PALO ALTO, Ca. – The application landscape has changed over the years and yet the firewall hasn’t. With this in mind, Palo Alto Networks is telling customers and channel partners that its new PAN-OS 3.0 software for its firewalls is designed to supersede the ‘find it and kill it’ model other security technologies are based upon.
“Any application can use any port and firewalls tend to make all policies and assumptions based on ports so they don’t really do anything anymore,” said Chris King, Palo Alto Networks director of product marketing. “You’ve got this whole crop of firewall helpers that came up into orbit around the firewall and our contention is if you fix the firewall . . . you can rip off a lot of the band-aids.”
The OS includes significant new functionality, including QoS features and a fully integrated SSL VPN. These features further enable enterprise customers to embrace new applications while managing the risks inherent in using those applications, the company says.
King pointed to how organizations are using a wider array of Internet-based, consumer-oriented applications for cultural reasons, or to improve efficiency, foster customer intimacy, or speed up business processes. Security technologies, unfortunately, have retained an outmoded “block or allow” model, lacking the granularity and intelligence to recognize and appropriately control these new applications.
“A lot of our channel partners find fairly ready acceptance of the solution as the need is fairly acute,” he said. “It is top of mind from a problem-perspective, solving it, (businesses) are grappling with the tools that they have.”
The company cited comments from Gartner Inc. that state, “through 2012, enterprises that take a ‘block or ignore’ stance toward employee use of consumer IT will incur security incident costs two to four times those of enterprises that use ‘embrace or contain’ strategies . . . security companies selling products that take simple block-all approaches will need to develop capabilities that support more-granular security controls.”
PAN-OS 3.0 introduces traffic shaping in the firewall, enabling enterprises to ensure that priority is given to business critical functions. Palo Alto Networks’ application visibility and fine-grained control capabilities offer organizations an array of flexible policy responses to applications — including allow, deny, allow for certain users or functions, threat scanning, and now — shape. Administrators are able to manage the bandwidth consumed by applications, as well as their priority — all in firewall policy, instead of simply killing applications or having no visibility or control over them.
According to Palo Alto Networks’ “Application Usage and Risk Report (April, 2009)”, in the sample of actual application traffic from more than 900,000 users, more than half of the bandwidth was being consumed by 28 percent of the applications, most of which were consumer oriented.
“This is actual customer data . . . we pull together a database of some of the traffic over the previous few months and make some observations based on real enterprise data versus surveys,” he explained. “One of those observations is the existing infrastructure fails completely to control applications . . . 100 percent of organizations have firewalls and most have additional security mechanisms in place . . . yet 92 percent of organizations had peer-to-peer file sharing on their network and not just some; lots.”
Rapidly responding to customer requirements, PAN-OS 3.0 also adds SSL VPN functionality, which employs the easy-to-use secure network extension model but extends the company’s full complement of industry-leading visibility and control over users, applications, and content. Previously, enterprises have had to choose between an open VPN approach that was simple and cost-effective, or a high-control extranet portal approach that was expensive and complex.
The QoS features in PAN-OS 3.0 enable organizations to shape and prioritize traffic based on application with multi-gigabit throughput due to the single pass software married to hardware accelerated queuing. Similarly, the new SSL VPN capabilities in PAN-OS 3.0 provide application visibility and control, coupled with specific SSL hardware acceleration.
“Applications aren’t threats, but they do carry risk,” he said. “As a firewall, Palo Alto Networks uses a positive security model which offers organizations the flexibility they need to embrace new applications, and yet still manage risk — going beyond the outdated ‘find it and kill it’ model that many other security technologies are based on.”
PAN-OS 3.0, including the SSL VPN and QoS functionality, is delivered at no charge to customers with current software maintenance contracts. PAN-OS 3.0 is available for download later this month at Paloaltonetworks.Com.
This column was written by Liam Lahey of ConnectIT, an IntegratedMarCompany