Introduction

Perimeter security solutions seem to fall into one of two camps: either a firewall with various point solutions or a Unified Threat Management (UTM) device. Both of these infrastructures have their own problems. The first requires multiple layers of technology and multiple systems to administer and manage, whilst the second often struggles to retain the desired performance and throughput the moment you enable the extra features. Well, it seems there's now a third option: Palo Alto have released their Next Generation Firewall.

Palo Alto Networks was founded in 2005 by Nir Zuk with a mission to 're-invent the firewall'. They aim to provide visibility and control of all applications and content, by user and not just by IP address, at high speed with no performance degradation.

Palo Alto Networks are able to start providing increased visibility and control through the use of three technologies: App-ID, User-ID and Content-ID. These technologies allow Palo Alto Networks users to configure their firewalls in line with business-relevant elements such as applications, users and content rather than ports and protocols, which don't necessarily represent or permit what they're supposed to. These technologies are described briefly below.

App-ID

Traditional firewalls rely on the convention that a given port corresponds to a given service (e.g. TCP port 80 corresponds to HTTP); however, this isn't always the case. As such, they are often incapable of distinguishing between different applications that use the same port/service. App-ID can identify more than 900 applications across five categories and 25 sub-categories, and allows security policies to be configured based upon application rather than just a port/service.

User-ID

Palo Alto Networks can integrate with an Active Directory infrastructure and then manage and enforce security policies based upon user and/or Active Directory group. Users are no longer defined solely by their IP addresses.

Content-ID

As its name suggests, Content-ID can scan network traffic for a broad range of threats (including vulnerability exploits, viruses and spyware) as well as controlling file transfers (by file type) and scanning for other content such as credit card numbers. There is also an on-board URL database for categorised web filtering.

This means that these devices will be doing quite a lot of work compared to a standard firewall, so it begs the obvious question: "How is it any different from a normal UTM device?" The simple answer to this is their Single-Pass Parallel Processing (SP3) architecture. Whereas normal UTM firewalls will pass packets through multiple policies in series, one after another, Palo Alto Networks' SP3 is able to pass the packet through all of its processes in parallel, using a single engine. This means the performance decrease normally associated with running multiple functions on a firewall isn't anywhere near as significant with Palo Alto Networks. Typically, even with all policies and profiles turned on, impressive throughput speeds can still be achieved.

This document sets out to discuss some of the features of the Palo Alto Networks solutions, supplemented by some of our thoughts.
Product Range

There are six different models of appliance, split into three different categories:

• The PA-4000 Series, available in three models. Suitable for large enterprise networks, with maximum throughput of up to 10Gbps.
• The PA-2000 Series, available in two models. Suitable for the branch offices of large enterprises and for mid-sized organisations.
• The PA-500, ideal for mid-sized businesses and branch office environments.

The diagram below shows the different models and their performance speeds. You can see that even with all of the threat prevention protections turned on, users can still expect to achieve high performance (up to 5Gbps).

Deployment/Infrastructure

Networking Options

Palo Alto Networks' solution offers a flexible range of deployment options, including an out-of-band 'visibility-only' mode, transparent in-line operation and a fully active in-line firewall configuration. It also supports dynamic routing (OSPF, RIPv2), 802.1Q VLANs and trunked ports. It utilises a concept of security zones which will be familiar to any Juniper/NetScreen users.

The visibility-only mode is particularly interesting as it allows users to become familiar with the product and the visibility it provides without disrupting an existing network infrastructure.

The box ships with vWire (Palo Alto's Layer 2 mode) already configured, with eth1 and eth2 as vWire interface types in the untrust and trust zones. This again allows for Layer 2 deployment in an existing network without causing disruption to existing infrastructure. This may be of particular interest to anyone looking to implement firewalling around a network segment without having to change IP addresses, for example protecting card payment networks as part of a PCI project. Whilst other firewall solutions can operate at L2, many of them cannot fully integrate L2, high availability and IDP functionality.

One point to note, though, is that vWire is the only mode today in which multicast is supported. Palo Alto cannot route multicast and doesn't have any PIM sparse/dense mode support (PIM sparse mode is on the roadmap, though).

High Availability

Palo Alto Networks solutions offer an active/passive high availability option; there is no active/active load-sharing option available. Two ports per appliance are dedicated to implementing HA: one is used for synchronising session information and the other for configuration synchronisation. The configuration is set on one of the devices and is then synchronised to the HA partner, so the policy only needs to be defined once. The systems issue a virtual MAC and IP address in a similar way to VRRP.

Licensing

Palo Alto offers a large range of functionality (including firewall, SSL VPN, QoS, antivirus, anti-spyware, vulnerability protection, URL filtering, file blocking and data filtering) but thankfully the licensing model appears relatively straightforward. The only components that require licensing are the threat and URL filtering components (each licensed at 20% of the cost of the box per annum), virtual systems and the implementation of centralised management. All other functionality is available as part of the purchased solution.

Management

Palo Alto's centralised management system is called Panorama. Only available as a VM appliance, Panorama looks and feels very similar (almost identical, in fact) to the GUI used for administering standalone systems. It can reference up to 2TB of log data and manage up to 25 systems, and is licensed according to how many systems it is managing.

One can configure almost all the required configuration for a gateway from Panorama, although strangely it appears that this isn't the case for NAT; this needs to be done on the gateway itself.

Usability

User Interface

The systems are administered either from the CLI or a browser-based UI (widget based, using AJAX). The administration is broken down into seven tabs (Dashboard, ACC, Monitor, Policies, Objects, Network and Device) and feels pretty slick to navigate; it is pretty intuitive and it is easy to work out where to find what you are looking for. The Dashboard tab gives an overview of the system status and presents some useful information such as the status of the device interfaces, the top applications being seen, system network settings, etc.

The appliances have full role-based user management configurability, with profiles that can be set up to control CLI and GUI roles. Access on the GUI can be granularly controlled to enable, disable or permit read-only access to the different areas of the GUI.

Policy Building

The operation of the firewall is controlled by several types of policies and profiles. The policies include:

• Security policies to block or allow a network session based on the application, the source and destination zones and addresses, and optionally the service (port and protocol). Zones identify the physical or logical interfaces that send or receive the traffic.
• Network Address Translation (NAT) policies to translate addresses and ports, as needed.
• SSL Decryption policies to specify the SSL traffic to be decrypted so that security policies can be applied. Each policy can specify the categories of URLs for the traffic you want to decrypt.

Security policies can be built in the usual manner with a graphical interface listing all rules. Rules are created at the bottom of the rulebase and then have to be relocated to the relevant location in the rulebase. This is most easily done using an insert before/after option, but cut and paste cannot be used.
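To make the difference between an application-based and a port-based rulebase concrete, here is an added toy model (it is not Palo Alto Networks code and says nothing about how PAN-OS is built internally). It uses the rule fields described in this section, first-match evaluation and an implicit deny; the App-ID result is simply taken as given in the session, and the APP_DEFAULT_PORTS table and the user/group strings are constructed for the illustration.

```python
"""Toy, application-aware rulebase (added example; not Palo Alto Networks code).

It models the rule fields described on this page: zones, source address,
source user, application, service and action, with first-match evaluation
and an implicit deny. The App-ID result is taken as given (the `app` field
of the session); the APP_DEFAULT_PORTS table and the user/group strings are
constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed table: the port(s) each application is expected to use when a
# rule's service is set to "application-default".
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "ssh": {("tcp", 22)},
    "dns": {("udp", 53)},
}


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    user: Optional[str]   # as resolved by User-ID; group membership simplified to one string
    app: str              # what App-ID identified the traffic as
    proto: str
    dst_port: int


@dataclass
class Rule:
    name: str
    src_zone: str = "any"
    dst_zone: str = "any"
    src_addr: str = "any"
    src_user: str = "any"
    application: str = "any"
    service: str = "any"  # "any", "application-default" or an explicit "tcp/8080"
    action: str = "deny"

    def matches(self, s: Session) -> bool:
        def ok(wanted, actual):
            return wanted == "any" or wanted == actual

        if not (ok(self.src_zone, s.src_zone) and ok(self.dst_zone, s.dst_zone)
                and ok(self.src_addr, s.src_ip) and ok(self.src_user, s.user)
                and ok(self.application, s.app)):
            return False
        if self.service == "any":
            return True
        if self.service == "application-default":
            # The app must be on its expected port; ssh tunnelled over tcp/80 fails here.
            return (s.proto, s.dst_port) in APP_DEFAULT_PORTS.get(s.app, set())
        proto, port = self.service.split("/")
        return s.proto == proto and s.dst_port == int(port)


def evaluate(rulebase, s: Session) -> Tuple[str, str]:
    """Top-down first match; anything unmatched hits the implicit deny."""
    for rule in rulebase:
        if rule.matches(s):
            return rule.name, rule.action
    return "implicit-deny", "deny"


def port_based(s: Session, allowed=frozenset({("tcp", 80), ("tcp", 443)})) -> str:
    """What a traditional port-based rule 'allow tcp/80,443 outbound' would do."""
    return "allow" if (s.proto, s.dst_port) in allowed else "deny"


RULEBASE = [
    Rule("allow-browsing", src_zone="trust", dst_zone="untrust",
         application="web-browsing", service="application-default", action="allow"),
    Rule("admins-ssh", src_zone="trust", dst_zone="untrust", src_user="CORP\\admins",
         application="ssh", service="application-default", action="allow"),
]

if __name__ == "__main__":
    browsing = Session("trust", "untrust", "10.0.0.5", "CORP\\alice", "web-browsing", "tcp", 80)
    ssh_on_80 = Session("trust", "untrust", "10.0.0.5", "CORP\\alice", "ssh", "tcp", 80)
    for s in (browsing, ssh_on_80):
        print(s.app, s.dst_port, "app-aware:", evaluate(RULEBASE, s), "port-based:", port_based(s))
```

The session that matters is the SSH tunnel on tcp/80: the port-based rule waves it through as "web", whereas the application-aware rulebase falls to the implicit deny because App-ID reports ssh and no rule permits ssh for that user. The same mechanism also catches an admin's legitimate ssh if it runs on a non-default port, which is the behaviour you want from "application-default" but also the thing to check when a rule unexpectedly fails to match.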
Rules have the following fields which can be populated:

• Name
• Source Zone
• Destination Zone
• Source Address
• Source User
• Destination Address
• Application
• Service (can be set to Any, Application Default or User Defined)
• Action (can be set to Allow, Deny, Block or Alert)
• Profile (where you can define which Security Profiles are to be applied to the rule)
• Options (including logging options, scheduling, QoS marking, etc.)

For users familiar with Check Point policies, there are a few things that might be missed. For example, an object list for dragging and dropping objects into the policy is not available, rules cannot be grouped with headings and objects cannot be negated. Despite this, creating a rulebase is still a relatively straightforward exercise.

Logging/Reporting

Traditional firewall logging is of course available, but it is split into four different logs: Traffic, Threat, URL Filtering and Data Filtering. Unfortunately, you cannot look at all of these logs in a single view. Whilst all the information a security administrator will expect is available, the log viewers aren't quite as mature as Check Point veterans will be used to. For example, logs aren't colour coded differently for allowed or denied packets, and columns cannot be dragged and dropped to different locations. However, filters can be applied fairly easily using a filter expression tool which offers the expected options, including logical operators.

Where the product really does provide some impressive visibility is through the reporting. It is here that you start to see all sorts of patterns and trends that your traditional firewall does not provide. Having such a range of functionality on one box allows the information collected to be combined and given real context. You can very quickly see which applications are consuming bandwidth, whether any applications have increased their connection usage significantly, which AD users are associated with the top talkers, and a whole range of custom reports. There are also some really useful summary reports that could be used to give a regular snapshot of an infrastructure's security status. Reports can be scheduled and emailed to appropriate users.

Regarding log management, there are a few things worth noting. Firstly, the logs roll over at timed intervals; they can be forwarded off box to Panorama and (typically) a syslog server, but it doesn't appear possible to re-import logs back into the GUI for analysis. So if you need logs beyond the roll-over window, for an investigation or for PCI evidence, forwarding has to be in place before the event. Palo Alto Networks work with Sawmill for off-box reporting, although I expect other SIEM solutions could be used for a similar purpose.

Functionality

The Application Command Center (ACC)

The ACC tab provides details about the application, URL filtering, threat prevention and data filtering visibility and controls from the device. It gives at-a-glance visibility of the types of connections that the device can see. What is really nice is that most of the items listed on this tab can be clicked on for further contextualised detail. For example, clicking on the top URL category takes you to a screen that lists the applications in which that category has been seen, as well as the top sources, destinations and users for that particular category. Clicking on an application from the ACC lists provides detail but also provides security information relating to that application: for example, can it be used for file transfer? Is it prone to misuse? Does it have known vulnerabilities?
Palo Alto Networks can currently identify in excess of 900 applications and release support for new applications at a rate of approximately five applications per week. For those applications it doesn't recognise, it is possible for users to write their own identifiers (although this is currently only available for HTTP applications).

NAT

NAT is configured from a separate section under the Policies tab and is relatively straightforward to configure. It is configured in a similar way to the security policy, using rules. The fields include:

• Source Zone
• Destination Zone
• Source Address (for original and translated packets)
• Destination Address (for original and translated packets)
• Service

Proxy ARPs are automatically created when NATs are configured.

QoS

Palo Alto supports QoS settings for traffic upon egress from the firewall. QoS profiles are attached to physical interfaces to specify how traffic classes map to bandwidth (guaranteed, maximum) and priority. This is particularly nice when these profiles are associated with applications in the security policy.

VPNs

All of Palo Alto Networks' platforms support site-to-site IPSec VPNs. There are working examples of site-to-site VPNs with most of the other major firewall vendors. One point worth noting is that certificate-based VPNs are not currently supported, so site-to-site tunnels are pre-shared-key only. Palo Alto Networks do not provide any client-to-site IPSec VPN connectivity and are unlikely to ever include this functionality.

The platforms also function as SSL VPN endpoints. SSL VPNs are available for XP and Vista clients only (Mac clients are not currently supported). Users can authenticate either to a local user database or via a RADIUS authentication profile. There is no host checking available at present, which may limit its use as a corporate solution, but the SSL VPN tool is an integrated part of the Palo Alto Networks solution: there is no additional license or cost.

Security Profiles

Each security policy can specify one or more security and logging profiles. Security profiles defend the network against viruses, spyware and other known threats. The profiles include:

• Antivirus profiles to protect against worms and viruses.
• Anti-spyware profiles to block spyware downloads and attempts by spyware to access the network.
• Vulnerability protection profiles to stop attempts to exploit system flaws or gain unauthorised access to systems.
• URL filtering profiles to restrict access to specific web sites and web site categories.
• File blocking profiles to block selected file types.
• Data filtering profiles that help prevent sensitive information such as credit card or social security numbers from leaving the area protected by the firewall.

Antivirus

Antivirus profiles can be created and applied to different rules within a security policy. There are specific decoders for FTP, HTTP, IMAP, POP3, SMB and SMTP, and within a security profile different actions (allow, alert or block) can be applied per decoder. There isn't any option to quarantine or clean identified infections.

The antivirus engine is Palo Alto Networks' own; they write their own signatures (they currently have circa 4 million) and third-party scanning engines cannot be used. Palo Alto Networks use stream-based as opposed to file-based antivirus scanning. The main advantage of this approach is the ability to maintain high throughput. The disadvantage is that they can only block files down to two levels of decompression. Beyond this, alerts can be issued, though a virus-infected file would be allowed through, and an attacker can of course nest archives more deeply than that on purpose.

The appliances currently receive AV updates weekly, although this frequency will be increasing to daily in Q1 2010.

Anti-Spyware

The anti-spyware profile can be configured using the same decoders and actions as the antivirus security profile. Different actions can be applied for adware and spyware within the same profile. There is also a separate tab within the configuration of the profile that allows Phone Home Protection settings to be applied to stop any known applications or software phoning home. One really nice touch here is that the Phone Home Protection settings can be configured using either a simple option or a granular, custom rule type. Exceptions can also be set up within a profile if required.
Vulnerability Protection

The vulnerability protection profile can also be configured using either a simple or a custom rule type. The simple rule type allows the standard action options to be applied depending on the criticality of the vulnerability, and can be set on either the client or the server. The custom rule option allows more granular actions to be applied per CVE. The additional actions include options such as drop-all-packets, reset-client, reset-server and reset-both.

URL Filtering

Palo Alto Networks have OEM'd the BrightCloud database (also recently selected by Microsoft) for their URL filtering profile. They have circa 20 million URLs on the box and around 80 predefined categories, ranging from hunting-and-fishing to open-http-proxies. Palo Alto Networks can cache URLs on box but also have a Dynamic URL Filtering option which, if checked, dynamically checks unknown URLs against a cloud-based server (similar to technologies such as Blue Coat WebPulse and Cisco IronPort Web Usage Controls).

There are various actions that can be issued per category; these are given below:

• Allow: allows the request, but does not log it
• Block: blocks the request
• Continue: displays a warning page and allows the user to continue
• Override: the user can enter a one-time password to go through
• Alert: allows the request and generates a log entry

Note that Allow leaves no record at all, so if you want visibility of permitted browsing for a category, use Alert rather than Allow.

One slight gripe is that you're not able to create your own custom categories. We understand that Palo Alto are looking to introduce this functionality early in 2010 but, in the meantime, there is an option to create a whitelist and blacklist per profile, so we can see this as being able to address most of our customers' URL filtering requirements.

Some other points worth noting are that the URL filtering is licensed per box and not per seat, as it is with many web filtering vendors. By creating the necessary rule in the security policy you can implement time-based scheduling, for example allowing a particular user (or group) to visit a particular URL category (e.g. Games) between certain hours. You cannot, however, issue a time-based quota, i.e. allow User A to visit Facebook for one hour per day.

File Blocking

The File Blocking profile allows file blocking rules to be created within a single profile which can then be associated with rules within the security policy. Rules can be configured to look for nearly all common file types (truly identifying the file type from its content rather than just looking at the extension) within all known applications. The direction of the file transfer can also be specified (upload or download) and the rule can be configured either to block the defined file transfer or to generate an alert.
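The distinction between identifying a file by its content and trusting its extension is the whole value of this profile, so here is an added example of what a content-based check looks like (our illustration, not Palo Alto Networks code, and not a description of their decoders). The signatures it knows, the rules and the sample files are all constructed for the example; it identifies a PE executable from its MZ/PE headers, a PDF from its marker and an Office document from the entries inside the ZIP container, then applies a direction-aware block or alert.

```python
"""Content-based file type identification for a file blocking rule.

Added example; not Palo Alto Networks code. The type is taken from the
bytes (PE header, PDF marker, ZIP container and the OOXML entries inside
it), not from the filename extension, and the block/alert decision also
depends on transfer direction. Signatures, rules and sample files are
constructed for the illustration.
"""
import io
import struct
import zipfile


def identify(data: bytes) -> str:
    """Label a file from its content."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
            if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return "pe"
        return "dos-exe"
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:4] == b"PK\x03\x04":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if "[Content_Types].xml" in names:       # Office Open XML container
            if any(n.startswith("word/") for n in names):
                return "docx"
            if any(n.startswith("xl/") for n in names):
                return "xlsx"
            return "ooxml"
        return "zip"
    return "unknown"


# Extensions that legitimately carry each identified type (constructed table)
EXPECTED_EXT = {"pe": {"exe", "dll", "sys"}, "dos-exe": {"exe", "com"}, "pdf": {"pdf"},
                "docx": {"docx"}, "xlsx": {"xlsx"}, "zip": {"zip"}}

# Constructed file blocking rules: (file types, direction, action)
FILE_RULES = [
    ({"pe", "dos-exe"}, "download", "block"),
    ({"zip", "docx", "xlsx", "ooxml"}, "upload", "alert"),
]


def extension_mismatch(filename: str, ftype: str) -> bool:
    """True when the claimed extension does not fit the identified type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ftype in EXPECTED_EXT and ext not in EXPECTED_EXT[ftype]


def apply_file_blocking(filename: str, data: bytes, direction: str, rules=FILE_RULES):
    """Return (identified type, action, extension_mismatch) for one transfer."""
    ftype = identify(data)
    mismatch = extension_mismatch(filename, ftype)
    for types, rule_dir, action in rules:
        if ftype in types and rule_dir in ("both", direction):
            return ftype, action, mismatch
    return ftype, "allow", mismatch


def make_pe() -> bytes:
    """Constructed sample: MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


def make_docx() -> bytes:
    """Constructed sample: minimal OOXML container with a Word part."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return out.getvalue()


if __name__ == "__main__":
    # An executable dressed up as "invoice.pdf" is still blocked on download.
    print(apply_file_blocking("invoice.pdf", make_pe(), "download"))
    print(apply_file_blocking("report.docx", make_docx(), "upload"))
```

The renamed executable is the case worth keeping in mind: an extension-based filter never sees it, while the content check both blocks it and flags the mismatch, which is a useful signal in its own right even when the rule's action is only alert.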
Data Filtering

The Data Filtering profile allows pattern matches to be identified within data and then weighted. Once certain weight thresholds have been hit, data can be blocked or alerts can be issued. Patterns are defined and identified using regular expressions, and patterns can be configured to look at specific applications and/or file types and in either direction (upload or download) or both. As with any regex-based detection, the false-positive rate depends on how tight the patterns are and how the weights and thresholds are set.
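To show how weighted patterns and thresholds combine, here is an added example of a data filter in the style described above (our illustration, not Palo Alto Networks code, and not their pattern set). The regular expressions, weights, thresholds, application list and sample payloads are constructed; the Luhn check is the standard one and is added so that a random sixteen-digit string does not count as a card number.

```python
"""Weighted-pattern data filter (added example; not Palo Alto Networks code).

Each pattern has a weight; a payload is allowed, alerted on or blocked once
the summed weight of validated matches crosses the rule's thresholds, and the
rule only applies to the listed applications and transfer direction.
Patterns, weights, thresholds and payloads are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; filters out digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Pattern:
    name: str
    regex: "re.Pattern"
    weight: int
    validate: Optional[Callable[[str], bool]] = None  # rejects false positives


PATTERNS = [
    Pattern("credit-card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), 5,
            lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    Pattern("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 3),
    Pattern("internal-marker", re.compile(r"CONFIDENTIAL", re.IGNORECASE), 2),
]


@dataclass
class DataFilterRule:
    applications: Set[str]   # or {"any"}
    direction: str           # "upload", "download" or "both"
    alert_threshold: int
    block_threshold: int


def score(payload: str, patterns=PATTERNS) -> Tuple[int, Dict[str, int]]:
    """Sum weight * validated match count over all patterns."""
    total, hits = 0, {}
    for p in patterns:
        count = sum(1 for m in p.regex.finditer(payload)
                    if p.validate is None or p.validate(m.group(0)))
        if count:
            hits[p.name] = count
            total += count * p.weight
    return total, hits


def apply_rule(rule: DataFilterRule, app: str, direction: str, payload: str):
    """Return (action, total weight, per-pattern hit counts)."""
    if app not in rule.applications and "any" not in rule.applications:
        return "allow", 0, {}
    if rule.direction not in ("both", direction):
        return "allow", 0, {}
    total, hits = score(payload)
    if total >= rule.block_threshold:
        return "block", total, hits
    if total >= rule.alert_threshold:
        return "alert", total, hits
    return "allow", total, hits


# Constructed rule: outbound mail and web uploads, alert at 5, block at 10
OUTBOUND_PII = DataFilterRule({"smtp", "web-browsing"}, "upload", 5, 10)

# Constructed payloads (4111... and 5500... are well-known test card numbers)
TWO_CARDS_AND_SSN = "cards 4111 1111 1111 1111 and 5500 0000 0000 0004, ssn 123-45-6789"
MARKER_BAD_CARD = "CONFIDENTIAL draft; sample card 4111 1111 1111 1112"
ONE_CARD = "please bill 4111 1111 1111 1111"

if __name__ == "__main__":
    for text in (TWO_CARDS_AND_SSN, MARKER_BAD_CARD, ONE_CARD):
        print(apply_rule(OUTBOUND_PII, "smtp", "upload", text))
```

Two things the example makes visible: a single card number only reaches the alert threshold while a small batch with an SSN is blocked, which is the intended effect of weighting; and the payload containing a sixteen-digit number that fails the Luhn check scores only the marker's weight, so it passes, whereas a naive regex would have counted it.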
Summary

We agree with Palo Alto Networks' idea that a change of attitude is needed when it comes to our firewalls. Implementing rules based on IP addresses and ports doesn't really offer the protection that many people think, and often leads to security policies that grow beyond control relatively quickly. The ability to create policies based upon users, applications and content seems to make sense; these are the things that the business understands. When security and the business are speaking the same language, that surely has to be a good thing. If we can also do this at high speed on a single platform, then all the better.

Some people, of course, are going to want to retain best-of-breed solutions for performing the various different functions of perimeter security, for example Blue Coat for URL filtering, Sourcefire for IDP functionality and an SSL VPN from the likes of Juniper or F5. These solutions are specialists in their areas and have functionality above and beyond that which Palo Alto Networks can provide. For many, the additional functionality that a specialist solution can provide over and above the Palo Alto Networks offering may simply not be relevant. There are also other factors to consider around the benefits that having these functions on one platform offers: a single platform to administer, and a single layer of technology means a simpler network infrastructure. There is also the fact that Palo Alto can take the information gathered and give it context; for example, it could take information from its URL filtering policy and then report upon it with context to users, applications and other content.

There are definitely some areas for improvement in the product (which will inevitably come with future version releases) but the visibility that Palo Alto Networks solutions can provide is impressive. Whilst we may not necessarily be seeing enterprise customers yet using Palo Alto Networks firewalls as their externally facing firewalls on their main Internet connections, it is ideal for branch networks and for securing networks such as those hosting credit card information. As future versions of the product are released and confidence in the product grows, we may well see it deployed on enterprise gateways.