
PALO ALTO NETWORKS
NEXT-GENERATION SECURITY IN THE DATA CENTER
April 2015

1 | ©2015, Palo Alto Networks. Confidential and Proprietary.
PALO ALTO NETWORKS AT-A-GLANCE

Corporate highlights:
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications and preventing cyber threats
• Able to address all enterprise cybersecurity needs
• Exceptional ability to support global customers
• Experienced team of 2,000+ employees
• Q2 FY15: $218M revenue

[Chart: Revenues ($MM) and Enterprise Customers, Jul-11 to Jul-14. Revenue points are labelled $13, $49, $119, $255, $396 and $598; customer counts are labelled 4,700, 9,000, 13,500 and 19,000.]


2015 Magic Quadrant for Enterprise Network Firewalls

“Palo Alto Networks is assessed as a Leader, mostly because of its NGFW focus, and because of its consistent visibility in Gartner shortlists for advanced firewalls use cases, frequently beating competition on feature quality.”

-- Gartner, Magic Quadrant for Enterprise Network Firewalls


Evolution Towards Virtualization and Cloud



Security Challenges in the Cloud
Physical firewalls may not see the East-West traffic

• Firewall placement is designed around the expectation of layer 3 segmentation
• Network configuration changes required to secure East-West traffic flows are manual, time-consuming and complex
• The ability to transparently insert security into the traffic flow is needed

[Diagram: MS-SQL, SharePoint and Web Front End VMs sharing one host]


Security Challenges in the Cloud
Incomplete security features on existing virtual security solutions

[Diagram: MS-SQL, SharePoint and Web Front End VMs sharing one host]

In the cloud, applications of different trust levels now run on a single server:
• VM-to-VM traffic (East-West) needs to be inspected
• Port- and protocol-based security is not sufficient
• Virtualized next-generation security is needed to:
  • Safely enable application traffic between VMs
  • Protect against cyber attacks


Security Challenges in the Cloud
Static policies cannot keep pace with dynamic workload deployments

• Provisioning of applications can occur in minutes, with frequent changes
• Security approvals and configurations may take weeks or months
• Dynamic security policies that understand VM context are needed


Protecting all Data Center Traffic

[Diagram: orchestration systems and the corporate network/DMZ connect to the data center; North-South traffic to physical servers is secured by a physical firewall, East-West traffic between virtualized servers by a virtualized firewall. Layer labels: Application, Network, Security]

• Segment North-South (physical) and East-West (virtual) traffic
• Track virtual application provisioning and changes via Dynamic Address Groups
• Automation and orchestration support via REST API


Covering the Entire Enterprise

Network location: Data center/cloud | Enterprise perimeter | Distributed/BYOD | Endpoint

Next-generation appliances:
  Physical: PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050
  WildFire: WF-500
  Virtual: VM-Series (ESXi, KVM, Amazon) & VM-Series-HV for NSX
Subscriptions: Threat Prevention, URL Filtering, GlobalProtect™, WildFire™, Endpoint (Traps)
Use cases: Next-Generation Firewall; Cybersecurity: IDS / IPS / APT; Web gateway; VPN
Management system: Panorama, M-100 appliance, GP-100 appliance
Operating system: PAN-OS™


VM-Series for VMware NSX

[Diagram: VM-Series for VMware NSX deployed as a service]

• Integrated solution with VMware for East-West traffic inspection
• Automated provisioning and deployment, where a VM-Series is deployed on every ESXi server
• NSX automatically steers traffic to VM-Series
• Dynamic context sharing between NSX and Panorama


How the Joint Solution Works


VM-1000-HV for VMware NSX

Model        Sessions   Rules    Security zones
VM-100       50,000     250      10
VM-200       100,000    2,000    20
VM-300       250,000    5,000    40
VM-1000-HV   250,000    10,000   40

• Next-generation firewall in a virtual form factor
• Consistent PAN-OS™ features as the hardware-based next-generation firewall
• Tracks VM creation and movement with dynamic address groups
• Supports single-pass software architecture to minimize latency
• Supports 2, 4, 8 CPU cores
• Performance: 1 Gbps FW throughput (App-ID enabled) and 600 Mbps threat protection


Power of Dynamic Address Groups

VMware vCenter or NSX (VM inventory):

Name          IP         Guest OS       Container
web-sjc-01    10.1.1.2   Ubuntu 12.04   Web Servers
web-sjc-02    10.1.1.3   Ubuntu 12.04   Web Servers
sp-sjc-04     10.1.5.4   Win 2008 R2    SharePoint
sp-mia-07     10.1.5.8   Win 2008 R2    SharePoint
exch-mia-03   10.4.2.2   Win 2008 R2    Exchange
exch-dfw-03   10.4.2.3   Win 2008 R2    Exchange
db-mia-01     10.5.1.5   Ubuntu 12.04   MySQL
db-mia-05     10.5.1.9   Ubuntu 12.04   MySQL
db-dfw-02     10.5.1.2   Ubuntu 12.04   MySQL

PAN-OS Dynamic Address Groups (membership resolved from the tags shared by vCenter/NSX):

Name            Tags            Addresses
SharePoint      “sp”            10.1.5.4, 10.1.5.8
MySQL Servers   “db”            10.5.1.5, 10.5.1.2, 10.5.1.9
Miami DC        “mia”           10.1.5.8, 10.4.2.2, 10.5.1.5
San Jose        “sjc”           10.1.1.2, 10.1.1.3, 10.1.5.4
Web Servers     “web”           10.1.1.2, 10.1.1.3
Linux Servers   Ubuntu 12.04    10.1.1.2, 10.1.1.3, 10.5.1.5, 10.5.1.9, 10.5.1.2

PAN-OS Security Policy (Source / Destination / Action): rules reference the groups above (San Jose, SharePoint, Linux Servers, Web Servers, MySQL Servers, Miami DC) rather than individual IP addresses, so a VM that is created or moved is covered as soon as its tags are updated; the actions appear as check marks in the figure.
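The tag-to-group-to-rule resolution this slide illustrates, as an added Python example (not Palo Alto Networks code). The inventory is modelled on the slide's VMs; the AND-of-tags match, the two rules and the new VM sp-sjc-09 are constructed assumptions for the example.

```python
"""Simulation of Dynamic Address Groups (DAGs): groups are tag matches,
rules name groups, so new or moved VMs need no rule edit."""
from typing import Dict, List, Set, Tuple

VM = Tuple[str, str, Set[str]]  # (name, IP, tags pushed by vCenter/NSX)

# Constructed inventory, modelled on the slide's VM table.
VMS: List[VM] = [
    ("web-sjc-01", "10.1.1.2", {"web", "sjc", "linux"}),
    ("web-sjc-02", "10.1.1.3", {"web", "sjc", "linux"}),
    ("sp-sjc-04", "10.1.5.4", {"sp", "sjc"}),
    ("sp-mia-07", "10.1.5.8", {"sp", "mia"}),
    ("db-mia-01", "10.5.1.5", {"db", "mia", "linux"}),
    ("db-mia-05", "10.5.1.9", {"db", "mia", "linux"}),
]

# DAG definitions: group name -> tags a VM must carry (AND match; assumption).
GROUPS: Dict[str, Set[str]] = {
    "SharePoint": {"sp"},
    "MySQL Servers": {"db"},
    "Web Servers": {"web"},
    "Miami DC": {"mia"},
    "San Jose": {"sjc"},
}

# Constructed rules: (source group, destination group, action);
# first match wins and anything unmatched hits the implicit deny.
RULES: List[Tuple[str, str, str]] = [
    ("Web Servers", "SharePoint", "allow"),
    ("SharePoint", "MySQL Servers", "allow"),
]


def resolve(vms: List[VM]) -> Dict[str, Set[str]]:
    """Recompute each group's member IPs from the current VM tags."""
    return {g: {ip for _, ip, tags in vms if req <= tags} for g, req in GROUPS.items()}


def evaluate(members: Dict[str, Set[str]], src_ip: str, dst_ip: str) -> str:
    """Return the action of the first rule whose groups contain both IPs."""
    for src_g, dst_g, action in RULES:
        if src_ip in members[src_g] and dst_ip in members[dst_g]:
            return action
    return "deny"


if __name__ == "__main__":
    print(evaluate(resolve(VMS), "10.1.1.2", "10.1.5.4"))   # web -> sp: allow
    # A newly provisioned SharePoint VM is covered with no rule change.
    grown = VMS + [("sp-sjc-09", "10.1.5.12", {"sp", "sjc"})]
    print(evaluate(resolve(grown), "10.1.1.2", "10.1.5.12"))  # allow
```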


PROTECTING THE DATACENTER
PHYSICAL, VIRTUAL, HYBRID

[Diagram: Public Cloud, SDDC/Private Cloud and a Credit Card Zone, each built on virtualized compute, network and storage]

• Safely enable applications
• Zero Trust to strictly control access for N/S and E/W traffic
• Prevent known/unknown malware; stop lateral movement
• Block exploits before they happen
• Streamline workload provisioning and policy updates
• Central management and orchestration


THREAT INTELLIGENCE CLOUD

[Diagram: WildFire, Threat Prevention, URL Filtering and Forensics & Reporting feeding the Threat Intelligence Cloud]

THE UNKNOWN: automatically identified
• 192,000 anti-malware protections per day
• 24,000 URL protections per day
• 12,000 DNS protections per day

REMEDIATION: automatically prevented
• Protections delivered automatically in 15 minutes
• Rich forensics and reporting for quick, detailed investigation


Advanced Security Services
Preventing Attacks at Every Stage of the Kill Chain

1. Breach the perimeter
Next-Generation Firewall / GlobalProtect
• Visibility into all traffic, including SSL
• Enable business-critical applications
• Block high-risk applications
• Block commonly exploited file types
Threat Prevention
• Block known exploits, malware and inbound command-and-control communications
URL Filtering
• Prevent use of social engineering
• Block known malicious URLs and IP addresses
WildFire
• Send specific incoming files and email links from the internet to public or private cloud for inspection
• Detect unknown threats
• Automatically deliver protections globally

2. Deliver the malware
Traps / WildFire
• Block known and unknown vulnerability exploits
• Block known and unknown malware
• Provide detailed forensics on attacks

3. Lateral movement
Next-Generation Firewall / GlobalProtect
• Establish secure zones with strictly enforced access control
• Provide ongoing monitoring and inspection of all traffic between zones
WildFire
• Detect unknown threats pervasively throughout the network

4. Exfiltrate data
Next-Generation Firewall / Threat Prevention
• Block outbound command-and-control communications
• Block file and data pattern uploads
• DNS monitoring and sinkholing
URL Filtering
• Block outbound communication to known malicious URLs and IP addresses
