
Hello and Welcome to:

Palo Alto Networks Ultimate Test Drive Next-Generation Firewall

Presented by Secure Dynamics

PALO ALTO NETWORKS AT-A-GLANCE

CORPORATE HIGHLIGHTS

Founded in 2005; first customer shipment in 2007
Safely enabling applications and preventing cyber threats
Able to address all enterprise cybersecurity needs
Exceptional ability to support global customers
Experienced team of 2,300+ employees
Q3 FY15: $234M revenue

[Chart: REVENUES ($MM), FY09 to FY14: $13, $49, $119, $255, $396, $598]
[Chart: ENTERPRISE CUSTOMERS, Jul-11 to Jul-14: 4,700, 9,000, 13,500, 19,000]

2 | 2015, Palo Alto Networks. Confidential and Proprietary.

WHAT'S CHANGED?
THE EVOLUTION OF THE ATTACKER

CYBERCRIME NOW
$445 billion industry

CYBER WARFARE
100+ nations

WHAT'S CHANGED?
THE EVOLUTION OF THE ATTACK

Mobile Threats
Changing Application Environment
Zero-Day Exploits/Vulnerabilities
Unknown & Polymorphic Malware
Lateral Movement
Evasive Command-and-Control
Known Threats
SSL Encryption
Organizational Risk

FAILURE OF LEGACY SECURITY ARCHITECTURES

Limited Visibility
Lacks Integration
Manual Response

[Diagram labels: Internet; Internet Connection; Enterprise Network; Vendor 1, Vendor 2, Vendor 3, Vendor 4; UTM/Blades; Network AV; Endpoint AV; DNS protection for outbound DNS; DNS protection cloud; Anti-APT for port 25 APTs; Anti-APT for port 80 APTs; Anti-APT cloud; Malware Intelligence; repeated alerts: DNS Alert, SMTP Alert, Web Alert, AV Alert, Endpoint Alert]

REQUIREMENTS FOR THE FUTURE

DETECT AND PREVENT THREATS AT EVERY POINT ACROSS THE ORGANIZATION

At the mobile device
At the internet edge
Between employees and devices within the LAN
At the data center edge and between VMs
Within private, public and hybrid clouds

[Diagram label: Cloud]

DELIVERING A NEXT-GENERATION SECURITY PLATFORM

THREAT INTELLIGENCE CLOUD
NEXT-GENERATION FIREWALL
ADVANCED ENDPOINT PROTECTION

NATIVELY INTEGRATED
AUTOMATED
EXTENSIBLE

A COMPLETE ENTERPRISE SECURITY ARCHITECTURE

[Diagram labels: THREAT INTELLIGENCE CLOUD; Public Cloud; Private Cloud; Enterprise Network]

PALO ALTO NEXT GENERATION FIREWALL


1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment


MULTI-STEP SCANNING RAMIFICATIONS

Firewall: Allow port 80
    Policy Decision #1: Open ports to allow the application. 300+ applications allowed*
App-Control Add-on: Allow Facebook
    Policy Decision #2: Facebook allowed... what about the other 299 apps?

Key Difference: Two separate policies
Ramifications:
    More work. Two policies = double the admin effort (data entry, mgmt, etc.)
    Possible security holes. No policy reconciliation tools to find potential holes.

Key Difference: Two separate policy decisions
Ramifications:
    Weakens the FW "deny all else" premise. Applications allowed by port-based FW decision.

Key Difference: Two separate log databases
Ramifications:
    Less visibility with more effort. Informed policy decisions require more effort, which slows reaction time.

Key Difference: No concept of unknown traffic
Ramifications:
    Increased risk. Unknown is found on every network = low volume, high risk.
    More work, less flexible. Significant effort to investigate; limited ability to manage if it is found.

*Based on Palo Alto Networks Application Usage and Risk Report

BENEFITS OF CLASSIFYING TRAFFIC IN THE FIREWALL

Firewall: Allow Facebook
App-ID Policy Decision

Key Difference: Single firewall policy
Benefit:
    Less work, more secure. Administrative effort is reduced; potential reconciliation holes eliminated.

Key Difference: Positive control model
Benefit:
    Allow by policy, all else is denied. It's a firewall.

Key Difference: Single log database
Benefit:
    Less work, more visibility. Policy decisions based on complete information.

Key Difference: Systematic management of unknowns
Benefit:
    Less work, more secure. Quickly identify high risk traffic and systematically manage it.

OUR FUNDAMENTALLY NEW APPROACH TO ENTERPRISE SECURITY

App-ID: Identify the application
Content-ID: Scan the content
User-ID: Identify the user

EXAMPLE: DNS

Legacy Firewalls
Security Rule: ALLOW Port 53
    DNS: Packet on Port 53: Allow
    BitTorrent: Packet on Port 53: Allow
    Visibility: Port 53 allowed

Security Rule: ALLOW DNS
    DNS: DNS = DNS: Allow
    BitTorrent: BitTorrent ≠ DNS: Deny
    Visibility: BitTorrent detected and blocked

EXAMPLE: BITTORRENT

Legacy Firewalls
Security Rule: ALLOW Port 53
Application IPS Rule: BLOCK BitTorrent
    Firewall: Packet on Port 53: Allow
    App IPS: BitTorrent: Deny
    Visibility: BitTorrent detected and blocked

Security Rule: ALLOW DNS
    DNS: DNS = DNS: Allow
    BitTorrent: BitTorrent ≠ DNS: Deny
    Visibility: BitTorrent detected and blocked

EXAMPLE: ZERO-DAY MALWARE

Legacy Firewalls
Security Rule: ALLOW Port 53
Application IPS Rule: BLOCK BitTorrent
    Firewall: Packet on Port 53: Allow
    App IPS: C&C ≠ BitTorrent: Allow
    Visibility: Packet on Port 53 allowed

Security Rule: ALLOW DNS
    DNS: DNS = DNS: Allow
    Zero-day C&C: Command & Control ≠ DNS: Deny
    Visibility: Unknown traffic detected and blocked
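
The three port 53 examples above (DNS, BitTorrent, zero-day C&C) can be reproduced with a toy classifier. The Python below is an added illustration, not part of the original deck and not how App-ID is implemented; the payloads are constructed, and the function names and matching heuristics are assumptions.

```python
import struct

# Added illustration: toy payload classifier; all names here are hypothetical.
# Constructed sample payloads, all sent to port 53 (not captured traffic).
DNS_QUERY = (struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0)
             + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)
UNKNOWN_C2 = bytes.fromhex("deadbeef") + bytes(12)   # stand-in for an unrecognised protocol


def looks_like_dns(payload: bytes) -> bool:
    """Minimal structural check: DNS header plus exactly one well-formed question."""
    if len(payload) < 17:
        return False
    _id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qd != 1 or flags & 0x8000 or (flags >> 11) & 0xF:   # one question, QR=0, opcode 0
        return False
    pos = 12
    while pos < len(payload) and payload[pos] != 0:        # walk the QNAME labels
        if payload[pos] > 63:
            return False
        pos += payload[pos] + 1
    return pos + 5 == len(payload)   # root label + QTYPE + QCLASS, nothing trailing


def classify(payload: bytes) -> str:
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if looks_like_dns(payload):
        return "dns"
    return "unknown"


def legacy_firewall(dst_port: int, payload: bytes) -> str:
    return "allow" if dst_port == 53 else "deny"            # Security Rule: ALLOW Port 53


def legacy_with_app_ips(dst_port: int, payload: bytes) -> str:
    if legacy_firewall(dst_port, payload) == "deny":
        return "deny"
    return "deny" if classify(payload) == "bittorrent" else "allow"   # BLOCK BitTorrent


def app_based_firewall(dst_port: int, payload: bytes) -> str:
    return "allow" if classify(payload) == "dns" else "deny"   # Security Rule: ALLOW DNS
```

The negative-match IPS rule only stops what it has a signature for, so the unrecognised payload passes; the positive "ALLOW DNS" rule denies it because it is not DNS.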

SAFELY ENABLE APPLICATIONS

FACILITATE ACCESS
REDUCE AND CONTROL RISK

Remove threats from wanted traffic
Allow desired applications by user, limit high-risk features
Visibility into all applications & users on the network

[Diagram label: Cloud]

MOBILE SECURITY

GlobalProtect protects the mobile workforce
Use the enterprise security platform to extend security to laptops, mobile phones and tablets. Enforce policy no matter where users go.

Mobile Threat Prevention
    Stop mobile exploits and malware
    Block access to dangerous websites and content

Protect the Network
    Contextually control access and enforce security policies based on application, user, and device state

Manage Applications & Data
    Manage mobile device settings & applications
    Inspect business traffic and protect business data while respecting the user's privacy

COVERING THE ENTIRE ENTERPRISE

Network location: Data center/cloud; Enterprise perimeter; Distributed/BYOD; Endpoint

Next-generation appliances:
    Physical: PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050
    WildFire: WF-500
    Virtual: VM-Series & VM-Series-HV for NSX

Subscriptions: Threat Prevention; URL Filtering; GlobalProtect; WildFire; Endpoint (Traps)

Use cases: Next-Generation Firewall; Cybersecurity: IDS / IPS / APT; Web gateway; VPN

Management system: Panorama, M-100 appliance, GP-100 appliance

Operating system: PAN-OS

2015 Magic Quadrant for Enterprise Network Firewalls

Palo Alto Networks is proud to be
named a Leader once again. We are
now a four-time Magic Quadrant leader
recognized for our ability to execute
and completeness of vision.

Gartner, Magic Quadrant for Enterprise Network Firewalls, Adam Hils, et al, April 22, 2015. This
graphic was published by Gartner, Inc. as part of a larger research document and should be
evaluated in the context of the entire document. The Gartner document is available upon request
from go.paloaltonetworks.com/gartnermq2015.
Gartner does not endorse any vendor, product or service depicted in its research publications,
and does not advise technology users to select only those vendors with the highest ratings or
other designation. Gartner research publications consist of the opinions of Gartner's research
organization and should not be construed as statements of fact. Gartner disclaims all warranties,
expressed or implied, with respect to this research, including any warranties of merchantability or
fitness for a particular purpose.


Thank you for attending!
