Domenico Stranieri

Pre-Sales Engineer | EMEA Italy & Malta

[email protected]

Rome, 7th July

Zero Trust Network Security for the Software Defined Data Center



The Digital Disruption Has Already Happened

© 2016, Palo Alto Networks

o Most popular media owner creates no content (Facebook)

o Fastest growing banks have no actual money (SocietyOne)

o Largest accommodation provider owns no real estate (Airbnb)

o Largest phone companies own no telco infra (Skype, WeChat)

o World’s most valuable retailer has no inventory (Alibaba)

o World’s largest movie house owns no cinemas (Netflix)

o Largest software vendors don’t write the apps (Apple & Google)

o World’s largest taxi company owns no taxis (Uber)

SOCIAL + SaaS

CLOUD + VIRTUALIZATION

MOBILITY + BYOD

CONSUMERIZATION

Massive opportunity for cyber criminals

WHAT’S CHANGED? THE EVOLUTION OF BUSINESS

THIS IS WHAT REALLY CHANGED! THE EVOLUTION OF THE ATTACKER…

The majority of adversaries are just doing their job. They have bosses, families and bills to pay.

They want to get in, accomplish their task, and get out undetected.

The goal isn’t making your life hard.

24/7 malware updates and support

$1.2B+ sales in 18 months

WHAT’S CHANGED?

EXPLORING ACTOR MOTIVATIONS… NOT MUTUALLY EXCLUSIVE

This is what CHANGED!

Cyber Hacktivism

Cyber Mischief

Cyber Warfare

Cyber Crime

Cyber Espionage

Cyber Terrorism

CYBER WARFARE: 100+ nations

CYBERCRIME: now a $1+ trillion industry

THE CYBER ATTACK LIFECYCLE… YOU BETTER KNOW YOUR ENEMY

Are you CHANGING as well?

Reconnaissance → Weaponization and Delivery → Exploitation → Installation → Command-and-Control → Actions on the Objective

Unauthorized Access | Unauthorized Use

“There is no predictable path for the advanced adversary”

ATTACK TECHNIQUES / TOOLS… MUST INCREASE THE COST OF THE ATTACK

ADVANCED PERSISTENT THREATS

Myth

o Highly customized and unique tools are used for every attack.

o Customized protocols, with unique encryption types, are used for CnC.

o Malicious websites are used to distribute malware.

Reality

o Off-the-shelf tools are the most common method of attack.

o HTTP and/or SSL are most common for custom backdoors.

o Compromised legitimate websites are used as “trusted” distribution centers for malware.

BADs vs GOODs

WHY DO BREACHES STILL HAPPEN?

Port-based Firewall

Static IPS

0-Day Malware & Exploits

ID Credentials Hijacking

Why “Blacklisting-only” fails…

Zero Trust Network

“Why a Next Generation Security Approach is Needed…”

Must improve your Security Posture…

What About Zero Trust Network?

The Zero Trust architecture approach, first proposed by Forrester Research (2009), is intended to address this by promoting "never trust, always verify" as its guiding principle.

With Zero Trust there is no default trust for any entity — including users, devices, applications, and packets — regardless of what it is and its location on or relative to the corporate network.

By establishing Zero Trust boundaries that effectively compartmentalize different segments of the network, you can protect critical intellectual property from unauthorized applications or users, reduce the exposure of vulnerable systems, and prevent the lateral movement of malware throughout your network.

The Zero Trust Model Of Information Security


Zero Trust Networks

Access control is on a “need-to-know” basis and is strictly enforced.

All resources are accessed in a secure manner regardless of location.

Verify and never trust.

Inspect and log all traffic.

The network is designed from the inside out.

Zero Trust Concepts


Zero Trust Network? Traditional Hierarchical Network

Core

Distribution

Access

Edge

Securing a multi-layer infrastructure is a hard job

Zero Trust Network? Security is an Overlay

Adding more and more security functions at each layer is necessary to get a more granular control

Core

Distribution

Access

Edge

Security functions bolted onto the layers: DAM, DB ENC, VPN, DLP, WAF, Email, WCF, IPS, FW, WLAN GW, NAC

Zero Trust Network? Deconstructing the Network

Many security functions provided by different vendors are not really scalable / agile, are not easy to manage, and do not provide a natively integrated security platform

Core

Distribution

Edge

Access

Security functions pulled out of the layers: WAF, DAM, DB ENC, VPN, DLP, Email, WCF, IPS, FW, WLAN GW, NAC

Zero Trust Network? Re-building the Secure Network

Functions consolidated: IPS, FIREWALL, WAF, DAM, WLAN GW, DLP, WCF, Email, NAC, DB ENC

Integrated Security Platform: FW, IPS, CRYPTO, AM, CF, AC, VPN on a common Packet Forwarding Engine

Natively Integrated Security Functions

Zero Trust Network? Re-building the Secure Network

o Very High Performance

o Multiple 10GE Interfaces

o Application Awareness

o Content Awareness

o User Awareness

o Known Threats Detection

o Unknown Threats Prevention

o URL-Filtering

o VPN / Access Management

o Security Events Logging

o Security Events Correlation

Next Generation Firewall


Zero Trust Network? Zero Trust Drives Future Network Design

MCAP – Micro Core And Perimeter

MCAP resources have similar functionality and share global policy attributes

MCAPs are centrally managed to create a unified switching fabric

Segmentation Gateway with Centralized MGMT

Users MCAP

WWW MCAP

APP MCAP
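The Zero Trust concepts listed earlier (need-to-know access, verify and never trust, inspect and log all traffic) and the MCAP model on this slide are easiest to see as a policy engine. The following is an added example written for this transcript, not code from the deck or from Palo Alto Networks: a toy segmentation gateway that evaluates every flow against explicit allow rules between MCAPs, denies by default, and logs each decision. The MCAP names "Users MCAP", "WWW MCAP" and "APP MCAP" come from the slide; "DB MCAP", the user groups, application identifiers and the sample flows are constructed assumptions.

```python
"""Toy Zero Trust segmentation gateway (added example, not vendor code).

Assumptions (hypothetical): "DB MCAP", the group names, the application
identifiers and SAMPLE_FLOWS are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Flow:
    user_group: str   # group of the authenticated user or service identity
    app: str          # application as classified from content, never from port
    src_mcap: str     # MCAP the flow originates from
    dst_mcap: str     # MCAP the flow targets


@dataclass(frozen=True)
class Rule:
    name: str
    user_groups: FrozenSet[str]
    apps: FrozenSet[str]
    src_mcap: str
    dst_mcap: str

    def matches(self, f: Flow) -> bool:
        # A rule applies only when segment pair, identity and application all match.
        return (f.src_mcap == self.src_mcap
                and f.dst_mcap == self.dst_mcap
                and f.user_group in self.user_groups
                and f.app in self.apps)


@dataclass
class SegmentationGateway:
    rules: List[Rule]
    log: List[str] = field(default_factory=list)

    def decide(self, f: Flow) -> str:
        # Every flow is evaluated and logged, whether it crosses an MCAP boundary
        # or stays inside one: the source segment earns no implicit trust.
        for r in self.rules:
            if r.matches(f):
                self.log.append(
                    f"ALLOW {f.user_group} {f.app} {f.src_mcap}->{f.dst_mcap} rule={r.name}")
                return "allow"
        # No explicit rule: default deny ("never trust, always verify").
        self.log.append(
            f"DENY {f.user_group} {f.app} {f.src_mcap}->{f.dst_mcap} rule=default-deny")
        return "deny"


def build_gateway() -> SegmentationGateway:
    # Need-to-know: each tier may talk only to the next tier, on one application.
    return SegmentationGateway(rules=[
        Rule("users-to-www", frozenset({"employees"}),
             frozenset({"web-browsing", "ssl"}), "Users MCAP", "WWW MCAP"),
        Rule("www-to-app", frozenset({"svc-web"}),
             frozenset({"app-api"}), "WWW MCAP", "APP MCAP"),
        Rule("app-to-db", frozenset({"svc-app"}),
             frozenset({"mssql"}), "APP MCAP", "DB MCAP"),
    ])


# Constructed sample flows; the comment on each line states the expected decision.
SAMPLE_FLOWS = [
    Flow("employees", "web-browsing", "Users MCAP", "WWW MCAP"),   # allow
    Flow("employees", "mssql", "Users MCAP", "DB MCAP"),           # deny: no need-to-know
    Flow("svc-web", "mssql", "WWW MCAP", "DB MCAP"),               # deny: tier skipped
    Flow("svc-app", "mssql", "APP MCAP", "DB MCAP"),               # allow
    Flow("employees", "smb", "Users MCAP", "Users MCAP"),          # deny: intra-MCAP is verified too
    Flow("svc-web", "app-api", "WWW MCAP", "APP MCAP"),            # allow
    Flow("contractors", "web-browsing", "Users MCAP", "WWW MCAP"), # deny: group not entitled
]


def evaluate_samples() -> Tuple[List[str], List[str]]:
    """Run the constructed flows through a fresh gateway; return (decisions, log)."""
    gw = build_gateway()
    decisions = [gw.decide(f) for f in SAMPLE_FLOWS]
    return decisions, gw.log


if __name__ == "__main__":
    for line in evaluate_samples()[1]:
        print(line)
```

The point of the model is the shape of the rule set, not its size: there is no rule with a wildcard segment or application, the flow that skips a tier (web directly to the database) is dropped even though both endpoints are "inside", and the log holds one line per flow, denied flows included, so that a lateral-movement attempt shows up as a run of default-deny entries rather than silence.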

Zero Trust Network for the Software Defined IT

“Enhancing Security in the Digital Age...”

Must improve your Security Posture…


Evolution towards a software defined data center

Server Virtualization → Software Defined Data Center

A Software Defined Data Center is agile, flexible, elastic and simple

• Fast workload provisioning – reduce from weeks to hours

• Flexible workload placement

• Simplified data center operations & economics

Security is a critical component of the software defined data center


Security Challenges: Physical firewalls may not see the East-West traffic

o Firewall placement is designed around the expectation of layer 3 segmentation

o Network configuration changes required to secure East-West traffic flows are manual, time-consuming and complex

o The ability to transparently insert security into the traffic flow is needed

[Figure: three-tier application – MS-SQL, SharePoint, Web Front End]

Security Challenges: Incomplete security features on existing virtual security solutions

In the Cloud, applications of different trust levels now run on a single server

o VM-VM traffic (East-West) needs to be inspected

o Port & Protocol-based security is not sufficient

o Virtualized Next-Generation Security is needed to:

Safely enable application traffic between VMs

Protect against cyber attacks

[Figure: three-tier application – MS-SQL, SharePoint, Web Front End]

Security Challenges: Static Policies cannot keep pace with dynamic workload deployments

o Provisioning of applications can occur in minutes with frequent changes

o Security approvals and configurations may take weeks/months

o Dynamic Security Policies that understand VM context are needed

Next Generation Firewall Technologies: Visibility and Safe Enablement of All Traffic

Applications: Safe enablement in the data center begins with application classification

Applications classified regardless of ports, protocols, evasive tactics, encryption

Classify custom applications and unknowns in the data center

Users: Tying users and groups, regardless of location or devices, to applications

Differentiate access based on user, device and endpoint profile

Content: Scanning content and protecting against all threats, both known and unknown

Protect any type of traffic from targeted attacks
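The slide's claim that applications must be classified "regardless of ports" and that "port & protocol-based security is not sufficient" is concrete once you put a port lookup next to a content-based classifier. The block below is an added example written for this transcript, not code from the deck or from Palo Alto Networks: a minimal classifier that recognises three applications from the first bytes a client sends, compared against a port table over the same constructed flows. The signatures are the well-known ones (SSH identification string, TLS handshake record header, HTTP request line); the sample payloads, the port table and the allowed-application set are constructed assumptions.

```python
"""Port-based versus content-based application classification (added example).

Assumptions (hypothetical): PORT_TABLE, ALLOWED_APPS and SAMPLE_FLOWS are
constructed for illustration; the classifier is a teaching model, not App-ID.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Legacy view: destination port implies application.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl"}

# Policy intent: only browsing and TLS are permitted on this segment.
ALLOWED_APPS = {"web-browsing", "ssl"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes   # first bytes sent by the client (constructed samples)


def classify_by_port(f: Flow) -> str:
    return PORT_TABLE.get(f.dst_port, "unknown-tcp")


def classify_by_content(f: Flow) -> str:
    """Identify the application from the client's first bytes, ignoring the port."""
    p = f.payload
    if p.startswith(b"SSH-2.0-"):                      # SSH identification string
        return "ssh"
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04:
        return "ssl"                                   # TLS handshake record header
    head = p[:64]
    if head.startswith(HTTP_METHODS) and b" HTTP/1." in head:
        return "web-browsing"                          # HTTP/1.x request line
    return "unknown-tcp"                               # unknown: surface for review


def verdict(app: str) -> str:
    return "allow" if app in ALLOWED_APPS else "deny"


# Constructed flows; the comments state what each one exercises.
SAMPLE_FLOWS = [
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),   # plain web
    Flow(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),        # TLS ClientHello
    Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),                            # SSH on the TLS port
    Flow(8080, b"POST /api/login HTTP/1.1\r\nHost: app\r\n\r\n"),     # web on a non-standard port
    Flow(4444, b"\x00\x01\x02\x03 custom"),                           # unknown custom protocol
]


def compare(flows: List[Flow]) -> List[Tuple[int, str, str, str, str]]:
    """Return (port, port_app, port_verdict, content_app, content_verdict) per flow."""
    rows = []
    for f in flows:
        by_port = classify_by_port(f)
        by_content = classify_by_content(f)
        rows.append((f.dst_port, by_port, verdict(by_port), by_content, verdict(by_content)))
    return rows


def mismatches(flows: List[Flow]) -> List[Tuple[int, str, str, str, str]]:
    """Flows where the two approaches reach different policy decisions."""
    return [r for r in compare(flows) if r[2] != r[4]]


if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        print(row)
```

Two rows disagree, and they are the two that matter: the SSH session on port 443 is waved through by the port table and denied by the content classifier, while the legitimate web application on 8080 is denied by the port table and allowed once its content is recognised. The "unknown-tcp" outcome is deliberately a deny plus a label, which is what the slide's "classify custom applications and unknowns" amounts to in practice: unknown traffic is surfaced for a custom signature rather than silently permitted.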

Next Generation Firewall Technologies: NGFW as a VM versus as a Service

VM-Series as a Guest VM

o Virtual networking configured to pass traffic through the firewall

o Requires vSwitch and port group configuration

o Connects as L3, L2, V-wire, or Tap

VM-Series NGFW as a Service

o NGFW is an SDN service

o Resides below the vSwitch and above the vNIC

o SDN steers traffic to and from the VM before networking

Technology Partnership – VMware NSX Integration How it works (Complete Picture)


Technology Partnership – Citrix NetScaler SDX: Security and Availability for XenApp/XenDesktop

Validated, Consolidated Security and ADC for XenApp/XenDesktop

Secure Remote Access and High Availability

Safe application enablement for XenApp/XenDesktop users

• Unique User-ID & Terminal-Services agent integration

Segmentation of XenApp/XenDesktop infrastructure

[Figure: Any User, Any Device, Anywhere – Citrix Receiver → Citrix NetScaler SDX with PANW VM-Series → Internet applications / On-premise applications / XenApp/XenDesktop (VDI Environment)]

Next Generation Firewall Technology Partnerships

Lifecycle Orchestration

• Provisioning and deployment

• Management and updating

• Decommissioning

Traffic flow and Policy Management

• Software Defined Networking and Network Virtualization

• Service insertion and chaining

• Policy definition and enforcement

Context Awareness and Sharing

• From the environment to Palo Alto Networks

• From Palo Alto Networks back to the environment

Zero Trust for the Software Defined Data Center

[Figure: Inter-host Segmentation / Intra-host Segmentation – Physical Servers, Virtualized servers, HA, Physical Firewalls, Virtualized Firewalls; Security, Network, Application; Orchestration Systems; Users / Corp Net / DMZ]

Physical security devices will continue to be deployed to secure and segment data centers.

VM-Series provides the ability to safely enable east-west communication.

Orchestration integration through API, VM Monitoring and Dynamic Address Groups provides the key to tracking VM movement and automating workflows for deployments and network changes.
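The "static policies cannot keep pace" slide and the closing point about VM Monitoring and Dynamic Address Groups describe the same mechanism: rules are written against tags, and the set of addresses behind each tag is re-resolved whenever the orchestration layer reports a change. The block below is an added example written for this transcript, not code from the deck or from Palo Alto Networks; it models that resolution step for a three-tier application and then replays two constructed inventory events (a newly provisioned web VM and an app VM that moved to a new address) to show that the rules need no edit. Tag names, addresses, VM names and the event format are constructed assumptions.

```python
"""Tag-based dynamic address groups with inventory events (added example).

Assumptions (hypothetical): the tag vocabulary, addresses, VM names, GROUPS,
RULES and EVENTS are constructed; the event dicts stand in for whatever a VM
monitoring feed would deliver.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: FrozenSet[str]   # tags reported by the orchestration system


@dataclass(frozen=True)
class DynamicAddressGroup:
    name: str
    required_tags: FrozenSet[str]   # a VM is a member if it carries all of these

    def members(self, inventory: List[VM]) -> FrozenSet[str]:
        return frozenset(vm.ip for vm in inventory if self.required_tags <= vm.tags)


@dataclass(frozen=True)
class Rule:
    name: str
    src_group: str
    dst_group: str
    app: str


GROUPS = [
    DynamicAddressGroup("prod-web", frozenset({"tier:web", "env:prod"})),
    DynamicAddressGroup("prod-app", frozenset({"tier:app", "env:prod"})),
    DynamicAddressGroup("prod-db", frozenset({"tier:db", "env:prod"})),
]

# Rules reference groups, never addresses, so workload churn never edits them.
RULES = [
    Rule("web-to-app", "prod-web", "prod-app", "app-api"),
    Rule("app-to-db", "prod-app", "prod-db", "mssql"),
]

# Constructed starting inventory; the dev web server must never join a prod group.
INITIAL_INVENTORY = [
    VM("web01", "10.1.1.10", frozenset({"tier:web", "env:prod"})),
    VM("app01", "10.1.2.10", frozenset({"tier:app", "env:prod"})),
    VM("db01", "10.1.3.10", frozenset({"tier:db", "env:prod"})),
    VM("web-dev01", "10.9.1.10", frozenset({"tier:web", "env:dev"})),
]

# Constructed events as a VM monitoring feed might report them.
EVENTS = [
    {"kind": "provision", "vm": VM("web02", "10.1.1.11", frozenset({"tier:web", "env:prod"}))},
    {"kind": "move", "name": "app01", "ip": "10.1.2.55"},
]

Resolved = Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]]


def resolve(rules: List[Rule], groups: List[DynamicAddressGroup],
            inventory: List[VM]) -> Resolved:
    """Expand each rule's source and destination groups into concrete addresses."""
    by_name = {g.name: g for g in groups}
    return {r.name: (by_name[r.src_group].members(inventory),
                     by_name[r.dst_group].members(inventory)) for r in rules}


def apply_events(inventory: List[VM], events: List[dict]) -> List[VM]:
    """Return a new inventory with the reported changes applied (input untouched)."""
    vms = {vm.name: vm for vm in inventory}
    for ev in events:
        if ev["kind"] == "provision":
            vms[ev["vm"].name] = ev["vm"]
        elif ev["kind"] == "move":           # same VM, new address after a migration
            old = vms[ev["name"]]
            vms[old.name] = VM(old.name, ev["ip"], old.tags)
        elif ev["kind"] == "decommission":   # membership disappears with the VM
            vms.pop(ev["name"], None)
        else:
            raise ValueError(f"unknown event kind: {ev['kind']}")
    return list(vms.values())


def demo() -> Tuple[Resolved, Resolved]:
    """Resolve the unchanged rules before and after the constructed events."""
    before = resolve(RULES, GROUPS, INITIAL_INVENTORY)
    after = resolve(RULES, GROUPS, apply_events(INITIAL_INVENTORY, EVENTS))
    return before, after


if __name__ == "__main__":
    for label, resolved in zip(("before", "after"), demo()):
        for rule_name, (src, dst) in resolved.items():
            print(label, rule_name, sorted(src), "->", sorted(dst))
```

After the events, `web-to-app` covers both web servers and the app server's new address, and `app-to-db` follows the moved app server, all without touching `RULES`. The check a practitioner cares about is the negative one: `web-dev01` carries `tier:web` but not `env:prod`, so it never resolves into a production group, which is what keeps tag-driven policy from quietly widening as workloads are cloned between environments.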

Open Discussion Questions & Answers

Palo Alto Networks Leadership


In our 36-criteria evaluation of automated malware analysis providers, we identified the 11 most significant ones — Blue Coat, Check Point, Cisco, Cyphort, Fidelis Cybersecurity, FireEye, Fortinet, Intel Security, Palo Alto Networks, Lastline, and Trend Micro — and researched, analyzed, and scored them.

Leaders

“…Palo Alto Networks’ strategy going forward is comprehensive, covering prevention as well as detection and response, and its development of AutoFocus to leverage threat intelligence looks promising…”

Palo Alto Networks Leadership


A GARTNER LEADER AGAIN. AGAIN.

Now a five-time Gartner Magic Quadrant Leader

Palo Alto Networks is assessed as a Leader mostly because of its NGFW focus and its record of delivering NGFW features ahead of competitors, and because of its consistent visibility in Gartner shortlists for advanced firewall use cases, frequently beating its competition on feature granularity and depth.


THANK YOU!

Domenico Stranieri Pre-Sales Engineer

[email protected]