Transcript of Palo Alto Networks “Simplify your security”
Palo Alto Networks
“Simplify your security”
Agenda
2 | ©2013, Palo Alto Networks. Confidential and Proprietary.
1. Complexity: risks and problems
2. What does a security environment look like today?
3. How does Palo Alto Networks address this problem?
4. Our solution in detail
“Complexity is the Worst Enemy of Security”
- Bruce Schneier
Complexity: risks and side effects…
For starters, the global survey of 2,400 IT security administrators found that more than half of their organizations work with at least seven security vendors. Not coincidentally, in every country surveyed the complexity of managing security operations ranked as the No. 1 information security challenge. In the U.S., complexity (the main challenge for 33% of survey respondents) ranked well ahead of data theft by insiders (21%), compliance (19%), security policy enforcement (15%), and data theft by outsiders (12%). That's right: Security groups aren't spending most of their energy battling malicious insiders, hackers, or the latest malware. Rather, they're combating the complexity of their own security programs. Furthermore, organizations report that they're loath to cut vendors, fearing that they'll have to settle for higher prices, greater total cost of ownership, and fewer capabilities.
- Ponemon Institute (sponsored by Check Point)
Operational complexity is the top challenge for IT security
Security teams spend more time fighting their own infrastructure than fighting external and internal attack vectors
Think about this for a minute. In our attempts to defend the network and critical assets from cyber threats, we have fallen into the trap of bolting on more and more security layers and policies. The result is that we’ve increased the level of complexity within the environment to the point where we have actually created risk because of human errors, misconfigurations, etc.
- Wired
What does a security environment look like today?
The more the better?
Currently used approaches
[Diagram: Internet on one side, Enterprise Network on the other, with inline devices added one per slide: Firewall, IPS, DLP, QoS, AV, URL, Proxy]
• In the beginning there was the firewall…
• Add an IPS system
• Add a data loss prevention system
• Perhaps quality of service, too?
• Network antivirus
• URL filter, dedicated or integrated with a proxy
• Proxy
• “More” is not necessarily “more good”…
• Each device sees only a slice of the traffic
• Complex, expensive, maintenance-intensive
• “Legacy” architecture
• No integrated application awareness per module
UTM architecture: “room for one more…”
[Diagram: a UTM appliance between the Internet and the enterprise network, built from four independent engine stacks]
• URL: L2/3 networking, port/protocol-based ID, HTTP decoder
• Firewall: L2/3 networking, port/protocol-based ID
• IPS: L2/3 networking, port/protocol-based ID, IPS decoder, IPS signatures
• Antivirus: L2/3 networking, port/protocol-based ID, AV decoder & proxy, AV signatures
How does Palo Alto Networks address this problem?
Firewall security platform: a holistic solution
Enterprise Security Platform
Next-Generation Firewall
• Analyses all data
• Blocks known threats…
• …and sends unknown ones for analysis
• Extensible (mobile/virtual)
Next-Generation Threat Cloud
• Potential network and endpoint threats are collected
• The data is analysed for malicious behaviour
• Results are made available to the network and endpoint systems
Next-Generation Endpoint
• Inspects all processes and files
• Prevents known & unknown exploits
• Integrated with cloud analysis for detecting (unknown) malware
[Diagram: known & unknown zero-day findings flow to the threat cloud; real-time signatures flow back; the cloud confirms the threat finding and provides integrated reporting]
① Protects against attacks, including novel/unknown ones
② Protects all users and applications, including mobile and virtual ones!
③ Seamless integration of network and endpoint security, using the strengths of both
④ Enables rapid analysis of new threats
Our solution in detail
“Let the Firewall do its job!”
Today's firewalls: still fit for purpose?
Applications: attack vector and target at the same time
Encrypted applications: “invisible” threats
“Enabling Applications, Users and Content – Safely”
Making the Firewall a Business Enablement Tool
Applications: accurate classification of traffic with App-ID.
Users: incorporation of users and groups with User-ID and GlobalProtect.
Content: analysis of, and protection against, malicious content of known or unknown nature with Content-ID and WildFire.
Wildfire?
Spread of “0-day malware”
[Chart: malware attack attempts (0 to 10,000) per hour over 48 hours]
• Analysis of 50 “0-day malware” samples
• Caught with WildFire in a customer network
• Shows the infection rate of new malware over hours
Threat coverage by AV signatures
[Chart: coverage rate of new malware (50 samples) by AV vendors; y-axis coverage rate in percent (0% to 100%), x-axis Day-0 to Day-6, series for 0 to 5 vendors; coverage rate of the top 5 AV vendors by day]
Spread of “0-day malware”
[Chart: the same malware attack attempts per hour over 48 hours, with WildFire customers marked]
95% of the victims of new malware are infected within 24 hours!
Successful containment and protection allows no waiting time!
WildFire architecture
• 10 Gbps throughput for threat prevention
• Any traffic, all ports
• Web, email, FTP, SMB, etc.
• Malware can “unfold freely” in our sandbox.
• Updates to the sandbox systems without impact on customers/users
• Signatures are created and tested based on the binary itself.
• Stream-based analysis logic for true inline scanning
Which files are analysed?
Simultaneous analysis on different platforms
Mobile Malware
Android APK
The hardware
PAN-OS Core Firewall Features
• Strong networking foundation: dynamic routing (BGP, OSPF, RIPv2); tap mode (connect to SPAN port); virtual wire (“Layer 1”) for true transparent in-line deployment; L2/L3 switching foundation; policy-based forwarding
• VPN: site-to-site IPSec VPN; remote access (SSL) VPN
• QoS traffic shaping: max/guaranteed and priority; by user, app, interface, zone, & more; real-time bandwidth monitor
• Zone-based architecture: all interfaces assigned to security zones for policy enforcement
• High Availability: active/active, active/passive; configuration and session synchronization; path, link, and HA monitoring
• Virtual Systems: establish multiple virtual firewalls in a single device (PA-7050, PA-5000, PA-4000, PA-3000, and PA-2000 Series)
• Simple, flexible management: CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content complement core firewall features
Platforms: PA-500; PA-200; PA-2000 Series (PA-2050, PA-2020); PA-3000 Series (PA-3050, PA-3020); PA-4000 Series (PA-4060, PA-4050, PA-4020); PA-5000 Series (PA-5060, PA-5050, PA-5020); VM-Series (VM-300, VM-200, VM-100); PA-7050
Single Pass Platform Architecture
Flexible deployment
• Tap Mode: application, user and content visibility without inline deployment
• Transparent In-Line: IPS with app visibility & control; consolidation of IPS & URL filtering
• Firewall Replacement: firewall replacement with app visibility & control; firewall + IPS; firewall + IPS + URL filtering
• VM-Series introduces the ability for secure segmentation to be done within the host
Within the Host
NGFW as a VM, versus as a Service
VM-Series as a Guest VM
• Virtual networking configured to pass traffic through the firewall
• Requires vSwitch and port group configuration
• Connects as L3, L2, V-wire, or Tap
VM-Series NSX Edition as a Service
• NGFW is an NSX Service
• Resides below the vSwitch and above the vNIC
• NSX steers traffic to and from the VM before
Networking
VM-Series support for Citrix NetScaler SDX
• Citrix NetScaler SDX is an open service-delivery platform that consolidates ADC (application delivery controller) and best-in-class network and security services
• VM-Series is now supported on Citrix SDX 11500 and 17550 Series
• Key use cases:
  • Multi-tenant cloud deployments to meet individual needs of business units, application owners, service provider customers
  • Integrated solution for Citrix XenApp/XenDesktop deployments
VM-100, VM-200, VM-300 deployed as guest VMs
Security through simplification
[Diagram: IPS, QoS, DLP, AV, URL, APT/zero-day and Proxy consolidated on one platform]
All functions combined
Central logging
Uniform policies
Drastically reduced administrative effort
Performance
“Simplicity is power” (Citrix)
[…] half of the survey respondents […] stated that complex policies ultimately led to a security breach, system outage or both.