From The Labs: Palo Alto's Firewall Appliance - InformationWeek

Using signatures to identify unwanted apps, Palo Alto Networks puts control over network traffic back in the hands of IT.

CLAIM:  The PA-4000 line of firewall appliances filters traffic based on applications rather than just IP addresses and TCP/IP ports and offers optional integrated network antivirus and URL blocking. Palo Alto can tie firewall rules to individual users through Microsoft Active Directory.

CONTEXT:  Application identification isn't unique to Palo Alto--Fortinet, Packeteer, and Procera do it, too. But the fact that IT can enforce which applications are allowed and which aren't sets the device line apart from rival products.

CREDIBILITY:  The signatures that identify applications are accurate, and the company routinely releases new ones. Though Palo Alto Networks is a startup, it's loaded with firewall industry luminaries such as CTO Nir Zuk, who helped develop stateful packet inspection technology while at Check Point.

Does your firewall really stop all the traffic you want it to block? Given the spread of software that tunnels network traffic over HTTP or hops TCP/IP ports to evade firewalls, it's all too likely that the answer is no.

Palo Alto Networks' PA-4000 series firewall appliances use proprietary App-ID signature technology to determine which applications are entering and leaving your network, even those carried inside SSL. (Seeing the application inside an SSL session, rather than just "SSL", requires the firewall to decrypt the session, which in practice means distributing its signing certificate to client machines; without decryption, only the handshake is visible to a signature engine.) This lets IT enforce security policies that state which applications are allowed to enter and leave the network. What's more, Palo Alto offers integration with Microsoft Active Directory, so firewall rules can be applied to specific users. Add the beginnings of in-line antivirus and intrusion prevention, and Palo Alto is shaping up to be a very potent competitor in the unified threat management market.


Firewalls are supposed to act as network gatekeepers, allowing or denying traffic based on IT policy. However, it's no secret that almost every firewall allows Web traffic, leading software developers to game the system by sneaking their applications' traffic onto networks, using Web protocols. For instance, Microsoft's RPC over HTTP is frequently used to slip connections from Outlook clients to Exchange servers past firewalls.

For security groups trying to protect against incursion and restrict unwanted applications, most of today's firewalls essentially lock the front door but leave the window wide open. The exception is application proxies, which implement each application's protocol inside the firewall, so that only traffic conforming to an approved application is allowed to pass. But proxies have their own problems, not least of which is the difficulty of keeping up with the rush of new apps and protocols. Even a minor change in an application can break a proxy's compatibility entirely, cutting users off from the application.

Palo Alto says it solves this dilemma with a signature-based system that matches network traffic against a database of more than 550 applications, regardless of the port the traffic uses. The company also provides signatures to detect viruses in network traffic, and it's rapidly developing a comprehensive set of threat signatures to spot exploit attempts and other malicious traffic. Of course, all standard firewall actions can be taken, giving IT the ability to choose exactly which applications are permitted.
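To make the difference between a port-based rule and an application-based rule concrete, here is an added Python example written for this article; it is not Palo Alto's App-ID engine or any vendor code. The signatures, the sample flows and the two policy sets are constructed for illustration and deliberately simplified (real application identification uses many more patterns, looks at more than the first packet, and needs SSL decryption to see inside an SSL session). It classifies a flow from its first client-to-server payload bytes, ignoring the destination port, and shows how an SSH session, a BitTorrent handshake and Outlook's RPC over HTTP all sail through a rule that merely "allows port 80 and 443" but are stopped by a rule that allows only the http and ssl applications.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical application signatures, constructed for this example (not a
# vendor signature database). Each regex is anchored at the start of the
# first client->server payload and is matched without regard to the port.
APP_SIGNATURES = [
    # Outlook Anywhere / RPC over HTTP opens its tunnel with these two methods.
    ("rpc-over-http", re.compile(rb"^(RPC_IN_DATA|RPC_OUT_DATA) ", re.DOTALL)),
    ("http",          re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", re.DOTALL)),
    ("ssh",           re.compile(rb"^SSH-2\.0-", re.DOTALL)),
    ("bittorrent",    re.compile(rb"^\x13BitTorrent protocol", re.DOTALL)),
    # TLS ClientHello: record type 0x16, version 3.x, 2-byte length, handshake type 0x01.
    ("ssl",           re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),
]


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client->server bytes seen on the flow (may be empty)


def identify_app(payload: bytes) -> str:
    """Classify a flow from its first payload bytes; the port is not consulted."""
    if not payload:
        return "incomplete"  # only the TCP handshake so far, nothing to match
    for name, pattern in APP_SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown-tcp"


def port_policy(flow: Flow, allowed_ports: set[int]) -> str:
    """Classic firewall rule: decide on the destination port alone."""
    return "allow" if flow.dport in allowed_ports else "deny"


def app_policy(flow: Flow, allowed_apps: set[str]) -> str:
    """Application-aware rule: decide on what the payload says the app is."""
    app = identify_app(flow.payload)
    if app == "incomplete":
        return "pending"  # hold the verdict until payload arrives
    return "allow" if app in allowed_apps else "deny"


# Constructed sample flows. Every one of them is headed for port 80 or 443.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.6", "203.0.113.11", 80, b"SSH-2.0-OpenSSH_7.4\r\n"),
    Flow("10.0.0.7", "203.0.113.12", 443,
         b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x11" * 20 + b"-PC0001-" + b"\x00" * 12),
    Flow("10.0.0.8", "203.0.113.13", 80,
         b"RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.com:6001 HTTP/1.1\r\n"),
    Flow("10.0.0.9", "203.0.113.14", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    Flow("10.0.0.10", "203.0.113.15", 80, b""),  # SYN/ACK done, no data yet
]

PORT_RULE = {80, 443}          # "web is allowed"
APP_RULE = {"http", "ssl"}     # "web is allowed" expressed as applications


def compare_policies(flows: list[Flow]) -> list[tuple[str, str, str]]:
    """Return (identified app, port-rule verdict, app-rule verdict) per flow."""
    return [
        (identify_app(f.payload), port_policy(f, PORT_RULE), app_policy(f, APP_RULE))
        for f in flows
    ]


if __name__ == "__main__":
    for flow, (app, by_port, by_app) in zip(SAMPLE_FLOWS, compare_policies(SAMPLE_FLOWS)):
        print(f"{flow.src:>10} -> {flow.dst}:{flow.dport:<4} app={app:<14} "
              f"port-rule={by_port:<7} app-rule={by_app}")
```

Two points worth noting. First, the verdict for the sixth flow is "pending": a signature engine cannot classify a flow until it has seen payload, so an inline device has to let the handshake (and usually a few more packets) through before it can enforce, which is a window that a port-only rule doesn't have. Second, the fifth flow is classified only as "ssl"; whatever application is inside that session is invisible to the matcher unless the firewall decrypts it, which is the caveat behind the "even those encrypted via SSL" claim above.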

Palo Alto's PA-4050 sports throughput up to 10 Gbps over 24 copper and fiber ports
The PA-4000 can also block viruses and alert on or block potentially malicious traffic. In addition, using the same signature-matching routines, a partnership deal lets Palo Alto add SurfControl's Web site classification database, so that all network traffic control can be integrated into a single box and management interface.

We were intrigued, so we brought a PA-4050 into our University of Florida Real-World Labs. We set the device for transparent Virtual Wire mode, in which the firewall doesn't route, switch, or modify VLAN tags of packets passing through it, and placed it in between a router and an existing IDS, so that we could reuse our span port. After allowing the 4050 to observe traffic for a while, we dug into the App-Scope Web-based management GUI.

Network traffic graphs were impressive--applications were clearly shown, and we could drill down to charts of source and destination IP addresses and traffic counts by clicking on the colored boxes that represent particular apps. The company has released a management platform for multiple devices, which we were not able to test.
