Hello, everyone, my name is Warby Warburton. I'm a senior tech marketing engineer at Palo Alto Networks. And today I want to talk to you about how our next-generation firewall technology can secure your data center. So we'll start with the data center. And we're going to put some applications in the data center. You might have applications for your employees, for your partners, and for your end users. So we'll draw next our corporate office. So we have IT, we've got our employees. And they will need to connect into these applications and manage them. Also, we might have a partner site that we work with. In addition, we may have the need for a disaster recovery data center. And of course we're going to have our end users out on the Internet. So with a traditional firewall, we would have to allow applications based on ports, which isn't very secure and is difficult to manage. So, for example, your end users may come in, and they need port 80 or port 443. And we just have to hope that they're using a legitimate application over that port. Your disaster recovery site probably has some kind of dedicated connection. Lots of applications flowing between here, maybe databases are synchronizing for backup. Partners, you might have some kind of secure tunnel. And you need to know what those actual applications are across that tunnel. Difficult to manage with a traditional firewall. You need to allow IT access to manage this infrastructure in the data center, as well as employee access to the employee applications. The other problem you might have with a traditional firewall is a malicious user is going to hit your application. And, for example, hide on this 443 channel doing something other than the intended application, maybe trying to compromise a server, get BitTorrent installed and start uploading malware. With a traditional firewall, I don't even know that's happening.
Because I've opened up a port without having any visibility of what that application is and whether or not there is malware on that channel. So next, I'll show you how a next-generation firewall from Palo Alto Networks will solve these problems. Okay, so now we've installed a next-generation firewall. We can identify applications coming in and out of the data center. We can monitor for threats, we can use WildFire to check for zero-day attacks to protect our data center from all these different sources. So now, at this point, we still have some kind of secure tunnel from our partner site. But we can actually see which applications are coming across that tunnel. We can limit them, we can report on them if we get anything we don't expect. We can allow, for example, IT to connect here to manage it. And based on their User-ID, we can allow specific applications like RDP and SSH that we wouldn't allow other employees or other sources to connect to. We can have employees come in with something like SharePoint and ensure that it really is SharePoint. We can still connect our disaster recovery data center remotely and only allow things like SQL. Whatever that traffic should be, those applications we can monitor to make sure that malware isn't propagating. Our disaster recovery data center is specifically for disaster recovery; it needs to be protected as well. And our end users, we will now allow specifically the application they need, not just a random port or a specific port. Something like, for example, Microsoft Lync or Exchange. Now when my malicious user tries to come in and leverage this port, this channel, that traffic is inspected. I know that it's not Lync, it's something like BitTorrent or some other attempt to get into a login, and I will block that traffic. I will also inspect traffic from users who maybe have unknown malware on their machines and make sure that malware isn't propagating into the data center and spreading to other sites.
Next I'm going to show you on our firewall an actual sample configuration where I will allow traffic by application, by user, and I will check that traffic for malicious content and ensure that it is safe and it is secure. Next up I'm going to talk about how to secure the edge of your data center with our next-generation firewall. Here's a sample logical topology. It's pretty simple, I've got a three-tier SharePoint deployment with two web front-end servers, a middle SharePoint app tier and a back-end MS SQL database tier. I also have a domain controller. These are running inside the data center. And I've got our next-generation firewall running at the edge to secure and protect traffic in and out of the data center. >> Later I'll talk about, in another video, how to secure the east-west traffic. But the focus of this demo will be the north-south traffic. This is the actual firewall, and I have a pretty simple policy basically allowing client access to the SharePoint application. And I allow IT to RDP into the environment for the purpose of administration, but only IT can do that. And I use User-ID to distinguish between the different groups. And I also have some test rules for allowing ping into the environment and traffic for the domain controller. So for the first step, I'm going to show how we can identify different traffic. So I have connected to my SharePoint server from my web client. And if I change this, we can see, this is my, again, my test client, in this case a Windows 7 PC, connecting to the environment, and I can see who the user is. If, for example, this user tried to RDP into the environment to the server, it should fail. So let's go ahead and try that out. And I'm not getting a response. Let me do a refresh on the log. And we can see RDP traffic for the marketing user is denied; it says "block all other RDP". So now what I'm going to do is I'm going to log out of this Windows box. I'm going to log back in as the IT user using the domain credentials.
Log back in as an IT user and do the same exact test. So we can see I'm logged in on the same computer. But this time I've logged in as an IT user, and I'm a member of the IT domain. So if I, again from the same source IP, try again to connect to that same destination server, this time I get a prompt for a password. And I log in, and if I come back and do a refresh on my traffic log, I can now see that the source and destination are identical. But it says IT user in this case, and this case is allowed, because IT is allowed to do that. So that's showing how User-ID can be a very powerful tool for the edge of your data center. Okay, next up I want to talk about dynamic address groups. It's very common to use dynamic address groups on a virtual firewall, for example, in a data center monitoring east-west traffic. It's also a very important use case to use dynamic address groups at the edge of your data center. So, for example, in this case, my data center firewall has a dynamic address group called WebFrontEndServers, which currently has the two IPs associated with my WebFrontEnd-01 server. If I go look in the vCenter view, I can see that the two IP addresses associated with WebFrontEnd-02 are not yet associated with that group. So 15.0.0.203 does not yet exist in this group. So, for example, if I go to my Windows client and I ping 15.0.0.202, that's the first web front-end server, that works. If I try to ping WebFrontEnd-02, it fails. And if we look in the logs for ping for recent traffic, we can see, for example, that the Windows client was able to ping the first one, WebFrontEnd-01. But when it tried to ping WebFrontEnd-02, it was denied. And the reason is it hasn't yet been added to that dynamic address group. So in this case, the dynamic address group membership is coming from NSX. It doesn't have to be from NSX. It could be directly from vCenter or from a host. But in the case of NSX, I'm doing it based on security tags.
So if I come in here and set the web front-end server to have the WebServer security tag, that information will get pushed via Panorama to the edge firewall for the data center. And the group will automatically be updated. So we can see now that the 15.0.0.203 IP address has been added to the group. And if I again try to ping 203, that works. And if I come back to the log, I can now see that the same traffic that was previously denied is now being allowed. So same source and destination, same user. The only difference being that this IP, the destination IP, is now a member of the proper group, and so it's allowed by policy. So again, a physical firewall at the perimeter of your data center is a very good place to do dynamic address groups, so that you don't have to change your policy or any part of your config when something like a web farm expands, which can happen very frequently in a virtualized data center. The last thing I wanted to mention is that, as with all our firewalls in this environment, threat prevention and things like WildFire for zero-day protection are very important. So I do have in my policy, for example, for my SharePoint access, I absolutely want to turn on all of my antivirus, my anti-spyware and my file blocking profiles. So I get the same protection I do for the perimeter of the enterprise also in the data center. You can no longer assume that, because your data center is maybe part of your enterprise or maybe it's located at your corporate location and you have an enterprise firewall, the data center will be safe. People either intentionally or unintentionally may bring malware in over a portable device into the corporate office. And it could propagate into the data center without this protection. So you definitely want to have threat protection turned on. You want to have your zero-day protection with WildFire in addition to your application identification and your user identification that I've already shown.
So in the next video I will go through how to do east-west protection in this data center in addition to the north-south protection. Those two solutions together give you complete security.
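The following is an added example, not code from the video or from Palo Alto Networks: a small Python model of the north-south rulebase walked through in the demo, so the two log results it shows (marketing RDP denied by "block all other RDP", IT RDP allowed by User-ID; ping to 15.0.0.203 denied until the WebServer tag lands, then allowed through the WebFrontEndServers dynamic address group) can be reproduced offline. The group name, tag name, IT group and the two host addresses come from the transcript; the rule names, the App-ID strings, the "marketing" group name and the fact that only one of WebFrontEnd-01's two IPs is tagged are assumptions. The demo feeds tags from NSX through Panorama; the `uid_register_message` helper builds the PAN-OS User-ID XML API payload that registers the same kind of IP-to-tag mapping directly, which is an alternative the transcript does not use. The model evaluates policy only; it does not stand in for the antivirus, anti-spyware, file blocking or WildFire profiles the speaker attaches to the allow rules.

```python
"""Model of a PAN-OS style north-south policy: App-ID, User-ID group and a
tag-driven dynamic address group (DAG).  Constructed example, not vendor code."""
from dataclasses import dataclass
from xml.etree.ElementTree import Element, SubElement, tostring

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    app: str          # App-ID name, or ANY
    src_group: str    # User-ID group the source user must belong to, or ANY
    dst_dag: str      # dynamic address group the destination must be in, or ANY
    action: str       # "allow" or "deny"


class EdgeFirewall:
    """First-match rulebase; anything unmatched falls to the interzone default deny."""

    def __init__(self, rules, dags):
        self.rules = list(rules)
        self.dags = dict(dags)      # DAG name -> tag that selects its members
        self.ip_tags = {}           # ip -> set of tags currently registered on it

    def register_tag(self, ip, tag):
        """What happens when NSX/Panorama (or the User-ID API) pushes a tag."""
        self.ip_tags.setdefault(ip, set()).add(tag)

    def unregister_tag(self, ip, tag):
        self.ip_tags.get(ip, set()).discard(tag)

    def dag_members(self, dag):
        """DAG membership is recomputed from tags, never edited in the policy."""
        tag = self.dags[dag]
        return {ip for ip, tags in self.ip_tags.items() if tag in tags}

    def _dst_matches(self, dag, dst_ip):
        return dag == ANY or dst_ip in self.dag_members(dag)

    def evaluate(self, app, src_group, dst_ip):
        """Return (rule name, action) for a flow, like one traffic-log row."""
        for r in self.rules:
            if (r.app in (ANY, app)
                    and r.src_group in (ANY, src_group)
                    and self._dst_matches(r.dst_dag, dst_ip)):
                return r.name, r.action
        return "interzone-default", "deny"


def uid_register_message(ip, tag):
    """Build the User-ID XML API payload (type=user-id) that registers a tag on
    an IP.  Only builds the XML; no request is sent."""
    msg = Element("uid-message")
    SubElement(msg, "version").text = "1.0"
    SubElement(msg, "type").text = "update"
    register = SubElement(SubElement(msg, "payload"), "register")
    entry = SubElement(register, "entry", ip=ip)
    SubElement(SubElement(entry, "tag"), "member").text = tag
    return tostring(msg, encoding="unicode")


def build_demo_firewall():
    """The rulebase the demo describes, with WebFrontEnd-01 tagged and
    WebFrontEnd-02 not yet tagged (rule and App-ID names are assumptions)."""
    fw = EdgeFirewall(
        rules=[
            Rule("allow-sharepoint", "sharepoint", ANY, "WebFrontEndServers", "allow"),
            Rule("allow-it-rdp", "ms-rdp", "IT", ANY, "allow"),
            Rule("block-all-other-rdp", "ms-rdp", ANY, ANY, "deny"),
            Rule("test-ping", "ping", ANY, "WebFrontEndServers", "allow"),
        ],
        dags={"WebFrontEndServers": "WebServer"},
    )
    fw.register_tag("15.0.0.202", "WebServer")   # WebFrontEnd-01 (one of its IPs)
    return fw


if __name__ == "__main__":
    fw = build_demo_firewall()
    print(fw.evaluate("ms-rdp", "marketing", "15.0.0.202"))  # block-all-other-rdp
    print(fw.evaluate("ms-rdp", "IT", "15.0.0.202"))         # allow-it-rdp
    print(fw.evaluate("ping", "marketing", "15.0.0.203"))    # interzone-default deny
    fw.register_tag("15.0.0.203", "WebServer")               # tag WebFrontEnd-02
    print(fw.evaluate("ping", "marketing", "15.0.0.203"))    # test-ping allow
    print(uid_register_message("15.0.0.203", "WebServer"))
```

The point the model makes explicit is that the ping to 15.0.0.203 never matches a deny rule; it is denied only because no allow rule covers it until the tag makes the host a member of the group, which is why the policy itself never changes when the web farm grows. On a real firewall the rule order and the User-ID group mapping would also have to be checked against the traffic log, as the speaker does, since a later "allow any" or an unmapped user would change the outcome.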