Next generation firewall: Palo Alto Networks
December 01, 2009
Palo Alto NetworksProduct:
The firewall is dead. Long live the firewall! Well, not exactly. It's true that there are alternatives that are touted as replacing the firewall, but we don't think that most organizations are ready to toss the firewall on the scrap heap just yet, no matter what the pundits say. On the other hand, Palo Alto Networks is redefining the way the firewall does its job. The company looked at how firewalls generally are deployed - with multiple gateway devices behind them performing different sorts of protection - and asked why the firewall couldn't do the things that the multiple gateway devices were doing.
The idea of an application firewall that tries to do that is not new, but it is a sluggish performer and it has limitations as to what applications it can manage. The Palo Alto product, on the other hand, has identified about 900 applications that it can manage directly. This makes the firewall an application gateway of sorts, but it is a very fast one and one that understands lots of applications.
That is a key point, of course, because the application landscape changes very rapidly. To beat the old system, Palo Alto Networks has identified five requirements of a next generation firewall. First, it may not use ports and protocols. It focuses on applications. Second, it is policy-based, but the policy addresses who can use an application, not the IP. This requirement maps to Active Directory.
Third, the firewall must scan content to make sure it is safe and being used correctly, and that there is no unwanted data extrusion. Fourth, the firewall must provide granular visibility and control tools. And, finally, it must run very fast. This is a clear innovation on the part of Palo Alto - these requirements are identified explicitly and addressed directly.
So what, then, did their visionary feel is the tool's biggest contribution? To put it in his words, "They fixed the firewall." Selling that concept is a bit cheeky, but Palo Alto Networks takes a very direct approach. When met with skepticism, they simply show their wares and demonstrate exactly what the next generation firewall really can do under some pretty nasty conditions.
Of course it's not enough to block unwanted content from penetrating the firewall. In today's environment, it is even more likely that a user will bring something bad into the network by clicking on an email message attachment or surfing where there is malware. That activity bypasses the firewall completely. But, by using an application-based approach, there is no real concern.
AT A GLANCE
Flagship product: PA-4000 series next generation firewall
Vendor: Palo Alto Networks
Innovation: Recognizing and defining explicitly the requirements of the next generation of firewalls
Greatest strength: This is another company whose vision drives its innovation