Recently I had lunch with a network manager from a large community hospital. As we were discussing security and the Palo Alto Network (PAN) firewalls, I realized that many people view them as only application firewalls. After reviewing Palo Alto marketing materials, I believe part of that misconception is due to their focus on their signature application engine more so than their security and additional features. This blog explains PAN firewall’s capabilities as they relate to security and the corporate network from a holistic perspective.
I’ve been a security engineer for almost 12 years, and my opinion is that PAN firewalls are leaps and bounds ahead of the competition in almost every category. Below are my observations on their security and design advantages.
- Undetectable: Other firewalls use layer 2 and layer 3 configuration, which allows hackers to detect and signature their presence. The Palo Alto firewall can be installed on tap or in Layer 1 configuration, which makes this device impossible to detect as it collects data on all packets from layer 1 through 7. This capability allows the security engineer to design a demilitarized zone and a honeypot in one, providing the ability to track and replay an attack at any time.
- Defense In-Depth: The Palo Alto firewall takes care of malware protection, spyware protection, virus protection, application protection and URL filtering in one device. This allows the firewall administrator a single, integrated device to manage and protect the network. Most other firewalls either require modules that are not integrated well with the management interface, or lack the ability to have a variety of configurations in any one box.
- Multiple Core Processors: In the Palo Alto line up of firewalls the data plane and the management interface utilize two different CPUs, allowing the firewall to function regardless of how busy the management interface gets. In addition, the bigger boxes have quad processors or greater allowing them to handle the extra SSL traffic and other processor intensive functions without delay.
- Single Pass Architecture: Speed is paramount when it comes to networks and firewalls by their nature of having to inspect every packet increase latency. Many firewall vendors cheat by inspecting only part of the header or the data field of the packets and/or make an assumption about a stream of data based on a single packet. Palo Alto addressed this problem by creating a single-pass architecture which inspects the packets and keeps them flowing continuously and in almost line speed.
- Application Inspection: If you manage a firewall and look at the traffic reports, you will see many ports with source/destination IPs. These are actually meaningless since most applications can use any port masking most attacks as normal Internet traffic. On the other hand, the PAN firewall inspects each data stream and decides conclusively the nature of each application. In addition, the firewall gives the administrator the security status (number from 0-5) that summarizes the level of security of the network.
In summary, Palo Alto firewall’s ability to filter packets by country, application, URL, threat, or direction creates a single, unified threat management device that is comprehensive in its security profile, extremely fast, and provides a holistic approach to what security is moving towards.
Learn more about Palo Alto Network firewalls and CrossRealm’s unique approach to IT solutions here.