While in Las Vegas for Interop this spring, I stopped by Ignite, Palo Alto Networks' annual customer conference....
I met with a few Palo Alto Networks customers to discuss how they're using the company's next-generation firewalls. Two customers agreed to go on the record to share their experiences and their plans for the future.
Palo Alto Networks customers: Support rapid growth, mobility with NGFWs
Exeter Financial, an Irving, Texas automobile loan company, relies on Palo Alto firewalls to support a rapidly growing business with a highly mobile work force.
"When I started here 11 months ago, we were at around 800 employees," said Blake Wofford, senior security engineer at Exeter. "Today we're around 1,500. The challenge of that rapid growth is the expansion of partner channels and a rapidly growing sales force that requires mobile device management. We're also relying on third-party vendors and contracting for hosted applications and cloud services. We face the risk and compliance associated with that."
Palo Alto is Exeter's primary firewall vendor. Its visibility into applications and users plays a large role in all the ways that Exeter secures its infrastructure with the technology.
"We use it for URL filtering, proxying Internet traffic and for defense for the perimeter," Wofford said. The company also uses Palo Alto's threat detection product, WildFire. Exeter chose WildFire over advanced threat protection specialist FireEye due to its integration with Palo Alto's firewalls. "With WildFire there is not any additional network infrastructure we have to deal with. It's already on the box."
Palo Alto is playing a critical role in connecting Exeter's mobile employees, Wofford said.
"We are currently in the stages of developing a fully-fleshed out mobile device management program," he said. "Right now we are using GlobalProtect [Palo Alto's SSL VPN portal] as our bring your own device interface."
Exeter is using GlobalProtect as a remote access gateway even as the firm investigates third-party products, such as mobile device management, which integrate with Palo Alto.
GlobalProtect uses Palo Alto's application identification and third-party directory integration, which allows Wofford to unify policy enforcement for employees whether they are in the office or on the road.
"I'm not doing something separate for my remote users," he said. "I can truly present an environment to my users that is the same when they are at their desks or [on the road]."
Palo Alto Networks customers: Motorola segments its private cloud
Motorola Solutions Inc., which has been a Palo Alto customer for six years, has replaced 98% of its legacy firewalls with the vendor, according to Paul Carugati, Motorola's senior manager of information security. The technology vendor uses the next-generation firewalls in its extranet environment and its internal data center network segmentation.
"We took the approach of being our own cloud provider," Carugati said. "I look at my business customer as almost like an external-facing customer. We're essentially offering core IT services like load balancing and security to them."
This private cloud approach meant that Motorola went from having just one big, flat data center network to one with a highly segmented Layer 2 and Layer 3 network where each application gets very specific quality of service and levels of security. Palo Alto's visibility features allow Carugati to segment the network by application.
More on Palo Alto Networks
Modular Palo Alto firewall scales to 120 Gbps
Citrix adds Palo Alto firewall software to NetScaler
"Previously the data center was one standard internal network and everything was created equal. Everything got the same level of protection," he said. "Now I have the ability to put in granular levels of control around data of concern, based on its specific risk profile. If I have an ERP application or perhaps a customer-facing application, I can choose to lock that down further, versus something that doesn't require the same level of protection."
Although some incumbent firewall vendors suggest that next-generation firewalls don't have the bandwidth for internal network segmentation, Carugati said he has Palo Alto's application awareness turned up in most cases.
"We certainly have some zones where we have a next-generation firewall acting as a Layer 2/Layer 3 firewall, but the overwhelming majority of our internal network segments within the data center are taking advantage of the application awareness, the user identification functionality for additional policy restrictions, and the threat prevention capabilities [of WildFire]," he said. "We can pick and choose. If a customer risk profile says, 'I don't really want to get into application awareness. I just want these two IP addresses and this port' -- OK, great. We can certainly do that. But we have the ability to afford them more."
Palo Alto Networks customers want firewalls to integrate with SDN and network virtualization
Both Wofford and Carugati are keeping a close watch on Palo Alto's involvement in SDN and network virtualization. The company has integrated its firewalls into VMware's NSX network virtualization overlay and Cisco's Application Centric Infrastructure.
"Virtual firewalls are not new, but the ability to integrate that wholly within a VMware ESX-NSX environment -- I think that's where [the industry] is going," Carugati said. "Having Palo Alto work with those vendors so that I don't have to go and architect a solution is key."
"I want to see [Palo Alto's integration with NSX] grow," Wofford said. "One of the failings in the security industry is that everyone takes a perimeter approach. Everything that happens is inside [the perimeter]. If I get an outbreak or a user that's gone rogue inside the network, I need to know about it. Right now I don't have that visibility as much. That's why I'd like see the VMware NSX stuff advance further, so that it becomes more seamless and more friendly to my VMware engineers. I'm looking at it because I want to know what's going on with east-west traffic."
The VMware engineers at Exeter are looking hard at NSX and they've asked Wofford to find out as much as he can about Palo Alto's role in the overlay.
"That in itself is huge," he said. "When has my server guy ever cared what's going on in my firewall? Now he does, because he's starting to understand that there is value for him. [Firewalls that are able to] deal with virtual networks and provision to that easily --- those are big interesting things to a VMware guy."