
Design and Implementation of the Palo Alto Networks Firewall
PA-EDU-201 rev b

PaloAlto Training print.indd 1 3/8/10 12:24 PM


Agenda

• Day 1
1. Introduction
2. Firewall Deployment
3. Application Control
4. Content Identification
5. User Identification

• Day 2
6. SSL Decryption
7. VPN
8. Advanced Deployment Options
9. Management
10. Data Mining

Page 2 | © 2009 Palo Alto Networks. Proprietary and Confidential 3.0-a



Introduction



Application Based Firewall

[Diagram: a stateful-inspection firewall. Port 80 is open and port 6681 is blocked; traffic carried over tcp/443 passes.]

Evasive Applications

[Diagram: Yahoo Messenger is blocked on port 5050 and a BitTorrent client is blocked on port 6681, so both reach the Internet over tcp/443 instead, the BitTorrent client by way of a PingFU proxy.]


Web Based Applications

[Diagram: a traditional firewall sees all of these applications as web browsing. Legend: business application, media, instant messaging, web mail.]

PA-4000 Series Specifications

Model    Firewall   Threat prevention   Sessions    I/O
PA-4060  10 Gbps    5 Gbps              2,000,000   4 XFP (10 Gig) I/O, 4 SFP (1 Gig) I/O
PA-4050  10 Gbps    5 Gbps              2,000,000   16 copper gigabit, 8 SFP interfaces
PA-4020  2 Gbps     2 Gbps              500,000     16 copper gigabit, 8 SFP interfaces

PA-4000 general hardware:
- 2U, 19" rack-mountable chassis
- Dual hot swappable AC power supplies
- Dedicated out-of-band management port
- 2 dedicated HA ports
- DB9 console port


4000 Series Architecture

Control Plane
• Dedicated Control Plane (dual-core CPU, RAM, HDD)
- Highly available mgmt
- High speed logging and route updates

Data Plane
• Matching HW Engine
- Palo Alto Networks' uniform signatures
- Multiple memory banks – memory bandwidth scales performance
• Multi-Core Security Processor (CPU 1 .. CPU 16)
- High density processing for flexible security functionality
- Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
• 10 Gig Network Processor (route, ARP, MAC lookup, QoS, NAT)
- Front-end network processing offloads security processors
- Hardware accelerated QoS, route lookup, MAC lookup and NAT

PA-2000 Series Specifications

Model    Firewall   Threat prevention   Sessions   I/O
PA-2050  1 Gbps     500 Mbps            250,000    16 copper gigabit, 4 SFP interfaces
PA-2020  500 Mbps   200 Mbps            125,000    12 copper gigabit, 2 SFP interfaces

PA-2000 general hardware:
- 1U rack-mountable chassis
- Single non-modular power supply
- 80GB hard drive (cold swappable)
- Dedicated out-of-band management port
- RJ-45 console port, user definable HA port


2000 Series Architecture

Control Plane
• Dedicated Control Plane (dual-core CPU, RAM, HDD)
- Highly available mgmt
- High speed logging and route updates

Data Plane
• Matching HW Engine
- Palo Alto Networks' uniform signatures
- Multiple memory banks – memory bandwidth scales performance
• Multi-Core Security Processor (CPU 1 .. CPU 4)
- High density processing for flexible security functionality
- Hardware-acceleration for standardized complex functions (SSL, IPSec)
• 1 Gbps Network Processor (route, ARP, MAC lookup, NAT)
- Front-end network processing offloads security processors
- Hardware accelerated route lookup, MAC lookup and NAT

PA-500 Specifications

Specs:
- 250M FW / 100M VPN / 100M threat
- 50,000 sessions
- 250 VPN tunnels
- 8 copper gigabit interfaces
- Runs PAN-OS 3.0 and later

General hardware:
- 1U rack mountable
- Single non-modular power supply
- 80G hard drive
- Dedicated mgmt port
- RJ-45 console port


PA-500 Architecture

Control Plane
• Dedicated Control Plane (dual-core CPU, RAM, HDD)
- Highly available mgmt
- High speed logging and route updates

Data Plane
• Multi-Core Security Processor (CPU 1 .. CPU 4)
- High density processing for networking and security functions
- Hardware-acceleration for standardized complex functions (SSL, IPSec)
- Signature match virtual software engine

Single-Pass Parallel Processing (SP3) Architecture

Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy

Parallel Processing
• Function-specific hardware engines
• Separate data/control planes


Flexible Deployment Options

Visibility
• Application, user and content visibility without inline deployment

Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering

Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering

Thank You


Firewall Deployment



Agenda

• Security Zones
• L3 Interface Configuration
• Virtual Routers
• Security Policy Basics
• NAT Policy



Security Zones

• Zones represent networks of differing trust levels

[Diagram: zones Internet, Guests, Users, Data Center and DMZ around the firewall, with traffic paths Internet to DMZ and Internet to Data Center]

Interfaces and Zones

• An Interface must be in a Security Zone
• A Security Zone can have multiple Interfaces

Interface   Zone       Address
E 1/2       Internet   161.23.4.56
E 1/11      DMZ        172.16.1.254
E 1/12.10   Users      192.168.10.254
E 1/12.20   Users      192.168.20.254
E 1/12.30   VoIP       192.168.30.254


Layer 3 Interfaces

• Provide Routing and NAT Functions
• Each L3 interface has an IP Address

[Diagram: PAN Device with Vrouter A. E1/9 10.1.1.254 faces the LAN 10.1.1.0, E1/10 192.168.100.254 faces the DMZ 192.168.100.0, E1/11 12.4.5.77 faces the Internet]

Virtual Routers

• L3 Interfaces are added to Virtual Routers (VR)
• All L3 interfaces in a Virtual Router share a routing table
• The VR contains all routing information
- Static Routes
- Dynamic Routing Protocol configuration


Configure L3 Interface

[Screenshot of the interface dialog: Interface Type, Select Virtual Router, IP Address, Zone]

Configuring DHCP Server

[Screenshot of the DHCP server dialog: Interface, IP Address Range, Lease, Options]


Introduction to Security Policy

• All traffic going between security zones requires an allow policy
• The policy list is evaluated from the top down
• The first rule that matches the traffic is used
• No further rules are evaluated after the match

Building Blocks of Policy

• Address Objects
- Hosts (/32 mask)
- Networks
- Can be named
- Can be added to groups
• Users
• Applications
- Represent content
- Includes Static and Dynamic Groups
• Services
- Represent L4 addresses


Simple Policy Walkthrough

[Diagram: a host at 192.168.41.22 (private IP) in Zone Users on E 1/2 opens an HTTP session to http://mail.google.com at 74.125.19.23 (public IP) in Zone Internet on E 1/1, destination port 80; the source port is not legible in the scan]

NAT Policy

• Network Address Translation Policies define when and how translation occurs
• Source Translation is commonly used for access to the Internet
• Destination Translation is used to provide external access to servers in the private network


Source Address Translation

• Pre NAT – From L3-trust -> L3-untrust
  SA         DA       SP     DP
  10.1.1.47  4.2.2.2  43778  80
• Post NAT – From L3-trust -> L3-untrust
  SA         DA       SP     DP
  64.3.1.22  4.2.2.2  1031   80

Destination Address Translation

• Pre NAT – From L3-untrust -> L3-untrust
  SA         DA              SP    DP
  12.67.5.2  64.10.11.103    5467  80
• Post NAT – From L3-untrust -> L3-trust
  SA         DA              SP    DP
  12.67.5.2  192.168.10.100  5467  80
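The two tables above show one source translation and one destination translation, together with the zone pair each session is matched in before and after NAT. As an added example (not code from the course), here is a Python model of that lookup: the destination zone comes from a forwarding lookup, the NAT rule is matched on the pre-NAT zones, and the translated destination is looked up again to give the post-NAT zone. The routing table, the rule layout and the dynamic port pool are assumptions; the addresses, ports and zone names are the slide's.

```python
from ipaddress import ip_address, ip_network
from itertools import count

# Routing table for the forwarding lookup that decides a packet's destination zone
# (constructed; kept sorted longest prefix first).
ROUTES = sorted(
    [("192.168.10.0/24", "L3-trust"), ("10.1.1.0/24", "L3-trust"), ("0.0.0.0/0", "L3-untrust")],
    key=lambda r: ip_network(r[0]).prefixlen, reverse=True)

# NAT policy, matched on the pre-NAT zones. Translated addresses are the slide's; the
# rule layout is an assumption. Rules are tried top down, first match wins.
NAT_RULES = [
    {"from": "L3-trust", "to": "L3-untrust", "src_xlate": "64.3.1.22"},
    {"from": "L3-untrust", "to": "L3-untrust",
     "dst_match": "64.10.11.103", "dst_xlate": "192.168.10.100"},
]
_dynamic_ports = count(1031)  # assumed ephemeral port pool; starts at the slide's 1031


def zone_of(ip):
    """Forwarding lookup: zone of the interface the route for this address points at."""
    return next(zone for prefix, zone in ROUTES if ip_address(ip) in ip_network(prefix))


def apply_nat(from_zone, sa, da, sp, dp):
    """Return ((SA, DA, SP, DP) after NAT, post-NAT destination zone) for a new session."""
    pre_to_zone = zone_of(da)
    for rule in NAT_RULES:
        if (rule["from"], rule["to"]) != (from_zone, pre_to_zone):
            continue
        if "dst_match" in rule:
            if da != rule["dst_match"]:
                continue
            da = rule["dst_xlate"]                            # destination translation: static
        if "src_xlate" in rule:
            sa, sp = rule["src_xlate"], next(_dynamic_ports)  # source translation: dynamic port
        break
    return (sa, da, sp, dp), zone_of(da)
```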


Thank You



Application
Identification



Agenda

• What is an Application?
• Application Control Center (ACC)
• Application Identification
• Single Pass Architecture and Packet Flow
• Application groups and Filters
• Security Policy Examples
• Application Override Policy



What is an Application?

[Diagram: GMail, GTalk, Google Calendar, iGoogle, Lotus Notes, eMule, UltraSurf]

Application Control Center

• Central location to view the state of the Network


Application Identification Components

• Protocol Decoders
- Detect Protocol in Protocol
- Provide context for signatures
• Protocol Decryption
- Man in the middle SSL decryption
• Application Signatures
- Detect applications initiating
• Heuristics
- Uses patterns of communication

Application Identification - Signatures

[Diagram: SSL traffic -> forward proxy decryption -> protocol decoders identify HTTP -> application signatures identify webex -> mode shift -> Webex desktop sharing]


Application identification - Heuristics

[Diagram: encrypted BitTorrent on unknown ports passes the protocol decoders unidentified (pre policy); application heuristics examine the communications and identify encrypted BitTorrent]

Flow Logic

1. Initial Packet
2. Forwarding Lookup – Source Zone / Destination Zone / Address (NAT Policy Processing)
3. Security Check – Session Created if Allowed
4. Check for SSL Decryption Policy
5. Application Override Policy
6. App ID
7. Security Check – Security Policy
8. Check Security Profiles (SP3)
9. Post Policy Processing – SSL Re-Encrypted, NAT Applied, Packet Forwarded


UDP Example

DNS Query for www.meebo.com
• Source Address
• Destination Address
• Destination Port
• Application Data

  00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00
  00 3b d1 26 00 00 80 11 54 18 0a 10 00 6e 0a 00
  00 f6 c1 76 00 35 00 27 c7 5a a3 24 01 00 00 01
  00 00 00 00 00 00 03 77 77 77 05 6d 65 65 62 6f
  03 63 6f 6d 00 00 01 00 01

TCP Example

HTTP Connection to www.meebo.com
• Source Address
• Destination Address
• Destination Port
• Application Data

TCP syn:
  00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45
  00 30 d1 29 40 00 80 06 8f 60 0a 10 00 6e d0 51
  bf 6e 3a 52 01 bb 31 d7 06 19 00 00 00 00 70 02
  ff ff 74 e4 00 00 02 04 05 b4 01 01 04 02
syn ack
ack
get
Meebo response (application data, truncated on the slide):
  1f 8b 08 00 00 00 00 00 00 03 b4 57 fd 6f db 36
  13 fe 57 ae 1a 36 3b 99 2d 35 fb 00 da c4 f6 b0
  26 e9 bb bc 48 9a 60 75 57 0c 7d 8b 81 92 4e 12
  63 89 54 49 2a ae 57 e4 7f df 1d 25 39 b2 f7 91
  fe b0 37 08 60 ea 78 3c de 3d 7c ee 78 9c 3d 39
  bb 3e 5d fe 7a 73 0e 3f 2d af 2e e1 e6 cd 8b cb
  ...
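The UDP example above lists the fields the firewall reads from the first packet (source and destination address, destination port, application data) before App-ID runs. As an added example, not code from the course, here is a small decoder that pulls those fields plus the DNS question name out of the slide's own hex dump; the hex bytes are copied from the slide, the function and field names are mine.

```python
import struct
from ipaddress import IPv4Address

# The UDP example from the slide: Ethernet II / IPv4 / UDP / DNS query for www.meebo.com.
DNS_QUERY_HEX = """
00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00
00 3b d1 26 00 00 80 11 54 18 0a 10 00 6e 0a 00
00 f6 c1 76 00 35 00 27 c7 5a a3 24 01 00 00 01
00 00 00 00 00 00 03 77 77 77 05 6d 65 65 62 6f
03 63 6f 6d 00 00 01 00 01
"""


def dns_qname(message):
    """Decode the first question name of a DNS message (queries use no label compression)."""
    pos, labels = 12, []            # the 12-byte DNS header precedes the question section
    while message[pos] != 0:
        n = message[pos]
        labels.append(message[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def parse_frame(hex_dump):
    """Return the fields the slide highlights: 5-tuple and, for UDP/53, the queried name."""
    raw = bytes.fromhex(hex_dump)
    if raw[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (raw[14] & 0x0F) * 4       # IPv4 header length in bytes
    info = {
        "proto": raw[23],
        "src": str(IPv4Address(raw[26:30])),
        "dst": str(IPv4Address(raw[30:34])),
    }
    l4 = 14 + ihl                    # start of the transport header
    info["sport"], info["dport"] = struct.unpack("!HH", raw[l4:l4 + 4])
    if info["proto"] == 17:          # UDP: fixed 8-byte header, then application data
        payload = raw[l4 + 8:]
        info["app_data_len"] = len(payload)
        if info["dport"] == 53:
            info["qname"] = dns_qname(payload)
    elif info["proto"] == 6:         # TCP: header length comes from the data offset nibble
        info["flags"] = raw[l4 + 13] & 0x3F
        info["app_data_len"] = len(raw) - (l4 + (raw[l4 + 12] >> 4) * 4)
    return info


if __name__ == "__main__":
    print(parse_frame(DNS_QUERY_HEX))
```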


Applications

[Screenshot: an application object can be an Individual Application, a Static Group or a Dynamic Filter]

Application Filters

[Screenshot: selecting all browser-based file-sharing applications with a filter]


Sample Common Filters

• Used to cover families of applications
• Frequently used for policies that block traffic

Sample Security Policy – Application Groups

• Known_Good
- Static Group of Applications
  - DNS
  - Web-browsing
  - SSL
  - Flash
• Known_Bad
- Static Group of filters and applications
  - Games
  - IM
  - P2P
  - Remote Access
  - Tunneling


Security Policy Example

• First rule allows specific good applications
• Second rule blocks applications that are obviously unwanted
• Third rule catches all other applications – could be allow or block based on environment
• Administrators track traffic affected by the third rule and add it to Known_Good or Known_Bad

User Defined Application usage

• Application Override
- Bypasses App ID for internal port based applications
• Customizing Application settings
- Changing time out
- Adjusting Risk
• Defining new HTTP applications
- New App-ID signatures for specific HTTP based applications
- User defined regexp
- Contextual signature engine
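The "Introduction to Security Policy" slide gives the evaluation rules (interzone traffic needs an allow, top down, first match wins) and the "Security Policy Example" slide gives the three-rule Known_Good / Known_Bad / catch-all layout. As an added example that is not the course's own code, here is a Python model of both: address objects and zones, Known_Good as a static group of named applications, Known_Bad as a group of category filters, and a helper that lists what fell through to the catch-all so an administrator can sort it. The address objects, application categories and the choice of deny for the catch-all are assumptions.

```python
from ipaddress import ip_address, ip_network

# Address objects (a host is a /32) and App-ID categories; all values constructed.
ADDRESS_OBJECTS = {"users-net": "192.168.10.0/24", "web-server": "172.16.1.10/32"}
APP_CATEGORY = {"dns": "networking", "web-browsing": "web", "ssl": "web", "flash": "media",
                "bittorrent": "p2p", "yahoo-im": "im", "pingfu": "tunneling", "webex": "collaboration"}

# Known_Good is a static group of named applications; Known_Bad is a static group of
# category filters (each filter is dynamic: any application in that category matches).
KNOWN_GOOD = {"apps": {"dns", "web-browsing", "ssl", "flash"}, "filters": set()}
KNOWN_BAD = {"apps": set(), "filters": {"games", "im", "p2p", "remote-access", "tunneling"}}
ANY_APP = {"apps": {"any"}, "filters": set()}

# The three-rule policy from the slide, in evaluation order (top down, first match wins).
RULES = [
    {"name": "allow-known-good", "from": "Users", "to": "Internet", "src": "users-net",
     "apps": KNOWN_GOOD, "action": "allow"},
    {"name": "block-known-bad", "from": "Users", "to": "Internet", "src": "any",
     "apps": KNOWN_BAD, "action": "deny"},
    {"name": "catch-all", "from": "any", "to": "any", "src": "any",
     "apps": ANY_APP, "action": "deny"},   # assumed deny; the slide leaves this open
]


def app_matches(app, group):
    return ("any" in group["apps"] or app in group["apps"]
            or APP_CATEGORY.get(app) in group["filters"])


def src_matches(src_ip, obj_name):
    return obj_name == "any" or ip_address(src_ip) in ip_network(ADDRESS_OBJECTS[obj_name])


def evaluate(from_zone, to_zone, src_ip, app):
    """Return (rule name, action) of the first matching rule; interzone traffic that
    matches nothing is denied, since the slide requires an explicit allow."""
    for rule in RULES:
        if rule["from"] not in ("any", from_zone) or rule["to"] not in ("any", to_zone):
            continue
        if src_matches(src_ip, rule["src"]) and app_matches(app, rule["apps"]):
            return rule["name"], rule["action"]
    return None, "deny"


def catch_all_hits(flows):
    """Applications that fell through to the catch-all: the list an administrator
    reviews and sorts into Known_Good or Known_Bad."""
    return sorted({app for fz, tz, ip, app in flows
                   if evaluate(fz, tz, ip, app)[0] == "catch-all"})
```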
