VM-Series on AWS • Complements Native AWS Security with Application Enablement Policies That Prevent Threats and Data Loss

VM-Series on AWS • Complements Native AWS Security with Application Enablement Policies That Prevent Threats and Data Loss

VM-Series on AWS • Complements native AWS security with application enablement policies that prevent threats and data loss. VM-Series on AWS • Allows you to transparently Palo Alto Networks VM-Series Virtual Next-Generation embed security in the application ® development process through Firewalls protect your Amazon Web Services (AWS ) automation and centralized workloads with next-generation security features that management. allow you to confidently and quickly migrate your business- • Enables security to scale dynamically critical applications to the cloud. AWS CloudFormation yet independently of your workloads through integration with AWS Auto Templates and third-party automation tools allow you to Scaling and Elastic Load Balancing. embed the VM-Series in your application development • Cost-effectively protects lifecycle to prevent data loss and business disruption. deployments with many VPCs through a transit VPC architecture. Strata by Palo Alto Networks | VM-Series on AWS | Datasheet 1 As AWS becomes the dominant deployment platform for your User-Based Policies Improve Security Posture business-critical applications, protecting the increased public Integration with on-premises user repositories, such as cloud footprint from threats, data loss, and business disruption Microsoft Exchange, Active Directory®, and LDAP, lets remains challenging. The VM-Series on AWS solves these you grant access to critical applications and data based on challenges, enabling you to: user credentials and needs. For example, your developer • Protect your AWS workloads through unmatched application group can have full access to the developer VPC while only visibility and precise control. IT administrators have RDP/SSH access to the production • Prevent threats from moving laterally between workloads VPC. When deployed in conjunction with Palo Alto Networks ™ and stop data exfiltration. GlobalProtect network security at the endpoint, the VM- Series on AWS can extend your corporate security policies to • Eliminate security-induced application development bottle- mobile devices and users regardless of their location. necks with automation and centralized management. Applications and Data Protected from Known AWS Security Groups or and Unknown Threats Attacks, like many applications, can use any port, render- VM-Series? ing traditional prevention mechanisms ineffective. Enabling Threat Prevention and WildFire®, Palo Alto Networks malware Organizations are migrating their enterprise applications on prevention service, as segmentation policy elements will pro- AWS for many reasons, including business agility and a desire tect you against exploits, malware, and previously unknown to reduce data center footprints. In nearly all cases, the AWS threats from both inbound and lateral movement perspectives. deployment is connected to the corporate network, making the AWS resources network-accessible by users—and possibly Multiple Defenses Block Data Exfiltration and attackers. Security best practices dictate that your public Unauthorized File Transfers cloud security posture should mimic your data center security approach: understand your threat exposure through application Data exfiltration can be prevented using a combination of ap- visibility; usepolicies to reduce the attack surface area; and then plication enablement with Threat Prevention and DNS Security prevent threats and data exfiltration within the allowed traffic. features. File transfers can be controlled by looking inside files, not only at their file extensions, to determine whether transfer AWS Security Groups perform port-based filtering to control actions should be allowed. Command and control, associated access to the AWS resources deployed, and they must be enabled data theft, and executable files found in drive-by downloads or for the cloud deployment to be operational. The VM-Series secondary payloads can also be blocked. Data filtering features complements AWS Security Groups port-based controls by can detect and control the flow of confidential data patterns, reducing your attack surface through application enablement, such as credit card and Social Security numbers, in addition to preventing threats, and stopping data exfiltration. custom patterns. VM-Series on AWS Centralized Management Delivers The VM-Series allows you to embrace a prevention-based Policy Consistency approach to protecting your applications and data on AWS. Automation and centralized management features enable you Panorama™ provides centralized network security to embed next-generation security in your AWS application management for your VM-Series firewalls across multiple workflow, enabling security to keep pace with development. cloud deployments alongside your physical appliances, ensuring consistent and cohesive policy. Rich, centralized Complete Visibility Improves Security Decisions logging and reporting capabilities provide deep visibility into Understanding the applications in use on your network, virtualized applications, users, and content. Panorama com- including those that may be encrypted, helps you make prises Panorama Manager and the Log Collector, allowing you informed security policy decisions. to centrally manage your VM-Series firewalls in a distributed manner. Panorama Manager and the Log Collector can be Segmentation and Application Allow Listing Aid deployed on AWS or on-premises using M-Series dedicated Data Security and Compliance appliances. Alternatively, you can deploy both Panorama Using application allow listing to enforce a positive security components on AWS or in a hybrid scenario, with Panorama model reduces your attack surface by allowing specific Manager deployed on-premises and the Log Collector deployed on AWS. You can also use Panorama in conjunction applications that align to your organization’s needs (e.g., allow ™ SharePoint® documents for all, but limit SharePoint adminis- with Cortex Data Lake. tration access to the IT group). Allow listing policies also allow you to segment applications that communicate across subnets and between virtual private networks (VPCs) to stop lateral threat movement and meet compliance requirements. Strata by Palo Alto Networks | VM-Series on AWS | Datasheet 2 Automation to Support App • Throughout (Kbps) Dev Workflows • Connection per Second • Packets per Second The VM-Series on AWS includes management and automa- You can use these metrics to monitor the capacity and health tion features that enable you to embed security in your appli- status, and get deeper visibility into the usage and performance cation development workflow: of your individual VM-Series deployed in your AWS environ- • Bootstrapping allows you to create a working VM-Series ment. Additionally, you can use these metrics to get an aggre- configuration, complete with licenses and subscriptions, gated view of performance of all your VM-Series firewalls in that can be deployed in an automated, scalable manner. your autoscaling deployments, and then use it as a means to • A fully documented API, Dynamic Address Groups, and initiate autoscaling events. External Dynamic Lists allow you to automate VM- Series configuration changes and consume external data to dynamically drive security policy updates. Action-Oriented Integration with Amazon Guard- Log Forwarding lets you drive actions based on observed Duty and AWS Security Hub incidents in the logs. ® • Custom AMI support enables you to use the AWS Marketplace Amazon GuardDuty and Security Hub both provide visibility VM-Series image to create a customized AMI for use as the into potentially malicious activity within your AWS deployment. standard firewall image. To ensure encryption-at-rest policy Integration with the VM-Series allows you to send malicious IP compliance is maintained, you can deploy the VM- Series address information to the VM-Series and automatically update from an encrypted volume using AWS Key Management a security policy to block malicious traffic. Service (KMS). VM-Series on AWS High Automated Policy Updates with Availability Tag-Based Policy Model Network infrastructure best practices dictate that you ensure VM-Series leverages the native tags from AWS in the formula- your business-critical applications maintain maximum tion of network security policies. By basing policies on native uptime using high availability regardless of their deployment AWS infrastructure tags, rather than static attributes such as location. When deployed on AWS, the VM-Series supports port or IP address, VM-Series policies can dynamically update either a traditional, two-device, active/passive approach or a as new workloads are created, moved, or deprecated. more cloud-centric approach. Active/Passive High Availability Automating Deployments with On AWS, the VM-Series supports high availability using two VM-Series firewalls deployed in an active/passive config- Terraform and Ansible uration within a single AWS Availability Zone. If a failure If your organization uses multiple public and private cloud occurs, the AWS Elastic Network Interface (ENI) from the platforms, or you want to embed VM-Series deployments in active VM-Series firewall is programmatically moved to the your application development processes, you can deploy and passive VM-Series firewall using AWS API calls. configure the VM-Series using third-party toolsets, such as Terraform® and Ansible®. The combination of these tools and Cloud Native High Availability VM-Series automation features enables you to deploy and con- High availability can also be achieved on AWS

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    6 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us