PAN-OS - Network Security Platform and Zero Trust Architecture
•Descargar como PPTX, PDF•
3 recomendaciones•945 vistas
The document discusses Palo Alto Networks' Security Operating Platform. It describes the platform's single-pass architecture that allows for parallel processing of network traffic. It also covers the Zero Trust security model and how it secures north-south and east-west traffic flows. Finally, it provides an overview of Palo Alto Networks' physical and virtual firewall offerings.
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a PAN-OS - Network Security Platform and Zero Trust Architecture
Similar a PAN-OS - Network Security Platform and Zero Trust Architecture (20)
Más de Global Knowledge Training
Más de Global Knowledge Training (20)
Último
Último (20)
PAN-OS - Network Security Platform and Zero Trust Architecture
- 1. PAN-OS - Network Security/Prevention Everywhere Presented by Ryan Sharpston
- 2. © Global Knowledge Training LLC. All rights reserved. Page 2 Presenter Ryan Sharpston Senior Technical Instructor at Global Knowledge • 20 years of telecom field installation and maintenance experience. • Courses include Palo Alto Networks, SonicWALL, and Avaya technologies. • The lead SME for Global Knowledge integration and lab design for new course/environment updates.
- 3. EDU-210 Version A PAN-OS® 9.0 SECURITY OPERATING PLATFORM AND ARCHITECTURE PREVENTION EVERYWHERE • Security platform overview • Next-generation firewall architecture • Zero Trust security model • Firewall offerings
- 4. After you complete this module, you should be able to: Learning Objectives • Describe the characteristics of the Security Operating Platform • Describe the single-pass architecture • Describe the Zero Trust security model and how it relates to traffic moving through your network 4 | © 2019 Palo Alto Networks, Inc.
- 5. Cyber-attack Lifecycle Stop the attack at any point! Reconnaissance Weaponization Delivery Exploitation Installation Command and Control Act on Objective | © 2019 Palo Alto Networks, Inc.5
- 6. Security Operating Platform Network Security Advanced Endpoint Protection Cloud Security Customer Apps Third-Party Partner Apps Application Framework and Logging Service Palo Alto Networks Apps Cloud-Delivered Security Services | © 2019 Palo Alto Networks, Inc.6 Common Framework for new Apps/Services
- 7. Security Operating Platform (Cont.) • Panorama: Management and reporting • Aperture: Software-as-a-service (SaaS) security • GlobalProtect: Extend platform externally • AutoFocus: Threat intelligence that can be acted on • MineMeld: Aggregate threat intelligence Network Security GlobalProtect Cloud-Delivered Security Services AutoFocusAperture | © 2019 Palo Alto Networks, Inc.7 Panorama MineMeld
- 8. Security platform overview Next-generation firewall architecture Zero Trust security model Firewall offerings
- 9. Palo Alto Networks Single-Pass Architecture Single pass: • Operations per packet: • Traffic classification with App-ID technology • User or group mapping • Content scanning: threats, URLs, confidential data • One single policy (per type) Parallel processing: • Function-specific parallel processing hardware engines • Separate data and control planes | © 2019 Palo Alto Networks, Inc.9
- 10. Palo Alto Networks Firewall Architecture Control Plane | Management Provides configuration, logging, and reporting functions on a separate processor, RAM, and hard drive Signature Matching Stream-based, uniform signature match including vulnerability exploits (IPS), virus, spyware, CC#, and SSN Security Processing High-density parallel processing for flexible hardware acceleration for standardized complex functions Network Processing Front-end network processing, hardware-accelerated per-packet route lookup, MAC lookup, and NAT Control Plane Data Plane SIGNATURE MATCHING exploits (IPS) | virus | spyware | CC# | SSN REPORT AND ENFORCE POLICY CPU RAM STORAGE configuration | logging | reporting SECURITY PROCESSING App-ID | User-ID | URL match policy match | app decoding | SSL/IPsec | decompression NETWORK PROCESSING flow control | route lookup | MAC lookup | QoS | NAT CPU RAM RAM FPGA Management configuration | logging | reporting Signature Matching exploits | virus | spyware | CC# | SSN Security Processing App-ID | User-ID | URL match | policy match | SSL/IPsec | decompression Network Processing flow control | MAC lookup | route lookup | QoS | NAT Data Interfaces MGT interfaceCPU Single-Pass Pattern Match consoleRAM SSD Enforce Policy Network Processing Components Hardware component types and sizes per layer vary per firewall model. Security Processing Components Signature Matching Components | © 2019 Palo Alto Networks, Inc.10 SSD=Solid State Drive
- 11. Security platform overview Next-generation firewall architecture Zero Trust security model Firewall offerings
- 12. Data Flows in an Open Network North- South Traffic East-West Traffic | © 2019 Palo Alto Networks, Inc.12
- 13. Data Flows Secured by Palo Alto Networks Solution | © 2019 Palo Alto Networks, Inc.13
- 14. Exploitation Installation Act on ObjectiveC2Delivery App-ID Block high-risk applications Block C2 on non- standard ports Prevent exfiltration and lateral movement URL Filtering Block known malware sites Block malware, fast-flux domains Vulnerabilit y Block the exploit Prevent lateral movement Anti- spyware Block spyware, C2 traffic Antivirus Block malware Prevent lateral movement Traps Monitor allowed processes and executables Prevent the exploit Prevent malicious .exe from running File Blocking Prevent drive-by downloads Prevent exfiltration and lateral movement DoS and/or Zone Prevent evasions Prevent DoS attacks WildFire® Identify malware Detect unknown malware Detect new C2 traffic coordinated Threat PreventionIntegrated Approach to Threat Prevention | © 2019 Palo Alto Networks, Inc.14
- 15. Security platform overview Next-generation firewall architecture Zero Trust security model Firewall offerings
- 16. Physical Platforms Panorama Next-Generation Firewalls M-200 M-500/WF-500/600 PA-220 PA-800 Series PA-5200 Series PA-7000 Series PA-3200 Series PA-220R | © 2019 Palo Alto Networks, Inc.16
- 17. VM-Series Models and Capacities Performance and Capacities VM-700 VM-500 VM-300 VM-100/ VM-200 VM-50 /Lite Firewall throughput (App-ID enabled) 16Gbps 8Gbps 4Gbps 2Gbps 200Mbps Threat prevention throughput 8Gbps 4Gbps 2Gbps 1Gbps 100Mbps New sessions per second 120,000 60,000 30,000 15,000 3,000 Dedicated CPU cores 2, 4, 8, 16 2, 4, 8 2, 4 2 2 Dedicated memory (minimum) 56GB 16GB 9GB 6.5GB 4.5GB/4GB Dedicated disk drive capacity (minimum) 60GB 60GB 60GB 60GB 32GB | © 2019 Palo Alto Networks, Inc.17
- 18. Virtual Systems • Separate, logical firewalls within a single physical firewall • Creates an administrative boundary • Use case: multiple customers or departments Physical firewall vsysA TrustZone UntrustZone vsysB TrustZone UntrustZone Data Interfaces Data Interfaces | © 2019 Palo Alto Networks, Inc.18
- 19. Now that you have completed this module, you should be able to: Module Summary • Describe the characteristics of the Security Operating Platform • Describe the single-pass architecture • Describe the Zero Trust security model and how it relates to traffic moving through your network | © 2019 Palo Alto Networks, Inc.19
- 20. © Global Knowledge Training LLC. All rights reserved. Page 20 Courses Firewall 9.0: Essentials - Configuration and Management Palo Alto Networks Training Courses Cybersecurity Certification Training
- 21. © Global Knowledge Training LLC. All rights reserved. Page 21 Learning More GlobalKnowledge.com For additional on-demand and live webinars, white papers, courses, special offers and more, visit us at…