Palo Alto Networks is expanding into Europe with a product which acts as a multi-function security appliance designed to overcome the performance limitations of unified threat management devices. Although UTM boxes offer the convenience of an all-in-one device, the performance issue can be a distinct shortcoming. Thus Palo Alto’s “next-gen firewalls” have the potential to take some market share.
Traditional stateful firewalls are pretty much table stakes for network security by now, in that all companies have them, and they still represent a significant chunk of budgets allocated specifically to this area of activity (Palo Alto reckons as much as 80%). However, their shortcomings have been evident for a number of years, so much so that a bevy of specialist segments have grown up over the last decade, each with its own group of start-ups, offering additional functionality that a firewall per se cannot. Such additional features include anti-virus (AV), anti-spam (AS) and anti-spyware, often collectively referred to as anti-malware, intrusion detection and prevention systems (IDS/IPS) and content filtering.
All these functions followed the standard evolution path from being offered as software for loading onto a server by the customer, to preconfigured appliances and, in some cases, software-as-a-service. In parallel, there have also been moves to bundle multiple functions into a single device, which is what UTM is all about. The latter gained a considerable head of steam back in 2005-7, though UTM is not without its critics. They argue that UTM devices may boast multiple functions, but since they are often just commodity server hardware running the software, the reality is that as more and more functions are turned on, they place an increasing burden on the processor and performance takes a hit on most of these boxes.
There are, of course, exceptions, such as the UTM devices from companies like Crossbeam, which use a purpose-built switching backplane to address this issue. Yet, these are much more high-end boxes, a fact that is also reflected in their price.
Palo Alto seeks to overcome the performance issue of multi-function edge security devices by deploying silicon it developed itself to offload the more processor-intensive functions such as content filtering. It also does termination and re-encryption of SSL traffic in order to inspect it, which is something the IDS/IPS vendors had to add in their second phase of development, as use of that encryption technique grew and offered a bypass around inspection techniques.
Palo Alto also claims that its product addresses what it considers to be current firewalls’ most serious shortcoming of all, namely their inability to distinguish between standard Web browsing activity and peer-to-peer applications such as eMule, leaving corporate networks open to data leakage as a result. It does this by learning to recognize such apps, in some cases writing signatures for them and, where that is not appropriate, by relying on protocol decoders and heuristics. The next-generation firewall can currently identify around 750 such apps, and plans to reach 1,000 in the first half of next year.
Finally, the company has developed a series of patent-pending smarts to identify actual users on a corporate network in a transparent, agentless way, such that it can determine that person A is going to Facebook, which they’re allowed to do, but that they are not allowed to upload files there, for instance.
Because it relies on proprietary ASIC technology, Palo Alto offers its technology as appliances, currently offered in a range of SKUs, from an entry-level 100Mbps box with a US list price of $14,000 to one with four 10Gb and four GbE ports, listing at $93,000 in the US.