This article can also be found in the Premium Editorial Download "Information Security magazine: Reviews of six top Web application firewalls."
Firewall vendors have tried to keep up with the ever-changing Internet landscape, adding functionality to the core firewall engine that lets enterprises gather intelligence on network traffic beyond the IP addresses and ports in use. But no firewall has been able to achieve all that without the help of other tools and technologies, from packet sniffers to IDS/IPS to proxy servers.
Palo Alto Networks, founded by world-renowned firewall authority Nir Zuk, just might have found the answer in the PA-4050 appliance, running a hardened Linux OS and powered by Intel Xeon processors to deliver up to 10 Gbps of firewall throughput.
Unlike traditional firewalls that identify applications only by protocol and port number, Palo Alto's next-generation firewall uses packet inspection and a library of application signatures to distinguish between applications that share the same protocols and ports, and to identify potentially malicious apps that run on nonstandard ports. Beyond application visibility, the PA-4050 lets admins control the flow of an application regardless of the ports it uses.
Although the PA-4050 offers a command-line interface, the Web GUI was much simpler to use, at least for the initial setup. The appliance can be run in three modes: virtual wire, Layer 2, or Layer 3.
Virtual wire, better known as transparent or inline mode, is the default configuration and does not require many configuration changes. In Layer 2 mode, the appliance, which is equipped with 24 interfaces (16 10/100/1000 and eight SFP ports), can act as a firewall and address your switching needs. This comes in handy where the network is divided into multiple VLANs, each with its own security requirements. Layer 3 mode is the most like traditional firewalls, which operate at the network layer.
A given interface can run in only one mode at a time, but the device as a whole can have multiple interfaces operating in any of the three modes simultaneously. This allows organizations to consolidate network security gateway devices while increasing overall throughput and simplifying administration, without losing visibility into network traffic at each OSI layer. Also, in Layer 3 mode, customers have the option to segment the network further by creating multiple virtual systems, which allow administrators to customize firewall rules for various departments based on physical interfaces, IP addresses or subnets.
The policy rule interface has a very familiar look with a couple of extra parameters. In addition to the typical source/destination zone, IP and service fields, administrators can also set application rules as an added control, for example over P2P, IM and multimedia apps that use dynamically assigned ports or hide on well-known ports such as 80 or 443, which are also used by required business applications.
Additional options provide real-time threat prevention through add-on components such as antivirus, antispyware, vulnerability protection, URL filtering and file blocking profiles. User- and group-based firewall rules can be customized through Active Directory integration. Maintaining 5 Gbps of throughput with all of the above working at the same time is what sets the PA-4050 apart from the major players in the market.
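The two ideas the review leans on (identifying an application by what is in the payload rather than by the port it arrives on, and a policy rule that carries an application field in addition to zone and service) can be made concrete with a small simulation. The following is an added example written for this article; it is not Palo Alto's App-ID code, and the PA-4050's real signature library is proprietary. The signature checks use well-known protocol markers (the SSH banner, the BitTorrent handshake string, the HTTP request line, the TLS handshake record header) in a deliberately simplified form, and the flows, zone names and rule names are constructed for the demonstration. It shows how a port-only view labels an SSH session on port 443 as "ssl" and a BitTorrent handshake on port 80 as "web-browsing", while the signature-based view, combined with an application-aware rule, blocks the P2P flow and refuses the SSH-over-443 flow that a port-based allow rule would have let through.

```python
"""Port-based versus signature-based application identification, plus a
policy rule with an application field. Constructed example, not the
PA-4050's own logic; signatures are simplified protocol markers."""

from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# Legacy view: the destination port alone decides the application.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 6881: "bittorrent"}


def _is_tls_client_hello(p: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version major 0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello) at offset 5.
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


# Simplified, constructed signature table: (application name, matcher on the
# first bytes the client sends). Order matters; first match wins.
SIGNATURES: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("web-browsing", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")),
    ("ssl", _is_tls_client_hello),
]


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    payload: bytes  # first client-to-server bytes of the session


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str               # "any" acts as a wildcard
    dst_zone: str
    applications: FrozenSet[str]  # frozenset({"any"}) acts as a wildcard
    action: str                 # "allow" or "deny"


def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_signature(flow: Flow) -> str:
    for name, matches in SIGNATURES:
        if matches(flow.payload):
            return name
    return "unknown"


def rule_matches(rule: Rule, flow: Flow, app: str) -> bool:
    zones_ok = rule.src_zone in ("any", flow.src_zone) and rule.dst_zone in ("any", flow.dst_zone)
    app_ok = "any" in rule.applications or app in rule.applications
    return zones_ok and app_ok


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str, str]:
    """Return (rule name, identified application, action); first match wins,
    and anything no rule matches falls to an implicit default deny."""
    app = classify_by_signature(flow)
    for rule in rules:
        if rule_matches(rule, flow, app):
            return rule.name, app, rule.action
    return "default-deny", app, "deny"


# Constructed policy: block P2P anywhere, then allow web traffic outbound.
RULES = [
    Rule("block-p2p", "any", "any", frozenset({"bittorrent"}), "deny"),
    Rule("allow-web", "trust", "untrust", frozenset({"web-browsing", "ssl"}), "allow"),
]

# Constructed sample flows, including two that try to hide on well-known ports.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "ssh-on-443": Flow("trust", "untrust", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "bittorrent-on-80": Flow("trust", "untrust", 80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40),
    "http-on-80": Flow("trust", "untrust", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "tls-on-443": Flow("trust", "untrust", 443, b"\x16\x03\x01\x00\x40\x01\x00\x00\x3c\x03\x03"),
}


def run_demo() -> Dict[str, Dict[str, str]]:
    """Classify every sample flow both ways and evaluate the policy."""
    results = {}
    for name, flow in SAMPLE_FLOWS.items():
        rule, app, action = evaluate(RULES, flow)
        results[name] = {"port_view": classify_by_port(flow), "app_view": app,
                         "rule": rule, "action": action}
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:18} port-view={r['port_view']:13} app-view={r['app_view']:13} "
              f"rule={r['rule']:13} action={r['action']}")
```

The point of the ordering is that "block-p2p" is evaluated before "allow-web" and keys on the identified application, so the BitTorrent handshake on port 80 never reaches the web rule; and because "allow-web" names only web-browsing and ssl, the SSH session on port 443 falls through to the default deny even though a service-only rule for port 443 would have allowed it.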
We were impressed by the Applipedia (a wiki of application descriptions) and by the analysis provided through the UI as well as on the company website.
This was first published in March 2008.