Palo Alto Networks offers a next-generation firewall... really

My shop has been combating some pretty nasty battles with P2P file sharing, anonymizers like TOR and Hopster, Web-based e-mail, Google Docs, IM clients that you can attach files to. Could this new generation firewall from Palo Alto Networks be the answer?

My shop has been combating some pretty nasty battles with P2P file sharing, anonymizers like TOR and Hopster, Web-based e-mail, Google Docs, IM clients that you can attach files to. Could this next generation firewall from Palo Alto Networks be the answer? 


Before I finish off the CRM thread of posts, I thought I would share an interesting technology I came across. Earlier this week, I had a meeting with a company called Palo Alto Networks regarding a "Next Generation" firewall. It was a cold call but I was somewhat interested. I thought firewalls had progressed enough so that incremental enhancements would no longer be grounds for calling a firewall "Next Generation." I was wrong. To get the scope of the product, I'll provide a summarized and brief history of firewalls.

Since the beginning of Internet Protocol there have been firewalls. Engineers at Digital Equipment Corp wrote one of the first papers on firewall technology and why they were needed back in 1988. Not too long after that, a couple of engineers at AT&T Labs built the first generation firewall leveraging a rudimentary approach to packet filtering. It operated by "inspecting" the contents of individual packets and checking those contents against filter rules. If it triggered a filter rule, the packet was not allowed through.

Around 1990, three more engineers from AT&T Labs came up with "stateful" inspection firewalls. Instead of just looking at individual packets for issues, a stateful packet inspection firewall looked at the context of the packet within the connection. These firewalls were able to keep track of connections and where they start and where they end. This technology came along to combat denial of service attacks and other attacks that exploit existing connections.

The third generation firewall has been named an application layer or proxy firewall. This version understood some applications and protocols (http, ftp, etc.) to the point where it could discover other applications or protocols using these common ports or if the correct protocols are behaving oddly. This was in the 1991 to 1993 time frame.

Fast forward 15 years and you have other so called next generation firewalls taking a lot of off-shoot or existing technologies and combining them to be an overall security czar. So you have these devices that serve as a combined content filter, firewall, IPS, virus, spam filter, etc., appliance that will sit on your network inline (to provide for IPS functionality) and take care of all the access control, bug squishing and junk filtering. But basically, the firewall itself has remained somewhat unchanged. It still provides access control based upon static rules. Other appliances like IPS were developed to shore up some of the firewall security shortfalls later discovered by combating new network exploits.

When I spoke with the Palo Alto Networks company representative, my expectations were pretty low. Once we got into what the appliance did, I had to say "WOW!" For over a year I have been combating the proliferation and use of some pretty nasty applications. P2P file sharing, anonymizers like TOR and Hopster, web-based e-mail, Google Docs, IM clients that you can attach files to. Basically, anything you can think of that will propel corporate data leakage control into something akin to herding cats.

At the same time, many users (including myself) liked to leverage some of these same tools because they made us more productive. I make sure I get IM addresses of the consultants that have done work for me. I can't tell you how many times I have used that to get a quick question answered. Very efficient and effective.What this new product does is actually understand the various applications that are out there and lets you, the IT leader, control what features of these applications you can allow. Even webmail. You can enable email viewing and attachment downloads while preventing uploading outbound attachments. The system truly understands the nature of the application and not just a few protocols like proxy firewalls. You can choose what to turn on and what to turn off. Another bonus is that Palo Alto Networks finds all these applications for you so you don't have to keep up with every new MEEBO that pops up. Their team finds them and builds the new signatures.

Tony McIlvenna from Palo Alto Networks said that once the behavior or signature is discovered, it can take up to a week to deploy a new signature update for their appliance. If they are copy cat applications or knock-offs, that window can be shorter. Right now they have over 700 signatures built in. They have a pretty cool tool available on their Web site here that you should really check out called applipedia. This shows you the current signatures, their perceived threat, a description of what they are and an overview of what you can control.

The product also performs other content filtering, firewall and IPS functions as well as software bolt-ons. Be aware, however, that the company is still in start up mode. They received a third round of funding at around $38 million a few months ago. Given the economy, that a large third round closed so recently says a lot to me. They have under 200 installs already out there and in evaluation phase with a slew of other companies.

I have not used this product. I have only seen the demo, but this approach makes a lot of sense to me. The true cost of e-mail marketing post I did last week touches on ExactTarget as a company that keeps track of all of the whitelist/blacklist/spam filter, etc. issues involved with bulk e-mail. Palo Alto Networks does the same thing for invasive SaaS, etc. applications. They go out for you and do all of the legwork. If you're having these types of problems, definitely check them out.