Next-Generation Firewall Overview

Similar documents
App-ID. PALO ALTO NETWORKS: App-ID Technology Brief

FIREWALL OVERVIEW. Palo Alto Networks Next-Generation Firewall

APP-ID. A foundation for visibility and control in the Palo Alto Networks Security Platform

Palo Alto Networks Stallion Spring Seminar -Tech Track. Peter Gustafsson, June 2010

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

Paloalto Networks PCNSA EXAM

Hardening the Education. with NGFW. Narongveth Yutithammanurak Business Development Manager 23 Feb 2012

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

Palo Alto Networks PCNSE7 Exam

DECRYPT SSL AND SSH TRAFFIC TO DISRUPT ATTACKER COMMUNICATIONS AND THEFT

A Comprehensive CyberSecurity Policy

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

Cisco ASA Next-Generation Firewall Services

Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

PANORAMA. Figure 1: Panorama deployment

ForeScout Extended Module for Palo Alto Networks Next Generation Firewall

The Application Usage and Risk Report End User Application Trends in the Enterprise - Country Specific Findings

WatchGuard Total Security Complete network protection in a single, easy-to-deploy solution.

Coordinated Threat Control

Palo Alto Networks PAN-OS

VM-SERIES FOR VMWARE VM VM

SRX als NGFW. Michel Tepper Consultant

NETWORK FORENSIC ANALYSIS IN THE AGE OF CLOUD COMPUTING.

CA Security Management

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS)

TRAPS ADVANCED ENDPOINT PROTECTION

PANORAMA. Key Security Features

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

Compare Security Analytics Solutions

NetDefend Firewall UTM Services

A Unified Threat Defense: The Need for Security Convergence

Juniper Sky Advanced Threat Prevention

JUNIPER SKY ADVANCED THREAT PREVENTION

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

SECURING YOUR MICROSOFT ENVIRONMENT

Data Sheet: Endpoint Security Symantec Network Access Control Starter Edition Simplified endpoint enforcement

Future-ready security for small and mid-size enterprises

Snort: The World s Most Widely Deployed IPS Technology

The Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company

Symantec Network Access Control Starter Edition

Symantec Security.cloud

Pulse Secure Application Delivery

Cisco Intrusion Prevention Solutions

ACTIONABLE SECURITY INTELLIGENCE

McAfee Public Cloud Server Security Suite

Symantec Network Access Control Starter Edition

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

1110 Cool Things Your Firewall Should Do. Extend beyond blocking network threats to protect, manage and control application traffic

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions

McAfee Skyhigh Security Cloud for Citrix ShareFile

The Next Generation Security Platform. Domenico Stranieri Pre- Sales Engineer Palo Alto Networks EMEA Italy

SAS and F5 integration at F5 Networks. Updates for Version 11.6

Reviewer s guide. PureMessage for Windows/Exchange Product tour

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Cisco IOS Inline Intrusion Prevention System (IPS)

High Availability Synchronization PAN-OS 5.0.3

Citrix SD-WAN for Optimal Office 365 Connectivity and Performance

Seceon s Open Threat Management software

Outwit Cyber Criminals with Comprehensive Malware and Exploit Protection.

Symantec Network Access Control Starter Edition

Paloalto Networks Exam PCNSE6 Palo Alto Networks Certified Network Security Engineer 6.0 Version: 6.1 [ Total Questions: 153 ]

SECURITY PLATFORM FOR HEALTHCARE PROVIDERS

Corrigendum 3. Tender Number: 10/ dated

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version

INSIDE. Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server. Enhanced virus protection for Web and SMTP traffic

Symantec Protection Suite Add-On for Hosted Security

Reducing the Cost of Incident Response

NCIRC Security Tools NIAPC Submission Summary Juniper IDP 200

IBM Proventia Network Anomaly Detection System

CA Host-Based Intrusion Prevention System r8

ForeScout Extended Module for MaaS360

McAfee Security Management Center

Security Automation. Challenge: Automatizzare le azioni di isolamento e contenimento delle minacce rilevate tramite soluzioni di malware analysis

IBM Security Network Protection Solutions

IBM Next Generation Intrusion Prevention System

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

Enterprise Guest Access

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

Reducing Operational Costs and Combating Ransomware with McAfee SIEM and Integrated Security

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

IPS-1 Robust and accurate intrusion prevention

McAfee Total Protection for Data Loss Prevention

Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution

BYOD: BRING YOUR OWN DEVICE.

RSA INCIDENT RESPONSE SERVICES

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

RSA INCIDENT RESPONSE SERVICES

McAfee Skyhigh Security Cloud for Amazon Web Services

Seqrite Endpoint Security

Cisco s Appliance-based Content Security: IronPort and Web Security

Trend Micro Deep Security

Cisco ASA 5500 Series IPS Solution

McAfee Endpoint Security

IBM Internet Security Systems Proventia Management SiteProtector

Novetta Cyber Analytics

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

ForeScout ControlFabric TM Architecture

Transcription:

Next-Generation Firewall Overview Contact NextGig Systems, Inc. 805-277-2400 NextGigSystems.com Business and technology advancements have steadily eroded the protection that the traditional firewall provided. Users have come to expect to be able to work from any location they desire the office, their home, a hotel room, or a coffee shop rendering the traditional concept of a perimeter obsolete. Furthermore, applications easily bypass traditional port-based firewalls; hopping ports, using SSL and SSH, sneaking across port 80, or using non-standard ports. Attempts to restore visibility and control have produced duplicate security polices for local and remote users. The local policy includes firewall helpers deployed either stand-alone, or through sheet-metal integration, while the remote user policy is delivered via parallel, end-point offerings. These approaches introduce policy inconsistency and do not solve the visibility and control problem due to inaccurate or incomplete traffic classification, cumbersome management, and multiple latency-inducing scanning processes. Restoring visibility and control requires a new, fresh, from-the-ground-up approach. What s needed is a next-generation firewall that unifies security policies for all users, and all applications, both local and remote. Key Next-Generation Firewall Requirements: Identify applications, not just ports: Identify exactly what the application is, across all ports, irrespective of protocol, encryption (SSL or SSH), or evasive tactic. The application identity becomes the basis for all security policies. Identify users, not just IP addresses: Employ user and group information from enterprise directories for visibility, policy creation, reporting, and forensic investigation no matter where the user is located. Inspect content in real-time: Protect the network against vulnerability exploits and malware embedded in application traffic, regardless of origin. Simplify policy management: Securely enable applications with easy-to-use graphical tools that tie them together in a unified policy. Enable a logical perimeter: Secure all users, including traveling and telecommuter users, with consistent security that extends from the physical to the logical perimeter. Deliver multi-gigabit throughput: Combine purpose-built hardware and software to enable low-latency, multi-gigabit performance with all services enabled. Palo Alto Networks next-generation firewalls enable unprecedented visibility and control of applications, users, and content not just ports, IP addresses, and packets using three unique identification technologies: App-ID, User-ID, and Content-ID. These identification technologies, found in every Palo Alto Networks enterprise firewall, enable enterprises to embrace Web 2.0 and maintain complete visibility and control, while significantly reducing total cost of ownership through device consolidation.

App-ID: Classifying Applications, All Ports, All the Time Accurate traffic classification is the heart of any firewall, with the result becoming the basis of the security policy. Traditional firewalls classify traffic by port and protocol, which, at one point, was a satisfactory mechanism for securing the perimeter. Today, applications can easily bypass a port-based firewall; hopping ports, using SSL and SSH, sneaking across port 80, or using non-standard ports. App-ID TM addresses the traffic classification visibility limitations that plague traditional firewalls by applying multiple classification mechanisms to the traffic stream, as soon as the device sees it, to determine the exact identity of applications traversing the network. Unlike add-on offerings that rely solely on IPS-style signatures, implemented after port-based classification, every App-ID automatically uses up to four different traffic classification mechanisms to determine the exact identity of the application. There is no need to apply specific settings for a particular application, App-ID continually classifies the traffic, using the appropriate identification mechanism, resulting in consistent and accurate application identification, across all ports, for all the traffic, all the time, in many cases, down to the function level. Application Protocol Detection / Decryption Application Protocol Decoding Application Signature Heuristics As applications are identified by the successive mechanisms, the policy check determines how to treat them: block, allow, or securely enable (scan for, and block embedded threats, inspect for unauthorized file transfer and data patterns, or shape using QoS). enable organizations to incorporate user information into their security policies. A network-based User-ID agent communicates with the domain controller, mapping the user information to the IP address that they are using at a given time. 10.0.0.227 10.0.0.211 Login 10.0.0.232 Monitoring 10.0.0.220 10.0.0.239 10.0.0.242 10.0.0.245 10.0.0.209 10.0.0.217 End Station 10.0.0.232 Polling 10.0.0.221 User-ID Role Discovery Captive Portal Paul I Engineering Finance Group User and group information provided by User-ID is pervasive throughout the Palo Alto Networks next-generation firewall feature set including Application Command Center, the policy editor, logging and reporting. Content-ID: Protecting Allowed Traffic Today s employees are using any application they want for a combination of both work and personal purposes; simultaneously, attackers are taking full advantage of this unfettered usage to achieve their goals. Content-ID, in conjunction with App-ID, provides administrators with a two-pronged solution to protecting their network assets. App-ID can be used to identify and control the applications on the network, allowing specific applications to be used. Then, using Content-ID, specific policies can be applied to each application as a means of blocking attacks and limiting the transfer of unauthorized files and sensitive data. Rounding out the control elements that Content-ID offers is a comprehensive URL database to control web surfing. N User-ID: Enabling Applications by Users and Groups Traditionally, security policies were applied based on IP addresses, but the increasingly dynamic nature of users and computing means that IP addresses alone have become ineffective as a mechanism for monitoring and controlling user activity. DATA CC # SSN Files THREATS Vulnerability Exploits Viruses Spyware URLS Web Filtering User-ID seamlessly integrates Palo Alto Networks next-generation firewalls with the widest range of enterprise directories on the market; Active Directory, edirectory, Open LDAP, Citrix, Microsoft Terminal Server, and XenWorks. An XML API and Captive Portal round out the range of mechanisms that Content-ID PAGE 2

Content-ID uses a stream-based scanning engine and a uniform signature format to look for and block a wide range of attacks including vulnerability exploits, viruses, spyware, and worms. Stream-based scanning means that threat prevention begins as soon as the first packet is scanned while the uniform signature format eliminates redundant processes common to multiple scanning engine solutions (TCP reassembly, policy lookup, inspection, etc.). The result is a reduction in latency and improved performance. Secure Application Enablement The seamless integration of App-ID, User-ID, and Content-ID enables organizations to establish consistent application enablement policies, down to the functional level in many cases, that span the permissiveness spectrum from allow to deny. The same policies that protect users within the corporate headquarters can be extended to all users, no matter where they are located, thereby establishing a logical perimeter for users outside of the corporate walls. Secure enablement policies begin with the application identity, determined by App-ID, as soon as traffic hits the device. The application identity is then mapped to the associated user with User-ID, while traffic content is scanned for threats, files, data patterns, and web activity by Content-ID. These results are displayed in Application Command Center (ACC) where the administrator can learn, in near real-time, what is happening on the network. Then, in the policy-editor, the datapoints gleaned from ACC about applications, users, and content can be turned into appropriate security policies that block unwanted applications, while allowing and enabling others in a secure manner. Finally, any detailed analysis, reporting, or forensics can be performed, again, with applications, users, and content as the basis. Application Command Center: Knowledge is Power Application Command Center (ACC) utilizes a subset of the log database to graphically display a high-level summary of the applications traversing the network, who is using them, and their potential security impact. ACC is dynamically updated, leveraging the continuous traffic classification that App-ID performs; if an application changes ports, App-ID continues to see the traffic, displaying the results in App-ID. There are no settings to modify, no signatures to enable or configure. New or unfamiliar applications that are seen in ACC can be quickly investigated with a single click that displays a description of the application, its key features, its behavioral characteristics, and who is using it. Additional data on URL categories, threats, and data provides a complete and well-rounded picture of network activity. With ACC, an administrator can very quickly learn more about the traffic traversing the network and then translate that information into a more informed security policy. Application Visibility View application activity in a clear, easy-to-read format. Add and remove filters to learn more about the application, its functions and who is using them. PAGE 3

Policy Creation A familiar look and feel enables the rapid creation and deployment of policies that control applications, users and content. Policy Editor: Translating Knowledge into Secure Enablement Policies Immediate access to the knowledge of which applications are traversing the network, who is using them, and the potential security risk empowers administrators to quickly deploy application-, application function-, and port-based enablement policies in a systematic and controlled manner. Policy responses can range from open (allow), to moderate (enabling certain applications or functions, then scan, or shape, schedule, etc.), to closed (deny). Examples may include: groups by leveraging user and group information. to finance groups, forcing the traffic across the standard ports, and inspect the traffic for application vulnerabilities. applications across their standard ports. inspects specific webmail and instant messaging usage. use of their respective file transfer functions. administration team, and allow access to SharePoint Docs for all other users. intensive applications but limit their impact on VoIP applications. card numbers or social security numbers, either in text or file format. non-work related sites, monitor questionable sites, and coach access to others using customized block pages. unwanted applications such as P2P file sharing, circumventors, and external proxies. The tight integration of application control, based on users and groups, and the ability to scan the allowed traffic for a wide range of threats, allows organizations to dramatically reduce the number of policies they are deploying along with the number of employee adds, moves and changes that may occur on a day-to-day basis. PAGE 4

Content and Threat Visibility View URL, threat and file/data transfer activity in a clear, easyto-read format. Add and remove filters to learn more about individual elements. Policy Editor: Protecting Enabled Applications Securely enabling applications means allowing access to the applications, then applying specific threat prevention and file, data, or web traffic blocking policies with Content-ID. Each of the elements included in Content-ID can be configured on a per-application or application-function basis, allowing administrators to be very targeted in their prevention efforts. Intrusion Prevention System (IPS): Vulnerability protection integrates a rich set of intrusion prevention system (IPS) features to block known and unknown network and application-layer vulnerability exploits, buffer overflows, DoS attacks, and port scans. Network Antivirus: Stream-based antivirus protection blocks from millions of malware variants, including PDF viruses and malware hidden within compressed files or web traffic (compressed HTTP/HTTPS). Policy based SSL decryption enables organizations to protect against malware moving across SSL encrypted applications. URL Filtering: A fully-integrated, customizable URL filtering database of 20 million URLs across 76 categories allows administrators to apply granular web-browsing policies, complementing application visibility and control policies and safeguarding the enterprise from a full spectrum of legal, regulatory, and productivity risks. File and Data Filtering: Data filtering features enable administrators to implement policies that will reduce the risks associated with file and data transfers. File transfers and downloads can be controlled by looking inside the file (as opposed to looking only at the file extension), to determine if it allowed or not. Executable files, typically found in drive-by downloads, can be blocked, thereby protecting the network from unseen malware propagation. Finally, data filtering features can detect, and control the flow of confidential data patterns (credit card and social security numbers). Traffic Monitoring: Analysis, Reporting and Forensics Security best practices dictate that administrators strike a balance between being proactive, continually learning and adapting to protect the corporate assets and being reactive, investigating, analyzing and reporting on security incidents. ACC and the policy editor can be used to proactively apply application enablement policies, while a rich set of monitoring and reporting tools provide organizations with the necessary means to analyze and report on the application, users and content flowing through the Palo Alto Networks nextgeneration firewall. App-Scope: Complementing the real-time view of applications and content provided by ACC, App-scope provides a dynamic, user-customizable view of application, traffic and threat activity over time. PAGE 5

Reporting: Predefined reports can be used as-is, customized, or grouped together as one report in order to suit the specific requirements. All reports can be exported to CSV or PDF format and they can be executed and emailed on a scheduled basis. Behavioral Botnet Detection: Data regarding unknown applications, IRC traffic, malware sites, dynamic DNS, and newly created domains is analyzed with the results displaying the list of potentially infected hosts that can be investigated as members of a botnet. Logging: Real-time log filtering facilitates rapid forensic investigation into every session traversing the network. Log filter results can be exported to a CSV file or sent to a syslog server for offline archival or additional analysis. Trace Session Tool: Accelerate forensics or incident investigation with a centralized, correlated view across all of the logs for traffic, threats, URLs, and applications related to an individual session. GlobalProtect: Extending Policy Control to All Users For users within the physical perimeter, enforcing security policies with a next-generation firewall is straightforward. Traffic is classified by the firewall, enablement policies are applied, traffic is scanned for threats, and the network is protected. However, the rapid pace of today s business has forced an abstraction of applications, users, and content from the physical perimeter, making the deployment and enforcement of a consistent set of security policies for remote users nearly impossible. based policies that are enforced within the physical perimeter to all users, no matter where they are located. In the physical perimeter. Employees working from home, on the road for business, or logging in from a coffee shop will be protected by the logical perimeter in the same manner that they would be if they were working from their office. a consistent firewall-based security policy for all users. The creation and management of separate policies for firewalls and remote users is eliminated, as are the associated management efforts. The result is a streamlined security infrastructure and a more consistent security policy. GlobalProtect Enforce consistent secure application enablement policies for all users, no matter where they are located. Contact NextGig Systems, Inc. 805-277-2400 NextGigSystems.com Palo Alto Networks 232 E. Java Drive Sunnyvale, CA. 94089 Sales 866.320.4788 408.738.7700 www.paloaltonetworks.com Copyright 2011, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID, GlobalProtect and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_DS_FFOV_041311

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback