UTM - the buzzword Palo Alto won't cop to

By , Network World
August 11, 2008 12:02 AM ET

The PA-4020 is indeed a unified threat management firewall, even if Palo Alto Networks would like to pretend it isn't. Because it's a firewall with integrated VPN, intrusion prevention and detection, URL filtering, antivirus/antispyware and file blocking, the PA-4020 fits squarely into the definition of a UTM firewall.

Of course, there are some important differences, largely because of the application visibility afforded by the PA-4020. For example, if you want to do antivirus scanning on many traditional UTM firewalls, you usually only have a limited selection of applications and ports. On the PA-4020, each access control rule in the firewall can have a set of UTM profiles attached, listing which applications are scanned for viruses, which for spyware, and which are eligible for file blocking. URL filtering configuration -- because it only applies to Web browsing -- and intrusion-detection/prevention system (IDS/IPS) rules are applied without specifying which application they use.

The additional flexibility in the PA-4020 UTM definitions can give better coverage than a typical UTM firewall. As we found in our UTM test late last year, out of 13 UTM firewalls, only one (SonicWall) was able to scan for viruses across all applications. The PA-4020 adds one more to that list: in our antivirus test, the PA-4020 was able to catch viruses it has signatures for across any Web session we set up, including encrypted ones — something even SonicWall can't do.

The magic caveat there is "has signatures for." We quickly discovered that the antivirus protection in the PA-4020 is not meant to be primary protection. We set the PA-4020 in parallel with our production antispam/antivirus gateway and watched the first 20 live viruses come into our network. The PA-4020 caught seven, a catch rate of only 35% compared with the Sophos AV scanner running on the e-mail gateway. Palo Alto confirmed that it doesn't intend the antivirus protection in the PA-4020 as primary protection.

We had better results in our UTM tests focusing on IPS performance. Repeating our UTM tests with client-centric and server-centric attacks, the PA-4020 caught an astonishingly high 89% of the client attacks and 76% of the server attacks. These catch rates are higher than those of any of the UTM firewalls we tested last year. Although the PA-4020 IPS policy management is fairly weak, it's clear that the integrated IPS engine and signature database are fairly aggressive. Of course, an aggressive IPS engine has another potential problem: false positives and inappropriate traffic blocking. We found a number of false positives in reviewing results from using the PA-4020 on our production network. For example, the PA-4020 caused a service interruption by misidentifying normal traffic between our on-site and off-site DNS servers as a buffer overflow attack. We didn't, however, track any IPS false positives in client-to-server outbound traffic, again underscoring how tightly focused the PA-4020 is on protection of end users.
