Agenda
08:30 – 09:00 Registration
09:00 – 09:15 Welcome address - Aljoša Pavelin, Executive Director for Sales and Marketing
09:15 – 10:15 Next-generation firewall - Hrvoje Freuhwirth, Senior Customer Solutions Manager
10:15 – 10:30 Coffee break
10:30 – 11:30 Demo presentation of the functionality in a production environment
Ivan Ščavničar, network technology specialist
Andrija Čondor, network technology expert
Davor Šerfez, senior consultant
11:30 – 11:45 Roadmap - Hrvoje Freuhwirth, Senior Customer Solutions Manager
11:45 – 12:45 Lunch
What have we achieved and which challenges have we faced?
Contents
1. Firewalls
2. Next Generation Firewall
3. Application, user, content
Packet filtering FW
Stateful inspection FW
• stateful inspection = L3 – L7
Stateful FW
Nir Zuk
• developed stateful inspection FW technology
Today in practice
The "security at the perimeter" principle:
the trust zone is defined by the perimeter
the FW is the typical place where the security policy is enforced
Typically
User            Port   Protocol   Application
216.27.61.137   80     HTTP       Web browsing?
Mary Jones      80     IM         Yahoo-IM
203.49.15.195   443    HTTPS      Secure banking?
Paul King       443    email      Google gMail
Others . . .
215.44.29.203   5060   SIP        VOIP?
John Smith      many   Gnutella   Limewire P2P
The situation has changed:
port ≠ application
IP address ≠ user
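The table's point, "port ≠ application", as an added example that is not part of the original slides and not Palo Alto Networks code: a plain port-table lookup is run next to a payload-signature classifier over a few constructed flows (the IP addresses echo the table; the payloads, port table and signatures are simplified stand-ins for App-ID and are assumptions of this example). The rows where the two disagree are exactly the ones a port-based firewall gets wrong.

```python
# Added example (not from the original slides or Palo Alto Networks code):
# port-based lookup versus payload-signature classification over constructed flows.
from dataclasses import dataclass

# What a classic port-based firewall assumes a destination port means.
PORT_TABLE = {80: "web-browsing", 443: "ssl", 5060: "sip", 6346: "gnutella"}


def _first_line(payload: bytes) -> bytes:
    return payload.split(b"\r\n", 1)[0]


def _request_line(payload: bytes, methods: tuple, version: bytes) -> bool:
    """True if the first line is '<METHOD> <target> <version...>'."""
    parts = _first_line(payload).split(b" ")
    return len(parts) == 3 and parts[0] in methods and parts[2].startswith(version)


def _is_tls_client_hello(payload: bytes) -> bool:
    # TLS record header: type 0x16 (handshake), version 0x03xx, 2-byte length,
    # followed by the handshake type 0x01 (ClientHello).
    return len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01


# Ordered (application, predicate over the first bytes the client sends).
SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-2.0-")),
    ("gnutella", lambda p: p.startswith(b"GNUTELLA CONNECT/")),
    ("sip", lambda p: _request_line(p, (b"INVITE", b"REGISTER", b"OPTIONS"), b"SIP/2.0")),
    ("ssl", _is_tls_client_hello),
    ("web-browsing", lambda p: _request_line(p, (b"GET", b"POST", b"HEAD", b"PUT"), b"HTTP/1.")),
]


def identify_by_port(dport: int) -> str:
    return PORT_TABLE.get(dport, "unknown")


def identify_by_payload(payload: bytes) -> str:
    for app, matches in SIGNATURES:
        if matches(payload):
            return app
    return "unknown"


@dataclass
class Flow:
    src: str
    dport: int
    payload: bytes  # first bytes sent by the client


# Constructed flows (not real captures).
FLOWS = [
    Flow("216.27.61.137", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.1.20.31", 80, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire\r\n\r\n"),
    # Truncated TLS 1.2 ClientHello: record header plus handshake header.
    Flow("203.49.15.195", 443, b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + bytes(32)),
    Flow("10.1.20.15", 443, b"SSH-2.0-OpenSSH_5.3\r\n"),
    Flow("215.44.29.203", 5060, b"INVITE sip:bob@example.com SIP/2.0\r\n\r\n"),
]


def classify(flows=FLOWS):
    """(src, dport, app-by-port, app-by-payload) for every flow."""
    return [(f.src, f.dport, identify_by_port(f.dport), identify_by_payload(f.payload)) for f in flows]


def port_mismatches(flows=FLOWS):
    """Flows where the port says one thing and the payload another."""
    return [row for row in classify(flows) if row[2] != row[3]]


if __name__ == "__main__":
    for row in classify():
        print(row)
```

Two of the five constructed flows are misclassified by port alone: Gnutella on 80 and SSH on 443. A real App-ID engine also has to follow the application after the handshake (decoders, decryption of SSL where policy allows it), which this prefix-only check does not attempt.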
Applications are a risk
Applications carry security risk:
P2P file sharing, tunneling applications, anonymizers, media/video
SANS top 20 threats – most of them are at L7
What to fight with?
[Figure: a stack of separate point products placed in front of the Internet: IPS, AV, URLF, ASPW]
Box stacking
"box stacking" does not solve the problem
FW "helpers" have limited visibility into the traffic
a complex and expensive solution to buy and maintain
Solution – NG FW
New requirements for the firewall
1. Identify applications regardless of the port, protocol or SSL used
2. Identify users regardless of IP address
3. Provide real-time protection against threats carried inside applications
4. Detailed visibility into and control of access to applications
5. Multi-gigabit, in-line deployment without degrading performance
• founded in 2005
• innovations: App-ID, User-ID, Content-ID
• NG FW – identifies and controls 1000+ applications
• present in 50+ countries, 24/7 support
• 03-2010: Gartner "Magic Quadrant"
Key advantages
App-ID
Identify the application
User-ID
Identify the user
Content-ID
Scan the content
Application identification
• Policy-based control more than 1000 applications distributed across five categories and 25 sub-categories
• Balanced mix of business, internet and networking applications and networking protocols
User identification
• Users no longer defined solely by IP address
– Leverage existing Active Directory and LDAP infrastructure
– NTLMv2 transparent challenge/response
– Microsoft Terminal Services & Citrix integration
– Web-form based authentication
• Understand users' application and threat behavior based on the actual AD username, not just the IP
• Manage and enforce policy based on user and/or AD/LDAP group
• Investigate security incidents, generate custom reports
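How a user-based policy can work once the firewall has an IP-to-user mapping, as an added example that is not part of the original slides and not Palo Alto Networks code: AD logon events are parsed into a per-IP mapping (latest logon wins, entries age out), and a rulebase is then matched on group and application rather than on the address. The log format, the group membership, the rules and the 60-minute timeout are all constructed assumptions of this example, not the product's actual formats or defaults.

```python
# Added example (not from the original slides or Palo Alto Networks code):
# IP-to-user mapping from logon events feeding a group-based policy.
import re
from datetime import datetime, timedelta

# Constructed log lines in a simplified format (not real Windows 4624 records).
LOGON_EVENTS = """\
2010-03-15T08:31:02 EventID=4624 Account=CORP\\mjones SourceIP=10.1.20.15
2010-03-15T08:40:10 EventID=4624 Account=CORP\\pking SourceIP=10.1.20.31
2010-03-15T09:10:00 EventID=4624 Account=CORP\\jsmith SourceIP=10.1.20.31
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4624 Account=(?P<domain>[^\\\s]+)\\(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

# Constructed group membership (stand-in for an AD/LDAP group lookup).
GROUPS = {"mjones": {"finance"}, "pking": {"it-admins"}, "jsmith": {"staff"}}

# First match wins: (group or "any", application, action). Constructed rulebase.
POLICY = [
    ("it-admins", "ssh", "allow"),
    ("finance", "google-gmail", "deny"),
    ("any", "gnutella", "deny"),
    ("any", "web-browsing", "allow"),
]

# Assumed expiry for a mapping that sees no fresh logon event.
MAPPING_TIMEOUT = timedelta(minutes=60)


def parse_ts(iso_text):
    return datetime.fromisoformat(iso_text)


def build_ip_user_map(log_text):
    """Latest logon per IP wins: {ip: (user, logon_time)}."""
    mapping = {}
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        ip, user = m["ip"], m["user"].lower()
        if ip not in mapping or ts >= mapping[ip][1]:
            mapping[ip] = (user, ts)
    return mapping


def lookup_user(mapping, ip, now):
    """User behind an IP, or None if unknown or the mapping has aged out."""
    entry = mapping.get(ip)
    if entry is None or now - entry[1] > MAPPING_TIMEOUT:
        return None
    return entry[0]


def evaluate(mapping, ip, app, now):
    """(user, action) for a flow; an unknown user only matches 'any' rules."""
    user = lookup_user(mapping, ip, now)
    groups = GROUPS.get(user, set()) if user else set()
    for group, rule_app, action in POLICY:
        if rule_app == app and (group == "any" or group in groups):
            return user, action
    return user, "deny"  # implicit deny at the end of the rulebase


if __name__ == "__main__":
    table = build_ip_user_map(LOGON_EVENTS)
    now = parse_ts("2010-03-15T09:15:00")
    for ip, app in [("10.1.20.31", "ssh"), ("10.1.20.15", "google-gmail"), ("10.1.20.99", "ssh")]:
        print(ip, app, evaluate(table, ip, app, now))
```

The second logon from 10.1.20.31 is the case the slide warns about: pking's allow rule for SSH must not survive a different user sitting down at the same address, and an address with no fresh logon event should fall back to the unknown-user treatment rather than keep a stale identity.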
Content scanning
• Detect and block a wide range of threats, limit unauthorized file transfers and control non-work related web surfing
– Stream-based, not file-based, for real-time performance
• Uniform signature engine scans for a broad range of threats in a single pass
• Vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)
– Block a wide range of file transfers by type
• Looks into the file to determine its type – not extension based
– Web filtering enabled via a fully integrated URL database
• 20M URLs across 78 categories & custom categories
• 'In the cloud' access to 180+ million categorized URLs
• Local database ensures a highly scalable solution
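The "looks into the file, not the extension" bullet, as an added example that is not part of the original slides and not Palo Alto Networks code: the file type is decided from the leading bytes of the stream (the standard magic values), compared with what the file name claims, and a block list of types drives the verdict. Only the first few bytes are needed, which is what makes a stream-based decision possible before the transfer completes. The blocked-type list, the extension table and the sample files are constructed for this example.

```python
# Added example (not from the original slides or Palo Alto Networks code):
# file-type blocking from stream prefix bytes rather than from the file name.

# (magic prefix, type), longest prefix checked first. Standard magic values.
MAGIC = sorted([
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),                          # also docx/xlsx/jar containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),    # legacy .doc/.xls
], key=lambda entry: -len(entry[0]))

# Constructed mapping of what an extension claims to be.
EXTENSION_TYPES = {"exe": "pe-executable", "dll": "pe-executable", "pdf": "pdf",
                   "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "zip": "zip",
                   "docx": "zip", "doc": "ole2"}

# Constructed policy: which content types a transfer rule blocks.
BLOCKED_TYPES = {"pe-executable", "elf-executable"}

# Bytes of the stream that must be seen before a verdict is possible.
PREFIX_BYTES = max(len(magic) for magic, _ in MAGIC)


def type_by_extension(filename):
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSION_TYPES.get(ext, "unknown")


def type_by_content(prefix):
    for magic, ftype in MAGIC:
        if prefix.startswith(magic):
            return ftype
    return "unknown"


def decide(filename, stream_prefix):
    """(action, content_type, extension_type, mismatch) for one transfer."""
    content_type = type_by_content(stream_prefix[:PREFIX_BYTES])
    ext_type = type_by_extension(filename)
    action = "block" if content_type in BLOCKED_TYPES else "allow"
    return action, content_type, ext_type, content_type != ext_type


# Constructed sample transfers (name, first bytes of the stream).
SAMPLES = [
    ("holiday.jpg", b"MZ\x90\x00\x03\x00\x00\x00" + bytes(56)),   # PE renamed to .jpg
    ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice.docx", b"PK\x03\x04\x14\x00" + bytes(26)),
    ("tool.exe", b"\x7fELF\x02\x01\x01" + bytes(9)),              # ELF with a .exe name
]


def scan(samples=SAMPLES):
    return {name: decide(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(name, verdict)
```

The renamed PE in holiday.jpg is blocked on content while an extension-based rule would pass it. The limit of magic-byte detection also shows: a .docx is only recognisable as a ZIP container at this depth, so a rule that needs to tell Office documents from plain archives has to look inside the container.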
Single-Pass Parallel Processing (SP3)
Single Pass
Single processes for:
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
One policy
Parallel Processing
Function-specific hardware engines
Multi-core security processing
Separate data/control planes
Deployment modes / topologies
Visibility
• Application, user and content visibility without inline deployment
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
Panorama
• Panorama central management application
– Consolidated management, logging, and monitoring of Palo Alto Networks devices
– Consistent web interface between Panorama and device UI
– Network-wide ACC/monitoring views, log collection, and reporting
– Delegated administrators with per-vsys view/management
• All interfaces work on current configuration, avoiding sync issues
VSYS
• Up to 125 VSYS
• Granular delegated admin access
• Deploy transparently behind existing equipment, or replace existing equipment. Flexible
• Provides application and network-based visibility and control, consolidated policy, high performance
Reporting
© 2008 Palo Alto Networks. Proprietary and Confidential.
Features
• Strong networking foundation
– Dynamic routing (OSPF, RIPv2, BGP-4)
– Tap mode – connect to SPAN port
– Virtual wire ("Layer 1") for true transparent in-line deployment
– L2/L3 switching foundation
• VPN
– Site-to-site IPSec VPN
– SSL VPN
• Zone-based architecture
– All interfaces assigned to security zones for policy enforcement
• High Availability
– Active / passive
– Configuration and session synchronization
– Path, link, and HA monitoring
• SSL decrypt
• QoS traffic shaping
– Max/guaranteed and priority
– By user, app, interface, zone, IP and scheduled
• Virtual Systems
– Establish multiple virtual firewalls in a single device (PA-4000 & PA-2000 Series – from 6 to 125 VSYS)
– Delegated administrators
• Simple, flexible management
– CLI, Web, Panorama, SNMP, Syslog, XML API, audit trail, automated reports delivery
[Figure: product family PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060]
In short
• Next-generation firewall with visibility into and control of 1000+ applications
• integration with MS AD for user identification
• Citrix / MS terminal server: per-user FW control
• control and authorization: application / user
• QoS: per user, application, interface, zone
• optional IPS and URL filtering functionality
• excellent traffic visibility and quality reporting
• 250 Mbps to 10 Gbps!
• up to 125 VSYS on a single device
Palo Alto Networks Next-Gen Firewalls
Model     FW throughput   Threat prevention   Sessions    VSYS   Interfaces
PA-4060   10 Gbps         5 Gbps              2,000,000   125    4 XFP (10 Gig) I/O, 4 SFP (1 Gig) I/O
PA-4050   10 Gbps         5 Gbps              2,000,000   125    16 copper gigabit, 8 SFP
PA-4020   2 Gbps          2 Gbps              500,000     125    16 copper gigabit, 8 SFP
PA-2050   1 Gbps          500 Mbps            250,000     6      16 copper gigabit, 4 SFP
PA-2020   500 Mbps        200 Mbps            125,000     6      12 copper gigabit, 2 SFP
PA-500    250 Mbps        100 Mbps            50,000      –      8 copper gigabit
Coming soon
1. 20 Gbps
2. HA: A/A support
3. 225 VSYS
4. SSH decryption
5. GlobalProtect: "VPN in the background", end-station profiles – e.g. an "Encrypted HDD" filter
6. Improved GUI
Thank you!
Hrvoje Frühwirth, dipl. ing.
RECRO-NET d.o.o., Av. V. Holjevca 40, 10 000 Zagreb, CROATIA
Web: www.recro-net.hr
E-mail: info@recro-net.hr