Palo Alto Networks
Just another Firewall?
Matthias J. Canisius
Regional Manager DACH
mcanisius@paloaltonetworks.com
Evolution
© 2009 Palo Alto Networks. Proprietary and Confidential.Page 2 |
•Packet Filter
•Stateful Inspection
•Proxy Firewall
•Deep Packet Inspection
Next Generation Firewall
•Static applications
•Web applications
•"Social Network/Media"
•Web 2.0
•Enterprise 2.0
Facts...
• Facebook: 100 million new users within 9 months (TV needed 13 years to reach 50 million)
• 80% of all companies use LinkedIn or Xing as a source for finding new employees
• YouTube is the 2nd largest search engine in the world, with over 100 million videos
• Wikipedia has over 13 million articles and is considered more comprehensive than the Encyclopaedia Britannica (78% of its articles are not in English)...
• (R)evolution!?
Why a Next Generation Firewall?
Need to Restore Visibility and Control in the Firewall
Firewalls should detect and control applications, users and attacks . . .
• . . . yet they only control ports, protocols and IP addresses – meaningless.
The end of control?
• Intelligent applications evade your security (evasive attacks)
- Port hopping, "non-standard" ports, tunneling (port 80), …
• Threats take place at the application layer (SANS Top 20)
• Users are becoming more creative
- Active circumvention of security policies (bypassing via Ultrasurf, …)
• Or the application itself carries the risk
- P2P file sharing, tunneling, videos, …
So far – the more, the better?
• Complex and expensive to acquire and operate
• Not particularly high-performance
• No real visibility and control
New requirements
1. Identification of applications regardless of port, protocol, SSL tunnel …
2. Identification of users regardless of IP address
3. Granular visibility and control over access to and functions of applications
4. Real-time protection against attacks embedded in applications
5. Multi-gigabit, in-line deployment without performance penalties
Next Generation Firewall™
The solution
•App-ID
•Identification of the application
Application Identification Components
Protocol Decoders
• Detect protocol in protocol
• Provide context for signatures
Protocol Decryption
• Man-in-the-middle SSL decryption
Application Signatures
• Detect applications initiating
Heuristics
• Uses patterns of communication
Application Identification - Signatures
•Protocol Decoders
•Decryption
•Application Signatures
(Diagram: SSL → Forward proxy → HTTP → webex → Webex desktop sharing; labelled "Mode shift")
Application identification - Heuristics
•Heuristics
•Protocol Decoders
(Diagram: Unknown → Encrypted Bittorrent → Azureus; labelled "Examine communications")
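Added example for slides 10 to 12, written for this page and not code from the original deck or from Palo Alto Networks: a toy, port-independent classifier that runs the decoder, decryption, signature and heuristic chain over constructed flow records, records each mode shift, and compares the verdict with a port-based lookup. The TLS and BitTorrent byte prefixes are real protocol constants; the webex and desktop-sharing signatures, the entropy heuristic, the application labels and the policy are constructed for the illustration.

```python
"""Toy port-independent application identification, modelled on the App-ID
component chain the slides name (protocol decoders, decryption, signatures,
heuristics). Constructed illustration only: not Palo Alto Networks code; the
signatures, labels, heuristic threshold and flow records are made up here."""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed "signatures" (a real product ships a maintained database).
TLS_HANDSHAKE = b"\x16\x03"                  # TLS record type 0x16, version 3.x
BT_HANDSHAKE = b"\x13BitTorrent protocol"    # BitTorrent peer-wire handshake
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"CONNECT ")
LEGACY_PORT_TABLE = {80: "web-browsing", 443: "ssl", 6881: "bittorrent"}
# Policy on the *final* identification; webex stays allowed, its sharing function not.
BLOCKED = {"bittorrent", "encrypted-bittorrent", "webex-desktop-sharing"}


@dataclass
class Flow:
    dst_port: int
    payload: bytes                     # first bytes seen on the wire
    plaintext: Optional[bytes] = None  # forward-proxy decryption result; None = not decryptable


def identify_by_port(flow: Flow) -> str:
    """The legacy approach the deck criticises: the port *is* the application."""
    return LEGACY_PORT_TABLE.get(flow.dst_port, "unknown")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 for random-looking (encrypted) data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_http(payload: bytes) -> List[str]:
    """HTTP decoder plus application signatures evaluated in HTTP context."""
    lines = payload.split(b"\r\n")
    request_line = lines[0]
    host = next((h.split(b":", 1)[1].strip()
                 for h in lines[1:] if h.lower().startswith(b"host:")), b"")
    apps = ["web-browsing"]
    if host.endswith(b"webex.com"):
        apps.append("webex")
        if b"/desktop-share" in request_line:   # constructed function-level signature
            apps.append("webex-desktop-sharing")
    return apps


def identify_app(flow: Flow) -> List[str]:
    """Return the identification history: each new entry is a mode shift."""
    history: List[str] = []
    payload = flow.payload
    # 1. Protocol decoder: TLS is recognised on any port, not only 443.
    if payload.startswith(TLS_HANDSHAKE):
        history.append("ssl")
        if flow.plaintext is None:
            return history             # no decryption: identification stops at "ssl"
        payload = flow.plaintext       # 2. Forward-proxy decryption: continue on plaintext
    # 3. Protocol decoders give the signatures their context ("protocol in protocol").
    if payload.startswith(HTTP_METHODS):
        history.extend(decode_http(payload))
        return history
    if payload.startswith(BT_HANDSHAKE):
        history.append("bittorrent")
        return history
    # 4. Heuristics for traffic no decoder claims: random-looking bytes on an
    #    unusual port (constructed rule; the deck says "patterns of communication").
    if len(payload) >= 64 and shannon_entropy(payload) > 7.5 and flow.dst_port not in (80, 443):
        history.append("encrypted-bittorrent")
        return history
    history.append("unknown")
    return history


def decision(flow: Flow) -> Dict[str, object]:
    """Compare the port-based verdict with the content-based one."""
    legacy, history = identify_by_port(flow), identify_app(flow)
    return {
        "legacy_app": legacy,
        "legacy_action": "deny" if legacy in BLOCKED else "allow",
        "app_history": history,
        "action": "deny" if history[-1] in BLOCKED else "allow",
    }


# Constructed flow records.
FLOWS = {
    # BitTorrent handshake tunnelled over port 80: the port table says "web-browsing".
    "bt_on_80": Flow(80, BT_HANDSHAKE + bytes(8)),
    # TLS to webex, decrypted by the forward proxy: ssl -> HTTP -> webex -> desktop sharing.
    "webex_share": Flow(443, TLS_HANDSHAKE + b"\x01\x00",
                        plaintext=b"GET /desktop-share/s1 HTTP/1.1\r\nHost: ds.webex.com\r\n\r\n"),
    # TLS the proxy may not decrypt: identification stays at "ssl".
    "opaque_tls": Flow(443, TLS_HANDSHAKE + b"\x01\x00"),
    # Random-looking bytes on a high port: only the heuristic claims it.
    "encrypted_p2p": Flow(51413, bytes(range(256))),
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name:14s} {decision(flow)}")
```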
The solution
•App-ID
•Identification of the application
•User-ID
•Identification of the user
•Content-ID
•Inspection of the content
Previous approach
URL filter:
•Port/Protocol-based ID
•HTTP Decoder
•L2/L3 Networking, HA, Config Management, Reporting
•URL Filtering Policy
Firewall:
•Port/Protocol-based ID
•L2/L3 Networking, HA, Config Management, Reporting
•Firewall Policy
IPS:
•Port/Protocol-based ID
•IPS Decoder
•IPS Signatures
•L2/L3 Networking, HA, Config Management, Reporting
•IPS Policy
Anti-virus:
•Port/Protocol-based ID
•AV Decoder & Proxy
•AV Signatures
•L2/L3 Networking, HA, Config Management, Reporting
•AV Policy
Parallel, not sequential!
•L2/L3 Networking, HA, Config Management, Reporting
•App-ID
- Application Protocol Detection and Decryption
- Application Protocol Decoding
- Heuristics
- Application Signatures
•User-ID
•Content-ID
- URL Filtering
- Real-Time Threat Prevention
- Data Filtering
•Policy Engine
Single-Pass Parallel Processing Architecture
System architecture (PA-4000)
Flash Matching HW Engine
• Palo Alto Networks' unified signatures
• Expandable memory – memory scales performance
Multi-Core Security Processor
• Flexible security functionality
• Hardware acceleration of complex, standardized functions (SSL, IPSec, decompression)
Dedicated management platform:
• High availability
• High performance:
• Logging
• Routing
• …
10 Gig Network Processor
• Front-end network processor offloads the security processor
• Hardware-accelerated QoS, route lookup, MAC lookup, NAT
(Block diagram: Flash Matching Engine with RAM; Dual-Core CPU with RAM and HDD; security processor with CPU 1 . . . CPU 16 and SSL, IPSec and de-compression offload; network processor with QoS, route/ARP/MAC lookup and NAT)
PAN-OS Core Firewall Features
• Strong networking foundation
- Dynamic routing (OSPF, BGP, RIPv2)
- Tap mode – connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation
• VPN
- Site-to-site IPSec VPN
- SSL VPN
• QoS traffic shaping
- Max/guaranteed and priority
- By user, app, interface, zone, and more
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active / passive
- Configuration and session synchronization
- Path, link, and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 and PA-2000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content complement core firewall features
(Product photos: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060)
Flexible deployment!
Visibility:
• Application
• User
• Content
• Without inline integration
Transparent in-line:
• IPS with application visibility and control
• Consolidation of IPS & URL filter
Primary firewall:
• Primary firewall with application visibility and control
• Firewall + IPS
• Firewall + IPS + URL filter
Application Visibility and Risk Report
Simple evaluation of your data
• Top Application Usage
• High Risk Applications
• HTTP Applications
• Top Threats
•AVR
Palo Alto Networks Next-Generation Firewalls
PA-4050
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
PA-4020
• 2 Gbps FW
• 2 Gbps threat prevention
• 500,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
PA-4060
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 4 XFP (10 Gig) I/O
• 4 SFP (1 Gig) I/O
PA-2050
• 1 Gbps FW
• 500 Mbps threat prevention
• 250,000 sessions
• 16 copper gigabit
• 4 SFP interfaces
PA-2020
• 500 Mbps FW
• 200 Mbps threat prevention
• 125,000 sessions
• 12 copper gigabit
• 2 SFP interfaces
PA-500
• 250 Mbps FW
• 100 Mbps threat prevention
• 50,000 sessions
• 8 copper gigabit
Trust
• Founded in 2005 by security visionary Nir Zuk
• Developed by security experts from CP, Netscreen, Juniper, McAfee, BlueCoat, Cisco, …
• $65 million in funding from top venture capital firms (Sequoia Capital, Greylock Partners, Globespan Capital Partners, …)
• Now over 1800 customers worldwide
• 9000 appliances delivered
• Gartner: Top Visionary in the Gartner Quadrant!
2010 Magic Quadrant for Enterprise Network Firewalls
(Figure: Gartner Magic Quadrant as of March 2010, axes "completeness of vision" and "ability to execute"; Palo Alto Networks is placed among the visionaries. Vendors shown: Palo Alto Networks, Check Point Software Technologies, Juniper Networks, Cisco, Fortinet, McAfee, Stonesoft, SonicWALL, WatchGuard, NETASQ, Astaro, phion, 3Com/H3C; quadrant labels visible: visionaries, niche players.)
Source: Gartner
Proven IPS Quality
Testing performed by NSS Labs, Summer 2010
- Recognized industry leaders for IPS testing
- Tests based on established NSS IPS methodology
- Tested against a battery of 1,179 live exploits using real world traffic patterns
Criteria / Results
- Overall Rating: Recommended
- IPS Block Rate: 93.4% (at 2.3 Gbps)
- Performance: 2.3 Gbps (115% of stated performance)*
- IPS Evasion: 100% Resistance
- Simple Tuning and Management: “Tuning consisted of changing just three settings within the policy”
Review the full NSS Report at http://www.paloaltonetworks.com/literature/forms/nss-report.php
*Testing performed on a Palo Alto Networks PA-4020 which is rated at 2 Gbps of Threat Prevention
Seeing is believing...
•... Live demonstration
In brief
• Improved security
- Application identification: visibility leads to control, control leads to security
- Intelligent, centralized content inspection (AV, IPS, URL, ...)
- Meaningful monitoring
• Increased performance
- Parallel processing through the single-pass architecture (PAN-OS) + tailored hardware
• Productivity
- Granular application control
• Savings potential
- Savings through consolidation of existing point solutions (proxy, AV, IPS, URL, ...)
- Lower operating costs
  - Licensing ("flat rate", not per user, ...)
  - Management + consolidation
Thank You

Weitere ähnliche Inhalte

Was ist angesagt?

13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering conceptMostafa El Lathy
 
Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...
Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...
Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...Fwdays
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N NessusUtkarsh Verma
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
7 palo alto security zones & interfaces concepts
7 palo alto security zones & interfaces concepts7 palo alto security zones & interfaces concepts
7 palo alto security zones & interfaces conceptsMostafa El Lathy
 
Navigating the Zero Trust Journey for Today's Everywhere Workplace
Navigating the Zero Trust Journey for Today's Everywhere WorkplaceNavigating the Zero Trust Journey for Today's Everywhere Workplace
Navigating the Zero Trust Journey for Today's Everywhere WorkplaceIvanti
 
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseSite-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseHarris Andrea
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to AnsibleKnoldus Inc.
 
User expert forum user-id
User expert forum   user-idUser expert forum   user-id
User expert forum user-idAlberto Rivai
 
Presentation f5 – beyond load balancer
Presentation   f5 – beyond load balancerPresentation   f5 – beyond load balancer
Presentation f5 – beyond load balancerxKinAnx
 
IBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use CasesIBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use CasesIBM DataPower Gateway
 
Next generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsNext generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsAnthony Daniel
 

Was ist angesagt? (20)

ClearPass Overview
ClearPass OverviewClearPass Overview
ClearPass Overview
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering concept
 
19 high availability
19 high availability19 high availability
19 high availability
 
4 palo alto licenses
4 palo alto licenses4 palo alto licenses
4 palo alto licenses
 
Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...
Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...
Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
 
Access Management with Aruba ClearPass
Access Management with Aruba ClearPassAccess Management with Aruba ClearPass
Access Management with Aruba ClearPass
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
 
7 palo alto security zones & interfaces concepts
7 palo alto security zones & interfaces concepts7 palo alto security zones & interfaces concepts
7 palo alto security zones & interfaces concepts
 
Navigating the Zero Trust Journey for Today's Everywhere Workplace
Navigating the Zero Trust Journey for Today's Everywhere WorkplaceNavigating the Zero Trust Journey for Today's Everywhere Workplace
Navigating the Zero Trust Journey for Today's Everywhere Workplace
 
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and PfsenseSite-to-Site IPSEC VPN Between Cisco ASA and Pfsense
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to Ansible
 
User expert forum user-id
User expert forum   user-idUser expert forum   user-id
User expert forum user-id
 
Presentation f5 – beyond load balancer
Presentation   f5 – beyond load balancerPresentation   f5 – beyond load balancer
Presentation f5 – beyond load balancer
 
IBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use CasesIBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use Cases
 
Bringing up Aruba Mobility Master, Managed Device & Access Point
Bringing up Aruba Mobility Master, Managed Device & Access PointBringing up Aruba Mobility Master, Managed Device & Access Point
Bringing up Aruba Mobility Master, Managed Device & Access Point
 
Aruba Mobility Controllers
Aruba Mobility ControllersAruba Mobility Controllers
Aruba Mobility Controllers
 
Next generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsNext generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefits
 
Zero trust deck 2020
Zero trust deck 2020Zero trust deck 2020
Zero trust deck 2020
 
ClearPass design scenarios that solve the toughest security policy requirements
ClearPass design scenarios that solve the toughest security policy requirementsClearPass design scenarios that solve the toughest security policy requirements
ClearPass design scenarios that solve the toughest security policy requirements
 

Andere mochten auch

PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...
PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...
PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...SWITCHPOINT NV/SA
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewallsCastleforce
 
Palo Alto Networks y la tecnología de Next Generation Firewall
Palo Alto Networks y la tecnología de Next Generation FirewallPalo Alto Networks y la tecnología de Next Generation Firewall
Palo Alto Networks y la tecnología de Next Generation FirewallMundo Contact
 
Palo Alto Networks authentication
Palo Alto Networks authenticationPalo Alto Networks authentication
Palo Alto Networks authenticationAlberto Rivai
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...BAKOTECH
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & ComplianceAmazon Web Services
 
Palo alto networks_customer_overview_november2011-short
Palo alto networks_customer_overview_november2011-shortPalo alto networks_customer_overview_november2011-short
Palo alto networks_customer_overview_november2011-shortTen Sistemas e Redes
 
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)BAKOTECH
 
FireEye Advanced Threat Protection - What You Need to Know
FireEye Advanced Threat Protection - What You Need to KnowFireEye Advanced Threat Protection - What You Need to Know
FireEye Advanced Threat Protection - What You Need to KnowFireEye, Inc.
 
Securing your Rails application
Securing your Rails applicationSecuring your Rails application
Securing your Rails applicationclucasKrof
 
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPSREAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPSForgeRock
 
Modern Malware by Nir Zuk Palo Alto Networks
Modern Malware by Nir Zuk Palo Alto NetworksModern Malware by Nir Zuk Palo Alto Networks
Modern Malware by Nir Zuk Palo Alto Networksdtimal
 
Vfm website-projects
Vfm website-projectsVfm website-projects
Vfm website-projectsvfmindia
 
Vsphere 4-partner-training180
Vsphere 4-partner-training180Vsphere 4-partner-training180
Vsphere 4-partner-training180Suresh Kumar
 

Andere mochten auch (20)

PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...
PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...
PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewalls
 
Palo Alto Networks y la tecnología de Next Generation Firewall
Palo Alto Networks y la tecnología de Next Generation FirewallPalo Alto Networks y la tecnología de Next Generation Firewall
Palo Alto Networks y la tecnología de Next Generation Firewall
 
Palo Alto Networks authentication
Palo Alto Networks authenticationPalo Alto Networks authentication
Palo Alto Networks authentication
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & Compliance
 
Palo alto networks_customer_overview_november2011-short
Palo alto networks_customer_overview_november2011-shortPalo alto networks_customer_overview_november2011-short
Palo alto networks_customer_overview_november2011-short
 
Palo alto networks
Palo alto networksPalo alto networks
Palo alto networks
 
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
 
Computer and Network Security
Computer and Network SecurityComputer and Network Security
Computer and Network Security
 
FireEye Advanced Threat Protection - What You Need to Know
FireEye Advanced Threat Protection - What You Need to KnowFireEye Advanced Threat Protection - What You Need to Know
FireEye Advanced Threat Protection - What You Need to Know
 
Securing your Rails application
Securing your Rails applicationSecuring your Rails application
Securing your Rails application
 
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPSREAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS
REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS
 
rpt-world-eco-forum Final
rpt-world-eco-forum Finalrpt-world-eco-forum Final
rpt-world-eco-forum Final
 
PAN Platform Summary
PAN Platform SummaryPAN Platform Summary
PAN Platform Summary
 
FlexPod_for_HondaTH
FlexPod_for_HondaTHFlexPod_for_HondaTH
FlexPod_for_HondaTH
 
Modern Malware by Nir Zuk Palo Alto Networks
Modern Malware by Nir Zuk Palo Alto NetworksModern Malware by Nir Zuk Palo Alto Networks
Modern Malware by Nir Zuk Palo Alto Networks
 
NATE-Central-Log
NATE-Central-LogNATE-Central-Log
NATE-Central-Log
 
Vfm website-projects
Vfm website-projectsVfm website-projects
Vfm website-projects
 
Vsphere 4-partner-training180
Vsphere 4-partner-training180Vsphere 4-partner-training180
Vsphere 4-partner-training180
 

Ähnlich wie Palo Alto Networks - Just another Firewall

stackconf 2020 | SecDevOps in der Cloud by Florian Wiethoff
stackconf 2020 | SecDevOps in der Cloud by Florian Wiethoffstackconf 2020 | SecDevOps in der Cloud by Florian Wiethoff
stackconf 2020 | SecDevOps in der Cloud by Florian WiethoffNETWAYS
 
eDay Wlan & Security auf der Skipiste
eDay Wlan & Security auf der SkipisteeDay Wlan & Security auf der Skipiste
eDay Wlan & Security auf der SkipisteUnwired Networks GmbH
 
Wolfgang Mader (Huemer Data Center)
Wolfgang Mader (Huemer Data Center)Wolfgang Mader (Huemer Data Center)
Wolfgang Mader (Huemer Data Center)Agenda Europe 2035
 
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...SBA Research
 
Technologien 2011 Einblick in die Zukunft von Citrix
Technologien 2011 Einblick in die Zukunft von CitrixTechnologien 2011 Einblick in die Zukunft von Citrix
Technologien 2011 Einblick in die Zukunft von CitrixDigicomp Academy AG
 
Cloud Connectivity - Herausforderungen und Loesungen
Cloud Connectivity - Herausforderungen und LoesungenCloud Connectivity - Herausforderungen und Loesungen
Cloud Connectivity - Herausforderungen und LoesungenDaniel Steiger
 
ForgeRock Webinar - Was ist Identity Relationship Management?
ForgeRock Webinar - Was ist Identity Relationship Management?ForgeRock Webinar - Was ist Identity Relationship Management?
ForgeRock Webinar - Was ist Identity Relationship Management?Hanns Nolan
 
WS: Uhl, Lisog - Deutsche Wolke
WS: Uhl, Lisog - Deutsche WolkeWS: Uhl, Lisog - Deutsche Wolke
WS: Uhl, Lisog - Deutsche WolkeCloudOps Summit
 
Cloud Computing ­- eine Revolution? by Hartmut Streppel
Cloud Computing ­- eine Revolution? by Hartmut StreppelCloud Computing ­- eine Revolution? by Hartmut Streppel
Cloud Computing ­- eine Revolution? by Hartmut StreppelMedien Meeting Mannheim
 
Kaps - Es muss nicht immer Kubernetes sein
Kaps - Es muss nicht immer Kubernetes seinKaps - Es muss nicht immer Kubernetes sein
Kaps - Es muss nicht immer Kubernetes seinStephan Kaps
 
Wlan ausleuchtung v2 automatisch gespeichert
Wlan ausleuchtung v2 automatisch gespeichertWlan ausleuchtung v2 automatisch gespeichert
Wlan ausleuchtung v2 automatisch gespeichertJennifer Knaus
 
Oracle Mobile Cloud Service im Einsatz
Oracle Mobile Cloud Service im EinsatzOracle Mobile Cloud Service im Einsatz
Oracle Mobile Cloud Service im EinsatzVolker Linz
 
Identity & Domain Management aus der Cloud - Replizierte Identitäts- und Stan...
Identity & Domain Management aus der Cloud - Replizierte Identitäts- und Stan...Identity & Domain Management aus der Cloud - Replizierte Identitäts- und Stan...
Identity & Domain Management aus der Cloud - Replizierte Identitäts- und Stan...Univention GmbH
 
Holistische Sicherheit für Microservice Architekturen
Holistische Sicherheit für Microservice ArchitekturenHolistische Sicherheit für Microservice Architekturen
Holistische Sicherheit für Microservice ArchitekturenQAware GmbH
 
Android Enterprise Integration
Android Enterprise IntegrationAndroid Enterprise Integration
Android Enterprise IntegrationDominik Helleberg
 
DACHNUG50 Volt MX & AppScan_20230615.pdf
DACHNUG50 Volt MX & AppScan_20230615.pdfDACHNUG50 Volt MX & AppScan_20230615.pdf
DACHNUG50 Volt MX & AppScan_20230615.pdfDNUG e.V.
 
Steinzeit war gestern! Wege der Cloud-nativen Evolution.
Steinzeit war gestern! Wege der Cloud-nativen Evolution.Steinzeit war gestern! Wege der Cloud-nativen Evolution.
Steinzeit war gestern! Wege der Cloud-nativen Evolution.QAware GmbH
 
Softlayer Cloud Services #asksoftlayer
Softlayer Cloud Services #asksoftlayerSoftlayer Cloud Services #asksoftlayer
Softlayer Cloud Services #asksoftlayerBogdan Lupu
 
Log4j war erst der Anfang.pdf
Log4j war erst der Anfang.pdfLog4j war erst der Anfang.pdf
Log4j war erst der Anfang.pdfStephan Kaps
 

Ähnlich wie Palo Alto Networks - Just another Firewall (20)

stackconf 2020 | SecDevOps in der Cloud by Florian Wiethoff
stackconf 2020 | SecDevOps in der Cloud by Florian Wiethoffstackconf 2020 | SecDevOps in der Cloud by Florian Wiethoff
stackconf 2020 | SecDevOps in der Cloud by Florian Wiethoff
 
eDay Wlan & Security auf der Skipiste
eDay Wlan & Security auf der SkipisteeDay Wlan & Security auf der Skipiste
eDay Wlan & Security auf der Skipiste
 
Wolfgang Mader (Huemer Data Center)
Wolfgang Mader (Huemer Data Center)Wolfgang Mader (Huemer Data Center)
Wolfgang Mader (Huemer Data Center)
 
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
 
Technologien 2011 Einblick in die Zukunft von Citrix
Technologien 2011 Einblick in die Zukunft von CitrixTechnologien 2011 Einblick in die Zukunft von Citrix
Technologien 2011 Einblick in die Zukunft von Citrix
 
ALE Unternehmensüberblick 2015
ALE Unternehmensüberblick 2015ALE Unternehmensüberblick 2015
ALE Unternehmensüberblick 2015
 
Cloud Connectivity - Herausforderungen und Loesungen
Cloud Connectivity - Herausforderungen und LoesungenCloud Connectivity - Herausforderungen und Loesungen
Cloud Connectivity - Herausforderungen und Loesungen
 
ForgeRock Webinar - Was ist Identity Relationship Management?
ForgeRock Webinar - Was ist Identity Relationship Management?ForgeRock Webinar - Was ist Identity Relationship Management?
ForgeRock Webinar - Was ist Identity Relationship Management?
 
WS: Uhl, Lisog - Deutsche Wolke
WS: Uhl, Lisog - Deutsche WolkeWS: Uhl, Lisog - Deutsche Wolke
WS: Uhl, Lisog - Deutsche Wolke
 
Cloud Computing ­- eine Revolution? by Hartmut Streppel
Cloud Computing ­- eine Revolution? by Hartmut StreppelCloud Computing ­- eine Revolution? by Hartmut Streppel
Cloud Computing ­- eine Revolution? by Hartmut Streppel
 
Kaps - Es muss nicht immer Kubernetes sein
Kaps - Es muss nicht immer Kubernetes seinKaps - Es muss nicht immer Kubernetes sein
Kaps - Es muss nicht immer Kubernetes sein
 
Wlan ausleuchtung v2 automatisch gespeichert
Wlan ausleuchtung v2 automatisch gespeichertWlan ausleuchtung v2 automatisch gespeichert
Wlan ausleuchtung v2 automatisch gespeichert
 
Oracle Mobile Cloud Service im Einsatz
Oracle Mobile Cloud Service im EinsatzOracle Mobile Cloud Service im Einsatz
Oracle Mobile Cloud Service im Einsatz
 
Identity & Domain Management aus der Cloud - Replizierte Identitäts- und Stan...
Identity & Domain Management aus der Cloud - Replizierte Identitäts- und Stan...Identity & Domain Management aus der Cloud - Replizierte Identitäts- und Stan...
Identity & Domain Management aus der Cloud - Replizierte Identitäts- und Stan...
 
Holistische Sicherheit für Microservice Architekturen
Holistische Sicherheit für Microservice ArchitekturenHolistische Sicherheit für Microservice Architekturen
Holistische Sicherheit für Microservice Architekturen
 
Android Enterprise Integration
Android Enterprise IntegrationAndroid Enterprise Integration
Android Enterprise Integration
 
DACHNUG50 Volt MX & AppScan_20230615.pdf
DACHNUG50 Volt MX & AppScan_20230615.pdfDACHNUG50 Volt MX & AppScan_20230615.pdf
DACHNUG50 Volt MX & AppScan_20230615.pdf
 
Steinzeit war gestern! Wege der Cloud-nativen Evolution.
Steinzeit war gestern! Wege der Cloud-nativen Evolution.Steinzeit war gestern! Wege der Cloud-nativen Evolution.
Steinzeit war gestern! Wege der Cloud-nativen Evolution.
 
Softlayer Cloud Services #asksoftlayer
Softlayer Cloud Services #asksoftlayerSoftlayer Cloud Services #asksoftlayer
Softlayer Cloud Services #asksoftlayer
 
Log4j war erst der Anfang.pdf
Log4j war erst der Anfang.pdfLog4j war erst der Anfang.pdf
Log4j war erst der Anfang.pdf
 

Palo Alto Networks - Just another Firewall

  • 8. New requirements
    1. Identification of applications regardless of port, protocol or SSL tunnel …
    2. Identification of users regardless of IP address
    3. Granular visibility and control over access to applications and their functions
    4. Real-time protection against attacks embedded in applications
    5. Multi-gigabit in-line deployment without performance loss
    Next Generation Firewall™
  • 10. Application Identification Components
    • Protocol Decoders: detect protocol in protocol; provide context for signatures
    • Protocol Decryption: man-in-the-middle SSL decryption
    • Application Signatures: detect applications initiating
    • Heuristics: uses patterns of communication
  • 11. Application Identification - Signatures
    [Figure: stages Protocol Decoders, Decryption, Application Signatures; example flow SSL, Forward proxy, HTTP, webex, Webex desktop sharing (Mode shift)]
  • 12. Application identification - Heuristics
    [Figure: stages Protocol Decoders, Heuristics (examine communications); example flow Unknown, Encrypted Bittorrent, Azureus]
  • 13. The solution
    • App-ID: identification of the application
    • User-ID: identification of the user
    • Content-ID: inspection of the content
  • 14. Previous approach (one separate stack per function)
    • URL filter: Port/Protocol-based ID, HTTP Decoder, URL Filtering Policy, L2/L3 Networking, HA, Config Management, Reporting
    • Firewall: Port/Protocol-based ID, Firewall Policy, L2/L3 Networking, HA, Config Management, Reporting
    • IPS: Port/Protocol-based ID, IPS Decoder, IPS Signatures, IPS Policy, L2/L3 Networking, HA, Config Management, Reporting
    • AV: Port/Protocol-based ID, AV Decoder & Proxy, AV Signatures, AV Policy, L2/L3 Networking, HA, Config Management, Reporting
  • 15. Parallel, not sequential!
    • L2/L3 Networking, HA, Config Management, Reporting
    • App-ID: Application Protocol Detection and Decryption, Application Protocol Decoding, Heuristics, Application Signatures
    • User-ID
    • Content-ID: URL Filtering, Real-Time Threat Prevention, Data Filtering
    • Policy Engine
  • 16. Single-Pass Parallel Processing Architecture
  • 17. System architecture (PA-4000)
    • Flash Matching HW Engine
      - Palo Alto Networks' unified signatures
      - Expandable memory: memory scales performance
    • Multi-core security processor
      - Flexible security functionality
      - Hardware acceleration of complex, standardized functions (SSL, IPSec, decompression)
    • Dedicated management platform:
      - High availability
      - High performance: logging, routing, …
    • 10 Gig network processor
      - Front-end network processor offloads the security processor
      - Hardware-accelerated QoS, route lookup, MAC lookup, NAT
    [Block diagram: Flash Matching Engine with RAM; dual-core CPU with RAM and HDD (management platform); CPU 1 … CPU 16 with RAM plus SSL, IPSec and decompression engines (security processor); network processor with QoS, route/ARP/MAC lookup and NAT]
  • 18. PAN-OS Core Firewall Features
    • Strong networking foundation
      - Dynamic routing (OSPF, BGP, RIPv2)
      - Tap mode: connect to SPAN port
      - Virtual wire ("Layer 1") for true transparent in-line deployment
      - L2/L3 switching foundation
    • VPN
      - Site-to-site IPSec VPN
      - SSL VPN
    • QoS traffic shaping
      - Max/guaranteed and priority
      - By user, app, interface, zone, and more
    • Zone-based architecture
      - All interfaces assigned to security zones for policy enforcement
    • High Availability
      - Active / passive
      - Configuration and session synchronization
      - Path, link, and HA monitoring
    • Virtual Systems
      - Establish multiple virtual firewalls in a single device (PA-4000 and PA-2000 Series only)
    • Simple, flexible management
      - CLI, Web, Panorama, SNMP, Syslog
    Visibility and control of applications, users and content complement core firewall features
    Models: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060
  • 19. Flexible deployment!
    • Visibility: application, user, content; no in-line integration required
    • Transparent in-line: IPS with application visibility and control; consolidation of IPS & URL filter
    • Primary firewall: primary firewall with application visibility and control; firewall + IPS; firewall + IPS + URL filter
  • 20. Application Visibility and Risk Report (AVR)
    Simple evaluation of your data
    • Top Application Usage
    • High Risk Applications
    • HTTP Applications
    • Top Threats
  • 21. Palo Alto Networks Next-Generation Firewalls
    • PA-4050: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions, 16 copper gigabit, 8 SFP interfaces
    • PA-4020: 2 Gbps FW, 2 Gbps threat prevention, 500,000 sessions, 16 copper gigabit, 8 SFP interfaces
    • PA-4060: 10 Gbps FW, 5 Gbps threat prevention, 2,000,000 sessions, 4 XFP (10 Gig) I/O, 4 SFP (1 Gig) I/O
    • PA-2050: 1 Gbps FW, 500 Mbps threat prevention, 250,000 sessions, 16 copper gigabit, 4 SFP interfaces
    • PA-2020: 500 Mbps FW, 200 Mbps threat prevention, 125,000 sessions, 12 copper gigabit, 2 SFP interfaces
    • PA-500: 250 Mbps FW, 100 Mbps threat prevention, 50,000 sessions, 8 copper gigabit
  • 22. Trust
    • Founded in 2005 by security visionary Nir Zuk
    • Developed by security experts from CP, Netscreen, Juniper, McAfee, BlueCoat, Cisco, …
    • $65 million in funding from top venture capital firms (Sequoia Capital, Greylock Partners, Globespan Capital Partners, …)
    • Now over 1800 customers worldwide
    • 9000 devices shipped
    • Gartner: Top Visionary in the Gartner Quadrant!
  • 23. 2010 Magic Quadrant for Enterprise Network Firewalls (Source: Gartner, as of March 2010)
    [Figure: quadrant chart with axes completeness of vision (horizontal) and ability to execute (vertical); vendors plotted: Palo Alto Networks, Check Point Software Technologies, Juniper Networks, Cisco, Fortinet, McAfee, Stonesoft, SonicWALL, WatchGuard, NETASQ, Astaro, phion, 3Com/H3C; quadrant labels shown: visionaries, niche players]
  • 24. Proven IPS Quality
    Testing performed by NSS Labs, Summer 2010
    - Recognized industry leaders for IPS testing
    - Tests based on established NSS IPS methodology
    - Tested against a battery of 1,179 live exploits using real world traffic patterns
    Criteria and results:
    • Overall Rating: Recommended
    • IPS Block Rate: 93.4% (at 2.3 Gbps)
    • Performance: 2.3 Gbps (115% of stated performance)*
    • IPS Evasion: 100% resistance
    • Simple Tuning and Management: "Tuning consisted of changing just three settings within the policy"
    Review the full NSS Report at http://www.paloaltonetworks.com/literature/forms/nss-report.php
    *Testing performed on a Palo Alto Networks PA-4020, which is rated at 2 Gbps of Threat Prevention
  • 25. Seeing is believing... … live demonstration
  • 26. In short
    • Improved security
      - Application identification: visibility leads to control, control leads to security
      - Intelligent central content inspection (AV, IPS, URL, ...)
      - Meaningful monitoring
    • Increased performance
      - Parallel processing through the single-pass architecture (PAN-OS) plus tailored hardware
    • Productivity
      - Granular application control
    • Savings potential
      - Savings through consolidation of existing point solutions (proxy, AV, IPS, URL, ...)
      - Lower operating costs: licensing ("flat rate", not per user, ...); management plus consolidation
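The identification pipeline from slides 10 to 12, as an added example that is not Palo Alto Networks code: a toy port-independent classifier in Python that runs protocol decoders first, then contextual signatures on the decoded stream (including the WebEx mode shift), and falls back to an entropy heuristic for traffic nothing else recognises. The host names, the desktop-sharing marker and every sample flow are constructed assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass

@dataclass
class Flow:
    dst_port: int           # never consulted: identification is port-independent
    payload: bytes          # first bytes seen on the wire (constructed samples)
    decrypted: bytes = b""  # what the SSL forward proxy sees after decryption

def decode_protocol(data: bytes) -> str:
    """Protocol decoder stage: name the carried protocol from its content."""
    if data.startswith(b"\x16\x03"):                 # TLS handshake record header
        return "ssl"
    if data.split(b" ", 1)[0] in (b"GET", b"POST") and b" HTTP/1." in data:
        return "http"
    if data.startswith(b"\x13BitTorrent protocol"):  # BitTorrent handshake
        return "bittorrent"
    return "unknown"

# Contextual signatures applied to the decoded HTTP stream (hypothetical hosts
# and marker). The desktop-sharing entry comes first so that a later request
# carrying the marker re-identifies the session: the "mode shift".
HTTP_SIGNATURES = [
    (b"Host: webex.example", b"/desktop-share", "webex-desktop-sharing"),
    (b"Host: webex.example", None, "webex"),
    (b"Host: mail.example", None, "web-mail"),
]

def entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def identify(flow: Flow) -> str:
    data, proto = flow.payload, decode_protocol(flow.payload)
    if proto == "ssl" and flow.decrypted:            # protocol in protocol: SSL -> HTTP
        data, proto = flow.decrypted, decode_protocol(flow.decrypted)
    if proto == "bittorrent":
        return "bittorrent"
    if proto == "http":
        for host, marker, app in HTTP_SIGNATURES:
            if host in data and (marker is None or marker in data):
                return app
        return "web-browsing"
    if proto == "ssl":
        return "ssl"                                 # opaque without decryption (tap mode)
    # Heuristics: random-looking bytes suggest proprietary end-to-end encryption
    if len(data) >= 256 and entropy(data) > 7.5:
        return "encrypted-unknown"
    return "unknown"
```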

Editor's notes

  1. Personal applications: IM, P2P, file sharing, web-mail, social networks, … Enterprise 2.0: project coordination, internal and external communication, free exchange of knowledge, a corporate culture of autonomous self-management of teams
  2. The Palo Alto Networks solution utilizes 4 major technologies to identify applications. Protocol Decoders: These software constructs understand the application at the protocol level and provide contexts for the application. For example the HTTP decoder understands that there will be a Method and a Version for each HTTP request. The decoders are what assist in detecting when a second protocol is tunneled within an existing session. This is called "Protocol in Protocol". Protocol Decryption: Secure Sockets Layer communication is decrypted so that the internal content can be examined. This is done by using a man in the middle attack as the data crosses the firewall. Application Signatures: Both stream and contextual signatures are used to identify the application or the change in application mode. Heuristics: This system looks at overall patterns of communication to detect applications that are not suited to signature based identification.
  3. As an example of signature based detection look at WebEx. The initial connection is an SSL based communication. Protocol decoders and Decryption will detect that it is SSL, decrypt the SSL and then detect that it is HTTP traffic. Once the decoder has the HTTP stream the system can apply contextual signatures and detect that the application using the SSL / HTTP connection is WebEx. If the user were to press the button to initiate desktop sharing the application would undergo a "Mode Shift". Now the session has altered from a conferencing application to a remote access application. Application signatures will detect this and the application will be updated to WebEx Desktop Sharing.
  4. When traffic is unable to be identified by the application decoders and signatures the Heuristics engine kicks in. This engine will look at patterns of communication in an attempt to identify the application based on its network behavior. This type of detection is required for applications that use proprietary end to end encryption such as Skype and encrypted BitTorrent.
  5. Using the Known Good and Known Bad groups, three policies can be created. It is worth noting that this configuration can be made more complex as needed, but the basic design is pictured above. The first rule allows all approved traffic. The second rule blocks all known bad traffic. This configuration allows the administrator to block a category while allowing an example of that category. For example, Instant Messenger applications can be blocked as a Filter in rule 2 while Yahoo Messenger can be allowed as an Application in rule 1. The third rule catches all traffic that does not match the first two rules. Depending on the environment the third rule can be a block or an allow. For organizations where security is the primary concern the rule would be block. If the traffic ultimately is needed, it can be added to rule 1. In any case, all traffic matching rule 3 must be logged and checked by the security team. Any applications being caught by the last rule need to be examined and a determination needs to be made if they need to be added to the Known Good or Known Bad groups. Over time there should be very little traffic hitting the third rule. Ultimately this design should be compressed down to a single allow rule for the approved traffic and all other applications will be denied by the implied deny all at the end of the policy set.
  6. Unified = united / standardized
  7. The design of the Palo Alto Networks firewall allows for a variety of deployment options. Some simple examples include: Application Visibility: By utilizing tap mode interfaces the device can be connected to a core switch's SPAN port to identify applications running on the network. This option requires no changes to the existing network design. In this mode the device cannot block any harmful traffic nor can it decrypt SSL connections. This typically leads to one of the following deployment types. Transparent In-Line: Using Vwire interfaces the device can be inserted into an existing topology without requiring any reallocation of network addresses or redesign of the network topology. In this mode all of the protection and decryption features of the device can be used. Firewall Replacement: Using L3 interfaces the device can take the place of any current enterprise firewall deployment. A unique advantage of the device is the ability to mix and match these interface types on a single chassis. The same system could be deployed in an Application Visibility role for one portion of the network while being in line with another.
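The Known Good / Known Bad rule design from note 5, as an added example that is not PAN-OS configuration: a small top-down rulebase evaluator in Python with the logged catch-all rule, and the compressed single-allow form that relies on the implicit deny. The application catalogue, the group contents and the application names are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed application catalogue: application -> category (App-ID style)
CATALOGUE = {
    "yahoo-im": "instant-messaging", "msn-im": "instant-messaging",
    "bittorrent": "peer-to-peer", "webex": "conferencing",
    "web-browsing": "internet-utility", "ultrasurf": "proxy",
}
# Groups hold single applications and whole categories (the slide's "Filter")
KNOWN_GOOD = {"applications": {"yahoo-im", "webex", "web-browsing"}, "categories": set()}
KNOWN_BAD = {"applications": {"ultrasurf"}, "categories": {"instant-messaging", "peer-to-peer"}}

@dataclass
class Rule:
    name: str
    action: str               # "allow" or "deny"
    group: Optional[dict]     # None matches any application (catch-all)
    log: bool = True          # every hit is logged, as note 5 requires for rule 3

def matches(group: Optional[dict], app: str) -> bool:
    if group is None:
        return True
    return app in group["applications"] or CATALOGUE.get(app) in group["categories"]

def evaluate(rulebase: list, app: str, log: list) -> str:
    """First matching rule wins, top-down; no match hits the implicit deny."""
    for rule in rulebase:
        if matches(rule.group, app):
            if rule.log:
                log.append(f"app={app} rule={rule.name} action={rule.action}")
            return rule.action
    log.append(f"app={app} rule=implicit-deny action=deny")
    return "deny"

# Initial design: allow known good, block known bad, catch and log the rest.
# yahoo-im is allowed by rule 1 even though rule 2 blocks its whole category.
INITIAL = [
    Rule("allow-known-good", "allow", KNOWN_GOOD),
    Rule("block-known-bad", "deny", KNOWN_BAD),
    Rule("catch-all", "deny", None),   # "allow" in a less strict environment
]
# Final design once catch-all hits have all been sorted into a group:
# a single allow rule, everything else denied by the implicit deny.
FINAL = [Rule("allow-known-good", "allow", KNOWN_GOOD)]

def unreviewed_hits(log: list) -> list:
    """Applications that hit the catch-all and still need a group decision."""
    return [line.split()[0][4:] for line in log if "rule=catch-all" in line]
```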