, NAT, and similar functions
the content scanning task once, instead
spyware, or data over traditional email and is performed on dedicated network
of multiple times, significant processing
protocols, such as SMTP. While alerting processors.
power is saved, as this is one of the most
works well, without actually proxying the
processing-intensive tasks for a security User-ID, App-ID, and policy enforce-
connection, such blocking a ttachments
device to perform. ment. This occurs on multicore security
within an email m essage will often cause
processors with hardware acceleration
Stream-based signature engine: The use a continuous retransmission of the at-
for encryption, decryption, and decom-
of a stream-based engine replaces several tachment over SMTP. In addition, it is not
pression.
components commonly used in other possible to quarantine the email message.
solutions a file proxy for data, virus, and Usually, this is not a problem, as the email Signature Matching for Content-ID per-
spyware, a signature engine for vulner- server is already surrounded by one or forms the signature lookup via dedicated
ability exploits, and an HTTP decoder more layers of antivirus. FPGAs with dedicated memory.
for URL filtering. By using one common
The number of compressed formats that Management functionality is provided via
engine, two key benefits are realized.
can be scanned is limited to zip and gzip a dedicated control plane processor that
First, unlike file proxies that need to
(without password encryption), as these drives the configuration management,

Palo Alto Networks | White Paper 3


logging, and reporting without touching
data processing hardware.

Single-Pass vs. Multi-Pass Architecture


Comparison
The initial comparison to providing multiple
security functions in discrete devices is
obvious each one of the described blocks
in the single-pass architecture will be per-
formed by each device (assuming they can
perform all of the functions). The duplica-
tion of processing is staggering in this case.
Additionally, existing attempts to integrate
security functions into a single device are
often merely sheet metal integration, where
the networking and management functions
are integrated, but elements of traffic clas-
sification, protocol decoding, file proxying,
and signature matching are performed with
separate software and sometimes separate
hardware as well. Figure 3 below shows a
worst-case view of discrete devices with a Figure 2: PA-7080 Hardware Architecture
multi-pass approach:
The figure assumes that there are discrete
processing overhead, latency intro- into a single pass. However, most of
devices performing each function, which
duction, throughput degradation, and the heavy lifting, including file proxies,
results in multiple passes through the
operational costs to keep it all functioning. application decoding, signature engines,
networking layer, traffic classification,
Some basic cost saving has been achieved and policy enforcement are often still
decoders, signature engines, and policy
in that the networking layer and port/ separate functions with overhead that
tables. Each one of these passes generates
protocol identification are often collapsed competes for shared processing.
Conclusion
Back to the original question: why are
IPS Policy AV Policy
integrated security and a single-pass
architecture needed? As the number of
needed security functions continues to
increase, there are two options: add an-
URL Filtering Policy IPS Signatures AV Signatures
other security device or add a function to
an existing device. With the single-pass
architecture, Palo Alto Networks has
Firewall Policy HTTP Decoder IPS Decoder AV Decoder & Proxy made it possible to add a function to
a next-generation firewall, instead of
adding another security device, and in
Port/Protocol-based ID Port/Protocol-based ID Port/Protocol-based ID Port/Protocol-based ID such a way that the integrated approach
actually offers benefits and advantages
that discrete devices cannot. There will
L2/L3 Networking, HA, L2/L3 Networking, HA, L2/L3 Networking, HA, L2/L3 Networking, HA, still be a need for discrete devices in
Cong Management Cong Management Cong Management Cong Management specific cases where highly specialized
Reporting Reporting Reporting Reporting
functionality is required; but for the
majority of cases, integrated security is
Figure 3: Traffic flow for multi-pass architecture now a viable option.

4401 Great America Parkway 2015 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark
Santa Clara, CA 95054 of Palo Alto Networks. A list of our trademarks can be found at http://
Main: +1.408.753.4000 www.paloaltonetworks.com/company/trademarks.html. All other marks
Sales: +1.866.320.4788 mentioned herein may be trademarks of their respective companies.
Support: +1.866.898.9087 PAN_WP_SPA_092815

www.paloaltonetworks.com