Palo Alto Networks
“Simplify your security”
Agenda
1. Complexity: risks and problems
2. What does a security environment look like today?
3. How does Palo Alto Networks approach this problem?
4. Our solution in detail
2 | ©2013, Palo Alto Networks. Confidential and Proprietary.
“Complexity is the Worst Enemy of Security” - Bruce Schneier
Complexity: risks and side effects…

For starters, the global survey of 2,400 IT security administrators found that more than half of their organizations work with at least seven security vendors. Not coincidentally, in every country surveyed the complexity of managing security operations ranked as the No. 1 information security challenge. In the U.S., complexity (the main challenge for 33% of survey respondents) ranked well ahead of data theft by insiders (21%), compliance (19%), security policy enforcement (15%), and data theft by outsiders (12%). That's right: Security groups aren't spending most of their energy battling malicious insiders, hackers, or the latest malware. Rather, they're combating the complexity of their own security programs. Furthermore, organizations report that they're loath to cut vendors, fearing that they'll have to settle for higher prices, greater total cost of ownership, and fewer capabilities.
-- Ponemon Institute (sponsored by Checkpoint)
Complexity: risks and side effects…
Operational complexity is the top challenge for IT security
Complexity: risks and side effects…
Security teams spend more time fighting their own infrastructure than fighting external and internal attack vectors
Complexity: risks and side effects…

Think about this for a minute. In our attempts to defend the network and critical assets from cyber threats, we have fallen into the trap of bolting on more and more security layers and policies. The result is that we’ve increased the level of complexity within the environment to the point where we have actually created risk because of human errors, misconfigurations, etc. - Wired
What does a security environment look like today? Is more always better?
Currently used approaches

(Diagram: Internet → firewall → Enterprise Network; each step below adds another appliance in the path: IPS, DLP, QoS, AV, URL filter, proxy.)
• In the beginning there was the firewall…
• Then an IPS system was added
• Then a data-loss-prevention system
• Perhaps quality of service as well?
• Network antivirus
• URL filter, dedicated or integrated with a proxy
• Proxy

Currently used approaches
• “More” is not necessarily “better”…
• Each device sees only a slice of the traffic
• Complex, expensive, maintenance-intensive
• “Legacy” architecture
• No integrated application awareness in any module

(Diagram: Internet → UTM → Enterprise Network)
UTM architecture: “room for one more…”

(Diagram: four separate engine stacks side by side, each with its own L2/3 networking and port/protocol-based ID layer. Firewall: L2/3 networking, port/protocol-based ID. IPS: L2/3 networking, port/protocol-based ID, IPS decoder, IPS signatures. Antivirus: L2/3 networking, port/protocol-based ID, AV decoder & proxy, AV signatures. URL filtering: L2/3 networking, port/protocol-based ID, HTTP decoder.)
How does Palo Alto Networks approach this problem?
Firewall security platform: a holistic solution
Enterprise Security Platform: Next-Generation Firewall
• Analyzes all data
• Blocks known threats… …and has unknown ones analyzed
• Extensible (mobile/virtual)
Enterprise Security Platform: Next-Generation Threat Cloud
• Potential network and endpoint threats are collected
• The data is analyzed for malicious behavior
• Results are made available to the network and endpoint systems
Enterprise Security Platform: Next-Generation Endpoint
• Inspects all processes and files
• Prevents known & unknown exploits
• Integrated with cloud analysis for detection of (unknown) malware
Enterprise Security Platform

(Diagram labels: unknown threats; known & zero-day findings; real-time signatures; integrated reporting; confirms threat finding.)
Enterprise Security Platform
① Protects against attacks, including novel/unknown ones
② Protects all users and applications, including mobile and virtual!
③ Seamless integration of network and endpoint security, using the strengths of both
④ Enables rapid analysis of new threats
Our solution in detail: “Let the Firewall do its job!”
Today’s firewalls: still up to date?
Applications: attack vector and target at the same time
Encrypted applications: “invisible” threats
“Enabling Applications, Users and Content – Safely”
Making the Firewall a Business Enablement Tool
Applications: accurate classification of traffic with App-ID.
Users: integration of users and groups with User-ID and GlobalProtect.
Content: analysis of and protection against malicious content, known or unknown, with Content-ID and WildFire.
WildFire?
Spread of “0-day malware”

(Chart: malware attack attempts, 0 to 10,000, plotted over hours 0 to 48.)
• Analysis of 50 “0-day malware” samples
• Caught by WildFire in a customer network
• Shows the infection rate of new malware over hours
Coverage of the threat by AV signatures

(Chart: coverage rate by AV vendors of new malware (50 samples); y-axis coverage rate in percent, 0% to 100%; x-axis Day-0 to Day-6; series for 0, 1, 2, 3, 4 and 5 vendors.)
Coverage rate of the top 5 AV vendors by day
Spread of “0-day malware”

(Chart: malware attack attempts, 0 to 10,000, plotted over hours 0 to 48; annotations “WildFire customers” and “Successful” (label truncated in the source).)
Containment and protection allow no waiting time!
95% of victims of new malware are infected within 24 hours!
WildFire architecture
• 10 Gbps throughput for threat prevention
• Any traffic, all ports
• Web, email, FTP, SMB, etc.
• Malware can “unfold freely” in our sandbox.
• Updates to the sandbox systems without impact on customers/users
• Signatures are created and tested based on the binary itself.
• Stream-based analysis logic for true inline scanning
Which files are analyzed?
Mobile malware: Android APK
Simultaneous analysis on different platforms
The hardware
PAN-OS core firewall features
Visibility and control of applications, users and content complement core firewall features.

Strong networking foundation
• Dynamic routing (BGP, OSPF, RIPv2)
• Tap mode: connect to SPAN port
• Virtual wire (“Layer 1”) for true transparent in-line deployment
• L2/L3 switching foundation
• Policy-based forwarding

VPN
• Site-to-site IPSec VPN
• Remote access (SSL) VPN

QoS traffic shaping
• Max/guaranteed and priority
• By user, app, interface, zone, and more
• Real-time bandwidth monitor

Zone-based architecture
• All interfaces assigned to security zones for policy enforcement

High availability
• Active/active, active/passive
• Configuration and session synchronization
• Path, link, and HA monitoring

Virtual systems
• Establish multiple virtual firewalls in a single device (PA-7050, PA-5000, PA-4000, PA-3000, and PA-2000 Series)

Simple, flexible management
• CLI, Web, Panorama, SNMP, Syslog

Platforms
• PA-7050
• PA-5000 Series: PA-5060, PA-5050, PA-5020
• PA-4000 Series: PA-4060, PA-4050, PA-4020
• PA-3000 Series: PA-3050, PA-3020
• PA-2000 Series: PA-2050, PA-2020
• PA-500
• PA-200
• VM-Series: VM-300, VM-200, VM-100

Single Pass Platform Architecture
Flexible deployment

Tap Mode
• Application, user and content visibility without inline deployment

Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering

Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering

Within The Host
• VM-Series introduces the ability for secure segmentation to be done within the host
NGFW as a VM, versus as a Service

VM-Series as a Guest VM
• Virtual networking configured to pass traffic through the firewall
• Requires vSwitch and port group configuration
• Connects as L3, L2, V-wire, or Tap
VM-Series NSX Edition as a Service
• NGFW is an NSX service
• Resides below the vSwitch and above the vNIC
• NSX steers traffic to and from the VM before networking
VM-Series support for Citrix NetScaler SDX
• Citrix NetScaler SDX is an open service-delivery platform that consolidates ADC (application delivery controller) and best-in-class network and security services
• VM-Series is now supported on Citrix SDX 11500 and 17550 Series
• VM-100, VM-200, VM-300 deployed as guest VMs
• Key use cases:
• Multi-tenant cloud deployments to meet individual needs of business units, application owners, and service provider customers
• Integrated solution for Citrix XenApp/XenDesktop deployments
Security through simplification

(Diagram: all functions combined on one platform: IPS, proxy, QoS, AV, URL, DLP, APT/zero-day.)
• All functions combined
• Central logging
• Drastically reduced administrative effort
• Uniform policies
• Performance
“Simplicity is power” (Citrix)
[…] half of the survey respondents […] stated that complex policies ultimately led to a security breach, system outage or both.