3/19/2008 04:15 PM
From The Labs: Palo Alto's Firewall Appliance

Using signatures to identify unwanted apps, Palo Alto Networks puts control over network traffic back in the hands of IT.

THE UPSHOT
CLAIM:  The PA-4000 line of firewall appliances filters traffic based on applications rather than just IP addresses and TCP/IP ports and offers optional integrated network antivirus and URL blocking. Palo Alto can tie firewall rules to individual users through Microsoft Active Directory.

CONTEXT:  Application identification isn't unique to Palo Alto--Fortinet, Packeteer, and Procera do it, too. But the fact that IT can enforce which applications are allowed and which aren't sets the device line apart from rival products.

CREDIBILITY:  The signatures that identify applications are accurate, and the company routinely releases new ones. Though Palo Alto Networks is a startup, it's loaded with firewall industry luminaries such as CTO Nir Zuk, who helped develop stateful packet inspection technology while at Check Point.

Does your firewall really stop all the traffic you want it to block? Given the spread of software that tunnels network traffic over HTTP or hops TCP/IP ports to evade firewalls, it's all too likely that the answer is no.

Palo Alto Networks' PA-4000 series firewall appliances use proprietary App-ID signature technology to determine which applications are entering and leaving your network, including traffic carried inside SSL. One caveat applies to any in-line device that classifies SSL-encrypted sessions: to see the application, the appliance has to decrypt the session, which means it terminates the connection itself and presents its own certificate to the client, so the certificate-trust and privacy implications need to be worked out before that feature is switched on. App-ID lets IT enforce security policies that say which applications are allowed to enter and leave the network. What's more, Palo Alto integrates with Microsoft Active Directory, so firewall rules can be applied to specific users rather than only to IP addresses. Add the beginnings of in-line antivirus and intrusion prevention, and Palo Alto is shaping up to be a very potent competitor in the unified threat management market.


Firewalls are supposed to act as network gatekeepers, allowing or denying traffic based on IT policy. However, it's no secret that almost every firewall allows Web traffic, so software developers game the system by wrapping their applications' traffic in Web protocols so that it looks like ordinary browsing. For instance, Microsoft's RPC over HTTP is frequently used to slip connections from Outlook clients to Exchange servers past firewalls that would block native RPC.

For security groups trying to protect against incursion and restrict unwanted applications, most of today's firewalls essentially lock the front door but leave the window wide open. The exception is application-layer proxies, which implement each protocol themselves and forward only traffic that conforms to it, guaranteeing that only traffic generated by approved applications is allowed to pass. But proxies have their own problems, not least of which is the difficulty of keeping up with the rush of new apps and protocols. Even a minor change in an application can break a proxy's compatibility and cut users off from that application.

Palo Alto says it solves this dilemma with a signature-based system that matches network traffic against a database of more than 550 applications, regardless of which port the traffic arrives on. The company also provides signatures to detect viruses in network traffic, and it's rapidly developing a comprehensive set of threat signatures to spot exploit attempts and other malicious traffic. The standard firewall actions of allowing or denying a flow can then be applied per application, so IT can choose exactly which applications are permitted.
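To make the difference between a port-based rule and an application-based rule concrete, here is a small, added example that is not Palo Alto's code and not a real App-ID signature set. It identifies the application from the first bytes a client sends (ignoring the destination port), then applies a first-match policy that can also key on the user identity, as described above for the Active Directory integration and for RPC over HTTP slipping past port-based rules. The signature patterns, the user and group names, and the sample flows are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Toy signature table. Patterns are simplified illustrations written for this
# example; they are not App-ID signatures. Order matters: applications that
# ride on top of a generic protocol are listed before the generic protocol.
SIGNATURES = [
    # Outlook Anywhere (RPC over HTTP) uses the RPC_IN_DATA / RPC_OUT_DATA verbs.
    ("rpc-over-http", re.compile(rb"^RPC_(IN|OUT)_DATA /rpc/rpcproxy\.dll")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    # TLS record layer: content type 0x16 (handshake), protocol version 3.0-3.3.
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),
]


@dataclass
class Flow:
    user: str           # identity the firewall mapped from the source IP (e.g. via AD)
    dst_port: int
    payload: bytes      # first bytes the client sent on the connection


@dataclass
class Rule:
    apps: frozenset                 # application names this rule covers
    users: Optional[frozenset]      # None means any user
    action: str                     # "allow" or "deny"


def identify_app(payload: bytes) -> str:
    """Return the application for the first matching signature, else 'unknown'."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown"


def port_firewall(flow: Flow, open_ports=(80, 443)) -> str:
    """Classic port-based rule: allow the Web ports, deny everything else."""
    return "allow" if flow.dst_port in open_ports else "deny"


def app_firewall(flow: Flow, rules: list) -> str:
    """First-match application/user policy with an implicit final deny."""
    app = identify_app(flow.payload)
    for rule in rules:
        if app in rule.apps and (rule.users is None or flow.user in rule.users):
            return rule.action
    return "deny"


# Hypothetical policy: only the "mail-admins" group (flattened here to one
# member, bob) may use RPC over HTTP; everyone may browse; all else is denied.
POLICY = [
    Rule(frozenset({"rpc-over-http"}), frozenset({"bob"}), "allow"),
    Rule(frozenset({"http", "tls"}), None, "allow"),
]

# Constructed sample flows; the payloads are hand-written, not captured traffic.
SAMPLE_FLOWS = {
    "browsing": Flow("alice", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "https": Flow("alice", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    "outlook-anywhere": Flow("alice", 80, b"RPC_IN_DATA /rpc/rpcproxy.dll?mail:6001 HTTP/1.1\r\n"),
    "admin-outlook": Flow("bob", 443, b"RPC_OUT_DATA /rpc/rpcproxy.dll?mail:6002 HTTP/1.1\r\n"),
    "ssh-on-443": Flow("alice", 443, b"SSH-2.0-OpenSSH_4.7\r\n"),
    "torrent-on-80": Flow("alice", 80, b"\x13BitTorrent protocol\x00\x00\x00\x00\x00\x00\x00\x00"),
}


def compare(flows=SAMPLE_FLOWS, rules=POLICY) -> dict:
    """For each flow: (identified app, port-based verdict, app-based verdict)."""
    return {
        name: (identify_app(f.payload), port_firewall(f), app_firewall(f, rules))
        for name, f in flows.items()
    }


if __name__ == "__main__":
    for name, (app, by_port, by_app) in compare().items():
        print(f"{name:18} app={app:14} port-rule={by_port:5} app-rule={by_app}")
```

Running it shows the point of the article in one table: the port-based rule waves through SSH and BitTorrent on the Web ports and Outlook Anywhere for every user, while the application rule denies all of those and still lets the one permitted user reach Exchange over RPC/HTTP. A real engine matches far more than the first bytes (App-ID also looks at later packets and decrypted SSL), but the allow-by-application, deny-by-default shape of the policy is the same.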

Palo Alto's PA-4050 sports throughput of up to 10 Gbps over 24 copper and fiber ports.
The PA-4000 can also block viruses and either alert on or deny potentially malicious traffic. In addition, through a partnership with SurfControl, the same signature-matching engine can apply SurfControl's Web site classification database, so that all network traffic control can be integrated into a single box and a single management interface.

We were intrigued, so we brought a PA-4050 into our University of Florida Real-World Labs. We set the device for transparent Virtual Wire mode, in which the firewall doesn't route, switch, or modify VLAN tags of packets passing through it, and placed it in between a router and an existing IDS, so that we could reuse our span port. After allowing the 4050 to observe traffic for a while, we dug into the App-Scope Web-based management GUI.

Network traffic graphs were impressive--applications were clearly shown, and we could drill down to charts of source and destination IP addresses and traffic counts by clicking on the colored boxes that represent particular apps. The company has released a management platform for multiple devices, which we were not able to test.
