Published: 01 Mar 2008
PA-4050 REVIEWED BY PHORAM MEHTA
Palo Alto Networks Price: $60,000
Firewall vendors have tried to keep up with the ever-changing Internet landscape, adding functionality to the core firewall engine that lets enterprises obtain intelligence on network traffic beyond the IP addresses and ports used. But no firewall has been able to achieve all that without the help of other tools and technologies, from packet sniffers to IDS/IPS to proxy servers.
Palo Alto Networks, founded by world-renowned firewall authority Nir Zuk, just might have found the answer in the PA-4050 appliance, running a hardened Linux OS and powered by Intel Xeon processors to deliver up to 10 Gbps of firewall throughput.
Unlike traditional firewalls that identify applications only by protocol and port number, Palo Alto's next-generation firewall uses packet inspection and a library of application signatures to distinguish between applications that use the same protocols and ports, and to identify potentially malicious apps that use nonstandard ports. Beyond application visibility, the PA-4050 allows admins to control the flow of an application, regardless of the ports used.
Although the PA-4050 offers a command-line interface, using the Web GUI was much simpler, at least for the initial setup. The appliance can be run in three modes: virtual wire, Layer 2, or Layer 3.
Virtual wire, better known as transparent or inline mode, is the default configuration and does not require many configuration changes. In Layer 2 mode, the appliance, which is equipped with 24 interfaces (16 10/100/1000 and eight SFP ports), can act as a firewall and also address your switching needs. This comes in handy where the network is divided into multiple VLANs, each with its own security requirements. Layer 3 mode is the most like traditional firewalls that operate at the network layer.
A given interface can only run in one mode at a time, but the device as a whole can have multiple interfaces operating in any of the three modes simultaneously. This allows organizations to consolidate network security gateway devices while increasing overall throughput and simplifying administration, without losing visibility into network traffic at each OSI layer. Also, in Layer 3 mode, customers have the option to further segment the network by creating multiple virtual systems, which let administrators customize firewall rules for various departments based on physical interfaces, IP addresses or subnets.
The policy rule interface has a very familiar look, with a couple of extra parameters. In addition to the typical source/destination zone/IP/service fields, administrators can also set application rules as an added control, covering apps such as P2P, IM and multimedia that use dynamically assigned ports, or that share well-known ports such as 80 or 443 with required business applications.
Additional options provide real-time threat prevention through add-on components such as antivirus, antispyware, vulnerability protection, URL filtering and file blocking profiles. User- and group-based firewall rules can be customized through Active Directory integration. Maintaining 5 Gbps of throughput with all of the above running at the same time is what sets the PA-4050 apart from the major players in the market.
We were impressed to see the Applipedia (a wiki for applications) and the analysis provided through the UI as well as on the company website.
The PA-4050's key component, App-ID, uses three classification engines working in concert to accurately identify the applications traversing the network, irrespective of the ports used. This enables enterprises to address security evasion tactics such as the use of nonstandard ports, dynamically changing ports and protocols, emulating other applications, and tunneling to bypass existing firewalls.
The application decoder engine identifies the protocol structure and the overall traffic pattern to flag anomalies. The signature engine identifies the exact application based on more than 450 definitions, which are updated periodically; updates have to be downloaded manually through the administration portal, and we received two updates during our one-month review.
The SSL decryption engine offers visibility into encapsulated traffic without disclosing any of the data contents.
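To make the port-versus-application distinction concrete, here is an added toy example (not Palo Alto's code; the signatures, port table, policy and sample flows are all constructed for illustration) that classifies a few flows by payload signature rather than by port, then applies an application-based allow/deny rule of the kind described in the policy section above.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first bytes of the client-to-server stream


# Constructed signatures for this example (not Palo Alto's definitions):
# (application name, pattern matched against the start of the payload)
SIGNATURES = [
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("web-browsing", re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
]

# Traditional port-based lookup, kept only for comparison
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 6881: "bittorrent"}

# Constructed policy: (application, action); first match wins, default deny
POLICY = [("web-browsing", "allow"), ("ssh", "allow"), ("bittorrent", "deny")]


def classify_by_port(flow: Flow) -> str:
    # What a port-only firewall would call this flow
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_signature(flow: Flow) -> str:
    """Identify the application from the payload, ignoring the port entirely."""
    for app, pattern in SIGNATURES:
        if pattern.match(flow.payload):
            return app
    return "unknown"


def policy_action(app: str) -> str:
    for rule_app, action in POLICY:
        if rule_app == app:
            return action
    return "deny"


def decide(flow: Flow) -> dict:
    """Compare the port-based guess with the signature-based verdict and policy."""
    app = classify_by_signature(flow)
    return {"port_guess": classify_by_port(flow), "app": app, "action": policy_action(app)}


# Constructed sample flows showing the evasions the review mentions
SAMPLES = {
    "http_on_8080": Flow(8080, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
    "bittorrent_on_80": Flow(80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"i" * 20),
    "ssh_on_443": Flow(443, b"SSH-2.0-OpenSSH_7.9\r\n"),
}
```

Running `decide` over the samples shows the port-based guess being wrong or empty in every case while the signature verdict drives the policy decision.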
The application command center provides a very detailed, multilayer graphical representation of application activity at any given time, such as a real-time list of the top 10 applications in use, the top 10 high-risk applications, and so on. These lists can be clicked to obtain more information about each application, including IP addresses, access times and even user IDs if AD integration is configured.
The customizable dashboard displays general device information, such as the software version, the operational status of each interface, resource utilization, and up to 10 of the most recent entries in the threat, configuration, and system logs. Real-time on-box logging, in addition to the graphs, can be filtered on 17 different fields, including source/destination, user/group, application and usage. In addition to tracking user and traffic activities, the log viewer provides visibility into administrative changes to the firewall based on admin ID, timeframe, result and changes made. Except for the traffic log, all logs are saved locally by default. Traffic logs can be sent remotely to a syslog server or as email notifications. About 25 "top 50" predefined reports provide a good summary of all the major activities, threats, and traffic patterns. At this time, the reports cannot be exported to PDF, XML or any other format.
The PA-4050 also supports high-availability configurations, and organizations with multiple Palo Alto devices can use Panorama, the central management system, to manage all devices from a single interface.
Palo Alto's application-centric approach to traffic classification brings policy-based application control back to the network security team. The ability to trace network traffic to individual users rather than a subnet or an IP address might be of interest to many organizations as well. The add-on threat prevention components and real-time graphical reports make the PA-4050 a coveted security solution for organizations that require high firewall throughput while consolidating security devices.
Testing methodology: The PA-4050 was evaluated in a typical test lab environment open to the Internet. A variety of well-known and custom P2P and IM applications were used to send and receive traffic through the firewall, along with attacks, suspicious URLs and worm downloads.