Next generation firewall: Palo Alto Networks
December 01, 2009
Palo Alto NetworksProduct:
The firewall is dead. Long live the firewall! Well, not exactly. It's true that there are alternatives that are touted as replacing the firewall, but we don't think that most organizations are ready to toss the firewall on the scrap heap just yet, no matter what the pundits say. On the other hand, Palo Alto Networks is redefining the way the firewall does its job. The company looked at how firewalls generally are deployed - with multiple gateway devices behind them performing different sorts of protection - and asked why the firewall couldn't do the things that the multiple gateway devices were doing.
The idea of an application firewall that tries to do that is not new, but it is a sluggish performer and it has limitations as to what applications it can manage. The Palo Alto product, on the other hand, has identified about 900 applications that it can manage directly. This makes the firewall an application gateway of sorts, but it is a very fast one and one that understands lots of applications.
That is a key point, of course, because the application landscape changes very rapidly. To beat the old system, Palo Alto Networks has identified five requirements of a next generation firewall. First, it may not use ports and protocols. It focuses on applications. Second, it is policy-based, but the policy addresses who can use an application, not the IP. This requirement maps to Active Directory.
Third, the firewall must scan content to make sure it is safe and being used correctly, and that there is no unwanted data extrusion. Fourth, the firewall must provide granular visibility and control tools. And, finally, it must run very fast. This is a clear innovation on the part of Palo Alto - these requirements are identified explicitly and addressed directly.
So what, then, did their visionary feel is the tool's biggest contribution? To put it in his words, "They fixed the firewall." Selling that concept is a bit cheeky, but Palo Alto Networks takes a very direct approach. When met with skepticism, they simply show their wares and demonstrate exactly what the next generation firewall really can do under some pretty nasty conditions.
Of course it's not enough to block unwanted content from penetrating the firewall. In today's environment, it is even more likely that a user will bring something bad into the network by clicking on an email message attachment or surfing where there is malware. That activity bypasses the firewall completely. But, by using an application-based approach, there is no real concern.
AT A GLANCE
Flagship product: PA-4000 series next generation firewall
Vendor: Palo Alto Networks
Innovation: Recognizing and defining explicitly the requirements of the next generation of firewalls
Greatest strength: This is another company whose vision drives its innovation
Sign up to our newsletters
SC Magazine Articles
- CISO salaries and demand for cyber-skills skyrockets, surprising no-one
- Student SSNs exposed in University of Central Florida breach
- Malwarebytes says sorry for multiple AV bugs, still unpatched
- Ransomware and POS attackers to zero in on small businesses, retailers
- TaxAct breached: Customer banking and Social Security information compromised
- Hacker threatens to expose info on DHS, FBI employees
- Avast patches its web browser after Google finds flaw in Chromium-inspired product
- Draft bill seeks to improve U.S. military cyber warfare capabilities
- Skype targeted by T9000 backdoor trojan
- Clean house to keep WordPress infection from coming back again and again