Palo Alto Networks expanded its virtual data center network security portfolio this week with an application-aware virtual firewall and protection against advanced malware attacks. The new technology positions the next-generation firewall innovator to compete head-on with incumbent security vendors that have complex data center offerings.
The virtual data center security enhancements include Palo Alto's new VM series of virtual firewalls, which can run as virtual machines on a VMware hypervisor, along with technology that allows firewall rules to track virtual machine (VM) movement.
"[The virtual firewall] has the same features as our hardware firewalls," said Chris King, director of product marketing. "It addresses east-west traffic where traffic is going from one virtual machine to another without exiting that physical machine. We now have the ability to do network security on that traffic."
A virtual firewall with the application awareness of a next-generation firewall will introduce "much needed simplicity and agility into the ever growing space of virtualized cloud environments," said Paul Carugati, manager of information security systems with Motorola Solutions, a Palo Alto customer.
Palo Alto also introduced Dynamic Address Objects, a feature in its PAN operating system that enables its firewalls to adapt to changes within the virtual infrastructure.
"The idea is to have a firewall rule object that is dynamic in nature and can have multiple IP addresses without requiring a commit on the firewall," King said. "The VMs can fly around and have different IP addresses and the correct policy will follow it. We integrate with the technology that does that -- vCenter and vMotion, or any orchestration or automation tools -- much as we integrate with directories for users today."
More on Palo Alto Networks and virtual firewalls
Palo Alto goes public with $175 million IPO
Palo Alto, SonicWall, offer branch next-gen firewalls
Do you need a virtual firewall
The evolution from static to dynamic environments has caught up with legacy security architecture and, therefore, requires a dynamic solution that provides the necessary visibility to scale operationally, as well as manage next-generation threats, said Motorola's Carugati.
In addition to the virtual data center security enhancements, Palo Alto launched a new mid-level physical firewall, the PA-3000 series. The company is shipping a 2 Gbps and 4 Gbps model of this series, which fills a capacity gap between its PA-2000 and PA-4000 series firewalls. The company also introduced a new firewall management appliance, the M-100. This gives customers dedicated, high-performance hardware for running Palo Alto's Panorama firewall management system, and allows network security managers to deploy Panorama without having to involve the server or virtualization team.
"A lot of this is catching up and equalizing with the Check Points and Fortinets and Ciscos," said John Pescatore, vice president and research fellow for Stamford, Conn.-based Gartner Inc. While Palo Alto has been a disruptive innovator in the firewall market, other vendors have been in data centers longer and have broader portfolios for dealing with issues like securing virtual infrastructure and scaling management, he said. Palo Alto had to add products like its virtual firewall in order to continue attacking incumbent vendors directly.
"In the near term, having a virtual machine version [of a firewall] is really a key piece," Pescatore said. Dynamic firewall rules are still two to three years from being very important to enterprises, because few are that advanced with their server virtualization, he said.
The MC-100 management appliance is also an example of Palo Alto positioning itself to compete head-on with incumbent firewall vendors, Pescatore added.
"What you typically run into when you start selling to larger accounts -- where instead of selling five firewalls at a time, you're selling to some global account that's buying 50 -- they say, 'We don't want to take software and load it onto different hardware everywhere. We want one appliance, in one place that can be a manager of managers.' It's all part of having scalability. That's been one of Palo Alto's weak points. They haven't been selling big deals with hundreds of firewalls and they haven't had proven [management] scalability, so they're building out those features."
Carugati agreed that "some of the limitations of the existing [Palo Alto] centralized management were based upon the underlying architecture, limiting operational turnaround and performance." Palo Alto's appliances "and distributed logging/reporting architecture now provide a more scalable and performance-driven solution for larger deployments with less hindrance from shared computing."
Wildfire: Advanced malware protection
Palo Alto is also evolving WidlFire, its free malware sandboxing service, turning it into an advanced malware protection service, WildFire Subscription. WildFire was originally a cloud-based service where customers could voluntarily upload executable files for analysis. Palo Alto would identify whether the file was malware and warn customers.
With WildFire Subscription, Palo Alto will offer one-hour turnaround for full protection against targeted malware. WildFire will identify executable files, source URLs and network behavior for this malware, and automatically upload protection signatures onto the firewalls of WildFire subscribers.
This malware protection is more targeted than traditional antivirus technology that relies on honeynets to detect and analyze threats, Palo Alto's King said. WildFire catches threats that target its enterprise customers.
"Forty-five percent of the malware we discover is not recognized by any of the leading antivirus vendors when we discover it," he said. "A lot of the targeted or unique malware isn't spread out all over the world. They just aim it directly at a target so it never hits the honeynets. These are threats that are targeting our customers today."
Many other vendors offer targeted malware detection and protection, Gartner's Pescatore said. Cisco, for instance, has its IronPort and ScanSafe services. FireEye offers appliances with similar capabilities. However, to get total protection (anti-malware, firewall, etc.), customers have to deploy multiple appliances and services.
Palo Alto offers an edge by delivering multiple layers of protection in one appliance. Motorola's Carugati said Palo Alto's integration of WildFire Subscription's behavioral analysis for zero-day threats on its firewalls will offer lower cost of ownership because customers don't have to buy another appliance.
The next step in the evolution of malware protection is to do as much as possible of this analysis and protection on premises, Pescatore said. "I think the real battlefield is who can do the most on the box and not call out to the cloud," he said. "Today Palo Alto calls out to the cloud. FireEye looks at executables right on the box. If [Palo Alto] continues to be the innovative leader, then next year they'll have to show that, 'Yeah we can do this in the cloud, but right on the box, too.'"
Local malware analysis and protection not only provides faster protection against zero-day attacks, Pescatore said. It also helps enterprises who have firewalls that can't call out to the Internet for downloads of signatures. "Firewalls are constantly going into places where they can't be talking to the external Internet," Pescatore said.
Let us know what you think about the story; email: Shamus McGillicuddy, news director.