
Palo Alto Networks Overview

Gerardo González
Regional Sales Manager North Mexico
gerardo.gonzalez@paloaltonetworks.com

About Palo Alto Networks

- We are the network security company
- World-class team with strong security and networking experience
- Founded in 2005, first customer July 2007
- We offer next-generation firewalls that safely enable 1,700+ applications
  - Restores the firewall as the core of the enterprise network security infrastructure
  - Innovations: App-ID, User-ID, Content-ID, GlobalProtect, WildFire
- Global footprint: 13,000+ customers in 80+ countries, 40 of whom deployed more than $1M of our solution

Page 2 | 2012 Palo Alto Networks. Proprietary and Confidential.

Applications Have Changed; Firewalls Have Not

- The firewall is the right place to enforce policy control
  - Sees all traffic
  - Defines trust boundary
  - Enables access via positive control
- BUT applications have changed: what used to be ports, IP addresses and packets is now applications, users and content
- Need to restore visibility and control in the firewall

Technology Sprawl and Creep Are Not the Answer

- More things do not solve the problem
- Firewall "helpers" have limited visibility into traffic
- They are complex and costly to buy and maintain
- They do not deal with applications

(Slide diagram: Internet, UTM and add-on devices, enterprise network.)

The Right Answer: Make the Firewall Do Its Job

New requirements for the firewall:
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation

Enabling Applications, Users and Content

- Applications: Safe enablement begins with application classification by App-ID.
- Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
- Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.

Restoring Visibility and Control to the Firewall

- App-ID: identifies all applications, on all ports, all the time
- User-ID: identifies the user, tied to the control policy
- Content-ID: looks inside specific applications for specific threats
- WildFire: identifies and protects against unknown malware

(Slide diagram of the WildFire flow: unknown files uploaded; analysis for 100+ malicious behaviors; malware signature automatically generated/delivered.)

Why Must Visibility and Control Be in the Firewall?

Application control as an add-on
- Port-based firewall + App Control (IPS) = two policies: the firewall makes a port-based policy decision, then the IPS makes a separate application-control policy decision
- Applications are the threats; the add-on only blocks what it is explicitly looking for
- Implications:
  - The network access decision is made without information
  - Applications cannot be enabled safely

NGFW application control
- Application control inside the firewall = one simple policy
- Visibility across all ports, all traffic, all the time
- Implications:
  - The network access decision is made based on the identity of the application
  - Applications can be used safely

(Slide diagrams: traffic -> port-based firewall decision -> IPS application-control decision -> applications, versus traffic -> firewall making the application-control decision and applying threat scanning -> applications.)
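The two-policy versus one-policy contrast above, as an added example that is not part of the slide deck: a toy port-based firewall plus IPS blocklist next to a toy application-and-user policy with an implicit deny. All flows, ports, application labels and rules are constructed for illustration.

```python
# Added example, not from the slide deck: a toy model of the two enforcement
# models the slide contrasts. Flows, ports, app names and rules are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    app: str    # application as an App-ID style classifier would label it
    port: int   # destination TCP port
    user: str   # user mapped to the source address

# Legacy stack, two policies: a port-based firewall decides on ports, then an
# IPS "app control" helper blocks only the applications it was told to look for.
FW_OPEN_PORTS = {80, 443}
IPS_APP_BLOCKLIST = {"bittorrent", "tor"}

def legacy_decision(flow: Flow) -> str:
    if flow.port not in FW_OPEN_PORTS:
        return "deny (firewall: port closed)"
    if flow.app in IPS_APP_BLOCKLIST:
        return "deny (ips: app on blocklist)"
    return "allow (app identity played no part in the decision)"

# NGFW, one policy keyed on application and user, evaluated top-down with an
# implicit deny at the end. Port is deliberately not a match criterion.
NGFW_RULES = [
    {"apps": {"web-browsing", "ssl"}, "users": {"any"}, "action": "allow + scan"},
    {"apps": {"ms-rdp"}, "users": {"it-admins"}, "action": "allow + scan"},
]

def ngfw_decision(flow: Flow) -> str:
    for rule in NGFW_RULES:
        user_ok = "any" in rule["users"] or flow.user in rule["users"]
        if flow.app in rule["apps"] and user_ok:
            return rule["action"]
    return "deny (no rule matched this application)"

def compare(flows):
    """Map each flow to (legacy decision, NGFW decision) for side-by-side review."""
    return {f: (legacy_decision(f), ngfw_decision(f)) for f in flows}

if __name__ == "__main__":
    sample = [                                  # constructed traffic
        Flow("web-browsing", 80, "sales"),
        Flow("unknown-tcp", 443, "sales"),      # evasive app riding port 443
        Flow("ms-rdp", 3389, "it-admins"),      # admin RDP on its native port
        Flow("ms-rdp", 443, "sales"),           # RDP tunneled over 443 by a non-admin
    ]
    for flow, (legacy, ngfw) in compare(sample).items():
        print(flow, "| legacy:", legacy, "| ngfw:", ngfw)
```

The unknown application on port 443 passes the legacy stack because nothing was looking for it, while admin RDP on its native port is denied by the legacy stack for a reason unrelated to who or what it is; the single policy decides both cases on application identity.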

Single-Pass Parallel Processing (SP3) Architecture

Single Pass
- Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning: threats, URLs, confidential data
- One policy

Parallel Processing
- Function-specific parallel processing hardware engines
- Separate data/control planes

Up to 20 Gbps, low latency

NGFW in the Enterprise Network

Data Center
- Network segmentation based on application and user, not port/IP
- Simple, flexible network security
- Integration into all DC designs
- Highly available, high performance
- Prevent threats

Perimeter
- App visibility and control in the firewall: all apps, all ports, all the time
- Prevent threats: known threats, unknown/targeted malware
- Simplify security infrastructure

Distributed Enterprise
- Consistent network security everywhere: HQ/branch offices/remote and mobile users
- Logical perimeter: policy follows applications and users, not physical location
- Centrally managed
Addresses Three Key Business Problems

Identify and Control Applications
- Identifies over 1,700 applications, regardless of port, protocol, encryption, or evasive tactic
- Fine-grained control over applications (allow, deny, limit, scan, shape)
- Addresses the key deficiencies of legacy firewall infrastructure

Prevent Threats
- Stop a variety of known threats: exploits (by vulnerability), viruses, spyware
- Detect and stop unknown threats with WildFire
- Stop leaks of confidential data (e.g., credit card #, social security #, file type)
- Enforce acceptable use policies on users for general web site browsing

Simplify Security Infrastructure
- Put the firewall at the center of the network security infrastructure
- Reduce complexity in architecture and operations

Flexible Deployment Options

Visibility
- Application, user and content visibility without inline deployment

Transparent In-Line
- IPS with app visibility & control
- Consolidation of IPS & URL filtering

Firewall Replacement
- Firewall replacement with app visibility & control
- Firewall + IPS
- Firewall + IPS + URL filtering

Introducing WildFire

- Identifies unknown malware by direct observation in a cloud-based, virtual sandbox
  - Detects more than 70 malicious behaviors
  - Capture and enforcement performed locally by firewall
  - Sandbox analysis performed in the cloud removes need for new hardware and provides single point of malware visibility
- Automatically generates signatures for identified malware
  - Infecting files and command-and-control
  - Distributes signatures to all firewalls via regular threat updates
- Provides forensics and insight into malware behavior
  - Actions on the target machine
  - Applications, users and URLs involved with the malware

A New Breed of Malware

(Slide chart: "% Malware Without Anti-Virus Coverage", y-axis 0% to 100%, x-axis Day 0 through Day 7.)
- 60% of malware found with WildFire are not covered by traditional AV at time of detection
- 40% of malware still not covered after 7 days

The First 24 Hours is Critical

(Slide chart: count on the y-axis from 0 to 9,000 against hours 1 through 35 on the x-axis.)
* Sample size = 50 malware files

WildFire Subscription Service

New WildFire subscription service
- Signature coverage within an hour
- XML API for scripted file submissions
- Integrated logging and reporting
- Leverage cloud-based service to get fastest, broadest malware protection

Existing service remains standard feature
- Scanning and cloud-based reporting
- Antivirus signature updates will include WildFire malware

Introducing GlobalProtect

- Users never go off-network regardless of location
- All firewalls work together to provide cloud of network security
- How it works:
  - Small agent determines network location (on or off the enterprise network)
  - If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
  - Agent submits host information profile (patch level, asset type, disk encryption, and more) to the gateway
  - Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile
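The last step above, gateway enforcement that combines application, user and the submitted host information profile, as an added example that is not GlobalProtect code. The HIP field names, the HIP object names, the rules and the sample host reports are all constructed for illustration.

```python
# Added example, not GlobalProtect code: a toy gateway that combines user group,
# application and the host information profile (HIP) the agent submitted in one
# policy decision. HIP fields, object names, rules and reports are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class HostInfo:
    asset_type: str        # "managed" or "unmanaged", as reported by the agent
    days_since_patch: int  # patch level expressed as age of the last OS patch
    disk_encrypted: bool

# HIP objects: named predicates evaluated against the submitted report.
HIP_OBJECTS = {
    "compliant-laptop": lambda h: h.asset_type == "managed"
    and h.disk_encrypted and h.days_since_patch <= 30,
    "any-host": lambda h: True,
}

# One gateway policy: (application, user group, HIP object) -> action,
# evaluated top-down; no match means deny.
GATEWAY_RULES = [
    ("finance-erp", "finance", "compliant-laptop", "allow"),
    ("web-browsing", "any", "any-host", "allow"),
]

def matched_hip_objects(host: HostInfo) -> list:
    """Names of the HIP objects this host satisfies (what a gateway would log)."""
    return [name for name, check in HIP_OBJECTS.items() if check(host)]

def gateway_decision(app: str, group: str, host: HostInfo) -> str:
    matched = set(matched_hip_objects(host))
    for rule_app, rule_group, hip_name, action in GATEWAY_RULES:
        if rule_app == app and rule_group in ("any", group) and hip_name in matched:
            return action
    return "deny"

if __name__ == "__main__":
    compliant = HostInfo("managed", 7, True)
    stale = HostInfo("managed", 90, True)          # same user, unpatched laptop
    print(gateway_decision("finance-erp", "finance", compliant))   # allow
    print(gateway_decision("finance-erp", "finance", stale))       # deny
    print(gateway_decision("web-browsing", "finance", stale))      # allow
```

The same user on the same application gets a different answer depending on the posture the agent reported, which is the point of adding HIP to the user and application match.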

Palo Alto Networks Next-Gen Firewalls

PA-5060: 20 Gbps FW, 10 Gbps threat prevention, 4,000,000 sessions, 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5050: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions, 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020: 5 Gbps FW, 2 Gbps threat prevention, 1,000,000 sessions, 8 SFP, 12 copper gigabit
PA-3050: 4 Gbps FW, 2 Gbps threat prevention, 500,000 sessions, 8 SFP, 12 copper gigabit
PA-3020: 2 Gbps FW, 1 Gbps threat prevention, 250,000 sessions, 8 SFP, 12 copper gigabit
PA-500: 250 Mbps FW, 100 Mbps threat prevention, 64,000 sessions, 8 copper gigabit
PA-200: 100 Mbps FW, 50 Mbps threat prevention, 64,000 sessions, 4 copper gigabit

PAN-OS Core Firewall Features

Visibility and control of applications, users and content complement core firewall features.

- Strong networking foundation
  - Dynamic routing (BGP, OSPF, RIPv2)
  - Tap mode: connect to SPAN port
  - Virtual wire (Layer 1) for true transparent in-line deployment
  - L2/L3 switching foundation
  - Policy-based forwarding
- Zone-based architecture
  - All interfaces assigned to security zones for policy enforcement
- VPN
  - Site-to-site IPSec VPN
  - SSL VPN
- High Availability
  - Active/active, active/passive
  - Configuration and session synchronization
  - Path, link, and HA monitoring
- QoS traffic shaping
  - Max/guaranteed and priority
  - By user, app, interface, zone, & more
  - Real-time bandwidth monitor
- Virtual Systems
  - Establish multiple virtual firewalls in a single device (PA-5000 and PA-3000 Series)
- Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog

Segmenting Traffic in the Virtual Datacenter

- Hardware firewalls will continue to be deployed to secure and segment datacenters at the edge and for legacy servers
- VM-Series introduces the ability for secure segmentation to be done within VMware ESXi

(Slide diagram: VLAN-separated segments inside the virtual datacenter.)

Tie Policy to Dynamic VM Environment


VM-Series: PAN-OS in a Virtual Form Factor

- Delivers proven next-gen firewall features of PAN-OS in virtual form factor
- Provides visibility and control of traffic between VMs

Performance
Cores Allocated | Firewall (App-ID) | Threat Prevention | VPN      | Sessions per Second
2 Core          | 500 Mbps          | 200 Mbps          | 100 Mbps | 8,000
4 Core          | 1 Gbps            | 600 Mbps          | 250 Mbps | 8,000
8 Core          | 1 Gbps            | 1 Gbps            | 400 Mbps | 8,000

Specifications
Model  | Sessions | Rules | Security Zones | Address Objects | IPSec VPN Tunnels | SSL VPN Tunnels
VM-100 | 50,000   | 250   | 10             | 2,500           | 25                | 25
VM-200 | 100,000  | 2,000 | 20             | 4,000           | 500               | 200
VM-300 | 250,000  | 5,000 | 40             | 10,000          | 2,000             | 500

- Supported on VMware ESX/ESXi 4.0 or later
- Minimum of 2 CPU cores, 4GB RAM, 40GB HD, 2 interfaces
- Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames

M-100 Hardware Appliance

- Simple, high-performance, dedicated appliance for Panorama
- Simplifies deployment and support
- Introduces distributed log collection capability for large scale deployments
- License migration path available for current Panorama customers

Specifications
- 1 RU form factor
- Intel Xeon 4 core 3.4 GHz CPU
- 16 GB memory
- 64-bit operating system
- 120 GB SSD system disk
- Up to 4 TB of RAID1 storage for logs (ships with two 1 TB drives for 1 TB of RAID1 storage)

Panorama Distributed Architecture

- With M-100, manager and log collector functions can be split
- Deploy multiple log collectors to scale collection infrastructure

Panorama Deployment Options

- < 10 devices, < 10,000 logs/sec: sites with need for virtual appliance
- < 100 devices, < 10,000 logs/sec
- < 1,000 devices, > 10,000 logs/sec (50,000 per collector)

New Threats Require a Different Model for IPS Functions

- Stand-alone IPS has a negative security model: it can only find it and kill it
- Stand-alone IPS can't see into growing volumes of SSL-encrypted traffic, nor into compressed content
- Next-generation firewalls enable an "allow the application, but scan for threats" policy response
- Gartner's recommendation:
  - Move to next-generation firewalls at the next refresh opportunity, whether for firewall, IPS, or the combination of the two.

2013 Gartner Magic Quadrant for Enterprise Network Firewalls

"Palo Alto Networks continues to both drive competitors to react in the firewall market and to move the overall firewall market forward. It is assessed as a Leader, mostly because of its NGFW design, direction of the market along the NGFW path, consistent displacement of competitors, rapidly increasing revenue and market share, and market disruption that forces competitors in all quadrants to react."

Source: Gartner, February 2013

Many Third Parties Reach Same Conclusion

- Gartner Enterprise Network Firewall Magic Quadrant
  - Palo Alto Networks leading the market
- Forrester IPS Market Overview
  - Strong IPS solution; demonstrates effective consolidation
- NetworkWorld Test
  - Most stringent NGFW test to date; validated sustained performance and key differences
- NSS Tests
  - IPS: Palo Alto Networks NGFW tested against competitors' standalone IPS devices; NSS Recommended
  - Firewall: traditional port-based firewall test; Palo Alto Networks most efficient by a wide margin; NSS Recommended
  - NGFW: Palo Alto Networks best combination of protection, performance, and value; NSS Recommended (1 of only 3)