Next-generation firewalls can hardly be considered vanguard these days. In fact, many vendors are rushing to add application visibility and a slew of other features to their
firewalls. But Palo Alto Networks stands apart from the competition.
The company coined the term "next-generation firewall," coming right out of the gate with technology that goes beyond port-level monitoring to peer deeply into applications. Beyond that, Palo Alto has managed to do one thing its competitors may never be able to grasp -- provide simplicity in a complex technology.
With next-generation firewalls, vendors integrate features beyond basic monitoring and prevention, ranging from malware protection to load balancing and WAN optimization. But in some cases, these devices have become too complex to manage.
Palo Alto firewalls are also multipurpose security devices, but the company has kept the devices clearly focused on detection and prevention. The company has worked to be sure the firewalls cleanly integrate into the overall network. What's more, the company provides a single software across every device in the network, as well as a centralized management system that tracks every firewall, regardless of where it lives in the enterprise.
There was a whole industry that was created simply because the traditional firewall vendors have always seen their role as just doing firewalls.
founder and chief technology officer, Palo Alto
In this interview, Nir Zuk, Palo Alto founder and chief technology officer, explains the role of next-generation firewalls across the entire enterprise network.
There are lots of definitions of the term next-generation firewall being tossed around. What is a next-generation firewall?
Nir Zuk: When you receive an email it goes through a lot of steps. Your IT department makes sure that you don't receive any dangerous attachments, that your email is checked for malware, that the email is not exposed to vulnerabilty. And on the way out, the email goes through a lot of checks as well, including making sure there is no data leakage. We can make any application as safe to use as email by applying the same controls and security checks on that traffic.
So when you browse the Internet, [the firewall] is making sure you don't go to sites you're not supposed to go and that the content that comes in is not going to harm you. Also, if your IT department wants to let you use other applications -- for example Sharepoint, Office 365, Dropbox or any other application that is capable of sending and receiving information -- there are three options: The first option is to stop the application, which is what many do today. The second option is to allow the application to go through without checking the traffic. The third option is to use a next-generation firewall. With that option, you are safely enabling the use of applications.
So you set policy based upon application type?
Zuk:What you do for each application is to mirror your email policy. You decide what applications users can access, what they can do with the application and what kind of content can they send.
Are there different rules and policy setting depending on where in the network the firewall lives -- for example, the data center, the branch office?
Zuk:Firewalls are deployed in many places -- at the Internet connection, in the branch office, in the corporate data center, in the Internet-facing data center and at the core of the data center. Most of these firewalls require central policy, which controls which users can access which applications; what they can do with these applications, etc. But the applications in the corporate data center are different than those that users are accessing on the Internet, for example. So your Internet firewall will have policies around Facebook and Dropbox and Office 365, while the firewall in your corporate data center will have policies around SAP applications.
Is there a difference in the capacity that firewalls in each part of the network must support?
Zuk: In terms of capacity, data centers use multiple 10 Gb links while Internet connections are usually a few gigs or even a few hundred mgs. Palo Alto firewalls all have the same software; it's just that the size of the firewall is different. The firewall at the data center has more capacity than the one facing the Internet, and that will be different than the one in your branch office.
Next-generation firewalls have features beyond monitoring, detection and policy enforcement, correct?
Zuk:Firewalls are the only devices that are ubiquitous throughout the enterprise network. They are deployed anywhere, from the branch office to core of the network. The traditional firewall vendor has always seen themselves as firewall vendors only, and they left the other work to IPS companies and malware companies and botnet companies. There was a whole industry that was created simply because the traditional firewall vendors have always seen their role as just doing firewalls. But next-generation firewalls marry capabilities that are not traditionally part of the firewalls. [Other devices] are capable of detecting bad things but aren't able to stop them because they are not the firewall. Next-generation firewalls do both.
How do Palo Alto firewalls play a role in traffic Quality of Service (QoS)?
Zuk:Traditional QoS is done based on port number, which was good when applications had port numbers 15 years ago. Today QoS is not meaningful because all of the applications look the same to the QoS engine. But because we have knowledge of the application, we can tell the QoS engine to do QoS based on the application. For example, a Cisco router can't differentiate between Facebook and Twitter; our [firewalls] can.
More on Palo Alto firewalls
Learn about the Palo Alto virtual firewall
Palo Alto offers branch office next-generation firewalls
How do you manage many firewalls with all this complex policy and features that are spread throughout the entire network?
Zuk: There is a central management system that configures and monitors all these firewalls, usually with a single policy or multiple policies. That is on the configuration, management and monitoring side. On the networking side you expect firewalls to take modern networking protocols; for example, dynamic routing protocols. When you are part of the network you have to speak the language of the network and communicate with routers and switches. This is unique for a firewall from all of the other security devices.
Palo Alto recently expanded its virtualization firewall offering. How do virtual and physical firewalls differ -- and where must they be the same?
Zuk:The main reason you need a virtualization firewall is that you can't see inside [a virtual environment] with a physical device. So if you have a SaaS provider that doesn't allow you to deploy physical devices on the network, you would deploy a virtual firewall there. The way virtualized data centers are built, traffic only goes from one rack to another. The [virtualization] firewall monitors traffic running between virtual machines.
Are there different methods for setting firewall policy in a virtual environment?
Zuk:With Palo Alto, the virtual firewall is exactly the same as the physical firewall in terms of functionality. However, the traditional firewall is even less meaningful in a virtualized environment because in the virtualized environment all the traffic is running on port 80 or 443.
Many people say that software-defined networking will be used to change the way traffic is routed to firewalls and improving granularity and policy. Is SDN on your radar?
Zuk: I think that SDN is mostly hype right now. The customer is using VXLAN, which is a protocol that is sometimes associated with SDN. The firewall needs to understand that protocol in order to be able to look into it. Also, the customer is using an API to program the network, so the firewall needs to be part of it. We do that, but I think this is still very far away and not very relevant now.