Palo Alto Networks. Re-Inventing Network Security. It s Time To Fix The Firewall?! Christian Etzold Senior System Engineer

Transcription

1 Palo Alto Networks Re-Inventing Network Security It s Time To Fix The Firewall?! Christian Etzold Senior System Engineer

2 Security v1.0 Response: Rip Holes in Firewall Traditional Applications DNS Gopher SMTP HTTP Dynamic Applications FTP RPC Java/RMI Multimedia Background Appeared mid 1980 s Typically embedded in routers Classify individual packets based on port numbers Internet Challenge Could not support dynamic applications Flawed solution was to open large groups of ports Opened the entire network to attack

3 Security v2.0: Stateful Inspection Traditional Applications DNS Gopher SMTP HTTP Internet Dynamic Applications FTP RPC Java/RMI Multimedia Evasive Applications Encrypted Web 2.0 P2P Instant Messenger Skype Music Games Desktop Applications Spyware Crimeware Background Innovation created Check Point in 1994 Used state table to fix packet filter shortcomings Classified traffic based on port numbers but in the context of a flow Challenge Cannot identify Evasive Applications Embedded throughout existing security products

4 Applications Have Changed; Firewalls Have Not The gateway at the trust border is the right place to enforce policy control Sees all traffic Defines trust boundary BUT applications have changed Ports Applications IP Addresses Users Packets Content Need to restore visibility and control in the firewall Page Palo Alto Networks. Proprietary and Confidential.

5 Application Usage and Risk Report 6 th Edition, October 2010

6 Methodology and Demographics Methodology - Analysis is based on live customer traffic not a survey - How are networks being used? - What applications are running on enterprise networks? - What are the risks associated with the existing application mix? Demographics organizations worldwide, up from applications found, up from 741 Participating Organizations petabyes of bandwidth Mar (21) Oct (25) Demographics Mar (60) 113 Oct (214) Mar (347) Oct (723) Americas Asia Pacific, Japan Europe Page Palo Alto Networks. Proprietary and Confidential.

7 Geographically and Historically: Usage is Universal 100% Geographical View: Frequency that Saying, Socializing and Sharing Applications were Detected 90% 80% 70% 60% Worldwide Americas Europe Asia Pacific, Japan Webmail Instant Messaging Social Networking Browser-based Filesharing P2P Filesharing Saying Social Networking Sharing 100% Historical View: Frequency that Saying, Socializing and Sharing Applications were Detected 90% 80% 70% 60% Oct Mar Oct Mar Oct Webmail Instant Messaging Social Networking Browser-based Filesharing P2P Filesharing Saying Social Network ing Sharing Page Palo Alto Networks. Proprietary and Confidential.

8 Saying: Heavily Used, A Common Threat Vector Google Talk Gadget Most Frequently Found Saying (Webmail and IM) Applications Gmail Hotmail Yahoo Mail Facebook Mail SquirrelMail Yahoo IM Facebook Chat MSN Meebo 57% 79% 79% 78% 77% 76% 90% 88% 87% 93% 20% 40% 60% 80% 100% IM: 66 applications: 6 P2P, 27 C/S, 33 browser-based, 0.3% of the bandwidth Webmail: 33 applications, 1% of the bandwidth Business benefits: faster communication, collaboration, productivity Outbound risks: compliance, minor data loss Inbound risks: popular vector for malware, many of these applications have known vulnerabilities Malware Log Instances Per Organization (in 1,000s) Conficker.C.p2p (Worm) GGDoor.22 (Trojan) Mariposa C&C (Bot) Zeus (Bot) Page Palo Alto Networks. Proprietary and Confidential.

9 Socializing: Facebook Dominates Social Networking Application Bandwidth Consumption Facebook 69% All other SN 15% Myspace 1% Stumbleupon 1% LinkedIn 2% Twitter 3% Facebook Posting 1% Facebook Apps 4% Facebook consumes 78% of the total social networking bandwidth Other top SN applications consume 7% 43 remaining social networking applications vie for the remaining table scraps (15%) Facebook Social Plugin 4% Business benefits: faster time to market, rich research, sales, marketing environment Outbound risks: internal and external compliance, branding and image (what should be said), industry (should it be used) Inbound risks: a common vector to deliver malware (Zeus and Conficker), next-gen social engineering Page Palo Alto Networks. Proprietary and Confidential.

10 Sharing: Browser-based Sharing Grows File Sharing Trends Over Time Fileshareing Trend: Frequency of use and number of applications shifts towards browser-based Use of other filesharing applications (like FTP) remains steady 100% 75% 50% 25% Mar Oct Mar Oct Mar Oct Browser-Based File Sharing Peer-to-peer File Sharing FTP All Other Applications 998 TB Bandwidth Consumption Comparison Other Filesharing 49 TB Browser-based Filesharing 22 TB Other P2P Filesharing 48 TB Xunlei (P2P) 203 TB 80 filesharing applications (23 P2P, 49 BB, 9 other) consuming 323 TB (24%) Xunlei, 5 th most popular P2P consumed 203 TB 15% of overall BW Business benefits: easier to move large files, central source of Linux binaries Outbound risks: Data loss is the primary business risk Inbound risks: Mariposa is propagated across P2P (and MSN) Page Palo Alto Networks. Proprietary and Confidential.

11 Summary Application usage has become homogenous - Minor country by country variances exist - Larger players extend their dominance Saying, socializing and sharing: streamlining business, increasing business and security risks - IT continues to struggle with block/allow balance Cloud based applications in use now, driven by users and by IT - 10% of the applications are enterprise cloud - Microsoft and Google have a significant presence Page Palo Alto Networks. Proprietary and Confidential.

12 Summary Application usage has become homogenous - Little geographic or industry variance - Risks across industries are heterogeneous Enterprise 2.0 application usage intensity increases - Frequency remain high, resource consumption up indicating greater intensity These are not your father s applications - 2/3 of the have accessibility features many hop ports - SSL, SSH and VPN are not the only applications that tunnel Page Palo Alto Networks. Proprietary and Confidential.

13 Firewalls

14 Application Based Firewall stateful inspection legacy firewalls tcp/443 tcp/443 What s really going on Page Palo Alto Networks. Proprietary and Confidential 2.1-b

15 Applications Carry Risk Applications can be threats P2P file sharing, tunneling applications, anonymizers, media/video Applications carry threats SANS Top 20 Threats majority are application-level threats Applications & application-level threats result in major breaches Pfizer, VA, US Army Page Palo Alto Networks. Proprietary and Confidential.

16 The Traditional Approach to Network Security Corporate Assets Web App Attacks (2002) Security Perimeter Worms (2005) WAN XML/W.S. Attacks (2004) Info Leakage (2005) Eavesdropping (1994) IM Attacks (2002) Content Access (1998) Resource Access (1992) Viruses (1997) Denial of Service (2000) XML Security Spyware (2006) Exploits (1996) IM Security Anti-Virus DLP/ILP Anti-Spyware Content Filtering IPS IDS IPSEC VPN DoS Protection Internet Worm Mitigation WebApp Security

17 About Palo Alto Networks Palo Alto Networks is the Network Security Company World-class team with strong security and networking experience - Founded in 2005 by security visionary Nir Zuk - Top-tier investors Builds next-generation firewalls that identify / control applications - Restores the firewall as the core of the enterprise network security infrastructure - Innovations: App-ID, User-ID, Content-ID Global footprint: 2,000+ customers in 50+ countries, 24/7 support

18 The Right Answer: Make the Firewall Do Its Job New Requirements for the Firewall 1. Identify applications regardless of port, protocol, evasive tactic or SSL 2. Identify users regardless of IP address 3. Protect in real-time against threats embedded across applications 4. Fine-grained visibility and policy control over application access / functionality 5. Multi-gigabit, in-line deployment with no performance degradation Page Palo Alto Networks. Proprietary and Confidential.

19 Identification Technologies Transform the Firewall App-ID Identify the application User-ID Identify the user Content-ID Scan the content Page Palo Alto Networks. Proprietary and Confidential.

20 App-ID: Comprehensive Application Visibility Policy-based control more than 1000 applications distributed across five categories and 25 sub-categories Balanced mix of business, internet and networking applications and networking protocols 3-5 new applications added weekly App override and custom HTTP/SSL applications address internal applications

21 Application Based Firewall stateful inspection tcp/443 tcp/443 Page Palo Alto Networks. Proprietary and Confidential 2.1-b

22 Application Identification - Signatures SSL Forward proxy HTTP webex Protocol Decoders Decryption Application Signatures Mode shift Webex desktop sharing Page Palo Alto Networks. Proprietary and Confidential 2.1-b

23 User-ID: Enterprise Directory Integration Users no longer defined solely by IP address - Leverage existing enterprise directory services (Active Directory, LDAP, edirectory) without desktop agent rollout - Identify Citrix users and tie policies to user and group, not just the IP address Manage and enforce policy based on user and/or group Understand user application and threat behavior based on username, not just IP Investigate security incidents, generate custom reports

24 Content-ID: Real-Time Content Scanning Detect and block a wide range of threats, limit unauthorized data transfer and control non-work related web surfing Stream-based, not file-based, for real-time performance - Uniform signature engine scans for broad range of threats in single pass - Vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home) Block transfer of sensitive data and file transfers by type - Looks for CC # and SSN patterns - Looks into file to determine type not extension based Web filtering enabled via fully integrated URL database - Local 20M URL database (78 categories) maximizes performance (1,000 s URLs/sec) - Dynamic DB and customizable categories adapts to local, regional, or industry

25 Comprehensive View of Applications, Users & Content Application Command Center (ACC) - View applications, URLs, threats, data filtering activity Add/remove filters to achieve desired result Page 28 Filter on Facebook-base 2010 Palo Alto Networks. Proprietary and Confidential. Filter on Facebook-base and user cook Remove Facebook to expand view of cook

26 Gartner: Palo Alto Networks is a Visionary Enterprises need next-generation firewalls - In 2009, Gartner saw market pressures accelerate the demand for nextgeneration firewall platforms that provide the capability to detect and block sophisticated attacks, as well as enforce granular security policy at the application (versus port and protocol) level. Palo Alto Networks next generation firewalls are leading the market - Gartner notes: Palo Alto Networks is highly disruptive within the firewall market because the product has been designed as a next-generation firewall and has competitors being forced to change road maps and sell defensively. Palo Alto Networks generated the most firewall inquiries among Gartner customers in Page Palo Alto Networks. Proprietary and Confidential.

27 2010 Magic Quadrant for Enterprise Network Firewalls Cisco Juniper Networks ability to execute McAfee Stonesoft WatchGuard Fortinet Check Point Software Technologies Palo Alto Networks SonicWALL NETASQ 3Com/H3C phion Astaro Source: Gartner niche players visionaries completeness of vision As of March 2010 Page Palo Alto Networks. Proprietary and Confidential.

28 F1000 Organizations Trust Palo Alto Networks Page Palo Alto Networks. Proprietary and Confidential.

29 Addresses Three Key Business Problems Identify and Control Applications - Visibility of applications, regardless of port, protocol, encryption, or evasive tactic - Fine-grained control over applications (allow, deny, limit, scan, shape) - Addresses the key deficiencies of legacy firewall infrastructure Prevent Threats - Stop a variety of threats exploits (by vulnerability), viruses, spyware - Stop leaks of confidential data (e.g., credit card #, social security #) - Stream-based engine ensures high performance - Enforce acceptable use policies on users for general web site browsing Simplify Security Infrastructure - Put the firewall at the center of the network security infrastructure - Reduce complexity in architecture and operations Page Palo Alto Networks. Proprietary and Confidential.

30 Design and Implementation of the Palo Alto Networks Firewall Version 4.0

31 PAN-OS Core Firewall Features Visibility and control of applications, users and content complement core firewall features Strong networking foundation - Dynamic routing (BGP, OSPF, RIPv2) - Tap mode connect to SPAN port - Virtual wire ( Layer 1 ) for true transparent in-line deployment - L2/L3 switching foundation - Policy-based forwarding VPN - Site-to-site IPSec VPN - SSL VPN / GlobalProtect QoS traffic shaping - Max/guaranteed and priority - By user, app, interface, zone, & more - Real-time bandwidth monitor Zone-based architecture - All interfaces assigned to security zones for policy enforcement High Availability - Active / active - Configuration and session synchronization - Path, link, and HA monitoring Virtual Systems - Establish multiple virtual firewalls in a single device (PA-4000 and PA-2000 Series only) Simple, flexible management - CLI, Web, Panorama, SNMP, Syslog PA-4060 PA-4050 PA-4020 PA-2050 PA-2020 PA-500 Page Palo Alto Networks. Proprietary and Confidential.

32 Flexible Deployment Options Visibility Transparent In-Line Firewall Replacement Application, user and content visibility without inline deployment IPS with app visibility & control Consolidation of IPS & URL filtering Firewall replacement with app visibility & control Firewall + IPS Firewall + IPS + URL filtering Page Palo Alto Networks. Proprietary and Confidential.

33 PA-4000 Series Specifications PA Gbps FW 5 Gbps threat prevention 2,000,000 sessions 4 XFP (10 Gig) I/O 4 SFP (1 Gig) I/O PA Gbps FW 5 Gbps threat prevention 2,000,000 sessions 16 copper gigabit 8 SFP interfaces PA Gbps FW 2 Gbps threat prevention 500,000 sessions 16 copper gigabit 8 SFP interfaces - 2U, 19 rack-mountable chassis - Dual hot swappable AC power supplies - Dedicated out-of-band management port - 2 dedicated HA ports - DB9 console port Page Palo Alto Networks. Proprietary and Confidential 2.1-b

34 4000 Series Architecture RAM Dedicated Control Plane Highly available mgmt High speed logging and route updates Flash Matching Engine RAM RAM RAM Flash Matching HW Engine Palo Alto Networks uniform signatures Multiple memory banks memory bandwidth scales performance Dual-core CPU RAM RAM HDD CPU 1 SSL CPU 2 CPU 3 IPSec.. CPU 16 RAM RAM De- Compression Multi-Core Security Processor High density processing for flexible security functionality Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression) QoS Route, ARP, MAC lookup NAT 10 Gig Network Processor Front-end network processing offloads security processors Hardware accelerated QoS, route lookup, MAC lookup and NAT Control Plane Data Plane Page Palo Alto Networks. Proprietary and Confidential 2.1-b

35 PA-2000 Series Specifications PA Gbps FW 500 Mbps threat prevention 250,000 sessions 16 copper gigabit 4 SFP interfaces PA Mbps FW 200 Mbps threat prevention 125,000 sessions 12 copper gigabit 2 SFP interfaces - 1U rack-mountable chassis - Single non-modular power supply - 80GB hard drive (cold swappable) - Dedicated out-of-band management port - RJ-45 console port, user definable HA port Page Palo Alto Networks. Proprietary and Confidential 2.1-b

36 2000 Series Architecture RAM Dedicated Control Plane Highly available mgmt High speed logging and route updates Flash Matching Engine RAM RAM RAM Flash Matching HW Engine Palo Alto Networks uniform signatures Multiple memory banks memory bandwidth scales performance 1Gbps Dual-core CPU RAM RAM HDD CPU 1 SSL CPU 2 CPU 3 CPU 4 IPSec RAM RAM Multi-Core Security Processor High density processing for flexible security functionality Hardware-acceleration for standardized complex functions (SSL, IPSec) 1Gbps Route, ARP, MAC lookup NAT Network Processor Front-end network processing offloads security processors Hardware accelerated route lookup, MAC lookup and NAT Control Plane Data Plane Page Palo Alto Networks. Proprietary and Confidential 2.1-b

37 Purpose-Built Architecture: PA-4000 Series RAM Dedicated Control Plane Highly available mgmt High speed logging and route updates Signature Match RAM RAM RAM 10Gbps Signature Match HW Engine Palo Alto Networks uniform signatures Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and other signatures Dual-core CPU RAM RAM HDD CPU 1 SSL CPU 2 CPU 3 IPSec.. CPU 16 De- Compression 10Gbps RAM RAM Multi-Core Security Processor High density processing for flexible security functionality Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression) Control Plane QoS Route, ARP, MAC lookup NAT 10 Gig Network Processor Front-end network processing offloads security processors Hardware accelerated QoS, route lookup, MAC lookup and NAT Data Plane

38 Site-to-Site and Remote Access VPN Site-to-site VPN connectivity Remote user connectivity Secure connectivity - Standards-based site-to-site IPSec VPN - SSL VPN for remote access Policy-based visibility and control over applications, users and content for all VPN traffic Included as features in PAN-OS at no extra charge

39 GlobalProtect Securing Users and Data in an Always Connected World

40 The Need to Secure Remote Users How do you secure your applications and your users when they are both moving off the controlled network? Apps DATA Users Headquarters Branch Office Hotel Home Enterprise Secured Open to threats, app usage, & more

41 Two Existing Approaches Fall Well Short Software on the PC Install point security products on the PC Security apps run on the PC and perform specific function Examples include antivirus, antispyware, host IPS, software control, USB port control, DLP, etc. Cloud-based Services Install an agent on the PC Agent forces web traffic to cloudbased proxy for scanning and policy enforcement Examples include ScanSafe, Purewire, etc. Expensive to purchase, deploy, and manage Limited coverage and awareness of different applications and threats (very silo oriented) Policies are inconsistent with network security policies Limited (if any) coordination between user, application, and content Page Palo Alto Networks. Proprietary and Confidential.

42 Overview of Off-Network Security OFF the Enterprise network: Small agent on PC detects off-network - Finds closest gateway and forces traffic through gateway connection Performs host profile check - Is software updated? - Is host running req. software? Enforces enterprise policy Headquarters Branch Office - Application, user, and content-based policies enforced Enterprise for Secured roaming users Hotel Home Off Network Secured Page Palo Alto Networks. Proprietary and Confidential.

43 Overview of On-Network Security Headquarters Branch Office On Network Secured ON the Enterprise network: Small agent on PC detects on-network Agent performs host profile check - Is software updated? - Is host running req. software? Palo Alto Networks firewalls enforce policy augmented by host profile - Unpatched systems, unknown users, noncompliant software config receive limited network access Hotel Home Cloud Service Secured Page Palo Alto Networks. Proprietary and Confidential.

44 GlobalProtect Topology Portal Gateway 1 Gateway Client 4 23 Gateway 1. Client attempts SSL connection to Portal to retrieve latest configuration 2. Client does reverse DNS lookup per configuration to determine whether on or off network (e.g. lookup and see if it resolves to internal.paloalto.local) 3. If external, client attempts to connect to all external gateways via SSL and then uses one with quickest response 4. SSL or IPSec tunnel is established and default routes inserted to direct all traffic through the tunnel for policy control and threat scanning Gateway Palo Alto Networks. Proprietary and Confidential. 48

45 Complete Security Coverage Solution Consistent policy applied to all enterprise traffic: Users protected from threats off-network, plus application and content usage controlled to prevent data leakage User profile incorporated into consistent enterprise security enforcement Enterprises gain same level of control of SaaS applications as when previously hosted internally Apps Headquarters Branch Office Hotel Home Consistent Security Users

46 Traffic Shaping / QoS Application Based!

47 Traffic Shaping Extends Policy Control Options Traffic shaping policies ensure business applications are not bandwidth starved - Guaranteed, prioritized and maximum bandwidth settings - Apply traffic shaping policies by application, user, source, destination, interface, IPSec VPN tunnel and more Enables more effective deployment of appropriate application usage policies Included as a feature in PAN-OS at no extra charge

48 Real-time Bandwidth Monitor Real-time view of bandwidth and session consumption for applications, users, and rules