



Network Firewall
Information Security Magazine, March 2008

 

PA-4050 REVIEW by Phoram Mehta

 

Unlike traditional firewalls that identify applications only by protocol and port number, Palo Alto Networks' next-generation PA-4050 uses packet inspection and a library of application signatures to distinguish between applications that use the same protocols and ports, and to identify potentially malicious apps that use nonstandard ports.

 

Installation/Setup
Although the PA-4050 offers a command-line interface, the Web GUI is much simpler, at least for the initial setup. The appliance can be run in three modes: virtual wire, Layer 2 or Layer 3. Virtual wire, best known as transparent mode or inline mode, is the default configuration and does not require many changes. In Layer 2 mode, the appliance, which is equipped with 24 interfaces--16 10/100/1000 and eight SFP ports--can act as a firewall and address switching needs. This is useful for networks divided into multiple VLANs, each with its own security requirements. Layer 3 is most like the traditional firewalls that operate on the network layer.

 

Controls
The policy rule interface has a very familiar look with a couple of extra parameters. In addition to the typical source/destination zone/IP/service fields, administrators can also set application rules as an added control, for example for P2P, IM and multimedia apps that use dynamically assigned ports or well-known ports such as port 80 or 443.

 

Additional options provide real-time threat prevention with add-on components such as antivirus, antispyware, vulnerability protection, URL filtering and file blocking profiles. User/group-based firewall rules can be customized through Active Directory integration. Maintaining a 5 Gbps throughput with all options running sets the PA-4050 apart from other firewalls.

 

Effectiveness
The App-ID accurately identifies applications, irrespective of the ports used. This enables enterprises to address security evasion tactics such as the use of nonstandard ports, dynamically changing ports and protocols, emulating other applications, and tunneling to bypass existing firewalls.

 

The PA-4050, which can decrypt SSL traffic without revealing data content, identifies the protocol structure and the overall traffic pattern to flag anomalies. The signature engine identifies the exact application based on more than 450 definitions, with occasional updates downloaded manually.

 

Administration/Monitoring
The customizable dashboard displays general device information and up to 10 of the most recent entries in the threat, configuration and system logs. Real-time on-box logging, in addition to the graphs, can be filtered on 17 different fields, including source/destination, user/group, application and usage. In addition to tracking user and traffic activities, the log viewer provides visibility into administrative changes to the firewall. Traffic logs can be sent remotely to a syslog server or as email notifications.

 

The application command center provides a detailed multilayer graphical representation of the application activity at any given time.

Also, about 25 predefined reports provide a good summary of all the major activities, threats and traffic patterns. Reports cannot be exported to PDF, XML or any other format.

 

PA-4050 supports high-availability configuration, and Palo Alto's central management system, Panorama, can be used to manage multiple devices.

 

Verdict

Palo Alto's application-centric approach, add-on threat prevention components and real-time graphical reports make the PA-4050 a coveted security solution for organizations that require high firewall throughput and want to consolidate security devices.

 

Testing methodology: We tested the PA-4050 by using well-known and custom P2P and IM applications to send and receive traffic through the firewall along with attacks, suspicious URLs and worm downloads.
