What's the biggest firewall issue for enterprises?

Q & A with Matt Keil, the product manager for firewall vendor - Palo Alto Networks.

Out of 251 new Cisco CCIEs tallied in the most recent worldwide CCIE count, only 1 newly minted Security CCIE was included. Hopefully, the following Q & A with Matt Keil - product manager for firewall vendor Palo Alto Networks, will help us understand the current dynamics of the firewall marketplace as well as enterprise security in general. 1. What's the biggest firewall issue for enterprises and exactly how does Palo Alto Networks address that issue?

Matt Keil: The most significant issue for firewalls is the loss of visibility and control over applications, users and content. In the past, it was easy for firewalls to control traffic because applications were tightly tied to ports and protocols, so classifying them using stateful inspection technology worked well. But today’s applications are no longer tied to specific ports or protocols, they are being built to use any open port or they use SSL, all as a means to always make them accessible to users, despite possible security issues. As a result, applications can no longer be identified and controlled by today’s port-based firewalls. This loss of visibility and control introduces a wide range of security and business risks. Blindly blocking these new applications as if they were pure threats is not an option. Many are used to the benefit of the company and users have come to expect access to them. Using a firewall, an IPS, and other technologies all cobbled together cannot solve the problem either because not only does it make policy management a security nightmare, it won’t perform because of the significant overhead it creates.

Palo Alto Networks delivers visibility and control of applications, users and content through our next-generation firewall solution that we've based on 3 unique identification technologies: 1. App-ID - is a patent-pending traffic classification technology that determines exactly which applications are traversing the network using signatures, decoders, decryptions and heuristics – not ports and protocols. The application identity is then used as the basis for all policy decisions including appropriate usage and content inspection. 2. User ID - integrates our firewalls with Active Directory to dynamically tie the application identity to users and groups (not just IP addresses) within the policy. 3. Content-ID - combines a real-time threat prevention engine with a URL database and application identification functionality to limit the unauthorized transfer of data and files, detect and block a wide range of threats, and control non-work related web surfing. Security is very computationally intensive and the question of performance is common, so Palo Alto Networks provides multi-Gbps throughput using individual banks of function-specific processors for networking, security, content inspection, and management. 2. Since Palo Alto Networks is known for firewall control using application ID signatures, how do you see yourselves playing with endpoint security solutions that already provide application level firewall controls?

Matt Keil: We believe that application control belongs in the firewall – the most strategic piece of the security infrastructure. We take full advantage of the endpoint authentication that NAC solutions provide when a user logs into the network. Attempts to control applications at the end point are largely unsuccessful for two reasons: users quickly figure out how to get around the controls; and application developers make it easier by writing applications that do not require administrative rights.

The Palo Alto Networks Application Command Center allows customers to view current application, URL, data filtering and threat activity, adding and removing filters to learn more about the network activity, who the users are, and the security implications: 3. Which is the best place to provide this level of control: endpoint or access point/perimeter?

Matt Keil: The firewall is the best place to control applications traversing the network. That is what the firewall was originally designed to do – control access to the network. Over time, applications evolved, while the firewall did not. Palo Alto Networks restores strategic value to the firewall.

The Palo Alto Networks Policy Editor allows customers to create, deploy, and manage firewall policies control applications, users and content.: 4. How often does Palo Alto Networks update its application signatures?

Matt Keil: New applications (average of four per week), modified applications and threat signature updates are delivered weekly. Threat updates are also done on an emergency basis. As of September 2009, we have issued nearly 900 application signatures.

5. What are the false positive and false negative identification statistics of Palo Alto Networks?

Matt Keil: False positive rates are nearly immeasurable. On the rare occasions that they occur, the Palo Alto Networks - Application and Threat Research Team works with the customer to address the issue as rapidly as possible.

6. Does the Palo Alto Networks application ID control affect load-balance and high-availability in any way?

Matt Keil: Fully synchronized high availability is supported by all of our firewall products. QoS is also supported, allowing traffic to be shaped (guaranteed, maximum and priority) by application, user, source, destination, interface, IPSec VPN tunnel and more. In terms of integrating with other network elements such as a load balancer, App-ID does not adversely affect how traffic is treated. With our firewall, customers can be far more specific in their application usage control policies than with their previous firewall. They can block the applications they absolutely do not want – P2P, external proxies (PH Proxy, CGI Proxy), encrypted tunnels (TOR, UltraSurf). The traffic that is allowed can then be inspected by Palo Alto Networks and load-balanced by another network component.

7. Who is Palo Alto Networks using for your anti-virus engine, anti-spam, IPS, etc...?

Matt Keil: Our threat prevention and application control capabilities are developed in-house by our Application and Threat Research team. More specifically, virus definitions are generated directly from tens of thousands of live virus samples provided on a daily basis by several third party research organizations around the world. Once received, the virus samples are put through an automated process to weed out the duplicates and samples that are already detected by existing signatures. The Application and Threat Research team then generates signatures for the new virus samples that are left over and released.

8. How does Palo Alto Networks handle all of the threats coming into networks encrypted over port 443?

Matt Keil: SSL decryption of inbound and outbound traffic is a standard feature that can be enabled based on policy (by default, the feature is disabled). Encrypted traffic is decrypted, the application is identified and security policies (usage, content inspection) are applied. The traffic is then re-encrypted and sent to its destination.

9. It appears Unified Security has become an important phase of firewall development. How is Palo Networks different than Juniper, SonicWall, Fortinet?

Matt Keil: UTM solutions have their place in the firewall development phase but they do not solve the visibility and control problem. These solutions merely mashed several silos of technology together into a single box as a means of reducing costs. They all still rely on port and protocol to perform the traffic classification. Once classified, sometimes inaccurately, traffic must go through several scanning engines to prevent threats, slowing throughput. Application control in these platforms is rudimentary and unable to keep pace with today’s tech savvy users and application developers. The old days of summarily blocking a new application found on the network are gone. It might be needed by the CFO, the VP of Sales or the Chairman of the Board. The rapid growth in end-user applications is further being fueled by the new generation of employees, many recently out of college, who are always online, always using the latest and hottest application – and expect to be able to do so at work as well as at home. Their social and work lives are blended together, placing a burden on enterprise IT organizations that need to enable the safe use of today’s applications (social networking, audio, video, IM, webmail) while blocking known bad applications (circumventors, proxies, P2P, etc.). Enterprises turn to us because of the lack of control that port-based firewalls are providing. They are demanding a solution that is beyond "add more appliances" and it is our vision to deliver on this opportunity. Our differentiation lies in our identification technologies (App-ID, User-ID and Content-ID) that helps customers accurately determine what is on their network, and in so doing allows them to make more informed policy decisions and improve their security posture. This approach allows our customers to positively enable application usage by blocking unwanted applications, specifically allowing other applications based on users and groups, and scanning them for a wide range of threats.

10. The bulk of industry analysts feel that the firewall market is at the mature stage, so where does Palo Alto Networks see opportunity and why?

Matt Keil: The firewall market is ~$5 billion in size and growing at 7-10% per year. It is a mature market that is populated with stagnant products, which makes it ripe for innovation. Customers are still buying firewalls to upgrade those that are old or end-of-lifed, for new datacenters and new locations. Our opportunity lies in all of those areas – benefiting from the market growth as well as replacing the many obsolete incumbents – and our differentiation is in the fact that we address something that Cisco and others cannot — visibility and control over applications, users and content at the firewall. On a regular basis, our customers and the analysts we work with provide feedback that indicates that the firewall market was long overdue for new innovation.

11. How is Palo Alto Networks going to find success against Cisco, given Cisco’s size and installed firewall base?

Matt Keil: Our competitors have a large install base, which is why they are successful. But the need to support their legacy technology also slows their ability to innovate. So to a certain extent, their size and inability to act nimbly to deliver innovation plays to our advantage. Customers are purchasing our firewall because it solves a problem other firewall vendors have not addressed either directly in the firewall or indirectly via firewall helpers. Our current and continued success can be attributed to the innovative manner in which we solve the problem of visibility and control over applications, users and content.

12. That makes sense, but given the economic conditions of today, what can Palo Alto Networks offer enterprises that Cisco can’t?

Matt Keil: None of the existing firewall vendors, including Cisco, are able to deliver control over applications, users and content in the single most strategic device in the security infrastructure – the firewall. Our customers are supporting this as more than 70% of them have deployed us as their firewall. In many cases Palo Alto Networks is deployed as a replacement for one of the many different firewalls and security infrastructure products. In these cases, fewer infrastructure components saves money due to consolidated management and maintenance.

13. How will Palo Alto Networks build its vendor channel, through CRW, Techdata and Ingram-Micro?

Matt Keil: Palo Alto Networks is a channel focused company using one- and two-tier distribution models where they best make sense. In the U.S., we use a single-tier model and internationally, we use a two-tier model.

What's your take, do you think Palo Alto Networks is addressing the biggest firewall issue for enterprises?

BradReese.Com Cisco Refurbished - Services that protect, maintain and optimize Cisco hardware Contact: Brad Reese | Twitter: http://twitter.com/BradReese

1 2 Page 1
Page 1 of 2