Our laser-like focus on innovation allows us to safely enable applications, users and content. Our broad family of platforms and rich feature set allow us to address all NW security needs (FW, VPN, IPS, URL filtering, content inspection). The innovation we deliver to the market is influenced heavily by our customers who, like us, are innovating how their company secures the NW. Our growth is driven by a product that works and a seasoned management team.
Use interesting examples that are not Facebook and Twitter to show that applications have changed and firewalls have not. Applications use evasive techniques to simplify use and avoid detection. AV in the late 90s started using port 80 (it is a C/S app); AIM prompted you to find an open port; BitTorrent and Skype hop ports and use encryption; MS Lync uses 443, 3489 and a host of ports above 50,000; SharePoint and its function controls use a range of web ports, but it is not a web app (it uses Office). SAP, Oracle, Dropbox, Box.net
Threat ramifications: Applications are a threat vector and a target
Exfiltration ramifications: Today’s threats are applications – their command/control requires network communications. Apps can act as the conduit for data theft.
SSL and SSH: more and more applications use encryption, rendering existing FWs useless.
The control that once existed in the firewall has eroded over time.
UTMs exist for the sole purpose of consolidating devices to save money – just google the IDC definition from 2004.
UTMs suffer from performance issues, multiple policies, silo-based scanning, multiple databases, logs, etc.
UTMs are all stateful inspection based – they all make their first decision on port. We are not a UTM.
Talk about how a stateful FW's default policy is deny all, versus an IPS being allow all. This is how competitive application identification technologies work unless tuned.
Discuss the need to forward traffic from the stateful FW engine to the IPS engine. How do you determine what to send?
Point out that in the IPS model you need to know what to block. What happens if you don't know all the components of an application, or even what is available to you? How do you spend time doing this?
Multiple rulebases, multiple databases, multiple log databases, etc. – all mean policy reconciliation challenges, and a weakening of the deny-all-else premise…
The goal is to use applications, users and content as a means of talking about all 5 technologies and services: App-ID, User-ID, Content-ID, GlobalProtect and WildFire – not just the 3 core ones. This slide includes several good application examples – none of which are Facebook or Twitter. Each example has a user, an app and some content – doc, file, threat – and when traversing the FW, those elements are either allowed or blocked for specific groups of users.
**********************
Classifying all applications, across all ports, all the time with App-ID. Palo Alto Networks next-generation firewalls are built upon App-ID, a traffic classification technology that identifies the applications traversing the network, regardless of port, encryption (SSL or SSH) or evasive technique employed. The knowledge of exactly which applications are traversing the network, not just the port and protocol, then becomes the basis for all security policy decisions. Unidentified applications, typically a small percentage of traffic yet high in potential risk, are automatically categorized for systematic management, which can include policy control and inspection, threat forensics, creation of a custom App-ID, or submission of a packet capture for App-ID development.
Tying users and devices, not just IP addresses, to applications with User-ID and GlobalProtect. The application identity is tied to the user through User-ID, allowing organizations to deploy enablement policies that are not based solely on the IP address. These policies can then be extended to any device at any location with GlobalProtect. User-ID integrates with a wide range of enterprise user repositories to provide the identity of the Microsoft Windows, Mac OS X, Linux, Android or iOS users accessing the application. GlobalProtect ensures that the remote user is protected consistently, in the same manner as they would be if they were operating on the local network.
The combined visibility and control over a user's application activity means organizations can safely enable the use of Oracle, BitTorrent, Gmail, or any other application traversing the network, no matter where or how the user is accessing the network.
Protecting against all threats, both known and unknown, with Content-ID and WildFire. To protect against a blend of known exploits, malware and spyware as well as completely unknown and targeted threats, organizations can first reduce the threat footprint through an explicit deny policy for unwanted applications. Content-ID can then be used to protect the applications and associated features by blocking known vulnerability exploits, viruses, and spyware in the allowed traffic. Content-ID addresses common threat evasion tactics by executing the prevention policy using the application and protocol context generated by the decoders in App-ID. Custom or unknown malware that is not controlled through traditional signatures is addressed through WildFire, which executes unknown files and monitors for more than 100 malicious behaviors in a virtualized sandbox environment. If malware is found, a signature is automatically developed and delivered to the user community.
Enterprise-wide enablement: Safe application enablement policies can help organizations improve their security posture, regardless of the deployment location. At the perimeter, organizations can reduce their threat footprint by blocking a wide range of unwanted applications and then inspecting the allowed applications for threats – both known and unknown. In the datacenter, application enablement translates to confirming that the applications, users and content are allowed and protected from threats while simultaneously finding rogue, misconfigured applications – all at multi-Gbps speeds.
In virtualized datacenter environments, organizations can apply consistent application enablement policies while addressing security challenges introduced by virtual machine movement and orchestration. Expanding outwards to enterprise branch offices and remote users, enablement is delivered through policy consistency – the same policy deployed at the corporate location is extended seamlessly to other locations.
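To make the "deny all versus allow all" point and the port-hopping examples concrete, here is an added illustration (not Palo Alto Networks code, and not a model of how App-ID itself classifies traffic). It assumes a payload classifier has already labelled each flow with an application name, or None when nothing matched, and compares what a port-only stateful policy and an application-plus-user policy would each decide on the same constructed flow records. The flows, users, groups and application names are all made up for the example.

```python
"""Constructed example: port-based versus application-based policy decisions.

Each Flow is a made-up record: who opened it, the destination port, and the
application a payload classifier identified (None when nothing matched).
The classifier itself is assumed and out of scope; only the policy decision
that follows it is modelled here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    user: str
    dst_port: int
    app: Optional[str]  # identified application, None if unknown


# Port-based stateful policy: decide on destination port, deny everything else.
PORT_POLICY = {80: "allow", 443: "allow", 22: "allow"}

# Hypothetical user -> group mapping (stands in for a directory lookup).
USER_GROUPS = {"alice": {"admins"}, "bob": set()}

# Application-based policy: first match wins, deny everything else.
# Tuples are (application, groups permitted, action); "any" means every user.
APP_POLICY = [
    ("web-browsing", {"any"}, "allow"),
    ("ssl", {"any"}, "allow"),
    ("ssh", {"admins"}, "allow"),
    ("ms-lync", {"any"}, "allow"),
    ("bittorrent", {"any"}, "deny"),
]


def port_decision(flow: Flow) -> str:
    """What a port-only firewall would do with this flow."""
    return PORT_POLICY.get(flow.dst_port, "deny")


def app_decision(flow: Flow) -> str:
    """Decide on identified application plus user group. Unknown applications
    are held for review rather than silently passed on a well-known port."""
    if flow.app is None:
        return "deny-unknown"
    groups = USER_GROUPS.get(flow.user, set())
    for app, allowed_groups, action in APP_POLICY:
        if app != flow.app:
            continue
        if "any" in allowed_groups or allowed_groups & groups:
            return action
    return "deny"


def compare(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Side-by-side decisions for every flow."""
    return [(f, port_decision(f), app_decision(f)) for f in flows]


def port_evasions(flows: List[Flow]) -> List[Flow]:
    """Flows a port-only policy lets through but an app-aware policy stops."""
    return [f for f in flows
            if port_decision(f) == "allow" and app_decision(f) != "allow"]


def port_overblocks(flows: List[Flow]) -> List[Flow]:
    """Legitimate, policy-allowed applications a port-only policy would break."""
    return [f for f in flows
            if port_decision(f) == "deny" and app_decision(f) == "allow"]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("bob", 443, "ssl"),          # ordinary HTTPS
    Flow("bob", 443, "bittorrent"),   # peer-to-peer client hopping onto 443
    Flow("bob", 22, "ssh"),           # non-admin opening SSH
    Flow("alice", 22, "ssh"),         # admin opening SSH
    Flow("bob", 50123, "ms-lync"),    # collaboration app on a high port
    Flow("bob", 80, None),            # port 80, but no known application matched
]

if __name__ == "__main__":
    for f, p, a in compare(SAMPLE_FLOWS):
        print(f"{f.user:6} :{f.dst_port:<5} {str(f.app):12} port={p:6} app={a}")
    print("port policy misses:", len(port_evasions(SAMPLE_FLOWS)))
    print("port policy overblocks:", len(port_overblocks(SAMPLE_FLOWS)))
```

Three of the six flows pass the port policy yet fail the application policy (the peer-to-peer client on 443, the non-admin SSH session, and the unidentified traffic on 80), while the port policy also breaks the legitimate collaboration app on a high port. The `deny-unknown` outcome is the part worth dwelling on: a deny-all-else policy only holds if unidentified traffic is treated as a category to review, not as "probably web".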
Major benefit is predictable performance. It doesn't matter if we enable 1 profile with one signature or all profiles/all signatures; we have very consistent performance. Good spot to mention that competitors recommend up to 20X of our TP performance number when they are sizing in the same deal.
We are the only vendor that consistently, across all of our platforms, has dedicated dataplane processing to handle L7 inspection. Our competitors have a couple of platforms sprinkled throughout their extensive portfolios that do this…the rest of their products need to use their central CPU to process this traffic.
Most other products have some scanning components that are proxy based.
Take this slide as an opportunity to talk about VSYS and how we don't have any feature loss when enabling it, as well as not needing additional products/OS to deploy it.
Discuss how reporting is built into the FW, and the same when using Panorama, which is mainly used to manage many firewalls.
I like to take some time to discuss QoS and how we can shape traffic during widely viewed events such as March Madness, etc., and tie this into our App-ID story.