Scribd Logo
Importer

Bienvenue sur Scribd !

  • Palo Alto Networks Cust June 2009

    Transféré par

    Azzeddine Salem
    43 vues13 pages
    Palo Alto Networks Cust June 2009

    Copyright

    © © All Rights Reserved

    Formats disponibles

    PPT, PDF, TXT ou lisez en ligne sur Scribd

    Avez-vous trouvé ce document utile ?

    Ce contenu est-il inapproprié ?

    Signaler ce document
    Palo Alto Networks Cust June 2009

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme PPT, PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    43 vues13 pages

    Palo Alto Networks Cust June 2009

    Transféré par

    Azzeddine Salem
    Palo Alto Networks Cust June 2009

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme PPT, PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    sur 13

    Palo Alto Networks

    Product Overview
    Karsten Dindorp, Computerlinks
    Applications Have Changed Firewalls Have Not
    Collaboration / Media
    SaaS Personal
    The gateway at the trust
    border is the right place to
    enforce policy control
    Sees all traffic
    Defines trust boundary

    But applications have changed


    Ports Applications
    IP addresses Users
    Headers Content

    Need to Restore Application Visibility & Control in the Firewall


    Page 2 | 2009 Palo Alto Networks. Proprietary and Confidential
    Stateful Inspection Classification
    The Common Foundation of Nearly All Firewalls

    Stateful Inspection classifies traffic by looking at the IP header


    - source IP
    - source port
    - destination IP
    - destination port
    - protocol
    Internal table creates mapping to well-known protocols/ports
    - HTTP = TCP port 80
    - SMTP = TCP port 25
    - SSL = TCP port 443
    - etc, etc, etc

    Page 3 | 2009 Palo Alto Networks. Proprietary and Confidential


    Enterprise End Users Do What They Want
    The Application Usage & Risk Report from Palo Alto Networks highlights actual behavior of 960,000
    users across 60 organizations:
    - HTTP is the universal app protocol 64% of BW, most HTTP apps not browser-based
    - Video is king of the bandwidth hogs 30x P2P filesharing
    - Applications are the major unmanaged threat vector
    Business Risks: Productivity, Compliance, Operational Cost, Business Continuity and Data Loss

    Page 4 | 2009 Palo Alto Networks. Proprietary and Confidential.


    Firewall helpers Is Not The Answer

    Internet

    Complex to manage

    Expensive to buy and maintain

    Firewall helpers have limited view of traffic

    Ultimately, doesnt solve the problem

    Page 5 | 2009 Palo Alto Networks. Proprietary and Confidential


    The Right Answer: Make the Firewall Do Its Job

    New Requirements for the Firewall

    1. Identify applications regardless of


    port, protocol, evasive tactic or SSL

    2. Identify users regardless of IP address

    3. Scan application content in real-time


    (prevent threats and data leaks)

    4. Granular visibility and policy control


    over application access / functionality

    5. Multi-gigabit, in-line deployment with


    no performance degradation

    Page 6 | 2009 Palo Alto Networks. Proprietary and Confidential


    Identification Technologies Transforming the Firewall

    App-ID
    Identify the application

    User-ID
    Identify the user

    Content-ID
    Scan the content

    Page 7 | 2009 Palo Alto Networks. Proprietary and Confidential


    Purpose-Built Architectures (PA-4000 Series)

    RAM Signature Match HW Engine


    RAM Palo Alto Networks uniform
    Dedicated Control Plane Signature
    signatures
    Match RAM
    Highly available mgmt Vulnerability exploits (IPS), virus,
    High speed logging and RAM spyware, CC#, SSN, and other
    route updates signatures
    10Gbps

    CPU CPU CPU . . CPU RAM Multi-Core Security Processor


    RAM
    Dual-core 1 2 3 16 RAM High density processing for flexible
    RAM security functionality
    CPU
    De- Hardware-acceleration for
    HDD SSL IPSec
    Compression standardized complex functions (SSL,
    IPSec, decompression)
    10Gbps

    Route, 10 Gig Network Processor


    ARP, Front-end network processing offloads
    QoS NAT
    MAC security processors
    lookup Hardware accelerated QoS, route
    lookup, MAC lookup and NAT
    Control Plane Data Plane
    Page 8 | 2009 Palo Alto Networks. Proprietary and Confidential
    PAN-OS Core Features
    Strong networking High Availability:
    foundation: - Active / passive
    - Dynamic routing (OSPF, RIPv2) - Configuration and session
    - Site-to-site IPSec VPN synchronization
    - SSL VPN - Path, link, and HA monitoring
    - Tap mode connect to SPAN port Virtualization:
    - Virtual wire (Layer 1) for true - All interfaces (physical or logical)
    transparent in-line deployment assigned to security zones
    - L2/L3 switching foundation - Establish multiple virtual systems to
    fully virtualized the device (PA-4000
    QoS traffic shaping & PA-2000 only)
    - Max, guaranteed and priority Intuitive and flexible
    - By user, app, interface, zone, and management
    more
    - CLI, Web, Panorama, SNMP, Syslog

    Page 9 | 2009 Palo Alto Networks. Proprietary and Confidential


    Flexible Deployment Options
    Application Visibility Transparent In-Line Firewall Replacement

    Replace existing firewall


    Deploy transparently behind existing
    Connect to span port Provides application and network-
    firewall
    Provides application visibility based visibility and control,
    Provides application visibility &
    without inline deployment consolidated policy, high
    control without networking changes
    performance

    Page 10 | 2008 Palo Alto Networks. Proprietary and Confidential.


    Palo Alto Networks Next-Gen Firewalls

    PA-4060 PA-4050 PA-4020


    10 Gbps FW 10 Gbps FW 2 Gbps FW
    5 Gbps threat prevention 5 Gbps threat prevention 2 Gbps threat prevention
    2,000,000 sessions 2,000,000 sessions 500,000 sessions
    4 XFP (10 Gig) I/O 16 copper gigabit 16 copper gigabit
    4 SFP (1 Gig) I/O 8 SFP interfaces 8 SFP interfaces

    PA-2050 PA-2020 PA-500


    1 Gbps FW 500 Mbps FW 250 Mbps FW
    500 Mbps threat prevention 200 Mbps threat prevention 100 Mbps threat prevention
    250,000 sessions 125,000 sessions 50,000 sessions
    16 copper gigabit 12 copper gigabit 8 copper gigabit
    4 SFP interfaces 2 SFP interfaces

    Page 11 | 2009 Palo Alto Networks. Proprietary and Confidential


    PAN-OS 3.0 Summary of Features
    Networking Visibility and Reporting
    - Quality of Service Enforcement - User Activity Report
    - SSL VPN Management
    - IPv6 Firewall (Virtual Wire)
    - Multi-zone Rules
    - IPsec Multiple Phase 2 SAs
    - Automated Config Backup in Panorama
    - 802.3ad link aggregation
    - Role-based admins in Panorama
    - PA-2000 virtual systems licenses (+5)
    - SNMP Enhancements
    App-ID Custom community string

    - Custom Web-based App-IDs Extended MIB support

    - Custom App-ID Risk and Timeouts - XML-based REST API


    - CRL checking within SSL forward proxy - Ability to Duplicate Objects

    Threat Prevention & URL Filtering - Log Export Enhancements


    Support for FTP
    - Dynamic URL Filtering DB
    Scheduler
    - Increased signature capacity
    - Custom Admin Login Banner
    - Threat Exception List
    - Web-based Tech Support Export
    - CVE in Threat Profiles
    - Database indexing
    User Identification
    - Configurable management I/O settings
    - Citrix/Terminal Server User ID
    -
    Page 12 | Proxy X-Forwarded-For
    2009 Support
    Palo Alto Networks. Proprietary and Confidential
    Demo

    Page 13 | 2007
    2009 Palo Alto Networks. Proprietary and Confidential

    Vous aimerez peut-être aussi