Firewall requirements to secure IPv6 networks – finished playing! LANCom seminar, Maribor Ides Vanneuville, Palo Alto Networks – Next-Generation firewall.

Presentation transcript:

Firewall requirements to secure IPv6 networks – finished playing! LANCom seminar, Maribor. Ides Vanneuville, Sr. Director Systems Engineering EMEA, Palo Alto Networks – Next-Generation firewall. © 2011 Palo Alto Networks. Proprietary and Confidential.

About Palo Alto Networks
Palo Alto Networks is the Network Security Company.
- World-class team with strong security and networking experience: founded in 2005, first customer July 2007, top-tier investors
- Builds next-generation firewalls that identify / control 1,300+ applications; restores the firewall as the core of enterprise network security infrastructure; innovations: App-ID™, User-ID™, Content-ID™
- Global momentum: 5,300+ customers
- August 2011: annual bookings run rate is over US$200 million*, cash-flow positive last five consecutive quarters
(*) Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks’ fiscal year runs from August 1st until July 31st.

2011 Magic Quadrant for Enterprise Network Firewalls. Please get a copy of the report from this link:

Applications Have Changed; Firewalls Have Not
Need to restore visibility and control in the firewall, BUT… applications have changed:
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
The firewall is the right place to enforce policy control: it sees all traffic, defines the trust boundary, and enables access via positive control.

Applications Carry Risk
- Applications can be “threats”: P2P file sharing, tunneling applications, anonymizers, media/video
- Applications carry threats: Qualys Top 20 Vulnerabilities – the majority result in application-level threats
- Applications & application-level threats result in major breaches – RSA, Comodo, FBI

Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks’ latest Application Usage & Risk Report highlights actual behavior of 1M+ users in 1253 organizations:
- More enterprise 2.0 application use for personal and business reasons
- Tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies & URL filtering – but none of these organizations could control what applications ran on their networks

Technology Sprawl & Creep Are Not The Answer
- “More stuff” doesn’t solve the problem
- Firewall “helpers” have limited view of traffic
- Complex and costly to buy and maintain
- Putting all of this in the same box is just slow

New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
The Right Answer: Make the Firewall Do Its Job

Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on (port-based FW + App Ctrl/IPS = two policies: traffic passes the port policy decision in the firewall, then a separate App Ctrl policy decision in the IPS)
- Applications are threats; only block what you expressly look for
- Implications: network access decision is made with no information; cannot safely enable applications
NGFW Application Control (application control is in the firewall = single policy: the application is identified, the policy decision is made on it, and the application is then scanned for threats)
- Visibility across all ports, for all traffic, all the time
- Implications: network access decision is made based on application identity; safely enable application usage

What You See… with Port-Based FW + Application Control Add-on

What You See with a True Next-Generation Firewall

Your Control With Port-based Firewall Add-on

Your Control With a Next-Generation Firewall
» The ever-expanding universe of applications, services and threats
» Traffic limited to approved business use cases based on App and User
» Attack surface reduced by orders of magnitude
» Complete threat library with no blind spots: bi-directional inspection; scans inside of SSL; scans inside compressed files; scans inside proxies and tunnels
Only allow the apps you need: safely enable the applications relevant to your business.

Transforming The Perimeter and Datacenter: same Next-Generation Firewall, different benefits… (perimeter vs. datacenter)

PAN-OS Core Firewall Features
Strong networking foundation
–Dynamic routing (BGP, OSPF, RIPv2)
–Tap mode – connect to SPAN port
–Virtual wire (“Layer 1”) for true transparent in-line deployment
–L2/L3 switching foundation
–Policy-based forwarding
VPN
–Site-to-site IPSec VPN
–SSL VPN
QoS traffic shaping
–Max/guaranteed and priority
–By user, app, interface, zone & more
–Real-time bandwidth monitor
Zone-based architecture
–All interfaces assigned to security zones for policy enforcement
High Availability
–Active/active, active/passive
–Configuration and session synchronization
–Path, link, and HA monitoring
Virtual Systems
–Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, and PA-2000 Series)
Simple, flexible management
–CLI, Web, Panorama, SNMP, Netflow, Syslog
Visibility and control of applications, users and content complement core firewall features.
Platforms: PA-200, PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060, PA-5020, PA-5050, PA-5060

IPv6 deployment options (datacenter, users and branch): Internet gateway, internal segmentation, datacenter protection, branch gateway, road warriors

IPv6 requirements for firewalls
Focus on dual-stack functionality on the data processing part
–Transparent for IPv4 and IPv6
Focus on networking functionality
–Native IPv6
–IPv4 to IPv6 to IPv4 gateway functionality
Focus on IPv6 services
–Native support for DNS, Syslog, NTP, RADIUS, LDAP, …

IP stack can change but… malware is the same

it’s time to fix the traditional IPv6 firewall

it’s time to fix malware protection !

the new attacker

the attacker is not a bored geek

nation states and organized crime

data breaches in 2011

step one: bait an end-user

step one: bait an end-user (spear phishing)

step two: exploit a vulnerability

step three: download a backdoor

step four: establish a back channel

step five: explore and steal

Why App, User and Content-ID?

Identification Technologies Transform the Firewall: App-ID™ – identify the application; User-ID™ – identify the user; Content-ID™ – scan the content

needs to work across all applications

Control known applications and block the unknown
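The two policy models of the “Why Visibility & Control Must Be In The Firewall” slide and the “control known applications and block the unknown” rule above, as an added worked example that is not Palo Alto Networks code: a toy policy engine decides on constructed flows first the way a port-based firewall does (open ports) and then the way an application-aware firewall with user identity does (application identified from payload, user looked up from source address, positive-control rules with an implicit deny). The payload signatures, the `USER_MAP` directory table and the rules are simplified illustrations for this example, not App-ID or User-ID internals.

```python
"""Port-based versus application-based policy decisions (added example)."""

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def identify_app(payload: bytes) -> str:
    """Classify a flow by the first bytes of its payload, ignoring the port entirely."""
    if payload[:2] == b"\x16\x03":                       # TLS handshake record, version 3.x
        return "ssl"
    if payload.startswith(b"SSH-"):                      # SSH identification string
        return "ssh"
    if payload.startswith(b"\x13BitTorrent protocol"):   # BitTorrent peer handshake
        return "bittorrent"
    if payload.split(b" ", 1)[0] in HTTP_METHODS and b" HTTP/1." in payload:
        return "http"
    return "unknown"                                     # anything else is explicitly unknown


# Constructed directory lookup (stand-in for a user-identification source): src IP -> (user, group)
USER_MAP = {
    "10.0.0.5": ("alice", "staff"),
    "10.0.0.7": ("bob", "admins"),
}

# Port-based firewall: the whole policy is a set of open destination ports.
ALLOWED_PORTS = {80, 443, 22}

# Application-aware firewall: rules are (groups, apps, action); first match wins,
# and anything unmatched, including "unknown", is denied (positive control).
APP_RULES = [
    ({"staff", "admins"}, {"http", "ssl"}, "allow"),
    ({"admins"}, {"ssh"}, "allow"),
]


def port_decision(dst_port: int) -> str:
    """Port-based verdict: no idea what the application or the user is."""
    return "allow" if dst_port in ALLOWED_PORTS else "deny"


def app_decision(src_ip: str, payload: bytes) -> tuple[str, str, str]:
    """Return (verdict, app, user) using application identity plus user group."""
    app = identify_app(payload)
    user, group = USER_MAP.get(src_ip, ("unknown-user", "none"))
    for groups, apps, action in APP_RULES:
        if group in groups and app in apps:
            return action, app, user
    return "deny", app, user


# Constructed flows: (description, src_ip, dst_port, first payload bytes)
FLOWS = [
    ("TLS on 443", "10.0.0.5", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("BitTorrent hidden on 443", "10.0.0.5", 443, b"\x13BitTorrent protocol\x00"),
    ("HTTP port-hopped to 8080", "10.0.0.5", 8080, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("SSH on 443 by staff", "10.0.0.5", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("SSH on 443 by admin", "10.0.0.7", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("unknown bytes on 80", "10.0.0.7", 80, b"\x00\x01\x02\x03\x04\x05"),
]


def compare(flows=FLOWS) -> list[dict]:
    """Run both policies over the flows; the column difference is the slide's point."""
    rows = []
    for desc, src, port, payload in flows:
        verdict, app, user = app_decision(src, payload)
        rows.append({"flow": desc, "port_based": port_decision(port),
                     "app": app, "user": user, "app_based": verdict})
    return rows


if __name__ == "__main__":
    for row in compare():
        print(f'{row["flow"]:28} port-based={row["port_based"]:5} '
              f'app={row["app"]:10} user={row["user"]:6} app-based={row["app_based"]}')
```

Running the block prints one row per flow. The port-based column allows the BitTorrent handshake, the staff SSH session and the unidentifiable bytes because they arrive on open ports, and denies legitimate HTTP that hopped to 8080; the application-based column inverts every one of those decisions because the rule lookup keys on what the traffic is and who sent it, with "unknown" never matching an allow rule.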

needs high-speed IPS and AV

The Strategic Role of Modern Malware: Infection → Escalation → Remote Control. Malware provides the internal foothold to control and expand a sustained attack.

Industry Challenges in Controlling Malware
Inability to recognize files as malware
–Targeted malware
–New and refreshed malware
–Long windows to protection
Infecting files are hidden inside applications
–Encrypted traffic, proxies
–Non-standard ports
–Drive-by-downloads
Unreliable enforcement
–Sandboxes lack enforcement, while enforcement points lack sandbox intelligence
–Lack of outbound traffic controls
–Lack of actionable information

exploit protection: many months pass between black-hat discovery, white-hat discovery, and protection being available

Introducing WildFire Architecture
–Unknown files from the Internet coming into the enterprise
–Firewall submits the file to the WildFire cloud
–Compare to known files; sandbox environment; signature generator
–New signatures delivered to ALL firewalls via regular threat updates
–Admin web portal provides malware forensics

solution has to be enterprise-wide

IPv6 firewall needs… continued
Seamless Next-Generation firewall operations across IPv6 and IPv4
–Application detection
–Interface with user directories and user-identification methods (e.g. captive portal, API, etc.)
–Content scanning and (SSL/SSH) decryption is seamless on both stacks
–Focus on IPv6 security specifics (e.g. IPv6 headers, DoS detection & prevention)
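The “IPv6 security specifics” bullet (IPv6 headers, DoS detection & prevention) is where a dual-stack firewall differs most from its IPv4 behaviour: before any application or user rule can be evaluated, the firewall has to walk the extension-header chain to find the upper-layer protocol, and that chain is itself something it must police. The following added example (not PAN-OS code) parses constructed raw IPv6 packets, returns what a policy engine needs (header chain, upper-layer protocol, its offset) and flags header abuses described in the RFCs: a hop-by-hop header that is not first (RFC 8200), a Type 0 routing header with segments left (deprecated by RFC 5095), a first fragment that does not carry the upper-layer header (RFC 8200 section 4.5), and a chain longer than a policy limit. `MAX_EXT_HEADERS`, the sample packets and the addresses are hypothetical values for this example, not PAN-OS settings.

```python
"""Walk an IPv6 extension-header chain before a policy decision (added example)."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, NO_NEXT = 0, 43, 44, 51, 60, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
UPPER_LAYER = {6: "tcp", 17: "udp", 58: "icmpv6"}
MAX_EXT_HEADERS = 3          # hypothetical policy limit for this example


def build_ipv6(payload: bytes, next_header: int) -> bytes:
    """Minimal 40-byte IPv6 fixed header with constructed documentation-prefix addresses."""
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


def ext_header(next_header: int, body: bytes) -> bytes:
    """Options-style extension header: next header, length in 8-octet units minus one, body."""
    body += b"\x00" * ((-(2 + len(body))) % 8)
    return bytes([next_header, (2 + len(body)) // 8 - 1]) + body


def parse_chain(packet: bytes) -> dict:
    """Return the extension-header chain, the upper-layer protocol and any policy findings."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", packet[4:6])[0]
    end = min(40 + payload_len, len(packet))
    nh, offset, chain, findings, first_frag = packet[6], 40, [], [], False
    while nh in EXT_HEADERS:
        if offset + 8 > end:
            findings.append("truncated extension header")
            break
        if nh == HOP_BY_HOP and chain:
            findings.append("hop-by-hop header not immediately after the fixed header (RFC 8200)")
        if nh == ROUTING and packet[offset + 2] == 0 and packet[offset + 3] > 0:
            findings.append("type 0 routing header with segments left (deprecated by RFC 5095)")
        chain.append(nh)
        if nh == FRAGMENT:                      # fixed 8 bytes: nh, reserved, offset/flags, id
            frag_field = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
            if frag_field >> 3:                 # non-first fragment: the chain lives in fragment 0
                return {"chain": chain, "upper_layer": "fragment",
                        "upper_offset": offset + 8, "findings": findings}
            first_frag = bool(frag_field & 1)   # M flag set on the first fragment
            hdr_len = 8
        elif nh == AH:                          # AH length is in 4-octet units minus two
            hdr_len = (packet[offset + 1] + 2) * 4
        else:
            hdr_len = (packet[offset + 1] + 1) * 8
        nh, offset = packet[offset], offset + hdr_len
    if len(chain) > MAX_EXT_HEADERS:
        findings.append(f"{len(chain)} extension headers exceed the policy limit of {MAX_EXT_HEADERS}")
    if nh in UPPER_LAYER and offset + 8 > end:
        findings.append("upper-layer header absent or truncated"
                        + (" in first fragment (RFC 8200 section 4.5)" if first_frag else ""))
    upper = UPPER_LAYER.get(nh, "none" if nh == NO_NEXT else f"proto-{nh}")
    return {"chain": chain, "upper_layer": upper, "upper_offset": offset, "findings": findings}


def evaluate(packet: bytes) -> tuple[str, dict]:
    """Deny before rule lookup when the header chain itself violates policy."""
    info = parse_chain(packet)
    return ("deny" if info["findings"] else "inspect"), info


# Constructed samples: a plain TCP SYN, an abusive header chain, a second fragment
# and a first fragment that omits its TCP header.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
PADN = b"\x01\x04\x00\x00\x00\x00"              # PadN option filling an 8-byte options header
RT0_ADDR = bytes.fromhex("20010db8" + "0" * 23 + "3")

GOOD_PKT = build_ipv6(TCP_SYN, 6)
BAD_PKT = build_ipv6(                            # hop-by-hop -> dst-opts -> RT0 -> dst-opts -> TCP
    ext_header(DEST_OPTS, PADN)
    + ext_header(ROUTING, PADN)
    + ext_header(DEST_OPTS, bytes([0, 1]) + b"\x00" * 4 + RT0_ADDR)
    + ext_header(6, PADN)
    + TCP_SYN,
    HOP_BY_HOP,
)
FRAG_PKT = build_ipv6(bytes([6, 0]) + struct.pack("!HI", 1 << 3, 0x12345678) + b"\x00" * 16, FRAGMENT)
TINY_FRAG = build_ipv6(bytes([6, 0]) + struct.pack("!HI", 1, 0x12345679), FRAGMENT)

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_PKT), ("bad", BAD_PKT), ("frag", FRAG_PKT), ("tiny", TINY_FRAG)]:
        verdict, info = evaluate(pkt)
        print(name, verdict, info["chain"], info["upper_layer"], info["findings"])
```

The parser returns `inspect` rather than `allow` for clean packets on purpose: a chain that passes these checks only means the firewall now knows which upper-layer header to hand to application identification and content scanning, exactly the dual-stack point the slides make. A non-first fragment is not itself a violation, so it is returned as `fragment` for reassembly instead of being denied.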

IPv6 firewall needs… continued
Secure connectivity
–SSL-VPN and IPsec for roaming users and branch offices
–Mix & match IPv6 and IPv4
Integrated security policy management for both IPv6 and IPv4
Integrated reporting and visualization of ‘events’

Summary
Need to ‘secure’ IPv6 networks and services
–IPv6 becomes more widespread…
Next-Generation firewall plays a very important role in ‘transitioning’ networks and managing both worlds
Go IPv6!! …… Go Palo Alto Networks NGFW!!

modern malware protection belongs in a next generation firewall

thank you