The Next-Generation Security Platform for Cable Operators
Challenges and Opportunities
• Preserve returns on invested capital
• Secure services, subscribers and businesses
• Grow ARPU
• Monetize the network
• Secure NFV/SDN
The Palo Alto Networks Advantage
• Effective threat prevention
• Lower OPEX and TCO
• A platform for managed services
• Proven for NFV/SDN
Next-Generation Security: Enabling Business Acceleration for Cable Operators
The enterprise services segment clearly presents a
growing opportunity, and priority, for cable operators.
“Cable First” initiatives that deliver highly lucrative
location-based services, IoT, cloud-hosting environments for traditional applications, CaaS-based collaboration/contact center solutions, and managed security
services are rapidly transforming the value proposition
of the MSO. Combining their highly scalable access
footprints with their rich subscriber/business relationships, MSOs are uniquely positioned at the forefront
of enterprise technology services. At the same time,
the proliferation of cloud-based applications, cloud
computing, and virtualization has created a paradigm
shift in how these types of networks must be secured.
Port-centric, detection-based solutions that are
isolated from collective analytics and remediation from
the cloud are no longer adequate. Palo Alto Networks®
has created a network security solution focused on
the requirements of the MSO, one that emphasizes
prevention over detection, application filtering via
application identification (App-ID), access to cloud-based security updates,
virtualization at scale, and end-to-end threat lifecycle mitigation (from the network all the way to the
desktop/endpoint).
Legacy Security Architectures and the ROSI Approach Fail to Deliver Business Value
The traditional approach to evaluating security investments uses Return on Security Investment (ROSI)
as a key metric. ROSI compares the cost to buy and
operate a proposed security solution to the expected
loss avoidance the solution will deliver. Some organizations also factor in a risk-based approach in order
to account for the need to mitigate low-probability,
but potentially catastrophic losses. Legacy firewalls, IPS and UTMs
have not played much of a role in enabling MSOs to execute their
business strategies because the value of those solutions is very
much aligned with this insurance policy model of security. They
have been a necessary, but unwanted, cost of doing business.
[Sidebar: hardware and virtual platforms. PA-7050; PA-5000 Series (PA-5060, PA-5050, PA-5020); PA-3000 Series (PA-3060, PA-3050, PA-3020); PA-2000 Series (PA-2050, PA-2020); PA-500; PA-200; VM-Series (VM-300, VM-200, VM-100).]
Palo Alto Networks | Solution Brief
Next-generation security from Palo Alto Networks is architected
to provide fully integrated security based on application, user and
content. The result of this fundamental difference is security that
is easier to configure and manage; provides better reporting; and,
most importantly, does a far better job of securing data, assets and
services. In that respect it delivers a much higher ROSI than legacy
solutions, but the value goes well beyond that. The visibility, reporting and security capabilities provide MSOs with new opportunities
to deliver value-added services and monetize their networks.
The Palo Alto Networks security platform delivers 10 critical
capabilities that enable MSOs to secure infrastructure and services
while enabling high-growth business initiatives.
The 10 Critical Security Functions
1. Identify and control applications regardless of port, protocol, evasive tactic or encryption
Legitimate application developers and hackers alike share a
common goal: to get their applications through firewalls. They
have done an excellent job of this by taking advantage of the
fact that traditional firewalls use port and protocol as the
indicator of application. So, they simply write their applications
to use commonly open ports and protocols (e.g., TCP port 80,
443), or they dynamically discover open ports. Applications such
as Skype®, SharePoint®, Box, or Facebook® all look like HTTP or
HTTPS to traditional firewalls. Networks that rely on this legacy
technology are effectively wide open. The Palo Alto Networks
solution is not port-based. Our exclusive App-ID™ technology
enables you to directly configure policy based on applications
and users. The reporting capability associated with this technology provides true visibility into application usage. This enables
MSOs to secure the network and offer differentiated services,
and they can leverage it to gain visibility into OTT traffic.
2. Apply a positive security model
Positive security controls mandate that anything not explicitly
allowed is denied. A negative model is just the opposite, allowing
everything that is not explicitly prohibited. Given that virtually
all threats start as unknowns, a negative control model is doomed
to fail. Legacy port-based firewalls can deliver positive security
controls (i.e., deny all, except traffic to specified ports and
destinations), but they only look at the packet header. In contrast,
IPS devices look at the packet contents, but they apply negative
controls. They allow all traffic that does not match a signature in
the database.
“The benefit of using a positive security model is that new attacks
will be prevented. The negative model can be quite tempting...,
however a negative model means you’ll never be sure you’ve
addressed everything. You’ll also end up with a long list of
negative signatures that has to be maintained.”
Source: owasp.org
As legacy vendors incorporated IPS functions into their firewalls,
their application control functions were embedded into the IPS
because their firewall function was unable to look beyond the
header. As a result, these so-called next-generation solutions
cannot apply positive security controls at the application level.
The Palo Alto Networks firewall is fundamentally different in that
firewall policy is configured based on application — unknown
applications (or unknown sub-functions of allowed applications,
or misuse of an allowed application) can be stopped automatically.
This is a critical difference because unknown applications, and the
misuse or exploitation of known applications, are primary vectors
for attacks on today’s networks.
“Palo Alto (sic) is the only single device that can give you the
insights, the reports and the flexibility that we require. We needed
a next-generation firewall to do it at gigabytes speed.”
— Networx Australia
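The three control models contrasted in sections 1 and 2 (a header-only port rule, a signature-driven negative model, and an application-plus-user positive model), run against constructed sample sessions. This is an added example, not Palo Alto Networks code; the toy content classifier is an assumption standing in for App-ID, and the signatures, user groups and allow lists are invented for illustration.

```python
"""Positive (allow-list) vs. negative (block-list) control models.

Constructed example: a minimal application classifier plus three policy
engines, so the difference described in the brief can be run on sample
sessions. The classifier is a stand-in assumption, not the App-ID
algorithm; the signatures and rules are illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_group: str   # e.g. "finance", "engineering"
    dst_port: int
    payload: bytes    # first bytes sent by the client


def classify_app(payload: bytes) -> str:
    """Toy content-based application identification. Traffic that matches
    no decoder is labelled unknown; it is never guessed from the port."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if payload[:3] in (b"\x16\x03\x01", b"\x16\x03\x03"):
        return "ssl"           # TLS record header of a ClientHello
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "web-browsing"
    return "unknown-tcp"


def port_based_policy(s: Session) -> str:
    """Legacy header-only positive control: deny all except listed ports.
    It never sees what is inside the session."""
    return "allow" if s.dst_port in (80, 443) else "deny"


# Negative model, as in a standalone IPS: block only what matches a signature.
IPS_SIGNATURES = (b"SSH-1.99", b"X-Evil-Header")   # constructed


def ips_negative_policy(s: Session) -> str:
    return "deny" if any(sig in s.payload for sig in IPS_SIGNATURES) else "allow"


# Positive model on application + user: anything not listed is denied,
# including "unknown-tcp", regardless of which port it arrived on.
APP_ALLOW_LIST = {
    "finance": {"web-browsing", "ssl"},
    "engineering": {"web-browsing", "ssl", "ssh"},
}


def app_based_policy(s: Session) -> str:
    app = classify_app(s.payload)
    return "allow" if app in APP_ALLOW_LIST.get(s.user_group, set()) else "deny"


def evaluate(s: Session) -> dict:
    return {
        "app": classify_app(s.payload),
        "port_based": port_based_policy(s),
        "ips_negative": ips_negative_policy(s),
        "app_based": app_based_policy(s),
    }


# Constructed sample sessions.
SAMPLES = {
    "https_from_finance": Session("finance", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),
    "ssh_on_443_from_finance": Session("finance", 443, b"SSH-2.0-OpenSSH_7.4\r\n"),
    "ssh_on_443_from_engineering": Session("engineering", 443, b"SSH-2.0-OpenSSH_7.4\r\n"),
    "unknown_on_80": Session("finance", 80, b"\x00\x01\x02\x03custom-tunnel"),
}

if __name__ == "__main__":
    for name, sess in SAMPLES.items():
        print(f"{name:30} {evaluate(sess)}")
```

The session carrying an SSH banner on port 443 is the case the text describes: the port rule allows it, the IPS has no signature for it, and only the application-based allow list denies it for the finance group while still permitting it for engineering.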
3. Decrypt outbound SSL and control SSH
Visibility and control must also be applied to encrypted traffic,
which comprises a growing proportion of traffic overall. The
MSO security team may have a large and growing blind spot with
respect to the visibility and control of SSL and SSH. However,
flexibility is needed. The Palo Alto Networks next-generation
firewall has the flexibility to leave some SSL-encrypted traffic
alone (e.g., Web traffic from financial services or health care
organizations), while other types (e.g., SSL on non-standard ports,
HTTPS from unclassified websites in Eastern Europe) can be
decrypted via policy. It also provides visibility and control over
SSH, which is easily configured by end users for non-authorized
purposes (e.g., application tunneling, remote desktop). SSH is also
commonly used by high-privilege users, so control and visibility is
an important security capability.
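The selective decryption policy described above, as an added example in Python rather than firewall configuration syntax (this is not Palo Alto Networks code). It makes the ordering point explicit: the privacy exclusions for financial and health care categories are evaluated before the broader decrypt rules, so a bank reached on a non-standard port stays encrypted. The category names, the country list standing in for "Eastern Europe" and the default action are constructed assumptions.

```python
"""Selective TLS decryption policy with first-match semantics.

Added example. Rule order carries the security meaning: exclusions for
regulated categories must precede the broad "decrypt" rules, otherwise
a financial site on a non-standard port is decrypted by the port rule.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class TlsFlow:
    sni: str            # server name from the ClientHello
    dst_port: int
    url_category: str   # result of a URL-category lookup (assumed available)
    dst_country: str    # ISO 3166-1 alpha-2 of the server address (assumed)


@dataclass(frozen=True)
class DecryptRule:
    name: str
    action: str                         # "decrypt" or "no-decrypt"
    match: Callable[[TlsFlow], bool]


PRIVACY_CATEGORIES = {"financial-services", "health-and-medicine"}
WATCH_REGIONS = {"RU", "UA", "BY", "MD"}   # constructed stand-in for the text's region

POLICY = [
    DecryptRule("exclude-regulated", "no-decrypt",
                lambda f: f.url_category in PRIVACY_CATEGORIES),
    DecryptRule("ssl-nonstandard-port", "decrypt",
                lambda f: f.dst_port != 443),
    DecryptRule("unknown-site-watch-region", "decrypt",
                lambda f: f.url_category == "unknown" and f.dst_country in WATCH_REGIONS),
]
DEFAULT_ACTION = "no-decrypt"   # assumption: leave unmatched traffic alone

# Same rules with the exclusion moved last, to show what mis-ordering does.
MISORDERED = POLICY[1:] + POLICY[:1]


def decide(flow: TlsFlow, policy=POLICY) -> tuple[str, str]:
    """Return (action, rule_name) for the first matching rule."""
    for rule in policy:
        if rule.match(flow):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


if __name__ == "__main__":
    bank = TlsFlow("bank.example", 8443, "financial-services", "US")
    print("ordered:   ", decide(bank))
    print("misordered:", decide(bank, MISORDERED))
    print("unknown RU:", decide(TlsFlow("cdn.example", 443, "unknown", "RU")))
    print("news US:   ", decide(TlsFlow("news.example", 443, "news", "US")))
```

A practical check before pushing such a policy is exactly the `MISORDERED` comparison: run the regulated-category test flows through the rule base and confirm none of them resolves to a decrypt rule.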
4. Control application function
Applications typically offer multiple functions, some of which
an MSO may need to prohibit for security or regulatory reasons.
For example, conferencing applications often allow remote desktop sharing and file transfer capabilities. The Palo Alto Networks
platform continually classifies each application, monitoring for
changes that may indicate a different function is being used. It
detects when a different function or feature is introduced in the
session, notes it within the state tables, and performs a policy
check. This continual state tracking to understand the different
functions of each application and their associated risks is a
critical element of visibility, control and security.
5. Safely enable new applications
A wide range of applications enable your business and the business of your customers. The applications may be hosted internally
or in the cloud. Whether hosted by SharePoint, Box.net, Google®
Docs™, Microsoft® Office 365™, or even an extranet application
hosted by a partner, many organizations have a requirement to use
an application that may use non-standard ports, SSL or can share
files. These applications are essential to the business, but they can
also act as a cyberthreat vector. The tendency to use non-standard
ports is highly accentuated in the world of malware.
Safe enablement means allowing an application but constantly
scanning it for threats. Applications communicate over a
combination of protocols (e.g., SharePoint uses CIFS, HTTP
and HTTPS). The Palo Alto Networks platform identifies the
application (regardless of port or encryption) and enables policy
control over the functions you want to allow or deny. It continually scans the allowed components for threats and misuse:
exploits, viruses/malware, spyware, and confidential, regulated
or sensitive information.
6. Enable application visibility and control for all users and devices
The MSO workforce is increasingly mobile, working from laptops, smartphones and tablets. Whether working from a coffee
shop, home or a customer location, users need to connect to
their applications. Regardless of where the user is, or even
where the employed application might be, the same standard of
policy control should apply. The GlobalProtect™ mobile security
service in the Palo Alto Networks platform delivers consistent
visibility, security and policy control over traffic, regardless of
where the user is. It has the flexibility to apply policies that are
adapted to the user, location, endpoint and application. For example, some organizations might want employees to use Skype
when on the road, but not inside headquarters, whereas others
might have a policy that says, if outside the office, users may
not download salesforce.com attachments unless they have
hard disk encryption turned on. Securely enabling the mobile
workforce is a key business value that MSOs can leverage for
both their internal workforce and business services subscribers.
7. Make network security simpler
MSOs struggle with incorporating more information feeds,
policies and management into overloaded security processes
and people. The more distributed the policy is (e.g., port-based
firewall allows port 80 traffic, IPS looks for and blocks threats
and applications, secure Web gateway enforces URL filtering),
the harder it is to manage that policy. Typical port-based
firewall installations have rule bases that include thousands of
rules. Business is based on applications, users and content —
not ports and protocols. Palo Alto Networks Next-Generation
Firewall policy control, reporting and event logging are based
on application (App-ID™), content (Content-ID™) and user
(User-ID™). The concept is simple and straightforward: build
policies based on who the user is (user identity and job role),
and specify which applications and sub-functions they are permitted in the context of their job role, endpoint and location.
8. Deliver the same throughput and performance with application
control fully activated
MSOs cannot afford to compromise between performance and
security. The Palo Alto Networks Next-Generation Firewall
maintains performance even with all of the security functions
enabled because of its unique “single-pass” inspection architecture.
Traffic is inspected once and processed in parallel for all
security elements (e.g., application, user, content, malware, URL
filtering). Competing solutions typically employ multi-bladed
architectures, which require each security function to perform
its own inspection. The result is throughput degradation of over
90 percent in many cases. It is critical that performance and
security both scale to the high throughput needs of MSOs.
“Regardless of which ... features we enabled — intrusion
prevention, antispyware, antivirus, or any combination
of these — results were essentially the same as if we’d
turned on just one such feature. Simply put, there’s no
extra performance cost...”
— Network World, 2011
9. Provide a platform for managed services
According to IDC, the managed security services market is over $15
billion and will grow at a compound annual rate of 12 percent
for the next several years. Businesses of all sizes are struggling
to secure their assets while enabling mobility for their users,
BYOD and cloud-based applications. Recognizing that they do
not have the core competency and resources to adequately do
this on their own, they are looking to their network providers
to provide these services. MSOs are in an excellent position
to move up the customer value chain by offering managed
security services in either a hosted model, CPE model or both.
Because of its tightly integrated but modular suite of capabilities,
Palo Alto Networks is the ideal platform for delivering
managed services.
10. Enable security for NFV/SDN deployments
The explosive growth of virtualization and cloud computing
introduces new security challenges that are difficult or impossible
for legacy firewalls to effectively manage. Simply having a platform
that can run on a VM does not enable the benefits of NFV/SDN.
The security functions need to be dynamically and automatically
instantiated in concert with new instances of applications and
servers. Static firewall policies based on IP addresses, ports and
protocols are incompatible with SDN environments where VM-to-VM
traffic flows are dynamically and automatically instantiated.
Key capabilities in the Palo Alto Networks NGFW, such as
dynamic address groups, enable fully automated orchestration of
virtualized security. The Palo Alto Networks NGFW VM-Series
supports open source technology platforms (e.g., KVM and OpenStack®)
and VMware® NSX™. This is a critical enabling technology
for MSO adoption of NFV/SDN.
[Figure: Palo Alto Networks Next-Generation Security Platform. Components: Next-Generation Firewall, Advanced Endpoint Protection, Threat Intelligence Cloud. Properties: Natively Integrated, Automated, Extensible. Coverage: Network, Cloud, Endpoint.]
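The dynamic address group mechanism that section 10 credits with automating virtualized security, as an added example (not Palo Alto Networks code; the tag syntax, group definitions and IP addresses are constructed assumptions). A rule references a group defined by a tag filter rather than by addresses; when an orchestrator registers or retires a VM, group membership and therefore the rule's effect change without any edit to the rule base.

```python
"""Dynamic address groups: policy that follows VM tags, not IP addresses.

Added example. An inventory holds the tags an orchestrator (e.g.
OpenStack or NSX) publishes for each VM. A group is a tag filter,
evaluated at lookup time, so a newly instantiated VM is covered by the
existing rule the moment it is registered, and drops out when retired.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Inventory:
    """IP -> set of tags, as published by the orchestrator (assumed)."""
    hosts: Dict[str, Set[str]] = field(default_factory=dict)

    def register(self, ip: str, *tags: str) -> None:
        self.hosts[ip] = set(tags)

    def retire(self, ip: str) -> None:
        self.hosts.pop(ip, None)


@dataclass(frozen=True)
class DynamicAddressGroup:
    name: str
    # OR of AND-terms: a host is a member if all tags of any one term are present.
    match_terms: Tuple[Tuple[str, ...], ...]

    def members(self, inv: Inventory) -> Set[str]:
        return {ip for ip, tags in inv.hosts.items()
                if any(set(term) <= tags for term in self.match_terms)}


@dataclass(frozen=True)
class Rule:
    name: str
    src_group: str
    dst_group: str
    app: str
    action: str


def lookup(rules: List[Rule], groups: Dict[str, DynamicAddressGroup],
           inv: Inventory, src_ip: str, dst_ip: str, app: str) -> str:
    """First matching rule wins; no match means deny (positive model)."""
    for rule in rules:
        if (src_ip in groups[rule.src_group].members(inv)
                and dst_ip in groups[rule.dst_group].members(inv)
                and app == rule.app):
            return rule.action
    return "deny"


def scenario() -> Dict[str, str]:
    """Scale-out and retirement of web VMs with a fixed rule base (constructed)."""
    inv = Inventory()
    groups = {
        "prod-web": DynamicAddressGroup("prod-web", (("role.web", "env.prod"),)),
        "prod-db": DynamicAddressGroup("prod-db", (("role.db", "env.prod"),)),
    }
    rules = [Rule("web-to-db", "prod-web", "prod-db", "mysql", "allow")]
    inv.register("10.0.1.10", "role.web", "env.prod")
    inv.register("10.0.2.10", "role.db", "env.prod")
    out = {}
    out["first_web"] = lookup(rules, groups, inv, "10.0.1.10", "10.0.2.10", "mysql")
    out["before_scale_out"] = lookup(rules, groups, inv, "10.0.1.11", "10.0.2.10", "mysql")
    inv.register("10.0.1.11", "role.web", "env.prod")          # orchestrator adds a web VM
    out["after_scale_out"] = lookup(rules, groups, inv, "10.0.1.11", "10.0.2.10", "mysql")
    inv.register("10.0.1.12", "role.web", "env.dev")           # same role, wrong environment
    out["dev_web"] = lookup(rules, groups, inv, "10.0.1.12", "10.0.2.10", "mysql")
    out["wrong_app"] = lookup(rules, groups, inv, "10.0.1.10", "10.0.2.10", "ssh")
    inv.retire("10.0.1.11")                                    # VM torn down
    out["after_retire"] = lookup(rules, groups, inv, "10.0.1.11", "10.0.2.10", "mysql")
    return out


if __name__ == "__main__":
    for step, verdict in scenario().items():
        print(f"{step:18} {verdict}")
```

The `dev_web` case is the one to watch in practice: membership is only as precise as the tags, so a filter that matched on `role.web` alone would silently admit development hosts to the production database rule.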
Summary
We have seen how the Palo Alto Networks next-generation
architecture delivers a positive security control model in a
straightforward, elegant fashion. This alone provides major
business benefits for the MSO, including effective security,
simpler management and lower overhead. The solution also
integrates additional security and access capabilities into the
platform architecture. These functions allow the MSO to replace
point solutions for remote access, mobile device management,
Web proxies and sandboxing. The result is fewer devices on the
network, efficient management, better reporting, and greater
agility in responding to the needs of the business:
GlobalProtect: SSL and IPSec VPN with integrated Mobile
­Device Management. Extends NGFW policy control and
visibility to remote and mobile users. No need for a separate
VPN and MDM platform.
WildFire™: Integrated IPS and APT protection. Connected to the
Palo Alto Networks Threat Intelligence Cloud, every NGFW is
updated with new protections from zero-day threats every 15
minutes.
URL Filtering: Integrated policy control for user access plus protection from malicious websites, CnC servers and malicious DNS.
Traps™: Advanced endpoint security. Traps detects and stops
malware on the endpoint before it executes. Unlike AV signature-based and behavior-based endpoint security products,
Traps stops both known and unknown malware by blocking the
methods of exploit that all malware employs. This approach is
proven to be more effective and to have far less impact on the
endpoint than other solutions.
For more information:
https://paloaltonetworks.com/solutions/industry/service-providers-telco.html
4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of
Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may
be trademarks of their respective companies. pan-ng-security-platform-for-cableoperators-sb-030316