Next Generation Firewalls: Myth vs. Reality
What if you possessed a high-performance firewall so accurate that you felt confident having it block threats automatically, significantly reducing the need for forensics? This tool can provide real-time visibility into all of your applications regardless of port or protocol, is transparent to implement and requires no network redesign.

The first time I came into contact with a Palo Alto Networks next-generation firewall, I was skeptical. I am naturally skeptical of all vendors until I am able to properly test the technology, since many vendors exaggerate their claims. I understood the feature sets presented in the Palo Alto Networks firewall, but I began to wonder whether the firewall is the best place to be scanning content for AV, IPS, spyware, etc.

Given that you can now create policies around applications and not ports, how well are these application definitions written? I can have false positives and false negatives as applications change.

After 3 years of installing, migrating and administrating Palo Alto Networks devices, I have seen one false positive in application identification. The team responsible for application definitions is very responsive and distributes weekly updates.

Is this product merely a fad in the security industry or a sustainable solution?

It is my belief that next-generation firewalls are here to stay. Some things to consider when doing your homework:

Is the vendor you're examining adding application awareness as an add-on module or was the platform designed from the ground up to be application aware?

Does the platform identify thousands of applications or just the basics like HTTP and SMTP?

After performing an in-depth review of the Palo Alto Networks technology, I became more comfortable with how the firewall was engineered:

The platform is Unix-based, an operating system that can support any kind of software.

The amount of processing power on the device allows for AV, threat and spyware scanning with room to spare. You can limit what to scan on a per-policy basis if this makes the administrator more comfortable.

The bottom line:

Be careful. Every firewall vendor out there is struggling to put the term "next-generation" into their product line, often with no real functionality. Bat Blue and Palo Alto Networks have partnered to bring a solution that does all of the above and more. As the 2010 Partner of the Year, Bat Blue has more experience in developing and implementing unique solutions around Palo Alto Networks' technologies than any other organization. Bat Blue is recognized by Palo Alto Networks as an Accredited Managed Services Partner, acknowledging the experience and expertise Bat Blue has achieved. To learn how Bat Blue can implement a Palo Alto Networks next-generation firewall for your company, please contact us directly.