© 2007 Palo Alto Networks. Proprietary and Confidential Page 1 | Next Generation Firewalls Nir Zuk Founder and CTO.

About the Speaker
- 2005-today: Founder and CTO at Palo Alto Networks (Next Generation Firewall)
- CTO at NetScreen/Juniper
- Founder and CTO at OneSecure (world's first Network IPS)
- Principal Engineer at Check Point Software

Some Simple Questions
- Question #1: Who has a firewall?
- Question #2: What is your firewall doing? Your firewall is controlling access to your network? Really?

Is the Firewall Controlling Network Access?
Let's look at a typical enterprise server… No. These are only 10% of your servers; 90% of your servers are on end-user desktops (the slide's example is eMule, where the desktop client is also an eMule server).

Real Data – What's on Enterprise Networks
Application usage assessment of 60 enterprises
- 960,000 users
- Across verticals: financial services, health care, manufacturing, government, retail, education
Looks at:
- Real enterprise traffic
- How are networks being used?
- What applications are running on enterprise networks?
- Which applications are considered high-risk?
- What are the risks associated with the existing application mix?
- What threats are on enterprise networks?

6 Months Application Trends (chart, April to September)

Some Simple Questions
- Question #1: Who has a firewall?
- Question #2: What is your firewall doing? Your firewall is controlling access to your network? Really?
- Question #3: If you were me, how would you break into your network?

Applications Have Changed – Firewalls Have Not
The firewall is using port numbers and IP addresses to classify applications and identify users, BUT applications have changed:
- Ports ≠ Applications
- IP Addresses ≠ Users
Problem: IT can't safely enable Internet applications (collaboration/media, SaaS, personal), leaving IT blind to apps, users & content

2006 Time Magazine's Person of the Year
There is a direct relationship between Google, Yahoo, MSN, etc. and the end user

Can't IPS Block Applications?
Blocking applications, even if possible, is not the answer
- Yes, there are harmful applications that need to be blocked
- Many "Web 2.0" applications are useful
  - Enhancing productivity
  - Giving competitive advantage to the business
  - Employee retention and productivity
- Some applications are good but have bad features
IPS cannot:
- Explicitly allow good traffic (can only block bad traffic)
- Identify users
- Identify which feature within the application is being used

Can Proxies Block Applications?
- Proxies cannot run at multi-gig
- High latency
- Cannot support millions of concurrent connections
- Proxies only work for proxied applications
  - Cannot build a proxy for hundreds of modern applications
  - Break applications

HTTP: Universal Application Protocol
- HTTP is 64% of enterprise bandwidth
- Most HTTP traffic is client/server (54%) – proxies cannot deal with it
- Browser-based applications are 46% – some work with proxies and some don't
- Web browsing is 23%
(Chart: all HTTP applications, broken down into browser-based applications and web browsing)

Can Proxies Block Applications?
- Proxies cannot run at multi-gig
- High latency
- Cannot support millions of concurrent connections
- Proxies only work for proxied applications
  - Cannot build a proxy for hundreds of modern applications
  - Break applications
Oh… I almost forgot… proxies can be bypassed easily

Circumvention Tools Get Around Security
Users circumvent IT security controls:
- Public proxy services / private proxies at home
- Encrypted tunnels

Some Simple Questions
- Question #1: Who has a firewall?
- Question #2: What is your firewall doing? Your firewall is controlling access to your network? Really?
- Question #3: If you were me, how would you break into your network?
- Question #4: Which threats to your network worry you?

Network Threats: Today's Thinking
When talking about network threats, the following come to mind:
- Viruses
- Spyware
- Exploits/Intrusions
- Worms
- Bots
- Trojans
- Etc.
But these are not threats. These are technologies and mechanisms which carry threats.

Network Threats: The Real Threats
From the business's perspective, network-borne threats include:
- Data loss
- Productivity loss
- Increasing operations costs (e.g., helpdesk overload)
- Non-compliance with regulations
- Business continuity
- Bad PR
These threats can be introduced by viruses, spyware and exploits, but through other mechanisms as well.
Uncontrolled applications carry the risk of every threat in the list above.

Applications' Double Threat
Applications bring threats:
- Data loss
- Productivity loss
- Increasing operations costs (e.g., helpdesk overload)
- Non-compliance with regulations
- Business continuity
- Bad PR
Applications also carry traditional threat vectors:
- Viruses, Spyware, Exploits
When allowing an application to be used, its traffic needs to be secured:
- Scan for Viruses, Spyware, Exploits, Data Loss, etc.

The Traditional Approach to Network Security
(Diagram: corporate assets, WAN and Internet separated by a security perimeter, with one point product added for each threat as it appeared.)
Threats by year: Resource Access (1992), Eavesdropping (1994), Exploits (1996), Viruses (1997), Content Access (1998), Denial of Service (2000), IM Attacks (2002), Web App Attacks (2002), XML/W.S. Attacks (2004), Info Leakage (2005), Worms (2005), Spyware (2006)
Point products at the perimeter: IPSEC VPN, IPS, Anti-Virus, Content Filtering, DoS Protection, Anti-Spyware, Worm Mitigation, DLP/ILP, WebApp Security, IM Security, IDS, XML Security

The "UTM" Approach
(Diagram: four products stacked in one box, each with its own policy: Firewall Policy, URL Filtering Policy, IPS Policy, AV Policy. Each has its own decoder (HTTP decoder, IPS decoder, AV decoder & proxy) and its own signatures (URL, IPS, AV), and each repeats its own Port/Protocol-based ID and its own L2/L3 networking, HA, config management and reporting layer.)

May I suggest a better approach? Single-Pass Parallel Processing (SP3) Architecture
Single Pass
- Single processes for:
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning – threats, URLs, DLP, etc.
- One policy
Parallel Processing
- Function-specific hardware engines
- Multi-core security processing
- Separate data/control planes
Up to 10Gbps, low latency

Making Content-Scanning Network-Ready
- Stream-based, not file-based, for real-time performance
  - Dynamic reassembly
- Uniform signature engine scans for a broad range of threats in a single pass
- Threat detection covers vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)
(Timeline diagram: file-based scanning runs Buffer File, then Scan File, then Deliver Content in sequence; stream-based scanning runs ID Content, Scan Content and Deliver Content overlapped in time.)
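The file-based versus stream-based distinction above, as an added Python example that is not Palo Alto Networks' engine: a per-segment matcher that loses a signature split across two TCP segments, a stream scanner that carries over the last len(signature)-1 bytes of each flow (a minimal form of the "dynamic reassembly" the slide names) so the split signature is still found mid-flow, and the buffer a file-based scanner would need before it could give any verdict. The signature and the three segments are constructed for the illustration.

```python
# Constructed signature standing in for a real threat signature.
SIGNATURE = b"EVIL-SIG-TEST"


def scan_per_packet(segments, sig=SIGNATURE):
    """Naive matcher: each segment is scanned in isolation, so a signature
    that straddles a segment boundary is never seen."""
    return any(sig in seg for seg in segments)


class StreamScanner:
    """Per-flow scanner that keeps only the last len(sig)-1 bytes between
    segments: bounded memory per flow, yet a match spanning two segments is
    still detected, and the verdict is available as soon as it completes."""

    def __init__(self, sig=SIGNATURE):
        self.sig = sig
        self.tail = b""          # carry-over from the previous segment
        self.matched = False
        self.bytes_seen = 0

    def feed(self, segment):
        data = self.tail + segment
        if self.sig in data:
            self.matched = True
        keep = len(self.sig) - 1
        self.tail = data[-keep:] if keep > 0 else b""
        self.bytes_seen += len(segment)
        return self.matched


def scan_stream(segments, sig=SIGNATURE):
    """Stream-based scan: stop as soon as the verdict is known, without
    buffering the whole object."""
    scanner = StreamScanner(sig)
    for seg in segments:
        if scanner.feed(seg):
            return True
    return False


def file_based_buffer_needed(segments):
    """A file-based scanner must hold the entire object before scanning."""
    return sum(len(seg) for seg in segments)


# Constructed three-segment HTTP download; the signature straddles
# segments 1 and 2 ("EVIL-S" | "IG-TEST").
SEGMENTS = [b"HTTP/1.1 200 OK\r\n\r\n" + b"A" * 20 + b"EVIL-S",
            b"IG-TEST" + b"B" * 30,
            b"C" * 40]
```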

Next Generation Firewalls: Requirements
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access / functionality
4. Protect in real-time against threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation

Palo Alto Networks Next Generation Firewalls…
- Application identification (~800)
- User identification
- Granular visibility & control
- Real-time content security
- Multi-gigabit, low latency
- Transparent deployments
(Chart of performance by segment: PA-2000 Series for branch office / medium enterprise at 500Mb and 1Gb; PA-4000 Series for large enterprise at 2Gb and 10Gb.)

Identification Technologies Change the Game
- App-ID: identify the application
- User-ID: identify the user
- Content-ID: scan the content
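The "Ports ≠ Applications" point and requirement 1 (identify applications regardless of port), worked through as an added Python example that is not Palo Alto Networks' App-ID code: each flow gets a port-based label, as a port-only firewall rule would assign it, and a payload-based label from the first bytes the client sends, and the function at the end lists the flows where the two disagree. The signatures and sample flows are constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed payload signatures: each matches the first bytes a client
# sends, independent of the port the connection uses.
APP_SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    # TLS record header (type 0x16, version 3.x, 2-byte length) + ClientHello (0x01)
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
]

# What a port-based firewall assumes each destination port carries.
PORT_ASSUMPTIONS = {22: "ssh", 80: "http", 443: "tls", 8080: "http"}


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes sent by the client


def classify_by_port(flow):
    """Port-only classification: the label a legacy firewall rule applies."""
    return PORT_ASSUMPTIONS.get(flow.dst_port, "unknown")


def classify_by_payload(flow):
    """Content-based classification: first signature that matches wins."""
    for name, pattern in APP_SIGNATURES:
        if pattern.search(flow.payload):
            return name
    return "unknown"


def port_mismatches(flows):
    """Flows whose port label and payload label disagree: exactly the traffic
    a rule such as 'allow tcp/443' lets through under the wrong name."""
    return [(f.dst_port, classify_by_port(f), classify_by_payload(f))
            for f in flows if classify_by_port(f) != classify_by_payload(f)]


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),  # TLS on 443
    Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),                # SSH tunnelled over port 443
    Flow(80, b"\x13BitTorrent protocol" + b"\x00" * 8),   # P2P on the web port
    Flow(8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),  # HTTP on 8080
]
```

Only the mismatched flows change their label when the classifier looks at content; the policy decision (allow, block, scan) is still taken per application name, which is the point of identifying the application first.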

PAN-OS Features
Strong networking foundation:
- Flexible mix-and-match port configuration
  - Virtual wire ("L1") for true transparent in-line deployment
  - L2 with full VLAN support
  - L3 with NAT and dynamic routing (OSPF, RIP, etc.)
  - Tap mode – monitoring via SPAN port
- Site-to-site IPSec VPN
Zone-based architecture:
- All interfaces assigned to security zones for policy enforcement
High Availability:
- Configuration and session synchronization
- Path, link, and HA monitoring
- Active / passive
Virtual Systems:
- Establish multiple virtual firewalls in a single device
Intuitive and flexible management:
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content are complemented by core firewall features

Flexible Deployment Options
Application Visibility:
- Connect to SPAN port
- Provides application visibility without inline deployment
Transparent In-Line:
- Deploy transparently behind existing firewall
- Provides application visibility & control without networking changes
Firewall Replacement:
- Replace existing firewall
- Provides application and network-based visibility and control, consolidated policy, high performance

Purpose-Built Architecture: PA-4000 Series
Flash Matching HW Engine
- Palo Alto Networks' uniform signatures
- Multiple memory banks – memory bandwidth scales performance
Multi-Core Security Processor
- High-density processing for flexible security functionality
- Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Dedicated Control Plane
- Highly available management
- High-speed logging and route updates
10 Gig Network Processor
- Front-end network processing offloads security processors
- Hardware-accelerated QoS, route lookup, MAC lookup and NAT
(Block diagram: control plane with dual-core CPU, RAM and HDD; data plane with a 10Gbps network processor (QoS; route, ARP and MAC lookup; NAT), a flash matching engine with its own RAM, and security processors CPU 1 to CPU 16 with SSL, IPSec and decompression offload, interconnected at 10Gbps.)

Users Do What They Want… Which Presents Risk
Most users can employ any application they want
- Applications are evasive
- Proxies and encrypted tunnels are common
Applications carry risk
- Application behavior – threats, file transfer, etc.
- Business risk – compliance, data loss, business continuity, operational costs, productivity
Enterprise security and control infrastructure isn't keeping up
- Network security is more expensive, harder to manage, and less effective
IT needs to start thinking like the business

Thank You!