Palo Alto Networks™ is the network security company. Its next-generation firewalls enable unprecedented visibility and granular policy control of applications and content, by user and not just by IP address, at up to 20 Gbps with no performance degradation.
Based on App-ID™ technology, Palo Alto Networks™ firewalls accurately identify and control applications, regardless of port, protocol, evasive tactic or SSL encryption, and scan content to block threats and prevent data leakage.
Enterprises can, for the first time, embrace Web 2.0 and maintain complete visibility and control, while significantly reducing total cost of ownership through device consolidation. More recently, Palo Alto Networks™ firewalls have enabled enterprises to extend this same network security to remote users with the release of GlobalProtect™ and to combat targeted modern malware with its WildFire™ service. See more at www.paloaltonetworks.com.
Palo Alto Networks Overview November 2011

About Palo Alto Networks
• Palo Alto Networks is the Network Security Company
• World-class team with strong security and networking experience
  - Founded in 2005, first customer July 2007, top-tier investors
• Builds next-generation firewalls that identify / control 1,300+ applications
  - Restores the firewall as the core of enterprise network security infrastructure
  - Innovations: App-ID™, User-ID™, Content-ID™
• Global momentum: 6,000+ customers
  - August 2011: Annual bookings run rate is over US$200 million*, cash-flow positive last five consecutive quarters
• A few of the many enterprises that have deployed more than $1M
(*) Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks’ fiscal year runs from August 1st until July 31st.
Page 2 | © 2011 Palo Alto Networks. Proprietary and Confidential.

Next-Generation Firewalls Are Network Security

2011 Magic Quadrant for Enterprise Network Firewalls

Applications Have Changed; Firewalls Have Not
The firewall is the right place to enforce policy control
• Sees all traffic
• Defines trust boundary
• Enables access via positive control
BUT…applications have changed
• Ports ≠ Applications
• IP Addresses ≠ Users
• Packets ≠ Content
Need to restore visibility and control in the firewall

Enterprise 2.0 Applications and Risks Widespread
Palo Alto Networks’ latest Application Usage & Risk Report highlights actual behavior of 1M+ users in 1253 organizations
  - More enterprise 2.0 application use for personal and business reasons.
  - Tunneling and port hopping are common
  - Bottom line: all had firewalls, most had IPS, proxies, & URL filtering – but none of these organizations could control what applications ran on their networks

Technology Sprawl & Creep Are Not The Answer
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Putting all of this in the same box is just slow

The Right Answer: Make the Firewall Do Its Job
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation

Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on
• Port-based FW + App Ctrl (IPS) = two policies
• Applications are threats; only block what you expressly look for
Implications
• Network access decision is made with no information
• Cannot safely enable applications
[Diagram labels: Traffic, Port, Firewall, IPS, Applications; Port Policy Decision, App Ctrl Policy Decision]
NGFW Application Control
• Application control is in the firewall = single policy
• Visibility across all ports, for all traffic, all the time
Implications
• Network access decision is made based on application identity
• Safely enable application usage
[Diagram labels: Traffic, Application, Firewall, IPS, Applications; App Ctrl Policy Decision, Scan Application for Threats]

Your Control With a Next-Generation Firewall
» The ever-expanding universe of applications, services and threats
Only allow the apps you need
» Traffic limited to approved business use cases based on App and User
» Attack surface reduced by orders of magnitude
Safely enable the applications relevant to your business
» Complete threat library with no blind spots
  - Bi-directional inspection
  - Scans inside of SSL
  - Scans inside compressed files
  - Scans inside proxies and tunnels

Identification Technologies Transform the Firewall
• App-ID™: Identify the application
• User-ID™: Identify the user
• Content-ID™: Scan the content

Single-Pass Parallel Processing™ (SP3) Architecture
Single Pass
• Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific parallel processing hardware engines
• Separate data/control planes
• Up to 20Gbps, Low Latency

PA-5000 Series Architecture
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 4 Million concurrent sessions
Control Plane (quad-core CPU, RAM, HDD)
• Highly available mgmt
• High speed logging and route update
• Dual hard drives
Signature Match HW Engine
• Stream-based uniform sig. match
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
Switch Fabric
• 80 Gbps switch fabric interconnect
• 20 Gbps QoS engine
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
[Diagram labels: Control Plane, Data Plane, Signature Match, Security Processors (SSL, IPSec, De-Compress.), Switch Fabric, QoS, Flow control, Route, ARP, MAC lookup, NAT]

PAN-OS Core Firewall Features
Visibility and control of applications, users and content complement core firewall features
• Strong networking foundation
  - Dynamic routing (BGP, OSPF, RIPv2)
  - Tap mode – connect to SPAN port
  - Virtual wire (“Layer 1”) for true transparent in-line deployment
  - L2/L3 switching foundation
  - Policy-based forwarding
• VPN
  - Site-to-site IPSec VPN
  - SSL VPN
• QoS traffic shaping
  - Max/guaranteed and priority
  - By user, app, interface, zone, & more
  - Real-time bandwidth monitor
• Zone-based architecture
  - All interfaces assigned to security zones for policy enforcement
• High Availability
  - Active/active, active/passive
  - Configuration and session synchronization
  - Path, link, and HA monitoring
• Virtual Systems
  - Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, and PA-2000 Series)
• Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog
Models shown: PA-5060, PA-5050, PA-5020, PA-4060, PA-4050, PA-4020, PA-2050, PA-2020, PA-500, PA-200

Introducing GlobalProtect
• Users never go “off-network” regardless of location
• All firewalls work together to provide “cloud” of network security
• How it works:
  - Small agent determines network location (on or off the enterprise network)
  - If off-network, the agent automatically connects the laptop to the nearest firewall via SSL VPN
  - Agent submits host information profile (patch level, asset type, disk encryption, and more) to the gateway
  - Gateway enforces security policy using App-ID, User-ID, Content-ID AND host information profile

Enterprise-Wide Next-Generation Firewall Protection
Perimeter
• Identify and control applications, users and content
• Positive enablement
Data Center
• Network segmentation based on users and applications
• High performance threat prevention
Distributed Enterprise (Branch Office, Remote Users)
• Extending consistent security to all users and locations
• Visibility and control over applications, users and content
Same Next-Generation Firewall, Different Benefits…

Comprehensive View of Applications, Users & Content
• Application Command Center (ACC)
  - View applications, URLs, threats, data filtering activity
• Add/remove filters to achieve desired result
[Screenshot captions: Filter on Facebook-base; Filter on Facebook-base and user cook; Remove Facebook to expand view of cook]

Palo Alto Networks Next-Gen Firewalls
PA-5060
• 20 Gbps FW/10 Gbps threat prevention/4,000,000 sessions
• 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5050
• 10 Gbps FW/5 Gbps threat prevention/2,000,000 sessions
• 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit
PA-5020
• 5 Gbps FW/2 Gbps threat prevention/1,000,000 sessions
• 8 SFP, 12 copper gigabit
PA-4060
• 10 Gbps FW/5 Gbps threat prevention/2,000,000 sessions
• 4 XFP (10 Gig), 4 SFP (1 Gig)
PA-4050
• 10 Gbps FW/5 Gbps threat prevention/2,000,000 sessions
• 8 SFP, 16 copper gigabit
PA-4020
• 2 Gbps FW/2 Gbps threat prevention/500,000 sessions
• 8 SFP, 16 copper gigabit
PA-2050
• 1 Gbps FW/500 Mbps threat prevention/250,000 sessions
• 4 SFP, 16 copper gigabit
PA-2020
• 500 Mbps FW/200 Mbps threat prevention/125,000 sessions
• 2 SFP, 12 copper gigabit
PA-500
• 250 Mbps FW/100 Mbps threat prevention/64,000 sessions
• 8 copper gigabit
PA-200
• 100 Mbps FW/50 Mbps threat prevention/64,000 sessions
• 4 copper gigabit

Addresses Three Key Business Problems
• Identify and Control Applications
  - Visibility of over 1300 applications, regardless of port, protocol, encryption, or evasive tactic
  - Fine-grained control over applications (allow, deny, limit, scan, shape)
  - Addresses the key deficiencies of legacy firewall infrastructure
• Prevent Threats
  - Stop a variety of threats – exploits (by vulnerability), viruses, spyware
  - Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
  - Stream-based engine ensures high performance
  - Enforce acceptable use policies on users for general web site browsing
• Simplify Security Infrastructure
  - Put the firewall at the center of the network security infrastructure
  - Reduce complexity in architecture and operations

Thank You