29. July 2012 · Speaking of Next Gen Firewalls – Forbes · Categories: blog

I would like to respond to Richard Stiennon’s Forbes article, Speaking of Next Gen Firewalls. Richard starts off his article as follows:

“As near as I can tell the salient feature of Palo Alto Networks’ products that sets them apart is application awareness. … In my opinion application awareness is just an extension of URL content filtering.”

First, let me start my comment by saying that application awareness, out of context, is almost meaningless. Second, I view technical controls from a risk management perspective, i.e. I judge the value of a proposed technical control by the risks it can mitigate.

Third, the purpose of a firewall is to establish a positive control model, i.e. limit traffic into and out of a defined network to what is allowed and block everything else. The reason everyone is focused on application awareness is that traditional stateful inspection firewalls are port-based and cannot control modern applications that do not adhere to the network layer port model and conventions established when the Internet protocols were first designed in the 1970s.

The reason Palo Alto Networks is so popular is that it extends firewall functionality from the network layer up through the application layer in a single unified policy view. This is unlike most application awareness solutions which, as Richard says, are just extensions of URL filtering, because they are based on proxy technology.

For those more technically inclined: URL filtering solutions are generally built on proxy technology and therefore only monitor a small set of ports, typically 80 and 443. Palo Alto Networks, by contrast, inspects all 65,535 TCP and UDP ports, all the time, at its specified speeds, from the network layer up through the application layer. If you doubt this, try it yourself. It’s easy: run a standard application on a non-standard port and see what the logs show.
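To make the difference concrete, here is an added illustration (my own simplified model, not Palo Alto Networks code) of the two policy styles applied to the same constructed flows: a port-based rule that allows 80 and 443, and an application-aware rule that allows only identified web and TLS traffic regardless of port. The payload signatures and flow records are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes  # first bytes the client sent on the connection

# Constructed, deliberately small signature set standing in for a real
# application decoder; it keys on the first bytes of the client payload.
def identify_app(payload: bytes) -> str:
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "web-browsing"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload[:3] in (b"\x16\x03\x01", b"\x16\x03\x03"):  # TLS handshake record
        return "ssl"
    return "unknown"

ALLOWED_PORTS = {80, 443}                 # traditional port-based positive model
ALLOWED_APPS = {"web-browsing", "ssl"}    # application-aware positive model

def port_based_decision(flow: Flow) -> str:
    return "allow" if flow.dst_port in ALLOWED_PORTS else "deny"

def app_aware_decision(flow: Flow) -> str:
    # Unknown traffic is denied: that is what a positive control model means.
    return "allow" if identify_app(flow.payload) in ALLOWED_APPS else "deny"

# Constructed sample flows (assumed values, not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: x\r\n"),
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc4\x01\x00"),
    Flow("10.0.0.7", "203.0.113.20", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),   # ssh on 80
    Flow("10.0.0.8", "203.0.113.30", 8080, b"GET /app HTTP/1.1\r\n"),  # web on 8080
    Flow("10.0.0.9", "203.0.113.40", 80, b"\x00\x01\x02\x03binary"),   # unknown on 80
]

def compare(flows):
    """Return (dst_port, identified app, port decision, app decision) per flow."""
    return [(f.dst_port, identify_app(f.payload),
             port_based_decision(f), app_aware_decision(f)) for f in flows]

if __name__ == "__main__":
    for port, app, by_port, by_app in compare(SAMPLE_FLOWS):
        print(f"port={port:<5} app={app:<13} port-based={by_port:<5} app-aware={by_app}")
```

The third and fourth rows are the interesting ones: SSH carried over port 80 is allowed by the port rule and denied by the application rule, while a web application on 8080 is denied by the port rule and allowed by the application rule.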

Furthermore, Palo Alto provides a single policy view that includes user, application, zone, URL filtering, and threat prevention columns in addition to the traditional five-tuple: source IP, destination IP, source port, destination port, and service.

To the best of my knowledge, Palo Alto Networks is the only firewall, whether called a Next Generation Firewall or a UTM, that has this set of features. Therefore, from a risk management perspective, Palo Alto Networks is the only firewall that can establish a positive enforcement model from the network layer up through the application layer.