Transcript About Palo Alto Networks

New Solutions to
New Threats
The Threats, They Are A Changing
Page 2 |
© 2008 Palo Alto Networks. Proprietary and Confidential
Security Technology Hasn’t Kept Up
• The gateway on the trust
border is the right place to
exert control
•
-
All traffic goes through
-
Defines trust boundary
SaaS
Collaboration / Media
Personal
Strategy is sound…
• BUT…
-
Can only see ports, protocol,
and IP address
-
Blind to applications, users, and
content
-
Blind to dynamic, multipronged
threats
• Execution is flawed
Page 3 |
© 2008 Palo Alto Networks. Proprietary and Confidential
Threat Prevention Must Get Smarter
• Stop threats
- Block bad applications
- Block a widening array of threats (exploits, viruses, spyware
downloads and phone home)
• Enable business
- Safely enable applications
- Don’t slow down business traffic – i.e., manage risk at speed
of business
• One policy = no gaps
Page 4 |
© 2008 Palo Alto Networks. Proprietary and Confidential
About Palo Alto Networks
• Founded in 2005 by Nir Zuk, inventor of stateful inspection technology
• World class team with strong security and networking experience
• Builds next generation firewalls with innovative identification technologies that
manage applications, users, and content
• Named Gartner Cool Vendor in 2008; 2008 Best of Interop Grand Prize
Page 5 |
© 2008 Palo Alto Networks. Proprietary and Confidential
Our Identification Technologies Change the Game
App-ID
Identify the application
User-ID
Identify the user
Content-ID
Scan the content
Page 6 |
© 2008 Palo Alto Networks. Proprietary and Confidential
Traditional Multi-Pass Architectures
IPS Policy
AV Policy
URL Filtering Policy
IPS Signatures
AV Signatures
Firewall Policy
HTTP Decoder
IPS Decoder
AV Decoder & Proxy
Port/Protocol-based ID
Port/Protocol-based ID
Port/Protocol-based ID
Port/Protocol-based ID
L2/L3 Networking, HA,
Config Management,
Reporting
L2/L3 Networking, HA,
Config Management,
Reporting
L2/L3 Networking, HA,
Config Management,
Reporting
L2/L3 Networking, HA,
Config Management,
Reporting
Page 7 |
© 2008 Palo Alto Networks. Proprietary and Confidential
PAN-OS Architecture
Policy Engine
Data Filtering
CONTENT-ID
URL Filtering
Real-Time Threat
Prevention
Application Protocol
Decoding
APP-ID
Application Protocol
Detection and Decryption
Application Signatures
Heuristics
L2/L3 Networking, HA, Config
Management, Reporting
Page 8 |
© 2008 Palo Alto Networks. Proprietary and Confidential
Real-Time Content Scanning With Content-ID
File-based Scanning
Stream-based Scanning
ID Content
ID Content
Buffer File
Scan Content
Scan File
Deliver Content
Deliver Content
Time
Time
• Stream-based, not file-based, for real-time performance
- Dynamic reassembly
• Uniform signature engine scans for broad range of threats in
single pass
• Threat detection covers vulnerability exploits (IPS), virus, and
spyware (both downloads and phone-home)
Page 9 |
© 2008 Palo Alto Networks. Proprietary and Confidential
Purpose-Built Hardware: PA-4000 Series
RAM
Flash
Matching
Engine
Dedicated Control Plane
• Highly available mgmt
• High speed logging and route
updates
Flash Matching HW Engine
• Palo Alto Networks’ uniform signatures
• Multiple memory banks – memory
bandwidth scales performance
RAM
RAM
RAM
10Gbps
RAM
Dual-core
CPU
CPU
1
CPU
2
CPU
3
..
RAM
CPU
16
RAM
RAM
HDD
SSL
IPSec
DeCompression
Multi-Core Security Processor
• High density processing for flexible security
functionality
• Hardware-acceleration for standardized
complex functions (SSL, IPSec,
decompression)
10Gbps
QoS
Control Plane
Page 10 |
© 2008 Palo Alto Networks. Proprietary and Confidential
Route,
ARP,
MAC
lookup
NAT
10 Gig Network Processor
• Front-end network processing offloads security
processors
• Hardware accelerated QoS, route lookup, MAC
lookup and NAT
Data Plane
Adds Up to Superior Performance
Performance
10Gbps; 5Gbps threat
prevention (XFP interfaces)
10Gbps; 5Gbps threat
prevention
•PA-4000 Series
2Gbps; 2Gbps threat
prevention
•1Gbps; 500Mbps threat
prevention
•PA-2000 Series
•500Mbps; 200Mbps
threat prevention
Remote Office/
Medium Enterprise
Page 11 |
© 2008 Palo Alto Networks. Proprietary and Confidential
Large Enterprise
Flexible Deployment Options
Application Visibility
• Connect to span port
• Enables threat and application
visibility without inline
deployment
Page 12 |
Transparent In-Line
• Deploy transparently behind
existing firewall
• Enables application control and
threat prevention without
networking changes
© 2008 Palo Alto Networks. Proprietary and Confidential
Firewall Replacement
• Replace existing firewall
• Enables threat prevention,
application and network
visibility and control,
consolidated policy, high
performance
Summary
• App-ID enables visibility and control over applications
- Safe usage
• Traditional perimeter security technology hasn’t kept up
with change in threats
• SPA
• Next Gen Firewall delivers
- Performance
- Single policy
- TCO
Page 13 |
© 2008 Palo Alto Networks. Proprietary and Confidential
Thank You