Introduzione PAN

Palo Alto Networks Overview. Stefania Iannelli, System Engineer, Palo Alto Networks

Transcript of Introduzione PAN

Page 1: Introduzione PAN


Page 2: Introduzione PAN

A brief history of Palo Alto Networks

Mid-1990s to today: Legacy: allow or block applications (Allow / Block)

Today and beyond: Next generation: safely enable applications

the network security company™

2 | ©2013, Palo Alto Networks. Confidential and Proprietary.

Page 3: Introduzione PAN

A brief history of the evolution of IT

Cloud + SaaS

Mobile + BYOD

More sophisticated attacks

Social + consumerization

Page 4: Introduzione PAN

Our new approach to network security

Palo Alto Networks platform:

App-ID: identifies the applications

User-ID: identifies the user

Content-ID: analyzes the content

Page 5: Introduzione PAN

Leader in the Gartner Magic Quadrant for Enterprise Network Firewalls since 2011

Page 6: Introduzione PAN


Session context fields shown on the slide (first session):

file size: 344 KB
URL category: file-sharing
file type: pdf
file name: roadmap.pdf
user: bjacobs
group: prodmgmt
destination country: canada
source IP: 172.16.1.10
destination IP: 64.81.2.23
destination port: tcp/443
protocol: SSL, HTTP
application: slideshare
application function: slideshare-uploading

Page 7: Introduzione PAN

Session context fields shown on the slide (second session):

file size: 344 KB
URL category: unknown
file type: exe
file name: shipment.exe
user: fthomas
group: finance
destination country: china
source IP: 172.16.1.10
destination IP: 64.81.2.23
destination port: tcp/443
protocol: SSL, HTTP
application: web-browsing

Page 8: Introduzione PAN

The same session with only the L3/L4 fields visible:

file size: 344 KB
source IP: 172.16.1.10
destination IP: 64.81.2.23
destination port: tcp/443
application: ?

Page 9: Introduzione PAN

Palo Alto Networks NGFW vs Legacy Firewall


Diagram: legacy classification versus Palo Alto Networks classification.

Other's classifier: incoming packets pass through a DPI filter chain of Vulnerability, File, Virus and Spyware engines, each driven by its own Apps Profile, IPS Profile, File Blocking, Anti-Virus and Anti-Spyware policy. Criteria available: User/Group, Network Attributes.

PANW classifier: Single Pass Pattern Match. Criteria available: User/Group, Platform, Application, URL (instance), Network Attributes.

Page 10: Introduzione PAN

Our Approach: Seek First to Understand. The Power of Context

•  classify all traffic to app level, even encrypted traffic; includes content inspection

•  determine who (users)

•  continually update this understanding

Page 11: Introduzione PAN

Then Enforce: Better decisions based on full situational awareness

•  a positive enforcement model

•  stepwise refinement

•  systematically manage the unknown

Diagram: Fully Understand (Enables) + Enforce. Example context: document xfer, Fred (finance group), other context. Outcome: Allow, or Deny, or Allow, but: scan for threats, block files/sensitive data, per schedule, other options.

Page 12: Introduzione PAN

A Fundamentally Different Architecture

Diagram: Competitors: Sequential Filtering. Port Classification → Application Classification (Filter) → + File Classification (Filter) → + Threat Matching (Filter) → + etc. → ?; each stage sees only User and L1-4.

Palo Alto Networks: Single Pass. Full Classification (Application, User, L1-4) → Full Enforcement → Done.

Page 13: Introduzione PAN

Why Does This Matter? A Specific Scenario

Desired Policy:

Web Browsing: block all file types

Cloud Backup: allow all file types

SharePoint Online: block only executables
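The two sessions on pages 6 to 8 and the desired policy on this slide, as an added Python example that is not part of the original deck: the port-based and application-keyed rule bases are constructed for illustration, while the session field values are the ones shown on the slides.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    dst_port: str
    application: str          # App-ID result
    user: str
    url_category: str
    file_type: Optional[str]  # None when no file is transferred

# The two sessions from the slides: identical L3/L4 tuple, different content.
SESSIONS = [
    Session("172.16.1.10", "64.81.2.23", "tcp/443", "slideshare-uploading",
            "bjacobs", "file-sharing", "pdf"),
    Session("172.16.1.10", "64.81.2.23", "tcp/443", "web-browsing",
            "fthomas", "unknown", "exe"),
]

# Port-based rule base (constructed): the only key a legacy firewall can match on.
PORT_RULES = {"tcp/443": "allow"}

# Application-keyed rule base from the "Desired Policy" slide.
# "all" blocks every file type; an empty set blocks none.
APP_RULES = {
    "web-browsing":      {"blocked_file_types": "all"},
    "cloud-backup":      {"blocked_file_types": set()},
    "sharepoint-online": {"blocked_file_types": {"exe"}},
}

def legacy_verdict(s: Session) -> str:
    """Port-only decision: app, user and file are invisible."""
    return PORT_RULES.get(s.dst_port, "deny")

def app_aware_verdict(s: Session) -> str:
    """Single-pass decision: App-ID selects the rule and the file type is
    checked in the same step; unlisted apps are denied (positive enforcement)."""
    rule = APP_RULES.get(s.application)
    if rule is None:
        return "deny"
    if s.file_type is None:
        return "allow"
    blocked = rule["blocked_file_types"]
    if blocked == "all" or s.file_type in blocked:
        return "deny"
    return "allow-and-scan"  # the slide's "Allow, but: scan for threats"
```

Both slide sessions share the 5-tuple, so the port-based rule returns "allow" for each, while the application-keyed rule denies the unlisted upload application and the executable download alike.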

Page 14: Introduzione PAN

Why? The Architecture.

Diagram: the same comparison as on page 12. Competitors: Sequential Filtering. Port Classification → Application Classification (Filter) → + File Classification (Filter) → + Threat Matching (Filter) → + etc. → ?; each stage sees only User and L1-4, and the filter has no app knowledge.

Palo Alto Networks: Single Pass. Full Classification (Application, User, L1-4) → Full Enforcement → Done.

Page 15: Introduzione PAN

Evolving a Platform

Security Platform → Future

Up-Level Understanding: collective intelligence x 7500; ? -> known (in minutes)

Up-Level Enforcement: Traps

•  endpoint protection

•  compromised endpoints

•  disrupt the attack lifecycle

Page 16: Introduzione PAN

Everywhere You Want / Have to Be

Internet/WAN, Mobile, SaaS

WildFire™, Aperture™, AutoFocus™, GlobalProtect™, Traps

Page 17: Introduzione PAN

A Consumable Architecture: Operations and IT-level Integration

Flexible Design  •  e.g. mix-and-match interface modes

Intuitive Management  •  single rule base  •  visibility & insight  •  at-scale

Automation & Integration  •  Technology: APIs, address groups, network integration options  •  Business: VMware, Amazon, etc.

Risk, Agility, Efficiency

Page 18: Introduzione PAN

Nobody Else Does What We Do

Unique Architecture: NGFW → Security Platform; simple, extensible; integrates with Identity, SIEM and Hybrid IT (e.g. cloud, SDN)

Unique Security Posture: Disrupt the Attack Lifecycle

Risk, Agility, Efficiency

Page 19: Introduzione PAN

Other OPTIONS?

Page 20: Introduzione PAN

The lifecycle of an attack

1. Bait the end-user: the end user is lured by a dangerous application or by a website with malicious content.

2. Exploit: a vulnerability in the system or in the application is exploited, without the user noticing anything.

3. Download Backdoor: a second payload is downloaded in the background and the malware is installed.

4. Establish Back-Channel: the malware establishes an outbound connection to the attacker, so that the attacker takes control.

5. Explore & Steal: the remote attacker has control inside the network and intensifies the attack.

Page 21: Introduzione PAN

Anatomy of a compromised network

Diagram labels: Corporate Email Server; Initially targeted client; Phishing email (corporate email with link to malicious site); Phishing email (web-based email with malicious attachment); SMTP, HTTP, SSL; Domain Controller; Application servers; Command-and-control; Exploit delivery, Remote access tool download, Command-and-control; Hypervisor; Virtual server host; Brute-force, Command injection; Exploitation; Mobile Devices; Workstations harvested for IP and used as mules; Data exfiltration; Compromise of mobile devices; Network ownership complete, Legitimate credentials used; Exploitation, tool drops, credential and data theft.

Page 22: Introduzione PAN

Advanced Threat Prevention solution

Our approach makes us the only solution able to ...

§  Scan ALL APPLICATIONS (including SSL traffic) to control all IN/OUT access to the network, reduce the attack surface and provide context for forensic analysis

§  Prevent attacks across ALL infection vectors (exploit, DNS and URL) towards malware and command & control, with content-based signatures

§  Detect zero-day malware and exploits using a public or private cloud, automatically creating signatures for all users, globally

Identify & control; Prevent known threats; Detect unknown threats; Rapid, global sharing; All applications

Page 23: Introduzione PAN

WildFire architecture

Page 24: Introduzione PAN

Enterprise Risk Report


Page 25: Introduzione PAN

Hardware Platforms

Firewall   Firewall Throughput   Threat Prevention Throughput   Ports                                              Session Capacity
PA-5060    20 Gbps               10 Gbps                        4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit  4,000,000
PA-5050    10 Gbps               5 Gbps                         4 SFP+ (10 Gig), 8 SFP (1 Gig), 12 copper gigabit  2,000,000
PA-5020    5 Gbps                2 Gbps                         8 SFP, 12 copper gigabit                           1,000,000
PA-3060    4 Gbps                2 Gbps                         2 SFP+ (10 Gig), 8 SFP (1 Gig), 8 copper gigabit   500,000
PA-3050    4 Gbps                2 Gbps                         8 SFP, 12 copper gigabit                           500,000
PA-3020    2 Gbps                1 Gbps                         8 SFP, 12 copper gigabit                           250,000
PA-500     250 Mbps              100 Mbps                       8 copper gigabit                                   64,000
PA-200     100 Mbps              50 Mbps                        4 copper gigabit                                   64,000

Page 26: Introduzione PAN

Protecting the whole network

Network segment: Data center / cloud; Perimeter; Branch/BYOD

Next-Generation appliance: Physical: PA-200, PA-500, PA-3000 Series, PA-5000 Series, PA-7050; Virtual: VM-Series; APT: WF-500

Subscription: URL Filtering, GlobalProtect™, WildFire™, Threat Prevention

Use case: Next-Generation Firewall; IDS / IPS / APT / malware; Data Center Gateway

Management system: Panorama and the M-100 appliance

Operating system: PAN-OS™

Page 27: Introduzione PAN

VM-Series

VM-Series for VMware vSphere (ESXi)

•  VM-100, VM-200, VM-300 deployed as guest VMs on VMware ESXi

•  Deployed as part of the virtual network configuration for East-West traffic inspection

VM-Series for Citrix NetScaler SDX

•  VM-100, VM-200, VM-300 deployed as guest VMs on Citrix NetScaler SDX

•  Consolidates ADC and security services for multi-tenant and Citrix XenApp/XenDesktop deployments

VM-Series for VMware NSX

•  VM-Series for NSX deployed as a service with VMware NSX and Panorama

•  Ideal for East-West traffic inspection

Page 28: Introduzione PAN

VM-Series for Amazon Web Services

Diagram labels: AWS Management Console; Web, App and DB tiers; corporate data center

Page 29: Introduzione PAN

VM-Series for KVM in public and private cloud

Standard Hardware

Page 30: Introduzione PAN

GlobalProtect: a single integrated infrastructure for Mobile Security

Page 31: Introduzione PAN

TRAPS

Advanced Endpoint Protection

Page 32: Introduzione PAN

Advanced Endpoint Protection Overview

§  An endpoint solution that prevents:

§  Advanced Persistent Threats (APTs)

§  Zero-day attacks

§  By blocking the attack techniques used, rather than relying on signatures

Page 33: Introduzione PAN

Advanced Endpoint Protection Overview

§  Exploit Prevention

§  Blocks the techniques used to exploit a vulnerability:

§  Buffer overflow

§  Heap corruption

§  DLL hijacking (replacing a legitimate DLL with a malicious one, using the same name)

§  etc.

Page 34: Introduzione PAN

Next-generation enterprise security platform

Palo Alto Networks Threat Intelligence Cloud

§  Collects potential threats coming from the network and from the endpoints

§  Analyzes and correlates threats

§  Distributes threat information to the network and to the endpoints

Palo Alto Networks Next-Generation Firewall

§  Inspects all traffic

§  Blocks known threats

§  Sends what it does not recognize to the cloud

§  Protection also for mobile and virtual networks

Palo Alto Networks Advanced Endpoint Protection

§  Inspects all processes and files

§  Prevents both known and unknown exploits

§  Integrated with the cloud to prevent known and unknown malware

Page 35: Introduzione PAN

We prevent attacks at every stage of the kill chain: 1 Breach the perimeter, 2 Deliver the malware, 3 Lateral movement, 4 Exfiltrate data

URL Filtering

§  Prevent use of social engineering

§  Block known malicious URLs and IP addresses

Next-Generation Firewall / GlobalProtect

§  Visibility into all traffic, including SSL

§  Enable business-critical applications

§  Block high-risk applications

§  Block commonly exploited file types

Threat Prevention

§  Block known exploits, malware and inbound command-and-control communications

WildFire

§  Send specific incoming files and email links from the internet to a public or private cloud for inspection

§  Detect unknown threats

§  Automatically deliver protections globally

Next-Generation Firewall / GlobalProtect

§  Establish secure zones with strictly enforced access control

§  Provide ongoing monitoring and inspection of all traffic between zones

Threat Prevention

§  Block outbound command-and-control communications

§  Block file and data pattern uploads

§  DNS monitoring and sinkholing

Traps / WildFire

§  Block known and unknown vulnerability exploits

§  Block known and unknown malware

§  Provide detailed forensics on attacks

URL Filtering

§  Block outbound communication to known malicious URLs and IP addresses

WildFire

§  Detect unknown threats pervasively throughout the network

Page 36: Introduzione PAN

Unit-42

Page 37: Introduzione PAN

Unit-42 Overview

§  Unit-42 is the Threat Intelligence Team of Palo Alto Networks

§  Made up of top cybersecurity experts

§  It collects, researches and analyzes all the latest cyber threats

§  It also analyzes all WildFire results to provide the context, motivations and methodologies behind attacks

§  It shares all information with Palo Alto Networks customers and with the community

Page 38: Introduzione PAN

Unit-42 links

§  Blog: researchcenter.paloaltonetworks.com/unit42

§  Events: https://www.blackhat.com/us-14/ and https://www.blackhat.com/eu-14/

§  Cyber Threat Alliance: http://cyberconsortium.org/

Page 39: Introduzione PAN

EXPANSIVE PARTNER ECOSYSTEM

Enterprise Security, Virtualization, Networking, Mobility, Security Analytics

Page 40: Introduzione PAN
