- The solution:
Palo Alto Networks next-generation firewalls enable policy-based visibility and control over applications, users and content.
We can easily co-exist with the current FW, replacing it once our value has been well established.
- Policy: unified, graphical definition and enforcement of policies that control applications, users and content traversing the network
No FW or IPS can create and enforce user-based policies. Simple to use: many require multiple policy tables and data entry points.
- Performance: purpose-built platform with function specific processing for networking, security, threat prevention, and management maximizes performance with services enabled
Single Intel chips can run fast, but will struggle with CPU-intensive security processing (SSG, Cisco, CP)
Weaknesses
- Firewalls use port-based classification and cannot identify the applications, users or content
- Bolt-on IPS does not address solution because they only see the traffic the firewall
- Bolt-on additions have multiple policy tables to control traffic, making management complex
- Firewall hardware and software architectures are optimized for port-based classification; add-on functions (IPS, AI, DPI) tend to introduce significant performance issues
- Cannot decrypt any encrypted traffic
Weaknesses
- Only negative enforcement model: cannot restrict applications to certain people while blocking it from others, cannot allow good portions of applications
- Competitors claim to be able to block P2P, but these and others successfully port hop or evade IPS
- Cannot decrypt any encrypted traffic: this is at least 30% of all traffic and will grow to over 50% in two years!
- Rely on port and protocol as initial traffic classification, rendering it impotent at wide-spread application visibility and control
- Very limited network AV, limited scope and lifespan of company in standalone space, i.e. must become firewalls to survive
Weaknesses
- Proxies support a very small number of applications, limiting their scope of visibility and control, and break everything else, requiring huge port holes for applications to function
- Updates to existing applications are slow to be supported and tend to break applications; typically a 6 month process to write a wrapper for an app, forcing chronic bypass
- Policy is limited to the relevant port/application support, missing huge chunks of traffic
- Management always a nightmare for any sized deployment
- Cost is typically staggering; still requires firewalls, IPSs; SSL decrypt (only for standard SSL ports) is another box
- Suffer from performance and scalability issues (100s of Mbps vs Gbps)
Weaknesses
- URL filtering classifies URLs, nothing more: unable to provide control apps or incredibly simple bypass mechanisms, applications, etc.
- Web content is dynamic; URL database is one dimensional, ignoring content, applications, web 2.0 and user generated content
- It must be accompanied by other components, introducing huge policy management gaps
- User-based licensing tends to be an expensive, annually recurring cost
Thank You