Skip Links

Palo Alto earns short list status

App-aware firewall proves especially useful for controlling outbound traffic

By , Network World
August 22, 2011 12:06 AM ET

Network World - Palo Alto Networks has injected excitement and innovation into the firewall market with its "next-generation" appliances that combine traditional firewalls, threat mitigation technologies such as anti-malware and intrusion prevention, and the new magic dust of application identification.

We first tested Palo Alto in late 2008 and found the PA-4020 to be an interesting product that still needed work. This time around, we tested Palo-Alto's newest high-end appliance, the PA-5060 and found plenty to love.

The product clocked multi-gigabit speeds even with all threat mitigation and identification features enabled, proving that it's capable of conducting deep session analysis in an enterprise setting. In fact, using the exact same test scenario, the PA-5060 forwarded traffic 10 times faster than the product we tested in 2008 (see story, "Palo Alto PA5060 is one fast firewall").

With a solid basic firewall feature set and UTM protections such as anti-malware and intrusion-prevention system (IPS), the PA-5060 can be used for inbound traffic. And its application awareness makes it even better suited as an outbound firewall, giving extended visibility into what is happening, and fine-grained control over what is allowed.

Of course, no product is perfect. Palo Alto Networks is a relatively new company with limited resources, and features such as centralized management, Web-based GUI, VPN and network access control-like user identification and host scanning could be improved upon.

Next-gen firewalls: Off to a good start

Fast-forwarding firewall faceoff

However, none of these rough spots should stop network managers from looking carefully at the PA-5060, especially when tackling the thorny problem of outbound access control. The PA-5060 is also able to replace some Web security gateways, with the advantage of combining firewall and gateway in a single device.

Effective outbound traffic control

Security-conscious network managers have long known that port number is not the same as application. For example, two applications can share the same port, such as Skype and Web browsing over TCP Port 80. And, an application can change ports. For example, some network managers run SSL VPN servers on TCP Port 53, normally reserved for DNS, to tunnel through many pay-per-use Wi-Fi hotspots that allow DNS, but not much else.

A firewall rule that allows incoming traffic to specific ports is generally sufficient to control traffic, since you control your own servers and know what applications are running on them — in theory, at least. While the PA-5060 can be used for inbound traffic to enterprise networks, we focused most of our evaluation on outbound traffic, such as Web browsing.

Outgoing traffic has long ignored the idea of specific port numbers, with applications of all types running over whatever port seemed good at the time. Network managers using port restrictions to control applications such as Amazon Cloud Drive or Google Talk File can't easily do so, because those applications are happy to run over the traditional port for encrypted Web traffic, 443.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News