
Palo Alto Networks

Product Overview
Karsten Dindorp, Computerlinks
Applications Have Changed – Firewalls Have Not
(Figure labels: Collaboration / Media, SaaS, Personal)

• The gateway at the trust border is the right place to enforce policy control
  - Sees all traffic
  - Defines trust boundary

• But applications have changed
  - Ports ≠ Applications
  - IP addresses ≠ Users
  - Headers ≠ Content

Need to Restore Application Visibility & Control in the Firewall


Page 2 | © 2009 Palo Alto Networks. Proprietary and Confidential
Stateful Inspection Classification
The Common Foundation of Nearly All Firewalls

• Stateful Inspection classifies traffic by looking at the IP header
  - source IP
  - source port
  - destination IP
  - destination port
  - protocol
• Internal table creates mapping to well-known protocols/ports
  - HTTP = TCP port 80
  - SMTP = TCP port 25
  - SSL = TCP port 443
  - etc, etc, etc…
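As an added illustration (not code from the deck or from Palo Alto Networks), the following Python compares the port-table classification described above with a simplified look at the first client bytes of each flow; the Flow class, the byte patterns and the sample flows are assumptions constructed for the demo, not App-ID signatures.

```python
"""Port-table classification vs. payload-aware application identification.
Added example, not code from the Palo Alto Networks deck; flows are constructed
(RFC 5737 addresses) and the payload checks are simplified, not App-ID signatures."""
from dataclasses import dataclass

# The internal table the slide describes: well-known port -> assumed protocol.
PORT_TABLE = {80: "http", 25: "smtp", 443: "ssl"}
# TLS record header: content type 0x16 (handshake) followed by a 3.x version.
TLS_VERSIONS = (b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")

@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # transport protocol, "tcp" or "udp"
    payload: bytes   # first bytes the client sent on the flow

def classify_by_port(flow: Flow) -> str:
    """Stateful-inspection style: decide from the 5-tuple alone."""
    if flow.proto != "tcp":
        return "unknown"
    return PORT_TABLE.get(flow.dst_port, "unknown")

def classify_by_payload(flow: Flow) -> str:
    """App-ID style (simplified): decide from what is actually on the wire."""
    p = flow.payload
    if p.startswith(b"SSH-2.0"):
        return "ssh"
    if p[:1] == b"\x16" and p[1:3] in TLS_VERSIONS:
        return "ssl"
    if p.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def mismatches(flows):
    """Flows where the port table and the payload disagree: the visibility gap."""
    return [(f.dst_port, classify_by_port(f), classify_by_payload(f))
            for f in flows if classify_by_port(f) != classify_by_payload(f)]

# Constructed sample flows: one well-behaved, three that a port table misreads.
FLOWS = [
    Flow("192.0.2.10", 51000, "203.0.113.5", 80, "tcp", b"GET / HTTP/1.1\r\n"),
    Flow("192.0.2.10", 51001, "203.0.113.6", 443, "tcp", b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("192.0.2.10", 51002, "203.0.113.7", 8080, "tcp", b"POST /api HTTP/1.1\r\n"),
    Flow("192.0.2.10", 51003, "203.0.113.8", 80, "tcp", b"\x16\x03\x01\x00\xc8\x01\x00"),
]
```

Each tuple in `mismatches(FLOWS)` is a flow the port table would have labelled wrongly, which is exactly the gap the "Ports ≠ Applications" point refers to.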



Enterprise End Users Do What They Want
• The Application Usage & Risk Report from Palo Alto Networks highlights actual behavior of 960,000 users across 60 organizations:
- HTTP is the universal app protocol – 64% of BW, most HTTP apps not browser-based
- Video is king of the bandwidth hogs – 30x P2P filesharing
- Applications are the major unmanaged threat vector
• Business Risks: Productivity, Compliance, Operational Cost, Business Continuity and Data Loss



Firewall “Helpers” Are Not the Answer

• Complex to manage
• Expensive to buy and maintain
• Firewall “helpers” have limited view of traffic
• Ultimately, doesn’t solve the problem



The Right Answer: Make the Firewall Do Its Job

New Requirements for the Firewall

1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Scan application content in real-time (prevent threats and data leaks)
4. Granular visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation



Identification Technologies Transforming the Firewall

App-ID
Identify the application

User-ID
Identify the user

Content-ID
Scan the content



Purpose-Built Architectures (PA-4000 Series)
(Figure: PA-4000 block diagram, Control Plane and Data Plane, 10Gbps links between the blocks)

Control Plane
• Dedicated Control Plane (dual-core CPU, RAM, HDD)
• Highly available mgmt
• High speed logging and route updates

Data Plane
Signature Match HW Engine (Signature Match, RAM)
• Palo Alto Networks’ uniform signatures
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and other signatures

Multi-Core Security Processor (CPU 1, 2, 3 … 16, RAM; SSL, IPSec, De-Compression)
• High density processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)

10 Gig Network Processor (Route, ARP, MAC lookup, QoS, NAT)
• Front-end network processing offloads security processors
• Hardware accelerated QoS, route lookup, MAC lookup and NAT
PAN-OS Core Features

• Strong networking foundation:
  - Dynamic routing (OSPF, RIPv2)
  - Site-to-site IPSec VPN
  - SSL VPN
  - Tap mode – connect to SPAN port
  - Virtual wire (“Layer 1”) for true transparent in-line deployment
  - L2/L3 switching foundation

• QoS traffic shaping
  - Max, guaranteed and priority
  - By user, app, interface, zone, and more

• High Availability:
  - Active / passive
  - Configuration and session synchronization
  - Path, link, and HA monitoring

• Virtualization:
  - All interfaces (physical or logical) assigned to security zones
  - Establish multiple virtual systems to fully virtualize the device (PA-4000 & PA-2000 only)

• Intuitive and flexible management
  - CLI, Web, Panorama, SNMP, Syslog



Flexible Deployment Options

Application Visibility
• Connect to span port
• Provides application visibility without inline deployment

Transparent In-Line
• Deploy transparently behind existing firewall
• Provides application visibility & control without networking changes

Firewall Replacement
• Replace existing firewall
• Provides application and network-based visibility and control, consolidated policy, high performance



Palo Alto Networks Next-Gen Firewalls

PA-4060
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 4 XFP (10 Gig) I/O
• 4 SFP (1 Gig) I/O

PA-4050
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 16 copper gigabit
• 8 SFP interfaces

PA-4020
• 2 Gbps FW
• 2 Gbps threat prevention
• 500,000 sessions
• 16 copper gigabit
• 8 SFP interfaces

PA-2050
• 1 Gbps FW
• 500 Mbps threat prevention
• 250,000 sessions
• 16 copper gigabit
• 4 SFP interfaces

PA-2020
• 500 Mbps FW
• 200 Mbps threat prevention
• 125,000 sessions
• 12 copper gigabit
• 2 SFP interfaces

PA-500
• 250 Mbps FW
• 100 Mbps threat prevention
• 50,000 sessions
• 8 copper gigabit



PAN-OS 3.0 Summary of Features

• Networking
  - Quality of Service Enforcement
  - SSL VPN
  - IPv6 Firewall (Virtual Wire)
  - Multi-zone Rules
  - IPsec Multiple Phase 2 SAs
  - 802.3ad link aggregation
  - PA-2000 virtual systems licenses (+5)

• App-ID
  - Custom Web-based App-IDs
  - Custom App-ID Risk and Timeouts
  - CRL checking within SSL forward proxy

• Threat Prevention & URL Filtering
  - Dynamic URL Filtering DB
  - Increased signature capacity
  - Threat Exception List
  - CVE in Threat Profiles

• User Identification
  - Citrix/Terminal Server User ID
  - Proxy X-Forwarded-For Support

• Visibility and Reporting
  - User Activity Report

• Management
  - Automated Config Backup in Panorama
  - Role-based admins in Panorama
  - SNMP Enhancements
    - Custom community string
    - Extended MIB support
  - XML-based REST API
  - Ability to Duplicate Objects
  - Log Export Enhancements
    - Support for FTP
    - Scheduler
  - Custom Admin Login Banner
  - Web-based Tech Support Export
  - Database indexing
  - Configurable management I/O settings
Demo
