Next-Generation Firewall Buyer's Guide: Palo Alto Networks
As business applications migrate to Web 2.0, IP/port-based control is becoming far less effective. Next-generation firewalls (NGFWs) up the ante by identifying and inspecting application content, independent of port, to detect application-specific attacks and enforce more granular rules.
In this EnterpriseNetworkingPlanet buyer's guide, we examine capabilities and features offered by Palo Alto Networks PA Series next-generation firewalls. Founded by Nir Zuk in 2005, Palo Alto Networks pioneered the NGFW approach now being embraced throughout the market.
"Our company was founded to solve the problem that applications had changed, but firewalls hadn't," explained senior product manager Matt Keil. "So we decided to ignore port and protocol and start from scratch. Our App-ID technology looks across all ports, all the time, examining streams to identify applications as the basis for security policy."
Next-generation firewalls -- from the ground up
To run App-ID in an optimal fashion, Palo Alto engineered purpose-built platforms, ranging from the PA-500 series (for medium businesses and branch offices) to the PA-5000 series (for large enterprises and service providers). Models differ in horsepower and connectivity, but all deliver the same NGFW services.
"With the PA-4000 series, we designed an architecture that used dedicated processors for networking, security, threat prevention, and management," said Keil. "High speed Cavium processors for security, high speed Field-Programmable Gate Arrays for threat prevention, and so on. We've carried that through to our PA-5000 series, using more processors [to increase capacity]."
The top-of-the-line PA-5060 sports a 20 Gbps network processor, 16 Cavium security processors, and 2 FPGA threat processors, attached to a 20 Gbps backplane. A single-pass parallel processing architecture inspects each packet once for low-latency performance under load, while the management processor is separated to avoid data plane impact.
"It's easy to get 20 Gbps with a single allow-any/any rule," said Keil. "But when you add policies that turn on services and allow/deny applications, our performance remains at fairly high levels. App-ID tends to maintain 20 Gbps; threat prevention still delivers 10 Gbps. In NSS Labs tests, we beat our own [specs] while competitors significantly under-achieved theirs."
The PA-5060 supports up to 4M sessions (120K sessions per second), 20K SSL VPN users, and 40K policies. The PA-5050 delivers half that capacity (10 Gbps firewall/5 Gbps IPS/2M sessions), while the PA-5020 cuts that in half once again. All three models have 12 10/100/1000 Ethernet ports and 8 Gigabit SFP ports; the 5060 and 5040 sport another four 10 Gigabit SFP+ ports.
Drilling into apps
These platforms run classification engines to identify and control applications, users, and content rather than ports, IP addresses, and packets. Dubbed App-ID, User-ID, and Content-ID, these key technologies put Palo Alto Networks on the map.
"The value of a classification mechanism that looks across all ports all the time is that many applications, whether business or personal, hop ports or use SSL. Being able to identify these is very important to secure the network," explained Keil. A recent study by Palo Alto estimates that 40 percent of applications fall into this category.
"Using applications as a basis for policy also allows you to positively enable application use cases instead of employing black-and-white rules," said Keil. "App-ID lets customers see applications first, learn what use cases are, and then take the appropriate approach to securely enable them. For example, Google file sharing might be summarily blocked, but other [Google services] that enhance productivity could still be enabled."
But basing policy on App-ID requires frequent updates to identify new applications and the features within them. "We'd be fooling ourselves if we said we identified all apps," admitted Keil. "We have over 1300 apps today, and there will always be a small amount of unknown traffic – internal applications or old or commercial applications that we haven't added."
Palo Alto takes a multi-prong approach to manage this residual risk. "First, there's an unknown App-ID category [for] anything not classified by a signature," said Keil. "Customers can quickly drill into that bucket to see users, sources, and destinations. They can rename a stream to eliminate an internal server or create a custom App-ID, using our signature development platform. If it's a commercial app, they can turn on packet capture to send us traffic. We develop new App-IDs, test them with customers, and then roll them into weekly updates."
To cover the worst case – malicious unknown traffic – Palo Alto recently added behavioral botnet reporting. "We use several elements – DNS lookups, URL lookups – to provide a list of IPs and risk factors to help customers assess unknown traffic." This evolved from a Wireshark plug-in first developed to characterize Mariposa botnet traffic.
Adding user and threat awareness
Although powerful, App-ID doesn't tell the whole story. To make strong policies practical, Palo Alto introduced User-ID.
"User-ID allows us to build policies that say only Marketing can use Facebook, or only Sales can use Salesforce.com," explained Keil. "We tie into a customer's Active Directory or LDAP or eDirectory to pull user identity into policy." This is done by installing a Palo Alto agent on domain controllers. Whenever a user logs into or out of the network, related addresses are made available to firewall.
To look for viruses, spyware, trojans, and vulnerability exploits, Palo Alto employs a third technology: Content-ID. "One benefit of being a start-up with no legacy technology is that we developed Content-ID with a uniform signature format," said Keil. "We didn't inherit multiple scanning engines that duplicate effort. We use one engine to look for all kinds of threats; policy determines which we look for, using a process that begins looking for threats at the start of the stream, rather than waiting for an entire file to arrive."
Eliminating gaps in next-gen firewalls
Another challenge is encrypted traffic. "Over the past two and a half years, we've seen a big jump in the number of applications that use SSL," said Keil. Among over 1300 applications studied by Palo Alto during the past six months, 262 made some use of SSL.
"This is an increasingly large black hole that customers need to manage. We support forward and reverse SSL decryption, disabled by default. Customers can selectively choose which applications they want to decrypt to apply their policies before re-encrypting traffic," said Keil.
For example, Gmail might be decrypted for all users to look for viruses and malware, without requiring decryption for other SSL-protected applications. "We give customers the ability to manage SSL traffic, not based on port 443, but at a user, group, and application level."
But encryption can also be applied by protocols other than SSL or TLS. "Users have gotten smarter and more capable of using tools like SSH to [tunnel back] to home machines and do non-work related activities. To address this, our latest release gives customers the ability to look at SSH to see what it's being used for. We don't decrypt SSH, but we determine whether it's being used for tunneling, so that customers can decide whether SSH should be allowed by particular users and groups," he said.
Tapping into Palo Alto's firewall
Most customers get their feet wet with Palo Alto by deploying a PA as a perimeter firewall. "When we started, we were in there competing with incumbents like Cisco, Juniper, and Check Point, so were happy to just get a couple of boxes into an account. Customers would deploy us in tap mode behind another perimeter firewall to protect users from themselves, block bad applications, and allow good applications." But Keil estimates that 60 to 70 percent of customers eventually move on to deploy a PA as their primary perimeter firewall.
"We're still very successful at the perimeter, but as customers have become more comfortable with our capacity and reliability, they've moved us further inside their networks," said Keil. "We can make sure that Oracle or Sharepoint are the only things running in the data center, that only authorized users are sending traffic, and scanning content to prevent malware from running inside the data center. We've had customers find P2P traffic between virtual machines and rogue SSH sessions."
Bottom Line on Next-Gen Firewall
By using App-ID for primary classification, Palo Alto brought a different approach to enterprise firewalling. "In an IP/port-based firewall, you're effectively letting [all web traffic] past the moat, re-checking everything at the gate. Instead of making you play whack a mole with a flashlight, we let you run with lights on to see every threat in the room," said Keil.
Today, Palo Alto Networks continues to nudge the yardstick higher by facilitating rapid App-ID development, drilling into SSH, and incorporating reputation-based threat intelligence.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.