$28 Million For An Old Idea-Part 2

We have to kill the firewall in order to save it. That's the essential message from startup Palo Alto Networks.
We have to kill the firewall in order to save it. That's the essential message from startup Palo Alto Networks.In a previous blog I discussed the irony of Palo Alto Networks getting funded for a product based on old ideas. But that doesn't mean PAN isn't on to something. The company's value proposition has less to do with technological innovation and more to do with reframing the notion of a firewall's primary function.

A typical firewall's primary function is to allow or deny traffic based on the ports and protocols in use. This has to led to some pernicious problems.

  • Problem 1: Typical firewalls never deny a known set of ports and protocols, leaving gaping holes through which numerous applications pass. Some of these applications carry malicious code.

  • Problem 2: Some of the applications coming through holes in the firewall are very useful. Many are less useful, and a few can be downright dangerous. A typical firewall can't help you distinguish among or control these applications.
  • PAN addresses these problems by reframing the primary function of a firewall. In PAN's view, job one is to precisely identify every application that comes in and goes out of the network. This makes all kinds of interesting things possible.

    First, it provides visibility into, and control of the applications on your network. If you don't want users fooling around with P2P apps, you shut them down at the gateway. If you only want them to use a corporate-approved IM system, PAN's firewall allows that one and no others.

    PAN's firewall also includes attack protection capabilities. It can detect and block viruses, spyware, and exploits.

    There are other ways to do this, of course. IPSs block malware. Web and IM proxies can enforce policies and control some rogue apps. And Network Behavioral Analysis systems can help identify and control application usage.

    But why add to the network architecture if, by rethinking the firewall, you can integrate these functions into one platform?

    PAN's application-based policy enforcement goes a long way to addressing issues such as regulatory compliance, employee productivity, and bandwidth management. It also lets administrators shut off common channels for malware and other exploits.

    The company's secret sauce is its application identification technology. Just as an IPS uses signatures to identify malware, PAN's firewall uses signatures to identify applications.

    And here's where we get to drawbacks. Signatures are contradictory by nature. On the one hand, you can never have enough because new applications appear all the time, and existing applications change. PAN says it has a database of 500 application signatures, with 5 to 10 new ones added each week. Still, that's a fairly limited set, which means a lot of policy work as administrators decide how the firewall should handle unidentified applications. Home-grown apps also may be a cause for concern.

    On the other hand, the bigger the signature database, the more time and processing power you invest in scanning traffic. Firewalls that introduce significant latency don't last long. The company says its firewalls can process tens of thousands of signatures at line rate (it sells 2Gig and 10Gig appliances). That's an extraordinary claim, and it remains to be seen if the company can live up to it. Signatures also aren't omniscient; false positives and false negatives should be expected.

    That said, I like Palo Alto Networks' approach. If they don't screw up on execution, I predict one of two outcomes: they disrupt the firewall and IPS markets, or get bought. Or maybe both.