Transforming Network Security for the Software Defined Data Center

Palo Alto Networks at a glance

Corporate highlights
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications and preventing cyber threats
• Able to address all enterprise cybersecurity needs
• Exceptional ability to support global customers
• Experienced team of 1,900+ employees
• FY14: $598M revenue; 19,000+ customers

Revenues ($MM; fiscal year ends July): FY09 $13, FY10 $49, FY11 $119, FY12 $255, FY13 $396, FY14 $598
Enterprise customers: Jul-11 4,700; Jul-12 9,000; Jul-13 13,500; Jul-14 >19,000

2015 Magic Quadrant for Enterprise Network Firewalls
“Palo Alto Networks is assessed as a Leader, mostly because of its NGFW focus, and because of its consistent visibility in Gartner shortlists for advanced firewalls use cases, frequently beating competition on feature quality.” --Gartner, Magic Quadrant for Enterprise Network Firewalls

3 | ©2015, Palo Alto

The Next-Generation Enterprise Security Platform
• Identify, control & decrypt
• Detect & prevent known & unknown threats
• Automated forensics & remediation
Network: traditional infrastructure. Endpoint: mobile devices. Cloud: public cloud, SaaS, private cloud.

Evolution of virtual datacenter architectures
Traditional Data Center (Web, App, DB) → Current Data Center (Web, App, DB) → Future Data Center: dynamic, automated, “services-oriented”

Security challenges: Physical firewalls may not see the East-West traffic
(Diagram workload: Web Front End, SharePoint, MS-SQL)
• Firewall placement is designed around the expectation of layer 3 segmentation
• Network configuration changes required to secure East-West traffic flows are manual, time-consuming and complex
• The ability to transparently insert security into the traffic flow is needed

Security challenges: Incomplete security features on existing virtual security solutions
(Diagram workload: Web Front End, SharePoint, MS-SQL)
• In the cloud, applications of different trust levels now run on a single server
• VM-to-VM (East-West) traffic needs to be inspected
• Port- and protocol-based security is not sufficient
• Virtualized next-generation security is needed to safely enable application traffic between VMs and to protect against cyber attacks

Security challenges: Static policies cannot keep pace with dynamic workload deployments
• Provisioning of applications can occur in minutes, with frequent changes
• Security approvals and configurations may take weeks or months
• Dynamic security policies that understand VM context are needed

Zero Trust Security Segmentation for the Data Center
(Diagram: Users / Corp Net / DMZ, Application Network, Orchestration systems; Physical Firewalls (HA) provide inter-host segmentation for physical servers; Virtualized Firewalls provide intra-host segmentation for virtualized servers)
• Physical security devices will continue to be deployed to secure and segment data centers.
• VM-Series provides the ability to safely enable east-west communication.
• Orchestration integration through API, NSX integration, VM Monitoring and Dynamic Address Groups provide the key to tracking VM movement and automating workflows for deployments and network changes.

A Comprehensive Approach to the Data Center (Physical Form Factor vs. Virtual Form Factor)
• Safe application enablement (both form factors): App-ID, User-ID, Content-ID, GlobalProtect, WildFire
• Threat protection without performance implications: Physical (North-South control): multi-core hardware, separate management & data plane, single pass software architecture. Virtual (East-West control): single pass software architecture, separate management & data plane.
• Flexible integration: Physical: comprehensive networking foundation (routing, VLAN), integration at layer 1, 2, 3. Virtual: ESXi, VMware NSX.
• Multi-tenancy: Physical: via virtual systems. Virtual: via virtual instances.
• Cloud-readiness (both form factors): centralized management, one integrated policy; Dynamic Address Groups tie VM movement to policy; cloud orchestration via REST API; Panorama with centralized provisioning, policy and logging.

VM-Series for VMware NSX: Transforming network security for the data center
Challenge → Solution
• FW doesn’t see the traffic → Automated, transparent services insertion at the workload
• Incomplete security capabilities → Virtualized next-generation security supporting PAN-OS™
• Static policies → Dynamic security policies with VM context

VM-Series for VMware NSX
New VM-Series for VMware NSX, deployed as a service
• Integrated solution with VMware for East-West traffic inspection
• Automated provisioning and deployment, where a VM-Series is deployed on every ESXi server
• NSX automatically steers traffic to the VM-Series
• Dynamic context sharing between NSX and Panorama

Packet flow
(Diagram components: Guest VM, NSX FW re-direct, NSX filter, NetX agent, VM-Series, virtual switch, hypervisor)
Steps, in order:
• NSX Firewall installs a dvFilter on the Guest VM vNIC
• VM-Series firewall is deployed and connected to NSX
• Firewall rules to redirect traffic to the VM-Series are configured in NSX
• A packet emerging from the Guest VM is redirected to the VM-Series
• VM-Series inspects the packet and applies Security Policy
• The packet is forwarded to the virtual switch

How it works (diagram slides): Components; Registration; Deployment; Licensing and Configuration; Traffic redirection rules; Real-time updates; Dynamic Address Groups (address updates); Complete picture

Security that keeps pace with datacenter changes

Scale Out & Extend

Dynamic Address Groups: VM context