Palo_Alto_Networks_in_The_Datacenter_EBC_v4 pdf

Securing the Virtualized Data Center With Next-Generation Firewalls
Customer-Facing EBC Deck
Confidential
Data Center Evolution
© 2012 Palo Alto Networks. Proprietary and Confidential.
Page 2 |
Security Hasn’t Kept Up with Rate Of Change

Configuration of security policies is manual and slow

Weeks to provision security policies versus minutes for workloads

Security policies require manual and repetitive steps

Policies do not follow VM adds, moves, changes

Policies are not tied to VM instantiation

Policies cannot track VM movement (server or data center)

Lack of visibility into the virtual infrastructure

Segmentation of virtualized apps of different trust levels

Virtualized traffic may not flow outside of the virtualized server (e.g. a SharePoint application communicating with a SQL database on the same host)
But Your Existing Challenges Didn’t Go Away


(Diagram labels: Internal employees; Enterprise boundary; Mobile and remote users; Partners & Contractors; Distributed Enterprise; New Application Landscape; Modern Attacks; Attackers)
Table Stakes Security Considerations
Mobile and remote users, partners & contractors: the distributed enterprise introduces safe application enablement challenges
Applications using random ports or evasive techniques to bypass security
Modern threats are sophisticated, stealthy and targeted: malware, botnets, exploits
All Apps, All Ports, All the Time
All Users, All Locations, Any Repository
All Exploits, Malware, Files, and URLs
A New Paradigm for Security is Needed


Deliver all the features that are table stakes:
- Safe app enablement, threat protection, flexible integration
Must become more dynamic:
- Security policy must be there when the VM is created
- Security policy must follow VM movement
- Security workflows must be automated/orchestrated so that security does not slow down the data center
Consistent, centralized management:
- Centralized management is critical
- Must be consistent for all environments - physical, hybrid, mixed
Safely Enable All Traffic in the DC
WHO: User/Group/Device
WHERE: Server/Hardware
WHAT: Application
HOW: Content Security Profile (exploits, malware, spyware)
Segment applications by function, trust levels, and compliance needs
Inspect all traffic between security zones by default
Manage unknown traffic
Introducing the VM-Series
Safe Application Enablement of Intra-Host Traffic
Next-generation firewall in a virtual form factor
Consistent features as hardware-based next-generation firewall
Inspects and safely enables intra-host communications (East-West traffic)
Tracks VM creation and movement with dynamic address objects
Initial support on VMware platform - ESXi 4.1 and ESXi 5.0
Available in 3 models (VM-100, VM-200, VM-300), and supports 2, 4, 8 CPU cores
Licensing by firewall capacity – Individual, Enterprise, Service-Provider
Model   | Sessions | Rules | Security zones
VM-100  | 50,000   | 250   | 10
VM-200  | 100,000  | 2,000 | 20
VM-300  | 250,000  | 5,000 | 40
VM orchestration
When new VMs are created and assigned to address objects, security policies are already in place
VM Migration
Dynamic address objects track VM movement so that security policy follows the VM
(Diagram labels: Security; Network)
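An added example, not code from this deck or Palo Alto Networks' own API: a small Python model of the idea behind dynamic address objects, where a rule references a tag rather than a fixed IP and the orchestration layer re-registers the VM's address as it is created or moved, so the policy follows the workload without a rule edit. All tags, addresses and function names are constructed for illustration.

```python
# Constructed model of tag-based ("dynamic") address objects, not a vendor API.
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    src_tag: str   # dynamic address object (tag) the source must carry
    dst_tag: str   # dynamic address object (tag) the destination must carry
    app: str       # application the rule permits
    action: str    # "allow" or "deny"


@dataclass
class Firewall:
    rules: list = field(default_factory=list)
    registry: dict = field(default_factory=dict)   # tag -> set of registered IPs

    def register(self, ip, tag):
        """Orchestration hook: a VM was created or moved; bind its IP to a tag."""
        self.registry.setdefault(tag, set()).add(ip)

    def unregister(self, ip, tag):
        """Orchestration hook: a VM left this address; drop the binding."""
        self.registry.get(tag, set()).discard(ip)

    def decide(self, src_ip, dst_ip, app):
        """First matching rule wins; anything unmatched is denied by default."""
        for r in self.rules:
            if (src_ip in self.registry.get(r.src_tag, ())
                    and dst_ip in self.registry.get(r.dst_tag, ())
                    and r.app == app):
                return r.action
        return "deny"


def demo():
    fw = Firewall(rules=[Rule("sharepoint-to-sql", "sharepoint", "sql", "mssql-db", "allow")])
    fw.register("10.0.1.10", "sharepoint")   # constructed addresses
    fw.register("10.0.2.20", "sql")
    before = fw.decide("10.0.1.10", "10.0.2.20", "mssql-db")
    # The SQL VM migrates and is re-addressed; orchestration re-registers it.
    fw.unregister("10.0.2.20", "sql")
    fw.register("10.0.5.20", "sql")
    after = fw.decide("10.0.1.10", "10.0.5.20", "mssql-db")      # rule untouched, still allows
    stale = fw.decide("10.0.1.10", "10.0.2.20", "mssql-db")      # old address no longer trusted
    other = fw.decide("10.0.1.10", "10.0.5.20", "web-browsing")  # other apps stay denied
    return before, after, stale, other
```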
Putting It All Together
(Diagram labels: Inter-host Segmentation; Intra-host Segmentation; Physical Servers; Virtualized servers; HA; Physical Firewalls; Virtualized Firewalls; Orchestration systems)
A Comprehensive Approach to Virtualized DC

Physical Form Factor (PA-5000 Series) vs. Virtual Form Factor (VM-Series)
- Safe application enablement: App-ID, User-ID and Content-ID
- Threat protection without performance implications: physical - multi-core hardware, separate management & data plane, single pass software architecture; virtual - single pass software architecture
- Flexible integration: comprehensive networking foundation (routing, VLAN); integration at layer 1, 2, 3
- Cloud-readiness: physical - multi-tenancy via virtual systems; virtual - multi-tenancy via virtual instances; dynamic objects tie VM movement to policy; cloud orchestration via REST API
- Centralized management, one integrated policy: Panorama with centralized provisioning and logging

Securing The Next-Gen Data Center Requires a Next-Generation Firewall
Modern threats, applications, and data center architectures are creating network security challenges
The dynamic nature of virtualization and cloud requires security to be more agile and to keep up with VM movement
Next-generation network security:
- Safely enables all applications in the data center
- Protects against all data center threats without performance impact
- Provides simplified integration into the infrastructure
- Ties security policies to VM creation and movement
- Security policies orchestrated in line with virtualized workloads
- Consistent management for virtualized or physical firewalls
Questions