
SRTY-6003 Securing the Edge

Palo Alto Platforms and Architecture


Cyber Attack and Palo Alto
Next-Generation Security Platform

• NGFW – Identifies the network traffic.
• Threat Intelligence Cloud – Correlates threats and gathers information from multiple sources (AutoFocus/WildFire).
• Advanced Endpoint Protection – Blocks malicious activity at the endpoint.
Next-Generation Security Platform
Development of Unified Threat Management

[Diagram: Internet → serial processing in the UTM, contrasted with the Palo Alto Networks Single-Pass Architecture]

Single pass:
Operations per packet:
• Traffic classification with App-ID
• User/group mapping
• Content scanning – threats, URLs, confidential data
One policy

Parallel processing:
• Function-specific parallel processing hardware engines
• Separate data/control planes
Palo Alto Networks Single-Pass Architecture
Palo Alto Networks Firewall Architecture
Control Plane | Management
Provides configuration, logging, and report functions on a separate processor, RAM, and hard drive

Signature Matching
Stream-based, uniform signature match including vulnerability exploits (IPS), virus, spyware, CC#, and SSN

Security Processing
High-density parallel processing for flexibility; hardware acceleration for standardized complex functions

Network Processing
Front-end network processing, hardware-accelerated per-packet route lookup, MAC lookup, and NAT

Can you imagine how much horsepower it takes to process regular expressions?
Zero Trust Model
The Zero Trust model is an alternative that assumes there is no default trust.

If a compromised host connects to your network, traditional egress security is not enough.

NEVER TRUST, ALWAYS VERIFY.


Threat Prevention Capabilities
Flow Logic of the Next-Generation Firewall

[Diagram: packet flow through the firewall, stage by stage]
Initial Packet Processing: Source Zone/Address/User-ID → Destination Zone → PBF/Forwarding Lookup → NAT Policy Evaluated
Pre-Policy: Security Check (Allowed Ports) → Session Created
Check for Application: Application Override Policy → App-ID/Content-ID Labeling → Decryption Policy (Encrypted Traffic)
Check Security Policy: Security Policy → Security Profiles
Post-Policy Processing: Re-Encrypt Traffic → NAT Policy Applied → Packet Forwarded
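The stage order in the flow-logic diagram, modelled as an added example (not code from the slides or from Palo Alto Networks): a toy single-pass walk through source/destination zone lookup, NAT evaluation, the allowed-ports check, App-ID, the application-aware security policy check with its profile, and finally NAT application and forwarding. Zones, routes, NAT and security rules, and the byte-pattern stand-in for App-ID are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    iface: str            # ingress interface
    payload: bytes = b""  # first bytes of the flow, used by the toy App-ID

# Every table below is constructed for this example; real PAN-OS rules are far richer.
ZONE_OF_IFACE = {"eth1": "trust", "eth2": "untrust"}
ROUTES = [("10.0.0.0/8", "eth1"), ("0.0.0.0/0", "eth2")]        # longest prefix first
NAT_RULES = [("untrust", "203.0.113.10", "10.0.0.5")]            # (src zone, original dst, translated dst)
SECURITY_RULES = [  # (from zone, to zone, dst port, application, action, security profile)
    ("untrust", "trust", 443, "ssl", "allow", "strict-av"),
    ("untrust", "trust", 443, "web-browsing", "deny", None),
]
APP_SIGNATURES = {b"\x16\x03": "ssl", b"GET ": "web-browsing"}   # stand-in for App-ID

def egress_zone(ip: str) -> str:
    """Forwarding lookup: the zone of the interface that routes toward ip."""
    for prefix, iface in ROUTES:
        if ipaddress.ip_address(ip) in ipaddress.ip_network(prefix):
            return ZONE_OF_IFACE[iface]
    raise LookupError(ip)

def process(pkt: Packet) -> dict:
    """Walk the slide's stages in order and record what each one decided."""
    trace = {}
    # 1. Initial packet processing: the source zone comes from the ingress interface.
    src_zone = ZONE_OF_IFACE[pkt.iface]
    # 2. Pre-policy: NAT is evaluated, not applied; the forwarding lookup (hence destination zone) uses the translated address.
    xlated = next((t for z, o, t in NAT_RULES if z == src_zone and o == pkt.dst_ip), pkt.dst_ip)
    dst_zone = egress_zone(xlated)
    trace.update(src_zone=src_zone, dst_zone=dst_zone, nat_to=xlated)
    # 3. Security check for allowed ports; a session is created only if one passes.
    if not any(r[:3] == (src_zone, dst_zone, pkt.dst_port) for r in SECURITY_RULES):
        trace["action"] = "drop (no rule for this zone pair and port)"
        return trace
    trace["session"] = "created"
    # 4. App-ID: classify the flow from its first payload bytes.
    trace["app"] = app = next((a for s, a in APP_SIGNATURES.items() if pkt.payload.startswith(s)), "unknown")
    # 5. Security policy re-checked with the application known; the security profile attaches here.
    match = next((r for r in SECURITY_RULES if r[:4] == (src_zone, dst_zone, pkt.dst_port, app)), None)
    trace["action"], trace["profile"] = (match[4], match[5]) if match else ("deny (no matching rule)", None)
    # 6. Post-policy: NAT is applied and the packet forwarded only when the policy allows it.
    if trace["action"] == "allow":
        trace["forwarded_to"] = xlated
    return trace
```

The returned trace shows why a TLS flow to the published address is allowed and forwarded to the translated host while plain HTTP on the same port is denied after App-ID identifies it, even though both pass the earlier port check.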
Security on Cloud
Hardware Platforms
• PA-200, PA-500, PA-2000 Series (EoS), PA-3000 Series, PA-4000 Series (EoS), PA-5000 Series, PA-7000 Series
• Nearly every feature is supported on every platform.
• Compare capacities at: https://www.paloaltonetworks.com/products/product-selection.html
Virtual Platforms – PAN-OS 7
• VM-100, VM-200, VM-300, and VM-1000
• Ideal for protecting virtualized data centers and “east-west” traffic
• RESTful APIs:
  • Integrate VMs with external orchestration and management tools
• Virtual Machine Monitoring:
  • Poll virtual machine inventory and changes, collecting data into tags
• Dynamic Address Groups:
  • Identify newly deployed machines with tags instead of static addresses
Virtual Platforms – PAN-OS 8.0
VM-Series Hypervisors
• VMware:
  • NSX: Install and manage firewalls on multiple ESXi servers.
  • ESXi: Integrates with external management systems
  • VMware vCloud Air: Protect your VMware-based public cloud
• Citrix NetScaler SDX
• Kernel-based Virtual Machine (KVM):
  • Linux-based virtualization and cloud-based initiatives
• Microsoft Hyper-V and Azure
• Amazon Web Services
Questions?