Agenda

08:30 – 09:00 Registration

09:00 – 09:15 Welcome address – Aljoša Pavelin, Executive Director for Sales and Marketing

09:15 – 10:15 Next-generation firewall – Hrvoje Freuhwirth, Senior Customer Solutions Manager

10:15 – 10:30 Coffee break

10:30 – 11:30 Demo of the functionality in a production environment
  Ivan Ščavničar, network technology specialist
  Andrija Čondor, network technology expert
  Davor Šerfez, senior consultant

11:30 – 11:45 Roadmap – Hrvoje Freuhwirth, Senior Customer Solutions Manager

11:45 – 12:45 Lunch

What have we achieved, and which challenges have we faced?

Contents

1. Firewalls
2. Next-generation firewall
3. Application, user, content

Packet filtering FW

Stateful inspection FW

• stateful inspection = L3 – L7 (as the deck frames it; in practice the state a stateful firewall keeps is the L3/L4 connection tuple and its view of L7 is limited, which is exactly the gap the following slides describe)

Stateful FW

Nir Zuk

• developed the stateful inspection FW technology

Today in practice

The "security at the perimeter" principle:

• the trust zone is defined by the perimeter

• the FW is the typical place where the security policy is enforced

Typical

What a port-based firewall sees, and what is actually flowing:

  Source / user     Port   Protocol   Application
  216.27.61.137     80     HTTP       web browsing?
  Mary Jones        80     IM         Yahoo-IM
  203.49.15.195     443    HTTPS      secure banking?
  Paul King         443    email      Google Gmail
  215.44.29.203     5060   SIP        VoIP?
  John Smith        many   Gnutella   Limewire P2P

The firewall knows an IP address and a port number; what it assumes from them (web browsing, secure banking, VoIP) is not what the session actually carries (instant messaging, webmail, P2P file sharing).

The situation has changed:

• port ≠ application

• IP address ≠ user

Applications are a risk

Applications carry security risk:

• P2P file sharing, tunneling applications, anonymizers, media/video

• SANS Top 20 threats – most of them are at L7

What do we fight with?

(figure: a stack of separate point products in front of the Internet, labelled IPS, AV, URLF and ASPW, i.e. URL filtering and anti-spyware)

Piling up equipment

• "piling up equipment" does not solve the problem

• the FW "helpers" have only a limited view of the traffic

• a complex and expensive solution to buy and to maintain

Solution – NG FW

New requirements for a firewall

1. Identify applications regardless of the port, protocol or SSL used

2. Identify users regardless of IP address

3. Provide real-time protection against threats carried inside applications

4. Detailed visibility into and control of access to applications

5. Multi-gigabit, in-line deployment without degrading performance

Palo Alto Networks

• founded in 2005

• innovations: App-ID, User-ID, Content-ID

• NG FW – identifies and controls 1000+ applications

• present in 50+ countries, 24/7 support

• 03-2010: Gartner "Magic Quadrant"

Key advantages

App-ID – Identify the application

User-ID – Identify the user

Content-ID – Scan the content

Application identification

• Policy-based control of more than 1000 applications, distributed across five categories and 25 sub-categories

• Balanced mix of business, internet and networking applications and networking protocols

User identification

• Users are no longer defined solely by IP address

– Leverage the existing Active Directory and LDAP infrastructure

– NTLMv2 transparent challenge/response

– Microsoft Terminal Services & Citrix integration

– Web-form based authentication

• Understand users' application and threat behaviour based on the actual AD username, not just the IP

• Manage and enforce policy based on user and/or AD/LDAP group

• Investigate security incidents, generate custom reports
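The three mechanisms the deck has introduced so far (application named from the payload rather than the port, user derived from directory logon events rather than from the IP, and policy matched on the group/application pair) in miniature, as an added example that is not code from the slides or from Palo Alto Networks. The byte signatures, host names, users, logon events, flows and rules below are all constructed for illustration; a real App-ID engine does far more than match first-packet bytes, and a real User-ID agent ages mappings from several sources.

```python
"""App-ID / User-ID / policy in miniature.

Added example, not Palo Alto Networks code. A flow is classified from its payload
instead of its destination port, the source IP is mapped to a directory user from
logon events instead of being treated as the user, and policy is matched on
(group, application). Signatures, users, logon events, flows and rules are constructed.
"""

# What a port-based firewall believes: destination port -> protocol.
PORT_TABLE = {80: "HTTP", 443: "HTTPS", 5060: "SIP"}

def classify_by_port(dst_port: int) -> str:
    return PORT_TABLE.get(dst_port, "unknown")

def classify_by_payload(payload: bytes) -> str:
    """App-ID-style: name the application from the first bytes of the session, whatever the port."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload.startswith(b"GNUTELLA CONNECT/"):
        return "gnutella"
    if payload[:1] == b"\x16" and payload[1:3] in (b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "ssl"  # TLS ClientHello: the application inside stays hidden unless decrypted
    if payload.startswith((b"INVITE sip:", b"REGISTER sip:", b"OPTIONS sip:")):
        return "sip"
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return _classify_http(payload)
    return "unknown"

def _classify_http(payload: bytes) -> str:
    """Port 80 carries many applications; tell them apart by the Host header."""
    host = b""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            host = line.split(b":", 1)[1].strip().lower()
            break
    if host.endswith(b"mail.google.com"):
        return "gmail"
    if host.endswith(b"messenger.yahoo.com"):
        return "yahoo-im"
    return "web-browsing"

MAPPING_TIMEOUT = 45 * 60  # seconds; a stale IP->user mapping attributes traffic to the wrong person

def build_ip_user_map(events, now: int) -> dict:
    """User-ID-style: events are (timestamp, ip, user); newest non-expired logon per IP wins."""
    mapping = {}
    for ts, ip, user in sorted(events):
        if now - ts <= MAPPING_TIMEOUT:
            mapping[ip] = user
    return mapping

GROUPS = {"CORP\\mjones": "marketing", "CORP\\pking": "finance", "CORP\\jsmith": "engineering"}

# (rule name, group or None for any user, applications, action); first match wins, else deny.
POLICY = [
    ("finance-gmail", "finance", {"gmail"}, "allow"),
    ("block-p2p", None, {"bittorrent", "gnutella"}, "deny"),
    ("web-any-user", None, {"web-browsing", "ssl"}, "allow"),
    ("sip-engineering", "engineering", {"sip"}, "allow"),
]

def evaluate(flow: dict, ip_user_map: dict) -> dict:
    app = classify_by_payload(flow["payload"])
    user = ip_user_map.get(flow["src_ip"], "unknown")
    group = GROUPS.get(user)
    for name, rule_group, apps, action in POLICY:
        if app in apps and (rule_group is None or rule_group == group):
            return {"app": app, "user": user, "action": action, "rule": name}
    return {"app": app, "user": user, "action": "deny", "rule": "default-deny"}

NOW = 1_700_000_000  # constructed "current time"
LOGON_EVENTS = [
    (NOW - 600, "10.0.0.12", "CORP\\mjones"),
    (NOW - 120, "10.0.0.17", "CORP\\pking"),
    (NOW - 3 * 3600, "10.0.0.23", "CORP\\jsmith"),  # older than MAPPING_TIMEOUT: expired
]
FLOWS = [  # constructed first-packet payloads
    {"src_ip": "10.0.0.12", "dst_port": 80, "payload": b"GET /ymsg HTTP/1.1\r\nHost: messenger.yahoo.com\r\n\r\n"},
    {"src_ip": "10.0.0.17", "dst_port": 80, "payload": b"GET /mail/ HTTP/1.1\r\nHost: mail.google.com\r\n\r\n"},
    {"src_ip": "10.0.0.23", "dst_port": 443, "payload": b"\x13BitTorrent protocol" + bytes(48)},
    {"src_ip": "10.0.0.23", "dst_port": 5060, "payload": b"INVITE sip:bob@example.net SIP/2.0\r\n"},
    {"src_ip": "10.0.0.17", "dst_port": 443, "payload": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(32)},
]

def run_demo() -> list:
    """Evaluate every constructed flow; each verdict also records the port-only view for contrast."""
    ip_user = build_ip_user_map(LOGON_EVENTS, NOW)
    results = []
    for flow in FLOWS:
        verdict = evaluate(flow, ip_user)
        verdict["port_view"] = classify_by_port(flow["dst_port"])
        results.append(verdict)
    return results

if __name__ == "__main__":
    for v in run_demo():
        print(f"{v['user']:<13} port-view={v['port_view']:<8} app={v['app']:<12} {v['action']} ({v['rule']})")
```

Two of the constructed flows make the slide's point: the BitTorrent handshake on port 443 is "HTTPS" to the port table but is denied by the P2P rule, and the SIP call from 10.0.0.23 is denied because the only logon seen for that address has aged out, so the engineering-only rule cannot match. The TLS flow is classified as "ssl" and nothing more; without SSL decryption (a feature the deck lists later) the application inside stays unknown.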


Content scanning

• Detect and block a wide range of threats, limit unauthorized file transfers and control non-work-related web surfing

– Stream-based, not file-based, for real-time performance

• A uniform signature engine scans for a broad range of threats in a single pass

• Vulnerability exploits (IPS), viruses and spyware (both downloads and phone-home)

– Block a wide range of file transfers by type

• Looks into the file to determine its type – not extension-based

– Web filtering enabled via a fully integrated URL database

• 20M URLs across 78 categories, plus custom categories

• "In the cloud" access to 180+ million categorized URLs

• The local database ensures a highly scalable solution
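The two file-transfer claims above, that the type is taken from the file's bytes rather than its extension and that the decision is made on the stream rather than after buffering the whole file, in a minimal form. This is an added example, not code from the slides or from Palo Alto Networks; the signature list, the blocked-type policy and the sample files are constructed for illustration, and a production engine matches far more types than the handful of headers here.

```python
"""Content-ID-style file-type control: decide from the bytes, not the name, and decide early.

Added example, not Palo Alto Networks code. The type of a transferred file is taken from
its leading bytes, so an executable renamed to .pdf still hits a block-by-type rule, and
the verdict is reached on the first chunks of the stream instead of after buffering the
whole file. Signatures, the blocked-type list and the sample files are constructed.
"""

# (type, offset, magic bytes): well-known file headers
SIGNATURES = [
    ("pe", 0, b"MZ"),
    ("elf", 0, b"\x7fELF"),
    ("pdf", 0, b"%PDF-"),
    ("zip", 0, b"PK\x03\x04"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("jpeg", 0, b"\xff\xd8\xff"),
    ("gif", 0, b"GIF8"),
]
HEADER_BYTES = max(off + len(magic) for _, off, magic in SIGNATURES)  # enough to test every signature
EXTENSIONS = {"exe": "pe", "dll": "pe", "pdf": "pdf", "zip": "zip", "png": "png", "jpg": "jpeg", "gif": "gif"}
BLOCKED_TYPES = {"pe", "elf"}  # constructed policy: no executables over this channel

def sniff_type(head: bytes) -> str:
    """Type from content: the first signature that matches the leading bytes."""
    for name, off, magic in SIGNATURES:
        if head[off:off + len(magic)] == magic:
            return name
    return "unknown"

def extension_type(filename: str) -> str:
    """Type from the name only, i.e. what the sender claims."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSIONS.get(ext, "unknown")

class StreamSniffer:
    """Keeps only the first HEADER_BYTES of a stream and classifies as soon as it has them."""

    def __init__(self):
        self.head = b""
        self.decision = None

    def feed(self, chunk: bytes):
        if self.decision is None:
            self.head += chunk[:HEADER_BYTES - len(self.head)]
            if len(self.head) >= HEADER_BYTES:
                self.decision = sniff_type(self.head)
        return self.decision  # None until enough bytes have been seen

    def finish(self) -> str:
        """End of stream: classify whatever was seen (short files never reach HEADER_BYTES)."""
        if self.decision is None:
            self.decision = sniff_type(self.head)
        return self.decision

def check_transfer(filename: str, chunks: list) -> dict:
    """Inspect a transfer delivered as a list of chunks; record at which chunk the verdict was reached."""
    sniffer = StreamSniffer()
    decided_at = None
    for i, chunk in enumerate(chunks):
        if sniffer.feed(chunk) is not None:
            decided_at = i  # the remaining chunks are forwarded or dropped without further buffering
            break
    content = sniffer.finish()
    return {
        "file": filename,
        "by_extension": extension_type(filename),
        "by_content": content,
        "action": "block" if content in BLOCKED_TYPES else "allow",
        "decided_at_chunk": decided_at,
        "total_chunks": len(chunks),
    }

def split_chunks(data: bytes, size: int) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]

# Constructed samples: a PE stub renamed to .pdf, a small PDF, and a GIF shorter than HEADER_BYTES.
SAMPLES = [
    ("quarterly_report.pdf", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + bytes(50)),
    ("quarterly_report_real.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"),
    ("logo.gif", b"GIF89a"),
]

def run_transfers(chunk_size: int = 4) -> list:
    return [check_transfer(name, split_chunks(data, chunk_size)) for name, data in SAMPLES]

if __name__ == "__main__":
    for r in run_transfers():
        print(f"{r['file']:<26} claims={r['by_extension']:<8} is={r['by_content']:<8} {r['action']} "
              f"(decided at chunk {r['decided_at_chunk']} of {r['total_chunks']})")
```

With 4-byte chunks the renamed executable is blocked after the second chunk of sixteen; the rest of the transfer never needs to be held. The six-byte GIF is the edge case: the stream ends before the longest signature could be tested, so the verdict is made at end of stream from the bytes that did arrive.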

Single-Pass Parallel Processing (SP3)

Single pass

• One process for:

– traffic classification (application identification)

– user/group mapping

– content scanning – threats, URLs, confidential data

• One policy

Parallel processing

• Function-specific hardware engines

• Multi-core security processing

• Separate data/control planes

Deployment modes / topologies

• Visibility: application, user and content visibility without inline deployment

• Transparent in-line: IPS with application visibility & control; consolidation of IPS & URL filtering

• Firewall replacement: firewall replacement with application visibility & control; firewall + IPS

Panorama

• Panorama central management application

– Consolidated management, logging and monitoring of Palo Alto Networks devices

– Consistent web interface between Panorama and the device UI

– Network-wide ACC/monitoring views, log collection and reporting

– Delegated administrators with per-vsys view/management

• All interfaces work on the current configuration, avoiding sync issues

VSYS

• Up to 125 VSYS

• Granular delegated admin access

• Deploy transparently behind existing equipment, or replace the existing equipment. Flexible

• Provides application- and network-based visibility and control, consolidated policy, high performance

Reporting

(screenshot slide)

© 2008 Palo Alto Networks. Proprietary and Confidential.

Features

• Strong networking foundation

– Dynamic routing (OSPF, RIPv2, BGP-4)

– Tap mode – connect to a SPAN port

– Virtual wire ("Layer 1") for true transparent in-line deployment

– L2/L3 switching foundation

• VPN

– Site-to-site IPSec VPN

– SSL VPN

• Zone-based architecture

– All interfaces are assigned to security zones for policy enforcement

• High availability

– Active / passive

– Configuration and session synchronization

– Path, link and HA monitoring

• SSL decrypt

• QoS traffic shaping

– Max/guaranteed and priority

– By user, app, interface, zone, IP and schedule

• Virtual systems

– Establish multiple virtual firewalls in a single device (PA-4000 & PA-2000 Series – from 6 to 125 VSYS)

– Delegated administrators

• Simple, flexible management

– CLI, Web, Panorama, SNMP, Syslog, XML API, audit trail, automated report delivery

(product photos on the slide: PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060)

In short

• Next-generation firewall with visibility into and control of 1000+ applications

• Integration with MS AD for user identification

• Citrix / MS Terminal Server: per-user FW control

• Control and authorization: application / user

• QoS: per user, application, interface, zone

• Optional IPS and URL filtering functionality

• Excellent visibility into traffic and high-quality reporting

• 250 Mbps to 10 Gbps!

• Up to 125 VSYS on a single device

Thank you!

Hrvoje Frühwirth, dipl. ing.

Palo Alto Networks Next-Gen Firewalls

  Model    Firewall   Threat prevention   Sessions    VSYS   Interfaces
  PA-4060  10 Gbps    5 Gbps              2,000,000   125    4 XFP (10 Gig) I/O, 4 SFP (1 Gig) I/O
  PA-4050  10 Gbps    5 Gbps              2,000,000   125    16 copper gigabit, 8 SFP
  PA-4020  2 Gbps     2 Gbps              500,000     125    16 copper gigabit, 8 SFP
  PA-2050  1 Gbps     500 Mbps            250,000     6      16 copper gigabit, 4 SFP
  PA-2020  500 Mbps   200 Mbps            125,000     6      12 copper gigabit, 2 SFP
  PA-500   250 Mbps   100 Mbps            50,000      –      8 copper gigabit

(the slide lists no VSYS figure for the PA-500)

Coming soon

1. 20 Gbps

2. HA: A/A support

3. 225 VSYS

4. SSH decryption

5. GlobalProtect: "VPN in the background"; end-station profiles – e.g. an "Encrypted HDD" filter

6. Improved GUI


RECRO-NET d.o.o.
Av. V. Holjevca 40
10 000 Zagreb
CROATIA
Web: www.recro-net.hr
E-mail: info@recro-net.hr
