SlideShare a Scribd company logo

Fact v fiction_competing_with_checkpoint_applicationblade

Chandan Munshi
Chandan Munshi
Technology
1 of 4
Download to read offline
Palo Alto Networks vs. Check Point Clarifying the differences between Palo Alto Networks next-generation firewall and Check Point’s Application Control Blade; a port-based firewall add-on. About Check Point: CP Fiction: Stateful inspection + Application Blade will do what Palo Alto Networks does. • Large, well known security vendor; first to Check Point’s port-based stateful inspection FW with UTM-style add-on blades will not deliver the safe Fact: market with a stateful inspection port-based application enablement that Palo Alto Networks does. firewall. Additional • Application Blade is an IPS engine with application signatures; it uses a negative control model to • Broad line of FW UTM add-ons (“Blade only block recognized applications on standard ports. Architecture”) sourced from a combination of supporting development and acquisitions. details: • With Application Blade, there will be two completely separate policy tables (and management tabs) for application controls – one for the firewall and one for the Application Blade. This means that the • Thousands of loyal customers, publically traded application and user control is NOT part of the firewall policy. with consistent earnings. Solid UI and management. • Administrators will need to configure the Application Blade to look for applications (it is not enabled About Palo Alto Networks: by default); expanding classification to non-standard ports is an added configuration step. • First to market with a next-generation firewall • The add-on Blade approach and tab-based integration means there is no way to positively enable that classifies traffic based on the application, applications (e.g., allow and apply QoS, allow and scan for viruses, allow at specific times). first and foremost. • Application Blade cannot inspect SSL traffic; it does not include common protocols and is unable to • Safe-application-enablement approach to FW enable key application functions such as file transfer within an application. security is described as visionary and disruptive by Gartner. All other vendors forced to follow. Palo Alto Networks App-ID is THE traffic classification mechanism; it classifies all traffic, on all ports, all the time – by application. The resulting application information is used as the basis for all firewall security • Young, rapidly growing company with 2,500 policy decisions – allow, deny, inspect, shape, schedule, etc. customers worldwide. • Cash flow positive the last 2 consecutive Q) Which traffic classification mechanism will the Application Blade execute first – stateful inspection, or Questions to quarters; on a $100 M annual sales run rate L7 (application) classification? ask: (WSJ, 10/29/2010). App-ID is THE Palo Alto Networks traffic classification mechanism; it looks at all ports, all traffic to FIRST Key Palo Alto Networks Differentiators: determine the application identity. • App-ID: Traffic classification that delivers Q) Are all of the Application Blade identification techniques across all ports enabled by default? application visibility and control, irrespective of All four of the mechanisms in Palo Alto Networks App-ID are always on, always looking across all ports, port, protocol, SSL or evasive tactic, as the at all traffic to identify applications. basis of firewall classification, not an add-on. Q) If the Application Blade classifies traffic AFTER the FW, where is policy enforcement determined and • User-ID: Integration with every major directory executed – in the FW or the Blade? service: Active Directory, Open LDAP, and eDirectory; as well as with Citrix, and Microsoft App-ID is the basis of Palo Alto Networks FW and the application identity is determined first and is then Terminal Servers. used as the basis of all policies – allow, deny, allow and scan, allow and shape, etc. • Content-ID: the only firewall to achieve NSS Q) What makes this different from previous attempts at Application Control? rated 94% effectiveness in IPS testing; gateway- based malware prevention; comprehensive URL This will be Check Point’s third attempt at the application identification issue – AI, SmartDefense, and filtering database; all integrated into a single now an OEM database from Facetime – why will this effort succeed? pass engine to maximize performance. • Purpose-built platform that uses four dedicated banks of function-specific processing to perform application identification, inspection and control. Competitive data is generated from public information sources. 1
Palo Alto Networks vs. Check Point Clarifying the differences between Palo Alto Networks next-generation firewall and Check Point’s Application Control Blade; a port-based firewall add-on. CP Fiction: Stateful inspection + Application Blade = Next Generation Check Point’s application signature database is the largest in Firewall (NGFW) the world. Gartner defines a NGFW as a firewall with full stack visibility – not a port-based More is not better. More, in the network security world, is inefficient and risky. Fact: FW with UTM-style add-ons. More importantly, port-based classification cannot More creates management and performance headaches. Many of the 50,000 are accurately ID the application traffic, making reliable control over those widgets (45,000+), and many “core applications” are specific client and OS applications impossible. variants, making control efforts a management nightmare. Additional • Application control needs to be done in the FW, the heart of your security • App-ID is how Palo Alto Networks classifies traffic. App-ID uses as many as infrastructure. Control over what goes in and out of your network is what a four mechanisms to monitor how an application and user interact. supporting FW is designed to do. Attempting to accomplish this goal with a UTM-style details: add-on is ineffective. • App-ID is client and OS agnostic, which means one App-ID is equal to many, many signatures used in other offerings. • App-ID is how Palo Alto Networks classifies traffic. App-ID uses as many as four mechanisms to determine the identity of the application, irrespective of • A single App-ID can “identify” more application variants than a single CP port, protocol, SSL or evasive tactic. signature. • App-ID is always enabled, and is automatically applied to all traffic, across • Example: the single BitTorrent App-ID will see the equivalent to 40+ CP all ports. BitTorrent signatures. • Positive enforcement model firewall policies are based on the application identity, not the port. Q) How will CP identify an application that has already been (mis)classified by Q) What is the most efficient use of your administrator’s time – managing Questions the port it came in on? signatures for widgets and obscure client applications, or enabling application to ask: usage for your user community? The VERY first task Palo Alto Networks executes with App-ID is the identification of the application, which becomes the basis of all security policy decisions. Visibility into all applications, across all ports is automatic. Enabling applications, irrespective of port, protocol, SSL, client version, OS or rev level is done through Q) Did Check Point re-write their FW with the Application Blade or is it an add-on a unified, easy-to-use policy editor. to their existing FW? Q) Can the Application Blade inspect inbound and outbound SSL? Palo Alto Networks is the only FW to deliver full stack visibility through our FW traffic classification mechanism; Check Point still uses port-based stateful Palo Alto Networks is the only FW to identify and control inbound and outbound inspection to perform its initial traffic classification, which eliminates the ability to SSL – traffic can be decrypted, inspected, re-encrypted and forwarded. securely enable applications. Q) How will your internal, custom applications be identified and managed? Palo Alto Networks enables you to address custom applications in two ways (1) an application override; (2) by writing your own custom application signature. Q) How are application false positives and application updates managed? An OEM relationship + well-known internal bureaucracy will hinder responses to application false positives and application updates. And what about evasive applications like UltraSurf that change every week? Palo Alto Networks understands these challenges and has a proven team and infrastructure in place to address them. Competitive data is generated from public information sources. 2
Palo Alto Networks vs. Check Point Clarifying the differences between Palo Alto Networks next-generation firewall and Check Point’s Application Control Blade; a port-based firewall add-on. CP Fiction: Palo Alto Networks User-ID requires an agent on every desktop, Application Blade will run on any gateway. our user control is agentless. CP User control requires a significant client on the network for management The Application Blade may run on every gateway, but the performance impact Fact: (SmartCenter) with ties directly into AD. Check Point UserCheck will require an will be significant and may require unplanned (and un-budgeted) platform agent on every desktop for “user involvement”. upgrades. Additional • Palo Alto Networks User-ID requires a single agent deployed on the • CP platforms are optimized for stateful inspection fast-path, a mechanism network, talking to Active Directory, Open LDAP, and eDirectory; as well as where, once traffic is classified it is untouched until it changes. supporting with Citrix, and Microsoft Terminal Servers. details: • CP platforms are NOT optimized for level classification for all traffic on all • User-ID does not rely on centralized management infrastructure. ports. • Palo Alto Networks “user involvement” is accomplished through flexible and • The impact of enabling all 50,000 signatures for all traffic, on all ports will customizable comfort (block) pages for all elements, applications, URLs, file result in IPS-level or worse performance. downloads and more. User involvement does not require an agent deployed Palo Alto Networks platforms utilize dedicated, high performance processing for to individual desktops. networking, security, threat prevention, and management to delivers multi-Gbs throughput of application level inspection across all ports, on all traffic. Q) Can Check Point see and control applications for LDAP, eDirectory, Citrix, Q) Think seriously about this question: what will happen to the performance Questions TSE users as well as Active Directory? of your existing gateway when you enable all 50,000 application signatures for all to ask: traffic? Now in its 4th iteration, Palo Alto Networks User-ID integrates with the widest range of directory services in the FW market. In addition, it also supports an XML Remember what happened when you enabled AI on Check Point? Or IPS on API for custom integration with other user repositories. some other FW platform? L7 inspection is processing intensive – Palo Alto Networks recognized that and built a platform to address the requirements. Our Q) Can Check Point present the user with comfort pages when something is performance is measured with App-ID (application inspection) enabled, on all blocked or violates policy – without requiring agent deployment? ports, for all traffic, for all 1,100+ App-IDs. Our performance is proven. Check Palo Alto Networks allows administrators to present the user with fully Point’s Application Blade is unproven. customizable block pages for all elements (applications, URLs, files, etc) without Q) Has the platform been built specifically to perform port-based classification or a desktop agent, to inform, warn or coach a user about policy violations. application-based classification? The Palo Alto Networks platform has been developed with the express purpose of identifying applications (L7) on all ports, for all traffic, all of the time. Q) What performance metrics do they have when application control is enabled on all traffic? The Palo Alto Networks performance metrics are based on application identification, not port-based classification. Competitive data is generated from public information sources. 3
Palo Alto Networks vs. Check Point Clarifying the differences between Palo Alto Networks next-generation firewall and Check Point’s Application Control Blade; a port-based firewall add-on. CP Fiction: Palo Alto Networks is an unproven, niche’ vendor with limited Palo Alto Networks cannot support a large scale deployment. customers. Our experience, a rapidly growing customer base and recognition by Gartner Palo Alto Networks has a full line of support, education, and professional Fact: indicate Palo Alto Networks is more than a ‘niche” player. No other vendor has services delivered by a worldwide network of partners. Large scale references deployed more NGFWs as defined by Garner, than Palo Alto Networks. available on request. Additional • First customer ship in June of 2007; 2,500+ customers to date growing at Palo Alto Networks is already supporting many, many large scale deployments 25% Qtr-over-Qtr. with the following key elements. Supporting Details: • Palo Alto Networks is approaching the 4th major release and the 9th feature • Support: In-seat level 3 engineers 24/7 in the US, EMEA and APAC; 1,000s release of PAN-OS. of trained (ACE) SEs - partner and Palo Alto Networks – around the world. • Every customer is using the application visibility and control in our NGFW – • Education: Basic and advanced accreditation training (ACE) delivered by a it is the core of what Palo Alto Networks does. worldwide network of partners. • Recognized as “disruptive” and a “visionary” vendor by Gartner in most • Services: Design and planning best practices based on thousands of recent Enterprise FW Magic Quadrant. deployments, and automated policy migration tools for Check Point, Juniper and Cisco – all delivered by Palo Alto Networks and a worldwide network of • Cash flow positive the last 2 consecutive quarters; on a $100 M annual partners. sales run rate (WSJ, 10/29/2010). Q) How long have they been shipping their Application Blade? Q) How many customers do they have using application control? Questions to ask: Check Point has had zero releases! WHY WAIT? Palo Alto Networks has more than 2,500; growing on average at 25% Qtr-over- Qtr. Many are WW deployments with many, many devices. Q) How many customers do they have using application control? Q) How many application control references do they have? Palo Alto Networks has more than 2,500; growing on average at 25% QoQ. Why Wait? EVERY customer using our solution uses App-ID, our traffic classification to identify and control the applications on the network. Q) How many application control references do they have? Q) How many CP FW add-ons have you bought, and implemented, only to be EVERY customer using our firewall uses App-ID, our traffic classification disappointed in their functionality, performance or stability? mechanism. It is the core of our firewall, just as port-based classification is the core of Check Point’s FW. Palo Alto Networks has many references you can speak with regarding any functionality, performance, reliability, or support concerns you may have. Q) How confident are you that Check Point will execute successfully? The Check Point track record for FW add-ons has been poor (AI, SmartDefense, IPS, SSL VPN). Q) How many CP FW add-ons have you bought, and implemented, only to be disappointed in the functions, performance or stability? Palo Alto Networks has many references you can speak with regarding any functionality, performance, reliability, or support concerns you may have. Competitive data is generated from public information sources. 4

Recommended

Breakingpoint Application Threat and Intelligence (ATI) Program
Breakingpoint Application Threat and Intelligence (ATI) ProgramBreakingpoint Application Threat and Intelligence (ATI) Program
Breakingpoint Application Threat and Intelligence (ATI) Program
Ixia
 
Signify Software Tokens
Signify Software TokensSignify Software Tokens
Signify Software Tokens
pjpallen
 
Datasheet stonegate ips-allinone
Datasheet stonegate ips-allinoneDatasheet stonegate ips-allinone
Datasheet stonegate ips-allinone
Multibyte Consultoria
 
Datasheet stonegate fw-allinone
Datasheet stonegate fw-allinoneDatasheet stonegate fw-allinone
Datasheet stonegate fw-allinone
Multibyte Consultoria
 
Air defense advanced forensics module spec sheet
Air defense advanced forensics module spec sheetAir defense advanced forensics module spec sheet
Air defense advanced forensics module spec sheet
Advantec Distribution
 
Nx9500 datasheet
Nx9500 datasheetNx9500 datasheet
Nx9500 datasheet
Advantec Distribution
 
System Center Mobile Device Manager
System Center Mobile Device ManagerSystem Center Mobile Device Manager
System Center Mobile Device Manager
John Rhoton
 
CRENNO Technologies Network Consultancy & Session Border Controller Solut...
CRENNO Technologies Network Consultancy & Session Border Controller Solut...CRENNO Technologies Network Consultancy & Session Border Controller Solut...
CRENNO Technologies Network Consultancy & Session Border Controller Solut...
Erol TOKALACOGLU
 

Recommended

Breakingpoint Application Threat and Intelligence (ATI) Program
Breakingpoint Application Threat and Intelligence (ATI) ProgramBreakingpoint Application Threat and Intelligence (ATI) Program
Breakingpoint Application Threat and Intelligence (ATI) Program
Ixia
 
Signify Software Tokens
Signify Software TokensSignify Software Tokens
Signify Software Tokens
pjpallen
 
Datasheet stonegate ips-allinone
Datasheet stonegate ips-allinoneDatasheet stonegate ips-allinone
Datasheet stonegate ips-allinone
Multibyte Consultoria
 
Datasheet stonegate fw-allinone
Datasheet stonegate fw-allinoneDatasheet stonegate fw-allinone
Datasheet stonegate fw-allinone
Multibyte Consultoria
 
Air defense advanced forensics module spec sheet
Air defense advanced forensics module spec sheetAir defense advanced forensics module spec sheet
Air defense advanced forensics module spec sheet
Advantec Distribution
 
Nx9500 datasheet
Nx9500 datasheetNx9500 datasheet
Nx9500 datasheet
Advantec Distribution
 
System Center Mobile Device Manager
System Center Mobile Device ManagerSystem Center Mobile Device Manager
System Center Mobile Device Manager
John Rhoton
 
CRENNO Technologies Network Consultancy & Session Border Controller Solut...
CRENNO Technologies Network Consultancy & Session Border Controller Solut...CRENNO Technologies Network Consultancy & Session Border Controller Solut...
CRENNO Technologies Network Consultancy & Session Border Controller Solut...
Erol TOKALACOGLU
 
Introducing ThinkPhone
Introducing ThinkPhoneIntroducing ThinkPhone
Introducing ThinkPhone
Richard Marshall
 
PIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environmentPIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environment
Ramesh Nagappan
 
DSS ITSEC Conference 2012 - Radware WAF Tech
DSS ITSEC Conference 2012 - Radware WAF TechDSS ITSEC Conference 2012 - Radware WAF Tech
DSS ITSEC Conference 2012 - Radware WAF Tech
Andris Soroka
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile Device
Tyler Shields
 
G01.2013 magic quadrant for endpoint protection platforms
G01.2013 magic quadrant for endpoint protection platformsG01.2013 magic quadrant for endpoint protection platforms
G01.2013 magic quadrant for endpoint protection platforms
Satya Harish
 
12 wireless ips-ss_12-17-10_a
12 wireless ips-ss_12-17-10_a12 wireless ips-ss_12-17-10_a
12 wireless ips-ss_12-17-10_a
Advantec Distribution
 
Monitoreo y análisis de aplicaciones "Multi-Tier"
Monitoreo y análisis de aplicaciones "Multi-Tier"Monitoreo y análisis de aplicaciones "Multi-Tier"
Monitoreo y análisis de aplicaciones "Multi-Tier"
GeneXus
 
License Management Overview
License Management OverviewLicense Management Overview
License Management Overview
Dominic Haigh
 
Palo alto networks_customer_overview_november2011-short
Palo alto networks_customer_overview_november2011-shortPalo alto networks_customer_overview_november2011-short
Palo alto networks_customer_overview_november2011-short
Ten Sistemas e Redes
 
Netflow analyzer- Datasheet
Netflow analyzer- DatasheetNetflow analyzer- Datasheet
Netflow analyzer- Datasheet
INSPIRIT BRASIL
 
Report Gartner Magic Quadrant For Security Web Gateway 2011 En
Report Gartner Magic Quadrant For Security Web Gateway 2011 EnReport Gartner Magic Quadrant For Security Web Gateway 2011 En
Report Gartner Magic Quadrant For Security Web Gateway 2011 En
RiccardoPelliccioli
 
Next generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsNext generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefits
Anthony Daniel
 
Why Its time to Upgrade a Next-Generation Firewall
Why Its time to Upgrade a Next-Generation FirewallWhy Its time to Upgrade a Next-Generation Firewall
Why Its time to Upgrade a Next-Generation Firewall
Ali Kapucu
 
Vfm palo alto next generation firewall
Vfm palo alto next generation firewallVfm palo alto next generation firewall
Vfm palo alto next generation firewall
vfmindia
 
Zero trust model for cloud computing.pptx
Zero trust model for cloud computing.pptxZero trust model for cloud computing.pptx
Zero trust model for cloud computing.pptx
kkhhusshi
 
Watchguard security proposal 2012
Watchguard security proposal 2012Watchguard security proposal 2012
Watchguard security proposal 2012
Jimmy Saigon
 
Air defense wireless_vulnerability_assessement_module_spec_sheet
Air defense wireless_vulnerability_assessement_module_spec_sheetAir defense wireless_vulnerability_assessement_module_spec_sheet
Air defense wireless_vulnerability_assessement_module_spec_sheet
Advantec Distribution
 
Web Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery PipelinesWeb Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery Pipelines
Avi Networks
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Amazon Web Services
 
CA Nimsoft Monitor for Vblock
CA Nimsoft Monitor for VblockCA Nimsoft Monitor for Vblock
CA Nimsoft Monitor for Vblock
CA Nimsoft
 
Traditional Firewall vs. Next Generation Firewall
Traditional Firewall vs. Next Generation FirewallTraditional Firewall vs. Next Generation Firewall
Traditional Firewall vs. Next Generation Firewall
美兰 曾
 
Comparison Review Forticlient x Kaspersky.pdf
Comparison Review Forticlient x Kaspersky.pdfComparison Review Forticlient x Kaspersky.pdf
Comparison Review Forticlient x Kaspersky.pdf
ImamBahrudin5
 

More Related Content

What's hot

PIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environmentPIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environment
Ramesh Nagappan
 
Monitoreo y análisis de aplicaciones "Multi-Tier"
Monitoreo y análisis de aplicaciones "Multi-Tier"Monitoreo y análisis de aplicaciones "Multi-Tier"
Monitoreo y análisis de aplicaciones "Multi-Tier"
GeneXus
 

What's hot (8)

Introducing ThinkPhone
Introducing ThinkPhoneIntroducing ThinkPhone
Introducing ThinkPhone
 
PIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environmentPIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environment
 
DSS ITSEC Conference 2012 - Radware WAF Tech
DSS ITSEC Conference 2012 - Radware WAF TechDSS ITSEC Conference 2012 - Radware WAF Tech
DSS ITSEC Conference 2012 - Radware WAF Tech
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile Device
 
G01.2013 magic quadrant for endpoint protection platforms
G01.2013 magic quadrant for endpoint protection platformsG01.2013 magic quadrant for endpoint protection platforms
G01.2013 magic quadrant for endpoint protection platforms
 
12 wireless ips-ss_12-17-10_a
12 wireless ips-ss_12-17-10_a12 wireless ips-ss_12-17-10_a
12 wireless ips-ss_12-17-10_a
 
Monitoreo y análisis de aplicaciones "Multi-Tier"
Monitoreo y análisis de aplicaciones "Multi-Tier"Monitoreo y análisis de aplicaciones "Multi-Tier"
Monitoreo y análisis de aplicaciones "Multi-Tier"
 
License Management Overview
License Management OverviewLicense Management Overview
License Management Overview
 

Similar to Fact v fiction_competing_with_checkpoint_applicationblade

Palo alto networks_customer_overview_november2011-short
Palo alto networks_customer_overview_november2011-shortPalo alto networks_customer_overview_november2011-short
Palo alto networks_customer_overview_november2011-short
Ten Sistemas e Redes
 
Report Gartner Magic Quadrant For Security Web Gateway 2011 En
Report Gartner Magic Quadrant For Security Web Gateway 2011 EnReport Gartner Magic Quadrant For Security Web Gateway 2011 En
Report Gartner Magic Quadrant For Security Web Gateway 2011 En
RiccardoPelliccioli
 
Vfm palo alto next generation firewall
Vfm palo alto next generation firewallVfm palo alto next generation firewall
Vfm palo alto next generation firewall
vfmindia
 
Watchguard security proposal 2012
Watchguard security proposal 2012Watchguard security proposal 2012
Watchguard security proposal 2012
Jimmy Saigon
 
Air defense wireless_vulnerability_assessement_module_spec_sheet
Air defense wireless_vulnerability_assessement_module_spec_sheetAir defense wireless_vulnerability_assessement_module_spec_sheet
Air defense wireless_vulnerability_assessement_module_spec_sheet
Advantec Distribution
 
Web Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery PipelinesWeb Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery Pipelines
Avi Networks
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Amazon Web Services
 
Gigamon - Network Visibility Solutions
Gigamon - Network Visibility SolutionsGigamon - Network Visibility Solutions
Gigamon - Network Visibility Solutions
Tom Kopko
 
WHGFeatures_BuyersGuide
WHGFeatures_BuyersGuideWHGFeatures_BuyersGuide
WHGFeatures_BuyersGuide
Eugene Yu
 
Watchguard security proposal 2012
Watchguard security proposal 2012Watchguard security proposal 2012
Watchguard security proposal 2012
Jimmy Saigon
 

Similar to Fact v fiction_competing_with_checkpoint_applicationblade (20)

Palo alto networks_customer_overview_november2011-short
Palo alto networks_customer_overview_november2011-shortPalo alto networks_customer_overview_november2011-short
Palo alto networks_customer_overview_november2011-short
 
Netflow analyzer- Datasheet
Netflow analyzer- DatasheetNetflow analyzer- Datasheet
Netflow analyzer- Datasheet
 
Report Gartner Magic Quadrant For Security Web Gateway 2011 En
Report Gartner Magic Quadrant For Security Web Gateway 2011 EnReport Gartner Magic Quadrant For Security Web Gateway 2011 En
Report Gartner Magic Quadrant For Security Web Gateway 2011 En
 
Next generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsNext generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefits
 
Why Its time to Upgrade a Next-Generation Firewall
Why Its time to Upgrade a Next-Generation FirewallWhy Its time to Upgrade a Next-Generation Firewall
Why Its time to Upgrade a Next-Generation Firewall
 
Vfm palo alto next generation firewall
Vfm palo alto next generation firewallVfm palo alto next generation firewall
Vfm palo alto next generation firewall
 
Zero trust model for cloud computing.pptx
Zero trust model for cloud computing.pptxZero trust model for cloud computing.pptx
Zero trust model for cloud computing.pptx
 
Watchguard security proposal 2012
Watchguard security proposal 2012Watchguard security proposal 2012
Watchguard security proposal 2012
 
Air defense wireless_vulnerability_assessement_module_spec_sheet
Air defense wireless_vulnerability_assessement_module_spec_sheetAir defense wireless_vulnerability_assessement_module_spec_sheet
Air defense wireless_vulnerability_assessement_module_spec_sheet
 
Web Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery PipelinesWeb Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery Pipelines
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
 
CA Nimsoft Monitor for Vblock
CA Nimsoft Monitor for VblockCA Nimsoft Monitor for Vblock
CA Nimsoft Monitor for Vblock
 
Traditional Firewall vs. Next Generation Firewall
Traditional Firewall vs. Next Generation FirewallTraditional Firewall vs. Next Generation Firewall
Traditional Firewall vs. Next Generation Firewall
 
Comparison Review Forticlient x Kaspersky.pdf
Comparison Review Forticlient x Kaspersky.pdfComparison Review Forticlient x Kaspersky.pdf
Comparison Review Forticlient x Kaspersky.pdf
 
Palo Alto Networks K-12
Palo Alto Networks K-12Palo Alto Networks K-12
Palo Alto Networks K-12
 
Gigamon - Network Visibility Solutions
Gigamon - Network Visibility SolutionsGigamon - Network Visibility Solutions
Gigamon - Network Visibility Solutions
 
WHGFeatures_BuyersGuide
WHGFeatures_BuyersGuideWHGFeatures_BuyersGuide
WHGFeatures_BuyersGuide
 
Watchguard security proposal 2012
Watchguard security proposal 2012Watchguard security proposal 2012
Watchguard security proposal 2012
 
2019 10-app gate sdp 101 09a
2019 10-app gate sdp 101 09a2019 10-app gate sdp 101 09a
2019 10-app gate sdp 101 09a
 
NUVX Technologies general solutions
NUVX Technologies general solutionsNUVX Technologies general solutions
NUVX Technologies general solutions
 

Recently uploaded

Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Paige Cruz
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
VictorSzoltysek
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
Srushith Repakula
 
Microsoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdfMicrosoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdf
Overkill Security
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
DianaGray10
 

Recently uploaded (20)

ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Microsoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdfMicrosoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdf
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 

Fact v fiction_competing_with_checkpoint_applicationblade

  • 1. Palo Alto Networks vs. Check Point Clarifying the differences between Palo Alto Networks next-generation firewall and Check Point’s Application Control Blade; a port-based firewall add-on. About Check Point: CP Fiction: Stateful inspection + Application Blade will do what Palo Alto Networks does. • Large, well known security vendor; first to Check Point’s port-based stateful inspection FW with UTM-style add-on blades will not deliver the safe Fact: market with a stateful inspection port-based application enablement that Palo Alto Networks does. firewall. Additional • Application Blade is an IPS engine with application signatures; it uses a negative control model to • Broad line of FW UTM add-ons (“Blade only block recognized applications on standard ports. Architecture”) sourced from a combination of supporting development and acquisitions. details: • With Application Blade, there will be two completely separate policy tables (and management tabs) for application controls – one for the firewall and one for the Application Blade. This means that the • Thousands of loyal customers, publically traded application and user control is NOT part of the firewall policy. with consistent earnings. Solid UI and management. • Administrators will need to configure the Application Blade to look for applications (it is not enabled About Palo Alto Networks: by default); expanding classification to non-standard ports is an added configuration step. • First to market with a next-generation firewall • The add-on Blade approach and tab-based integration means there is no way to positively enable that classifies traffic based on the application, applications (e.g., allow and apply QoS, allow and scan for viruses, allow at specific times). first and foremost. • Application Blade cannot inspect SSL traffic; it does not include common protocols and is unable to • Safe-application-enablement approach to FW enable key application functions such as file transfer within an application. security is described as visionary and disruptive by Gartner. All other vendors forced to follow. Palo Alto Networks App-ID is THE traffic classification mechanism; it classifies all traffic, on all ports, all the time – by application. The resulting application information is used as the basis for all firewall security • Young, rapidly growing company with 2,500 policy decisions – allow, deny, inspect, shape, schedule, etc. customers worldwide. • Cash flow positive the last 2 consecutive Q) Which traffic classification mechanism will the Application Blade execute first – stateful inspection, or Questions to quarters; on a $100 M annual sales run rate L7 (application) classification? ask: (WSJ, 10/29/2010). App-ID is THE Palo Alto Networks traffic classification mechanism; it looks at all ports, all traffic to FIRST Key Palo Alto Networks Differentiators: determine the application identity. • App-ID: Traffic classification that delivers Q) Are all of the Application Blade identification techniques across all ports enabled by default? application visibility and control, irrespective of All four of the mechanisms in Palo Alto Networks App-ID are always on, always looking across all ports, port, protocol, SSL or evasive tactic, as the at all traffic to identify applications. basis of firewall classification, not an add-on. Q) If the Application Blade classifies traffic AFTER the FW, where is policy enforcement determined and • User-ID: Integration with every major directory executed – in the FW or the Blade? service: Active Directory, Open LDAP, and eDirectory; as well as with Citrix, and Microsoft App-ID is the basis of Palo Alto Networks FW and the application identity is determined first and is then Terminal Servers. used as the basis of all policies – allow, deny, allow and scan, allow and shape, etc. • Content-ID: the only firewall to achieve NSS Q) What makes this different from previous attempts at Application Control? rated 94% effectiveness in IPS testing; gateway- based malware prevention; comprehensive URL This will be Check Point’s third attempt at the application identification issue – AI, SmartDefense, and filtering database; all integrated into a single now an OEM database from Facetime – why will this effort succeed? pass engine to maximize performance. • Purpose-built platform that uses four dedicated banks of function-specific processing to perform application identification, inspection and control. Competitive data is generated from public information sources. 1
  • 2. Palo Alto Networks vs. Check Point Clarifying the differences between Palo Alto Networks next-generation firewall and Check Point’s Application Control Blade; a port-based firewall add-on. CP Fiction: Stateful inspection + Application Blade = Next Generation Check Point’s application signature database is the largest in Firewall (NGFW) the world. Gartner defines a NGFW as a firewall with full stack visibility – not a port-based More is not better. More, in the network security world, is inefficient and risky. Fact: FW with UTM-style add-ons. More importantly, port-based classification cannot More creates management and performance headaches. Many of the 50,000 are accurately ID the application traffic, making reliable control over those widgets (45,000+), and many “core applications” are specific client and OS applications impossible. variants, making control efforts a management nightmare. Additional • Application control needs to be done in the FW, the heart of your security • App-ID is how Palo Alto Networks classifies traffic. App-ID uses as many as infrastructure. Control over what goes in and out of your network is what a four mechanisms to monitor how an application and user interact. supporting FW is designed to do. Attempting to accomplish this goal with a UTM-style details: add-on is ineffective. • App-ID is client and OS agnostic, which means one App-ID is equal to many, many signatures used in other offerings. • App-ID is how Palo Alto Networks classifies traffic. App-ID uses as many as four mechanisms to determine the identity of the application, irrespective of • A single App-ID can “identify” more application variants than a single CP port, protocol, SSL or evasive tactic. signature. • App-ID is always enabled, and is automatically applied to all traffic, across • Example: the single BitTorrent App-ID will see the equivalent to 40+ CP all ports. BitTorrent signatures. • Positive enforcement model firewall policies are based on the application identity, not the port. Q) How will CP identify an application that has already been (mis)classified by Q) What is the most efficient use of your administrator’s time – managing Questions the port it came in on? signatures for widgets and obscure client applications, or enabling application to ask: usage for your user community? The VERY first task Palo Alto Networks executes with App-ID is the identification of the application, which becomes the basis of all security policy decisions. Visibility into all applications, across all ports is automatic. Enabling applications, irrespective of port, protocol, SSL, client version, OS or rev level is done through Q) Did Check Point re-write their FW with the Application Blade or is it an add-on a unified, easy-to-use policy editor. to their existing FW? Q) Can the Application Blade inspect inbound and outbound SSL? Palo Alto Networks is the only FW to deliver full stack visibility through our FW traffic classification mechanism; Check Point still uses port-based stateful Palo Alto Networks is the only FW to identify and control inbound and outbound inspection to perform its initial traffic classification, which eliminates the ability to SSL – traffic can be decrypted, inspected, re-encrypted and forwarded. securely enable applications. Q) How will your internal, custom applications be identified and managed? Palo Alto Networks enables you to address custom applications in two ways (1) an application override; (2) by writing your own custom application signature. Q) How are application false positives and application updates managed? An OEM relationship + well-known internal bureaucracy will hinder responses to application false positives and application updates. And what about evasive applications like UltraSurf that change every week? Palo Alto Networks understands these challenges and has a proven team and infrastructure in place to address them. Competitive data is generated from public information sources. 2
  • 3. Palo Alto Networks vs. Check Point Clarifying the differences between Palo Alto Networks next-generation firewall and Check Point’s Application Control Blade; a port-based firewall add-on. CP Fiction: Palo Alto Networks User-ID requires an agent on every desktop, Application Blade will run on any gateway. our user control is agentless. CP User control requires a significant client on the network for management The Application Blade may run on every gateway, but the performance impact Fact: (SmartCenter) with ties directly into AD. Check Point UserCheck will require an will be significant and may require unplanned (and un-budgeted) platform agent on every desktop for “user involvement”. upgrades. Additional • Palo Alto Networks User-ID requires a single agent deployed on the • CP platforms are optimized for stateful inspection fast-path, a mechanism network, talking to Active Directory, Open LDAP, and eDirectory; as well as where, once traffic is classified it is untouched until it changes. supporting with Citrix, and Microsoft Terminal Servers. details: • CP platforms are NOT optimized for level classification for all traffic on all • User-ID does not rely on centralized management infrastructure. ports. • Palo Alto Networks “user involvement” is accomplished through flexible and • The impact of enabling all 50,000 signatures for all traffic, on all ports will customizable comfort (block) pages for all elements, applications, URLs, file result in IPS-level or worse performance. downloads and more. User involvement does not require an agent deployed Palo Alto Networks platforms utilize dedicated, high performance processing for to individual desktops. networking, security, threat prevention, and management to delivers multi-Gbs throughput of application level inspection across all ports, on all traffic. Q) Can Check Point see and control applications for LDAP, eDirectory, Citrix, Q) Think seriously about this question: what will happen to the performance Questions TSE users as well as Active Directory? of your existing gateway when you enable all 50,000 application signatures for all to ask: traffic? Now in its 4th iteration, Palo Alto Networks User-ID integrates with the widest range of directory services in the FW market. In addition, it also supports an XML Remember what happened when you enabled AI on Check Point? Or IPS on API for custom integration with other user repositories. some other FW platform? L7 inspection is processing intensive – Palo Alto Networks recognized that and built a platform to address the requirements. Our Q) Can Check Point present the user with comfort pages when something is performance is measured with App-ID (application inspection) enabled, on all blocked or violates policy – without requiring agent deployment? ports, for all traffic, for all 1,100+ App-IDs. Our performance is proven. Check Palo Alto Networks allows administrators to present the user with fully Point’s Application Blade is unproven. customizable block pages for all elements (applications, URLs, files, etc) without Q) Has the platform been built specifically to perform port-based classification or a desktop agent, to inform, warn or coach a user about policy violations. application-based classification? The Palo Alto Networks platform has been developed with the express purpose of identifying applications (L7) on all ports, for all traffic, all of the time. Q) What performance metrics do they have when application control is enabled on all traffic? The Palo Alto Networks performance metrics are based on application identification, not port-based classification. Competitive data is generated from public information sources. 3
  • 4. Palo Alto Networks vs. Check Point Clarifying the differences between Palo Alto Networks next-generation firewall and Check Point’s Application Control Blade; a port-based firewall add-on. CP Fiction: Palo Alto Networks is an unproven, niche’ vendor with limited Palo Alto Networks cannot support a large scale deployment. customers. Our experience, a rapidly growing customer base and recognition by Gartner Palo Alto Networks has a full line of support, education, and professional Fact: indicate Palo Alto Networks is more than a ‘niche” player. No other vendor has services delivered by a worldwide network of partners. Large scale references deployed more NGFWs as defined by Garner, than Palo Alto Networks. available on request. Additional • First customer ship in June of 2007; 2,500+ customers to date growing at Palo Alto Networks is already supporting many, many large scale deployments 25% Qtr-over-Qtr. with the following key elements. Supporting Details: • Palo Alto Networks is approaching the 4th major release and the 9th feature • Support: In-seat level 3 engineers 24/7 in the US, EMEA and APAC; 1,000s release of PAN-OS. of trained (ACE) SEs - partner and Palo Alto Networks – around the world. • Every customer is using the application visibility and control in our NGFW – • Education: Basic and advanced accreditation training (ACE) delivered by a it is the core of what Palo Alto Networks does. worldwide network of partners. • Recognized as “disruptive” and a “visionary” vendor by Gartner in most • Services: Design and planning best practices based on thousands of recent Enterprise FW Magic Quadrant. deployments, and automated policy migration tools for Check Point, Juniper and Cisco – all delivered by Palo Alto Networks and a worldwide network of • Cash flow positive the last 2 consecutive quarters; on a $100 M annual partners. sales run rate (WSJ, 10/29/2010). Q) How long have they been shipping their Application Blade? Q) How many customers do they have using application control? Questions to ask: Check Point has had zero releases! WHY WAIT? Palo Alto Networks has more than 2,500; growing on average at 25% Qtr-over- Qtr. Many are WW deployments with many, many devices. Q) How many customers do they have using application control? Q) How many application control references do they have? Palo Alto Networks has more than 2,500; growing on average at 25% QoQ. Why Wait? EVERY customer using our solution uses App-ID, our traffic classification to identify and control the applications on the network. Q) How many application control references do they have? Q) How many CP FW add-ons have you bought, and implemented, only to be EVERY customer using our firewall uses App-ID, our traffic classification disappointed in their functionality, performance or stability? mechanism. It is the core of our firewall, just as port-based classification is the core of Check Point’s FW. Palo Alto Networks has many references you can speak with regarding any functionality, performance, reliability, or support concerns you may have. Q) How confident are you that Check Point will execute successfully? The Check Point track record for FW add-ons has been poor (AI, SmartDefense, IPS, SSL VPN). Q) How many CP FW add-ons have you bought, and implemented, only to be disappointed in the functions, performance or stability? Palo Alto Networks has many references you can speak with regarding any functionality, performance, reliability, or support concerns you may have. Competitive data is generated from public information sources. 4