Next-Generation Firewall Buyer's Guide: Palo Alto Networks - Page 2
Next-generation firewall pioneer continues to raise the bar, using App-ID to control port-hoppers and encrypted Web apps.
Drilling into apps
These platforms run classification engines to identify and control applications, users, and content rather than ports, IP addresses, and packets. Dubbed App-ID, User-ID, and Content-ID, these key technologies put Palo Alto Networks on the map.
"The value of a classification mechanism that looks across all ports all the time is that many applications, whether business or personal, hop ports or use SSL. Being able to identify these is very important to secure the network," explained Keil. A recent study by Palo Alto estimates that 40 percent of applications fall into this category.
"Using applications as a basis for policy also allows you to positively enable application use cases instead of employing black-and-white rules," said Keil. "App-ID lets customers see applications first, learn what use cases are, and then take the appropriate approach to securely enable them. For example, Google file sharing might be summarily blocked, but other [Google services] that enhance productivity could still be enabled."
But basing policy on App-ID requires frequent update to identify new applications and features therein. "We'd be fooling ourselves if we said we identified all apps," admitted Keil. "We have over 1300 apps today, and there will always be a small amount of unknown traffic – internal applications or old or commercial applications that we haven't added."
Palo Alto takes a multi-prong approach to manage this residual risk. "First, there's an unknown App-ID category [for] anything not classified by a signature," said Keil. "Customers can quickly drill into that bucket to see users, sources, and destinations. They can rename a stream to eliminate an internal server or create a custom App-ID, using our signature development platform. If it's a commercial app, they can turn on packet capture to send us traffic. We develop new App-IDs, test them with customers, and then roll them into weekly updates."
To cover the worst case – malicious unknown traffic – Palo Alto recently added behavioral botnet reporting. "We use several elements – DNS lookups, URL lookups – to provide a list of IPs and risk factors to help customers assess unknown traffic." This evolved from a Wireshark plug-in first developed to characterize Mariposa botnet traffic.
Adding user and threat awareness
Although powerful, App-ID doesn't tell the whole story. To make strong policies practical, Palo Alto introduced User-ID.
"User-ID allows us to build policies that say only Marketing can use Facebook, or only Sales can use Salesforce.com," explained Keil. "We tie into a customer's Active Directory or LDAP or eDirectory to pull user identity into policy." This is done by installing a Palo Alto agent on domain controllers. Whenever a user logs into or out of the network, related addresses are made available to firewall.
To look for viruses, spyware, trojans, and vulnerability exploits, Palo Alto employs a third technology: Content-ID. "One benefit of being a start-up with no legacy technology is that we developed Content-ID with a uniform signature format," said Keil. "We didn't inherit multiple scanning engines that duplicate effort. We use one engine to look for all kinds of threats; policy determines which we look for, using a process that begins looking for threats at the start of the stream, rather than waiting for an entire file to arrive."