
Palo Alto Networks offers a next-generation firewall... really

My shop has been combating some pretty nasty battles with P2P file sharing, anonymizers like TOR and Hopster, Web-based e-mail, Google Docs, IM clients that you can attach files to. Could this new generation firewall from Palo Alto Networks be the answer?

Before I finish off the CRM thread of posts, I thought I would share an interesting technology I came across. Earlier this week, I had a meeting with a company called Palo Alto Networks regarding a "Next Generation" firewall. It was a cold call, but I was somewhat interested. I thought firewalls had progressed enough that incremental enhancements would no longer be grounds for calling a firewall "Next Generation." I was wrong. To put the product in context, I'll give a brief history of firewalls.

Since the beginning of the Internet Protocol there have been firewalls. Engineers at Digital Equipment Corp wrote one of the first papers on firewall technology, and on why it was needed, back in 1988. Not long after that, a couple of engineers at AT&T Labs built the first-generation firewall using a rudimentary approach to packet filtering. It operated by "inspecting" the contents of individual packets and checking them against filter rules. If a packet triggered a filter rule, it was not allowed through.

Around 1990, three more engineers from AT&T Labs came up with "stateful" inspection firewalls. Instead of looking only at individual packets for issues, a stateful packet inspection firewall looked at the context of each packet within its connection. These firewalls kept track of connections: where they started and where they ended. The technology came along to combat denial-of-service attacks and other attacks that exploit existing connections.

The third-generation firewall has been called an application-layer or proxy firewall. This version understood some applications and protocols (HTTP, FTP, etc.) well enough to discover other applications or protocols riding on those common ports, or to notice when the expected protocol was behaving oddly. This was in the 1991 to 1993 time frame.
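To make the three generations concrete, here is a toy model of each, written for this post as an added example (it is not code from the article or from Palo Alto Networks). A first-generation rule set, a second-generation connection table and a third-generation payload check run over the same handful of constructed packets, so the gap each generation closes shows up side by side. Addresses, ports, payload bytes and the "web only" policy are all assumptions made for the demonstration.

```python
"""Three firewall generations in miniature, run over constructed packets.

Added example for this post; not code from the original article or from
Palo Alto Networks. Addresses, ports and payloads are made up: 10.x.x.x is
the trusted LAN, 203.0.113.x (a documentation range) stands in for the Internet.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10."  # constructed: anything on 10.x.x.x is the trusted side


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False      # TCP SYN: opens a connection
    fin: bool = False      # TCP FIN: closes it (one flag stands for both ends' FINs)
    payload: bytes = b""


def is_inbound(pkt):
    return not pkt.src.startswith(INSIDE_PREFIX) and pkt.dst.startswith(INSIDE_PREFIX)


# Generation 1: stateless packet filter. Every packet is judged on its own
# header fields. To let web replies back in, the rule set has to trust the
# remote *source* port, so an unsolicited packet "from port 80" gets in too.
STATELESS_RULES = [
    # (direction, remote port, local port, action); None matches anything
    ("out", 80, None, "allow"),
    ("out", 443, None, "allow"),
    ("in", 80, None, "allow"),
    ("in", 443, None, "allow"),
]

def stateless_filter(pkt):
    inbound = is_inbound(pkt)
    remote, local = (pkt.sport, pkt.dport) if inbound else (pkt.dport, pkt.sport)
    for direction, rport, lport, action in STATELESS_RULES:
        if direction != ("in" if inbound else "out"):
            continue
        if rport in (None, remote) and lport in (None, local):
            return action
    return "deny"  # implicit default deny


class StatefulFirewall:
    """Generation 2: remembers connections opened from inside and admits an
    inbound packet only if it belongs to one of them."""

    def __init__(self):
        self.connections = set()  # (inside ip, inside port, outside ip, outside port)

    def filter(self, pkt):
        if is_inbound(pkt):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key not in self.connections:
                return "deny"  # nobody inside asked for this
        else:
            if pkt.dport not in (80, 443):
                return "deny"  # outbound policy: web only
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn:
                self.connections.add(key)
            elif key not in self.connections:
                return "deny"  # data without a tracked connection
        if pkt.fin:
            self.connections.discard(key)
        return "allow"


# Generation 3: application-layer inspection. The port only claims to be
# "web"; the first payload bytes show which protocol is really spoken.
def identify_application(payload):
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/1.")):
        return "http"
    if payload[:2] == b"\x16\x03":  # TLS handshake record header
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"

EXPECTED_APP = {80: "http", 443: "tls"}  # what belongs on each permitted port

def application_filter(pkt):
    if not pkt.payload:
        return "allow"  # a bare SYN/ACK/FIN carries nothing to inspect
    server_port = pkt.sport if is_inbound(pkt) else pkt.dport
    return "allow" if EXPECTED_APP.get(server_port) == identify_application(pkt.payload) else "deny"


def demo():
    """Run the same constructed traffic through all three and collect the verdicts."""
    stateful = StatefulFirewall()
    traffic = {  # insertion order matters: the stateful table learns as it goes
        "web_syn": Packet("10.0.0.5", "203.0.113.10", 51000, 80, syn=True),
        "web_request": Packet("10.0.0.5", "203.0.113.10", 51000, 80,
                              payload=b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
        "web_reply": Packet("203.0.113.10", "10.0.0.5", 80, 51000,
                            payload=b"HTTP/1.1 200 OK\r\n\r\n"),
        # unsolicited packet claiming source port 80, aimed at an inside SSH port
        "unsolicited": Packet("203.0.113.77", "10.0.0.5", 80, 22),
        # SSH carried over the web port: header says web, payload says ssh
        "ssh_on_80_syn": Packet("10.0.0.5", "203.0.113.20", 51002, 80, syn=True),
        "ssh_on_80": Packet("10.0.0.5", "203.0.113.20", 51002, 80,
                            payload=b"SSH-2.0-constructed_banner\r\n"),
    }
    return {name: {"stateless": stateless_filter(p), "stateful": stateful.filter(p),
                   "application": application_filter(p)} for name, p in traffic.items()}
```

Running `demo()` shows the progression the post describes: the stateless filter lets the unsolicited "from port 80" packet through because its rules cannot tell a reply from a fresh packet, the stateful table denies it because no inside host opened that connection, and only the application-layer check refuses the SSH banner sent over port 80, which the first two generations wave through as "web". Each model is deliberately minimal (a single FIN tears down a connection, protocol identification looks at a few leading bytes), so they illustrate the idea rather than replace a real implementation.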

Fast forward 15 years and you have other so-called next-generation firewalls that take a lot of off-shoot or existing technologies and combine them into an overall security czar: devices that serve as a combined content filter, firewall, IPS, anti-virus, spam filter, etc., appliance that sits inline on your network (to provide the IPS functionality) and takes care of all the access control, bug squishing and junk filtering. But basically, the firewall itself has remained largely unchanged. It still provides access control based on static rules. Other appliances, like IPS, were developed to shore up firewall security shortfalls discovered later while combating new network exploits.

When I spoke with the Palo Alto Networks company representative, my expectations were pretty low. Once we got into what the appliance did, I had to say "WOW!" For over a year I have been combating the proliferation and use of some pretty nasty applications: P2P file sharing, anonymizers like TOR and Hopster, web-based e-mail, Google Docs, IM clients that you can attach files to. Basically, anything you can think of that turns corporate data leakage control into something akin to herding cats.

At the same time, many users (including myself) like to leverage some of these same tools because they make us more productive. I make sure I get IM addresses of the consultants that have done work for me; I can't tell you how many times I have used that to get a quick question answered. Very efficient and effective.

What this new product does is actually understand the various applications that are out there and let you, the IT leader, control which features of those applications you allow. Even webmail: you can enable e-mail viewing and attachment downloads while preventing uploads of outbound attachments. The system truly understands the nature of the application, not just a few protocols like proxy firewalls do. You can choose what to turn on and what to turn off. Another bonus is that Palo Alto Networks finds all these applications for you, so you don't have to keep up with every new Meebo that pops up. Their team finds them and builds the new signatures.
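The webmail split described above (viewing and downloads on, outbound attachments off) is the kind of policy a function-level control has to express. The following is an added example written for this post, not Palo Alto Networks' code and not its signature format, which the post does not describe: it identifies the application from a constructed hostname list, works out which function of that application a captured HTTP request is using, and looks the pair up in a policy table. Hostnames, paths, the `/attachment/` URL convention and the request bytes are all constructed for the demonstration.

```python
"""Function-level control of a webmail application, as an added example.

Not Palo Alto Networks' code, nor its signature format (the post does not
describe either). Hostnames, paths and the policy table are constructed;
the request bytes are made-up captures of what the firewall would see.
"""

WEBMAIL_HOSTS = {"mail.example.test", "webmail.example.test"}  # constructed

# (application, function) -> action. Viewing and downloading stay on,
# outbound attachments go off: the split the post describes.
POLICY = {
    ("webmail", "browse"): "allow",
    ("webmail", "download-attachment"): "allow",
    ("webmail", "send"): "allow",
    ("webmail", "upload-attachment"): "deny",
}


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), path.decode(), headers, body


def classify(method, path, headers, body):
    """Name the application and the function being used, or (None, None)."""
    host = headers.get("host", "").split(":")[0].lower()
    if host not in WEBMAIL_HOSTS:
        return None, None
    ctype = headers.get("content-type", "").lower()
    # An upload is a multipart POST carrying a file part. Checking the body for
    # the part, not only the header, resists a mislabelled Content-Type.
    if method == "POST" and (ctype.startswith("multipart/form-data") or b"filename=" in body):
        return "webmail", "upload-attachment"
    if method == "POST":
        return "webmail", "send"
    if method == "GET" and "/attachment/" in path:  # constructed path convention
        return "webmail", "download-attachment"
    return "webmail", "browse"


def decide(raw):
    """Return (function, action) for one captured request."""
    app, func = classify(*parse_request(raw))
    if app is None:
        return "other", "allow"  # non-webmail traffic is somebody else's rule
    return func, POLICY.get((app, func), "deny")


# Constructed requests, roughly what one webmail session generates.
READ_INBOX = b"GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"
GET_ATTACHMENT = b"GET /attachment/42/report.pdf HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"
SEND_MAIL = (b"POST /send HTTP/1.1\r\nHost: mail.example.test\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\nto=a%40b&body=hi")
UPLOAD = (b"POST /compose/attach HTTP/1.1\r\nHost: mail.example.test\r\n"
          b"Content-Type: multipart/form-data; boundary=xyz\r\n\r\n"
          b"--xyz\r\nContent-Disposition: form-data; name=\"file\"; filename=\"q3.xlsx\"\r\n\r\n"
          b"...bytes...\r\n--xyz--\r\n")
OTHER_SITE = b"GET / HTTP/1.1\r\nHost: news.example.test\r\n\r\n"

if __name__ == "__main__":
    for req in (READ_INBOX, GET_ATTACHMENT, SEND_MAIL, UPLOAD, OTHER_SITE):
        print(req.split(b"\r\n")[0].decode(), "->", decide(req))
```

Two points for anyone evaluating this class of product. First, the Host-header lookup here stands in for the vendor's application signatures; the value of a maintained signature feed is precisely that the hostname and path conventions change with every new service. Second, webmail runs over HTTPS in practice, so a firewall only sees the request method, headers and body if it decrypts the session; without that it can still recognise the application, but not which function of it is in use, and the upload/download distinction collapses.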

Tony McIlvenna from Palo Alto Networks said that once the behavior or signature is discovered, it can take up to a week to deploy a new signature update for their appliance. For copy-cat applications or knock-offs, that window can be shorter. Right now they have over 700 signatures built in. They have a pretty cool tool on their Web site called Applipedia that you should really check out. It shows you the current signatures, their perceived threat, a description of what they are and an overview of what you can control.

The product also performs other content filtering, firewall and IPS functions, as well as software bolt-ons. Be aware, however, that the company is still in start-up mode. They received a third round of funding of around $38 million a few months ago. Given the economy, that a large third round closed so recently says a lot to me. They have under 200 installs out there already and are in the evaluation phase with a slew of other companies.

I have not used this product. I have only seen the demo, but this approach makes a lot of sense to me. The "true cost of e-mail marketing" post I did last week touches on ExactTarget as a company that keeps track of all of the whitelist/blacklist/spam-filter issues involved with bulk e-mail. Palo Alto Networks does the same thing for invasive SaaS and similar applications: they go out and do all of the legwork for you. If you're having these types of problems, definitely check them out.

12 comments
gblalack

Red Lambda's "Integrity" product can stop your P2P problems today. It is a software product that uses deep packet inspection to identify all P2P traffic, even when encrypted, collects user telemetry, and offers the administrator a series of predetermined steps to deal with the problem, up to a dynamic quarantine of the offender. If you want to know more, go to redlambda.com or contact me, Greg Blalack, at gblalack@redlambda.com

junkyemail22

eSafe from Aladdin Knowledge Systems has been blocking/controlling this malware years before Nir Zuk even thought of jumping out of Netscreen!!!

aminaya

How does Palo Alto work in the virtual world (virtual servers and virtual workstations): VMware, Citrix, NComputing, etc.?

BALTHOR

The Internet is on two wires that go to my DSL box or phone card. The DSL box turns the phone wire stuff into a network digital format. Then this network stuff barely glances the BIOS and the CPU? What happens to the Internet when it enters my computer could be very deep.

smullaney

Yes, all that you say about us actually is true. 15 years ago the firewall actually did something, but now with every application and threat tunneling over HTTP / HTTPS or hopping around to open ports - it has basically become totally ineffective as a security device. In fact, today's firewalls are not security devices any more - just stable port-blockers that have no idea what is coming in/out of the network and therefore no ability to set/enforce access/usage policies. We started with a "clean slate" and re-designed the firewall from the ground up to handle these issues. We did not start with the port/protocol classification of legacy firewalls and then "bolt on" additional functionality. Bottom line - people have no expectations of the firewall anymore because there has not been any innovation in it for over 15 years. But as you've seen, real innovation does exist and you should demand it from the firewall. Also, as part of what a "next-generation" firewall should do, we are the first to deliver data leakage prevention functionality in the firewall. We can scan for social security and credit card numbers (in a real-time, low-latency manner). At no extra cost. Just another example of the value of true innovation.

postingresponse2006

Anyone interested in whether Palo Alto does indeed offer a great leap forward will be interested in two videos at: http://www.demosondemand.com/dod_security/events/topics/dods049.asp We (Demos on Demand) produced a discussion on the firewall topic featuring Richard Stiennon, Amrit Williams, Mike Murray and Martin McKeay. Two members of this panel vociferously contend that "there's been zero innovation in firewall technology since 2001" and Nir Zuk from Palo Alto responds with some comments of his own --- but the meat of this and the proof point is in the in-depth demo that follows.

Jay Rollins

...Or eSafe needs better marketing :-)

robo_dev

...as well as Cisco. Who else did I forget? Palo Alto does some neat stuff, as do the latest offerings from the other firewall vendors. The trend is for firewalls to dig beyond the packet layer into what those packets are doing (layer 4 and above). Palo Alto is the 'new kid on the block' with respect to NGFWs (Next Generation Firewalls). At this point these units are typically deployed behind a more robust traditional firewall to provide more granular application control. http://mediaproducts.gartner.com/reprints/juniper/vol4/article1/article1.html

pgit

This sounds very interesting. I'm having a tough time imagining what a control interface would look like, that is, what parameters you would be dealing with. I would also wonder what would really be happening in the firewall and behind it (trusted LAN), which leads me to ask: will there be an open source version of this device? Will at least source code be available so the paranoid can assuage their fears? @ BALTHOR; ...don't forget wide, brother. Wide is more misleading than deep.
