7/25/2019 Vm Series Amazon Web Services
http://slidepdf.com/reader/full/vm-series-amazon-web-services 1/3
Palo Alto Networks | Datasheet 1
VM-Series for AWS Use Cases
Hybrid Cloud
• Securely enable a hybrid cloud using our complete next-generation firewall and advanced threat prevention features
• Move applications and data to and from AWS via a standards-based, site-to-site IPsec VPN tunnel
Segmentation Gateway
• Control application communication across different subnets within a VPC and between VPCs while blocking lateral threat movement
• Maintain separation of confidential data from other traffic for security and compliance purposes
Internet Gateway
• Control applications within AWS while preventing advanced cyberattacks from breaching your cloud and moving laterally
• Extend firewall and threat prevention policies to remote users and mobile devices with GlobalProtect
Security Challenges in the Public Cloud
AWS introduces well-known advantages of greater application development and deployment agility, scalability and flexibility. However, the security challenges you face in AWS are exactly the same as those you face when protecting a physical network.
These challenges include a lack of application visibility and
control, an inability to prevent cyberattacks, and cumbersome
policy update processes that can induce delays between
workload deployment and security policy updates. The
VM-Series for AWS solves these challenges, enabling you to:
• Identify and control applications traversing your AWS deployment, regardless of which ports they may use.
• Determine who should be allowed to use the applications, and grant access based on need and credentials.
• Stop malware from gaining access to, and moving laterally (east-west) within, the cloud.
• Extend perimeter protection mechanisms to all users and devices, regardless of location.
• Simplify management and minimize the security policy lag as virtual workloads change.
The VM-Series for AWS protects your workloads and data
with the same next-generation firewall and advanced
threat prevention features that are available in our security
appliances, allowing you to securely move to the cloud.
VM-SERIES FOR AMAZON WEB SERVICES
Amazon Web Services (AWS) is fueling an evolution within today’s data centers, enabling you to rapidly develop, deploy and manage new applications on a global scale. The VM-Series for AWS enables you to protect your applications and data in AWS with next-generation firewall and threat prevention features.
Are Native Security Features Sufficient?
As part of their services offering, AWS provides users with some basic security features, such as Security Groups, Access Control Lists (ACLs) and Web Application Firewalls (WAF).
These features will help you protect your AWS deployment;
however, Security Groups and ACLs look at traffic only from a port and IP address perspective and cannot identify and control your AWS traffic based on the application identity. A WAF looks only at HTTP/HTTPS applications and no other applications. These features only provide a base level of
security to reduce your attack surface; they will not control
all applications, protect against inbound threats, nor will they
stop their lateral movement. As the public cloud becomes an
extension of your data center, advanced security features,
such as those available from a next-generation firewall,
should become a requirement.
The VM-Series for AWS
The VM-Series for AWS enables you to securely implement
a cloud-first methodology while transforming your data
center into a hybrid architecture that combines the scalability
and agility of AWS with your on-premises resources. This
allows you to move your applications and data to AWS while
maintaining a security posture that is consistent with the one
you may have established on your physical network with
Palo Alto Networks® appliance-based firewalls.
The VM-Series for AWS natively analyzes all traffic in a single
pass to determine the application identity, the content, and
the user identity. These are key components in defining your
security posture and performing the related management
efforts, including visibility, policy control, reporting and
incident investigation.
Improve Security Decisions with Application Visibility
The VM-Series for AWS provides you with the identity of the application, irrespective of port, which means you have
far more relevant information about your AWS deployment,
including the application, who the user is, and from where it
emanates. This increased knowledge means you can make
more informed policy decisions and respond to incidents
more quickly.
Limit Security Exposure with Whitelisting Policies
With the VM-Series for AWS, you can extend your firewall
access control policies to the application level, forcing them
to operate on specific ports, while leveraging the “deny all
else” premise that a firewall is based on to block all others.
The added level of control becomes critically important as you deploy more of your data center assets in AWS.
Strengthen Security Posture with User-Based Controls
Integration with a wide range of user repositories, such
as Microsoft® Active Directory®, LDAP and Microsoft
Exchange, introduces the user identity as a policy element,
complementing application whitelisting with an added
access control component. User-based policies mean you
can grant access to critical applications and data based on
user credentials and respective need. For example, the App
team can have full access to the Development VPC, while the
Operations team has RDP/SSH access to the production VPC.
When deployed in conjunction with GlobalProtect™, the
VM-Series for AWS enables you to extend your corporate
security policies to mobile devices and users, regardless of
their location.
Prevent Advanced Attacks at the Application Level
Attacks, much like many applications, are capable of using
any port, rendering traditional prevention mechanisms
ineffective. The VM-Series for AWS allows you to use the Threat Prevention and WildFire™ services to apply application-specific threat prevention policies that block exploits,
malware, and previously unknown threats (APTs) from
infecting your cloud.
Improve Data Security with Segmentation
Today’s cyberthreats commonly compromise an individual
workstation or user and then move laterally across your
physical or virtualized network, placing your mission-critical
applications and data at risk. Using security zones and
whitelisting policies allows you to segment applications
communicating across different subnets and between VPCs
for regulatory compliance. Enabling the Threat Prevention and WildFire services to complement your segmentation
policies will block both known and unknown threats and stop
them from moving laterally from workload to workload.
Policy Consistency with Centralized Management
Panorama™ enables you to manage your VM-Series
deployments across multiple cloud deployments, along with
your physical security appliances, thereby ensuring policy
consistency and cohesiveness. Rich, centralized logging
and reporting capabilities provide visibility into virtualized
applications, users and content.
Automate Security Deployment and Policy Updates
The VM-Series for AWS includes native management features
that enable you to integrate security into your cloud-first
development projects. Bootstrapping automatically provisions a firewall with a working configuration, complete with
licenses and subscriptions, and then auto-registers itself with
Panorama. To automate policy updates as workloads change,
a fully documented XML API and Dynamic Address Groups
allow the VM-Series to consume external data in the form of
tags that can drive policy updates dynamically. The end result
is that new applications and next-generation security can be
deployed simultaneously in an automated manner.
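The tag-driven flow described above, as an added example that is not part of the datasheet or of Palo Alto Networks' own tooling: constructed instance tags are turned into the `<uid-message>` register payload that the PAN-OS XML API (`type=user-id`) accepts, and a simplified evaluator (an assumption about how `and`/`or` match filters resolve) shows which Dynamic Address Group each IP would land in, so a policy written against the group follows the workload without a rule edit.

```python
"""Added example: cloud instance tags -> PAN-OS User-ID tag registration -> DAG membership.
The instance list is constructed sample data; the <uid-message> structure follows the
PAN-OS XML API user-id register format; dag_members is a simplified match evaluator."""
import xml.etree.ElementTree as ET

# Constructed sample of what a describe-instances call might return (not real data).
INSTANCES = [
    {"ip": "10.0.1.10", "tags": {"role": "web", "env": "prod"}},
    {"ip": "10.0.2.20", "tags": {"role": "db", "env": "prod"}},
    {"ip": "10.0.3.30", "tags": {"role": "web", "env": "dev"}},
]


def instance_tags(inst):
    """Flatten key/value tags into the 'key-value' strings registered on the firewall."""
    return sorted(f"{k}-{v}" for k, v in inst["tags"].items())


def build_register_message(instances):
    """Build the <uid-message> body that is POSTed to /api/?type=user-id to map IPs to tags."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for inst in instances:
        entry = ET.SubElement(register, "entry", ip=inst["ip"])
        tag = ET.SubElement(entry, "tag")
        for t in instance_tags(inst):
            ET.SubElement(tag, "member").text = t
    return ET.tostring(root, encoding="unicode")


def dag_members(match_expr, instances):
    """Resolve a DAG match filter such as "'role-web' and 'env-prod'" against registered tags.
    Assumption: quoted tags joined left-to-right by 'and'/'or', no parentheses."""
    tokens = match_expr.replace("'", "").split()
    members = []
    for inst in instances:
        tags = set(instance_tags(inst))
        value = tokens[0] in tags
        for op, tag in zip(tokens[1::2], tokens[2::2]):
            value = (value and tag in tags) if op == "and" else (value or tag in tags)
        if value:
            members.append(inst["ip"])
    return members


if __name__ == "__main__":
    print(build_register_message(INSTANCES))
    print("prod-web DAG members:", dag_members("'role-web' and 'env-prod'", INSTANCES))
```

Re-running the registration whenever tags change keeps the group, and every rule referencing it, current without touching the rulebase.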
4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. pan-vm-series-for-aws-ds-032216
VM-Series for AWS Use Cases
The VM-Series can be deployed for AWS to address a
number of different use cases.
Hybrid Cloud: Securely Extend Your Data Center into AWS
One of the easiest ways to securely address new application
requirements and cloud-first development initiatives is
through a hybrid deployment that integrates your existing data center with AWS via a secure connection. This approach enables you to start small and expand as your
requirements change while maintaining a strong security
posture. When deployed in AWS, the VM-Series can act as
a VPN termination point to allow the secure movement of
applications and data to and from AWS. Application control
and threat prevention policies can be layered atop the IPsec
VPN tunnel as added security elements.
Segmentation Gateway: Separation for Security and Compliance
High-profile breaches have shown that cybercriminals are
adept at hiding in plain sight, bypassing perimeter controls
and moving at will across networks – both physical and virtualized. An AWS VPC provides an isolation and security boundary for your workloads. The VM-Series can augment that separation through application-level segmentation
policies to control traffic between VPCs. With applica-
tion-level policies, you have greater control over application
traffic moving laterally, and you can apply threat prevention
policies to block their movement as well. If traffic is flowing
between VPCs in different regions across the Internet,
encryption can be enabled for added protection.
Internet Gateway: Secure the Network, the Cloud, and the Device
As your AWS deployment expands, you can build upon your hybrid deployment by using the VM-Series as an Internet
gateway, further strengthening your security posture. With
the VM-Series you can control AWS access with application
whitelisting policies that are based on user identity and
business need. Application-specific threat prevention
policies to block exploits, malware, and previously unknown
threats (APTs) from gaining access to your AWS deployment
can also be applied, giving you added control and protection.
GlobalProtect will enable you to extend your security
policies to your remote users and mobile devices, regardless of their location. GlobalProtect establishes a secure
connection to protect the user from Internet threats and
enforces application-based access control policies. Whether
the need is for access to the Internet, data center or SaaS
applications, the user will enjoy the full protection provided
by the platform.
[Figure: deployment diagram showing Panorama, GlobalProtect and VM-Series instances. Captions: Exert policy consistency across the network, AWS cloud, and your devices; Application whitelisting and threat prevention policies protect your AWS perimeter; Segment applications and data for security and compliance purposes; Securely extend your data center into AWS.]