Western & Southern Financial Group had what it considered defense in depth for its IP network but recognized that there were still ways that sensitive data might leave the network undetected, so it looked for more protection. The company, which manages $47 billion in assets, chose to add Palo Alto Networks' next-generation firewall to its existing traditional firewall, intrusion prevention system, URL filtering and data-loss prevention gear.
The result is that Western & Southern now has better visibility into traffic leaving the network, says Doug Ross, CTO of the Cincinnati, Ohio, financial firm.
Palo Alto’s PA-4000 appliances perform deep packet inspection on traffic originating in business networks that is perhaps destined for servers outside the company. The devices identify what applications are running on the network and apply filters based on them.
Layer 7 firewalls, sometimes called next-generation firewalls, can parse traffic to the point of detecting content, and traditional firewall vendors are adding intrusion prevention to their products to attain this type of support, analysts say.
“A next-generation firewall needs to look within traffic streams and determine whether this is the traffic I expected,” says Rob Whiteley, an analyst with Forrester Research. The key to protection is peering deep into packets to decide what poses a threat and what doesn’t, rather than judging traffic merely by what ports it uses, he says.
Palo Alto, for instance, can detect peer-to-peer traffic such as file sharing and Skype, applications that seek random ports and so are more difficult to block with traditional firewalls. Such applications can be simply unwanted or even dangerous, letting sensitive data leave the corporate network, and Palo Alto gear can at least reveal that they are running, Ross says, allowing network security staff to deal with them.
“Data-loss prevention doesn’t give you insight into what applications are running out there,” he says.
Western & Southern doesn’t trust the Palo Alto gear yet to enforce policies; it is installed in monitoring mode, he says. “We have found significant value in understanding the geographic and application profiles of our network traffic. Long term, we intend to block,” he says.
The Palo Alto gear can tell where in the world connections are being made and flag suspicious traffic. “We do no business outside the U.S.,” Ross says of Western & Southern. “Why would we even allow a source to come from a specific country or allow a destination address in a country where we have no business relationship? [Palo Alto’s equipment] allows us to manage risk in a more comprehensive way than we could with any of the tools we had before.”