Palo_Alto_Networks_in_The_Datacenter_EBC_v4 pdf


Securing the Virtualized Data Center With Next-Generation Firewalls
Customer-Facing EBC Deck
Confidential
© 2012 Palo Alto Networks. Proprietary and Confidential.

Data Center Evolution

Security Hasn’t Kept Up with Rate Of Change
• Configuration of security policies is manual and slow
• Weeks to provision security policies versus minutes for workloads
• Security policies require manual and repetitive steps
• Policies do not follow VM adds, moves, changes
• Policies are not tied to VM instantiation
• Policies cannot track VM movement (server or data center)
• Lack of visibility into the virtual infrastructure
• Segmentation of virtualized apps of different trust levels
• Virtualized traffic may not flow outside of virtualized server (SharePoint application communicating with SQL database)

But Your Existing Challenges Didn’t Go Away
[Diagram labels: Internal employees; Enterprise boundary; Mobile and remote users; Partners & Contractors; Distributed Enterprise; New Application Landscape; Modern Attacks; Attackers]

Table Stakes Security Considerations
[Diagram labels: Mobile and remote users; Partners & Contractors; malware; botnets; exploits]
• Distributed enterprise introduces safe application enablement challenges
• Applications using random ports or evasive techniques to bypass security
• Modern threats are sophisticated, stealthy and targeted
• All Apps, All Ports, All the Time
• All Users, All Locations, Any Repository
• All Exploits, Malware, Files, and URLs

A New Paradigm for Security is Needed
• Deliver all the features that are table stakes:
  - Safe app enablement, threat protection, flexible integration
• Must become more dynamic
  - Security policy must be there when the VM is created
  - Security policy must follow VM movement
  - Security workflows must be automated/orchestrated so they don’t slow down the data center
• Consistent, centralized management
  - Centralized management is critical
  - Must be consistent for all environments - physical, hybrid, mixed

Safely Enable All Traffic in the DC
[Diagram labels: WHO; WHERE; WHAT; HOW; User/Group/Device; Server/Hardware; Application; Exploits, malware, spyware; Content; Security Profile]
• Segment applications by function, trust levels, and compliance needs
• Inspect all traffic between security zones by default
• Manage unknown traffic

Introducing the VM-Series
Safe Application Enablement of Intra-Host Traffic
• Next-generation firewall in a virtual form factor
• Consistent features as hardware-based next-generation firewall
• Inspects and safely enables intra-host communications (East-West traffic)
• Tracks VM creation and movement with dynamic address objects
• Initial support on VMware platform - ESXi 4.1 and ESXi 5.0
• Available in 3 models (VM-100, VM-200, VM-300), and supports 2, 4, 8 CPU cores
• Licensing by firewall capacity – Individual, Enterprise, Service-Provider

VM-100               VM-200               VM-300
50,000 sessions      100,000 sessions     250,000 sessions
250 rules            2,000 rules          5,000 rules
10 security zones    20 security zones    40 security zones

VM orchestration
• When new VMs are created and assigned to address objects, security policies are in place

VM Migration
• Dynamic address objects track VM movement to allow security policy to follow VM

. applications in the datacenter
- Protects against all datacenter threats without performance impact
- Provides simplified integration into the infrastructure
- Ties.

VM Security Network

Putting It All Together
Inter-host Segmentation Intra-host Segmentation Physical

Posted: 16/03/2014, 06:20


Table of contents

    Security Hasn’t Kept Up with Rate Of Change

    But Your Existing Challenges Didn’t Go Away

    Table Stakes Security Considerations

    Safely Enable All Traffic in the DC

    Putting It All Together

    A Comprehensive Approach to Virtualized DC
