Palo Alto Networks - Next Generation Firewall

Contents

Enterprises Need Application Visibility and Control
Key Next-Generation Firewall Requirements
Visibility: Turning On the Lights
Control: Safe Enablement vs. Blindly Blocking
Specific Examples: Google Talk and UltraSurf
Enabling the Secure Use of Facebook
How it works
App-ID: Classifying All Applications, All Ports, All the Time
User-ID: Enabling Applications by Users and Groups
Content-ID: Protecting Allowed Traffic
Extending The Network Perimeter
The Logical Perimeter: A Strategic Solution
GlobalProtect + Next-Generation Firewall = The Logical Perimeter
Enforce Network Controls Based on User, Role, and User Profile

Information technology security has been developing steadily over the past couple of decades in a fast and evolutionary way. Every now and then, however, the evolutionary path is disrupted by a revolutionary change. Testimony to that are the introduction of stateful inspection on firewalls, the entry and domination of easy-to-use purpose-built firewall appliances, and the expansion of UTM functionality. Today we again witness a similar revolutionary change, one that does away with the traditional complexity and murkiness of network traffic inspection and control, that easily identifies applications and separates the bad from the good, and that empowers network security administrators to identify with unprecedented ease not just what kind of traffic is flowing across the network but also who exactly generates it. This technology enables quick discovery and remediation of all aspects of network security issues, providing not just an adequate response to the incident itself but also almost immediate insight into the most important questions a security administrator needs answered: what the incident is, where it comes from, what the impact would be and who exactly has done it.

By discarding the traditional traffic classification mechanisms of port and protocol, and taking an application-centric approach, the Palo Alto Networks next-generation firewall is able to bring unparalleled application visibility and control back to the IT department. Whether the need is to control one of the application categories such as P2P or social networking, or to meet a more general application visibility and control requirement, the Palo Alto Networks firewall allows administrators to define traditional firewall policies to control their application traffic.

Enterprises Need Application Visibility and Control

In a world where social networking and cloud-based applications dominate business application discussions, the need for application visibility and control has never been greater. A growing number of Internet-savvy employees are accessing any business and personal applications they want in order to be more productive and stay connected. The benefits may be clear, but there are also security risks, which is why many enterprises are demanding that their security infrastructure help them regain visibility and control over the applications traversing the network. Gartner has highlighted application visibility and control as a critical requirement for next-generation firewalls. Today, many security vendors are weaving the terms "next-generation" and "application control" into marketing messages for their existing port-based offerings.

Key Next-Generation Firewall Requirements:

Identify applications, not ports. Identify the application, irrespective of protocol, encryption, or evasive tactic, and use the identity as the basis for all security policies.
Identify users, not IP addresses. Employ user and group information from enterprise directories for visibility, policy creation, reporting, and forensic investigation, no matter where the user is located.
Block threats in real-time. Protect against the entire lifecycle of an attack including dangerous applications, vulnerabilities, malware, high-risk URLs, and a wide array of malicious files and content.
Simplify policy management. Safely and securely enable applications with easy-to-use graphical tools and a unified policy editor.
Enable a logical perimeter. Secure all users, including travelling or telecommuting users, with consistent security that extends from the physical to the logical perimeter.
Deliver multi-gigabit throughput. Combine purpose-built hardware and software to enable low-latency, multi-gigabit performance with all services enabled.

Palo Alto Networks next-generation firewalls enable unprecedented visibility and control of applications, users, and content using three unique identification technologies: App-ID, User-ID, and Content-ID. These identification technologies, found in every Palo Alto Networks firewall, enable enterprises to safely and securely enable application usage, while significantly reducing total cost of ownership through device consolidation.

Visibility: Turning On the Lights

A firewall must classify all traffic, across all ports; it is the whole point of a firewall. An IPS (or a UTM using IPS to identify applications) only sees patterns it is expressly looking for, typically only on certain specified ports. The resulting benefit of doing this in the firewall: the administrator has a clear and comprehensive picture of all of the applications on the network.

Armed with this information, administrators can make more informed enablement decisions. It's like turning on the lights in a dark room: suddenly everything is illuminated and easily seen, and administrators can act on it. With a traditional firewall + IPS or other add-ons, administrators are not given this level of detail. They only know what they have configured the IPS to look for. It's very much like using a flashlight in a dark room: you only have limited visibility into the small area you are focused on.

Finally, having that visibility in one spot has significant benefits. Usually, visibility means reviewing multiple log files, looking for the needle in a haystack. But Palo Alto Networks data centre customers have found that the application visibility and the traffic visibility, coupled with the inbound URL and threat logs, all available in one user interface, eliminate the either/or choice between visibility and efficiency.

Control: Safe Enablement vs. Blindly Blocking

A next-generation firewall is designed to enable and control application access, and, if need be, hand it off to be scanned for threats by an IPS. The benefit of doing application identification and control in the firewall: safe enablement of applications. Organizations can allow, deny, allow for certain groups, allow certain functions, allow but shape, or allow but scan for threats or confidential data. In contrast, an IPS's control model is negative and terminal, meaning that an IPS can only block, which is insufficient for application control.

Using a stateful inspection firewall plus an IPS to identify and control applications, IT organizations must rely on simple signatures, but applications' port agility and SSL encryption can render those signatures useless: "find it and kill it" only works when you can find it. Everything else gets through. And that means the ability to effectively control applications is very limited.

Bottom line: if the firewall uses stateful inspection to classify traffic, it isn't a next-generation firewall. If it isn't a next-generation firewall, it doesn't really change anything for your network security.

Specific Examples: Google Talk and UltraSurf

It seems it should be easy for an IPS to have a signature to identify Google Talk, allowing an admin to block Google Talk. It could also have signatures to block Google Talk Gadget, Gmail Chat, and Google Talk File Transfer. However, there are two potential challenges. First, the port agility of some of these applications (IPS engines still use port to determine which decoder to use, and signatures are written for specific decoders) renders application identification spotty: administrators have to specify all of the ports to search on. Second, Gmail defaults to SSL-encrypted now, and most IPSs are not capable of decrypting outbound SSL, so Gmail Chat works just fine, despite whatever policy is in place on the UTM. Palo Alto Networks App-ID™ includes an ability to decrypt SSL, coupled with identifying the application. In this case, that includes controlling file transfers over Gmail as well as Gmail Talk (a special implementation of Google Talk embedded in Gmail).

2. Block UltraSurf. Anyone who knows what UltraSurf does would likely want to block it, as it allows the user to tunnel any other internet application through an encrypted tunnel capable of traversing traditional firewalls, proxies, and IPS systems. Here the biggest challenge is the way UltraSurf uses a proprietary implementation of SSL to bypass protocol decoding and signature detection, so the IPS approach cannot identify and block UltraSurf. Put another way, "find it and kill it" only works when you can find it. And since UltraSurf can be used to tunnel just about any application, all other application controls are rendered useless. Palo Alto Networks App-ID™ uses its heuristics engine to identify UltraSurf, and to keep up with UltraSurf's often changing evasion tactics.
Enabling the Secure Use of Facebook

Facebook is rapidly extending its influence from the personal world to the corporate world as employees use these applications to get their jobs done. At the same time, many organizations are looking at the nearly 400 million Facebook users as an opportunity to conduct research, execute targeted marketing, gather product feedback and increase awareness. The end result is that Facebook can help organizations improve their bottom line.

However, formally enabling the use of Facebook introduces several challenges to organizations. Many organizations are unaware of how heavily Facebook is being used, or for what purpose. In most cases, policies governing specific usage are non-existent or unenforceable. Finally, users tend to be too trusting, operating with a "click now, think later" mentality which introduces significant security risks.

Like any application that is brought into the enterprise by end users, blindly allowing Facebook may result in propagation of threats, loss of data and damage to the corporate reputation. Blindly blocking is also an inappropriate response because Facebook may play an important role in the business, and blocking may force users to find alternative means of accessing it (proxies, circumvention tools, etc.). Organizations should follow a systematic process to develop, enable and enforce appropriate Facebook usage policies while protecting network resources.

1. Find out who's using Facebook. There are many cases where there may already be a corporate Facebook presence established by marketing or sales, so it is critical that IT determine which social networking applications are in use, who is using them and the associated business objectives. By meeting with the business groups and discussing the common company goals, IT can use this step to move away from the image of "always saying no" and towards the role of business enabler.

2. Develop a corporate Facebook policy. Once visibility into Facebook usage patterns is established, organizations should engage in discussions regarding what should and should not be said or posted about the company, the competition and the appropriate language. Educating users on the security risks associated with Facebook is another important element of encouraging usage for business purposes. With a "click first, think later" mentality, Facebook users tend to place too much trust in their friend network, potentially introducing malware while placing personal and corporate data at risk.

3. Use Technology to Monitor and Enforce Policy. The outcome of each of these discussions should be documented with an explanation of how IT will apply security policies to safely and securely enable use of Facebook within enterprise environments.

Palo Alto Networks next-generation firewalls allow organizations to take a very systematic approach to enabling the secure use of Facebook by determining usage patterns, then establishing and enforcing corporate policies that enable the business objectives in a secure manner.

Identify Who is Using Facebook: The first step in safely enabling the use of Facebook (or other social networking applications) is to identify which applications are being used and which employees are using them. Facebook, along with other social networking applications, has added companion applications like email and chat and has opened its platform to developers with Facebook Apps. In addition to the base Facebook application, Palo Alto Networks can identify and control Facebook Apps, Facebook Mail, Facebook Chat, Facebook Posting (read-only) and Facebook Social Plugins.
Define and Enforce Appropriate Usage Policies: Once the Facebook applications and associated users have been identified (via directory services integration), administrators can apply appropriate usage policies that support the goals and objectives. Enforcing policy control that spans both personal and professional use of Facebook requires a delicate balancing act. Policies must be flexible enough to enable the business and allow some personal use (where appropriate), yet be effective enough to protect the enterprise from security or business risks. For example, a Facebook read-only policy can be enabled to strike a balance between block and allow. Using the identity of the specific applications combined with the user information from directory services (Active Directory, LDAP, eDirectory) enables administrators to apply policies that go far beyond the traditional allow or deny. Policy options include:

Allow or deny
Allow but scan
Allow based on schedule
Decrypt and inspect
Allow and apply traffic shaping
Allow for certain users or groups
Allow certain application functions
Any combination of the above

Protect the Network From Attacks Propagated Across Facebook: With nearly 400 million users exchanging images, links and documents at a breakneck pace and with a "click now, think later" mentality, the Facebook population represents a very target-rich environment for cyber criminals. Studies done by Kaspersky labs show that social networking sites are 10 times more effective at delivering malware than previous methods of delivery. With a Palo Alto Networks next-generation firewall, a detailed Facebook application control policy can be augmented with an equally detailed threat prevention policy, enabled using the Palo Alto Networks integrated threat prevention engine. The threat prevention engine detects and blocks a wide range of threats (spyware, Trojans, viruses, application vulnerabilities) including Koobface.

Monitor and Control Unauthorized File and Data Transfers: As part of the balancing act between personal and professional use, organizations must also evaluate how best to implement policies that are designed to limit unauthorized transfer of files and data. Taking advantage of the Palo Alto Networks data filtering capabilities, administrators can apply policies to detect the flow of confidential data patterns (credit card numbers, social security numbers and custom patterns) with varied response options depending on the policy. In addition to the data filtering capabilities, file blocking by type can also be enabled. More than 50 different file types are identified and can be controlled with response options that include outright blocking, block and send the user a warning message, or log and send an alert to the administrator.
How it works

App-ID: Classifying All Applications, All Ports, All the Time

Accurate traffic classification is the heart of any firewall, with the result becoming the basis of the security policy. Traditional firewalls classify traffic by port and protocol, which, at one point, was a satisfactory mechanism for securing the network. Today, applications can easily bypass a port-based firewall: hopping ports, using SSL and SSH, sneaking across port 80, or using non-standard ports. App-ID addresses the traffic classification visibility limitations that plague traditional firewalls by applying multiple classification mechanisms to the traffic stream, as soon as the firewall sees it, to determine the exact identity of applications traversing the network.
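The port-based bypass described above, as an added illustration that is not part of the original paper and is not how App-ID is implemented: constructed flows are labelled once by destination port and once by their first payload bytes, and the two resulting policy verdicts are compared. The signatures, application labels, policy sets and sample flows are assumptions chosen for the example.

```python
"""Port-based vs. payload-based classification on constructed flows."""
from dataclasses import dataclass

# What a port-based firewall assumes each destination port carries (assumed map).
PORT_MAP = {22: "ssh", 80: "web-browsing", 443: "ssl", 6881: "bittorrent"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

# Example policy, expressed once per model.
ALLOWED_PORTS = {80, 443}                 # port model: "allow web ports"
ALLOWED_APPS = {"web-browsing", "ssl"}    # application model: "allow web apps"


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first client-to-server bytes of the session


def classify_by_port(flow):
    """Label a flow purely from its destination port."""
    return PORT_MAP.get(flow.dst_port, "unknown")


def classify_by_payload(flow):
    """Label a flow from protocol markers in its first bytes, ignoring the port."""
    p = flow.payload
    if p.startswith(b"SSH-"):                     # SSH identification string
        return "ssh"
    if p.startswith(b"\x13BitTorrent protocol"):  # BitTorrent peer handshake
        return "bittorrent"
    # TLS record type 0x16 (handshake), major version 3, handshake type 1 (ClientHello)
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "ssl"
    if p.startswith(HTTP_METHODS) and b" HTTP/1." in p.split(b"\r\n", 1)[0]:
        return "web-browsing"
    return "unknown"


def port_policy(flow):
    return "allow" if flow.dst_port in ALLOWED_PORTS else "deny"


def app_policy(flow):
    return "allow" if classify_by_payload(flow) in ALLOWED_APPS else "deny"


def compare(flows):
    """Return one row per flow with both labels and both verdicts."""
    return [
        {
            "dst_port": f.dst_port,
            "port_label": classify_by_port(f),
            "app_label": classify_by_payload(f),
            "port_verdict": port_policy(f),
            "app_verdict": app_policy(f),
        }
        for f in flows
    ]


def disagreements(rows):
    """Flows where the port rule and the application rule decide differently."""
    return [r for r in rows if r["port_verdict"] != r["app_verdict"]]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    Flow(80, b"SSH-2.0-OpenSSH_9.6\r\n"),                  # SSH on port 80
    Flow(443, b"\x13BitTorrent protocol" + bytes(8)),      # P2P on port 443
    Flow(8080, b"GET /status HTTP/1.1\r\nHost: app.example\r\n\r\n"),  # web on odd port
    Flow(443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(32)),
]

if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        flag = "  <-- verdicts differ" if row["port_verdict"] != row["app_verdict"] else ""
        print(f'{row["dst_port"]:>5}  port says {row["port_label"]:<13}'
              f'({row["port_verdict"]})  payload says {row["app_label"]:<13}'
              f'({row["app_verdict"]}){flag}')
```

The last flow is only ever labelled "ssl": without decryption, a payload check cannot see what is carried inside the TLS session, which is why the paper pairs application identification with SSL decryption.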

Unlike add-on offerings that rely solely on IPS-style signatures, implemented after port-based classification, every App-ID automatically uses up to four different traffic classification mechanisms to identify the application. App-ID continually monitors the application state, re-classifying the traffic and identifying the different functions that are being used. The security policy determines how to treat the application: block, allow, or securely enable (scan for and block embedded threats, inspect for unauthorized file transfer and data patterns, or shape using QoS).

User-ID: Enabling Applications by Users and Groups

Traditionally, security policies were applied based on IP addresses, but the increasingly dynamic nature of users and computing means that IP addresses alone have become ineffective as a mechanism for monitoring and controlling user activity. User-ID allows organizations to extend user- or group-based application enablement policies across Microsoft Windows, Apple Mac OS X, Apple iOS, and Linux users. User information can be harvested from enterprise directories (Microsoft Active Directory, eDirectory, and Open LDAP) and terminal services offerings (Citrix and Microsoft Terminal Services), while integration with Microsoft Exchange, a Captive Portal, and an XML API enable organizations to extend policy to Apple Mac OS X, Apple iOS, and UNIX users that typically reside outside of the domain.

User-ID seamlessly integrates Palo Alto Networks firewalls with a range of enterprise directory and terminal services offerings, enabling administrators to tie application activity and security policies to users and groups, not just IP addresses. When used in conjunction with App-ID and Content-ID, IT organizations can leverage user and group information for visibility, policy creation, forensic investigation and reporting on application, threat, web surfing and data transfer activity.

User-ID addresses the challenge of using IP addresses to monitor and control the activity of specific network users, something that was once a fairly simple task but has become difficult as enterprises moved to an Internet- and web-centric model.

The visibility problem is compounded in an increasingly mobile enterprise, where employees access the network from virtually anywhere around the world, internal wireless networks reassign IP addresses as users move from zone to zone, and network users are not always company employees.

Content-ID: Protecting Allowed Traffic

Many of today's applications provide significant benefit, but are also being used as a delivery tool for modern malware and threats. Content-ID, in conjunction with App-ID, provides administrators with a two-pronged solution to protecting the network. After App-ID is used to identify and block unwanted applications, administrators can then securely enable allowed applications by blocking vulnerability exploits, modern malware, viruses, botnets, and other malware from propagating across the network, all regardless of port, protocol, or method of evasion. Rounding out the control elements that Content-ID offers is a comprehensive URL database to control web surfing, along with data filtering features.

Content-ID combines a real-time threat prevention engine with a comprehensive URL database and elements of application identification to limit unauthorized data and file transfers and to detect and block a wide range of exploits, malware and dangerous web surfing, as well as targeted and unknown threats. The application visibility and control delivered by App-ID, combined with the content inspection enabled by Content-ID, means that IT departments can regain control over application traffic and related content.

Enterprises of all sizes are at risk from a variety of increasingly sophisticated network-borne threats that have evolved to avoid many of the industry's traditional security measures. Palo Alto Networks Content-ID delivers a new approach based on the complete analysis of all allowed traffic using multiple threat prevention and data-loss prevention techniques in a single unified engine. Unlike traditional solutions, Palo Alto Networks actually controls the threat vectors themselves through the tight control of all types of applications. This immediately reduces the attack surface of the network, after which all allowed traffic is analyzed for exploits, malware, dangerous URLs, and dangerous or restricted files or content; the analysis even exposes unknown threats attempting to breach the network.

Single Pass, Parallel Processing Architecture Forms A High-Performance Foundation

First and foremost, network security infrastructure must perform. In order to implement a true next-generation firewall, Palo Alto Networks had to develop a new architecture that could perform computationally intensive functions (e.g., application identification) at wire speed. Palo Alto Networks next-generation firewalls use a single-pass parallel processing (SP3) architecture to protect datacenter environments at speeds of up to 20 Gbps. The two key elements that make up the SP3 architecture are the single-pass software architecture and the custom-built hardware platform. Palo Alto Networks SP3 architecture is a unique approach to hardware and software integration that simplifies management, streamlines processing and maximizes performance.

Content-ID is built on a single-pass architecture, which is a unique integration of software and hardware that simplifies management, streamlines processing and maximizes performance. The single-pass architecture (SP3) integrates multiple threat prevention disciplines (IPS, anti-malware, URL filtering, etc.) into a single stream-based engine with a uniform signature format. This allows traffic to be fully analyzed in a single pass without the incremental performance degradation seen in other multi-function gateways. The software is tied directly to a parallel processing hardware platform that uses function-specific processors for threat prevention to maximize throughput and minimize latency.

Modern Malware Detection and Prevention

Malware has evolved to become an extensible networked application that provides attackers with unprecedented access and control inside the targeted network. As the power of modern malware increases, it is critical that enterprises be able to detect these threats immediately, even before the threat has a defined signature. Palo Alto Networks next-generation firewalls provide organizations with a multifaceted approach based on the direct analysis of both executable files and network traffic to protect their networks even before signatures are available.

WildFire: Using a cloud-based approach, WildFire exposes previously unseen malicious executable files by directly observing their behaviour in a secure virtualized environment. WildFire looks for malicious actions within Microsoft Windows executable files such as changing registry values or operating system files, disabling security mechanisms, or injecting code into running processes. This direct analysis quickly and accurately identifies malware even when no protection mechanism is available. The results are immediately delivered to the administrator for an appropriate response, and a signature is automatically developed and delivered to all customers in the next available content update.

Behavioural Botnet Detection: App-ID classifies all traffic at the application level, thereby exposing any unknown traffic on the network, which is often an indication of malware or other threat activity. The behavioural botnet report analyzes network behaviour that is indicative of a botnet infection, such as repeatedly visiting malware sites, using dynamic DNS, IRC, and other potentially suspicious behaviours. The results are displayed in the form of a list of potentially infected hosts that can be investigated as possible members of a botnet.

Traffic Monitoring: Analysis, Reporting and Forensics

Security best practices dictate that administrators strike a balance between being proactive, continually learning and adapting to protect the corporate assets, and being reactive, investigating, analyzing, and reporting on security incidents. ACC and the policy editor can be used to proactively apply application enablement policies, while a rich set of monitoring and reporting tools provides organizations with the necessary means to analyze and report on the applications, users and content flowing through the Palo Alto Networks next-generation firewall.

App-Scope: Complementing the real-time view of applications and content provided by ACC, App-Scope provides a dynamic, user-customizable view of application, traffic, and threat activity over time.
Reporting: Predefined reports can be used as-is, customized, or grouped together as one report in order to suit specific requirements. All reports can be exported to CSV or PDF format and can be executed and emailed on a scheduled basis.
Logging: Real-time log filtering facilitates rapid forensic investigation into every session traversing the network. Log filter results can be exported to a CSV file or sent to a syslog server for offline archival or additional analysis.
Trace Session Tool: Accelerate forensics or incident investigation with a centralized correlated view across all of the logs for traffic, threats, URLs, and applications related to an individual session.

Extending The Network Perimeter

Both applications and network users themselves are becoming less and less bound to the physical infrastructure of the enterprise. Enterprises are doing everything they can to reduce the cost and management burden associated with their enterprise applications, leading firms to move applications to hosted models in either the public or private cloud, with software increasingly being delivered as a service. Such initiatives are mission-critical for the enterprise as they can directly save time, money and manpower.

Users have also migrated beyond the reach of the traditional enterprise network. Users simply expect to be able to take their work with them and to stay connected from anywhere. Unlike in the past, this behaviour is no longer limited to the traditional road warriors or home-office employees. Due to the widespread availability of new networking technologies such as WiFi and 3G/4G, end users have become very accustomed to having Internet connectivity literally everywhere they go. The rise of iOS-based devices such as the iPhone and iPad has made users even more mobile, and in some cases, more difficult to recognize and secure. In some cases, these technologies lead to counter-intuitive situations where users may accidentally roam outside of the corporate network even though they may still be physically inside a corporate building.

The Logical Perimeter: A Strategic Solution

As most security professionals know from experience, security is not simply a product or a feature that can be added on to a project at the end, but rather a process that must be designed in from the beginning. The logical perimeter provides the requisite framework for integrating a standardized and consistent approach to security into every network connection regardless of location. This means the rules and policies remain consistent and the organization's best intelligence and protections are universally applied.

To meet this goal, the logical perimeter must first standardize on the corporate security policy as the rule of law for all network connections regardless of where they occur. Security policies, like any rules or laws, must be applied consistently if they are expected to serve their purpose. If the rules only apply in certain circumstances, then they cease to be rules in any true sense and exceptions quickly become the norm. This is precisely the situation that security teams find themselves in today. Users have been mobile for many years, and enterprises have gradually become accustomed to settling for a reduced quality of security for these users. The logical perimeter establishes consistent security policy based on applications and users, and in the process clearly sets the bar for new projects and what security levels they will be expected to meet. While this step may seem obvious, it is nevertheless extremely important to have a strong directive in order to push back against a long-established trend of making security exceptions for remote users.

Secondly, network users outside the corporate network should receive the same protections that are provided when inside the physical network. For example, firewalling decisions should provide the same visibility and control of applications, users and content established by the next-generation firewall at the traditional perimeter. In fact, this requirement is particularly important for end users in the field, as client applications are very likely to be evasive and route around traditional port-based controls. Additionally, users may revert to less strict browsing behaviours when away from the office, exposing them to even more potential threats.

As with firewall controls, users should be protected by the full complement of IPS and threat prevention when they are outside the physical network. This means true network-based IPS, malware and botnet control, as well as file, URL and content filtering. Obviously, users are exposed to just as many risks and threats when outside the network, so it only makes sense that they should receive the enterprise's best protections.

Key Requirements of the Logical Perimeter:

Establishes a consistent set of policies based on applications and users that apply to all traffic
Provides the same protections outside as inside
Delivers enterprise performance and reliability

GlobalProtect + Next-Generation Firewall = The Logical Perimeter

GlobalProtect introduces a modern approach to enterprise security. Instead of trying to reinvent the entirety of enterprise security on the end user's laptop, GlobalProtect takes what already works today, the next-generation firewall, and delivers it transparently to all remote connections. Almost as importantly, GlobalProtect takes advantage of the next-generation firewalls that are already deployed and can typically be deployed with no additional hardware required.

The solution is comprised of three different components:

GlobalProtect Agent: The GlobalProtect agent is a small piece of software that resides on the end user's PC. This agent can be delivered to the user automatically via Active Directory, SMS or Microsoft System Configuration Manager, or can be downloaded directly from the GlobalProtect Portal. The agent provides secure connectivity between a remote user and the enterprise Palo Alto Networks firewall to ensure secure connectivity as well as next-generation visibility and control of traffic regardless of location. The agent supports Microsoft Windows XP, Vista, Windows 7, and Mac OS X, enabling IT to extend security and connectivity to a wide variety of today's most popular devices. When licensed, the agent can actively test and select for the best performing Palo Alto Networks GlobalProtect Gateway. And lastly, it compiles a Host Information Profile (HIP) of the client device including such factors as patch level, disk encryption, antivirus version and many more. Additionally, Palo Alto Networks leverages the IPSec VPN client built in to Apple iOS devices. This provides native connectivity and secure access, but does not support HIP profiles or intelligent gateway selection.

GlobalProtect Portal: The GlobalProtect Portal provides the centralized management for the solution. Any Palo Alto Networks firewall can act as the portal while also performing its everyday duties as a next-generation firewall. However, each GlobalProtect deployment will only have 1 portal at a time. The portal provides three key functions:
- It delivers the GlobalProtect Agent to users.
- It provides the GlobalProtect agents with a list of available GlobalProtect Gateways.
- It manages the authentication certificates for the solution.
The GlobalProtect Portal, like all Palo Alto Networks firewalls, can be run as a high-availability pair to ensure always-on reliability of the solution.

GlobalProtect Gateway: The GlobalProtect Gateways are responsible for the majority of the actual security enforcement in the solution. Similar to the portal, any Palo Alto Networks firewall can be a gateway for the GlobalProtect solution. However, unlike the portal, you can leverage as many gateways simultaneously as you need, ensuring multiple potential routes between an agent and gateway. The Gateway has three core functions:
- First and foremost, it performs the full breadth of next-generation firewalling functionality, including application control, threat prevention, URL filtering, user visibility, etc., on all traffic from associated GlobalProtect Agents.
- It also provides the end of the secure connection established by the Agent.
- Lastly, it receives the Host Information Profile (HIP) and enforces policies accordingly.

Enforce Network Controls Based on User, Role, and User Profile

One of the key concepts behind the next-generation firewall is the ability to enforce policies based on user or user group. Instead of relying on IP address, the Palo Alto Networks next-generation firewall integrates with the enterprise directory infrastructure to uniquely identify individual users and machines and enforce policy on them.
The User-ID technology integrates with a variety of directories including Active Directory, eDirectory, Open LDAP, Citrix Terminal Server, Microsoft Terminal Server and XenWorks. User-ID can also be configured to monitor logon events from clients accessing their Microsoft Exchange mailbox, enabling the solution to identify Mac OS X, Apple iOS, and Linux/UNIX client systems that don't directly authenticate to the domain.

GlobalProtect extends these controls to incorporate the configuration of the end user's device. If the user's end-point is not properly secured, security teams can automatically enforce network controls to compensate. For example, a user may have rights to access certain information on the enterprise network, but the GlobalProtect Gateway can prevent that user from downloading files if his laptop is not using disk encryption. Or alternatively, if the host antivirus is out of date, staff can automatically restrict access to social networking sites where malware tends to propagate. When added to the application, user and content controls available from the Palo Alto Networks next-generation firewall, security teams now have a level of control and flexibility that they have never had from traditional solutions.

Just as the next-generation firewall allows for more granular controls of firewall policy, GlobalProtect offers granular control of user rights based on their host configuration. Policies can be based on the following host characteristics:
- Operating System and Application Patch Level
- Host Anti-Malware Version
- Host Firewall Version
- Disk Encryption
- Data Backup Products
- Customized host conditions
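The two enforcement examples above (no file downloads without disk encryption, no social networking with out-of-date antivirus) can be modelled as an ordered, first-match rule list keyed on user group, traffic and host profile. This is an added illustration, not Palo Alto Networks code or PAN-OS configuration. All class, field and rule names, the 7-day antivirus threshold, and the choice to treat a missing profile (as from the built-in iOS IPSec client, which sends no HIP) as failing every host check are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional


@dataclass(frozen=True)
class HostProfile:
    """Host facts reported by the agent (field names are this example's own)."""
    os_patched: bool
    disk_encrypted: bool
    av_definitions: date      # date of the installed antivirus definitions
    host_firewall_on: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset         # directory groups of the identified user
    category: str             # e.g. "business", "social-networking"
    file_download: bool
    hip: Optional[HostProfile]  # None when the client sent no profile


# Host checks return True when the rule should apply to this host.
# A missing profile fails closed (assumption): it counts as unencrypted/stale.
def any_host(hip, today):
    return True


def disk_unencrypted(hip, today):
    return hip is None or not hip.disk_encrypted


def av_stale(hip, today, max_age_days=7):  # threshold is a constructed value
    return hip is None or (today - hip.av_definitions).days > max_age_days


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset         # empty set matches any user group
    category: Optional[str]   # None matches any traffic category
    downloads_only: bool      # True: rule applies to file downloads only
    hip_check: Callable
    action: str               # "allow" or "deny"

    def matches(self, req, today):
        if self.groups and not (self.groups & req.groups):
            return False
        if self.category is not None and self.category != req.category:
            return False
        if self.downloads_only and not req.file_download:
            return False
        return self.hip_check(req.hip, today)


# Ordered policy: host-posture restrictions sit above the allow rules, so a
# user's normal rights are narrowed when the device is not properly secured.
POLICY = [
    Rule("no-downloads-without-disk-encryption", frozenset(), None, True,
         disk_unencrypted, "deny"),
    Rule("no-social-with-stale-av", frozenset(), "social-networking", False,
         av_stale, "deny"),
    Rule("finance-business-apps", frozenset({"finance"}), "business", False,
         any_host, "allow"),
    Rule("social-networking", frozenset(), "social-networking", False,
         any_host, "allow"),
]


def evaluate(req, today, policy=POLICY):
    """Return (action, rule_name) for the first matching rule, else default deny."""
    for rule in policy:
        if rule.matches(req, today):
            return rule.action, rule.name
    return "deny", "default-deny"


if __name__ == "__main__":
    today = date(2024, 1, 15)  # constructed sample data
    laptop = HostProfile(True, False, date(2024, 1, 14), True)
    req = Request("bob", frozenset({"finance"}), "business", True, laptop)
    print(evaluate(req, today))
```

Because evaluation is first-match, moving either deny rule below the allow rules would silently disable the posture check, which is the ordering mistake worth reviewing for in any policy of this shape.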


More information

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats Executive Summary Palo Alto Networks strategic partnership with Splunk brings the power of our next generation

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

Replacing Microsoft Forefront Threat Management Gateway with F5 BIG-IP. Dennis de Leest Sr. Systems Engineer Netherlands

Replacing Microsoft Forefront Threat Management Gateway with F5 BIG-IP. Dennis de Leest Sr. Systems Engineer Netherlands Replacing Microsoft Forefront Threat Management Gateway with F5 BIG-IP Dennis de Leest Sr. Systems Engineer Netherlands Microsoft Forefront Threat Management Gateway (TMG) Microsoft Forefront Threat Management

More information

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity SSL-VPN Combined With Network Security Introducing A popular feature of the SonicWALL Aventail SSL VPN appliances is called End Point Control (EPC). This allows the administrator to define specific criteria

More information

Network protection and UTM Buyers Guide

Network protection and UTM Buyers Guide Network protection and UTM Buyers Guide Using a UTM solution for your network protection used to be a compromise while you gained in resource savings and ease of use, there was a payoff in terms of protection

More information

Protect your internal users on the Internet with Secure Web Gateway. Richard Bible EMEA Security Solution Architect

Protect your internal users on the Internet with Secure Web Gateway. Richard Bible EMEA Security Solution Architect Protect your internal users on the Internet with Secure Web Gateway Richard Bible EMEA Security Solution Architect Identity and Access Management (IAM) Solution Authentication, Authorization, and SSO to

More information

11 THINGS YOUR FIREWALL SHOULD DO. a publication of 2012 INVENIO IT A SMALL BUSINESS WHITEPAPER

11 THINGS YOUR FIREWALL SHOULD DO. a publication of 2012 INVENIO IT A SMALL BUSINESS WHITEPAPER 11 THINGS YOUR FIREWALL SHOULD DO a publication of 2012 INVENIO IT A SMALL BUSINESS WHITEPAPER 2 THE GUIDE OF BY DALE SHULMISTRA Dale Shulmistra is a Technology Strategist at Invenio IT, responsible for

More information

Microsoft Windows Intune: Cloud-based solution

Microsoft Windows Intune: Cloud-based solution Microsoft Windows Intune: Cloud-based solution So what exactly is Windows Intune? Windows Intune simplifies and helps businesses manage and secure PCs using Windows cloud services and Windows 7. Windows

More information

Firewalls Overview and Best Practices. White Paper

Firewalls Overview and Best Practices. White Paper Firewalls Overview and Best Practices White Paper Copyright Decipher Information Systems, 2005. All rights reserved. The information in this publication is furnished for information use only, does not

More information

WEBSENSE TRITON SOLUTIONS

WEBSENSE TRITON SOLUTIONS WEBSENSE TRITON SOLUTIONS INNOVATIVE SECURITY FOR WEB, EMAIL, DATA AND MOBILE TRITON STOPS MORE THREATS. WE CAN PROVE IT. PROTECTION AS ADVANCED AND DYNAMIC AS THE THREATS THEMSELVES The security threats

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

McAfee Network Security Platform

McAfee Network Security Platform McAfee Network Security Platform Next Generation Network Security Youssef AGHARMINE, Network Security, McAfee Network is THE Security Battleground Who is behind the data breaches? 81% some form of hacking

More information

How Palo Alto Networks Can Help With ASD's Top Cyber Intrusion Mitigation Strategies

How Palo Alto Networks Can Help With ASD's Top Cyber Intrusion Mitigation Strategies How Palo Alto Networks Can Help With ASD's Top Cyber Intrusion Mitigation Strategies Table of Contents Introduction 3 Executive Summary 3 A Systematic Approach to Network Application Whitelisting 4 Positive

More information