GlobalProtect Product Presentation
GlobalProtect
Product Presentation
Agenda
Overview of GlobalProtect
Technical Details
Use Cases
Overview
Challenge: Quality of Security Tied to Location
[Diagram: Headquarters and Branch Offices are enterprise-secured with full protection, while users at the Airport, Home Office and Hotel face malware, exploits and botnets]
4 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Hotel: exposed to threats, risky apps, and data leakage
Existing Approaches Fall Short
[Diagram: three ways of reaching Corp Resources while exposed to exploits, malware and botnets]
• Traditional VPN: indeterminate security
• Always-on VPN: inconsistent security
• Mix of Proxies (Web) + VPN (Non-Web): both indeterminate and inconsistent security
GlobalProtect: Consistent Security Everywhere
[Diagram: endpoints exposed to exploits, malware and botnets connecting to firewalls at Headquarters and the Branch Office]
• VPN connection to a purpose-built firewall that is performing the security work
• Automatic protected connectivity for users both inside and outside
• Unified policy control, visibility, compliance & reporting
How GlobalProtect Works
What GlobalProtect replaces
Existing Point Products -> Next-Generation Firewall Components
• VPN/Remote Access -> External Gateways
• Network Access Control -> Host Information Profile + Internal Gateways at Layer 3
• Internet Proxy -> Threat Prevention + URL Filtering
GlobalProtect Licensing
Licensing based on Portals and Gateways (firewall), not users
[Table: which deployment types (Single Gateway, Multiple Gateway, Internal Gateway, HIP check, Mobile App) require the Portal License and which require the Gateway Subscription]
Portal – one-time perpetual license
• Required on the device that would run Portal
• Required for multi-gateway deployments
• Required for internal gateways
Gateway – annual subscription
• Required on the devices that would check host profile
• Required on the devices that would connect iOS and Android app
• Provides ongoing content updates to check the host profile
GlobalProtect
Technical Details
GlobalProtect Components
[Diagram: endpoint with GlobalProtect Agent connecting to a combined Portal and Gateway and to standalone Gateways]
GlobalProtect Portal
• Central authority for GlobalProtect
• Provides list of known gateways
• Provides certificates to validate gateways
• Hosts GlobalProtect agent for initial download
• May be installed on same device as a GlobalProtect Gateway
GlobalProtect Gateway
• Provides tunnel termination points
• Enforces security policy for connected users
GlobalProtect Agent
• Software that runs on endpoint
• Supported on Windows 8, Windows 7, Windows Vista 32/64bit
• Mac OS X 10.6/10.7/10.8 (PAN-OS 4.1)
• iOS 5.1+
• Android 4.0.3+
Third Party IPSec Client Support
• iOS 4.3+
• Android 4.0.3+
• Linux vpnc
External User Sequence - Step 1
[Diagram: Portal and Gateway authenticating users against LDAP / Radius / Kerberos, with additional Gateways reachable over a Site to Site IPSec tunnel]
User authenticates to portal
Portal pushes
• Certificates
• List of Gateways
• Agent software updates
• Host internal/external detection parameters
• Host check requirements
External User Sequence - Step 2
Agent determines if it is inside or outside the corporate network
External User Sequence - Step 3
Agent checks available GWs
Automatically connects to the best gateway over an SSL/IPsec VPN tunnel
External User Sequence - Step 4
User moves to new location
Automatically connects to the new best gateway over an SSL/IPsec VPN tunnel
Internal User Sequence - Step 1
[Diagram: user on the LAN reaching the Portal and Gateway in front of the Data Center Firewall]
User authenticates to portal
Portal pushes
• Certificates
• List of Gateways
• Agent software updates
• Host internal/external detection parameters
• Host check requirements
Internal User Sequence - Step 2
Agent determines if it is inside or outside the corporate network
Internal User Sequence - Step 3
Agent sends user and HIP information to gateway for policy enforcement
The tunnel for internal users is optional
Architecture
Example deployment scenario
[Diagram: Remote Users reach a Portal / Gateway at 76.220.12.43 (static NAT on the router maps 76.220.12.43 to 192.168.1.2 on the 192.168.1.0/30 link) and a second external Gateway at 72.5.13.1; the two sites are joined by a Site to Site IPSec tunnel; an Internal Gateway at 10.1.1.1 serves the Data Center LAN]
Function / IP address
• Portal: 76.220.12.43
• External Gateway: 76.220.12.43
• External Gateway: 72.5.13.1
• Internal Gateway: 10.1.1.1
Portal Failure Scenario
Single Portal Failure Scenario: Portal is not available; existing GlobalProtect users connect to gateway using cached configuration
Portal with High Availability: Portal in an HA Pair (HA Link) provides redundancy
Same Gateway for External / Internal
[Diagram: one firewall acting as External Gateway on Ethernet 2 (External Users) and Internal Gateway on Ethernet 1 (Internal Users), with Ethernet 3 toward the DMZ and Data Center]
Gateway Failure Scenario
Single Gateway Failure Scenario (Gateway New York, Gateway Toronto): when gateway is unavailable, agent can automatically make connection to next best gateway
Gateway High Availability: Gateway New York in an HA pair (HA Link), plus Gateway Toronto
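The external user sequence above (inside/outside detection in Step 2, best-gateway selection in Step 3, re-selection after a move in Step 4) and the single-gateway failure scenario describe one decision procedure. The following Python model is an added example, not Palo Alto Networks code: the detection rule (an internal hostname that only resolves to an expected address on the corporate LAN), the latency probe, the pairing of the gateway names New York and Toronto with the addresses from the architecture slide, and the tie-break by priority are all assumptions.

```python
"""Illustrative model of GlobalProtect agent gateway selection.
Added example, not vendor code; detection rule, probe and gateway
names/addresses pairing are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Gateway:
    name: str
    address: str
    priority: int = 1  # lower value preferred when latencies tie (assumption)


@dataclass
class AgentConfig:
    """Configuration pushed by the portal in Step 1 (constructed sample)."""
    gateways: List[Gateway]
    internal_host: str          # host internal/external detection parameter
    internal_host_address: str  # address it resolves to only on the corporate LAN


def is_internal(cfg: AgentConfig, resolve: Callable[[str], Optional[str]]) -> bool:
    """Step 2: the agent is inside if the detection host resolves to the
    expected internal address. `resolve` stands in for a DNS lookup."""
    return resolve(cfg.internal_host) == cfg.internal_host_address


def select_gateway(cfg: AgentConfig,
                   probe: Callable[[Gateway], Optional[float]],
                   exclude: frozenset = frozenset()) -> Optional[Gateway]:
    """Step 3: probe every gateway (latency in ms, None if unreachable) and
    pick the reachable one with the lowest latency; `exclude` holds
    gateways that just failed (gateway failure scenario)."""
    candidates = []
    for gw in cfg.gateways:
        if gw.name in exclude:
            continue
        latency = probe(gw)
        if latency is not None:
            candidates.append((latency, gw.priority, gw))
    if not candidates:
        return None
    candidates.sort(key=lambda c: (c[0], c[1]))
    return candidates[0][2]


def connect(cfg: AgentConfig,
            resolve: Callable[[str], Optional[str]],
            probe: Callable[[Gateway], Optional[float]],
            failed: frozenset = frozenset()) -> str:
    """Whole sequence: an internal host needs no external tunnel; an
    external host tunnels to the best gateway, skipping failed ones."""
    if is_internal(cfg, resolve):
        return "internal: no external tunnel required"
    gw = select_gateway(cfg, probe, failed)
    if gw is None:
        return "no gateway reachable"
    return f"tunnel to {gw.name} ({gw.address})"


# Constructed sample configuration (name/address pairing is an assumption).
SAMPLE_CFG = AgentConfig(
    gateways=[Gateway("New York", "72.5.13.1"),
              Gateway("Toronto", "76.220.12.43", priority=2)],
    internal_host="gp-detect.corp.example",
    internal_host_address="10.1.1.50",
)
# Constructed latencies: from the airport Toronto is closer, after the
# user moves to a hotel (Step 4) New York is closer.
AIRPORT_LATENCY = {"New York": 80.0, "Toronto": 35.0}
HOTEL_LATENCY = {"New York": 20.0, "Toronto": 90.0}


def probe_from(table: Dict[str, float]) -> Callable[[Gateway], Optional[float]]:
    """Build a probe from a latency table; a missing entry means unreachable."""
    return lambda gw: table.get(gw.name)


def resolve_outside(host: str) -> Optional[str]:
    """On the public Internet the internal detection name does not resolve."""
    return None


def resolve_inside(host: str) -> Optional[str]:
    """On the corporate LAN the detection name resolves to the expected address."""
    return "10.1.1.50" if host == "gp-detect.corp.example" else None


if __name__ == "__main__":
    print(connect(SAMPLE_CFG, resolve_outside, probe_from(AIRPORT_LATENCY)))
    print(connect(SAMPLE_CFG, resolve_outside, probe_from(HOTEL_LATENCY)))
    print(connect(SAMPLE_CFG, resolve_outside, probe_from(HOTEL_LATENCY),
                  frozenset({"New York"})))
    print(connect(SAMPLE_CFG, resolve_inside, probe_from(AIRPORT_LATENCY)))
```

The third call shows the failure scenario: with New York marked as failed the agent falls through to Toronto even though New York measured faster. The detection step deliberately returns "outside" whenever the lookup does not return the expected address, so a spoofed or missing DNS answer leads to a tunnel being built rather than to the agent trusting the local network.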
Additional Use Cases
Consistent Enforcement of Application Policies
Challenge in Education
o
School boards concerned about inappropriate teacher/student activity on social
media
o
Children’s Internet Protection Act requires school to block adult content
o
Students using web proxies to circumvent URL filters
o
Popular high-bandwidth applications such as bittorrent reduce available resources
Solution
o
Use next-generation firewall
for protection
o
Enforce policy consistently
with GlobalProtect
Page 26 | © 2013 Palo Alto Networks. Proprietary and Confidential.
Consistent Enforcement of Application Policies
[Diagram: Teachers and Students using laptops at home (Always-On GlobalProtect), Teachers and Students using laptops at school, and Personal Devices (Captive Portal) all subject to the same policies]
Policy for Teachers
• Facebook Read/Post: Allow
• Facebook Chat: Block
• Facebook Short URLs: Scan for threats
Policy for Students
• URL Category Adult: Block
• Peer-to-Peer & Proxy: Block
• Streaming Video: QoS
Untrusted Local Network
• Don’t assume everyone should have local network access
• Moving away from “give access to everyone” on LAN to “don’t trust anyone”
• Just like the external scenario, don’t trust anyone internally
Solution
• Use next-generation firewall for protection
• Enforce policy consistently with GlobalProtect
Secure Local Network
[Diagram: GlobalProtect Portal and Gateway between the Internet, a WAP w/WPA2 and the LAN; Employees get LAN access through GlobalProtect, Contractors / Guests get Internet access with safe enablement]
GlobalProtect only permits authorized users with access to LAN resources
Tunnel provides privacy for LAN traffic
Data Center: Enforcing Policy with Host Information Profile
Challenge
• Data center has applications with sensitive data, like customer info
• Concern about access from non-compliant endpoints, such as laptops that do not have hard disk encryption
Solution
• All users must have a compliant endpoint to access customer information
• Users with non-compliant devices use virtual desktop
Enforcing Policy with Host Information Profile
Application policy enforcement at the Data Center:
• Devices with GlobalProtect – Employees on IT managed devices (Corporate Laptop): trusted user with compliant host information profile -> Permit app access
• Devices without GlobalProtect – Contractors on Guest WiFi (Personal Laptop, Captive Portal): trusted user, with neither GlobalProtect nor HIP -> Permit Citrix Only
Features
User Authentication
Authentication Methods Supported:
• Local Database
• LDAP
• RADIUS
• Kerberos
Authentication Factors
• Supports Single Sign-On from Windows authentication
• Username/Password
• X.509 Certificate
• Smartcard + X.509 Certificate
• RSA SecurID
Host Checks
Host checks can be used with security policy to restrict access to resources
Supported on both Windows and Mac
Portal: can be used to set policy for what attributes are evaluated (Host Check, Custom Host Checks)
Gateway: examines the HIP report; controls access to applications based on matches
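The Data Center use case (compliant endpoint gets application access, a trusted user without GlobalProtect or a HIP gets Citrix only) and the Host Checks slide both describe the gateway matching a HIP report against policy. The Python below is an added example, not PAN-OS code: the attribute names, the HIP object format (every condition must match), the rule fields and the top-down first-match evaluation are assumptions chosen to illustrate the slides, not the firewall's actual schema.

```python
"""Illustrative HIP report matching and policy evaluation.
Added example, not PAN-OS code; attribute names, HIP object format and
rule semantics are assumptions."""
from typing import Any, Dict, List, Optional

# HIP objects (assumed semantics: every listed condition must match).
HIP_OBJECTS: Dict[str, Dict[str, Any]] = {
    "disk-encrypted": {"disk_encryption": True},
    "av-current": {"antivirus_installed": True, "antivirus_current": True},
}

# Constructed security rules, evaluated top-down, first match wins.
# An empty "users" or "apps" set means "any"; "hip" lists the HIP objects
# that must all match.
RULES: List[Dict[str, Any]] = [
    {"name": "compliant-to-apps", "users": {"employees"},
     "hip": ["disk-encrypted", "av-current"],
     "apps": {"crm", "citrix"}, "action": "allow"},
    {"name": "trusted-citrix-only", "users": {"employees"},
     "hip": [], "apps": {"citrix"}, "action": "allow"},
    {"name": "deny-rest", "users": set(), "hip": [], "apps": set(),
     "action": "deny"},
]


def hip_matches(report: Optional[Dict[str, Any]], obj_name: str) -> bool:
    """A device without GlobalProtect sends no report, so nothing matches.
    A missing attribute also fails to match: the check fails closed."""
    if report is None:
        return False
    return all(report.get(k) == v for k, v in HIP_OBJECTS[obj_name].items())


def evaluate(user_group: str, app: str, report: Optional[Dict[str, Any]]) -> str:
    """Gateway-side decision for one (user group, application, HIP report)."""
    for rule in RULES:
        if rule["users"] and user_group not in rule["users"]:
            continue
        if rule["apps"] and app not in rule["apps"]:
            continue
        if not all(hip_matches(report, h) for h in rule["hip"]):
            continue
        return f'{rule["action"]} ({rule["name"]})'
    return "deny (no rule)"


# Constructed sample HIP reports.
CORP_LAPTOP = {"disk_encryption": True, "antivirus_installed": True,
               "antivirus_current": True}
UNENCRYPTED = {"disk_encryption": False, "antivirus_installed": True,
               "antivirus_current": True}
PARTIAL = {"antivirus_installed": True, "antivirus_current": True}  # no disk attribute

if __name__ == "__main__":
    print(evaluate("employees", "crm", CORP_LAPTOP))      # allow (compliant-to-apps)
    print(evaluate("employees", "crm", UNENCRYPTED))      # deny (deny-rest)
    print(evaluate("employees", "citrix", UNENCRYPTED))   # allow (trusted-citrix-only)
    print(evaluate("employees", "citrix", None))          # allow (trusted-citrix-only)
    print(evaluate("employees", "crm", PARTIAL))          # deny (deny-rest)
    print(evaluate("contractors", "crm", CORP_LAPTOP))    # deny (deny-rest)
```

The last two calls show the cases worth testing in a real deployment: a report that omits an attribute the portal was supposed to collect must not be treated as compliant, and a compliant device does not help a user who is outside the rule's user scope.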
GlobalProtect for User-ID
GlobalProtect agent can identify users for User-ID purposes
Works with and without a tunnel
User identification must be enabled on the zone where the gateway interface is located
IP to user mapping happens once the user successfully connects to the gateway.
GlobalProtect for iOS and Android
Available on App Store / Google Play
Supports Always-on Connection
Supports Automatic / Manual Gateway Selection
iOS IPsec Client Support
Compatibility with iOS
- Compatible with iOS 4.3 and later
- Uses the IPSec VPN Client on the iOS device
- Support for group secret and device certificates.
- Remote access VPN can be configured on the iPhone/iPad through iOS Configuration Utility (send profile via email or web) or using MDM from technology partners
Android IPsec Client Support
Compatibility with Android
- Compatible with Android 4.0.3+
- Uses the IPSec VPN Client
- Support for group secret and device certificates.
Demo
Demonstration of the User Experience
Demonstration of the Admin Experience
New Features for GlobalProtect in PAN-OS 5.0
Overview
Manual gateway selection
Machine authentication
3rd Party Clients: vpnc IPsec client support
Localization
Manual Gateway Selection
Allows users to manually select specific gateways
Any rediscovery event will revert to Auto Discovery mode
User may also manually revert to Auto Discovery mode
Manual Gateway Selection (On-Demand Mode)
[Flowchart]
1. User enables GlobalProtect in Windows
2. Agent contacts Portal
3. Agent downloads configuration
4. Did user select a gateway?
   • Yes: Agent contacts selected gateway; Agent closes previously connected tunnel (if necessary); GlobalProtect tunnel established
   • No: Agent discovers gateways using standard methods
Manual Gateway Selection Persistence
Some actions taken by a user will switch GlobalProtect agent back to default mode:
• Rediscovery
• Logoff, then login
• Restart computer
• Switch to another user, then switch back
• User selects Auto discovery from the Connect to... Menu
• Tunnel is terminated due to the user closing his laptop (sleep/standby/hibernate)
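The on-demand flowchart and the persistence list above together define a small state machine: a manual selection survives reconnects until one of the listed events clears it. The following Python model is an added example, not Palo Alto Networks code. The event names, the portal stand-in, the simplified discovery rule (first reachable gateway in portal order), the choice of which events also tear down the tunnel, and the handling of a selected gateway that the portal no longer lists are all assumptions.

```python
"""Illustrative state machine for manual gateway selection (on-demand
mode) and the events that revert to auto discovery. Added example, not
vendor code; event names, discovery rule and tunnel teardown choices
are assumptions."""
from typing import Dict, List, Optional

# Events from the persistence slide that switch the agent back to auto
# discovery mode (names are assumptions).
REVERT_EVENTS = {
    "rediscovery", "logoff_login", "restart", "user_switch",
    "select_auto_discovery", "tunnel_terminated_sleep",
}
# Subset assumed to also drop the existing tunnel.
TUNNEL_DROPPING_EVENTS = {"rediscovery", "logoff_login", "restart",
                          "tunnel_terminated_sleep"}


class Agent:
    def __init__(self, portal_config: Dict[str, List[str]]):
        self._portal_config = portal_config   # stands in for the Portal
        self.gateways: List[str] = []
        self.selected: Optional[str] = None   # None = auto discovery mode
        self.tunnel: Optional[str] = None
        self.log: List[str] = []

    def select_gateway(self, name: str) -> None:
        """User picks a gateway from the Connect to... menu."""
        self.selected = name

    def on_event(self, event: str) -> None:
        """Any listed event clears the manual selection."""
        if event in REVERT_EVENTS:
            self.selected = None
        if event in TUNNEL_DROPPING_EVENTS:
            self.tunnel = None

    def connect(self, reachable: Dict[str, bool]) -> Optional[str]:
        """On-demand flow: contact portal, download configuration, then
        branch on whether the user selected a gateway."""
        self.gateways = list(self._portal_config["gateways"])
        if self.selected is not None and self.selected not in self.gateways:
            # Assumed failure handling: a selection the portal no longer
            # lists is discarded rather than contacted blindly.
            self.log.append(f"selected gateway {self.selected} unknown; reverting to auto")
            self.selected = None
        if self.selected is not None:
            target: Optional[str] = self.selected
        else:
            target = self._discover(reachable)
        if target is None:
            self.tunnel = None
            return None
        if self.tunnel is not None and self.tunnel != target:
            self.log.append(f"closing tunnel to {self.tunnel}")  # close previous tunnel
        self.tunnel = target
        return target

    def _discover(self, reachable: Dict[str, bool]) -> Optional[str]:
        """Standard discovery, simplified to the first reachable gateway in
        portal order (assumption)."""
        for gw in self.gateways:
            if reachable.get(gw):
                return gw
        return None


# Constructed sample: the portal lists two gateways, both reachable.
PORTAL = {"gateways": ["New York", "Toronto"]}
REACHABLE = {"New York": True, "Toronto": True}


def walkthrough() -> List[Optional[str]]:
    """Auto connect, manual switch to Toronto, restart reverts to auto."""
    agent = Agent(PORTAL)
    first = agent.connect(REACHABLE)      # auto -> New York
    agent.select_gateway("Toronto")
    second = agent.connect(REACHABLE)     # manual -> Toronto, closes NY tunnel
    agent.on_event("restart")
    third = agent.connect(REACHABLE)      # selection cleared -> New York
    return [first, second, third]


if __name__ == "__main__":
    print(walkthrough())
```

Selecting Auto discovery from the menu clears the selection without dropping the tunnel; the next connect then discovers again and closes the old tunnel only if the discovered gateway differs.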
Machine Authentication
Pre-logon connection
GlobalProtect can be configured to establish a connection using an already deployed machine certificate.
VPN connection will be established before the user logs onto the machine.
All AD policies and changes, software distribution and system management can be applied even to remote users if tunnel is established.
© 2010 Palo Alto Networks. Proprietary and Confidential.
Machine Authentication
Username not known at the time the connection is established, generic “prelogon user” is reported to User-ID instead.
Can be used in policy to restrict access to authentication resources (see sample).
Username is reported to gateway once the user logs in.
Machine Authentication
Connection and authentication flow
• Certificates need to be pre-deployed
• Customers requiring this feature have PKIs deployed already
• Agent uses machine certificates matching the accepted CAs of the gateway
• Pre-logon username is updated as soon as user logs in and GlobalProtect Agent starts.
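The GlobalProtect for User-ID slide (mapping created when the user connects to the gateway, only in a zone with User-ID enabled) and the machine authentication slides (a generic pre-logon user reported before login, replaced by the real username once the agent starts) describe the lifecycle of one IP-to-user mapping. The Python below is an added example, not PAN-OS code; the "prelogon" label, the event names, the zone model and the list of services a pre-logon machine is allowed to reach are assumptions standing in for the sample policy the slide refers to.

```python
"""Illustrative User-ID mapping lifecycle for GlobalProtect, including
pre-logon machine authentication. Added example, not PAN-OS code; the
PRELOGON_USER label, event names, zone model and AUTH_SERVICES are
assumptions."""
from typing import Dict, List, Optional, Set

PRELOGON_USER = "prelogon"  # generic identity reported before a user logs in
# Authentication resources a pre-logon machine needs (assumed sample policy):
AUTH_SERVICES = {"dns", "ldap", "kerberos"}


class UserIdTable:
    def __init__(self, userid_zones: Set[str]):
        # The mapping is only consulted in zones where User-ID is enabled,
        # i.e. the zone holding the gateway interface.
        self.userid_zones = userid_zones
        self.mapping: Dict[str, str] = {}

    def tunnel_up_machine_cert(self, ip: str) -> None:
        """Pre-logon tunnel established with a machine certificate."""
        self.mapping[ip] = PRELOGON_USER

    def gateway_login(self, ip: str, username: str) -> None:
        """User authenticated to the gateway (with or without a tunnel):
        this is when the IP-to-user mapping normally appears."""
        self.mapping[ip] = username

    def user_logged_in(self, ip: str, username: str) -> None:
        """Agent starts after Windows login and reports the real username,
        replacing the pre-logon placeholder only."""
        if self.mapping.get(ip) == PRELOGON_USER:
            self.mapping[ip] = username

    def tunnel_down(self, ip: str) -> None:
        self.mapping.pop(ip, None)

    def lookup(self, zone: str, ip: str) -> Optional[str]:
        if zone not in self.userid_zones:
            return None  # failure mode: User-ID not enabled on this zone
        return self.mapping.get(ip)


def allowed(table: UserIdTable, zone: str, ip: str, service: str) -> bool:
    """Sample policy: unknown source denied, pre-logon machine limited to
    authentication resources, a logged-in user allowed through."""
    user = table.lookup(zone, ip)
    if user is None:
        return False
    if user == PRELOGON_USER:
        return service in AUTH_SERVICES
    return True


def scenario() -> List[Optional[str]]:
    """Constructed walk-through: machine connects, user logs in, zone check."""
    t = UserIdTable({"vpn"})
    t.tunnel_up_machine_cert("10.9.0.5")
    before = t.lookup("vpn", "10.9.0.5")          # "prelogon"
    t.user_logged_in("10.9.0.5", "corp\\alice")
    after = t.lookup("vpn", "10.9.0.5")           # "corp\\alice"
    wrong_zone = t.lookup("trust", "10.9.0.5")    # None: User-ID not enabled
    return [before, after, wrong_zone]


if __name__ == "__main__":
    print(scenario())
```

The `allowed` check is where the slide's advice lands: a tunnel that came up on a machine certificate alone should see only what a machine needs to complete a domain login, and the broader access follows the identity update, not the tunnel.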
3rd Party Client Support
New: Now supports vpnc
Common VPN client used on Unix systems with Cisco Concentrators
Tested on Ubuntu Linux and CentOS
Supports pre-shared key for IKE
Localization
Localized GlobalProtect Agent UI
Japanese
Chinese (simplified)
French
Spanish
German (GlobalProtect only)