PALO ALTO SAFE APPLICATION ENABLEMENT

Palo Alto Networks Product Overview
James Sherlow, SE Manager WEUR & Africa
jsherlow@paloaltonetworks.com, @jsherlow

Palo Alto Networks at a Glance
Corporate Highlights
- Disruptive Network Security Platform
- Safely Enabling Applications
- Able to Address All Network Security Needs
- Exceptional Growth and Global Presence
- Experienced Technology and Management Team
- 800+ Employees
[Chart: Revenue, $MM, FYE July, FY09 to FY12; surviving data label: $119]
[Chart: Enterprise Customers, Jul-10 to Jul-12; surviving data labels: 1,800, 4,700, 9,000]
2012, Palo Alto Networks.

Applications Get Through the Firewall
- Network security policy is enforced at the firewall
  - Sees all traffic
  - Defines boundary
  - Enables access
- Traditional firewalls don't work any more
2012, Palo Alto Networks. Confidential and Proprietary.

Applications Get Through the Firewall: Threats
- Threats target applications
  - Used as a threat vector
  - Application specific exploits

Applications Get Through the Firewall: Threats
- Applications provide exfiltration
  - Threat communication
  - Confidential data

Applications Get Through the Firewall: Threats
- What happens when traffic is encrypted?
  - SSL
  - Proprietary encryption

Applications Get Through the Firewall: Threats
Technology Sprawl and Creep Aren't the Answer
- More stuff doesn't solve the problem
- Firewall helpers have limited view of traffic
- Complex and costly to buy and maintain
- Doesn't address application control challenges
[Diagram labels: Internet, UTM, IPS, DLP, IM, AV, URL, Proxy, Enterprise Network]

The Answer? Make the Firewall Do Its Job
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment

Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on
- Port-based FW + App Ctrl (IPS) = two policies
- Applications are threats; only block what you expressly look for
- Implications
  - Network access decision is made with no information
  - Cannot safely enable applications
[Diagram labels: Traffic, Firewall, Port, IPS, Applications, Port Policy Decision, App Ctrl Policy Decision]
NGFW Application Control
- Application control is in the firewall = single policy
- Visibility across all ports, for all traffic, all the time
- Implications
  - Network access decision is made based on application identity
  - Safely enable application usage
[Diagram labels: Traffic, Firewall, Applications, App Ctrl Policy Decision, Application, IPS, Scan Application for Threats]

Enabling Applications, Users and Content

Enabling Applications, Users and Content
- Applications: Safe enablement begins with application classification by App-ID.
- Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
- Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.

Single-Pass Parallel Processing (SP3) Architecture
Up to 20Gbps, Low Latency
Single Pass
- Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning: threats, URLs, confidential data
- One policy
Parallel Processing
- Function-specific parallel processing hardware engines
- Separate data/control planes

PAN-OS Core Firewall Features
Visibility and control of applications, users and content complement core firewall features
- Strong networking foundation
  - Dynamic routing (BGP, OSPF, RIPv2)
  - Tap mode: connect to SPAN port
  - Virtual wire ("Layer 1") for true transparent in-line deployment
  - L2/L3 switching foundation
  - Policy-based forwarding
- VPN
  - Site-to-site IPSec VPN
  - SSL VPN
- QoS traffic shaping
  - Max/guaranteed and priority
  - By user, app, interface, zone, & more
  - Real-time bandwidth monitor
- Zone-based architecture
  - All interfaces assigned to security zones for policy enforcement
- High Availability
  - Active/active, active/passive
  - Configuration and session synchronization
  - Path, link, and HA monitoring
- Virtual Systems
  - Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, and PA-2000 Series)
- Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog

Palo Alto Networks NGFW Hardware Platforms

| Firewall | Firewall Throughput | Threat Prevention Throughput | Ports | Session Capacity |
|---|---|---|---|---|
| PA-5060 | 20 Gbps | 10 Gbps | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 4,000,000 |
| PA-5050 | 10 Gbps | 5 Gbps | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 2,000,000 |
| PA-5020 | 5 Gbps | 2 Gbps | 8 SFP, 12 copper gigabit | 1,000,000 |
| PA-4060 | 10 Gbps | 5 Gbps | 4 XFP (10 Gig), 4 SFP (1 Gig) | 2,000,000 |
| PA-4050 | 10 Gbps | 5 Gbps | 8 SFP, 16 copper gigabit | 2,000,000 |
| PA-4020 | 2 Gbps | 2 Gbps | 8 SFP, 16 copper gigabit | 500,000 |
| PA-3050 | 4 Gbps | 2 Gbps | 8 SFP, 12 copper gigabit | 500,000 |
| PA-3020 | 2 Gbps | 1 Gbps | 8 SFP, 12 copper gigabit | 250,000 |
| PA-2050 | 1 Gbps | 500 Mbps | 4 SFP, 16 copper gigabit | 250,000 |
| PA-2020 | 500 Mbps | 250 Mbps | 8 copper gigabit | 125,000 |
| PA-500 | 250 Mbps | 100 Mbps | 8 copper gigabit | 64,000 |
| PA-200 | 100 Mbps | 50 Mbps | 4 copper gigabit | 64,000 |

Palo Alto Networks NGFW Virtualized Platforms
Delivers the same next-generation firewall features available in our hardware platforms in a virtualized form-factor

Capacities

| Model | Sessions | Rules | Security Zones | Address Objects | IPSec VPN Tunnels | SSL VPN Tunnels |
|---|---|---|---|---|---|---|
| VM-100 | 50,000 | 250 | 10 | 2,500 | 25 | 25 |
| VM-200 | 100,000 | 2,000 | 20 | 4,000 | 500 | 200 |
| VM-300 | 250,000 | 5,000 | 40 | 10,000 | 2,000 | 500 |

Performance

| Cores Allocated | Firewall (App-ID) | Threat Prevention | VPN | Sessions per Second |
|---|---|---|---|---|
| 2 Core | 500 Mbps | 200 Mbps | 100 Mbps | 8,000 |
| 4 Core | 1 Gbps | 600 Mbps | 250 Mbps | 8,000 |
| 8 Core | 1 Gbps | 1 Gbps | 400 Mbps | 8,000 |

- Supported on VMware ESX/ESXi 4.0 or later
- Minimum of 2 dedicated CPU cores, 4GB dedicated RAM, 40GB HD, 2 interfaces
- Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames

NGFW in The Enterprise Network
Perimeter
- App visibility and control in the firewall
  - All apps, all ports, all the time
- Prevent threats
  - Known threats
  - Unknown/targeted malware
- Simplify security infrastructure
Data Center
- Network segmentation
  - Based on application and user, not port/IP
- Simple, flexible network security
  - Integration into all DC designs
  - Highly available, high performance
- Prevent threats
Distributed Enterprise
- Consistent network security everywhere
  - HQ/branch offices/remote and mobile users
- Logical perimeter
  - Policy follows applications and users, not physical location
- Centrally managed

Addresses Three Key Business Problems
Identify and Control Applications
- Identifies over 1,500 applications, regardless of port, protocol, encryption, or evasive tactic
- Fine-grained control over applications (allow, deny, limit, scan, shape)
- Addresses the key deficiencies of legacy firewall infrastructure
Prevent Threats
- Stop a variety of known threats: exploits (by vulnerability), viruses, spyware
- Detect and stop unknown threats with WildFire
- Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
- Enforce acceptable use policies on users for general web site browsing
Simplify Security Infrastructure
- Put the firewall at the center of the network security infrastructure
- Reduce complexity in architecture and operations

Many Third Parties Reach Same Conclusion
- Gartner Enterprise Network Firewall Magic Quadrant
  - Palo Alto Networks leading the market
- Forrester IPS Market Overview
  - Strong IPS solution; demonstrates effective consolidation
- NetworkWorld Test
  - Most stringent NGFW test to date; validated sustained performance and key differences
- NSS Tests
  - IPS: Palo Alto Networks NGFW tested against competitors' standalone IPS devices; NSS Recommended
  - Firewall: traditional port-based firewall test; Palo Alto Networks most efficient by a wide margin; NSS Recommended
  - NGFW: Palo Alto Networks best combination of protection, performance, and value; NSS Recommended (1 of only 3)