Palo Alto Networks offers 'next-gen' firewall

By Daniel Robinson
Dec 4, 2008 9:37 AM
New technology offers greater control over traffic by identifying users and applications.


A new type of firewall promises to remedy the deficiencies of current security products by giving IT departments greater visibility and control over the applications being run across the network.

Palo Alto Networks has been operating in the US for about 18 months, but is now making its family of firewall appliances available in Europe. These address the threat posed by newer applications such as peer-to-peer and social networking that evade conventional firewalls because they look like browser traffic.

"Everyone has a firewall, but what is it doing for you? Nobody can really say. Their answers are usually about protecting servers and logging access. But the firewall is using port numbers and IP addresses to classify applications, and these apps don't follow normal conventions so they just look like a web browser to the firewall," said Palo Alto chief technology officer Nir Zuk.

The company analysed 60TB of traffic taken from corporate networks and found that 92 per cent of businesses had peer-to-peer applications operating, while 83 per cent had users running Google Docs, potentially uploading sensitive files into the cloud.

"If you look at the logs, the firewall will tell you that a user was web browsing," Zuk said.

Palo Alto claims that its technology can identify the source application of a packet, identify users regardless of their IP address, and protect against threats, all at multi-gigabit speeds without performance degradation.

Zuk said that administrators can set policies to secure data without having to block applications. Facebook could be allowed for some users, for example, but the firewall would block any attempts to upload documents to the site.

Each appliance uses custom silicon to examine packets, and classifies applications by signature. Called App-ID, this technology currently identifies more than 700 applications, according to Zuk.

If an application cannot be recognised, the traffic is recorded and can be uploaded to Palo Alto to be added to the database. The appliance also detects and blocks worms, viruses and spyware in real time, the firm said.

The appliances can be deployed in place of an existing firewall, or alongside it to provide application visibility for setting policy-based controls.

One customer currently trialling Palo Alto's technology is Reed Specialist Recruitment. "With 'Generation Y' coming into the workforce you want to allow Web 2.0, but you don't want to waste productivity. How do you do that without blocking or restricting access?" said Sean Whetstone, head of IT services at the company.

Most companies think their network is clean, Whetstone added, "but put one of these devices on the network and you find it's a different story".

The appliances are available in four sizes based on the volume of traffic they can handle, ranging from 500Mbit/s up to 10Gbit/s, with prices from €14,000 (£11,980) up to €93,000 (A$182,218). Palo Alto also charges a maintenance fee of 16 per cent per annum, while options such as URL filtering also cost extra.

Copyright © 2008 vnunet.com

 