1. What Did You Do At School Today Junior?
Ethan West – Palo Alto Networks Systems Engineer
Every day, in homes around the world, parents ask their kids what they did in school. The common response is, “we painted pictures, did our math, reading or history assignments”. Rarely would the response be, we bypassed web filtering to view inappropriate content or we used BitTorrent to download the new Twilight movie. Yet that is what appears to be happening on grade school, middle and high school (K-12) networks. What did you do in school today Junior? summarizes network traffic assessments performed on K-12 networks conducted between January 2009 and February 2012.
Today, we are going to play a little game to test your knowledge of network application traffic. Keep score for yourself and will see how you do.
We will pose a Question, provide the answer, then provide some added insight into what the data means
The findings, based on live K-12 traffic, shows that student application usage is similar in pattern to those found on enterprise networks. Taken at first glance, the similarities are not interesting. However, when the user-base is comprised of teenagers or younger, then the similarities, combined with the level of sophisticated application usage make the general finding somewhat startling. The assumption is that enterprise users are given more leeway in which application they can use, and therefore there should be a greater difference between the two groups

2. 279 schools 1,000s of students 1,200+ applications 1 challenge
Methodology The data in this presentation is based on actual network traffic. It is not a survey.
Data is collected (with permission) as part of the Palo Alto Networks customer evaluation process where a Palo Alto Networks next-generation firewall is deployed to monitor network application traffic.
At the end of the evaluation, the customer receives a report that provides unprecedented insight into their network traffic, detailing the applications found, and their corresponding risks.
The traffic patterns observed are then summarized anonymously and used for trend analysis and reporting.

3. What do you really know about your network?

4. Frequency that external proxies were found on K-12 Networks?
75%
External proxies are those that would be used to bypass controls – not a BlueCoat or ISA – but a Phproxy, CGIProxy, or other….
The primary use case for an external proxy (private or a service from proxy.org) is to bypass filtering controls, which are commonplace in K-12 networks and are often driven by legislation. The analysis shows that the most popular private proxies were detected at nearly double the rate that they were detected on enterprise networks. This indicates that K-12 students are making a more concerted effort to bypass controls than enterprise employees
Frequency is defined as a single instance found on a network (n=279).

5. Frequency that external proxies were found on K-12 networks?
80%
There are two types of proxies that can be used for the purposes of bypassing security controls. The first is a private proxy, which the student will install on a machine at home, or somewhere outside of the K-12 network. The student will then browse to the external proxy as an unmonitored means to browse the web, free of any network controls.
The analysis found 28 different private proxy variants, not including HTTP proxy, which is typically deployed and endorsed by the school.
Excluding HTTP proxy from the discussion, external proxies were detected in 80% of the K-12 networks. An average of four proxy variants were found on each network.
The frequency of use in K-12 networks for the most popular variants was nearly double that of the enterprise environments.
The second proxy variant is a public proxy or a proxy service. These are merely implementations of proxy software applications (PHproxy, CGIproxy, Glype-Proxy) discussed above but their URL has been made public for others to use on websites such as Currently, there are several thousand public proxies listed and users can sign up for an update that notifies them of the new proxy sites made available on a daily basis.
In either of these two cases, the traffic looks like normal web browsing to most security products and this type of traffic is typically allowed. The result is that students are bypassing any control efforts, including threat inspection, exposing the school to unnecessary security and compliance risks.
A total of 28 different proxies were in use, with an average of 4 external proxies found on 80% of the 279 K12 networks.

6. Frequency that non-VPN related encrypted tunnels were found?
50%
Non-VPN related tunnels are considered to be applications such as Tor, Hamachi, or ultrasurf.
Most security professionals would agree that they do not belong on a K-12 network.
Frequency is defined as a single instance found on a network (n=279).

7. Frequency that non-VPN related encrypted tunnels were found?
42%
The findings show that 42% of the K-12 networks had 2 non-vpn related encrypted tunnel applications - SSH is excluded.
This is a bit high compared to the frequency of use in the enterprise sample where it is 30%
An average of 2 encrypted tunnel applications were found in 42% of the K12 networks.
SSH is excluded

8. Students will find a way…
Encrypted tunnels (Tor, UltraSurf, Hamachi) used to “hide”
External proxies commonly used to bypass URL filtering
There is a perception, accurate or otherwise, that application activity on a K-12 network would be very different than that of an enterprise network. The reason for this perception is that the users are children and tighter controls are implemented, when compared to enterprises, to safeguard the students.
The analysis showed that the perception of greater control is not necessarily true. The use of encrypted tunnels (non-VPN related) and remote access tools mimicked the usage patterns found in an enterprise environment. Frequency of use for the most popular external proxies, designed to expressly bypass controls, were nearly double the frequency found on enterprise networks.
Note that the frequency is based on a given application appearing on the university network – the number of users is a factor in frequency.
Remote access commonly used to evade controls; known as a cyber criminal target
Frequency is defined as a single instance found on a network (n=279).

9. 10% Percentage of total bandwidth consumed by
file transfer of all types
10%
Now lets talk a bit about filesharing and file transfer applications.
For purposes of definition, these applications include p2p, client server like FTP and browser-based (yousendit), or cloud/digital lockers (dropbox, box.net).

10. Percentage of total bandwidth consumed by file transfer of all types?9%
9% of all bandwidth is consumed by filesharing applications. Again, this seems high, given the controls supposedly in place in K-12 networks. 9% is the same amount that is consumed in the enterprise space.
P2P, browser-based and client-server filesharing applications consumed 9% of total bandwidth – roughly the same amount as viewed in the enterprise environments.

11. P2P Dwarfs All Other Filesharing Applications
While 9% is the total, a whopping 7.8% is P2P related. This is abnormally high, again, given the controls that they are supposed to have in place.
The solution of choice for moving big files…

12. 10 Average number of browser-based file sharing
applications found on each network? 10
The initial use case for browser-based filesharing was to bypass the file size limitations in with a mechanism that was as easy as file attachments. Previously, FTP may have been used, but it requires some technical acumen to use, and these new browser-based filesharing applications are point and click easy. YouSendit! allows a user to upload a file and a URL for the download is sent to the intended recipient.

13. Average number of browser-based filesharing applications found on each network?11
The analysis of browser-based filesharing applications on K-12 networks showed that total of 64 different browser-based file sharing applications were found, with an average of 11 variants were found on 95% of the K-12 networks.
Since 2008, the number of variants has steadily increased from 22 to 71 variants and these applications are found in 95% of the K-12 networks analyzed. Comparatively speaking, P2P filesharing was found on 90% of the participating K-12 schools and only 80% of the time across all organizations.
There were 64 browser-based filesharing variants found with an average of 11 discovered on 95% of the K-12 networks.

14. Browser-Based File Sharing: Two Use Cases
With at least 64 application variants, segmentation into different use cases has occurred with two clear cases emerging: productivity (education)-oriented or entertainment-oriented.
This slide shows the commonly used applications in terms of frequency of use and the percentage of browser-based file sharing bandwidth consumed. Both have a common set of business and security risks.
Business Risks include potential copyright violations and data loss/sharing – purposeful or otherwise. The same application that is useful to the user for sending large PowerPoint files is also potentially just as valuable for moving illegal music, movies or even large amounts of sensitive enterprise data. Several of the media focused browser-based filesharing applications discussed above have been found to be in violation of, or have been accused of, copyright violations. Some of the most highly publicized P2P-related data breaches were inadvertent, traced to either a misconfigured P2P client or other user error. Initially, browser-based filesharing applications dramatically reduced the risk of inadvertent sharing because the initial focus was a one-to-one distribution or a one-to-a few. As many of these offerings add clients and premium services, the risks increase. For example, the Dropbox client creates a folder on the Windows desktop that, by default, automatically synchronizes desktop folder to the cloud-based folder. If a proprietary file is dropped into the folder accidently, it is automatically shared with those who have folder permissions. The risks, while still lower than those associated with P2P, have increased in conjunction with the usage and should be addressed.
Security Risks include being a common source for malware and providing cybercriminals with an ideal infrastructure for cybercriminals and their malware. File transfer applications have long been associated with malware. Peer-to-peer file transfer applications, for example, have been notorious in this respect for years (Mariposa most recently), and malware has been using FTP for communication for an even longer period of time. Put another way, whatever mechanism that is used to electronically transfer files, is also commonly used to move malware, and browser-based file transfer applications are the latest front in this evolution. Browser-based filesharing applications have unique characteristics that make them uniquely suited for cybercriminals: they are Free and anonymous. Since these applications are typically free (or at least offer free versions), a cybercriminal can easily upload malware anonymously. Most services only require an address in order to use the service, so the cybercriminal can remain virtually untraceable simply by using a disposable address and a network anonymizer, a proxy or circumventor. Furthermore, the ease with which attackers can upload files means that they can easily and continually update and refresh their malware in order to stay ahead of traditional antivirus signatures. They are simple to use and trusted. A key reason for the popularity of browser-based filesharing applications is the fact that they make file transfers very easy. They are easily built into the browser or even the application tray of the operating system. This means that file transfers are almost as simple as clicking on a link, which vastly increases the opportunities for a target user to be lured into a dangerous spear-phishing click. Several of the offerings provide that enables folders and shared files to be embedded into web site while other application offerings include a developer API. They can automatically synchronize your folders. A common, though not universal feature of browser-based filesharing applications is the ability to regularly sync files or entire directories. This sort of capability is already being marketed as a method for delivering and updating applications. This functionality could easily benefit malicious applications just as much as approved ones. A key requirement for modern malware is to establish a method of command and control for the malware in which the attacker can direct the malware, update the program and extract data. An attacker could use this syncing ability to perform all of these functions under the cover of an approved application.
Browser-based filesharing use cases: entertainment or productivity. Both uses have a common set of business and security risks that organizations must address.

15. The number of applications using Port 80 (tcp/80) only?
250
The common perception is that Port 80 (tcp/80) is where all the traffic and all the problems are. This is just not true. In fact, out of 1,121 applications found in the US organizations observed, 48% of them do not use port 80 at all and those 534 applications are consuming 54% of the bandwidth.
This set of applications include a wide range of common applications such as 51 different remote access / remote management applications, as well as database applications. Remote access applications are commonly used by cybercriminals as a penetration vector. This is well documented by Verizon in their databreach report and also more recently, remote access tools were how Subway customers were had $3M stolen. Focus on port 80 only is a requirement – without a doubt, but too much focus would not be considered best-practices.

16. The number of applications using Port 80 (tcp/80) only?
278
The number of applications that ONLY use Port 80 is 278 or 26% of the 1,050 applications found on the participating K-12 networks.

17. Percentage of total bandwidth consumed by applications not using tcp/80?
40%
Up until now, we have discussed applications that are largely web-based or browser-based. Based on that discussion, you would think that those are the only apps on the network.
Based on the traffic observed, is the BW consumed by apps not on port 80 – business applications, back office, remote access- is the BW consumed higher or lower than 39%.

18. Percentage of total bandwidth consumed by applications not using tcp/80?
30%
On K-12 networks, applications that do not use port 80, ever, represent 30% of the bandwidth consumed - a bit lower than what was found on enterprise networks, but still representative of nearly 1/3 of the applications found.
30% of the total bandwidth is being consumed by (31% of the 1,050) applications that DO NOT USE port 80 at all. Ever.

19. Port 80 only security is shortsighted
The common perception is that Port 80 (tcp/80) is where all the traffic and all the problems are. This is just not true. Out of 1,050 applications found, 31% of them do not use port 80 at all and those applications are consuming 30% of the bandwidth.
This set of applications include a wide range of common applications such as remote access / remote management applications, as well as database applications. Remote access applications are commonly used by cybercriminals as a penetration vector. This is well documented by Verizon in their databreach report and also more recently, remote access tools were how Subway customers were had $3M stolen. Focus on port 80 only is a requirement – without a doubt, but too much focus would not be considered best-practices.
The common perception is that port 80 (tcp/80) is where all the traffic and all the problems are. An emphasis is an absolute requirement; but too much tcp/80 focus is shortsighted.

20. Junior’s application usage is sophisticated…
These are not our parents applications – usage patterns are on-par with those seen in the enterprise
Applications that can hide or mask activity are common
P2P, despite control efforts, is used heavily; browser-based filesharing is a hidden risk
Port 80 is used heavily, but too much focus is shortsighted and high risk

21. © 2012 Palo Alto Networks. Proprietary and Confidential.

22. Applications Have Changed, Firewalls Haven’t
The fundamental problem that we set out to solve is this: applications have changed, the firewall has not kept pace. And what we sometimes forget is that the firewall was designed to act as the security boundary for your network. It sees all traffic and enables access.
The evolution of the application landscape has not happened over night – although it has accelerated dramatically in recent years.
Antivirus applications began using port 80 as their avenue for updates back in AV is not a web application. The vendors did this to simplify access and better support their customers.
AOL instant messenger (AIM) used to prompt you with “Find an open port?” if it could not establish a connection.
BitTorrent, Skype both port hop and MS sharepoint uses a range of ports.
Finally, MS-Lync – the messaging component for MS live 365 requires port 443, 3478 (stun), 5223 and a range of ports between 20,000-45,000 and 50,000-59,999.
These are just a few examples of how applications have changed to mainly simplify access.
Think about it, if you’re an application developer, you want your application used – so you will do what is necessary to achieve that goal.
The ramifications of these changes result in an increase in business and security risks - applications act as (1) a threat vector ( delivering a video URL but is really malware) and (2) they are threat targets (SQL injection attacks), and (3) they act as the command and control/exfiltration avenue.
So while applications were rapidly evolving, port-based firewalls were stuck in the late 1990s – they did not keep pace. To try and address the problem, the industry’s response has been to sell more stuff!
Goals of this slide.
This slide establishes the problem: Firewalls have always been designed to be the security boundary. They have not kept pace with the application trends.
Use interesting examples that are not Facebook and Twitter to show that applications have changes firewalls have not.
Use examples of applications that may use evasive techniques to simplify use and in so doing, avoid detection.
Use applications that change state as added functions are used – they are hard for UTMS to identify, control and enable.
Network security policy is enforced at the firewall
Sees all traffic
Defines boundary
Enables access
Traditional firewalls don’t work any more

23. Technology Sprawl and Creep Aren’t the Answer
“More stuff” doesn’t solve the problem
Firewall “helpers” have limited view of traffic
Complex and costly to buy and maintain
Doesn’t address application “accessibility” features
UTM
Internet IM
DLP
IPS
Proxy
URL AV
Now…this is probably what your current network infrastructure looks like: Behind your port blocking firewall there is most likely a stand alone IPS, Quality of Service, URL Filtering, Data Leakage Prevention, Proxy, Antivirus, and maybe others…but our position is that sprawl is not the answer.
<Click to animate>
And bolting it all in one box, as UTM vendors have done, doesn’t work for several reasons:
UTMs are all stateful inspection based – it is part of the UTM definition: stateful inspection + IPS + AV as outlined by IDC around 10 years ago. In all UTMs, the port-based decision is made first – this cannot be changed. Then the application, IPS, AV, URL decisions are made sequentially using a silo-based scanning approach – but it is all still based on what the stateful inspection (port-based) decision was.
None of the information learned by the first scan is shared with the second, third or fourth. So ultimately, the decisions are either allow or deny – nothing in between.
Sheet metal integration merely puts everything in one box for the sole purpose of lowering costs – nothing more. Nothing has changed.
It’s all the same stuff just a lot slower and cheaper.
We believe that the firewall is STILL the ideal location to exert control over traffic flowing across the network. But we believe control needs to be based on the application identify, regardless of which port/ports it uses – and here’s why…
Explain why customers have deployed all of these devices – the control that once existed in the firewall has eroded over time. Added devices or scanning engines do not solve the problem.
UTMs exist for the sole purpose of consolidating devices to save money
UTMs suffer from performance issues, multiple policies, silo-based scanning, multiple databases, logs, etc
UTMs are all stateful inspection based – the all make their first decision on port.
This is not our value-add
Enterprise Network

24. More not always better…
© 2010 Palo Alto Networks. Proprietary and Confidential.

25. The Answer? A capable Next Gen Security Platform
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
We believe the firewall should be the traffic cop for your network.
Identify applications regardless of port, protocol, evasive tactic, or SSL encryption. The firewall needs to be able to decrypt SSL traffic across all ports, all the time.
Next, it needs to identify and control users, regardless of IP address, so that policies can be built around those users, and groups of users, by name.
Protect in real-time against known and unknown application-borne threats…
all while providing fine-grained visibility and policy control over application access and functionality.
And lastly, do all this with multi-gigabit, in-line deployment with no performance degradation and low latency.
These are the criteria we feel needs to be met in order for the firewall to be effective and practical today. 25 25 25

26. The Benefits of Classifying Traffic in the Firewall
Allow Facebook X
Firewall
App-ID
Policy Decision
Key Difference
Benefit
Single firewall policy
Less work, more secure. Administrative effort is reduced; potential reconciliation holes eliminated.
Positive control model
Allow by policy, all else is denied. It’s a firewall.
Single log database
Less work, more visibility. Policy decisions based on complete information.
Systematic management of unknowns
Less work, more secure. Quickly identify high risk traffic and systematically manage it.
We believe application enablement belongs in the FW, not in a secondary scanning process. And that is what we do with app-id.
In 2007 when we launched our first product, competitors dismissed the concept of application enablement. Now, many existing firewall vendors say, “we do what Palo Alto Networks does”, validating our direction set forth at that time.

27. Multi-Step Scanning Ramifications
300+ applications allowed*
Facebook allowed…what about the other 299 apps?
Policy Decision #1
Firewall
Allow port 80
Open ports to
allow the application
Policy Decision #2
App-Control Add-on
Applications
Allow Facebook
Key Difference
Ramifications
Two separate policies
More Work. Two policies = double the admin effort (data entry, mgmt, etc)
Possible security holes. No policy reconciliation tools to find potential holes
Two separate policy decisions
Weakens the FW deny all else premise. Applications allowed by port-based FW decision.
Two separate log databases
Less visibility with more effort. informed policy decisions require more effort , slows reaction time
No concept of unknown traffic
Increased risk. Unknown is found on every network = low volume, high risk
More work, less flexible. Significant effort to investigate; limited ability to manage if it is found.
Ramifications
Two separate policies: Two policies means double the admin effort (data entry, mgmt, etc). No policy reconciliation tools to look for potential security holes
Two separate policy decisions: Applications allowed by port decision weakens the FW deny all else premise
Two separate log databases: Visibility required to make more informed policy decisions is labor intensive, slows reaction time
No concept of unknown traffic: Unknown traffic – high risk and significant effort to investigate. Limited ability to manage unknown if it is found
In 2007 when we launched our first product, competitors dismissed the concept of application enablement. Now, many existing firewall vendors say, “we do what Palo Alto Networks does”, validating our direction set forth at that time.
In reality, there are some fundamental differences that cannot be overlooked, starting with the foundation of your existing firewalls. Stateful inspection makes all access control decisions based on port and protocol. This cannot be changed, yet it is easily bypassed by many of today’s applications. Existing firewall vendors try to address application enablement by adding application control features to their Stateful inspection firewall, much like they have done with IPS. There are several significant ramifications to this add-on approach.
Multiple policies with duplicate information increases management effort. A port-based firewall plus application control approach means you will need to build and manage firewall policy with source, destination, user, port, and action, etc. and an application control policy, with the same information adding application and action. If your organization is like most, then you likely have hundreds, even thousands of firewall rules. A multiple policy rulebase approach will not only increase administrative overhead – it may also increase both business and security risks unnecessarily. Palo Alto Networks uses a single, unified policy editor that allows you to use application, user and content as the basis for your secure enablement policies.
Systematic management of unknown traffic. Unknown traffic epitomizes the 80%-20% rule – it is a small amount of traffic on every network, but it is high risk. Unknown traffic can be a custom application, an unidentified commercial application, or a threat. Incumbent vendors have no way to systematically find and manage that unknown traffic. To be clear, all of the traffic is logged by the firewall, but the applications are logged separately and are a subset, making unknown traffic management nearly impossible. Blocking it all may cripple the business. Allowing it all is high risk. We categorize unknown traffic, which allows you to find internal applications and create a custom App-ID; do a PCAP for unidentified commercial applications and submit them for App-ID development; use the logging and reporting features to see if it is a threat. You are able to systematically manage unknown traffic down to a small, low risk amount – all based on policy.
Port-based ‘allow’ rule defeats ‘deny all’ premise. The always-on nature of port-based traffic classification, means your incumbent firewall will first need to open? the application default port controlling the application. To control Facebook, you need to allow tcp/80 or tcp/443. Based on the December 2011 Application Usage and Risk Report, you may be allowing 297 (25% of the average enterprise application mix) other applications that you may or may not want on the network. This means the strength of a default deny all policy is significantly weakened. As soon as traffic hits a Palo Alto Networks firewall, App-ID immediately identifies what the application is, across all ports, all the time. Access control decisions are made based on the application and default deny all can be maintained.
*Based on Palo Alto Networks Application Usage and Risk Report

28. Your Control With a Next-Generation Firewall
Safely enable the applications relevant to your business
Only allow the apps you need
Traffic limited to approved business use cases based on App and User
Attack surface reduced by orders of magnitude
Complete threat library with no blind spots
Bi-directional inspection
Scans inside of SSL
Scans inside compressed files
Scans inside proxies and tunnels
Control the Threat Vector
By first controlling which applications run on the network, organizations greatly reduce their attack surface
Control All Allowed Traffic With Industry Leading IPS
Identify and stop threats
Scan inside SSL and compressed content
Stop leaks of confidential data (e.g., credit card #)
The important takeway for the slide: When we use the full power of the Palo Alto Networks NGFW we can expand the conversation from one about point solutions to one about fundamentally changing the risk profile of the enterprise.
If someone is trying to shoot you, make yourself as small as possible!
The ever-expanding universe of applications, services and threats

29. Covering the entire Enterprise
Network location
Data center/ cloud
Enterprise perimeter
Distributed enterprise/BYOD
Next-Generation Firewall
Cybersecurity: IDS / IPS / APT
Web gateway
VPN
Panorama and M-100 appliance
PAN-OS™
Next-generation appliances
Physical: PA-200, PA-500,, PA-3000 Series, PA-5000 Series
WildFire: WF-500
Virtual: VM-Series
Subscription services
Threat Prevention
URL Filtering
GlobalProtect™
WildFire™
Use cases
Management system
Operating system

30. Addresses Three Key Business Problems
Safely Enable Applications
Identify more than 1,900 applications, regardless of port, protocol, encryption, or evasive tactic
Fine-grained control over applications/application functions (allow, deny, limit, scan, shape)
Addresses the key deficiencies of legacy firewall infrastructure
Systematic management of unknown applications
Prevent Threats
Stop a variety of known threats – exploits (by vulnerability), viruses, spyware
Detect and stop unknown threats with WildFire
Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
Enforce acceptable use policies on users for general web site browsing
Simplify Security Infrastructure
Put the firewall at the center of the network security infrastructure
Reduce complexity in architecture and operations

31. Magic Quadrant for Enterprise Network Firewalls
“Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward. It is assessed as a Leader, mostly because of its NGFW design, direction of the market along the NGFW path, consistent displacement of competitors, rapidly increasing revenue and market share, and market disruption that forces competitors in all quadrants to react.”
Gartner, February 2013
In this MQ Gartner is validating that the next-generation firewall has gone mainstream, stating "Advances in threats have driven mainstream firewall demand for next- generation firewall capabilities. Buyers should focus on the quality, not quantity, of the features and the R&D behind them."
With our placement in the upper right for the 2nd consecutive Gartner is validating that we are a leader in the enterprise FW market: "Palo Alto Networks continued through 2012 to generate the most firewall inquiries among Gartner customers by a significant margin. Palo Alto Networks was consistently on most NGFW competitive shortlists, and we observed high customer loyalty and satisfaction from early adopters."
We came to market in 2007 with an innovative, disruptive firewall solution and a singular focus on customers, which Gartner validates in the MQ: "Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward.”
As far as what not to say – stick to the script, do NOT:
1.  Put words in Gartner's mouth.
2.  Anticipate future MQ positions.
3.  Talk about other vendors.  We have plenty of strong stuff in the bullets below.

32. Customer Example: Huron Valley Schools
Problem
Students circumventing IT security controls with tools such as UltraSurf and TOR
No visibility into user behavior, application use
Existing firewall not keeping up
Rate of change in applications
Difficult to maintain content filter
Reaching throughput maximum
End of life
Solution / Results
PA-3000 Series deployed as primary enterprise firewall
Policy control by application and user
No longer struggle to keep up with new/changed applications
Improved performance
“Not only did the PA Series give us total control over all applications, we saw an increase in our Internet performance plus much easier administration.”
Case study:
Press release:
Garland Independent School District (ISD), one of the largest school districts in Texas, has replaced its outdated security infrastructure with the PA-4000 Series next-generation firewall. The district now enjoys an even more robust capability for protecting its students from an ever-increasing range of inappropriate content.
Garland ISD, comprising 65 schools and 57,000 students, is one of the largest in Texas. The district’s legacy security infrastructure made it increasingly difficult for its IT organization to manage and control application use. Importantly, Garland ISD needed granular visibility into proxy applications and anonymizers that enabled network users to circumvent security policy -- often at the expense of exposure to malware, viruses and unacceptable materials.
"Our students are our first concern, so when our former security infrastructure did not offer the application visibility and control we required to protect them from inappropriate content, we didn’t hesitate to make a change," said Neal Moss, Network Engineer for Garland Independent School District. "The PA-4000 Series greatly improved network and application performance while giving us instant, sustainable control over the applications and content our network."
Industry: K-12 Education
Statistics: School District in Oakland County supporting 9800 students across 15 schools.
© 2008 Palo Alto Networks. Proprietary and Confidential.