Transcript: Juniper Migration Webinar
Migrating from Juniper to Palo Alto Networks
Agenda
Overview
Key Differences
Key Reasons to Migrate
Migration Best Practices
Q&A
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Applications Have Changed, Firewalls Haven’t
Network security policy is enforced at the firewall:
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work any more.
The Firewall as a Business Enablement Tool
• Applications: Enablement begins with application classification by App-ID.
• Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
• Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.
Controlling Applications, Content and Users
Broad Range of Hardware Platforms

Firewall | Firewall Throughput | Threat Prevention Throughput | Ports | Session Capacity
PA-7050 | System: 120 Gbps (NPC: 20 Gbps) | System: 60 Gbps (NPC: 10 Gbps) | 24 SFP+ (10 Gig), 48 SFP (1 Gig), 72 copper gigabit | 24,000,000
PA-7000-NPC | 20 Gbps | 10 Gbps | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 4,000,000
PA-5060 | 20 Gbps | 10 Gbps | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 4,000,000
PA-5050 | 10 Gbps | 5 Gbps | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 2,000,000
PA-5020 | 5 Gbps | 2 Gbps | 8 SFP, 12 copper gigabit | 1,000,000
PA-3050 | 4 Gbps | 2 Gbps | 8 SFP, 12 copper gigabit | 500,000
PA-3020 | 2 Gbps | 1 Gbps | 8 SFP, 12 copper gigabit | 250,000
PA-2050 | 1 Gbps | 500 Mbps | 4 SFP, 16 copper gigabit | 250,000
PA-2020 | 500 Mbps | 250 Mbps | 8 copper gigabit | 125,000
PA-500 | 250 Mbps | 100 Mbps | 8 copper gigabit | 64,000
PA-200 | 100 Mbps | 50 Mbps | 4 copper gigabit | 64,000
Juniper SRX Overview
• SRX = Security services gateways, successor to the NetScreen/ScreenOS products
• Uses JUNOS, a high performance routing OS
• Two platform families: enterprise and datacenter (SRX1400 to SRX5800); small, distributed enterprise (SRX100 to SRX650)
• AppSecure addresses next-generation firewall features: NGFW feature components added to stateful inspection, namely AppTrack (visibility), AppFW (application identification and control), AppQoS (QoS) and AppDoS (DoS)
• Application identification and control are performed after an initial port-based firewall decision is made
AppSecure
Three Reasons to Migrate
Top 3 Reasons to Migrate
1. Context-based policy management
2. Positive control model?
3. APT prevention
Context-Based Policy Management
[Figure: the context available for a single policy decision. Fields shown: user (bjacobs), group (prodmgmt), source IP (172.16.1.10), destination IP (64.81.2.23), destination port (tcp/443), destination country (china, canada), protocol (HTTP, SSL), application (slideshare), application function (slideshare-uploading), URL category (file-sharing, unknown), file type (pdf), file name (roadmap.pdf, shipment.exe), file size (344 KB).]
Shared Context Highlights the Value of Integration
Apps | Functions | Users | IPS | AV | AS | Malware | QoS | Files | Patterns
Safe Enablement Policies: Applications, Users, Content
Reporting | Logging | Forensics | Panorama
Operational Efficiency: Unified Policy Control
Single policy for application, user and content (threat prevention):
• Users/User Groups
• Application
• Threat Prevention: Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, WildFire
AppSecure Management
Different policy management components
AppSecure Management Challenges
• Multiple management components required (Space, CLI, STRM): more work, less visibility and control, slower responsiveness
• User information is not natively integrated; it requires UAC + Pulse: more work, more devices and components to manage, less effective
Application Control in the Firewall
[Figure: a single firewall policy decision made by App-ID (“Allow Facebook”) under a positive control model.]
Key Difference / Benefit
• Single firewall policy: Less work, more secure. Administrative effort is reduced; potential reconciliation holes eliminated.
• Positive control model: Allow by policy, all else is denied. It’s a firewall.
• Single log database: Less work, more visibility. Policy decisions based on complete information.
• Systematically manage unknowns: Less work, more secure. Quickly identify high risk traffic and systematically manage it.
• Shared context: Less work, more secure. App, content and user are pervasive: visibility, policy control, logging, reporting.
Application Control as an Add-on
[Figure: policy decision #1 in the firewall allows a tcp service on port 80; policy decision #2 in an app-control add-on then allows Facebook. Ports are opened to allow the application: Facebook is allowed, but what about the other 299 apps?]
Key Difference / Ramifications
• Two separate policies: More work. Two policies, more admin effort. Possible security holes. No policy reconciliation tools.
• Two separate policy decisions: Weakens the deny-all-else premise. Applications allowed by FW decision.
• Two separate log databases: Less visibility with more effort. Informed policy decisions require more effort, slowing reaction time.
• No concept of unknown traffic: Increased risk. Unknown is found on every network = low volume, high risk. More work, less flexible. Significant effort to investigate; limited management.
• No shared context: More work, less knowledge, slower reaction time. Finding and correlating app, user, content requires significant effort.
*Based on Palo Alto Networks Application Usage and Risk Report
A Unique Approach to Protecting your Network
APT protection
• Scan ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics
• Prevent attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
• Detect zero day malware & exploits using a public/private cloud and automatically create signatures for the global customer base
WildFire: Stopping the Unknowns
• 10Gbps advanced threat visibility and prevention on all traffic, all ports (web, email, SMB, etc.)
• Malware run in the cloud with open internet access to discover C2 protocols, domains, URLs and staged malware downloads
• New malware signatures automatically created by WildFire and delivered to customers globally
• Global intelligence and protection delivered to all users
• Stream-based malware engine performs ongoing in-line enforcement
• On-premises WildFire appliance available for additional data privacy
[Figure: the WildFire cloud, the optional WildFire Appliance and WildFire users. Observed during analysis: command-and-control, staged malware downloads, host ID and data exfil. Protections delivered: anti-malware signatures, DNS intelligence, malware URL database, anti-C2 signatures. Additional inputs: soak sites, sinkholes, 3rd party sources.]
Feb 2014: Continued Security Business Uncertainty
The company could cut $200 million in annual operating costs and buy back $2.5 billion in stock immediately and an additional $1 billion in 2015, Elliott said in a presentation of its proposals. Juniper should also review its security and switching businesses to streamline products, and “focus on projects and areas where Juniper has clear competencies and the greatest risk-adjusted return on investment,” Elliott said.
Security commitment?
Our next-generation enterprise security platform
Next-Generation Firewall
• Inspects all traffic
• Blocks known threats
• Sends unknown to cloud
• Extensible to mobile & virtual networks
Threat Intelligence Cloud
• Gathers potential threats from network and endpoints
• Analyses and correlates threat intelligence
• Disseminates threat intelligence to network and endpoints
Advanced Endpoint Protection
• Inspects all processes and files
• Prevents both known & unknown exploits
• Integrates with cloud to prevent known & unknown malware
Migration Best Practices
From Consulting Services
Perceived Port/Protocol/IP Migration Challenges
• Cost (people and time): perception of workload and a lot of tedious typing to migrate from your current configuration
• Risk: moving configurations can seem daunting and seem to involve a lot of risk
• Legacy policy: policies were originally created with the mindset of port / protocol / IP and not optimized for applications and users
• Lost history: many companies face “policy bloat” and “cruft” in their firewall configurations
Performing the Migration
An effective migration requires a combination of people, process, and technology to efficiently and effectively migrate from legacy firewalls to Palo Alto Networks. This approach reduces potential risks and lowers cost.
• People: the engineers performing the task need knowledge of the current platform and Palo Alto Networks
• Technology: migration tools can automate the routine conversion tasks, reducing effort (cost) and risk
• Process: any migration should follow a proven methodology and process (audit, analyze, migrate, cutover)
The Spectrum of Conversion Options
Many options exist when performing the initial conversion from IP/port/protocol to user/application-based policies. There is a spectrum of options, each with pros/cons and potential risk.
Initial policy / object conversion options, from less risk / lower effort / small reward to more risk / higher effort / big reward:
1. Migrate objects and policies “as is”
2. Policy / object “cleanup”
3. Policy / object “cleanup” + move to application policies
4. Migrate to user/application policies
Palo Alto Networks Firewall Migration Tool
• Web 2.0 application delivered as a VMware image
• Parses configurations into a database backend with a web UI frontend
• Provides multiple options: migrate objects & policies; migrate used objects only, or both used and unused objects
• Allows “in-place” editing of PAN-OS objects, services & policies prior to exporting
• Doesn’t replace the need for people with expertise in the current technology and PAN-OS
• Goal of the tool is 85+% policy migration automation
Migration Process - Walk Through
Migrate L4 to L4 (Phase I)
• Reduce the number of rules by combining similar ones, for example by destination address.
• Clean up all unused objects. Clean up disabled rules.
• Change services based on protocols other than TCP/UDP to Palo Alto Networks App-IDs. Example: IKE, IPSEC, GRE.
• Change services with an ALG to Palo Alto Networks App-IDs. Example: FTP, SIP.
• Review & add all NAT rules. Check that the security policies match the destination zones when destination NAT is defined.
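An added example of the Phase I cleanup steps above (not the migration tool's own code; the rules and address objects are constructed): it drops disabled rules, combines adjacent rules that differ only by destination, and lists objects no active rule references. Only adjacent rules are merged, because merging across an intervening deny rule would change what the rulebase allows.

```python
"""Phase I helper (added example, constructed data): drop disabled rules,
combine rules that differ only by destination, and list unused objects."""

# Constructed legacy address objects; "old-proxy" is referenced by no rule
ADDRESSES = {"web1": "10.1.1.10/32", "web2": "10.1.1.11/32",
             "db1": "10.1.2.5/32", "old-proxy": "10.1.9.9/32"}

# Constructed L4 rules in rulebase order (first match wins)
RULES = [
    {"name": "r1", "from": "trust", "to": "dmz", "src": "any", "dst": "web1",
     "svc": "tcp/443", "action": "allow", "disabled": False},
    {"name": "r2", "from": "trust", "to": "dmz", "src": "any", "dst": "web2",
     "svc": "tcp/443", "action": "allow", "disabled": False},
    {"name": "r3", "from": "trust", "to": "dmz", "src": "any", "dst": "db1",
     "svc": "tcp/1433", "action": "allow", "disabled": True},
    {"name": "r4", "from": "dmz", "to": "trust", "src": "web1", "dst": "db1",
     "svc": "tcp/1433", "action": "allow", "disabled": False},
]

def drop_disabled(rules):
    """Disabled rules enforce nothing and only add clutter."""
    return [r for r in rules if not r["disabled"]]

def combine_by_destination(rules):
    """Merge ADJACENT rules whose only difference is the destination.
    Merging non-adjacent rules could hoist traffic above an intervening
    deny rule and change what the rulebase allows, so adjacency is required."""
    merged = []
    for r in rules:
        key = (r["from"], r["to"], r["src"], r["svc"], r["action"])
        if merged and merged[-1]["key"] == key:
            merged[-1]["dst"].append(r["dst"])
            merged[-1]["from_rules"].append(r["name"])
        else:
            merged.append({"key": key, "dst": [r["dst"]], "from_rules": [r["name"]]})
    return merged

def unused_addresses(addresses, rules):
    """Objects no active rule references; candidates for cleanup."""
    referenced = {r[k] for r in rules for k in ("src", "dst")}
    return sorted(n for n in addresses if n not in referenced)

def phase_one(addresses=ADDRESSES, rules=RULES):
    """Run the three cleanup steps and return the consolidated result."""
    active = drop_disabled(rules)
    return {"rules": combine_by_destination(active),
            "unused": unused_addresses(addresses, active)}
```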
Example: Reducing Policy Rules
Due to the simplistic nature of the security rules, we can often combine many policies into one, especially if we can utilize App-ID.
Migration Process - Walk Through (Cont’d)
Migrate from L4 to L7 (Phase II)
• Put the migrated L4 policy on your Palo Alto Networks device and connect it to your network, either in-line (L3, L2, VWire) or off-line (TAP mode).
• From this moment the Palo Alto Networks device will classify all the traffic in your network: it will identify all the applications and generate log entries for the application traffic.
• From the resulting logs we can extract the applications seen by each rule and start to swap from L4 services to App-ID without breaking anything.
Additional Migration Considerations
• Once services have been replaced by App-ID, change the service to “application-default” or leave the previous port. If the application always uses the same port, restrict detection of the application to that port.
Control the Unknown
• From the logs, check for unknown traffic (tcp/udp/p2p) and generate custom signatures to identify custom apps. Use Application Override when needed.
• If you have URL filtering activated, check for the app web-browsing where the category is “unknown”. Generate a proper App-ID to identify this traffic as your custom app instead of web-browsing; this is more efficient.
• Block all the unknown.
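An added example (not the migration tool's own code, run over constructed log lines) of the Phase II step and the Control the Unknown step above: it groups the applications each L4 rule actually carried, proposes the App-ID list that replaces the service, and flags unknown traffic and web-browsing to unknown URLs that need a custom App-ID or Application Override before the service can safely become application-default. The App-ID names unknown-tcp, unknown-udp and unknown-p2p are assumed to be the unknown classifications meant by “tcp/udp/p2p”.

```python
"""Phase II helper (added example, constructed log lines): derive the applications
each L4 rule actually carried and propose the App-ID rule that replaces it."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed extract of traffic logs collected while the L4 policy ran in-line or in TAP mode
LOG = """rule,app,dport,url_category
r1,web-browsing,80,business
r1,ssl,443,any
r2,ssl,443,any
r2,unknown-tcp,8443,any
r5,web-browsing,8080,unknown
r5,web-browsing,8080,unknown
"""
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp", "unknown-p2p"}  # assumed App-ID names

def parse_log(text):
    return list(csv.DictReader(StringIO(text)))

def apps_by_rule(entries):
    """rule -> app -> {ports seen, URL categories seen}"""
    seen = defaultdict(lambda: defaultdict(lambda: {"ports": set(), "cats": set()}))
    for e in entries:
        rec = seen[e["rule"]][e["app"]]
        rec["ports"].add(int(e["dport"]))
        rec["cats"].add(e["url_category"])
    return seen

def propose(entries):
    """Per rule: the App-ID list to use, the service to set, and what to resolve first."""
    out = {}
    for rule, apps in apps_by_rule(entries).items():
        keep, todo = [], []
        for app, rec in sorted(apps.items()):
            ports = sorted(rec["ports"])
            if app in UNKNOWN_APPS:
                todo.append(f"{app} on {ports}: write a custom App-ID or use Application Override")
            elif app == "web-browsing" and rec["cats"] == {"unknown"}:
                todo.append(f"web-browsing on {ports} to unknown URLs: likely a custom app, write an App-ID")
            else:
                keep.append(app)
        # application-default is safe once every app on the rule is a known App-ID;
        # until then keep the previous L4 port so the rule is not silently widened
        service = "application-default" if not todo else "keep previous L4 service"
        out[rule] = {"application": keep, "service": service, "todo": todo}
    return out
```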
Threat Prevention
• Activate WildFire where the apps can transfer files (PE, PDF, Office, APK, Jar).
• Activate IPS/AV/SPY profiles on your rules. Use the migration tool to do it in bulk.
User-ID
• Integrate with your user repository to move from static IP addresses to users and groups. This improves visibility and supports mobility.
Migration Tool – Juniper Caveats
Objects in Address-Books
• Check whether an object was defined in many address-books (one per zone). If the definitions are equal, import it only once.
• Check whether the IP address/port differs by zone. If it differs, use different names to avoid duplicate-name errors.
Policies and Zones
• Policies can be reduced simply because a rule can use more than one zone, or the zone ANY. There is potential for significant rule reductions here.
• Customer with 4,623 rules: direct reduction by 3 just by working with zones.
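An added example (not the migration tool's own code; the per-zone address books are constructed) of the address-book caveat above: identical definitions found in several zone address-books are imported once, and names whose value differs by zone are suffixed with the zone so no duplicate-name error occurs, with a rename map so the rules that referenced them can be rewritten.

```python
"""Juniper address-book import (added example, constructed data): identical
per-zone definitions are imported once, conflicting ones get zone-suffixed names."""
from collections import defaultdict

# Constructed per-zone address books, as found in a zone-based Juniper config
ADDRESS_BOOKS = {
    "trust":   {"srv-mail": "10.1.1.25/32", "srv-web": "10.1.1.80/32"},
    "untrust": {"srv-mail": "10.1.1.25/32", "srv-web": "203.0.113.80/32"},
    "dmz":     {"srv-mail": "10.1.1.25/32"},
}

def flatten_address_books(books):
    """Return (objects, renames): objects is the de-duplicated object set for the
    new config; renames maps (zone, old name) to the name rules must now reference."""
    variants = defaultdict(dict)          # name -> value -> [zones defining it]
    for zone, objs in sorted(books.items()):
        for name, value in objs.items():
            variants[name].setdefault(value, []).append(zone)
    objects, renames = {}, {}
    for name, by_value in variants.items():
        if len(by_value) == 1:            # same value in every zone: import once
            value, = by_value
            objects[name] = value
            continue
        for value, zones in by_value.items():   # differs per zone: keep them apart
            for zone in zones:
                new_name = f"{name}-{zone}"
                objects[new_name] = value
                renames[(zone, name)] = new_name
    return objects, renames
```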
Best Practices to Make Your Migration Successful
1. Align people, process and technology
2. Understand conversion options and optimize policies (ports vs. apps)
3. Utilize the migration tool to automate conversion tasks (objects, rule base)
4. Validate accuracy and verify changes
5. Post migration:
   • Implement custom App-IDs
   • Rule cleanup: use the “Highlight Unused Policies” feature to clean up post-migration
   • Enable additional security features (User-ID, Content-ID, WildFire, etc.)
Get Your Free AVR Report
Find out which applications and threats are on your network with a FREE assessment from Palo Alto Networks.
Palo Alto Networks Application Visibility and Risk Report (AVR):
• Request an evaluation
• Place Palo Alto Networks inside your network
• We’ll tell you what applications and threats we see in your network!
Register today at: http://connect.paloaltonetworks.com/JuniperMigration