Introduction to PAN
Palo Alto Networks Overview
Stefania Iannelli, System Engineer, Palo Alto Networks
A brief history of Palo Alto Networks
Mid 1990s – today: Legacy: allow or block applications (Allow / Block)
Today+: Next generation: Safely enable applications
the network security company™
2 | ©2013, Palo Alto Networks. Confidential and Proprietary.
A brief history of the evolution of IT
• Cloud + SaaS
• Mobile + BYOD
• Social + consumerization
• More sophisticated attacks
Our new approach to network security
Palo Alto Networks platform:
• App-ID: identifies the applications
• User-ID: identifies the user
• Content-ID: analyzes the content
Leader in the Gartner Magic Quadrant for Enterprise Network Firewalls since 2011
The same session as seen with full context (two different flows) and as a legacy firewall sees it:

Attribute              Flow 1                 Flow 2              Legacy firewall view
source IP              172.16.1.10            172.16.1.10         172.16.1.10
destination IP         64.81.2.23             64.81.2.23          64.81.2.23
destination port       tcp/443                tcp/443             tcp/443
protocol               SSL, HTTP              SSL, HTTP           ?
application            slideshare             web-browsing        ?
application function   slideshare-uploading   -                   ?
URL category           file-sharing           unknown             ?
file type              pdf                    exe                 ?
file name              roadmap.pdf            shipment.exe        ?
size                   344 KB                 344 KB              ?
user                   bjacobs                fthomas             ?
group                  prodmgmt               finance             ?
destination country    canada                 china               ?
Palo Alto Networks NGFW vs Legacy Firewall
Other's Classificator: incoming packets pass through a DPI FilterChain (Vulnerability, File, Virus, Spyware filters in sequence). Criteria available: User/Group, Network Attributes.
PANW Classificator: Single Pass Pattern Match (Apps Profile, IPS Profile, File Blocking, Anti-Virus, Anti-Spyware). Criteria available: User/Group, Platform, Application, URL (instance), Network Attributes.
Our Approach: Seek First to Understand: The Power of Context
• classify all traffic to app level, even encrypted traffic
• determine who (users)
• continually update this understanding; includes content inspection
Then Enforce: Better decisions based on full situational awareness
• a positive enforcement model
• stepwise refinement
• systematically manage the unknown
Diagram: document xfer by Fred (finance group) + other context → Fully Understand (Enables) → Enforce: Allow, or Deny, or Allow, but: scan for threats / block files/sensitive data / per schedule / other options
A Fundamentally Different Architecture
Competitors: Sequential Filtering: Port Classification → Application Classification → Filter (+ File Classification) → Filter (+ Threat Matching) → Filter (+ etc.) → ? Each filter sees only User and L1-4 attributes.
Palo Alto Networks: Single Pass: Full Classification (Application, User, L1-4) → Full Enforcement → Done
Why Does This Matter? A Specific Scenario
Desired Policy:
Application         File policy
Web Browsing        Block all file types
Cloud Backup        Allow all file types
SharePoint Online   Block only Executables
Why? The Architecture.
Competitors: Sequential Filtering: Port Classification → Application Classification → Filter (+ File Classification) → Filter (+ Threat Matching) → Filter (+ etc.) → ? Each filter sees only User and L1-4 attributes: the filter has no app knowledge.
Palo Alto Networks: Single Pass: Full Classification (Application, User, L1-4) → Full Enforcement → Done
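As an added example (not from the slides and not Palo Alto Networks code), the following Python script applies the Desired Policy above to the two flows shown earlier, which are identical at L3/L4 (172.16.1.10 → 64.81.2.23, tcp/443) but differ in application, user, group and file. A port-only view returns the same verdict for both; a single-pass view that has the full context can apply the per-application file policy. The App-ID names used as policy keys, the list of extensions counted as "Executables", the default deny for applications with no explicit rule (the slides' positive enforcement model) and the three extra flows are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# "Block only Executables" on the slide names no concrete list; this set is an
# assumption for the example.
EXECUTABLE_TYPES = {"exe", "dll", "msi", "scr"}

# Desired Policy from the slide, keyed by App-ID application name (names assumed).
DESIRED_POLICY = {
    "web-browsing": "block-all",
    "cloud-backup": "allow-all",
    "sharepoint-online": "block-executables",
}


@dataclass(frozen=True)
class Flow:
    """Context a single-pass classifier attaches to one session."""
    src_ip: str
    dst_ip: str
    dst_port: str                      # L4 attribute, e.g. "tcp/443"
    application: Optional[str] = None  # App-ID result; None if unclassified
    user: Optional[str] = None
    group: Optional[str] = None
    file_type: Optional[str] = None    # e.g. "pdf", "exe"; None if no file in the flow
    file_name: Optional[str] = None


def port_based_decision(flow: Flow, open_ports=("tcp/80", "tcp/443")) -> str:
    """Legacy firewall view: only L3/L4 attributes are visible, so every flow on
    an open port gets the same verdict whatever the application or file."""
    return "allow" if flow.dst_port in open_ports else "deny"


def single_pass_decision(flow: Flow) -> str:
    """Single-pass view: application, user/group and file type are known from one
    classification, so the per-application file policy can be applied."""
    rule = DESIRED_POLICY.get(flow.application)
    if rule is None:
        # Positive enforcement model: an application with no explicit rule is not enabled.
        return "deny"
    if flow.file_type is None:
        return "allow"                 # no file transfer to evaluate
    if rule == "allow-all":
        return "allow"
    if rule == "block-all":
        return "block-file"
    if rule == "block-executables":
        return "block-file" if flow.file_type in EXECUTABLE_TYPES else "allow"
    raise ValueError(f"unknown rule: {rule}")


# The two flows from the slides: identical at L3/L4, different in context.
ROADMAP_UPLOAD = Flow("172.16.1.10", "64.81.2.23", "tcp/443",
                      application="slideshare-uploading", user="bjacobs",
                      group="prodmgmt", file_type="pdf", file_name="roadmap.pdf")
SHIPMENT_DOWNLOAD = Flow("172.16.1.10", "64.81.2.23", "tcp/443",
                         application="web-browsing", user="fthomas",
                         group="finance", file_type="exe", file_name="shipment.exe")

# Constructed flows (not from the slides) covering the other two policy rows.
SHAREPOINT_PDF = Flow("172.16.1.10", "64.81.2.23", "tcp/443",
                      application="sharepoint-online", file_type="pdf", file_name="q3.pdf")
SHAREPOINT_EXE = Flow("172.16.1.10", "64.81.2.23", "tcp/443",
                      application="sharepoint-online", file_type="exe", file_name="setup.exe")
BACKUP_EXE = Flow("172.16.1.10", "64.81.2.23", "tcp/443",
                  application="cloud-backup", file_type="exe", file_name="setup.exe")

SAMPLE_FLOWS = [ROADMAP_UPLOAD, SHIPMENT_DOWNLOAD, SHAREPOINT_PDF, SHAREPOINT_EXE, BACKUP_EXE]


def compare(flows):
    """Return (file name, legacy verdict, single-pass verdict) for each flow."""
    return [(f.file_name, port_based_decision(f), single_pass_decision(f)) for f in flows]


if __name__ == "__main__":
    for name, legacy, ngfw in compare(SAMPLE_FLOWS):
        print(f"{name:13} legacy={legacy:6} single-pass={ngfw}")
```

Run as-is: the legacy column is "allow" for all five flows because they share the open port, while the single-pass column blocks shipment.exe (web-browsing blocks all files), allows the same executable over cloud-backup, blocks it over sharepoint-online, and denies the slideshare upload because that application has no rule in the Desired Policy.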
Evolving a Platform
Security Platform → Future
Up-Level Understanding: collective intelligence x 7500; ? -> known (in minutes)
Up-Level Enforcement: • endpoint protection • compromised endpoints • disrupt the attack lifecycle
Components: Traps, WildFire™, Aperture™ (SaaS), AutoFocus™, GlobalProtect™ (Internet/WAN, Mobile)
Everywhere You Want/Have to Be
A Consumable Architecture: Operations and IT-level Integration
Flexible Design • e.g. mix-and-match interface modes
Intuitive Management • single rule base • visibility & insight • at-scale
Automation & Integration • Technology: APIs, address groups, network integration options • Business: VMware, Amazon, etc.
(Risk, Agility, Efficiency)
Nobody Else Does What We Do
Unique Architecture: NGFW → Security Platform (simple, extensible), integrating with Identity, SIEM and Hybrid IT (e.g. cloud, SDN)
Unique Security Posture: Disrupt the Attack Lifecycle (Risk, Agility, Efficiency)
Other OPTIONS?
The lifecycle of an attack
1. Bait the end-user: the end user is lured by a dangerous application or a website with malicious content.
2. Exploit: a vulnerability in the system or application is exploited, without the user noticing anything.
3. Download Backdoor: a second payload is downloaded in the background. The malware is installed.
4. Establish Back-Channel: the malware establishes an outbound connection to the attacker, so that the attacker takes control.
5. Explore & Steal: the remote attacker has control inside the network and intensifies the attack.
Anatomy of a compromised network
Diagram labels: Corporate Email Server; Initially targeted client; Phishing email (corporate email with link to malicious site); Phishing email (web-based email with malicious attachment); SMTP, HTTP, SSL; Domain Controller; Application servers; Command-and-control; Exploit delivery, Remote access tool download, Command-and-control; Hypervisor / Virtual server host: Brute-force, Command injection, Exploitation; Mobile Devices: Compromise of mobile devices; Workstations harvested for IP and used as mules; Data exfiltration; Network ownership complete, Legitimate credentials used; Exploitation, tool drops, credential and data theft.
Advanced Threat Prevention Solution
Our approach makes us the only solution able to ...
§ Scan ALL APPLICATIONS (including SSL traffic) to control all IN/OUT access to the network, reduce the attack surface and provide context for forensic analysis
§ Prevent attacks across ALL infection vectors (exploit, DNS and URL) against malware and command & control, using content-based signatures
§ Detect zero-day malware and exploits using a public or private cloud, automatically creating signatures for all users globally
(Identify & control: all applications · Prevent known threats · Detect unknown threats · Rapid, global sharing)
WildFire Architecture
Enterprise Risk Report
Hardware Platforms

Firewall   Firewall Throughput   Threat Prevention Throughput   Ports                                               Session Capacity
PA-5060    20 Gbps               10 Gbps                        4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit   4,000,000
PA-5050    10 Gbps               5 Gbps                         4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit   2,000,000
PA-5020    5 Gbps                2 Gbps                         8 SFP, 12 copper gigabit                            1,000,000
PA-3060    4 Gbps                2 Gbps                         2 SFP+ (10 Gig), 8 SFP (1 Gig), 8 copper gigabit    500,000
PA-3050    4 Gbps                2 Gbps                         8 SFP, 12 copper gigabit                            500,000
PA-3020    2 Gbps                1 Gbps                         8 SFP, 12 copper gigabit                            250,000
PA-500     250 Mbps              100 Mbps                       8 copper gigabit                                    64,000
PA-200     100 Mbps              50 Mbps                        4 copper gigabit                                    64,000
Protecting the whole network
Next-Generation Firewall platform:
Network segment: Data center/cloud · Perimeter · Branch/BYOD
Use case: IDS / IPS / APT / malware · Data Center Gateway
Next-Generation appliance: Physical: PA-200, PA-500, PA-3000 Series, PA-5000 Series, PA-7050 · Virtual: VM-Series · APT: WF-500
Subscription: URL Filtering · GlobalProtect™ · WildFire™ · Threat Prevention
Management system: Panorama and the M-100 appliance
Operating system: PAN-OS™
VM-Series
VM-Series for VMware vSphere (ESXi)
• VM-100, VM-200, VM-300 deployed as guest VMs on VMware ESXi
• Deployed as part of the virtual network configuration for East-West traffic inspection
VM-Series for Citrix NetScaler SDX
• VM-100, VM-200, VM-300 deployed as guest VMs on Citrix NetScaler SDX
• Consolidates ADC and security services for multi-tenant and Citrix XenApp/XenDesktop deployments
VM-Series for VMware NSX
• VM-Series for NSX deployed as a service with VMware NSX and Panorama
• Ideal for East-West traffic inspection
VM-Series for Amazon Web Services
Diagram labels: AWS Management Console; Web, DB and App tiers; corporate data center
VM-Series for KVM in public and private cloud
Standard Hardware
GlobalProtect: a single integrated infrastructure for Mobile Security
TRAPS
Advanced Endpoint Protection
Advanced Endpoint Protection Overview
§ An endpoint solution that prevents
  § Advanced Persistent Threats (APTs)
  § Zero-day attacks
§ By blocking the attack techniques used, rather than relying on signatures
Advanced Endpoint Protection Overview
§ Exploit Prevention
  § Blocking of the techniques used to exploit a vulnerability
    § Buffer overflow
    § Heap corruption
    § DLL hijacking (replacing a legitimate DLL with a malicious one that uses the same name)
    § etc.
Next-generation enterprise security platform
Palo Alto Networks Threat Intelligence Cloud
§ Collects potential threats coming from the network and from endpoints
§ Analyzes and correlates threats
§ Distributes threat information to the network and to endpoints
Palo Alto Networks Next-Generation Firewall
§ Inspects all traffic
§ Blocks known threats
§ Sends what it does not recognize to the cloud
§ Protection also for mobile and virtual networks
Palo Alto Networks Advanced Endpoint Protection
§ Inspects all processes and files
§ Prevents both known and unknown exploits
§ Integrated with the cloud to prevent known and unknown malware
We prevent attacks at every stage of the kill chain
1 Breach the perimeter
  URL Filtering
  § Prevent use of social engineering
  § Block known malicious URLs and IP addresses
  Next-Generation Firewall / GlobalProtect
  § Visibility into all traffic, including SSL
  § Enable business-critical applications
  § Block high-risk applications
  § Block commonly exploited file types
  Threat Prevention
  § Block known exploits, malware and inbound command-and-control communications
2 Deliver the malware
  WildFire
  § Send specific incoming files and email links from the internet to a public or private cloud for inspection
  § Detect unknown threats
  § Automatically deliver protections globally
3 Lateral movement
  Next-Generation Firewall / GlobalProtect
  § Establish secure zones with strictly enforced access control
  § Provide ongoing monitoring and inspection of all traffic between zones
  Threat Prevention
  § Block outbound command-and-control communications
  § Block file and data pattern uploads
  § DNS monitoring and sinkholing
  Traps / WildFire
  § Block known and unknown vulnerability exploits
  § Block known and unknown malware
  § Provide detailed forensics on attacks
4 Exfiltrate data
  URL Filtering
  § Block outbound communication to known malicious URLs and IP addresses
  WildFire
  § Detect unknown threats pervasively throughout the network
Unit-42
Unit-42 Overview
§ Unit-42 is the Palo Alto Networks Threat Intelligence Team
§ Made up of leading cybersecurity experts
§ It collects, researches and analyzes all the latest cyber threats
§ It also analyzes all WildFire results to provide context, motivations and methodologies related to the attacks
§ It shares all this information with Palo Alto Networks customers and the community
Unit-42 links
§ Blog: researchcenter.paloaltonetworks.com/unit42
§ Events: https://www.blackhat.com/us-14/ and https://www.blackhat.com/eu-14/
§ Cyber Threat Alliance: http://cyberconsortium.org/
EXPANSIVE PARTNER ECOSYSTEM
Enterprise Security · Virtualization · Networking · Mobility · Security Analytics