Powerful Firewall Protection
Firewalls first came out in the late 1980s when security breaches drew attention to the need to make networks more secure. In those early days, just having a firewall made a network more secure, because hackers hadn’t yet written applications that could get around it. But as hackers have created new applications, the firewall has become like a utility belt with more and more necessary gadgets—URL filtering, content filtering, intrusion detection—to block new threats that can dodge the firewall’s port-based security.
Then came unified threat management, or UTM, the practice of putting all those gadgets in the same box as the firewall. Vendors touted the benefits of UTM, suggesting that the one-box solution was the way to have a simpler but more effective security infrastructure.
But to Chris King, director of product marketing for security software provider Palo Alto Networks (www.paloaltonetworks.com), UTM was just putting old code in new boxes. “The way that traditional firewalls have denied or allowed traffic is by network port, but applications stopped respecting their assigned port years ago,” says King. “So organizations have had to add more and more to the traditional firewall to help it do what it’s supposed to do. Our position is to stop with the Band-Aids and fix the core problem.”
Palo Alto has done so by building what it calls a next-generation firewall, which shipped for the first time in 2007. Rather than allowing or denying traffic based on what port it’s coming in on, it allows or denies traffic based on what the application is. “A traditional firewall might allow traffic over port 80 in a designated IP address range,” King says. “Ours identifies the application and which user or group of users is using it. So, for example, an organization can use our firewall to allow Skype only for international sales reps.”
Comprehensive Offerings
Palo Alto’s firewalls include App-ID, User-ID, and Content-ID. App-ID can identify applications regardless of the port or protocol they use and detect them even when they try to tunnel through other applications. User-ID works with Active Directory to maintain links between users, groups, and the IP addresses they’re using so as to be able to detect who is using what application. Content-ID uses a URL database and stream-based scanning to keep an eye on file transfers, threats, and Web surfing. All of the firewall’s functions are architected for parallel processing and low latency so that increased security doesn’t mean slower networks.
“UTM put a lot of functions in the same box, which was nice, but if you don’t have the right architecture, it’s going to have a much higher performance hit when you start turning on threat detection, antivirus, or URL filtering,” King says.
The company has three series of firewalls, which offer varying maximum numbers of sessions and network speeds. For example, the PA-500 has 250Mbps of throughput and can handle up to 64,000 sessions, while the higher-end models in the PA-4000 series offer 10Gbps of throughput and up to 2 million sessions.
Its integrated architecture is what makes Palo Alto’s firewalls “next-generation” firewalls, King says, and it means that organizations that install them can get rid of those extra boxes that have been running along with the firewall.
“If you go into a traditional enterprise’s data center, you’re going to find them running a firewall, an intrusion detection system, a URL filter, [and] maybe four or five types of boxes for their security infrastructure, along with the firewall,” King says. “When you fix the core problem of the firewall, it makes all those boxes unnecessary.”
Doing More With Less
Data center managers are under all kinds of pressure these days, but one particular type of pressure is to find ways to make the data center more green—or at least to cost less green. At the crossroads of those mandates is power usage, and King says that reducing power usage, for environmental reasons, financial reasons, or both, is a top-of-mind concern for a lot of managers he talks to. It’s one of the priorities that he hopes will make Palo Alto’s firewall more attractive to potential customers. “Managers are looking at virtualization, consolidation of servers, the cloud, and other technologies,” he says. “They really like hearing that they can reduce the number of boxes they use to deliver their network security and gain functionality while greening the data center a little because they don’t have to use as much AC to keep everything cool.”
They also like hearing about being able to do more with less in the sense of being able to automate as many tasks as possible so that IT staff can be deployed to other assignments. Here, too, King says, the firewall has more than security benefits, because it’s able to block applications that older firewalls would need more help with. “For example, you might need 20 different firewall rules to block one P2P sharing application,” King says. “But with our firewall, it’s possible to block all P2P applications—40 of them, right now—with a single rule. It’s possible to go from 3,000 rules on a Check Point device to about 250 on one of ours.”
Data Security
In the data center world, with more and more organizations handling credit card data, the PCI (Payment Card Industry) security standards are becoming more prevalent as a responsibility for managers. Any organization that handles credit card data must meet these standards and must demonstrate compliance with an audit.
King notes that the network segmentation capabilities of Palo Alto’s firewall have made it more attractive for customers that are or may soon be trying to maintain PCI compliance. “If you have cardholder data and need to get compliant, if you have a flat network, the whole network is going to be in scope for the PCI audit,” he says. “But if you segment your network, then only the segments that contain the cardholder data will be in the scope of the audit. So our customers have used our firewall to do some internal segmentation; for example, they might set it up so that only financial people who are using a certain Oracle application can get into that segment. That reduces the time and cost of preparing for and having the audit.”
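To make the article's three points concrete (port-based versus application-and-user-based rules, collapsing many P2P port rules into one category rule, and segmenting a cardholder zone so only finance users on the Oracle application can enter it), here is a small first-match policy evaluator. It is an added illustration written for this article, not Palo Alto Networks code; the rule fields, zone names, port numbers, and sample flows are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed flow record: what an application-aware firewall knows about a
# session once it has identified the app and looked up the user's group.
@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    app: str       # identified application, e.g. "bittorrent"
    category: str  # application category, e.g. "p2p"
    group: str     # user's directory group, e.g. "finance"

# Policy rule: "*" matches anything; port 0 means "ignore the port".
@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src_zone: str = "*"
    dst_zone: str = "*"
    port: int = 0
    app: str = "*"
    category: str = "*"
    group: str = "*"

def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src_zone in ("*", flow.src_zone)
            and rule.dst_zone in ("*", flow.dst_zone)
            and rule.port in (0, flow.dst_port)
            and rule.app in ("*", flow.app)
            and rule.category in ("*", flow.category)
            and rule.group in ("*", flow.group))

def evaluate(rules: list, flow: Flow, default: str = "deny") -> str:
    """First-match policy evaluation; unmatched flows get the default action."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default

# Port-based policy (hypothetical ports): one deny per known P2P port, then allow.
PORT_POLICY = [Rule("deny", port=p) for p in (6881, 6882, 6883, 4662)] + [Rule("allow")]
# Application-based policy: a single rule blocks the whole P2P category.
APP_POLICY = [Rule("deny", category="p2p"), Rule("allow")]
# Segmentation policy: only finance users on the Oracle app may enter the
# cardholder zone (hypothetical zone name); anything else into it is denied.
SEGMENT_POLICY = [Rule("allow", dst_zone="cardholder", app="oracle", group="finance"),
                  Rule("deny", dst_zone="cardholder"), Rule("allow")]

# Constructed flows: a P2P client tunnelling over port 80, and two Oracle
# sessions into the cardholder segment from different user groups.
TUNNELED_P2P = Flow("users", "internet", 80, "bittorrent", "p2p", "sales")
FINANCE_ORACLE = Flow("users", "cardholder", 1521, "oracle", "database", "finance")
SALES_ORACLE = Flow("users", "cardholder", 1521, "oracle", "database", "sales")
```

The port-based policy lets the tunnelled P2P session through on port 80, while the application-based policy denies it with one rule, and the segmentation policy admits only the finance user's Oracle session into the cardholder zone.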
by Holly Dolezalek