Today's threat prevention solutions suffer from two problems that limit their effectiveness. First, they are unable to identify, and therefore cannot inspect, a new generation of applications used to deliver threats.

Intrusion Prevention Systems (IPS)

Today's threats increasingly use newer applications that are invisible to most firewalls and threat detection solutions. Applications such as instant messaging, P2P file sharing, Skype and webmail all use evasion tactics of one type or another. Evasive applications dynamically hop ports, reuse ports assigned to other services, emulate other applications or tunnel inside SSL, so they go unidentified and therefore escape inspection.

Existing Intrusion Prevention Systems (IPS) do a relatively good job of looking for threats in traditional protocols like FTP and POP3, but fail to scan this new class of applications because of their evasive tactics. Most IPS still use port and protocol as the initial traffic classification mechanism, and so select the wrong decoder, or none at all, for an application that does not sit on its expected port, which lets the threat-carrying application slip past.
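The following is an added illustration of the point above, not code from Palo Alto Networks or a description of how App-ID works. It classifies a handful of constructed flows two ways: by destination port, as a port-first IPS does, and by looking at the first bytes on the wire. The signature checks (HTTP method prefix, TLS handshake record, BitTorrent handshake, FTP/POP3 greetings) are small heuristics written for this example; the port numbers and hostnames in the sample flows are made up.

```python
"""Added example: why port-based classification misses evasive applications.

The sample flows are constructed for this example, and the first-bytes
heuristics are illustrative only; they are not any vendor's decoder logic.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Port table a port-first IPS consults to choose its protocol decoder.
PORT_TABLE = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 110: "pop3", 443: "ssl"}


@dataclass
class Flow:
    dport: int          # destination port
    first_bytes: bytes  # first bytes seen on the flow, whichever side sent them


def classify_by_port(flow: Flow) -> str:
    """What a port/protocol-first IPS assumes the flow is."""
    return PORT_TABLE.get(flow.dport, "unknown")


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_by_payload(flow: Flow) -> str:
    """Identify the application from its first bytes, ignoring the port."""
    p = flow.first_bytes
    if p.startswith(HTTP_METHODS):
        return "http"
    if p.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 22 (handshake), major version 3.
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04:
        return "ssl"
    # BitTorrent peer-wire handshake: pstrlen 19 followed by the protocol string.
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if p.startswith(b"220 "):   # FTP server greeting (the server speaks first)
        return "ftp"
    if p.startswith(b"+OK"):    # POP3 server greeting
        return "pop3"
    return "unknown"


def find_evasive(flows: List[Flow]) -> List[Tuple[int, str, str]]:
    """Return (dport, port_label, payload_label) for flows where the labels disagree.

    A port-first IPS runs the wrong decoder, or no decoder, on every flow listed.
    """
    out = []
    for f in flows:
        by_port, by_payload = classify_by_port(f), classify_by_payload(f)
        if by_port != by_payload:
            out.append((f.dport, by_port, by_payload))
    return out


# Constructed sample data (not captured traffic).
# TLS record: type 22, version 3.1, length 44, then a zero-filled ClientHello body.
TLS_CLIENT_HELLO = bytes.fromhex("160301002c01") + b"\x00" * 43
# BitTorrent handshake: pstrlen, pstr, 8 reserved bytes, 20-byte info hash, 20-byte peer id.
BT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20 + b"-EX0001-" + b"\x00" * 12

SAMPLE_FLOWS = [
    Flow(80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),   # ordinary web
    Flow(80, BT_HANDSHAKE),                                       # P2P reusing the web port
    Flow(443, TLS_CLIENT_HELLO),                                  # ordinary HTTPS
    Flow(80, TLS_CLIENT_HELLO),                                   # tunnelling inside SSL on port 80
    Flow(12345, b"GET /update HTTP/1.1\r\nHost: host.example\r\n\r\n"),  # port-hopped HTTP
    Flow(21, b"220 ftp.example.com FTP server ready\r\n"),
    Flow(110, b"+OK POP3 server ready\r\n"),
    Flow(25, b"SSH-2.0-OpenSSH_9.6\r\n"),                         # SSH hiding on the mail port
]

if __name__ == "__main__":
    for dport, by_port, by_payload in find_evasive(SAMPLE_FLOWS):
        print(f"port {dport}: port-based says {by_port!r}, payload says {by_payload!r}")
```

Four of the eight constructed flows are mislabelled by port alone: BitTorrent and a TLS tunnel on port 80, HTTP on an arbitrary high port, and SSH on port 25. The port-first approach would hand the BitTorrent bytes to an HTTP decoder and skip the high-port flow entirely; the TLS-on-port-80 case shows the further limit that once the application is identified as SSL, nothing inside it can be inspected without decryption.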

The second problem IPS suffer from is performance. Finding application vulnerability exploits means looking deep into the application traffic and its payload to locate and remove the threat. This process is computationally intensive, and typically results in low throughput, high latency, or a trade-off of security for performance.

Palo Alto Networks' Next-Generation Firewalls

Palo Alto Networks' next-generation firewalls address both of these issues with a two-pronged approach to threat prevention. First, identify and control the applications traversing the network to reduce the threat footprint; then inspect the permitted traffic for application vulnerability exploits using a single-pass software architecture that is accelerated in hardware.

Learn more about Palo Alto Networks' high-speed IPS.