Palo Alto Networks - magellan netzwerke GmbH Palo Alto Networks ... -Dynamic routing (BGP, OSPF,...


Page 1: Palo Alto Networks - magellan netzwerke GmbH Palo Alto Networks ... -Dynamic routing (BGP, OSPF, RIPv2) All interfaces assigned to security ... -Site-to-site IPSec VPN

Palo Alto Networks Jumpstart

[email protected]

+49.172.5118275


About Palo Alto Networks

We are the network security company

• World-class team with strong security and networking experience

- Founded in 2005, first customer July 2007

• We offer next-generation firewalls that safely enable 1,400+ applications

- Restores the firewall as the core of the enterprise network security infrastructure

- Innovations: App-ID™, User-ID, Content-ID, GlobalProtect™, WildFire™

• Global footprint: 7,500+ customers in 100+ countries, 60 of whom deployed more than $1M of our solution

• $200+M in bookings run rate*; 10 consecutive quarters of positive cash flow from operations

© 2012 Palo Alto Networks. Proprietary and Confidential. Page 2 |

(*) Reported on August 1, 2011. Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks’ fiscal year runs from August 1st until July 31st.


2011 Magic Quadrant for Enterprise Network Firewalls


Source: Gartner, December 14, 2011

“Palo Alto Networks' high-performance NGFW functionality continues to drive competitors to react in the firewall market. It is assessed as a Leader mostly because of its NGFW design, redirection of the market along the NGFW path, consistent displacement of Leaders and Challengers, and market disruption forcing Leaders to react.”


Applications Have Changed; Firewalls Have Not


Need to restore visibility and control in the firewall

BUT…applications have changed

• Ports ≠ Applications

• IP Addresses ≠ Users

• Packets ≠ Content

The gateway at the trust border is the right place to enforce policy control

• Sees all traffic

• Defines trust boundary


Technology Sprawl & Creep Are Not The Answer

• “More stuff” doesn’t solve the problem

• Firewall “helpers” have limited view of traffic

• Complex and costly to buy and maintain


• Putting all of this in the same box is just slow


Firewalls MUST Do More to Be Relevant


New Requirements for the Firewall

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify users regardless of IP address

3. Protect in real-time against threats embedded across applications

4. Fine-grained visibility and policy control over application access / functionality

5. Multi-gigabit, in-line deployment with no performance degradation


Why Visibility & Control Must Be In The Firewall


[Diagram labels: Port Policy Decision; App Ctrl Policy Decision]

Application Control as an Add-on

• Port-based FW + App Ctrl (IPS) = two policies

• Applications are threats; only block what you expressly look for

Implications

• Network access decision is made with no information

• Cannot safely enable applications

[Diagram labels: IPS; Applications; Firewall; Port Traffic]

[Diagram labels: Firewall; IPS; App Ctrl Policy Decision; Scan Application for Threats; Applications; Application Traffic]

NGFW Application Control

• Application control is in the firewall = single policy

• Visibility across all ports, for all traffic, all the time

Implications

• Network access decision is made based on application identity

• Safely enable application usage


Identification Technologies Transform the Firewall


• App-ID™

- Identify the application

• User-ID™

- Identify the user

• Content-ID™

- Scan the content


Single-Pass Parallel Processing™ (SP3) Architecture


Single Pass

• Operations once per packet

- Traffic classification (app identification)

- User/group mapping

- Content scanning – threats, URLs, confidential data

• One policy

Parallel Processing

• Function-specific parallel processing hardware engines

• Separate data/control planes

Up to 20Gbps, Low Latency


The Strategic Role of Modern Malware

Infection

Escalation

Remote Control

Malware provides the internal foothold to control and expand a sustained attack


Industry Challenges in Controlling Malware


Unreliable enforcement

• Sandboxes lack enforcement, while enforcement points lack sandbox intelligence

• Lack of outbound traffic controls

• Lack of actionable information

Inability to recognize files as malware

• Targeted malware

• New and refreshed malware

• Long windows to protection

Infecting files are hidden

• Inside applications

• Encrypted traffic, proxies

• Non-standard ports

• Drive-by downloads


Introducing WildFire

• Identifies unknown malware by direct observation in a cloud-based, virtual sandbox

- Detects more than 70 malicious behaviors

- Capture and enforcement performed locally by firewall

- Sandbox analysis performed in the cloud removes need for new hardware and provides single point of malware visibility

• Automatically generates signatures for identified malware

- Infecting files and command-and-control

- Distributes signatures to all firewalls via regular threat updates

• Provides forensics and insight into malware behavior

- Actions on the target machine

- Applications, users and URLs involved with the malware


WildFire Architecture


• Unknown files from the Internet coming into the enterprise

• Firewall submits file to WildFire cloud

• Compare to Known Files

• Sandbox Environment

• Signature Generator

• Admin Web Portal

• New signatures delivered to ALL firewalls via regular threat updates. Portal provides malware forensics


Visibility and Architecture Change the Game


NGFW is Required

• Must decode apps to find hidden files

• Must control SSL, circumventors and evasion

• In-line enforcement and blocking of command and control

Centralized Analysis

• Intelligence and protections shared with ALL firewalls

• No need to reprocess files

• Easily update detection, anti-detection logic

• No new hardware required


Attack Stages of Modern Malware


• Targeted malicious email sent to user

• User clicks on link to a malicious website

• Malicious website exploits client-side vulnerability

• Drive-by download of malicious payload

• URL Filtering

• IPS

• Behavioral Analysis

• Signature Detection


PAN-OS Core Firewall Features

• Strong networking foundation

- Dynamic routing (BGP, OSPF, RIPv2)

- Tap mode – connect to SPAN port

- Virtual wire (“Layer 1”) for true transparent in-line deployment

- L2/L3 switching foundation

- Policy-based forwarding

• VPN

- Site-to-site IPSec VPN

- SSL VPN

• QoS traffic shaping

- Max/guaranteed and priority

- By user, app, interface, zone, & more

- Real-time bandwidth monitor

• Zone-based architecture

- All interfaces assigned to security zones for policy enforcement

• High Availability

- Active/active, active/passive

- Configuration and session synchronization

- Path, link, and HA monitoring

• Virtual Systems

- Establish multiple virtual firewalls in a single device (PA-5000, PA-4000, and PA-2000 Series)

• Simple, flexible management

- CLI, Web, Panorama, SNMP, Syslog

Visibility and control of applications, users and content complement core firewall features

PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060, PA-5060, PA-5050, PA-5020, PA-200


Appliances – Overview

| Firewall | Firewall Throughput | Threat Prevention Throughput | Ports | Session Capacity |
|---|---|---|---|---|
| PA-5060 | 20 Gbps | 10 Gbps | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 4,000,000 |
| PA-5050 | 10 Gbps | 5 Gbps | 4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit | 2,000,000 |
| PA-5020 | 5 Gbps | 2 Gbps | 8 SFP, 12 copper gigabit | 1,000,000 |
| PA-4060 | 10 Gbps | 5 Gbps | 4 XFP (10 Gig), 4 SFP (1 Gig) | 2,000,000 |
| PA-4050 | 10 Gbps | 5 Gbps | 8 SFP, 16 copper gigabit | 2,000,000 |
| PA-4020 | 2 Gbps | 2 Gbps | 8 SFP, 16 copper gigabit | 500,000 |
| PA-3050 | 4 Gbps | 2 Gbps | 8 SFP, 12 copper gigabit | 500,000 |
| PA-3020 | 2 Gbps | 1 Gbps | 8 SFP, 12 copper gigabit | 250,000 |
| PA-2050 | 1 Gbps | 500 Mbps | 4 SFP, 16 copper gigabit | 250,000 |
| PA-2020 | 500 Mbps | 250 Mbps | 8 copper gigabit | 125,000 |
| PA-500 | 250 Mbps | 100 Mbps | 8 copper gigabit | 64,000 |
| PA-200 | 100 Mbps | 50 Mbps | 4 copper gigabit | 64,000 |


VM-Series – Overview

• PAN-OS next-gen firewall features in a virtual form factor

• Visibility and control of traffic between VMs

Specifications

| Model | Sessions | Rules | Security Zones | Address Objects | IPSec VPN Tunnels | SSL VPN Tunnels |
|---|---|---|---|---|---|---|
| VM-100 | 50,000 | 250 | 10 | 2,500 | 25 | 25 |
| VM-200 | 100,000 | 2,000 | 20 | 4,000 | 500 | 200 |
| VM-300 | 250,000 | 5,000 | 40 | 10,000 | 2,000 | 500 |

Supported on VMware ESX/ESXi 4.0 or later

Minimum of 2 CPU cores, 4GB RAM, 40GB HD, 2 interfaces

Supports active/passive HA without state synchronization. Does not support 802.3ad, virtual systems, jumbo frames

Performance

| Cores Allocated | Firewall (App-ID) | Threat Prevention | VPN | Sessions per Second |
|---|---|---|---|---|
| 2 Core | 500 Mbps | 200 Mbps | 100 Mbps | 8,000 |
| 4 Core | 1 Gbps | 600 Mbps | 250 Mbps | 8,000 |
| 8 Core | 1 Gbps | 1 Gbps | 400 Mbps | 8,000 |


Flexible Deployment Options

Visibility

• Application, user and content visibility without inline deployment

Transparent In-Line

• IPS with app visibility & control

• Consolidation of IPS & URL filtering

Firewall Replacement

• Firewall replacement with app visibility & control

• Firewall + IPS

• Firewall + IPS + URL filtering


Enterprise-Wide Next-Generation Firewall Protection

Same Next-Generation Firewall, Different Benefits…

Perimeter

• Identify and control applications, users and content

• Positive enablement

Data Center

• Network segmentation based on users and applications

• High performance threat prevention

Distributed Enterprise (Branch Office, Remote Users)

• Extending consistent security to all users and locations

• Visibility and control over applications, users and content


IT infrastructure: past

past: clear segregation

• Control by physical location

• “yours” and “mine” is clear to see


IT infrastructure: present

present: partially open

• Outsourcing / hosting relocates servers to the “outside”

• Client2Site VPN for roaming clients

• “guest access” for contractors


IT infrastructure: future

future: massive outsourcing of services and devices

• vDC and SaaS replace large chunks of today's IT

• Corporate WAN mostly replaced by Site2Site VPN

• BYOD is default


Palo Alto Networks Weekly Jumpstart

[email protected]

(408) 753-4000