Palo Alto Networks next-generation firewalls offer a flexible security platform that can be deployed to address your unique business initiatives. Whether your IT initiatives range from addressing mobility and BYOD issues, to enabling security for your dynamic virtualized datacenter, we can help solve your needs. We understand the challenges you face, and can provide a security offering that empowers your users and aligns with your core business objectives.
Internet Gateway:
Problem
Access to the Internet is a vital component for doing business today. Users depend on being able to access the Internet in order to use applications, collaborate with colleagues, and to conduct research. However, the Internet can also be the conduit for both inappropriate and malicious activity. Today, applications, exploits, and malware are easily able to slip through the existing traditional firewall as well as web security gateways, proxies, and IPS security devices. Even controlling legitimate applications is problematic, due to the growing use of evasive technologies and techniques including port hopping, encryption, and proxies.
The challenge is to find a way to say "yes" to the applications that your business needs while systematically managing risks.
Solution
The Palo Alto Networks next-generation firewall allows you to provide safe access to Internet resources through an innovative approach that identifies and manages traffic. By using the core App-ID, User-ID, and Content-ID technologies, you can establish visibility and control over your traffic using the same business-oriented criteria that you use to define acceptable use. Instead of basing policy on port numbers and IP addresses, take control of your traffic by building security policies based on who can use particular applications while scanning for undesirable or inappropriate content. Understand what’s on your network by examining all traffic on all ports. The Palo Alto Networks next-generation firewall allows you to say "yes" to the applications that your organization needs without introducing unnecessary risks.
Establishing Safe Application Enablement
Safe application enablement is a systematic approach for managing applications on your network while removing risky and undesirable elements. It starts with having the visibility to see the applications in use on your network and knowledge of the risks that they could pose. Next, the use of policies that govern the applications - tied to the identity of the specific user, not just the IP address - provides precise control over user traffic. Finally, the use of the next-generation firewall’s content inspection technologies delivers protection against malware, vulnerabilities, undesirable web content, dangerous file types, and much more. In addition, through WildFire, the next-generation firewall can protect against highly customized, targeted modern malware.
Restoring Control Back to the Firewall
All Internet traffic passes through the firewall, but unfortunately, many firewalls simply let too much traffic through. Your firewall may be in the right location to enforce network security, but it has to be much more intelligent in understanding and managing traffic in order to be effective.
The Palo Alto Networks next-generation firewall restores control by providing a clear understanding of applications, users, and content. With the knowledge of who is using the network, what they are using, and where the traffic is going, your security teams can establish the appropriate application enablement policies for Internet access.
Extend control to users in all locations
The Palo Alto Networks next-generation firewall provides control over user browsing and protection from threats wherever the user may go through GlobalProtect. By using GlobalProtect, users stay connected to the next-generation firewall for policy enforcement regardless of whether they are on the local network, the wireless network, or outside of the office. All of the application control, threat prevention, and URL filtering rules are in effect, providing consistent security at all times. GlobalProtect is available for Windows, Mac OS X, iOS, and Android platforms, providing coverage for laptops, smartphones, and tablets.
Mobility:
Problem
The explosive growth of mobile devices in the workplace creates new opportunities for business innovation, while at the same time introduces new vectors for risk. Security should provide the means to mitigate risk, but to date, common approaches for mobile security are limited in scope. These approaches include:
- Blocking mobile devices - Some organizations try to use blocking technologies in an attempt to insulate themselves from the risks that come with mobile computing. However, employees want to use their mobile devices at work, and will find ways to use them without the company’s knowledge or support.
- Hoping existing security products will protect mobile devices – Some organizations hope that their existing security measures will protect mobile devices. This will not provide satisfactory results, because traditional network and endpoint security measures are not optimized for mobile use cases and may not provide adequate protection against mobile threats.
- Applying basic security measures – Not all mobile security measures are the same, and the limitations are not always apparent at first. Mobile security measures for basic use cases (such as ActiveSync for email), do not necessarily provide the necessary protection for other applications and data. As organizations adopt more sophisticated mobile use cases, the security requirements will change as well.
A new approach for mobile security is necessary in order to fully realize all of the benefits that it can provide to the organization. It requires a shift in the expectations for what mobile security must deliver in the first place.
Solution
GlobalProtect from Palo Alto Networks provides a comprehensive, integrated solution to safely enable mobile devices. It is designed to help customers embrace their mobile initiatives for smartphones and tablets by providing the necessary security to make them safe platforms for business applications and data.
GlobalProtect has three primary components:
- GlobalProtect Gateway: Delivers mobile threat prevention and policy enforcement based on apps, users, content, device and device state. Extends a VPN tunnel to mobile devices with GlobalProtect App. Integrates with WildFire for preventing new malware.
- GlobalProtect App: Enables device management, provides device state information, and establishes secure connectivity. Connects to the GlobalProtect Gateway to access applications and data in accordance with policy. Exchanges device configuration and device state with the GlobalProtect Mobile Security Manager.
- GlobalProtect Mobile Security Manager: Provides device management to configure the device. Uses WildFire malware signatures to identify devices with infected apps. Shares information about the device and device state with GlobalProtect Gateway for enforcing security policies. Hosts an enterprise app store for managing business apps. Isolates business data by controlling lateral data movement between business and personal apps.
The GlobalProtect components work together to address mobile security requirements in the following manner:
Manage the device
GlobalProtect Mobile Security Manager provides device management capabilities to manage mobile device configuration, deploy business apps, and oversee device usage throughout the organization. It also simplifies the deployment and setup of new devices, helping administrators manage mobile devices at enterprise scale.
Protect the Device
GlobalProtect App establishes an IPsec/SSL VPN tunnel to GlobalProtect Gateway. The tunnel terminates at GlobalProtect Gateway running on the Palo Alto Networks next-generation firewall for consistent enforcement of network security policies.
Mobile threat prevention technologies protect the device from the latest exploits and malware, powered by global intelligence provided by WildFire.
Control the data
In order to control access to data, GlobalProtect Gateway enforces security policies that control network access to applications and data. It uses application, user, content, device and device state as policy criteria, providing the granularity to make precise policy decisions. The information about the device and device state comes from the GlobalProtect Mobile Security Manager, thus establishing a direct link between the state of a particular device and the applications that device can access.
In order to isolate business data and control data movement on the device, GlobalProtect can control business data so that it is used with business apps, and prevent sharing the data with unmanaged personal apps. If a user leaves the organization or the mobile device is lost or stolen, the organization can either wipe only the business data or the entire device if necessary.
Zero Trust Approach To Network Segmentation:
Problem
The continued, high frequency of successful cyberattacks against today’s enterprises has made it abundantly clear that traditional, perimeter-centric security strategies are no longer effective. There is inadequate visibility, control and protection of user and application traffic transiting high-risk network boundaries, and an outdated assumption that everything on the inside of an organization’s network should be trusted.
The Zero Trust architecture approach, first proposed by Forrester Research, is intended to address this by promoting "never trust, always verify" as its guiding principle. With Zero Trust there is no default trust for any entity—including users, devices, applications, and packets—regardless of what it is and its location on or relative to the corporate network. By establishing Zero Trust boundaries that effectively compartmentalize different segments of the network, you can protect critical intellectual property from unauthorized applications or users, reduce the exposure of vulnerable systems, and prevent the lateral movement of malware throughout your network.
Some organizations use virtual local area networks (VLANs) to segment their network, but VLANs simply isolate network traffic – they are unable to enforce the control of privileged information. In addition, by itself, a VLAN cannot inspect your traffic for threats. True Zero Trust network segmentation requires an enterprise security platform that understands your applications, users, and content.
Solution
Palo Alto Networks enterprise security platform addresses critical Zero Trust concepts such as:
- Secure access - GlobalProtect™ delivers consistent secure IPsec and SSL VPN connectivity for all employees, partners, customers, and guests wherever they’re located (e.g., at remote/branch offices, on the local network, or over the Internet). Policies to determine which users and devices can access sensitive applications and data can be defined based on application, user, content, device, and device state.
- Inspection of ALL traffic - App-ID™ accurately identifies and classifies all traffic, regardless of ports and protocols, evasive tactics such as port hopping, or encryption. This eliminates methods that malware may use to hide from detection and provides complete context into applications, associated content, and threats.
- Least privilege access control - The combination of App-ID, User-ID™, and Content-ID™ delivers a positive control model that allows organizations to control interactions with resources based on an extensive range of business-relevant attributes, including the specific application and individual functions being used, user and group identity, and the specific types or pieces of data being accessed (e.g., credit card or social security numbers). Compared to alternative solutions which let too much traffic through because they’re limited to port and protocol level classification, the result is truly granular access control that safely enables the right applications for the right sets of users while automatically preventing unwanted, unauthorized, and potentially harmful traffic from gaining access to the network.
- Advanced threat protection - A combination of anti-virus/malware, intrusion prevention, and advanced threat prevention technologies (Content-ID and WildFire™), provide comprehensive protection against both known and unknown threats, including threats on mobile devices. In addition, support for a closed-loop, highly integrated defense ensures that inline enforcement devices and other components in the threat protection framework are automatically updated with the findings from WildFire and other sources of threat intelligence.
To get started, IT security teams can take advantage of our virtual wire deployment mode to non-disruptively deploy Palo Alto Networks devices at one or more locations within your network. With the devices configured in listen-only mode, you can then obtain a detailed picture of transaction flows throughout the network, including where, when and to what extent specific users are using specific applications and data resources. Armed with these details, your security team can then incrementally deploy devices in appropriate locations to establish internal trust boundaries for identified trust zones, and configure the appropriate enforcement and inspection policies to effectively put each trust boundary "on line."
With the right Zero Trust architecture for your network, you will gain unparalleled situational awareness of malicious activity, prevent the exfiltration of sensitive data and simplify adherence to compliance regulations.
Server Virtualization and Cloud:
Problem
As more companies look to leverage the agility and flexibility of cloud by deploying a hybrid cloud architecture, there are three key challenges that they face in achieving the promise of hybrid cloud: inconsistencies in network architecture between the private data center and the public cloud, the lack of rich next-generation security capabilities to counter today’s sophisticated cyber threats, and the portability of both the application and the security policies that protect it, regardless of where the application is deployed. The ultimate promise of the hybrid cloud is the ability to write an application once, define a security policy around that application once, and have the ability to deploy that application anywhere without compromise.
Thanks to virtualization, virtual machines (VMs) can communicate with other VMs on the same hypervisor, creating an assortment of applications and services with different risk classifications and confidential data—all on the same host server. The problem with this flexibility is the challenge in segmenting and enforcing security for ‘East-West’ traffic communications between these applications. Furthermore, when VMs are created or moved from hypervisor to hypervisor, rack to rack, or datacenter to datacenter—it’s difficult trying to apply static security policies to the individual virtual machines.
As you evolve your datacenter towards a cloud-based architecture, you begin orchestrating the automated tasks for provisioning workloads (compute, storage, network). Unfortunately, securing these workloads with today’s existing network security appliances is a manual, time-consuming process. Security teams simply cannot keep up with how quickly these workloads are being provisioned by the virtual infrastructure teams.
Solution
Palo Alto Networks enterprise security platform allows you to leverage the same rich security policies across your private and public infrastructure, enabling a consistent approach to security whether the application is virtual, physical, on-premises, or off-premises. Our next-generation firewalls give you the ability to segment your datacenter network, while our VM-Series virtual firewall allows you to realize the full agility and flexibility promises of the cloud. Both physical and virtual form factors run the same PAN-OS™ operating system. Working together, our enterprise security platform safely enables the north-south and east-west traffic throughout your virtual, physical and cloud environments with consistent next-generation security protection. This gives you complete visibility into the applications being used, knowledge of the users accessing those applications, and protection against known and unknown threats.
Bring Next-Generation Security to the Public Cloud
The VM-Series extends the benefits of the VMware NSX and Palo Alto Networks VM-1000HV integration into a new service within VMware’s vCloud Air*, a public cloud platform built on the trusted foundation of vSphere. The VM-Series also gives organizations the flexibility to maintain next-generation security across a number of cloud service providers with support for cloud infrastructure providers like Amazon Web Services (AWS), and support for Kernel-based Virtual Machine (KVM), a popular open source hypervisor used in many other public cloud computing environments.
Applying Next-Generation Security to Virtualized Environments
The VM-Series virtualized firewall is based upon the same full-stack traffic classification engine that can be found in our physical form factor firewalls. The VM-Series natively classifies all traffic, inclusive of applications, threats and content, then ties that traffic to the user. The application, content, and user — the elements that run your business — are then used as the basis of your virtualized security policies, resulting in an improved security posture and a reduction in incident response time.
Isolate Mission Critical Applications and Data Using Zero Trust Principles
Security best practices dictate that your mission critical applications and data should be isolated in secure segments using Zero Trust (never trust, always verify) principles at each segmentation point. Our physical and virtual next-generation firewalls can be deployed throughout your virtualized server infrastructure, exerting control based on application, and user identity. This allows you to control the applications traversing your virtualized environment, while blocking potentially rogue or misconfigured applications and controlling access based on user identity.
Block lateral movement of cyber threats
Today’s cyber threats will commonly compromise an individual workstation or user and then they will move across the network, looking for a target. Within your virtual network, cyber threats will move laterally from VM-to-VM, in an east-west manner, placing your mission critical applications and data at risk. Exerting application level control using zero trust principles in between VMs will reduce the threat footprint while applying policies to block both known and unknown threats.
Automated Deployment and Provisioning
A rich set of automation features and APIs allow you to streamline your security policy deployment so that security keeps pace with the build-up and tear down of your mission critical applications.
- Virtual Machine monitoring: automatically polls your virtual network for VM changes, collecting this data in the form of tags that can then be used to keep policies up-to-date via Dynamic Address Groups.
- Dynamic Address Groups: allow you to create policies using tags [from VM monitoring] as an identifier for virtual machines instead of a static object definition. Multiple tags representing virtual machine attributes such as IP address and operating system can be resolved within a Dynamic Address Group, allowing you to easily apply policies to virtual machines as they are created or travel across the network.
- REST-based APIs: allow you to integrate all of our next-generation firewalls with third-party tools for reporting, management, or cloud orchestration of virtualized environments.
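The tag-to-policy resolution described in the three items above, as an added illustration that is not Palo Alto Networks' code and does not reproduce PAN-OS's own match syntax or API: VM-monitor records are turned into tags, a dynamic group is a tag expression that is re-evaluated against the current inventory on every policy lookup, and a rule refers to groups rather than addresses. The VM names, addresses, tag vocabulary (`env.*`, `role.*`) and the `mysql` application name are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class VirtualMachine:
    name: str
    ip: str
    tags: set[str] = field(default_factory=set)


@dataclass
class DynamicAddressGroup:
    """Membership is a tag expression: a VM matches if, for at least one
    alternative (OR), it carries every tag in that alternative (AND)."""
    name: str
    alternatives: list[set[str]]

    def members(self, inventory: list[VirtualMachine]) -> set[str]:
        return {vm.ip for vm in inventory
                if any(alt <= vm.tags for alt in self.alternatives)}


@dataclass
class Rule:
    name: str
    src_group: str
    dst_group: str
    app: str
    action: str


class Policy:
    def __init__(self, groups: list[DynamicAddressGroup], rules: list[Rule]):
        self.groups = {g.name: g for g in groups}
        self.rules = rules

    def evaluate(self, inventory: list[VirtualMachine], src_ip: str, dst_ip: str, app: str) -> str:
        """First matching rule wins; nothing matching means deny. Groups are
        resolved against the inventory at lookup time, so a VM that was just
        created or re-addressed is covered without touching the rule."""
        for r in self.rules:
            if (src_ip in self.groups[r.src_group].members(inventory)
                    and dst_ip in self.groups[r.dst_group].members(inventory)
                    and r.app == app):
                return r.action
        return "deny"


def inventory_from_monitor(records) -> list[VirtualMachine]:
    """Convert constructed VM-monitor records (name, ip, attribute dict) into
    'key.value' tags, the shape a tag-based group expression matches on."""
    return [VirtualMachine(name, ip, {f"{k}.{v}" for k, v in attrs.items()})
            for name, ip, attrs in records]


POLICY = Policy(
    groups=[
        DynamicAddressGroup("web-prod", [{"env.prod", "role.web"}]),
        DynamicAddressGroup("db-prod", [{"env.prod", "role.db"}]),
    ],
    rules=[Rule("web-to-db", "web-prod", "db-prod", "mysql", "allow")],
)


def demo() -> dict[str, str]:
    """Constructed sequence of monitor snapshots; returns each lookup's verdict."""
    snapshot1 = inventory_from_monitor([
        ("web01", "10.10.1.5", {"env": "prod", "role": "web"}),
        ("db01", "10.10.2.5", {"env": "prod", "role": "db"}),
    ])
    # A new production web VM is provisioned, and a dev web VM appears; the rule is untouched.
    snapshot2 = snapshot1 + inventory_from_monitor([
        ("web02", "10.10.1.6", {"env": "prod", "role": "web"}),
        ("web-dev", "10.10.3.7", {"env": "dev", "role": "web"}),
    ])
    # web01 is moved and picks up a new address; the monitor reports the change.
    snapshot3 = inventory_from_monitor([
        ("web01", "10.10.1.50", {"env": "prod", "role": "web"}),
        ("db01", "10.10.2.5", {"env": "prod", "role": "db"}),
    ])
    return {
        "web01_initial": POLICY.evaluate(snapshot1, "10.10.1.5", "10.10.2.5", "mysql"),
        "web02_new_vm": POLICY.evaluate(snapshot2, "10.10.1.6", "10.10.2.5", "mysql"),
        "dev_web_blocked": POLICY.evaluate(snapshot2, "10.10.3.7", "10.10.2.5", "mysql"),
        "wrong_app_blocked": POLICY.evaluate(snapshot2, "10.10.1.5", "10.10.2.5", "ssh"),
        "web01_after_move": POLICY.evaluate(snapshot3, "10.10.1.50", "10.10.2.5", "mysql"),
        "stale_ip_after_move": POLICY.evaluate(snapshot3, "10.10.1.5", "10.10.2.5", "mysql"),
    }
```

The last two lookups are the point of tag-based membership: after the move, the VM's new address is allowed and its old address is no longer trusted, because the group is derived from what the monitor currently reports rather than from an address written into the rule.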
Centrally Manage All Security Policies
Panorama is a management platform that provides the ability to manage security policies for all Palo Alto Networks network security platforms – regardless of whether they are virtual or physical – from a centralized location. Panorama provides compliance through consistent enforcement of policy across your entire datacenter network, as well as rich centralized logging and reporting capabilities.
*vCloud Air will be available on the Palo Alto Networks VM-Series 1000HV in the first half of 2015.
Threat Prevention:
In today’s threat landscape, traditional malware has become highly targeted and evasive, and specifically designed to be completely undetectable. The goal is to breach the network perimeter by delivering malware that can move laterally across an organization, extracting valuable data as it spreads — all this while remaining invisible to traditional network defenses.
Palo Alto Networks protects your network against these threats by providing multiple layers of prevention, confronting threats at each phase of the attack. Our Threat Prevention subscription protects the network from advanced threats by identifying and scanning all traffic — applications, users, and content across all ports and protocols.
Block Threats At The Perimeter
Intrusion Prevention
Vulnerability-based protections detect and block exploit attempts and evasive techniques on both the network and application layers, including port scans, buffer overflows, protocol fragmentation, and obfuscation.
- Protections are based on both signature matching and anomaly detection
- Anomaly detection decodes and analyzes protocols, and uses the information learned to block malicious traffic patterns
- Stateful pattern matching detects attacks across multiple packets, taking into account arrival order and sequence
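The third item above, stateful matching across packets, is easiest to see next to its stateless counterpart. The following is an added example, not Palo Alto Networks' engine: a minimal stream reassembler that buffers TCP segments by sequence number, appends each one once the bytes before it have arrived, and matches a signature against the contiguous reassembled prefix. The signature pattern, the HTTP-like payload and the sequence numbers are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed signature (not a real vendor signature): the marker must appear
# contiguously in the reassembled stream for a match.
SIGNATURE = re.compile(rb"X-Test-Sig:\s*blocked")


@dataclass
class Segment:
    """One TCP segment of a unidirectional stream."""
    seq: int
    payload: bytes


class StreamInspector:
    """Reassembles a stream by sequence number and matches across segment boundaries.

    Segments may arrive out of order, or be fragmented so that no single
    segment holds the whole pattern; only the contiguous, in-order prefix of
    the stream is scanned, so gaps never produce a false match.
    """

    def __init__(self, initial_seq: int):
        self.next_seq = initial_seq          # sequence number expected next
        self.pending: dict[int, bytes] = {}  # out-of-order segments keyed by seq
        self.stream = bytearray()            # in-order bytes reassembled so far
        self.matched = False

    def feed(self, seg: Segment) -> bool:
        if seg.seq < self.next_seq:
            return self.matched  # retransmission of data already consumed; ignored in this demo
        self.pending[seg.seq] = seg.payload
        # Drain every buffered segment that now continues the contiguous run.
        while self.next_seq in self.pending:
            data = self.pending.pop(self.next_seq)
            self.stream.extend(data)
            self.next_seq += len(data)
        # Re-scanning the whole prefix keeps the demo short; an inline engine
        # scans incrementally over a bounded window instead.
        if not self.matched and SIGNATURE.search(bytes(self.stream)):
            self.matched = True
        return self.matched


def per_packet_match(segments: list[Segment]) -> bool:
    """Stateless check: does any single segment contain the whole signature?"""
    return any(SIGNATURE.search(s.payload) is not None for s in segments)


def stateful_match(segments: list[Segment], initial_seq: int) -> bool:
    """Stateful check: reassemble in sequence order, then match."""
    inspector = StreamInspector(initial_seq)
    for s in segments:
        inspector.feed(s)
    return inspector.matched


# Constructed sample: the signature is split across three segments, which are
# delivered out of order (third, first, second). Sequence numbers are
# consistent with the payload lengths (21, 7 and 11 bytes).
SPLIT_STREAM = [
    Segment(1028, b"blocked\r\n\r\n"),
    Segment(1000, b"GET / HTTP/1.1\r\nX-Tes"),
    Segment(1021, b"t-Sig: "),
]

# Same framing, but the header value does not match the signature.
BENIGN_STREAM = [
    Segment(1028, b"allowed\r\n\r\n"),
    Segment(1000, b"GET / HTTP/1.1\r\nX-Tes"),
    Segment(1021, b"t-Sig: "),
]
```

Running `per_packet_match(SPLIT_STREAM)` returns False while `stateful_match(SPLIT_STREAM, 1000)` returns True: the same bytes are missed or caught depending only on whether the inspector keeps state across segments, which is why fragmentation across packets is listed above as an evasive technique.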
SSL Decryption
A large portion of today's network traffic — nearly 35% — is encrypted with SSL, leaving a gaping hole in network defenses if left unchecked. Palo Alto Networks next-generation firewalls have built-in SSL decryption capabilities, eliminating this blind spot. All traffic is inspected and advanced security services are applied, all without the need for a separate device — removing the complexities of having to manage separate, non-integrated technology.
File Blocking
Reduce the likelihood of a malware infection by preventing file types known to hide malware from entering your network. Further narrow your window of exposure by sending allowed file types to WildFire for analysis.
Shut Down Malware Delivery
Network Anti-Malware
Palo Alto Networks Threat Prevention security service protects against malware delivery through custom-built signatures that are based on content — not hash — to protect against known malware, including variants that haven’t been seen in the wild yet. Protections against newly discovered malware are delivered daily by WildFire, keeping the latest threats from breaching your network.
Prevent Threats From Exploring the Network
Because our platform is flexible, highly available, and supports high throughput with its Single-Pass scanning architecture, it can be implemented anywhere in the network:
- At the perimeter (Next-Generation Firewall)
- Data center edge (PA-7050)
- Between virtual-machines (VMs) in the data center (VM-series)
- Distributed enterprise — remote & mobile users, branch offices and operations plants (GlobalProtect & Traps)
- All points of segmentation
Put a Stop to Data Exfiltration
Command-and-Control (Spyware)
We know that there’s no silver bullet when it comes to preventing all threats from entering your network. This is why we focus on preventing attackers from leaving with important data. Our CnC signatures flag both inbound and outbound requests to malicious domains, protecting your data from being stolen.
DNS Sinkhole
Our exfiltration protection goes a step further by providing sinkhole capabilities for outbound requests to malicious DNS entries. Any outbound request to a malicious domain or IP address can be redirected to an internal IP address set up by an administrator. This feature prevents those requests from ever leaving the network and compiles a report of compromised machines making those requests on which incident response teams can act.
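The sinkhole behaviour just described, as an added example that is not Palo Alto Networks' implementation: queries for a listed domain (or any of its subdomains) are answered with an administrator-chosen internal address, flows to that address are recorded, and the record is summarised into the list of hosts that need attention. The blocklist entries, the sinkhole address `10.0.0.250`, the internal resolver `10.0.0.53` and the endpoint addresses are all constructed placeholders.

```python
from collections import defaultdict

SINKHOLE_IP = "10.0.0.250"       # assumed: internal address reserved by the administrator
INTERNAL_RESOLVER = "10.0.0.53"  # assumed: site DNS server that forwards clients' queries

# Constructed blocklist (placeholder names, not real indicators); a real
# deployment would populate this from threat-intelligence signatures.
MALICIOUS_DOMAINS = {"c2-placeholder.example", "dropper-placeholder.test"}


def is_blocked(name: str) -> bool:
    """True if name is a listed domain or any subdomain of one."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in MALICIOUS_DOMAINS for i in range(len(labels)))


class Sinkhole:
    def __init__(self, upstream_answers: dict[str, str]):
        self.upstream = upstream_answers  # stands in for real upstream resolution
        self.dns_hits: list[tuple[str, str]] = []  # (querying ip, domain)
        self.conn_hits: list[str] = []             # source ips that connected to the sinkhole

    def resolve(self, client_ip: str, name: str) -> str:
        """Answer a query; listed names get the sinkhole address instead of the real one."""
        name = name.lower().rstrip(".")
        if is_blocked(name):
            self.dns_hits.append((client_ip, name))
            return SINKHOLE_IP
        return self.upstream.get(name, "NXDOMAIN")

    def log_connection(self, src_ip: str, dst_ip: str) -> bool:
        """Record a flow seen on the firewall; flows to the sinkhole name the real host."""
        if dst_ip == SINKHOLE_IP:
            self.conn_hits.append(src_ip)
            return True
        return False

    def report(self) -> dict[str, list[str]]:
        """Hosts to hand to incident response, grouped by how they were seen."""
        by_source: dict[str, set[str]] = defaultdict(set)
        for client, domain in self.dns_hits:
            by_source[client].add(domain)
        return {
            "dns_query_sources": sorted(by_source),
            "compromised_hosts": sorted(set(self.conn_hits)),
        }


def simulate() -> dict:
    """Constructed scenario: an infected endpoint resolves through the internal resolver."""
    sink = Sinkhole({"www.example.org": "192.0.2.10"})
    # The endpoint 10.1.1.20 asks the internal resolver, which forwards the query;
    # at the firewall the query therefore appears to come from the resolver.
    answer_bad = sink.resolve(INTERNAL_RESOLVER, "beacon.c2-placeholder.example")
    answer_ok = sink.resolve(INTERNAL_RESOLVER, "www.example.org")
    # Each endpoint then connects to whatever address it was given. The
    # sinkholed flow crosses the firewall with the endpoint's own source address.
    sink.log_connection("10.1.1.20", answer_bad)
    sink.log_connection("10.1.1.30", answer_ok)
    result = {"sinkholed_answer": answer_bad, "normal_answer": answer_ok}
    result.update(sink.report())
    return result
```

The scenario shows why a sinkhole does more than a plain block: when endpoints resolve through an internal DNS server, the DNS log only ever names that server (`dns_query_sources`), whereas the sinkholed connection that follows is logged with the infected endpoint's real address (`compromised_hosts`), which is the report incident response can act on.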
Leverage Global Threat Intelligence
Detailed logs of all threats aren’t merely housed within the same management interface, but are shared between all prevention mechanisms to provide context. We leverage global threat intelligence through the close integration of Threat Prevention security services, URL Filtering, and WildFire to automatically discover unknown malware and deliver protections to our entire customer base, keeping them secured against the latest advanced threats.
Palo Alto Networks threat research team, Unit 42, analyzes threat data amassed by our global intelligence community to identify and investigate cutting-edge attack methods and malware, and report on unfolding trends within the blackhat space.
Virtual Desktop Infrastructure:
Problem
Your rapidly changing business environment demands a flexible infrastructure to support the evolving desktop, application, and data access requirements of your staff. One logical approach involves the implementation of a virtual desktop infrastructure (VDI), empowering your employees to work via laptop, tablet, and even their smartphone – wherever they are on the globe. Although a VDI solution presents many desktop security advantages – including centralized control, reduced complexity, and efficient management of user access and privileges – it’s critical to ensure that the entire virtual desktop infrastructure is secure. But securing this new, centralized environment is difficult, especially when a single IP address can represent thousands of different users all accessing their applications and data using a variety of devices. While employing a VDI environment, users may have access to other applications in your datacenter besides their virtual desktop.
Solution
Palo Alto Networks next-generation firewalls enable advanced, identity-based granular application control, threat prevention, and content leak protection for resources being accessed from virtual desktops. Our firewall can be deployed at the backend of your virtual desktop infrastructure to safely enable applications for your virtual desktop users. Palo Alto Networks User-ID technology allows you to set up firewall policies based on your users and user groups, rather than relying on static IP addresses on the network. We offer User-ID and Terminal Services agents that allow you to easily identify your virtual desktop users and apply security policies to them, regardless of which type of VDI environment you’ve implemented. We also provide a wide range of purpose-built hardware platforms that are optimized for performance to ensure that protection will scale alongside your VDI efforts.
With Palo Alto Networks, you can maximize the availability, performance, and scalability of your virtual desktops, while experiencing the peace of mind that your entire infrastructure is secure from known and unknown malware and targeted attacks.
Our integration with Citrix NetScaler SDX also provides you a consolidated security and application delivery controller (ADC) solution for Citrix XenApp and XenDesktop deployments.
Wireless Infrastructure:
Problem
Today, wireless networks are a ubiquitous part of every large network. Nearly every office and school must have the means to provide wireless connectivity to its users and a new generation of devices. In fact, BYOD trends show that users are selecting their own devices to use at work, and bringing them on to the corporate wireless network with or without the approval of the IT security team.
With wireless networks, there is no longer any vestige of being able to control network access by physical means. As a result, the access point has to provide enterprise-class authentication methods to identify the user and the types of devices associating to the network. But what happens once the user establishes connectivity? Unfortunately, for many organizations, there’s no way to control what the user and device accesses, compounding the problem of making your wireless environment safe for BYOD devices.
Solution
The solution is to leverage safe application enablement principles from the Palo Alto Networks next-generation firewall. Palo Alto Networks partners with wireless network infrastructure providers to utilize the user and device information provided as the user associates to an access point. The wireless infrastructure controls the authentication, and the next-generation firewall applies policy based on the context of application, user, content, and device.
Now you can be very specific on the types of applications and content a particular user can access from a given device, and allow IT to make BYOD safe on your wireless networks.