Palo Alto Networks Overview
campu[s]³
Christian Etzold, Sr. System Engineer
About Palo Alto Networks
Palo Alto Networks is the Network Security Company
World-class team with strong security and networking experience
- Founded in 2005, first customer July 2007, top-tier investors
Builds next-generation firewalls that identify / control 1,300+ applications
- Restores the firewall as the core of enterprise network security infrastructure
- Innovations: App-ID, User-ID, Content-ID
Global momentum: 4,500+ customers
- August 2011: Annual bookings run rate is over US$200 million*, cash-flow positive last five consecutive quarters
A few of the many enterprises that have deployed more than $1M
(*) Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks fiscal year runs from August 1st until July 31st.
The Internet World Anno 1995
Virtually no application traffic, no known threats
Simple assumptions worked; HTTP traffic = browsing
Firewalls were born to keep simple traffic from coming in or going out; in 15 years' time it became a $5B industry
2010 Palo Alto Networks. Proprietary and Confidential.
Security v1.0 Response: Rip Holes in Firewall
(diagram: Traditional Applications (DNS, Gopher, SMTP, HTTP) and Dynamic Applications (FTP, RPC, Java/RMI, Multimedia) crossing a packet filter to the Internet)
Background
- Appeared mid-1980s
- Typically embedded in routers
- Classify individual packets based on port numbers
Challenge
- Could not support dynamic applications
- Flawed solution was to open large groups of ports
- Opened the entire network to attack
Security v2.0: Stateful Inspection
(diagram: Traditional Applications (DNS, Gopher, SMTP, HTTP), Dynamic Applications (FTP, RPC, Java/RMI, Multimedia) and Evasive Applications (Encrypted, Web 2.0, P2P, Instant Messenger, Skype, Music, Games, Desktop Applications, Spyware, Crimeware) crossing a stateful firewall to the Internet)
Background
- Innovation created Check Point in 1994
- Used state table to fix packet filter shortcomings
- Classified traffic based on port numbers, but in the context of a flow
Challenge
- Cannot identify evasive applications
- Embedded throughout existing security products
The Internet World Anno 2010
Many applications; many more threats
Applications are evasive and are the #1 threat vector
Traditional firewalls are defenseless and offer no protection to enterprises
Applications Have Changed; Firewalls Have Not
The firewall is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
- Enables access via positive control
BUT applications have changed
(diagram: ports vs. applications, IP addresses vs. users, packets vs. content)
Need to restore visibility and control in the firewall
Applications Carry Risk
Applications can be threats
- P2P file sharing, tunneling applications, anonymizers, media/video
Applications carry threats
- Qualys Top 20 Vulnerabilities: the majority result in application-level threats
Applications & application-level threats result in major breaches
- RSA, Comodo, FBI
Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks' latest Application Usage & Risk Report highlights actual behavior of 1M+ users in 1253 organizations
- More enterprise 2.0 application use for personal and business reasons
- Tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies, & URL filtering, but none of these organizations could control what applications ran on their networks
The Traditional Approach to Network Security
(diagram: corporate assets behind a security perimeter facing the Internet/WAN; threats by year of appearance: Resource Access (1992), Eavesdropping (1994), Exploits (1996), Viruses (1997), Content Access (1998), Denial of Service (2000), Web App Attacks (2002), IM Attacks (2002), XML/W.S. Attacks (2004), Worms (2005), Info Leakage (2005), Spyware (2006); point products deployed against them: Anti-Virus, Anti-Spyware, IPS, IDS, IPSEC VPN, DoS Protection, DLP/ILP, Content Filtering, Worm Mitigation, WebApp Security, XML Security, IM Security)
Traditional Systems Have Limited Understanding
- Some port-based apps caught by firewalls (if they behave!!!)
- Some web-based apps caught by URL filtering or proxy
- Some evasive apps caught by an IPS
- None give a comprehensive view of what is going on in the network
Technology Sprawl & Creep Are Not The Answer
- More stuff doesn't solve the problem
- Firewall helpers have limited view of traffic
- Complex and costly to buy and maintain
- Putting all of this in the same box is just slow
The Right Answer: Make the Firewall Do Its Job
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
How Do You Change The Architecture?
(diagram: Conventional Wisdom vs. Disruptive Thinking; Sprawl vs. Simplification)
Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on
- Port-based FW + App Ctrl (IPS) = two policies
- Applications are threats; only block what you expressly look for
- Implications: network access decision is made with no information; cannot safely enable applications
(diagram: traffic enters the firewall, which makes a port policy decision; application control in the IPS then makes a separate app control policy decision)
NGFW Application Control
- Application control is in the firewall = single policy
- Visibility across all ports, for all traffic, all the time
- Implications: network access decision is made based on application identity; safely enable application usage
(diagram: traffic enters the firewall, which identifies the application and makes the app control policy decision; the application IPS then scans the application for threats)
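The two models above (the Security v2.0 state table and the single application-keyed policy) side by side, as an added example that is not Palo Alto Networks code; the application signatures, port rule and sample flows are constructed for illustration:

```python
# Added illustration (not Palo Alto Networks code): a stateful, port-based filter
# beside an application-aware one, both run over constructed sample traffic.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport payload")
ALLOWED_PORTS = {80, 443}   # port-based rule: "web out" means TCP 80 and 443
APP_POLICY = {"ssl": "allow", "web-browsing": "allow", "bittorrent": "deny"}

def identify_app(payload: bytes) -> str:
    """Classify a flow from its first payload bytes (simplified signatures)."""
    if payload.startswith(b"\x16\x03"):                  # TLS handshake record
        return "ssl"
    if payload.startswith(b"\x13BitTorrent protocol"):   # BitTorrent handshake
        return "bittorrent"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "web-browsing"
    return "unknown"

def stateful_port_filter(packets):
    """Security v2.0: decide on a flow's first packet by port, then trust the flow."""
    state, verdicts = {}, []
    for p in packets:
        k = (p.src, p.sport, p.dst, p.dport)
        if k not in state:                        # new flow: consult the port rule
            state[k] = "allow" if p.dport in ALLOWED_PORTS else "deny"
        verdicts.append(state[k])                 # known flow: the state table answers
    return verdicts

def app_aware_filter(packets):
    """NGFW: one policy keyed on application identity, whatever the port."""
    state, verdicts = {}, []
    for p in packets:
        k = (p.src, p.sport, p.dst, p.dport)
        if k not in state:                        # classify once per flow; unknown = deny
            state[k] = APP_POLICY.get(identify_app(p.payload), "deny")
        verdicts.append(state[k])
    return verdicts

# Constructed traffic: genuine HTTPS on 443, then BitTorrent port-hopping onto 443.
SAMPLE = [
    Packet("10.0.0.5", 51000, "198.51.100.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00"),
    Packet("10.0.0.5", 51001, "198.51.100.20", 443, b"\x13BitTorrent protocol\x00"),
    Packet("10.0.0.5", 51001, "198.51.100.20", 443, b"piece data"),  # same flow
]
```

The port-based table admits the second flow because 443 is open; the application-keyed policy denies it on the first packet and the state table carries that verdict to the rest of the flow.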
Palo Alto Networks Firewall Policy
What You See with Port-Based FW + Application Control Add-on
What You See with a True Next-Generation Firewall
Your Control With Port-based Firewall Add-on
Your Control With a Next-Generation Firewall
Only allow the apps you need
Safely enable the applications relevant to your business
» The ever-expanding universe of applications, services and threats
» Traffic limited to approved business use cases based on App and User
» Attack surface reduced by orders of magnitude
» Complete threat library with no blind spots
Bi-directional inspection
- Scans inside of SSL
- Scans inside compressed files
- Scans inside proxies and tunnels
Identification Technologies Transform the Firewall
- App-ID: Identify the application
- User-ID: Identify the user
- Content-ID: Scan the content
Comprehensive View of Applications, Users & Content
Application Command Center (ACC)
- View applications, URLs, threats, data filtering activity
- Add/remove filters to achieve desired result
(screenshots: filter on Facebook-base; filter on Facebook-base and user cook; remove Facebook to expand view of cook)
PAN-OS Core Firewall Features
Visibility and control of applications, users and content complement core firewall features
Strong networking foundation
- Dynamic routing (BGP, OSPF, RIPv2)
- Tap mode: connect to SPAN port
- Virtual wire ("Layer 1") for true transparent in-line deployment
- L2/L3 switching foundation
- Policy-based forwarding
VPN
- Site-to-site IPSec VPN
- SSL VPN
QoS traffic shaping
- Max/guaranteed and priority
- By user, app, interface, zone, & more
- Real-time bandwidth monitor
Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
High Availability
- Active/active, active/passive
- Configuration and session synchronization
- Path, link, and HA monitoring
Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, and PA-2000 Series)
Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
(product images: PA-5060, PA-5050, PA-5020, PA-4060, PA-4050, PA-4020, PA-2050, PA-2020, PA-500)
Palo Alto Networks Next-Gen Firewalls
Model: firewall throughput / threat prevention throughput / sessions; interfaces
- PA-5060: 20 Gbps FW / 10 Gbps threat prevention / 4,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
- PA-5050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
- PA-5020: 5 Gbps FW / 2 Gbps threat prevention / 1,000,000 sessions; 8 SFP, 12 copper gigabit
- PA-4060: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 4 XFP (10 Gig), 4 SFP (1 Gig)
- PA-4050: 10 Gbps FW / 5 Gbps threat prevention / 2,000,000 sessions; 8 SFP, 16 copper gigabit
- PA-4020: 2 Gbps FW / 2 Gbps threat prevention / 500,000 sessions; 8 SFP, 16 copper gigabit
- PA-2050: 1 Gbps FW / 500 Mbps threat prevention / 250,000 sessions; 4 SFP, 16 copper gigabit
- PA-2020: 500 Mbps FW / 200 Mbps threat prevention / 125,000 sessions; 2 SFP, 12 copper gigabit
- PA-500: 250 Mbps FW / 100 Mbps threat prevention / 50,000 sessions; 8 copper gigabit
2011 Palo Alto Networks. Proprietary and Confidential
PA-5000 Series Architecture
(block diagram; the recoverable labels follow)
Control Plane
- Highly available management: quad-core CPU, RAM, dual hard drives
- High speed logging and route update
- Separate high speed data and control planes
Switch Fabric
- 80 Gbps switch fabric interconnect
- 20 Gbps QoS engine
Signature Match HW Engine
- Stream-based uniform signature match
- Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and more
Security Processors
- 40+ processors, 30+ GB of RAM
- High density parallel processing for flexible security functionality
- Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Network Processor
- 20 Gbps front-end network processing
- Hardware accelerated per-packet route lookup, MAC lookup and NAT
- Flow control
Data Plane totals: 20 Gbps firewall throughput, 10 Gbps threat prevention throughput, 4 million concurrent sessions
Transforming The Perimeter and Datacenter
(diagram: Perimeter | Datacenter)
Same Next-Generation Firewall, Different Benefits
Flexible Deployment Options
Visibility
- Application, user and content visibility without inline deployment
Transparent In-Line
- IPS with app visibility & control
- Consolidation of IPS & URL filtering
Firewall Replacement
- Firewall replacement with app visibility & control
- Firewall + IPS
- Firewall + IPS + URL filtering
Redefine Network Security and Save Money!
Capital cost: replace multiple devices
- Legacy firewall, IPS, URL filtering device (e.g. proxy, secure web gateway)
- Cut by as much as 80%
Hard operational expenses
- Support contracts
- Subscriptions
- Power and HVAC
- Cut by as much as 65%
Save on soft costs too
- Rack space, deployment/integration, headcount, training, help desk calls
GlobalProtect Securing Users and Data in an Always Connected World
Introducing GlobalProtect
Users never go off-network regardless of location
All firewalls work together to provide a cloud of network security
How it works:
- Small agent determines network location (on or off the enterprise network)
- If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
- Agent submits host information profile (patch level, asset type, disk encryption, and more) to the gateway
- Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
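The last two steps, the host information profile feeding the gateway's policy decision together with user and application, as an added example that is not GlobalProtect's own code; the rule set, user groups, application names and HIP attribute values are constructed:

```python
# Added illustration (not GlobalProtect code): a gateway decision that combines
# the user group, the identified application and the agent's host information profile.
from collections import namedtuple

HostProfile = namedtuple("HostProfile", "patch_level asset_type disk_encrypted")
Request = namedtuple("Request", "user_group app hip")
ANY = "any"

# Constructed policy, evaluated top-down, first match wins. The "hip" entry lists
# attributes the reporting host must satisfy; an empty dict means no HIP requirement.
RULES = [
    {"name": "finance-erp", "group": "finance", "app": "sap",
     "hip": {"asset_type": "corporate", "disk_encrypted": True, "patch_level": "current"},
     "action": "allow"},
    {"name": "web-any-host", "group": ANY, "app": "web-browsing", "hip": {}, "action": "allow"},
    {"name": "default-deny", "group": ANY, "app": ANY, "hip": {}, "action": "deny"},
]

def hip_gaps(hip, required):
    """Names of the required HIP attributes the host fails; empty means the check passes."""
    return [k for k, v in required.items() if getattr(hip, k) != v]

def evaluate(req):
    """Return (action, matched rule, skipped rules). A rule whose user and app match
    but whose HIP requirement fails is skipped, not converted into a deny, so the
    request falls through to the next rule; the skipped rules and the attributes
    they failed on are returned so the gateway can log why a host lost access."""
    skipped = []
    for rule in RULES:
        if rule["group"] not in (ANY, req.user_group) or rule["app"] not in (ANY, req.app):
            continue
        gaps = hip_gaps(req.hip, rule["hip"])
        if gaps:
            skipped.append((rule["name"], gaps))
            continue
        return rule["action"], rule["name"], skipped
    return "deny", "implicit-deny", skipped

# Constructed hosts: a patched, encrypted corporate laptop and an unmanaged personal one.
CORP = HostProfile("current", "corporate", True)
BYOD = HostProfile("stale", "byod", False)
```

Running the same finance user against both hosts shows the point of the HIP: identical user and application, different verdict, with the failed attributes available for the log entry.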
A Modern Architecture for Enterprise Network Security
(diagram labels: malware, botnets, exploits)
- Establishes a logical perimeter that is not bound to physical limitations
- Users receive the same depth and quality of protection both inside and out
- Security work performed by purpose-built firewalls, not end-user laptops
- Unified visibility, compliance and reporting
Palo Alto Networks Wrap-up campu[s]³
Enables Visibility Into Applications, Users, and Content
2010 Magic Quadrant for Enterprise Network Firewalls
(Gartner quadrant chart, as of March 2010; axes: ability to execute vs. completeness of vision; quadrant labels visible: niche players, visionaries; vendors plotted: Cisco, Juniper Networks, McAfee, Stonesoft, WatchGuard, Fortinet, Check Point Software Technologies, Palo Alto Networks, SonicWALL, NETASQ, 3Com/H3C, phion, Astaro)
Source: Gartner
Next-Generation Firewalls Are Network Security
Continual Customer Driven Innovation
App-ID: Traffic classification by application; all ports, all the time
- SSL decryption/inspection, control unknowns, PCAPs, App override, function enablement, custom App-IDs, QoS, PBF, SSH control
User-ID: User identity becomes pervasive; visibility, policy, logging and reporting
- Active Directory, terminal services, LDAP, eDirectory, XML API
Content-ID: Single engine stream-based scanning of allowed content
- Exploits, viruses, confidential data, botnets, modern malware
Enterprise-Class Platform: Scalable, deployable, predictable
- Dual-plane architecture; single pass software, function specific processing, tap mode, Vwire, L2/L3/mixed mode, IPv6
(chart: customer count, 2007 to 2011; values shown: 19, 164, 776, 2,500, 4,500)
Addresses Three Key Business Problems
Identify and Control Applications
- Visibility of 1300+ applications, regardless of port, protocol, encryption, or evasive tactic
- Fine-grained control over applications (allow, deny, limit, scan, shape)
- Addresses the key deficiencies of legacy firewall infrastructure
Prevent Threats
- Stop a variety of threats: exploits (by vulnerability), viruses, spyware
- Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
- Stream-based engine ensures high performance
- Enforce acceptable use policies on users for general web site browsing
Simplify Security Infrastructure
- Put the firewall at the center of the network security infrastructure
- Reduce complexity in architecture and operations