
VM-SERIES FOR AMAZON WEB SERVICES

Amazon Web Services (AWS) is fueling an evolution within today's data centers, enabling you to rapidly develop, deploy and manage new applications on a global scale. The VM-Series for AWS enables you to protect your applications and data in AWS with next-generation firewall and threat prevention features.
VM-Series for AWS Use Cases

Hybrid Cloud
- Securely enable a hybrid cloud using our complete next-generation firewall and advanced threat prevention features.
- Move applications and data to and from AWS via a standards-based, site-to-site IPsec VPN tunnel.

Segmentation Gateway
- Control application communication across different subnets within a VPC and between VPCs while blocking lateral threat movement.

Internet Gateway
- Extend perimeter protection mechanisms to all users and devices, regardless of location.
- Control applications within AWS while preventing advanced cyberattacks from breaching your cloud and moving laterally.
- Extend firewall and threat prevention policies to remote users and mobile devices with GlobalProtect.

Security Challenges in the Public Cloud

AWS introduces well-known advantages of greater application development and deployment agility, scalability and flexibility. However, the security challenges you face in AWS are exactly the same as those you face when protecting a physical network. These challenges include a lack of application visibility and control, an inability to prevent cyberattacks, and cumbersome policy update processes that can induce delays between workload deployment and security policy updates. The VM-Series for AWS solves these challenges, enabling you to:
- Identify and control applications traversing your AWS deployment, regardless of which ports they may use.
- Determine who should be allowed to use the applications, and grant access based on need and credentials.
- Maintain separation of confidential data from other traffic for security and compliance purposes.
- Stop malware from gaining access to, and moving laterally (east-west) within, the cloud.
- Simplify management and minimize the security policy lag as virtual workloads change.

Palo Alto Networks | Datasheet

The VM-Series for AWS protects your workloads and data with the same next-generation firewall and advanced threat prevention features that are available in our security appliances, allowing you to securely move to the cloud.

The VM-Series for AWS

The VM-Series for AWS enables you to securely implement
a cloud-first methodology while transforming your data
center into a hybrid architecture that combines the scalability
and agility of AWS with your on-premises resources. This
allows you to move your applications and data to AWS while
maintaining a security posture that is consistent with the one
you may have established on your physical network with
Palo Alto Networks appliance-based firewalls.
The VM-Series for AWS natively analyzes all traffic in a single
pass to determine the application identity, the content, and
the user identity. These are key components in defining your
security posture and performing the related management
efforts, including visibility, policy control, reporting and
incident investigation.
Improve Security Decisions with Application Visibility
The VM-Series for AWS provides you with the identity of
the application, irrespective of port, which means you have
far more relevant information about your AWS deployment,
including the application, who the user is, and from where it
emanates. This increased knowledge means you can make
more informed policy decisions and respond to incidents
more quickly.
Limit Security Exposure with Whitelisting Policies
With the VM-Series for AWS, you can extend your firewall access control policies to the application level, forcing applications to operate on specific ports, while leveraging the deny-all-else premise that a firewall is based on to block all others. This added level of control becomes critically important as you deploy more of your data center assets in AWS.

Integration with a wide range of user repositories, such as Microsoft Active Directory, LDAP and Microsoft Exchange, introduces the user identity as a policy element, complementing application whitelisting with an added access control component. User-based policies mean you can grant access to critical applications and data based on user credentials and respective need. For example, the App team can have full access to the Development VPC, while the Operations team has RDP/SSH access to the production VPC.

Prevent Advanced Attacks at the Application Level
Attacks, much like many applications, are capable of using
any port, rendering traditional prevention mechanisms
ineffective. The VM-Series for AWS allows you to use the
Threat Prevention and WildFire services to apply application-specific threat prevention policies that block exploits,
malware, and previously unknown threats (APTs) from
infecting your cloud.
Improve Data Security with Segmentation
Today's cyberthreats commonly compromise an individual
workstation or user and then move laterally across your
physical or virtualized network, placing your mission-critical
applications and data at risk. Using security zones and
whitelisting policies allows you to segment applications
communicating across different subnets and between VPCs
for regulatory compliance. Enabling the Threat Prevention
and WildFire services to complement your segmentation
policies will block both known and unknown threats and stop
them from moving laterally from workload to workload.
Policy Consistency with Centralized Management
Panorama enables you to manage your VM-Series
deployments across multiple cloud deployments, along with
your physical security appliances, thereby ensuring policy
consistency and cohesiveness. Rich, centralized logging
and reporting capabilities provide visibility into virtualized
applications, users and content.
Automate Security Deployment and Policy Updates
The VM-Series for AWS includes native management features
that enable you to integrate security into your cloud-first
development projects. Bootstrapping automatically provisions a firewall with a working configuration, complete with
licenses and subscriptions, and then auto-registers itself with
Panorama. To automate policy updates as workloads change,
a fully documented XML API and Dynamic Address Groups
allow the VM-Series to consume external data in the form of
tags that can drive policy updates dynamically. The end result
is that new applications and next-generation security can be
deployed simultaneously in an automated manner.
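As an added example (not code from the datasheet or from Palo Alto Networks), the following Python script shows one way the tag-driven policy updates described above can be implemented: it diffs two constructed snapshots of AWS instance tags, builds the register/unregister message in the PAN-OS User-ID XML API format (sent as cmd= to the firewall's /api/ endpoint with type=user-id), and resolves which addresses a Dynamic Address Group would contain. The IPs and the "aws." tag naming convention are constructed for this example; the HTTP call to the firewall is intentionally omitted.

```python
import xml.etree.ElementTree as ET

# Constructed snapshots: private IP -> tags derived from EC2 instance tags.
# The "aws." prefix is a naming convention chosen for this example only.
PREVIOUS = {
    "10.0.1.10": {"aws.env.prod", "aws.role.web"},
    "10.0.1.11": {"aws.env.prod", "aws.role.db"},
}
CURRENT = {
    "10.0.1.10": {"aws.env.prod", "aws.role.web"},
    "10.0.1.11": {"aws.env.prod", "aws.role.web"},  # role changed db -> web
    "10.0.2.5": {"aws.env.dev", "aws.role.web"},    # newly launched workload
}


def diff_tags(previous, current):
    """Return (register, unregister): ip -> tags to add and tags to remove."""
    register, unregister = {}, {}
    for ip in previous.keys() | current.keys():
        added = current.get(ip, set()) - previous.get(ip, set())
        removed = previous.get(ip, set()) - current.get(ip, set())
        if added:
            register[ip] = added
        if removed:
            unregister[ip] = removed
    return register, unregister


def build_uid_message(register, unregister):
    """Build the <uid-message> XML that the PAN-OS User-ID API (type=user-id)
    accepts for IP-to-tag registration; empty sections are omitted."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for name, mapping in (("register", register), ("unregister", unregister)):
        if not mapping:
            continue
        section = ET.SubElement(payload, name)
        for ip, tags in sorted(mapping.items()):
            entry = ET.SubElement(section, "entry", ip=ip)
            tag_el = ET.SubElement(entry, "tag")
            for tag in sorted(tags):
                ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def dag_members(snapshot, required_tags):
    """Resolve a Dynamic Address Group whose match criterion ANDs the tags."""
    return sorted(ip for ip, tags in snapshot.items() if required_tags <= tags)
```

Because only the delta between snapshots is sent, a workload whose tags change is moved between groups without touching the security rules that reference those groups.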
Strengthen Security Posture with User-Based Controls
When deployed in conjunction with GlobalProtect, the VM-Series for AWS enables you to extend your corporate security policies to mobile devices and users, regardless of their location.

Are Native Security Features Sufficient?

As part of their services offering, AWS provides users with some basic security features, such as Security Groups, Access Control Lists (ACLs) and Web Application Firewalls (WAF). These features will help you protect your AWS deployment; however, Security Groups and ACLs look at traffic only from a port and IP address perspective and cannot identify and control your AWS traffic based on the application identity. A WAF looks only at HTTP/HTTPS applications and no other applications. These features only provide a base level of security to reduce your attack surface; they will not control all applications, protect against inbound threats, nor will they stop their lateral movement. As the public cloud becomes an extension of your data center, advanced security features, such as those available from a next-generation firewall, should become a requirement.

VM-Series for AWS Use Cases

The VM-Series can be deployed for AWS to address a number of different use cases.
Hybrid Cloud: Securely Extend Your Data Center into AWS
One of the easiest ways to securely address new application
requirements and cloud-first development initiatives is
through a hybrid deployment that integrates your existing data center with AWS via a secure connection. This
approach enables you to start small and expand as your
requirements change while maintaining a strong security
posture. When deployed in AWS, the VM-Series can act as
a VPN termination point to allow the secure movement of
applications and data to and from AWS. Application control
and threat prevention policies can be layered atop the IPsec
VPN tunnel as added security elements.
Segmentation Gateway: Separation for Security and Compliance
High-profile breaches have shown that cybercriminals are adept at hiding in plain sight, bypassing perimeter controls and moving at will across networks both physical and virtualized. An AWS VPC provides an isolation and security boundary for your workloads. The VM-Series can augment that separation through application-level segmentation policies to control traffic between VPCs. With application-level policies, you have greater control over application traffic moving laterally, and you can apply threat prevention policies to block their movement as well. If traffic is flowing between VPCs in different regions across the Internet, encryption can be enabled for added protection.
Internet Gateway: Secure the Network, the Cloud, and the Device
As your AWS deployment expands, you can build upon your
hybrid deployment by using the VM-Series as an Internet
gateway, further strengthening your security posture. With
the VM-Series you can control AWS access with application
whitelisting policies that are based on user identity and
business need. Application-specific threat prevention
policies to block exploits, malware, and previously unknown
threats (APTs) from gaining access to your AWS deployment
can also be applied, giving you added control and protection.
GlobalProtect will enable you to extend your security
policies to your remote users and mobile devices, regardless of their location. GlobalProtect establishes a secure
connection to protect the user from Internet threats and
enforces application-based access control policies. Whether
the need is for access to the Internet, data center or SaaS
applications, the user will enjoy the full protection provided
by the platform.

[Figure: VM-Series deployment diagrams. Captions: "Segment applications and data for security and compliance purposes"; "Securely extend your data center into AWS"; Panorama shown as the central management component.]

4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

[Figure: VM-Series with GlobalProtect. Captions: "Application whitelisting and threat prevention policies protect your AWS perimeter"; "Exert policy consistency across the network, AWS cloud, and your devices".]

2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. pan-vm-series-foraws-ds-032216
