VMware and Palo Alto Networks Integrated

Transforming Network Security for the Software Defined Data Center
Palo Alto Networks at a glance
Corporate highlights
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications and preventing cyber threats
• Able to address all enterprise cybersecurity needs
• Exceptional ability to support global customers
• Experienced team of 1,900+ employees
• FY14: $598M revenue; 19,000+ customers
[Chart: Revenues ($MM), FY09 to FY14; fiscal year ends July]
[Chart: Enterprise customers, Jul-11 to Jul-14]
2015 Magic Quadrant for Enterprise Network Firewalls
“Palo Alto Networks is assessed as a Leader, mostly because of its NGFW focus, and because of its consistent visibility in Gartner shortlists for advanced firewalls use cases, frequently beating competition on feature quality.”
-- Gartner, Magic Quadrant for Enterprise Network Firewalls
3 | ©2015, Palo Alto
The Next-Generation Enterprise Security Platform
[Diagram: three capabilities (Identify, control & decrypt; Detect & prevent known & unknown threats; Automated forensics & remediation) applied across Network (traditional infrastructure), Endpoint, Cloud (Public Cloud, SaaS, Private Cloud) and Mobile devices]
Evolution of virtual datacenter architectures
[Diagram: Traditional Data Center (DB, App, Web tiers); Current Data Center (DB, App, Web tiers); Future Data Center: dynamic, automated, “services-oriented”]
Security challenges
Physical firewalls may not see the East-West traffic
[Diagram: MS-SQL, SharePoint and Web Front End VMs on the same host]
• Firewall placement is designed around the expectation of layer 3 segmentation
• Network configuration changes required to secure East-West traffic flows are manual, time-consuming and complex
• The ability to transparently insert security into the traffic flow is needed
Security challenges
Incomplete security features on existing virtual security solutions
[Diagram: MS-SQL, SharePoint and Web Front End VMs on the same host]
• In the cloud, applications of different trust levels now run on a single server
• VM-VM traffic (East-West) needs to be inspected
• Port and protocol-based security is not sufficient
Virtualized next-generation security is needed to:
• Safely enable application traffic between VMs
• Protect against cyber attacks
Security challenges
Static policies cannot keep pace with dynamic workload deployments
• Provisioning of applications can occur in minutes, with frequent changes
• Security approvals and configurations may take weeks or months
Dynamic security policies that understand VM context are needed
Zero Trust Security Segmentation for Data Center
[Diagram: Users / Corp Net / DMZ; Application and Network layers; HA physical firewalls; orchestration systems; physical servers and virtualized servers]
Physical Firewalls (inter-host segmentation): physical security devices will continue to be deployed to secure and segment data centers.
Virtualized Firewalls (intra-host segmentation): VM-Series provides the ability to safely enable east-west communication.
9 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Orchestration: integration through API, NSX integration, VM Monitoring and Dynamic Address Groups provide the key to tracking VM movement and automating workflows for deployments and network changes.
A Comprehensive Approach to the Data Center
Safe application enablement: App-ID, User-ID, Content-ID, GlobalProtect, WildFire
Threat protection without performance implications
  Physical form factor: North-South control; multi-core hardware; separate management and data plane; single-pass software architecture
  Virtual form factor: East-West control; single-pass software architecture; separate management and data plane
Flexible integration
  Physical form factor: comprehensive networking foundation (routing, VLAN); integration at layer 1, 2, 3
  Virtual form factor: ESXi, VMware NSX
Multi-tenancy
  Physical form factor: multi-tenancy via virtual systems
  Virtual form factor: multi-tenancy via virtual instances
Cloud-readiness: centralized management with one integrated policy; Dynamic Address Groups tie VM movement to policy; cloud orchestration via REST API; Panorama with centralized provisioning, policy and logging
VM-Series for VMware NSX
Transforming network security for the data center
Challenge: FW doesn’t see the traffic. Solution: automated, transparent services insertion at the workload.
Challenge: incomplete security capabilities. Solution: virtualized next-generation security supporting PAN-OS™.
Challenge: static policies. Solution: dynamic security policies with VM context.
VM-Series for VMware NSX
New VM-Series for VMware NSX deployed as a service
• Integrated solution with VMware for East-West traffic inspection
• Automated provisioning and deployment, with a VM-Series deployed on every ESXi server
• NSX automatically steers traffic to VM-Series
• Dynamic context sharing between NSX and Panorama
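As an added illustration (not code from the slides, Palo Alto Networks or VMware) of how policy tied to VM context keeps pace with moves and re-provisioning, this Python toy models Dynamic Address Groups: rules name tag-based groups rather than IP addresses, so a VM that changes address keeps its policy. The VM names, tags, addresses and rules are constructed, and the tag-expression semantics are a simplification of the real feature.

```python
# Added example (not code from the slides or from Palo Alto Networks / VMware):
# toy model of Dynamic Address Groups (DAGs). Rules reference groups defined
# by VM tags learned from the orchestrator instead of IP addresses, so a VM that
# is re-provisioned or migrated with a new IP keeps its policy with no rule
# change. VM names, tags, addresses and rules below are constructed.

# Inventory as reported by VM monitoring: name -> (ip, tags)
INVENTORY = {
    "web-01": ("10.1.1.10", {"tier-web", "app-sharepoint"}),
    "app-01": ("10.1.2.10", {"tier-app", "app-sharepoint"}),
    "db-01": ("10.1.3.10", {"tier-db", "app-sharepoint"}),
    "dev-01": ("10.1.9.10", {"tier-web", "env-dev"}),
}

# Dynamic Address Groups: membership is an OR of AND-ed tag sets (simplified)
DAGS = {
    "sp-web": [{"tier-web", "app-sharepoint"}],
    "sp-app": [{"tier-app", "app-sharepoint"}],
    "sp-db": [{"tier-db", "app-sharepoint"}],
}

# Zero Trust east-west rules: (src group, dst group, dst port, action)
RULES = [
    ("sp-web", "sp-app", 443, "allow"),
    ("sp-app", "sp-db", 1433, "allow"),  # MS-SQL from the app tier only
    ("sp-web", "sp-db", 1433, "deny"),   # web tier must not reach the DB directly
]

def dag_members(inventory, dag):
    """Resolve a group to the IPs whose VM tags satisfy its expression."""
    return {ip for ip, tags in inventory.values()
            if any(clause <= tags for clause in DAGS[dag])}

def evaluate(inventory, src_ip, dst_ip, dst_port):
    """First matching rule wins; any flow no rule covers is denied."""
    for src_dag, dst_dag, port, action in RULES:
        if (src_ip in dag_members(inventory, src_dag)
                and dst_ip in dag_members(inventory, dst_dag)
                and port == dst_port):
            return action
    return "deny"

def move_vm(inventory, name, new_ip):
    """Simulate migration/re-provisioning: same tags, new address, no rule edit."""
    _, tags = inventory[name]
    return {**inventory, name: (new_ip, tags)}

if __name__ == "__main__":
    moved = move_vm(INVENTORY, "web-01", "10.1.1.77")
    print(evaluate(moved, "10.1.1.77", "10.1.2.10", 443))   # allow: tags moved with the VM
    print(evaluate(moved, "10.1.1.77", "10.1.3.10", 1433))  # deny: web tier to DB blocked
```

A static rule written against 10.1.1.10 would silently stop matching after the move; the group-based rule follows the VM because the context (its tags) moved with it.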
Packet flow
[Diagram: NSX FW filter and redirect, NetX Agent, Virtual Switch, Hypervisor]
• NSX Firewall installs a dvFilter on the Guest VM vNIC
• VM-Series firewall is deployed and connected to the NSX Firewall
• Rules to redirect traffic to VM-Series are configured in NSX
• A packet emerging from the Guest VM is redirected to VM-Series
• VM-Series inspects the packet and applies Security Policy
• The packet is forwarded to the virtual switch
How it works: Components
How it works: Registration
How it works: Deployment
How it works: Licensing and Configuration
How it works: Traffic redirection rules
How it works: Real-time updates
How it works: Dynamic Address Groups - address updates
How it works: Complete picture
Security that keeps pace with datacenter changes
Scale Out & Extend
[Diagram: VM Context and Dynamic Address Groups]