Palo Alto Networks recently released PAN-OS 7.1 for our Next-Generation Security Platform. Many financial institutions will not immediately adopt a brand-new version of software, instead preferring to see how stable the new code is in other venues first. When the time is right, an effort to test and certify the new software will be launched to validate old and new features, interoperability and integration with network/systems management tools. Such is the life cycle of new software versions before they even get to the actual rollout phase.
With that being said, PAN-OS 7.1 does offer a number of key benefits to financial institutions:
1. Secure Any Cloud
Many financial institutions are pursuing private, public and hybrid cloud solutions to increase the agility, flexibility and scalability of their information technology (IT) environment. This has become necessary to meet unexpected business demands without the delays associated with provisioning a traditional IT infrastructure. Such capabilities are even more prominent in light of competition from FinTech startups, in addition to established competitors. Palo Alto Networks provides a holistic public and private cloud security solution that leverages our physical and virtual next-generation firewalls deployed across the extended network. This offers protection against sophisticated attacks, advanced persistent threats (APTs), and has visibility of applications and traffic sources, which is far beyond the native security capabilities offered by cloud service providers, such as Amazon Web Services (AWS) and Microsoft Azure.
2. Embrace SaaS
The use of SaaS applications (e.g., Salesforce, Box) continues to grow among financial institutions. To properly control such applications and minimize shadow IT, detailed visibility of the applications, their usage, and users, themselves, is needed. Palo Alto Networks Next-Generation Firewall was built to provide unparalleled visibility and control of all applications, as well as details about application usage across the network. In conjunction, Palo Alto Networks Aperture now enables safe usage of SaaS applications (e.g., Microsoft Office 365) with complete visibly and granular enforcement within the cloud. Ultimately, it boils down to limiting access to prevent data exposure risk and threat insertion while not disrupting business.
3. Accelerated Threat Intelligence
Financial institutions continue to be a favorite target for cyberattacks. The 2015 Verizon Data Breach Investigations Report ranked financial services as one of the top three industries for security incidents, confirmed data loss, and distributed denial of service, or DDoS, attacks. This has been the case in previous years as well. When truly unique and targeted attacks are found, financial institutions must accelerate analysis-and-response efforts with the right intelligence and threat context to maximize the effectiveness of their security operations professionals. With the new innovations across the Palo Alto Networks platform, we can provide threat visibility and remediation faster and more effectively then ever before. The new integration of Palo Alto Networks AutoFocus threat intelligence service with PAN-OS and Panorama centralized management brings advanced threat context to the entire organization − simplifying response efforts for the most critical attacks. This puts the largest collection of unknown malware data at the fingertips of the security operations center, allowing that team to automatically turn analysis efforts for unique, targeted attacks into proactive protections by blocking malicious domains, IP addresses and URLs with AutoFocus and PAN-OS dynamic block lists.
4. Prevent Breaches with Secure User Credentials
With Palo Alto Networks GlobalProtect mobile security service, users in financial institutions can be connected to the network at all times − eliminating the large and growing blind spot of users roaming off the enterprise network, where they and their credentials are more vulnerable. GlobalProtect works by connecting a user’s mobile device to the closest next-generation firewall so that full network security can be provided, regardless of the user’s physical location, such as a coffee shop or airport. With Palo Alto Networks VM-Series being consumable in public cloud services, such as AWS, the nearest next-generation firewall can be in close proximity to the user, wherever that person might be.
In addition to the key benefits above, PAN-OS 7.1 includes some features that will prove valuable for financial institutions:
- Elliptical Curve Cryptography (ECC) and Perfect Forward Secrecy (PFS) for Decryption− A number of financial institutions are moving toward ECC-based key exchange algorithms. The preferred method for authentication of secure web browsing is becoming ECC, rather than Secure Sockets Layer (SSL) or Transport Layer Security (TLS). A growing number of sites use ECC to provide PFS, which is essential for online privacy. PAN-OS 7.1 supports decryption, even when ECC and PFS are in effect, to maintain application visibility.
- Bootstrapping Device Deployment – Financial institutions need to deploy firewalls at remote sites with minimal connectivity or in bulk for technology refresh projects. The new bootstrapping capability simplifies and automates the initial firewall-provisioning process. This allows for extremely low-touch, distributed deployments of hardware appliances.
- Structured Threat Intelligence Exchange (STIX) Support – Many financial institutions are members of the Financial Services Information Sharing and Analysis Center (FS-ISAC). STIX is the preferred format for the import or export of threat data between parties. AutoFocus adds the ability to share threat intelligence via an application programming interface (API) with output in the STIX standard.
- Bidirectional Forwarding Detection (BFD) – Some financial institutions use dynamic routing protocols with the Palo Alto Networks firewalls to establish paths for traffic flow through the network. Failure detection can be lengthy before a routing protocol re-convergence can even begin. BFD in PAN-OS 7.1 allows sub-second failure detection, which will immediately trigger re-convergence in routing protocols, such as Open Shorteath First (OSPF) and Border Gateway Protocol (BGP) to re-establish viable paths and traffic flow across the firewalls.
For further information about the new PAN-OS 7.1 release, please visit the following pages.
- Technical Documentation: Set Up the VM-Series Firewall in AWS
- Technical Documentation: VM-Series Firewall in Microsoft Azure
- Technical Documentation: PDF Report for Visibility into SaaS Applications
- Technical Documentation: Use AutoFocus with the Palo Alto Networks Firewall
- Technical Documentation: Perfect Forward Secrecy (PFS) Support
- Technical Documentation: Bootstrapping Firewalls for Rapid Deployment
- Technical Documentation: AutoFocus API STIX Support
- Technical Documentation: Failure Detection with BFD
[Palo Alto Networks Research Center]