Palo alto networks_customer_overview_november2011-short

Palo Alto Networks Overview
November 2011

About Palo Alto Networks

• Palo Alto Networks is the Network Security Company

• World-class team with strong security and networking experience
- Founded in 2005, first customer July 2007, top-tier investors

• Builds next-generation firewalls that identify / control 1,300+ applications
- Restores the firewall as the core of enterprise network security infrastructure

- Innovations: App-ID™, User-ID™, Content-ID™

• Global momentum: 6,000+ customers
- August 2011: Annual bookings run rate is over US$200 million*, cash-flow positive last
five consecutive quarters

•A few of the many enterprises that have deployed more than $1M

Page 2 | © 2011 Palo Alto Networks. Proprietary and Confidential.
(*) Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable
orders received during the fiscal period. Palo Alto Networks’ fiscal year runs from August 1st until July 31st.

Next-Generation Firewalls Are Network Security


2011 Magic Quadrant for Enterprise Network Firewalls


Applications Have Changed; Firewalls Have Not
The firewall is the right place
to enforce policy control
• Sees all traffic
• Defines trust boundary
• Enables access via positive
control

BUT…applications have changed
• Ports ≠ Applications
• IP Addresses ≠ Users
• Packets ≠ Content

Need to restore visibility and control in the firewall

Enterprise 2.0 Applications and Risks Widespread

Palo Alto Networks’ latest Application Usage & Risk
Report highlights actual behavior of 1M+ users in 1253
organizations
- More enterprise 2.0 application use for personal and
business reasons.
- Tunneling and port hopping are common
- Bottom line: all had firewalls, most had IPS, proxies, &
URL filtering – but none of these organizations could
control what applications ran on their networks


Technology Sprawl & Creep Are Not The Answer

Internet

• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Putting all of this in the same box is just slow


The Right Answer: Make the Firewall Do Its Job

New Requirements for the Firewall

1. Identify applications regardless of port,
protocol, evasive tactic or SSL

2. Identify users regardless of IP address

3. Protect in real-time against threats
embedded across applications

4. Fine-grained visibility and policy control
over application access / functionality

5. Multi-gigabit, in-line deployment with no
performance degradation


Why Visibility & Control Must Be In The Firewall
Application Control as an Add-on
• Port-based FW + App Ctrl (IPS) = two policies
Traffic Port
• Applications are threats; only block what you
Firewall IPS expressly look for

Applications Implications
• Network access decision is made with no
•Port Policy •App Ctrl Policy information
Decision Decision
• Cannot safely enable applications

NGFW Application Control
• Application control is in the firewall = single policy Traffic Application
• Visibility across all ports, for all traffic, all the time
Firewall IPS
Implications
• Network access decision is made based on Applications
application identity
•App Ctrl Policy •Scan Application
• Safely enable application usage Decision for Threats


Your Control With a Next-Generation Firewall

Safely enable the
Only allow the
applications relevant
apps you need
to your business

» Traffic limited to » Complete threat library with no
approved business blind spots
use cases based on
App and User  Bi-directional inspection
» Attack surface  Scans inside of SSL
reduced by orders of  Scans inside compressed
magnitude files

» The ever-expanding  Scans inside proxies and
universe of applications, tunnels
services and threats

Identification Technologies Transform the Firewall

•App-ID™
•Identify the application

•User-ID™
•Identify the user

•Content-ID™
•Scan the content


Single-Pass Parallel Processing™ (SP3) Architecture
Single Pass
• Operations once per
packet
- Traffic classification (app
identification)
- User/group mapping
- Content scanning –
threats, URLs,
confidential data
• One policy

Parallel Processing
• Function-specific parallel
processing hardware
engines
• Separate data/control
planes

•Up to 20Gbps, Low Latency

PA-5000 Series Architecture

RAM RAM
• Highly available mgmt Signature Match HW Engine
• High speed logging and • Stream-based uniform sig. match RAM RAM
route update
• Dual hard drives
• 40+ processors
• Vulnerability exploits (IPS), virus,
Signature
Match
Signature
Match
spyware, CC#, SSN, and more RAM RAM

• 30+ GB of RAM RAM RAM
RAM
• Separate high speed data and
10Gbps 10Gbps

Quad-core RAM
CPU CPU CPU CPU
control planesCPU RAM
RAM CPU CPU CPU CPU ... CPU RAM
HDD ... ...
1 2 12 RAM 1 2 12 RAM 1 2 12 RAM
HDD

Control Plane SSL • 20Compress. firewall IPSec Compress.
IPSec
De-
Gbps SSL
De-
throughput SSL IPSec
De-
Compress.

• 10 Gbps threat prevention throughput
20Gbps
• 80 Gbps switch fabric
Security Processors
interconnect
• 20 Gbps QoS engine
• 4 Million concurrent sessions
• High density parallel processing
for flexible security Route,
functionality Flow Network Processor
ARP,
• Hardware-acceleration for MAC
NAT • 20 Gbps front-end network
Switch control
QoS standardized complex functions lookup processing
Fabric (SSL, IPSec, decompression) • Hardware accelerated per-packet
route lookup, MAC lookup and
Switch Fabric Data Plane NAT


PAN-OS Core Firewall Features
Visibility and control of applications, users and content
complement core firewall features PA-5060

• Strong networking foundation • Zone-based architecture PA-5050
- Dynamic routing (BGP, OSPF, RIPv2) - All interfaces assigned to
security zones for policy
- Tap mode – connect to SPAN port enforcement PA-5020
- Virtual wire (“Layer 1”) for true
transparent in-line deployment • High Availability
PA-4060
- L2/L3 switching foundation - Active/active, active/passive
- Policy-based forwarding - Configuration and session
synchronization PA-4050
• VPN - Path, link, and HA monitoring
- Site-to-site IPSec VPN
PA-4020
- SSL VPN • Virtual Systems
- Establish multiple virtual firewalls
• QoS traffic shaping in a single device (PA-5000, PA-
PA-2050
4000, and PA-2000 Series)
- Max/guaranteed and priority
PA-2020
- By user, app, interface, zone, & more • Simple, flexible
- Real-time bandwidth monitor management PA-500
- CLI, Web, Panorama, SNMP,
Syslog PA-200


Introducing GlobalProtect

• Users never go “off-network” regardless of location
• All firewalls work together to provide “cloud” of network
security
• How it works:
- Small agent determines network
location (on or off the enterprise
network)
- If off-network, the agent
automatically connects the laptop to
the nearest firewall via SSL VPN
- Agent submits host information
profile (patch level, asset type, disk
encryption, and more) to the
gateway
- Gateway enforces security policy
using App-ID, User-ID, Content-ID
AND host information profile


Enterprise-Wide Next-Generation Firewall Protection
•Perimeter •Data Center •Distributed Enterprise

•Branch •Remote
Office Users

• Identify and control applications, • Network segmentation based on users • Extending consistent security to all users
users and content and applications and locations
• Positive enablement • High performance threat prevention • Visibility and control over applications,
users and content

Same Next-Generation Firewall, Different Benefits…

Comprehensive View of Applications, Users & Content
• Application Command
Center (ACC)
- View
applications, URLs, threat
s, data filtering activity
• Add/remove filters to
achieve desired result

Filter on Facebook-base Filter on Facebook-base Remove Facebook to
and user cook expand view of cook

Palo Alto Networks Next-Gen Firewalls

PA-5060 PA-5050 PA-5020
• 20 Gbps FW/10 Gbps threat • 10 Gbps FW/5 Gbps threat • 5 Gbps FW/2 Gbps threat
prevention/4,000,000 sessions prevention/2,000,000 sessions prevention/1,000,000 sessions
• 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 • 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 • 8 SFP, 12 copper gigabit
copper gigabit copper gigabit

PA-4060 PA-4050 PA-4020
• 10 Gbps FW/5 Gbps threat • 10 Gbps FW/5 Gbps threat • 2 Gbps FW/2 Gbps threat
prevention/2,000,000 sessions prevention/2,000,000 sessions prevention/500,000 sessions
• 4 XFP (10 Gig), 4 SFP (1 Gig) • 8 SFP, 16 copper gigabit • 8 SFP, 16 copper gigabit

PA-2050 PA-2020 PA-500 PA-200
• 1 Gbps FW/500 Mbps • 500 Mbps FW/200 Mbps • 250 Mbps FW/100 Mbps • 100 Mbps FW/50 Mbps
threat threat threat prevention/64,000 threat prevention/64,000
prevention/250,000 prevention/125,000 sessions sessions
sessions sessions • 8 copper gigabit • 4 copper gigabit
• 4 SFP, 16 copper gigabit • 2 SFP, 12 copper gigabit
Page 18 | © 2011 Palo Alto Networks. Proprietary and Confidential

Addresses Three Key Business Problems
• Identify and Control Applications
- Visibility of over 1300 applications, regardless of port, protocol, encryption, or
evasive tactic
- Fine-grained control over applications (allow, deny, limit, scan, shape)
- Addresses the key deficiencies of legacy firewall infrastructure
• Prevent Threats
- Stop a variety of threats – exploits (by vulnerability), viruses, spyware
- Stop leaks of confidential data (e.g., credit card #, social security #, file/type)
- Stream-based engine ensures high performance
- Enforce acceptable use policies on users for general web site browsing
• Simplify Security Infrastructure
- Put the firewall at the center of the network security infrastructure
- Reduce complexity in architecture and operations


Thank You


Palo alto networks_customer_overview_november2011-short

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (17)

Ähnlich wie Palo alto networks_customer_overview_november2011-short

Ähnlich wie Palo alto networks_customer_overview_november2011-short (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Palo alto networks_customer_overview_november2011-short

Hinweis der Redaktion