PAN-OS - Network Security/Prevention Everywhere
Presented by Ryan Sharpston
© Global Knowledge Training LLC. All rights reserved. Page 2
Presenter
Ryan Sharpston, Senior Technical Instructor at Global Knowledge
• 20 years of telecom field installation and maintenance experience.
• Courses include Palo Alto Networks, SonicWALL, and Avaya technologies.
• The lead SME for Global Knowledge integration and lab design for new course/environment updates.
EDU-210 Version A, PAN-OS® 9.0
SECURITY OPERATING PLATFORM AND ARCHITECTURE: PREVENTION EVERYWHERE
• Security platform overview
• Next-generation firewall architecture
• Zero Trust security model
• Firewall offerings
Learning Objectives
After you complete this module, you should be able to:
• Describe the characteristics of the Security Operating Platform
• Describe the single-pass architecture
• Describe the Zero Trust security model and how it relates to traffic moving through your network
© 2019 Palo Alto Networks, Inc.
Cyber-attack Lifecycle
Stop the attack at any point!
Stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Act on Objective
Security Operating Platform
Diagram: Network Security, Advanced Endpoint Protection, and Cloud Security sit on the Application Framework and Logging Service, which hosts Customer Apps, Third-Party Partner Apps, and Palo Alto Networks Apps alongside Cloud-Delivered Security Services; the framework is the common framework for new apps/services.
Security Operating Platform (Cont.)
• Panorama: Management and reporting
• Aperture: Software-as-a-service (SaaS) security
• GlobalProtect: Extend platform externally
• AutoFocus: Threat intelligence that can be acted on
• MineMeld: Aggregate threat intelligence
Diagram components: Network Security, GlobalProtect, Cloud-Delivered Security Services, AutoFocus, Aperture, Panorama, MineMeld.
Palo Alto Networks Single-Pass Architecture
Single pass:
• Operations per packet:
  • Traffic classification with App-ID technology
  • User or group mapping
  • Content scanning: threats, URLs, confidential data
• One single policy (per type)
Parallel processing:
• Function-specific parallel processing hardware engines
• Separate data and control planes
Palo Alto Networks Firewall Architecture
• Control Plane | Management: Provides configuration, logging, and reporting functions on a separate processor, RAM, and hard drive
• Signature Matching: Stream-based, uniform signature match including vulnerability exploits (IPS), virus, spyware, CC#, and SSN
• Security Processing: High-density parallel processing for flexible hardware acceleration for standardized complex functions
• Network Processing: Front-end network processing, hardware-accelerated per-packet route lookup, MAC lookup, and NAT
Diagram (control plane and data plane):
• Control plane / Management (CPU, RAM, storage/SSD, console, MGT interface): configuration | logging | reporting; report and enforce policy
• Data plane hardware: CPU, RAM, FPGA
  • Signature Matching (single-pass pattern match): exploits (IPS) | virus | spyware | CC# | SSN
  • Security Processing: App-ID | User-ID | URL match | policy match | app decoding | SSL/IPsec | decompression
  • Network Processing: flow control | route lookup | MAC lookup | QoS | NAT; data interfaces
Hardware component types and sizes per layer vary per firewall model.
SSD = Solid State Drive
Data Flows in an Open Network
Diagram: North-South Traffic and East-West Traffic
Data Flows Secured by Palo Alto Networks Solution
Integrated Approach to Threat Prevention (coordinated threat prevention across the Delivery, Exploitation, Installation, C2, and Act on Objective stages):
• App-ID: Block high-risk applications; block C2 on non-standard ports; prevent exfiltration and lateral movement
• URL Filtering: Block known malware sites; block malware, fast-flux domains
• Vulnerability: Block the exploit; prevent lateral movement
• Anti-spyware: Block spyware, C2 traffic
• Antivirus: Block malware; prevent lateral movement
• Traps: Monitor allowed processes and executables; prevent the exploit; prevent malicious .exe from running
• File Blocking: Prevent drive-by downloads; prevent exfiltration and lateral movement
• DoS and/or Zone: Prevent evasions; prevent DoS attacks
• WildFire®: Identify malware; detect unknown malware; detect new C2 traffic
Physical Platforms
• Panorama: M-200, M-500/WF-500/600
• Next-Generation Firewalls: PA-220, PA-800 Series, PA-5200 Series, PA-7000 Series, PA-3200 Series, PA-220R
VM-Series Models and Capacities
Performance and Capacities               VM-700       VM-500    VM-300    VM-100/VM-200   VM-50/Lite
Firewall throughput (App-ID enabled)     16Gbps       8Gbps     4Gbps     2Gbps           200Mbps
Threat prevention throughput             8Gbps        4Gbps     2Gbps     1Gbps           100Mbps
New sessions per second                  120,000      60,000    30,000    15,000          3,000
Dedicated CPU cores                      2, 4, 8, 16  2, 4, 8   2, 4      2               2
Dedicated memory (minimum)               56GB         16GB      9GB       6.5GB           4.5GB/4GB
Dedicated disk drive capacity (minimum)  60GB         60GB      60GB      60GB            32GB
Virtual Systems
• Separate, logical firewalls within a single physical firewall
• Creates an administrative boundary
• Use case: multiple customers or departments
Diagram: one physical firewall hosting vsysA and vsysB, each with its own TrustZone, UntrustZone, and data interfaces
Module Summary
Now that you have completed this module, you should be able to:
• Describe the characteristics of the Security Operating Platform
• Describe the single-pass architecture
• Describe the Zero Trust security model and how it relates to traffic moving through your network
Courses
• Firewall 9.0: Essentials - Configuration and Management
• Palo Alto Networks Training Courses
• Cybersecurity Certification Training
Learning More
GlobalKnowledge.com
For additional on-demand and live webinars, white papers, courses, special offers and more, visit us at…