
Applications Have Changed.

Why Hasn't the Firewall?


Dave Smith
214.674.7854
dsmith@paloaltonetworks.com

Von Nguyen
713.301.9929
vnguyen@paloaltonetworks.com
About Palo Alto Networks

Founded by security visionary Nir Zuk

World class team with strong security and networking experience

Built family of next generation firewalls with control of 600+ applications

Named Gartner Cool Vendor in 2008

Best of Interop Grand Prize, Best of Interop Security 2008

Page 2 | 2008 Palo Alto Networks. Proprietary and Confidential.


Leading Organizations Trust Palo Alto Networks
Health Care
Financial Services
Government
Media / Entertainment / Retail
Mfg / High Tech / Energy
Services
Education



Why Palo Alto Networks?
Applications Have Changed - Firewalls Have Not
Diagram labels: Collaboration / Media, SaaS, Personal
The gateway at the trust border is the right place to enforce policy control
Sees all traffic
Defines trust boundary

Need to Restore Visibility and Control in the Firewall


Today's Architecture - Appliance Bloat
Present day firewalls require many helper appliances to try and stop the leakage.
Unfortunately, application visibility and control is STILL lacking and the evasiveness continues unabated!

Diagram labels: INTERNET, IM Proxy, Packet Shaping, Content-Filtering, Logging/Reporting, IPS/IDS, HTTP/FTP Proxy, User Correlation



Palo Alto Next Generation Firewall

Next-generation firewall based on App-ID traffic classification technology

Identifies over 700+ applications regardless of port, protocol or evasive tactic

Policy based decryption, identification and control of SSL applications

Application Command Center (ACC) for granular visibility & policy control of applications

FlashMatch engine for real-time threat prevention

Dedicated hardware processing for 10 Gbps in-line operation with no network degradation

Designed to transparently augment existing firewall



Identification Technologies Change the Game

App-ID
Identify the application

User-ID
Identify the user

Content-ID
Scan the content



App-ID: Comprehensive Application Visibility

Policy-based control over more than 600 applications distributed across five categories and 25 sub-categories
Balanced mix of business, internet and networking applications and networking protocols
~ 5 new applications added weekly



Powerful Policy-Based Control
Browse more than 600 applications based on name, category, technology or characteristic
Immediately translate results into positive enforcement model firewall rules
Examples:
Allow all business and networking apps
Allow IM but block file transfer capabilities
Block all P2P
Policy enforcement by end-user / group identities from Active Directory or IP address



Comprehensive Application Visibility
Policy-based control for over 600 applications across categories
Business Applications (82)
active-directory adobe-connect altiris apple-update avamar avaya-phone-ping backweb big-brother ca-mq-service campfire centriccrm convoq corba cpq-wbem cups cvs distcc dynamicintranet eiq-sec-analyzer elluminate eroom-host eroom-net filemaker flexnet gkrellm google-calendar google-desktop google-docs gotomeeting groupwise hp-jetdirect innovative ipp jaspersoft kaspersky kerberos ldap live-meeting lpd mcafee meeting-maker mount ms-dtc ms-frs ms-groove ms-iis ms-netlogon ms-scheduler ms-update msrpc nagios ncp ndmp norton-av ntp perforce portmapper radius rpc rstatd salesforce seamless-phenom securemeeting snmp snmp-trap soap spirent subversion symantec syslog tacacs tacacs-plus time trendmicro vmware vyew webex webex-weboffice ypserv yugma

Database (7)
Dabbledb db2 mssql-db mssql-mon mysql oracle postgres

Email (7)
blackberry imap ms-exchange outlook-web pop3 seven-email smtp

Encrypted Tunnel (11)
ciscovpn hamachi ike ipsec-ah ipsec-esp ipsec-esp-udp secure-access ssh ssl swipe tor

File Sharing (28)
afp aim-file-transfer boxnet carbonite cvsup dotmac dropboks esnips foldershare ftp gtalk-file-transfer ibackup jubii mediamax megaupload mozy ms-ds-smb msn-file-transfer nfs omnidrive openomy rsync sosbackup tftp titanize uucp xdrive yahoo-file-transfer

Gaming (11)
bomberclone knight-online little-fighter party-poker poker-stars source-engine steam subspace war-rock wolfenstein worldofwarcraft

General Internet (28)
atom daytime dealio-toolbar discard echo facebook finger google-safebrowsing google-toolbar gopher hi5 livejournal msn-toolbar myspace nntp razor rsh rss rusers send-to-phone spark stumbleupon web-browsing web-crawler webdav webshots whois yahoo-toolbar

Instant Messaging (39)
aim aim-audio aim-video camfrog ebuddy fix google-talk gtalk-voice ichat-av icq iloveim imhaha imvu irc jabber koolim mabber meebo meebo-repeater meebome meetro messengerfx msn msn-video msn-voice myspace-im oovoo p10 qq radiusim spark-im swapper userplane webaim xfire yahoo-im yahoo-webcam yoomba zoho-im

Media (45)
cooltalk eyejot flash folding-at-home foonz gizmo google-earth google-picasa h.245 h.323 http-audio http-video itunes joost lifecam live365 logitech-webcam metacafe miro mms move-networks neokast netmeeting pandora pna rdt rtmp rtp rtsp sccp shoutcast sip skype skype-probe sling socialtv sopcast teamspeak uusee vakaka ventrilo veohtv yahoo-voice youtube

Networking (sample of 154 total)
Activenet bgp chargen compaq-peer dhcp dns eigrp gre icmp igmp ipip ipv6 isis mgcp ms-wins netbios-dg netbios-ns netbios-ss ospf pim rip stun vrrp

Peer to Peer (34)
100bao allpeers applejuice ares azureus babelgum bittorrent direct-connect emule fasttrack flashget freenet generic-p2p gnutella goboogy hotline imesh kazaa mute neonet openft peerenabler poco pplive ppstream soribada soulseek tesla thecircle tvants vuze warez-p2p winmx xunlei

Proxy (10)
bypass bypassthat hopster http-proxy http-tunnel httport jap pingfu socks socks2http

Remote Access (23)
avocent beinsync citrix crossloop fastviewer foldera l2tp logmein ms-rdp netviewer pcanyware pptp r-exec r-services radmin rlogin teamviewer telnet unyte vnc x11 xdmcp

Webmail (7)
aim-mail fastmail gmail hotmail myspace-mail yahoo-mail yousendit



Content-ID: Real-Time Content Scanning

Detect and block a wide range of threats, limit unauthorized file transfers and control non-work related web surfing
Stream-based, not file-based, for real-time performance
Uniform signature engine scans for broad range of threats in single pass
Vulnerability exploits (IPS), viruses, and spyware (both downloads and phone-home)
Block a wide range of file transfers by type
Looks into file to determine type - not extension based
Web filtering enabled via fully integrated URL database
20M URLs across 54 categories
Local database ensures highly scalable solution (1,000s!)



User-ID: Enterprise Directory Integration
Users no longer defined solely by IP address
Leverage existing Active Directory infrastructure
Understand users' application and threat behavior based on actual AD username, not just IP
Manage and enforce policy based on user and/or AD group
Investigate security incidents, generate custom reports

Diagram labels: User Identification Agent(s), Active Directory Server(s)



User-Based Application Visibility
Application Command Center (ACC)
View exactly what applications are running on the network
View by top applications, high risk, and category
Drill into specific user activity
Top users of an application
List of applications used by a user
Malware and other threats detected by user

Enables Executive Visibility



Purpose-Built Architecture

Flash Matching HW Engine
Palo Alto Networks' uniform signatures
Multiple memory banks - memory bandwidth scales performance

Multi-Core Security Processor
High density processing for flexible security functionality
Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)

10 Gig Network Processor
Front-end network processing offloads security processors
Hardware accelerated QoS, route lookup, MAC lookup and NAT

Dedicated Control Plane
Highly available mgmt
High speed logging and route updates

Diagram labels: Control Plane (dual-core CPU, RAM, HDD); Data Plane (Flash Matching Engine with RAM; CPU 1 2 3 .. 16 with RAM, SSL, IPSec, De-Compression; Route, ARP, MAC lookup, QoS, NAT; 10Gbps links)



Flexible Deployment Options
Application Visibility
Connect to span port
Provides application visibility without inline deployment

Transparent In-Line
Deploy transparently behind existing firewall
Provides application visibility & control without networking changes

Firewall Replacement
Replace existing firewall
Provides application and network-based visibility and control, consolidated policy, high performance



PAN-OS Features
Visibility and control of applications, users and content are complemented by core firewall features

Strong networking foundation:
Dynamic routing (OSPF, RIPv2)
Site-to-site IPSec VPN
Tap mode - connect to SPAN port
Virtual wire (Layer 1) for true transparent in-line deployment
L2/L3 switching foundation

Zone-based architecture:
All interfaces assigned to security zones for policy enforcement

High Availability:
Active / passive
Configuration and session synchronization
Path, link, and HA monitoring

Virtual Systems:
Establish multiple virtual firewalls in a single device (PA-4000 Series only)

Legacy firewall support:
Application-based rules complement inbound and outbound port-based firewall rules

Annual Subscriptions:
Threat prevention +20%
URL filtering +20%



Customer Use Case Examples

Palo Alto Networks - Use Cases

MANY SOLUTION USE CASES and BENEFITS
Application Visibility & Control
User-based App Visibility & Control
Real-time Threat Prevention
Identify & Control SSL
Content Security & DLP
Monitor & Control Web Surfing
Consolidate Security Devices @ Wire Speed
Firewall Replacement
Significant Human and Capital ROI

"We now know what we didn't know. And it's scary what our users and contractors were doing."
Mark Rein, Senior Director, Information Technology, Mercy Medical Center



Customer Example: Nordson Corporation
Problem
Needed cost-effective remote office security solution
Was looking at a complex 3-box solution

Solution
PA-4000 Series deployed as primary firewall for visibility and control over applications and threats
Consolidates multiple devices

Results
Complete coverage - firewall, application control, threat prevention - one box
Easy remote management - one UI
Deployed in 3 locations internationally including headquarters

"The PA-4020 has simplified the tasks of managing security at our remote site. And it gives us visibility that no one else can match, telling us exactly which applications are on the network."
Tim Harr, Manager, Corporate Information Technologies, Nordson

Industry: Manufacturing
Statistics: 30 Countries, 4100 employees, 2007 revenue - US$994M



Customer Example: Greenhill Capital
Problem
No visibility into which applications were running on the network
Couldn't control webmail, attachments and unmonitored email - a major issue
Tired of adding appliances and vendors to security racks

Solution
PA-4000 Series deployed as the firewall for visibility and control over applications

Results
Complete coverage - firewall, application control, threat prevention - one box
Easy remote management - one UI
Easier vendor management - one support line, one vendor

"The PA-4000 Series enables us to manage applications and users, which are far more relevant to our business than ports and protocols."
John Shaffer, Greenhill

Industry: Financial Services, M&A research and analysis
Statistics: 250 employees, 2007 revenue - US$400M



Customer Example: Constellation Energy
Problem
Lack of visibility and control over applications traversing the network.
Want to be more proactive to enable more rapid deployment of new businesses and technology
Heavy traffic across (2) DS3 pipes was forcing them to look at costly OC3 expansion

Solution
PA-4000 Series provides unmatched visibility and control over applications and web traffic traversing the centralized Internet connections

Results
Constellation found significant amounts of IM and P2P traffic traversing the network which it is now able to control

"The PA-4000 Series helps us be proactive in our security, allowing us to set and enforce application policies and protect our business assets much more effectively."
Frank Chambers, Director of Information Security Management, Constellation Energy

Industry: Energy, Energy Trading
Statistics: F117, 9700 employees, 2007 revenue - US$21B



Customer Example: SanDisk Corporation
Problem
Unable to manage applications on the network - concerned about various threats moving over rogue applications

Solution
PA-4000 Series brings increased visibility and control over applications and web traffic

Results
Able to see which applications and users are utilizing the network
Able to take action - created policies to permit/deny groups or specific applications/users
Provide a level of assurance that networks are being used for business purposes

"With Palo Alto Networks, we are now for the first time able to identify rogue applications on the network such as P2P and Skype, and then block them accordingly."
Justin Smith, Senior Network Engineer, SanDisk

Industry: High-Tech Manufacturing
Statistics: 3000 employees, 2007 revenue - US$3.9B



Customer Example: Sisters of Mercy Health
Problem
Couldn't manage which applications ran on the network
Application-level threats impacting business
IPS up for renewal

Solution
PA-4000 Series consolidates firewall, URL filtering and threat prevention
Enables visibility and control over applications, web traffic and threats

Results
Visibility and control of applications
Able to stop a broad range of threats (exploits, viruses, spyware)

"Palo Alto Networks enables us to provide real-time access to critical applications while stopping threats and risky applications."
Dan Schulte, Manager of Network Security, Sisters of Mercy Health System

Industry: Health Care
Statistics: 9 US States, 28,000 employees, over 4000 beds



Customer Example: Louis Dreyfus Energy
Problem
Firewalls couldn't stop threats

Solution
PA-4000 Series enables visibility and control over applications and threats

Results
Visibility and control of applications
Able to stop a broad range of threats (exploits, viruses, spyware)
Very happy with customer responsiveness and support

"Palo Alto Networks enables us not only to stop threats, but to understand how our networks are being used."
Dave Baker, Manager, Systems Administration, Louis-Dreyfus Highbridge Energy

Industry: Financial Services
Statistics: 290 employees, 2007 enterprise value US$1B



Customer Example: ESPN
Problem
ISS IPS was struggling to handle ESPN's traffic load

Solution
PA-4000 Series deployed primarily as a threat prevention solution
Enables visibility and control over threats and applications

Results
Visibility and control of applications
Able to stop a broader range of threats (exploits, viruses, spyware) than previous IPS
Integrates with Active Directory for user- and group-specific policy
Performance that keeps pace with business

"We needed an IPS that could keep up with our business, and that could deal with today's threats."
Scott Messina, Director of Security, ESPN

Industry: Media
Statistics: over 50 outlets - television, radio, publishing, ESPN.com



Customer Example: Nicolet National Bank
Problem
Couldn't maintain security posture in the face of evasive application traffic
Couldn't control data leaving network
Too many appliances

Solution
PA-4000 Series deployed as primary firewall for visibility and control over applications and threats

Results
Visibility, control and easier compliance
Reducing and simplifying security infrastructure

"We can now meet bank examiners' expectations regarding visibility and control on our network."
Jon Biskner, AVP and Chief Information Security Officer, Nicolet National Bank

Industry: Financial Services/Banking
Statistics: Regional; 6 branches, over $530M in assets



Customer Example: City and Schools of Staunton
Problem
Existing port-based firewall could not keep up with traffic - slowing the business of the city
Couldn't manage which applications ran on the network
Application-level threats impacting business

Solution
PA-4000 Series consolidates multiple devices - enables visibility and control over applications, threats and web traffic

Results
High-speed firewall
Visibility and control of applications
Able to stop a broad range of threats (exploits, viruses, spyware)

"Our legacy firewall simply couldn't deliver in terms of performance or visibility. The PA-4000 Series keeps pace easily, and provides a level of visibility and control that translates into real and enforceable acceptable use policies."
Kurt Plowman, Chief Technology Officer, City of Staunton

Industry: Government
Statistics: over 2000 employees and students



Customer Example: Lenox Hill Radiology

Problem
Application-level threats impacting business
Looking at IPS + AV to stop threats

Solution
PA-4000 Series deployed as primary firewall enabling application visibility and control
Replaces multiple security appliances (firewall, IPS, Proxy, AV)

Results
Visibility and control of applications
Able to stop a broad range of threats (exploits, viruses, spyware)
Firewall + application visibility + threat blocking in one policy, one appliance

"After evaluating the PA-4000 Series, its ability to control applications and perform access control, as well as inspect content for threats and vulnerabilities all through an easy, simple management structure just blew us away."
Joe Funaro, IT Director, Lenox Hill Radiology

Industry: Health Care
Statistics: 3 locations in New York Metro area, 400 employees



Customer Example: Western & Southern Insurance
Problem
Couldn't tell what was on the network, despite firewall, IPS, DLP. Couldn't catch L7 threats

Solution
PA-4000 Series enables visibility and control over applications

Results
Visibility into what's on network
Enable positive use of applications while controlling port-agile apps, ID malicious code on desktops that nothing else could find
Long term, consolidate FW, URL filtering, IPS devices as they near end-of-life

"We had every security device imaginable, all in-line, but couldn't stop layer 7 threats."
Doug Ross, Chief Technology Officer, Western & Southern Financial Group

Industry: Financial Services
Statistics: $4.8B, Ranked 480 on Fortune 1000 list, privately held



Customer Example: Sonic Solutions
Problem
Had no control over port 80 traffic, no ability to understand which users were doing what

Solution
PA-4000 Series for application visibility and control

Results
Visibility and control over applications and users traversing the network
Long term will enable replacement of Cisco PIX and Fortinet firewalls

"Our existing security solution is blind to traffic flowing across port 80. Palo Alto Networks provides us with user-based application visibility and control."
Roger Blakely, VP of Information Security, Sonic Solutions

Industry: High tech, software development
Statistics: 600 employees, multiple sites worldwide



Customer Example: Garland ISD
Problem
Students circumventing IT security controls with tools such as UltraSurf and TOR
No visibility into user behavior, application use
Existing firewalls not keeping up
Rate of change in applications
Sheer throughput

Solution
PA-4000 Series deployed as primary enterprise firewall

Results
Policy control by application and user
No longer struggle to keep up with new/changed applications
Improved performance
Saved $80K in year one

"Not only did the PA-4000 Series give us total control over all applications, we saw a significant performance increase in our network performance."
Neil Moss, Network Engineer, Garland ISD

Industry: K-12 Education
Statistics: Largest district in TX, 57,000 students, 12,000 employees, 74 sites

Palo Alto Networks - Competitive Advantages
Application Level Visibility & Control (700+ Signatures)
User-based & Group-based Visibility & Policy Control via Microsoft AD Integration
Tightly integrated and Comprehensive Threat Prevention (URL filtering, Anti-Virus, Anti-Spyware, Anti-Malware & Anti-Vulnerability Protection)
Aggressive Platform-based Subscription Pricing (vs. Costly User-based!)
Embedded Virtual System Support (VSYS)
Embedded Zone Protection (Denial of Service, Reconnaissance Port Scan)
User-based Activity Reports and Ad-Hoc and Scheduled Reports
Single Management Interface for all features on a single appliance
Built-in Hardware/Software SSL Decryption capabilities
100% security protection during failover to the standby system
Sensitive Data Protection - SSN & Credit Card numbers (Q4, 2008)
Traffic Tagging Capability Now - Full Traffic Shaping Coming (1H, 2009)

Palo Alto Networks is positioned as a Leader in the Gartner Magic Quadrant for enterprise network firewalls.*

Palo Alto Networks is highest in execution and a visionary within the Leaders Quadrant.



Thank You!
