Securing the Virtualized Data Center with Next-Generation Firewalls

November 2012

Palo Alto Networks: Securing the Virtualized Data Center with Next-Generation Firewalls

Table of Contents

Executive Summary
Evolution Towards Virtualization and Cloud Computing
  Why Server Virtualization?
  Why Cloud Computing?
Security Considerations in Securing the Journey to the Cloud
Existing Security Solutions in the Data Center Do Not Deliver
Palo Alto Networks Architecture for Virtualized Data Centers
  Safe Application Enablement for Applications
  Threat Protection with Superior High-Performance Architecture
  Flexible Network Integration
  Virtualization Security and Cloud-Ready Features
  Centralized Management
  Choice of Form Factor
Secure Data Center Deployments
Summary

Executive Summary

Virtualization is helping organizations utilize their data center hardware infrastructure more effectively, leading to a reduction in costs and improvements in operational efficiencies. Gartner [1] estimates that almost 50% of all x86 server workloads are virtualized today, with this number expected to grow to 77% in 2015. Many organizations are also evolving their virtualization infrastructure to build their own automated, self-service, private cloud environments.

As organizations evolve from traditional data centers to virtualized and cloud computing environments, security architectures must support the changing set of requirements. This includes not only addressing fundamental table-stakes functionality such as safe application enablement, threat protection and flexible networking integration, but also new challenges brought on by the virtualized infrastructure and the dynamic, automated nature of the virtualized environment. These include having visibility into virtual machine traffic that may not leave the virtual infrastructure, the ability to tie security policies to virtual machine instantiation and movement, and orchestration of security policies in lock step with application workflows. This white paper describes the challenges of virtualized data center and cloud computing environments, and how to address them with next-generation firewalls.

Evolution Towards Virtualization and Cloud Computing

Today's IT organizations are increasingly tasked with doing more with less. In these challenging economic conditions, IT organizations are faced not only with shrinking budgets but are being asked to improve operational efficiencies and drive responsiveness for business processes. For many IT organizations, the adoption of technologies like virtualization and cloud computing provides many benefits, from operational efficiencies to speed in application delivery.

Virtualization technology partitions a single physical server into virtual machines running multiple operating systems and applications. The hypervisor, a software layer that sits between the hardware and the virtual operating system and applications, is what allocates memory and processing resources to the virtual machines. Two types of virtualization are available: hypervisor virtualization and hosted virtualization. In hypervisor architectures, also known as bare-metal or native virtualization, the hypervisor is the first layer of software running on the underlying hardware, without a host operating system. In hosted virtualization, the hypervisor runs on top of the host operating system. This configuration supports the broadest range of hardware and operating systems, including Windows, Linux or MacOS.

Figure 1: Virtualization Architectures (panels: Physical Server; Virtualized Server (Hosted), with guests on a hypervisor running on a host OS; Virtualized Server (Hypervisor), with guests on a hypervisor running directly on x86 hardware)

Figure 1 shows both architectures. Server virtualization typically utilizes hypervisor architectures, while desktop virtualization uses hosted virtualization architectures. In this white paper, we will focus primarily on server virtualization and hypervisor architectures.

Why Server Virtualization?

Most data center virtualization initiatives begin with the consolidation of data centers running applications on dedicated, purpose-built servers into an optimized number of data centers with applications on standardized virtualized servers. Server virtualization improves operational efficiencies and lowers capital expenditure for organizations:

- Optimizes existing hardware resources: Instead of a one-server, one-application model, multiple virtual applications can be run on a single physical server. This means that organizations can leverage their existing hardware infrastructure by running more applications within the same system.
- Reduces data center costs: Reducing the server hardware box count not only reduces the physical infrastructure real estate but also reduces data center related costs such as power, cooling and rack space.
- Gains operational flexibility: Through the dynamic nature of virtual machine provisioning, applications can be delivered more quickly than through the process of purchase, rack/stack, cabling and configuration. This helps improve the agility of the IT organization.
- Maximizes efficiency of data center resources: Because applications can experience asynchronous, or bursty, demand loads, virtualization provides a more efficient way to address resource contention issues and maximize server utilization. It also provides a better way to deal with server maintenance and backup challenges. For example, IT staff can migrate virtual machines to other virtualized servers while performing hardware or software upgrades.

Why Cloud Computing?

Virtualization is often the first step in an organization's strategy to move towards automated, on-demand services. Cloud, contrary to common misconceptions, is not a location but rather a pool of resources that can be rapidly provisioned. The U.S. National Institute of Standards and Technology (NIST) defines cloud computing in Special Publication (SP) 800-145 as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (such as networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The business value of cloud computing is the ability to pool resources together to achieve economies of scale. This is true for private or public clouds. Instead of multiple organizations, or groups within an organization, independently building a data center infrastructure, pools of resources are aggregated and consolidated, and designed to be elastic enough to scale with organizational demand. This brings not only cost and operational benefits but technology benefits. Data and applications are easily accessed by users no matter where they reside, projects can scale easily, and consumption can be tracked effectively. Virtualization is a critical part of this architecture, enabling applications to be delivered efficiently and in a more dynamic manner. However, another critical aspect of cloud computing is software orchestration that enables disparate processes to be stitched together in a seamless manner, so that they can be automated, easily replicated and offered on an as-needed basis. The IT organizational model also needs to evolve towards a services-centric, multi-tenant model, where consumption needs to be measured and segmentation between multiple tenants needs to be provisioned.

Security Considerations in Securing the Journey to the Cloud

With virtualization and cloud technologies, the data center environment has evolved from rigid, fixed environments where applications run on dedicated servers towards dynamic, automated, orchestrated environments where pools of computing resources are available to support any application, accessed anywhere, anytime, from any device.

Figure 2: Evolution of data center architectures (Traditional Data Center: dedicated application servers, server utilization = 15%, north-south traffic; Virtualized Data Center: multiple apps per server, higher operational efficiencies, improved server utilization; Cloud (Private/Public): IT as a service, on-demand services, automation and orchestration, dynamic, automated, services-oriented)

Security is the biggest hurdle to embracing this new dynamic, automated, services-oriented architecture. The process to configure network security appliances today is excruciatingly painful and slow. Policy changes need to be approved, the appropriate firewalls need to be identified, and the relevant ports and protocols determined. While the creation of a virtual workload may take minutes, the security configuration for this workload may take weeks.

Security also cannot keep up with the dynamic nature of virtualization and cloud. Virtual machines can be highly dynamic, with frequent add, move and change operations. This complicates the ability to track security policies to virtual machine creation and movement so that requirements and regulatory compliance continue to be met.

Virtualized computing environments also enable direct communication between virtual machines within a server. Intra-host communications may not be visible to network-based security appliances residing outside a virtual server. Routing intra-host virtual machine traffic to external security appliances for inspection may not be ideal because of performance and latency requirements.

At the same time, the existing trends that have impacted the security landscape in the virtualized data center (the changing application landscape, the distributed enterprise, and modern threats) do not go away. The changing application landscape means that the identification, control and safe enablement of applications can no longer be accomplished via ports and protocols. The distributed enterprise of mobile users and the extended enterprise, and the evolution of threats towards sophisticated, multi-vector, targeted attacks, require user-based policies and a complete threat framework. In summary, next-generation firewalling capabilities to safely enable applications, protect against all known and unknown threats without performance impact, and integrate flexibly into the data center continue to be critical, fundamental security requirements. Therefore, security for the virtualized data center must exhibit the following characteristics:

1) Deliver all the features that are table stakes: These include safe application enablement, threat protection without impacting the performance of the data center, and flexible integration into the data center design. These features must be available within a virtualized firewall to secure intra-host communications, or East-West traffic.

2) Become more dynamic: Security policies must be applied as soon as a virtual machine is created. Security policies must follow virtual machine movement. Security workflows must be automated and orchestrated so that they do not slow down virtual workload provisioning.

3) Provide centralized, consistent management: Centralized management is critical, and must be consistent for all environments: physical, hybrid or mixed. The management configuration must provide one unified policy rule base for ease of configuration and complete visibility into the policies being enabled in the data center. In fact, Gartner [2] advocates that organizations favor security vendors that span physical and virtual environments with a consistent policy management and enforcement framework.

Existing Security Solutions in the Data Center Do Not Deliver

Existing security solutions in the data center make their access control decisions based on ports and protocol. Many security solutions also bolt on application control and threat prevention features to their stateful inspection firewalls. There are several problems with this approach. The lack of visibility into all traffic means that evasive applications, applications that use non-standard ports, and threats that leverage the same behavior as applications may be missed. Security policies also become convoluted as you build and manage a firewall policy with source, destination, user, port and action, an application control policy with similar rules, and other threat prevention rules on top. Policy gaps appear and grow because of the difficulty in managing and monitoring multiple appliances. A multiple policy rule base approach not only increases administrative overhead, but may increase business and security risks with policy gaps that may be hard to see. This multi-platform or multi-module approach also degrades data center performance as more and more features are enabled. Finally, existing security solutions in the data center do not address the dynamic nature of the virtualized environment, and cannot track policies to virtual machine creation or movement. Many virtualized security offerings are virtualized versions of port- and protocol-based security appliances, delivering the same inadequacies as their physical counterparts.
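The gap between port-based and application-based decisions described above is easy to see on concrete traffic. The following Python is an added illustration, not code from the paper or from any Palo Alto Networks product: it runs the same policy intent ("everyone may use web applications against the web tier, only admins may SSH to it") through two classifiers, one that names the application from the destination port and one that looks at the first client bytes, and reports where the two disagree. The zone names, rule names, payload signatures and the five sample flows are all constructed for the example, and the content signatures are deliberately minimal stand-ins for a real application decoder.

```python
"""Port-based versus content-based policy decisions over constructed flows."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str   # security zone of the client (constructed names)
    dst_zone: str
    dst_port: int
    payload: bytes  # first client-to-server bytes, constructed samples


USERS, ADMIN, WEB = "users", "admin", "web-tier"

# Policy intent, as a first-match rule list: (name, source zones, destination zone, apps, action)
RULES = [
    ("allow-web",       {USERS, ADMIN}, WEB, {"web-browsing", "ssl"}, "allow"),
    ("allow-admin-ssh", {ADMIN},        WEB, {"ssh"},                 "allow"),
]

PORT_TABLE = {80: "web-browsing", 443: "ssl", 22: "ssh"}


def app_by_port(flow: Flow) -> str:
    """Legacy classification: the destination port alone names the application."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def app_by_content(flow: Flow) -> str:
    """Content classification: simplified signatures over what the client actually sends."""
    p = flow.payload
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    if p[:1] == b"\x16" and p[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "ssl"  # TLS handshake record header
    request_line = p.split(b"\r\n", 1)[0]
    if any(request_line.startswith(v) for v in (b"GET ", b"POST ", b"HEAD ", b"PUT ")) \
            and request_line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "web-browsing"
    return "unknown"


def decide(flow: Flow, classify) -> tuple:
    """Evaluate RULES top-down using the given classifier; anything unmatched is denied."""
    app = classify(flow)
    for name, src_zones, dst_zone, apps, action in RULES:
        if flow.src_zone in src_zones and flow.dst_zone == dst_zone and app in apps:
            return name, app, action
    return "default-deny", app, "deny"


# Constructed sample flows.
FLOWS = {
    "http-on-80":   Flow(USERS, WEB, 80,   b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n"),
    "tls-on-443":   Flow(USERS, WEB, 443,  b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    "ssh-on-443":   Flow(USERS, WEB, 443,  b"SSH-2.0-OpenSSH_8.9\r\n"),   # non-admin SSH on the TLS port
    "http-on-8080": Flow(USERS, WEB, 8080, b"GET /api/items HTTP/1.1\r\nHost: shop\r\n\r\n"),
    "blob-on-80":   Flow(USERS, WEB, 80,   b"\x00\x00\x00\x1a\x7fELF"),    # not HTTP at all
}


def compare(flows=FLOWS) -> dict:
    """Decision of each classifier for every flow."""
    return {name: {"port": decide(f, app_by_port), "content": decide(f, app_by_content)}
            for name, f in flows.items()}


def gaps(flows=FLOWS) -> list:
    """Flows where a port-based firewall and a content-aware one reach different verdicts."""
    return sorted(n for n, r in compare(flows).items() if r["port"][2] != r["content"][2])


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:13s} port={result['port']}  content={result['content']}")
    print("policy gaps:", gaps())
```

Three of the five flows come out differently: SSH tunnelled over 443 and an unidentified binary stream on port 80 are both waved through by the port table but denied once the content is classified, while legitimate HTTP on 8080 is blocked by the port table and allowed by content. The first two are the "may be missed" cases the paper describes; the third is the operational cost that pushes administrators toward ever-broader port rules.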

Palo Alto Networks Architecture for Virtualized Data Centers

Palo Alto Networks delivers a comprehensive approach to security for virtualized data centers. The architecture addresses fundamental security challenges for the virtualized data center and supports the dynamic nature of virtualization and cloud.

Figure 3: Palo Alto Networks Comprehensive Approach to Securing the Virtualized Data Center (physical form factor and VM-Series virtual form factor; Safe Application Enablement: App-ID, User-ID, Content-ID, GlobalProtect, and WildFire; Threat protection without performance implications: separate management and data plane, single-pass software architecture, multi-core hardware; Flexible Integration: comprehensive networking foundation (routing, VLAN trunking, link aggregation), integration at layer 1, 2, 3, multi-tenancy via virtual systems or virtual instances; Cloud-readiness: dynamic objects tie movement and creation to policy, cloud orchestration via REST API; Centralized management, one integrated policy: Panorama with centralized provisioning and logging)

Safe Application Enablement for Applications

Palo Alto Networks next-generation firewalls allow organizations to safely enable applications. This is achieved via next-generation firewall technologies (App-ID, User-ID, Content-ID, GlobalProtect, and WildFire) that can identify all applications, enable them by user, application and content, and inspect all content for threats. The next-generation firewall identifies all applications in the data center with App-ID regardless of port, protocol, evasive tactic or encryption. Visibility into all traffic in the data center reduces the scope of attacks by controlling non-compliant use of applications, blocking rogue applications and distinguishing any unknown traffic. Differentiated access to data center applications by user/group, leveraging User-ID and GlobalProtect, supports secure anytime, anywhere access by employees, extended business partners and mobile users. Finally, Content-ID and WildFire deliver a complete threat framework addressing known and unknown threats, from malware, exploits and spyware to targeted attacks. WildFire provides the ability to identify malicious behaviors in executable files by running them in a cloud sandbox and observing their behaviors. This enables Palo Alto Networks next-generation firewalls to identify malware quickly and accurately, even if the particular sample of malware has never been seen in the wild before. For Internet-facing data centers, denial-of-service features can control various types of traffic floods. Safe application enablement features applied to security zones in the data center deliver meaningful segmentation, limit access, and deliver individual accountability to meet compliance mandates.

Threat Protection with Superior High-Performance Architecture

If an application hosted in a data center isn't available or responsive to users, an organization is often missing revenue opportunities, so network security controls, which all too often introduce delays and outages, are typically streamlined. Network security performance therefore must go hand-in-hand with threat protection to ensure that as threat protection services are enabled, the performance of the data center is not affected. The Palo Alto Networks single-pass software architecture offers superior performance compared to traditional approaches, including those found in a UTM or software blade approach. This is because of the unique architecture that processes functions in a single pass to reduce latency, allowing you to simplify your network security infrastructure and to eliminate the need for a variety of stand-alone and bolt-on security devices. Physical appliances combine the single-pass software architecture with a parallel processing hardware architecture, with dedicated, specialized processing for networking, security, and content scanning, so that the full suite of next-generation features can be enabled with high throughput and reliability.

Flexible Network Integration

Palo Alto Networks next-generation firewalls support more deployment options than any other device in the network security market. The next-generation firewalls provide deployments at L1, L2, L3, and tap modes (or a mixture of all on the same appliance) and couple that with powerful networking capabilities for integration (VLAN trunking, link aggregation) and high availability (separation of data and control planes, active/active and active/passive deployment options). This accommodates any data center architecture, and gives the flexibility to add additional security controls without rearchitecting the network when the threat or application landscape changes.

Virtualization Security and Cloud-Ready Features

The virtualized next-generation firewalls include a number of innovative features specifically designed to address the security challenges introduced by the virtualized environment, including the dynamic and automated nature of virtual machines:

Tying Policy to Virtual Machine Creation and Movement: Virtual machines can be highly dynamic, with frequent add, move and change operations. The dynamic nature of virtualization introduces new security requirements for the virtual computing environment. Security policies, including the segmentation and compartmentalization of specific applications for compliance, must continue to be enforced in a virtual environment. This means the ability to keep the policies in sync with creation, and the ability to maintain policies with the mobility of virtual machines. Palo Alto Networks provides a feature called dynamic address objects that binds appropriate security policies to virtual machine instantiation and movement. This automates the process of keeping security policies in sync with virtual machines as they are created or moved.

Integration with Orchestration Software: Data center environments typically automate tasks and processes using workflows that help IT teams execute change with greater speed, quality, and consistency. Deployment of security capabilities can lag orchestration software provisioning for virtual environments, leading to security risks and considerable integration challenges. An automated way to provision network security in line with the pace of orchestration of the elements of the virtualized data center environment is needed. Palo Alto Networks offers a powerful XML management API that enables external cloud orchestration software to connect over an encrypted SSL link to manage and configure Palo Alto Networks firewalls. The exhaustive and fully-documented REST-based API allows configuration parameters to be seen, set and modified as needed. Turnkey service templating can be defined for cloud orchestration software so that the security features within the next-generation firewall become part of the data center workflow.

Hypervisor Security: Finally, the security of the hypervisor, the virtualization layer between the operating system (OS) and the hardware, is a new security challenge introduced only in a virtualized computing environment. Hypervisor attacks range from vulnerabilities that cause hypervisors to crash to complex breakout exploits that cause a guest system to escape and infiltrate its own host system. While the foundation of hypervisor security must start with hardened software, vulnerabilities associated with the hypervisor can be addressed with the next-generation firewall.

Centralized Management

Centralized management for physical and virtualized next-generation firewalls is available with Panorama. Panorama is a centralized security management system that provides global control over a network of Palo Alto Networks next-generation firewalls. Using the same look and feel that the individual device management interface carries, Panorama eliminates any learning curve associated with switching from one mechanism to another. Panorama allows administrators to control all aspects of the devices and/or virtual systems under management (security, NAT, QoS, policy-based forwarding, decryption, application override, captive portal, and DoS protection). Using pre- and post-rules, Panorama administrators can enforce shared policies while allowing local policy flexibility. Rules in between the pre- and post-rules can be edited locally or by a Panorama administrator who has switched to the local firewall context. Software updates such as dynamic content updates (Applications, Threats, Antivirus, WildFire) and software licenses can also be managed centrally on Panorama. Panorama provides the ability to view logs and run reports across dynamic or locally queried data aggregated from managed devices.

Choice of Form Factor

Palo Alto Networks offers a choice of either virtualized or physical form factor to secure your virtualized data center. The choice of whether a physical or virtual network security appliance should be deployed in the data center depends on the specific issues to be addressed. Physical network security appliances are adequate if the same trust levels are maintained within a single server; for example, intra-host traffic can be forced off-box through a default security appliance for further inspection. As organizations move towards pooled computing resources deploying applications of different trust levels, visibility into intra-host communications can be provided only with virtual firewalls. In many data center scenarios, hybrid deployments of both physical and virtual appliances will exist, with physical firewalls being deployed for inter-server segmentation and virtualized firewalls for intra-server segmentation. However, because Palo Alto Networks next-generation firewalls support a single management interface to manage both physical and virtualized firewalls, and use a single policy rule table for all next-generation functionality, operational and management complexities are reduced.

Palo Alto Networks VM-Series

The Palo Alto Networks VM-Series comprises three virtualized next-generation firewall models (VM-100, VM-200, and VM-300) supported on VMware ESXi 4.1 and ESXi 5.0 platforms. 2, 4 or 8 CPU cores on the virtualized server platform can be assigned for next-generation firewall processing. Up to 1 Gbps firewall throughput with App-ID enabled can be supported with 4 CPU cores running. To ensure that management is accessible under periods of heavy traffic, the data plane and the control plane are separated. In addition, the Palo Alto Networks single-pass software architecture processes functions in a single pass to reduce latency. The Palo Alto Networks VM-Series runs the PAN-OS security operating system, the same operating system as on the physical firewalls, therefore supporting the same set of next-generation firewall capabilities.

Palo Alto Networks PA-5000 Series Firewall

The PA-5000 Series of next-generation firewalls is designed to secure data center environments where traffic demands dictate predictable firewall and threat prevention throughput. These high-performance platforms are tailor-made to provide enterprise firewall protection at throughput speeds of up to 20 Gbps. The PA-5000 Series is powered by more than 40 processors distributed across four functional areas: networking, security, content inspection and management. Reliability and resiliency are delivered by active/active or active/passive high availability; physical separation of data and control plane; and redundant, hot-swappable components. A 20 Gbps backplane smooths the pathway between dedicated processors, and the physical separation of data and control plane ensures that management access is always available, irrespective of the traffic load. The PA-5000 Series comprises three models (the PA-5020, the PA-5050 and the PA-5060) at 5 Gbps, 10 Gbps and 20 Gbps firewall throughput respectively, with App-ID enabled.
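Two of the mechanisms described in the preceding sections, dynamic address objects that bind policy to virtual machine creation and movement (under "Virtualization Security and Cloud-Ready Features") and the Panorama pre-rule / local rule / post-rule ordering (under "Centralized Management"), can be shown together in one small model. The Python below is an added example written for this page; it is not PAN-OS or Panorama code and does not call the firewall's XML API. It assumes an orchestration feed that reports each VM's address and tags, resolves address groups from those tags at evaluation time instead of storing addresses in rules, and evaluates a three-tier rule base top-down. VM names, IPs, tags and rule names are constructed.

```python
"""Tag-driven address groups plus a pre/local/post rule base, modelled for illustration."""
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    ip: str
    tags: frozenset  # labels supplied by the orchestrator at creation, e.g. {"web"} or {"pci-db"}


class Inventory:
    """Registry of running VMs; stands in for the hypervisor/orchestration feed (assumed)."""

    def __init__(self):
        self.vms = {}

    def create(self, name, ip, *tags):
        self.vms[name] = VM(name, ip, frozenset(tags))

    def move(self, name, new_ip):
        """VM migrated to another host and re-addressed; its tags travel with it."""
        self.vms[name].ip = new_ip

    def destroy(self, name):
        del self.vms[name]

    def group(self, tag):
        """Dynamic address group: resolved from tags each time policy is evaluated."""
        return {vm.ip for vm in self.vms.values() if tag in vm.tags}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # tag name or "any"
    dst: str     # tag name or "any"
    app: str     # application name or "any"
    action: str  # "allow" or "deny"


def _matches(rule, src_ip, dst_ip, app, inv):
    return ((rule.src == "any" or src_ip in inv.group(rule.src))
            and (rule.dst == "any" or dst_ip in inv.group(rule.dst))
            and (rule.app == "any" or rule.app == app))


class RuleBase:
    """Panorama-style ordering: shared pre-rules, then locally editable rules, then shared post-rules."""

    def __init__(self, pre, local, post):
        self.pre, self.local, self.post = list(pre), list(local), list(post)

    def evaluate(self, src_ip, dst_ip, app, inv):
        for rule in self.pre + self.local + self.post:
            if _matches(rule, src_ip, dst_ip, app, inv):
                return rule.name, rule.action
        return "implicit-deny", "deny"


def run_scenario():
    """Walk a VM lifecycle (create, move, destroy) and record the policy verdicts at each step."""
    inv = Inventory()
    rb = RuleBase(
        pre=[Rule("block-web-to-pci-db", "web", "pci-db", "any", "deny")],       # mandated centrally
        local=[Rule("local-web-to-db", "web", "pci-db", "any", "allow")],        # local admin's attempt
        post=[Rule("app-to-db-mysql", "app-tier", "pci-db", "mysql", "allow")],  # shared baseline
    )
    ip = lambda n: inv.vms[n].ip
    out = {}
    inv.create("web01", "10.0.1.10", "web")
    inv.create("db01", "10.0.3.10", "pci-db")
    inv.create("app01", "10.0.2.10", "app-tier")
    inv.create("scratch01", "10.0.9.9")  # untagged: belongs to no group
    # Policy applies the moment the VMs exist; nobody edited a rule or typed an address.
    out["web->db at creation"] = rb.evaluate(ip("web01"), ip("db01"), "mysql", inv)
    out["app->db at creation"] = rb.evaluate(ip("app01"), ip("db01"), "mysql", inv)
    out["untagged->db"] = rb.evaluate(ip("scratch01"), ip("db01"), "mysql", inv)
    # The database VM moves and gets a new address; the tag-based groups follow it.
    inv.move("db01", "10.0.3.55")
    out["web->db after move"] = rb.evaluate(ip("web01"), ip("db01"), "mysql", inv)
    out["app->db after move"] = rb.evaluate(ip("app01"), ip("db01"), "mysql", inv)
    out["old ip still in pci-db group"] = "10.0.3.10" in inv.group("pci-db")
    inv.destroy("web01")
    out["web group after destroy"] = inv.group("web")
    return out


if __name__ == "__main__":
    for check, verdict in run_scenario().items():
        print(f"{check:32s} -> {verdict}")
```

The local "allow" never takes effect because the centrally pushed pre-rule is evaluated first, which is the point of pre-rules; the post-rule supplies the shared baseline for tiers the local administrator did not touch. After the move, both verdicts are unchanged even though the database's address changed, and the old address has dropped out of the group, which is exactly what a rule written against a literal IP would have missed.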

Secure Data Center Deployments

There are many flexible ways to deploy Palo Alto Networks next-generation firewalls in the virtualized data center. Physical firewalls can be used if all servers host applications of the same trust levels. Alternatively, in an environment with applications of mixed trust levels, the Palo Alto Networks VM-Series can be deployed within a virtualized server. A combination of physical and virtualized firewalls (not shown) may also be used, where physical firewalls provide segmentation between virtualized servers and virtualized firewalls deliver segmentation within the server.

Figure 4: Next-Generation Firewall Deployments (segmentation with physical firewalls between VLANs; segmentation with virtualized VM-Series firewalls attached to the vSwitch inside the server)

Summary

Palo Alto Networks next-generation firewalls provide a security architecture that protects, scales and evolves with data center needs for physical, virtual and mixed-mode environments. The next-generation firewalls are designed to safely enable applications by user, application and content without compromising performance. In addition, the next-generation firewalls are designed to address key virtualization and cloud challenges, from the inspection of intra-host communications, and tracking security policies to virtual machine creation and movement, to integration with orchestration software.

Footnotes:
1: Gartner Security and Risk Management Summit, Neil MacDonald, June 2011
2: Addressing the Most Common Security Risks in Data Center Virtualization Projects, January 2010

3300 Olcott Street, Santa Clara, CA 95054
Main: +1.408.573.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

Copyright 2012, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

PAN_WP_SVDC_110812