
1 Migrating from Juniper to Palo Alto Networks

2 Agenda
 Overview
 Key Differences
 Key Reasons to Migrate
 Migration Best Practices
 Q&A
©2014, Palo Alto Networks. Confidential and Proprietary.

3 Applications Have Changed, Firewalls Haven’t
Network security policy is enforced at the firewall:
 Sees all traffic
 Defines the boundary
 Enables access
Traditional firewalls don’t work any more.

4 The Firewall as a Business Enablement Tool
 Applications: enablement begins with application classification by App-ID.
 Users: tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
 Content: scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.

5 Controlling Applications, Content and Users

6 Broad Range of Hardware Platforms
Firewall | Firewall throughput | Threat Prevention throughput | Ports | Session capacity
PA-7050 | System: 120 Gbps | System: 60 Gbps | 24 SFP+ (10 Gig), 48 SFP (1 Gig), 72 copper gigabit | 24,000,000
PA-7000-NPC | NPC: 20 Gbps | NPC: 10 Gbps | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 4,
PA-… | … Gbps | 10 Gbps | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 4,000,000
PA-… | … Gbps | 5 Gbps | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 2,000,000
PA-… | … Gbps | 2 Gbps | 8 SFP, 12 copper gigabit | 1,000,000
PA-… | … Gbps | 2 Gbps | 8 SFP, 12 copper gigabit | 500,000
PA-… | … Gbps | 1 Gbps | 8 SFP, 12 copper gigabit | 250,000
PA-… | … Gbps | 500 Mbps | 4 SFP, 16 copper gigabit | 250,000
PA-… | … Mbps | 250 Mbps | 8 copper gigabit | 125,000
PA-… | … Mbps | 100 Mbps | 8 copper gigabit | 64,000
PA-… | … Mbps | 50 Mbps | 4 copper gigabit | 64,000
(The model suffix and firewall-throughput figure of every row below the PA-7000-NPC did not survive in the transcript.)

7 Juniper SRX Overview
 SRX = Security services gateways; successor to the NetScreen/ScreenOS products.
 Uses JUNOS, a high-performance routing OS.
 Two platform families:
   Enterprise and datacenter (SRX1400 to SRX5800)
   Small, distributed enterprise (SRX100 to SRX650)
 AppSecure addresses next-generation firewall features:
   NGFW feature components added on top of stateful inspection
   AppTrack (visibility), AppFW (application firewall), AppQoS (QoS) and AppDoS (DoS)
   Application identification and control are performed after an initial port-based firewall decision is made.

8 AppSecure

9 Three Reasons to Migrate

10 Top 3 Reasons to Migrate
1. Context-based policy management
2. Positive control model
3. APT prevention

11 Context-based policy management
Diagram: the attributes the firewall can use for policy and logging on a single session. Example 1: source IP, destination IP, destination port tcp/443, URL category file-sharing, file type pdf, file name roadmap.pdf, user bjacobs, group prodmgmt, destination country canada, protocols SSL and HTTP, application slideshare, application function slideshare-uploading, 344 KB transferred. Example 2: URL category unknown, file name shipment.exe, destination country china.

12 Shared Context Highlights the Value of Integration
Diagram: Applications, Users and Content feed safe-enablement policies; reporting, logging, forensics and Panorama sit on top of apps, functions, users, IPS, AV, AS, malware, QoS, files and patterns.

13 Operational Efficiency: Unified Policy Control
Single policy for application, user and content (threat prevention):
 Users/User Groups
 Application
 Threat Prevention: Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, WildFire

14 AppSecure Management
AppSecure management challenges (different policy management components):
 Multiple management components required (Junos Space, CLI, STRM) = more work, less visibility and control, slower responsiveness
 User information is not natively integrated; it requires UAC + Pulse = more work, more devices and components to manage, less effective

15 Application Control in the Firewall
Diagram: one policy decision, made in the firewall with App-ID ("Allow Facebook"); positive control.
Key Difference | Benefit
Single firewall policy | Less work, more secure. Administrative effort is reduced; potential reconciliation holes eliminated.
Positive control model | Allow by policy, all else is denied. It’s a firewall.
Single log database | Less work, more visibility. Policy decisions based on complete information.
Systematically manage unknowns | Less work, more secure. Quickly identify high-risk traffic and systematically manage it.
Shared context | Less work, more secure. App, content and user are pervasive: visibility, policy control, logging, reporting.

16 Application Control as an Add-on
Diagram: two policy decisions. Decision #1, firewall: allow the tcp service on port 80 (open ports to allow the application). Decision #2, app-control add-on: allow Facebook. Facebook is allowed, but what about the other 299 apps?*
Key Difference | Ramifications
Two separate policies | More work: two policies, more admin effort. Possible security holes: no policy reconciliation tools.
Two separate policy decisions | Weakens the deny-all-else premise: applications are allowed by the firewall’s port decision.
Two separate log databases | Less visibility with more effort: informed policy decisions require more effort, slowing reaction time.
No concept of unknown traffic | Increased risk: unknown traffic is found on every network, low volume but high risk. More work, less flexible: significant effort to investigate, limited management.
No shared context | More work, less knowledge, slower reaction time: finding and correlating app, user and content requires significant effort.
*Based on the Palo Alto Networks Application Usage and Risk Report

17 A Unique Approach to Protecting your Network (APT protection)
 Scan ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface, and provide context for forensics.
 Prevent attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures.
 Detect zero-day malware and exploits using a public or private cloud, and automatically create signatures for the global customer base.

18 WildFire: Stopping the Unknowns
 10 Gbps advanced threat visibility and prevention on all traffic, all ports (web, SMB, etc.)
 Malware is run in the cloud with open internet access to discover C2 protocols, domains, URLs and staged malware downloads
 New malware signatures automatically created by WildFire and delivered to customers globally
 Stream-based malware engine performs ongoing in-line enforcement
 On-premises WildFire appliance available for additional data privacy
Diagram: the WildFire cloud (with an optional on-premises WildFire appliance) takes input from WildFire users, soak sites, sinkholes and 3rd-party sources, and produces anti-malware signatures, DNS intelligence, a malware URL database and anti-C2 signatures covering command-and-control, staged malware downloads, host identification and data exfiltration. Global intelligence and protection are delivered to all users.

19 Feb 2014: Continued Security Business Uncertainty
“The company could cut $200 million in annual operating costs and buy back $2.5 billion in stock immediately and an additional $1 billion in 2015, Elliott said in a presentation of its proposals. Juniper should also review its security and switching businesses to streamline products, and ‘focus on projects and areas where Juniper has clear competencies and the greatest risk-adjusted return on investment,’ Elliott said.”
Slide callout: security commitment?

20 Our next-generation enterprise security platform
Threat Intelligence Cloud:
 Gathers potential threats from network and endpoints
 Analyses and correlates threat intelligence
 Disseminates threat intelligence to network and endpoints
Next-Generation Firewall:
 Inspects all traffic
 Blocks known threats
 Sends unknowns to the cloud
 Extensible to mobile and virtual networks
Advanced Endpoint Protection:
 Inspects all processes and files
 Prevents both known and unknown exploits
 Integrates with the cloud to prevent known and unknown malware

21 Migration Best Practices From Consulting Services

22 Perceived Port/Protocol/IP Migration Challenges
 Cost (people and time): the perception of a heavy workload and a lot of tedious typing to migrate from your current configuration
 Risk: moving configurations can seem daunting and seem to involve a lot of risk
 Legacy policy: policies were originally created with a port/protocol/IP mindset and are not optimized for applications and users
 Lost history: many companies face “policy bloat” and “cruft” in their firewall configurations

23 Performing the Migration
An effective migration requires a combination of people, process and technology to migrate efficiently and effectively from legacy firewalls to Palo Alto Networks. This approach reduces potential risk and lowers cost.
 Migration tools can automate the routine conversion tasks, reducing effort (cost) and risk.
 Any migration should follow a proven methodology and process: audit, analyze, migrate, cutover.
 The engineers performing the task need knowledge of both the current platform and Palo Alto Networks.

24 The Spectrum of Conversion Options
Initial policy/object conversion options: many options exist when performing the initial conversion from IP/port/protocol to user/application-based policies. They form a spectrum, each with pros/cons and potential risk, running from less risk, lower effort and small reward to more risk, higher effort and big reward:
 Migrate objects and policies “as is”
 Policy/object “cleanup”
 Policy/object “cleanup” + move to application policies
 Migrate to user/application policies

25 Palo Alto Networks Firewall Migration Tool
 Web 2.0 application in a VMware image
 Parses configurations into a database backend with a web UI frontend
 Provides multiple options:
   Migrate objects and policies
   Migrate only used objects, or both used and unused objects
 Allows “in-place” editing of PAN-OS objects, services and policies prior to exporting
 Doesn’t replace the need for people with expertise in the current technology and PAN-OS
 Goal of the tool is 85+% policy migration automation

26 Migration Process - Walk Through
Migrate L4 to L4 (Phase I):
 Reduce the number of rules by combining similar ones, for example by destination address.
 Clean out all unused objects and all disabled rules.
 Change services for protocols other than TCP/UDP to Palo Alto Networks App-IDs. Examples: IKE, IPsec, GRE.
 Change services that rely on an ALG to App-IDs. Examples: FTP, SIP.
 Review and add all NAT rules. Where destination NAT is defined, check that the security policies match the destination zone after translation (PAN-OS evaluates security policy on the pre-NAT addresses but the post-NAT destination zone).

27 Example: Reducing Policy Rules
Due to the simplistic nature of the security rules, we can often combine many policies into one, especially if we can utilize App-ID.

28 Migration Process - Walk Through (Cont’d)
Migrate from L4 to L7 (Phase II):
 Put the migrated L4 policy on your Palo Alto Networks device and connect it to your network, either in-line (L3, L2, virtual wire) or off-line (TAP mode).
 From this moment the device classifies all the traffic on your network: it identifies all the applications and generates log entries for the application traffic.
 From the current logs we can extract the applications seen by each rule and start to swap L4 services for App-IDs without breaking anything.

29 Additional Migration Considerations
 Once services have been replaced by App-IDs, set the service to “application-default” or keep the previous port. If an application always uses the same port, restrict the rule to that port to reduce the surface on which the application is accepted.
 Control the unknown:
   From the logs, check for unknown traffic (the unknown-tcp, unknown-udp and unknown-p2p apps) and write custom App-ID signatures to identify your in-house apps. Use Application Override where needed.
   If URL filtering is active, check for the app web-browsing with URL category “unknown”. Create a proper custom App-ID so this traffic is identified as your custom app instead of web-browsing; this is more efficient.
   Block all remaining unknown traffic.
 Threat Prevention:
   Activate WildFire on the rules where the apps can transfer files (PE, PDF, Office, APK, JAR).
   Attach IPS/AV/anti-spyware profiles to your rules; use the migration tool to do it in bulk.
 User-ID:
   Integrate with your user repository to move from static IP addresses to users and groups, improving visibility and supporting mobility.
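The Phase II step on slides 28 and 29 (read the applications each L4 rule actually carried out of the traffic logs, swap the service for App-IDs, and flag unknown traffic for custom App-IDs) as an added worked example. This is not code from the presentation or from the migration tool; the CSV is a constructed sample that borrows a handful of PAN-OS traffic-log field names, and the STANDARD_PORTS table is an assumption standing in for the firewall’s own application database.

```python
"""Phase II helper: derive App-ID rules from traffic logged under the L4 policy.

Added example, not code from the presentation or the migration tool. Input is
a constructed CSV using a few PAN-OS traffic-log field names (rule, app, proto,
dport, category); a real export carries many more columns.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: traffic seen by three L4 rules after the Phase I cutover.
SAMPLE_LOG = """rule,app,proto,dport,category,bytes
allow-web-out,web-browsing,tcp,80,business-and-economy,20480
allow-web-out,ssl,tcp,443,business-and-economy,51200
allow-web-out,web-browsing,tcp,8080,unknown,4096
allow-web-out,slideshare-uploading,tcp,443,online-storage-and-backup,344000
allow-web-out,unknown-tcp,tcp,9443,,1024
allow-dns,dns,udp,53,,512
allow-dns,dns,tcp,53,,2048
allow-vpn,ike,udp,500,,2048
allow-vpn,ipsec-esp,ipsec,0,,81920
allow-vpn,unknown-udp,udp,4500,,256
"""
# App names PAN-OS assigns to traffic App-ID could not classify.
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp", "unknown-p2p"}
# Assumed standard ports for the apps in the sample. A real run takes these
# from the firewall's application database (what application-default enforces).
STANDARD_PORTS = {
    "web-browsing": {"tcp/80"}, "ssl": {"tcp/443"}, "slideshare-uploading": {"tcp/443"},
    "dns": {"udp/53", "tcp/53"}, "ike": {"udp/500"}, "ipsec-esp": {"ipsec/0"},
}


def parse_log(log_text):
    """One dict per record, with protocol and port joined into a 'proto/port' service."""
    return [{"rule": r["rule"], "app": r["app"], "category": r["category"],
             "service": f'{r["proto"]}/{r["dport"]}'}
            for r in csv.DictReader(io.StringIO(log_text))]


def propose_app_rules(log_text):
    """Per L4 rule: App-IDs it carried, the service to set, and what still needs work.

    The service becomes application-default only when every port the known apps
    were seen on is a standard port; otherwise the observed ports are kept so the
    swap from L4 services to App-IDs does not break anything.
    """
    by_rule = defaultdict(list)
    for rec in parse_log(log_text):
        by_rule[rec["rule"]].append(rec)
    proposals = {}
    for rule, recs in by_rule.items():
        known = [r for r in recs if r["app"] not in UNKNOWN_APPS]
        apps = sorted({r["app"] for r in known})
        seen = {r["service"] for r in known}
        standard = set().union(*(STANDARD_PORTS.get(a, set()) for a in apps))
        service = "application-default" if seen <= standard else sorted(seen)
        todo = set()
        for r in recs:
            if r["app"] in UNKNOWN_APPS:
                todo.add(f'{r["app"]} on {r["service"]}: custom App-ID or application override')
            elif r["app"] == "web-browsing" and r["category"] == "unknown":
                todo.add(f'web-browsing to unknown URL category on {r["service"]}: custom App-ID candidate')
        proposals[rule] = {"applications": apps, "service": service, "investigate": sorted(todo)}
    return proposals


def _fmt(items):
    """PAN-OS set syntax: one value bare, several values inside [ ... ]."""
    return items[0] if len(items) == 1 else "[ " + " ".join(items) + " ]"


def render_set_commands(proposals):
    """Render the proposals as PAN-OS configure-mode 'set' commands."""
    cmds = []
    for rule, p in sorted(proposals.items()):
        if not p["applications"]:
            continue  # only unknown traffic seen: identify it before tightening the rule
        if p["service"] == "application-default":
            svc = "application-default"
        else:
            names = []
            for s in p["service"]:
                proto, port = s.split("/")
                names.append(f"{proto}-{port}")
                cmds.append(f"set service {proto}-{port} protocol {proto} port {port}")
            svc = _fmt(names)
        cmds.append(f"set rulebase security rules {rule} application {_fmt(p['applications'])} service {svc}")
    return cmds


if __name__ == "__main__":
    proposals = propose_app_rules(SAMPLE_LOG)
    print("\n".join(render_set_commands(proposals)))
    print("\n".join(f"{rule}: {item}" for rule, p in sorted(proposals.items()) for item in p["investigate"]))
```

On the sample, allow-dns and allow-vpn tighten straight to application-default because every known app was seen only on its standard port; allow-web-out keeps explicit service objects for tcp/443, tcp/80 and tcp/8080 because web-browsing showed up on 8080, and the unknown-tcp flow on 9443 plus the web-browsing flow to an unknown URL category are reported as custom App-ID candidates rather than silently folded into the rule.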

30 Migration Tool - Juniper Caveats
 Objects in address books:
   Check whether an object is defined in several address books (there is one per zone). If the definitions are equal, import it only once.
   Check whether the IP address/port differs by zone. If it does, use different names to avoid duplicate-name errors.
 Policies and zones:
   Policies can be reduced simply because a PAN-OS rule can reference more than one zone, or the zone “any”. There is potential for significant rule reductions here.
   Customer example: 4,623 rules, a direct reduction by 3 only by working with zones.
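The Phase I conversion from slide 26 together with the address-book caveats from slide 30, as an added worked example on a constructed SRX fragment. This is not the presentation’s migration tool; it shows the mechanics on a few lines of Junos set syntax: per-zone address books are deduplicated (identical definitions imported once, same name with a different value renamed per zone), objects nothing references are dropped, junos-* services for non-TCP/UDP and ALG protocols become App-IDs with service application-default, and rules that differ only by destination are combined. The APP_ID_MAP table and the sample configuration are assumptions for this example, not a complete service table or a real customer config.

```python
"""SRX 'set' fragment -> PAN-OS set commands for the L4-to-L4 phase.
Added example, not the presentation's migration tool; the junos-* mapping
below is an assumption for this sample, not a complete service table.
"""
import re
from collections import OrderedDict

# Constructed SRX fragment (not a real customer configuration).
SRX_CONFIG = """
set security zones security-zone trust address-book address web-srv 10.1.1.10/32
set security zones security-zone dmz address-book address web-srv 10.1.1.10/32
set security zones security-zone dmz address-book address db-srv 10.1.2.20/32
set security zones security-zone trust address-book address db-srv 10.1.2.21/32
set security policies from-zone trust to-zone dmz policy web1 match source-address any
set security policies from-zone trust to-zone dmz policy web1 match destination-address web-srv
set security policies from-zone trust to-zone dmz policy web1 match application junos-http
set security policies from-zone trust to-zone dmz policy web1 then permit
set security policies from-zone trust to-zone dmz policy web2 match source-address any
set security policies from-zone trust to-zone dmz policy web2 match destination-address db-srv
set security policies from-zone trust to-zone dmz policy web2 match application junos-http
set security policies from-zone trust to-zone dmz policy web2 then permit
set security policies from-zone dmz to-zone untrust policy vpn match source-address web-srv
set security policies from-zone dmz to-zone untrust policy vpn match destination-address any
set security policies from-zone dmz to-zone untrust policy vpn match application junos-ike
set security policies from-zone dmz to-zone untrust policy vpn match application junos-ftp
set security policies from-zone dmz to-zone untrust policy vpn then permit
"""
ADDR_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.+)$")
# Non-TCP/UDP and ALG services that move to App-ID in Phase I (assumed subset).
# An unmapped junos-* service raises KeyError: keep it as an L4 service object by hand.
APP_ID_MAP = {"junos-http": "web-browsing", "junos-https": "ssl", "junos-ike": "ike",
              "junos-gre": "gre", "junos-ipsec-esp": "ipsec-esp", "junos-ftp": "ftp", "junos-sip": "sip"}
FIELD = {"source-address": "src", "destination-address": "dst", "application": "apps"}


def parse_srx(text):
    """Collect per-zone address books and policies from 'set' lines."""
    books, policies = {}, OrderedDict()
    for line in text.strip().splitlines():
        if m := ADDR_RE.match(line):
            zone, name, value = m.groups()
            books.setdefault(zone, {})[name] = value
        elif m := POLICY_RE.match(line):
            zfrom, zto, name, rest = m.groups()
            p = policies.setdefault(name, dict(zfrom=zfrom, zto=zto, src=[], dst=[], apps=[], action=None))
            w = rest.split()
            if w[0] == "match":
                p[FIELD[w[1]]].append(w[2])
            elif w[0] == "then":
                p["action"] = "allow" if w[1] == "permit" else "deny"
    return books, policies


def dedupe_addresses(books):
    """Identical objects across zone books import once; a name whose value differs
    by zone gets a zone suffix. Returns (objects, (zone, name) -> PAN-OS name)."""
    by_name = {}
    for zone, entries in books.items():
        for name, value in entries.items():
            by_name.setdefault(name, {})[zone] = value
    objects, names = {}, {}
    for name, per_zone in by_name.items():
        unique = len(set(per_zone.values())) == 1
        for zone, value in per_zone.items():
            pan = name if unique else f"{name}-{zone}"
            objects[pan], names[(zone, name)] = value, pan
    return objects, names


def convert(text):
    """Return (rules, used objects, unused object names)."""
    books, policies = parse_srx(text)
    objects, names = dedupe_addresses(books)
    rules, used = OrderedDict(), set()
    for name, p in policies.items():
        # SRX resolves source names in the from-zone book, destinations in the to-zone book.
        src = [a if a == "any" else names[(p["zfrom"], a)] for a in p["src"]]
        dst = [a if a == "any" else names[(p["zto"], a)] for a in p["dst"]]
        used.update(a for a in src + dst if a != "any")
        apps = sorted({APP_ID_MAP[a] for a in p["apps"]})
        # Rules equal in everything but destination are combined into one.
        key = (p["zfrom"], p["zto"], tuple(src), tuple(apps), p["action"])
        if key in rules:
            rules[key]["dst"] = sorted(set(rules[key]["dst"]) | set(dst))
        else:
            rules[key] = dict(name=name, zfrom=p["zfrom"], zto=p["zto"], src=src, dst=dst,
                              apps=apps, action=p["action"])
    return (list(rules.values()), {n: v for n, v in objects.items() if n in used},
            sorted(set(objects) - used))


def _fmt(items):
    return items[0] if len(items) == 1 else "[ " + " ".join(items) + " ]"


def render(text):
    """Emit PAN-OS configure-mode set commands for the converted objects and rules."""
    rules, objects, _ = convert(text)
    lines = [f"set address {n} ip-netmask {v}" for n, v in sorted(objects.items())]
    for r in rules:
        lines.append(f"set rulebase security rules {r['name']} from {r['zfrom']} to {r['zto']} "
                     f"source {_fmt(r['src'])} destination {_fmt(r['dst'])} application "
                     f"{_fmt(r['apps'])} service application-default action {r['action']}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(SRX_CONFIG)))
```

On the sample, web-srv is defined identically in the trust and dmz books and becomes one object, while db-srv resolves to different hosts per zone and is split into db-srv-trust and db-srv-dmz; db-srv-trust is never referenced and is reported as unused rather than imported. web1 and web2 collapse into one rule with two destinations. The merge key deliberately keeps the zone pair fixed: folding several from-zones into one rule (the slide 30 reduction) is only safe when the to-zone, addresses and applications are otherwise identical, because a rule from [ trust dmz ] to [ dmz untrust ] would also permit trust to untrust, which neither original policy allowed.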

31 Best Practices to Make Your Migration Successful
1. Align people, process and technology
2. Understand the conversion options and optimize policies (ports vs. apps)
3. Utilize the migration tool to automate conversion tasks (objects, rule base)
4. Validate accuracy and verify changes
5. Post-migration:
   Implement custom App-IDs
   Rule cleanup: use the “Highlight Unused Policies” feature to clean up after migration
   Enable additional security features (User-ID, Content-ID, WildFire, etc.)

32 Get Your Free AVR Report
Find out which applications and threats are on your network with a FREE assessment from Palo Alto Networks. Register today at:
Palo Alto Networks Application Visibility and Risk Report (AVR):
 Request an evaluation
 Place Palo Alto Networks inside your network
 We’ll tell you what applications and threats we see in your network!
