Palo Alto Networks Customer Presentation November 2009 Ozan Ozkara
About Palo Alto Networks
• Founded in 2005 by a world-class team with strong security and networking experience
• Innovations: App-ID, User-ID, Content-ID
• Builds next-generation firewalls that identify and control more than 850 applications; makes firewall strategic again
• Global footprint: presence in 50+ countries, 24/7 support
Page 2 |
© 2009 Palo Alto Networks. Proprietary and Confidential.
Applications Have Changed – Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary
• BUT… Applications Have Changed
- Ports ≠ Applications
- IP Addresses ≠ Users
- Packets ≠ Content
Need to Restore Visibility and Control in the Firewall
Application Control Efforts are Failing
• Palo Alto Networks’ Application Usage & Risk Report highlights actual behavior of 900,000 users across more than 60 organizations
- Bottom line: despite all having firewalls, and most having IPS, proxies, & URL filtering – none of these organizations could control what applications ran on their networks
• Applications evade, transfer files, tunnel other applications, carry threats, consume bandwidth, and can be misused.
• Applications carry risks: business continuity, data loss, compliance, productivity, and operations costs
The Right Answer: Make the Firewall Do Its Job
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation
Identification Technologies Transform the Firewall
• App-ID: Identify the application
• User-ID: Identify the user
• Content-ID: Scan the content
Purpose-Built Architecture: PA-4000 Series
[Block diagram: a dedicated control plane (dual-core CPU, RAM, HDD) separate from the data plane; the data plane chains a content scanning hardware engine with multiple RAM banks, a multi-core security processor (CPU 1 … CPU 16 with RAM, plus SSL, IPSec and decompression acceleration) and a 10 Gig network processor (route, ARP, MAC lookup, NAT, QoS), with 10Gbps paths between stages]
• Dedicated Control Plane
- Highly available mgmt
- High speed logging and route updates
• Content Scanning HW Engine
- Palo Alto Networks’ uniform signatures
- Multiple memory banks – memory bandwidth scales performance
• Multi-Core Security Processor
- High density processing for flexible security functionality
- Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
• 10 Gig Network Processor
- Front-end network processing offloads security processors
- Hardware accelerated QoS, route lookup, MAC lookup and NAT
Enables Visibility Into Applications, Users, and Content
PAN-OS Core Firewall Features
Visibility and control of applications, users and content complement core firewall features
• Strong networking foundation
- Dynamic routing (OSPF, RIPv2)
- Tap mode – connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation
• VPN
- Site-to-site IPSec VPN
- SSL VPN
• QoS traffic shaping
- Max/guaranteed and priority
- By user, app, interface, zone, IP and scheduled
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active / passive
- Configuration and session synchronization
- Path, link, and HA monitoring
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 & PA-2000 Series only)
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog, XML API
[Product images: PA-4060, PA-4050, PA-4020, PA-2050, PA-2020, PA-500]
Flexible Deployment Options
• Visibility
- Application, user and content visibility without inline deployment
• Transparent In-Line
- IPS with app visibility & control
- Consolidation of IPS & URL filtering
• Firewall Replacement
- Firewall replacement with app visibility & control
- Firewall + IPS
- Firewall + IPS + URL filtering
Enterprise Device and Policy Management
• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog
- Role-based administration enables delegation of tasks to appropriate person
• Panorama central management application
- Shared policies enable consistent application control policies
- Consolidated management, logging, and monitoring of Palo Alto Networks devices
- Consistent web interface between Panorama and device UI
- Network-wide ACC/monitoring views, log collection, and reporting
• All interfaces work on current configuration, avoiding sync issues
Addresses Three Key Business Problems
• Identify and Control Applications
- Visibility of over 850 applications, regardless of port, protocol, encryption, or evasive tactic
- Fine-grained control over applications (allow, deny, limit, scan, shape)
- Fixes the firewall
• Prevent Threats
- Stop a variety of threats – exploits (by vulnerability), viruses, spyware
- Stop leaks of confidential data (e.g., credit card #, social security #)
- Stream-based engine ensures high performance
• Simplify Security Infrastructure
- Fix the firewall, rationalize security infrastructure
- Reduce complexity in architecture and operations
Thank You
Additional Information: Speeds and Feeds, Deployment, Customers, TCO, Support, and Management
Palo Alto Networks Next-Gen Firewalls
PA-4060
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 4 XFP (10 Gig) I/O
• 4 SFP (1 Gig) I/O
PA-4050
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
PA-4020
• 2 Gbps FW
• 2 Gbps threat prevention
• 500,000 sessions
• 16 copper gigabit
• 8 SFP interfaces
PA-2050
• 1 Gbps FW
• 500 Mbps threat prevention
• 250,000 sessions
• 16 copper gigabit
• 4 SFP interfaces
PA-2020
• 500 Mbps FW
• 200 Mbps threat prevention
• 125,000 sessions
• 12 copper gigabit
• 2 SFP interfaces
PA-500
• 250 Mbps FW
• 100 Mbps threat prevention
• 50,000 sessions
• 8 copper gigabit
Leading Organizations Trust Palo Alto Networks
[Customer logos grouped by industry: Health Care; Financial Services; Government; Media / Entertainment / Retail; Service Providers / Services; Mfg / High Tech / Energy; Education]
Fix The Firewall – and Save Money!
• Capital cost – replace multiple devices
- Legacy firewall, IPS, URL filtering device (e.g., proxy, secure web gateway)
- Cut by as much as 80%
• “Hard” operational expenses
- Support contracts
- Subscriptions
- Power and HVAC
- Cut by as much as 65%
• Save on “soft” costs too
- Rack space, deployment/integration, headcount, training, help desk calls
Legendary Customer Support Experience
• Strong TSE team with deep network security and infrastructure knowledge
- Experience with every major firewall
- TSEs average over 15 years of experience
• TSEs co-located with engineering – in Sunnyvale, CA
• Premium and Standard offerings
• Rave reviews from customers
“Customer support has always been amazing. Whenever I call, I always get someone knowledgeable right away, and never have to wait. They give me the answer I need quickly and completely. Every support rep I have spoken with knows his stuff.” – Mark Kimball, Hewlett-Packard
“Customer support has been extraordinarily helpful – which is not the norm when dealing with technology companies. Their level of knowledge, their willingness to participate – it’s night and day compared to other companies. It’s an incredible strength of Palo Alto Networks.” – James Jones, UPMC
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific parallel processing hardware engines
• Separate data/control planes
Up to 10Gbps, Low Latency
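The slides above make three claims that are easy to state and worth seeing in code: ports are not applications, IP addresses are not users, packets are not content (the "Applications Have Changed" slide), and all three identifications plus one policy happen in a single pass per packet (this SP3 slide). The following is an added illustration written for this page; it is not Palo Alto Networks code and does not reflect how App-ID, User-ID or Content-ID are actually implemented. The payload signatures, IP-to-user table, group membership, card-number pattern, policy rules and sample flows are all constructed stand-ins. It contrasts what a port-based firewall would conclude about each flow with what payload classification concludes, then applies one rule set keyed on application and user group, with a data-filtering verdict that can override an allow.

```python
# Added illustration (not Palo Alto Networks code): a toy "single-pass" policy
# engine that classifies each flow by payload signature rather than port
# (App-ID stand-in), maps the source IP to a user and group (User-ID stand-in),
# scans the payload for confidential data (Content-ID stand-in), and applies
# ONE policy keyed on application and group. Everything below is constructed.
import re
from dataclasses import dataclass

# App-ID stand-in: simplified, constructed payload signatures. The destination
# port is deliberately ignored here, which is the point of the slide.
APP_SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-2\.0-")),
    ("http", re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
    ("smtp", re.compile(rb"^(EHLO|HELO) ")),
]

# The legacy view of the same flow: port number -> assumed application.
PORT_TO_APP = {22: "ssh", 80: "http", 443: "ssl", 25: "smtp"}

# User-ID stand-in: constructed IP-to-user and user-to-group tables.
IP_TO_USER = {"10.1.1.20": "oharris", "10.1.1.21": "jsmith"}
USER_GROUPS = {"oharris": "engineering", "jsmith": "finance"}

# Content-ID stand-in: constructed pattern for a 16-digit card-like number.
CARD_PATTERN = re.compile(rb"\b\d{4}(?:[ -]?\d{4}){3}\b")

# One policy evaluated on (app, group); first matching rule wins.
# Constructed rules: engineering may use ssh, everyone may use http,
# everything else is denied.
POLICY = [
    {"app": "ssh",  "group": "engineering", "action": "allow"},
    {"app": "http", "group": "*",           "action": "allow"},
    {"app": "*",    "group": "*",           "action": "deny"},
]


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes


def identify_app(payload: bytes) -> str:
    """App-ID stand-in: match the payload, never trust the port."""
    for name, sig in APP_SIGNATURES:
        if sig.search(payload):
            return name
    return "unknown"


def port_app(dst_port: int) -> str:
    """What a port-based firewall would believe the flow is."""
    return PORT_TO_APP.get(dst_port, "unknown")


def identify_user(src_ip: str) -> tuple:
    """User-ID stand-in: IP -> user -> group, unknowns made explicit."""
    user = IP_TO_USER.get(src_ip, "unknown")
    return user, USER_GROUPS.get(user, "unknown")


def scan_content(payload: bytes) -> bool:
    """Content-ID stand-in: True if the payload carries card-like data."""
    return CARD_PATTERN.search(payload) is not None


def process_flow(flow: Flow) -> dict:
    """Single pass: classify, map user, scan content, apply the one policy."""
    app = identify_app(flow.payload)
    user, group = identify_user(flow.src_ip)
    leaks = scan_content(flow.payload)
    action = "deny"
    for rule in POLICY:
        if rule["app"] in ("*", app) and rule["group"] in ("*", group):
            action = rule["action"]
            break
    if leaks and action == "allow":
        action = "deny"  # data-filtering verdict overrides the allow
    return {"app": app, "port_app": port_app(flow.dst_port), "user": user,
            "group": group, "data_leak": leaks, "action": action}


# Constructed sample flows.
SAMPLE_FLOWS = [
    # SSH carried over 443: the port view says "ssl", the payload says "ssh"
    Flow("10.1.1.20", 443, b"SSH-2.0-OpenSSH_5.3\r\n"),
    # Same application from a finance user: same app, different group
    Flow("10.1.1.21", 443, b"SSH-2.0-OpenSSH_5.3\r\n"),
    # Ordinary HTTP on a non-standard port
    Flow("10.1.1.21", 8080, b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    # HTTP POST carrying a card-like number: allowed app, blocked content
    Flow("10.1.1.21", 80, b"POST /form HTTP/1.1\r\n\r\ncard=4111 1111 1111 1111"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(process_flow(f))
```

Running the block prints one verdict per constructed flow. The first flow shows the port/application gap directly: a port-based rule set would log it as SSL, while the payload identifies it as SSH and the engineering rule allows it; the second flow is the same application from a finance user and is denied on group, which is the IP/user distinction; the last flow is an allowed application that is still blocked because the content scan, done in the same pass, found card-like data.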
Comprehensive View of Applications, Users & Content
• Application Command Center (ACC)
- View applications, URLs, threats, data filtering activity
• Mine ACC data, adding/removing filters as needed to achieve desired result
[ACC screenshots: Filter on Skype; Filter on Skype and user oharris; Remove Skype to expand view of oharris]