Next-Generation Firewall Buyer's Guide: Palo Alto Networks - Page 3
Next-generation firewall pioneer continues to raise the bar, using App-ID to control port-hoppers and encrypted Web apps.
Eliminating gaps in next-gen firewalls
Another challenge is encrypted traffic. "Over the past two and a half years, we've seen a big jump in the number of applications that use SSL," said Keil. Among over 1300 applications studied by Palo Alto during the past six months, 262 made some use of SSL.
"This is an increasingly large black hole that customers need to manage. We support forward and reverse SSL decryption, disabled by default. Customers can selectively choose which applications they want to decrypt to apply their policies before re-encrypting traffic," said Keil.
For example, Gmail might be decrypted for all users to look for viruses and malware, without requiring decryption for SSL-protected applications. "We give customers the ability to manage SSL traffic, not based on port 443, but at a user, group, and application level."
But encryption can also be applied by protocols other than SSL or TLS. "Users have gotten smarter and more capable of using tools like SSH to [tunnel back] to home machines and do non-work related activities. To address this, our latest release gives customers the ability to look at SSH to see what it's being used for. We don't decrypt SSH, but we determine whether it's being used for tunneling, so that customers can decide whether SSH should be allowed by particular users and groups," he said.
Tapping into Palo Alto's firewall
Most customers get their feet wet with Palo Alto by deploying a PA as a perimeter firewall. "When we started, we were in there competing with incumbents like Cisco, Juniper, and Check Point, so were happy to just get a couple of boxes into an account. Customers would deploy us in tap mode behind another perimeter firewall to protect users from themselves, block bad applications, and allow good applications." But Keil estimates that 60 to 70 percent of customers eventually move on to deploy a PA as their primary perimeter firewall.
"We're still very successful at the perimeter, but as customers have become more comfortable with our capacity and reliability, they've moved us further inside their networks," said Keil. "We can make sure that Oracle or Sharepoint are the only things running in the data center, that only authorized users are sending traffic, and scanning content to prevent malware from running inside the data center. We've had customers find P2P traffic between virtual machines and rogue SSH sessions."
Bottom Line on Next-Gen Firewall
By using App-ID for primary classification, Palo Alto brought a different approach to enterprise firewalling. "In an IP/port-based firewall, you're effectively letting [all web traffic] past the moat, re-checking everything at the gate. Instead of making you play whack a mole with a flashlight, we let you run with lights on to see every threat in the room," said Keil.
Today, Palo Alto Networks continues to nudge the yardstick higher by facilitating rapid App-ID development, drilling into SSH, and incorporating reputation-based threat intelligence. To learn more about Palo Alto Networks PA Series products, visit this link.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.