
© 2007 Palo Alto Networks. Proprietary and Confidential Page 1 | Next Generation Firewalls Nir Zuk Founder and CTO.

Presentation transcript:

1 Next Generation Firewalls. Nir Zuk, Founder and CTO

2 About the Speaker
- 2005-today: Founder and CTO at Palo Alto Networks (Next Generation Firewall)
- 2002-2005: CTO at NetScreen/Juniper
- 2000-2002: Founder and CTO at OneSecure (world's first network IPS)
- 1994-1999: Principal Engineer at Check Point Software

3 Some Simple Questions
- Question #1: Who has a firewall?
- Question #2: What is your firewall doing? Your firewall is controlling access to your network? Really?

4 Is the Firewall Controlling Network Access?
- Let's look at a typical enterprise server... No. These are only 10% of your servers.
- 90% of your servers are on end-user desktops.
(Diagram labels: eMule, eMule Server)

5 Real Data: What's on Enterprise Networks
- Application usage assessment of 60 enterprises
  - 960,000 users
  - Across verticals: financial services, health care, manufacturing, government, retail, education
- Looks at
  - Real enterprise traffic
  - How are networks being used?
  - What applications are running on enterprise networks?
  - Which applications are considered high-risk?
  - What are the risks associated with the existing application mix?
  - What threats are on enterprise networks?

6 6-Month Application Trends
(Chart comparing April and Sept.)

7 Some Simple Questions
- Question #1: Who has a firewall?
- Question #2: What is your firewall doing? Your firewall is controlling access to your network? Really?
- Question #3: If you were me, how'd you break into your network?

8 Applications Have Changed; Firewalls Have Not
- The firewall is using port numbers and IP addresses to classify applications and identify users
- BUT... applications have changed
  - Ports ≠ Applications
  - IP Addresses ≠ Users
- Problem: IT can't safely enable Internet applications, leaving IT blind to apps, users and content
(Diagram application categories: Collaboration / Media, SaaS, Personal)
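The "Ports ≠ Applications" point above, shown on constructed sample flows (added example, not from the presentation): a port table assigns each flow the application its port implies, while a content classifier looks at the first payload bytes instead. The signatures and flows are simplified illustrations, not Palo Alto Networks' App-ID.

```python
"""Port-based vs. content-based application identification (constructed example)."""
import re

# Constructed sample flows: (destination port, first payload bytes) as a firewall sees them.
SAMPLE_FLOWS = [
    (80,   b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (443,  b"SSH-2.0-OpenSSH_7.4\r\n"),                        # SSH hiding on the HTTPS port
    (8080, b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\n"),  # HTTP on a non-standard port
    (443,  b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),    # TLS ClientHello, as expected on 443
    (22,   b"GET /status HTTP/1.0\r\n\r\n"),                    # HTTP squatting on the SSH port
]

# Legacy firewall view: the port number *is* the application.
PORT_TABLE = {80: "web-browsing", 443: "ssl", 22: "ssh"}

# Content view: decide from what the bytes look like, whatever the port (toy signatures).
APP_SIGNATURES = [
    ("web-browsing", re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")),
    ("ssh",          re.compile(rb"^SSH-2\.0-")),
    ("ssl",          re.compile(rb"^\x16\x03[\x00-\x03]")),   # TLS handshake record header
]

def classify_by_port(port, payload):
    """Application label a port/protocol-based firewall would assign."""
    return PORT_TABLE.get(port, "unknown")

def classify_by_content(port, payload):
    """Application label derived from the payload; the port is ignored on purpose."""
    for name, pattern in APP_SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown"

def compare(flows=SAMPLE_FLOWS):
    """Return [(port, port_based_app, content_based_app)] plus the number of disagreements."""
    rows = [(p, classify_by_port(p, d), classify_by_content(p, d)) for p, d in flows]
    disagreements = sum(1 for _, by_port, by_content in rows if by_port != by_content)
    return rows, disagreements
```

On the five sample flows the two views disagree three times: the port table is wrong (or blind) exactly for the evasive flows.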

9 2006 Time Magazine's Person of the Year
- There is a direct relationship between Google, Yahoo, MSN, etc. and the end user

10 Can't IPS Block Applications?
- Blocking applications, even if possible, is not the answer
- Yes, there are harmful applications that need to be blocked
- Many "Web 2.0" applications are useful
  - Enhancing productivity
  - Giving competitive advantage to the business
  - Employee retention and productivity
- Some applications are good but have bad features
- IPS cannot
  - Explicitly allow good traffic (can only block bad traffic)
  - Identify users
  - Identify which feature within the application is being used

11 Can Proxies Block Applications?
- Proxies cannot run at multi-gigabit speeds
  - High latency
  - Cannot support millions of concurrent connections
- Proxies only work for proxied applications
  - Cannot build a proxy for hundreds of modern applications
  - Break applications

12 HTTP: Universal Application Protocol
- HTTP is 64% of enterprise bandwidth
- Most HTTP traffic is client/server (54%); proxies cannot deal with it
- Browser-based applications are 46%; some work with proxies and some don't
- Web browsing is 23%
(Chart: All HTTP Applications, Web Browsing, Browser-based Applications)

13 Can Proxies Block Applications?
- Proxies cannot run at multi-gigabit speeds
  - High latency
  - Cannot support millions of concurrent connections
- Proxies only work for proxied applications
  - Cannot build a proxy for hundreds of modern applications
  - Break applications
- Oh... I almost forgot... Proxies can be bypassed easily

14 Circumvention Tools Get Around Security
- Users circumvent IT security controls
  - Public proxy services / private proxies at home
  - Encrypted tunnels

15 Some Simple Questions
- Question #1: Who has a firewall?
- Question #2: What is your firewall doing? Your firewall is controlling access to your network? Really?
- Question #3: If you were me, how'd you break into your network?
- Question #4: Which threats to your network worry you?

16 Network Threats: Today's Thinking
- When talking about network threats, the following come to mind:
  - Viruses
  - Spyware
  - Exploits/Intrusions
  - Worms
  - Bots
  - Trojans
  - Etc.
- But these are not threats. These are technologies and mechanisms which carry threats.

17 Network Threats: The Real Threats
- From the business's perspective, network-borne threats include:
  - Data loss
  - Productivity loss
  - Increasing operations costs (e.g., helpdesk overload)
  - Non-compliance with regulations
  - Business continuity
  - Bad PR
- These threats can be introduced by viruses, spyware and exploits, but also through other mechanisms
- Uncontrolled applications carry risks of all the threats in the list above

18 Applications' Double Threat
- Applications bring threats:
  - Data loss
  - Productivity loss
  - Increasing operations costs (e.g., helpdesk overload)
  - Non-compliance with regulations
  - Business continuity
  - Bad PR
- Applications also carry traditional threat vectors
  - Viruses, Spyware, Exploits
- When allowing an application to be used, its traffic needs to be secured
  - Scan for Viruses, Spyware, Exploits, Data Loss, etc.

19 The Traditional Approach to Network Security
(Diagram: a Security Perimeter between Corporate Assets, the WAN and the Internet, built from stacked point products: IPSEC VPN, IPS, Anti-Virus, Content Filtering, DoS Protection, Anti-Spyware, Worm Mitigation, DLP/ILP, WebApp Security, IM Security, IDS, XML Security)
(Threat timeline shown: Resource Access (1992), Eavesdropping (1994), Exploits (1996), Viruses (1997), Content Access (1998), Denial of Service (2000), IM Attacks (2002), Web App Attacks (2002), XML/W.S. Attacks (2004), Info Leakage (2005), Worms (2005), Spyware (2006))

20 The "UTM" Approach
(Diagram: four separate stacks, each with its own Port/Protocol-based ID and its own L2/L3 Networking, HA, Config Management and Reporting base: Firewall Policy; URL Filtering Policy with an HTTP Decoder; IPS Policy with IPS Signatures and an IPS Decoder; AV Policy with AV Signatures and an AV Decoder & Proxy)

21 May I suggest a better approach? Single-Pass Parallel Processing (SP3) Architecture
- Single Pass
  - Single processes for:
    - Traffic classification (app identification)
    - User/group mapping
    - Content scanning: threats, URLs, DLP, etc.
  - One policy
- Parallel Processing
  - Function-specific hardware engines
  - Multi-core security processing
  - Separate data/control planes
- Up to 10Gbps, low latency

22 Making Content Scanning Network-Ready
- Stream-based, not file-based, for real-time performance
  - Dynamic reassembly
- Uniform signature engine scans for a broad range of threats in a single pass
- Threat detection covers vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)
(Diagram, over time: File-based Scanning: Buffer File, Scan File, Deliver Content. Stream-based Scanning: ID Content, Scan Content, Deliver Content)
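The file-based versus stream-based scanning contrast above, as an added example that is not from the presentation: the file-based scanner must buffer the whole object before delivering anything, while the stream-based scanner forwards each chunk as soon as it is scanned, holding back only a short tail so that a signature split across two chunks is still reassembled and caught. Signatures and traffic are constructed toy values, not Palo Alto Networks' uniform signature set.

```python
"""File-based vs. stream-based signature scanning with cross-chunk reassembly (constructed)."""

# Constructed signatures; a real engine carries a large uniform signature set.
SIGNATURES = [b"EICAR-TEST", b"cmd.exe /c"]
HOLDBACK = max(len(s) for s in SIGNATURES) - 1   # longest prefix that could still become a match

def _matches(data):
    """Return the first signature found in data, or None."""
    for sig in SIGNATURES:
        if sig in data:
            return sig
    return None

def scan_file_based(chunks):
    """Buffer everything, scan once, then deliver all or nothing.
    Returns (delivered_chunks, verdict); nothing reaches the client until the scan ends."""
    data = b"".join(chunks)
    hit = _matches(data)
    if hit:
        return [], "blocked:" + hit.decode()
    return [data], "clean"

def scan_stream_based(chunks):
    """Scan each chunk on arrival and forward it immediately if clean.
    The last HOLDBACK bytes of every scan window are held and prepended to the
    next chunk (dynamic reassembly), so a signature straddling a chunk boundary
    is still seen whole and nothing matching is ever forwarded."""
    delivered, held = [], b""
    for chunk in chunks:
        window = held + chunk
        hit = _matches(window)
        if hit:
            return delivered, "blocked:" + hit.decode()   # clean prefix already went out
        delivered.append(window[:-HOLDBACK])              # safe to forward now
        held = window[-HOLDBACK:]                         # might be the start of a match
    delivered.append(held)                                # stream ended clean: flush the tail
    return delivered, "clean"
```

With the signature split as `...EICAR-` | `TEST...`, the stream scanner still blocks, and only the bytes that could not belong to a match were forwarded before the block.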

23 Next Generation Firewalls: Requirements. New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Granular visibility and policy control over application access / functionality
4. Protect in real time against threats embedded across applications
5. Multi-gigabit, in-line deployment with no performance degradation

24 Palo Alto Networks Next Generation Firewalls...
- Application identification (~800)
- User identification
- Granular visibility & control
- Real-time content security
- Multi-gigabit low latency
- Transparent deployments
(Chart: performance from 500Mb and 1Gb up to 2Gb and 10Gb; PA-2000 Series for Branch Office / Medium Enterprise, PA-4000 Series for Large Enterprise)

25 Identification Technologies Change the Game
- App-ID: identify the application
- User-ID: identify the user
- Content-ID: scan the content

26 PAN-OS Features
- Strong networking foundation:
  - Flexible mix-and-match port configuration
    - Virtual wire ("L1") for true transparent in-line deployment
    - L2 with full VLAN support
    - L3 with NAT and dynamic routing (OSPF, RIP, etc.)
    - Tap mode: monitoring via SPAN port
  - Site-to-site IPSec VPN
- Zone-based architecture:
  - All interfaces assigned to security zones for policy enforcement
- High Availability:
  - Configuration and session synchronization
  - Path, link, and HA monitoring
  - Active / passive
- Virtual Systems:
  - Establish multiple virtual firewalls in a single device
- Intuitive and flexible management
  - CLI, Web, Panorama, SNMP, Syslog
- Visibility and control of applications, users and content are complemented by core firewall features

27 Flexible Deployment Options
- Application Visibility: connect to span port; provides application visibility without inline deployment
- Transparent In-Line: deploy transparently behind existing firewall; provides application visibility & control without networking changes
- Firewall Replacement: replace existing firewall; provides application and network-based visibility and control, consolidated policy, high performance

28 Purpose-Built Architecture: PA-4000 Series
- Flash Matching HW Engine
  - Palo Alto Networks' uniform signatures
  - Multiple memory banks; memory bandwidth scales performance
- Multi-Core Security Processor
  - High-density processing for flexible security functionality
  - Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
- Dedicated Control Plane
  - Highly available management
  - High-speed logging and route updates
- 10 Gig Network Processor
  - Front-end network processing offloads security processors
  - Hardware-accelerated QoS, route lookup, MAC lookup and NAT
(Diagram labels: Control Plane with dual-core CPU, RAM and HDD; Data Plane with Flash Matching Engine, RAM, CPU 1 to CPU 16, SSL / IPSec / decompression, QoS, route / ARP / MAC lookup, NAT; 10Gbps links)

29 Users Do What They Want... Which Presents Risk
- Most users can employ any application they want
  - Applications are evasive
  - Proxies and encrypted tunnels are common
- Applications carry risk
  - Application behavior: threats, file transfer, etc.
  - Business risk: compliance, data loss, business continuity, operational costs, productivity
- Enterprise security and control infrastructure isn't keeping up
  - Network security is more expensive, harder to manage, and less effective
- IT needs to start thinking like the business

30 Thank You!

