Palo Alto Networks Technology Review

 Nebulas Solutions Group - 18/01/10

Contents

Introduction
   App-ID
   User-ID
   Content-ID
Product Range
Deployment/Infrastructure
   Networking Options
   High Availability
   Licensing
   Management
Usability
   User Interface
   Policy Building
   Logging/Reporting
Functionality
   The Application Command Center (ACC)
   NAT
   QoS
   VPNs
Security Profiles
   Antivirus
   Anti-Spyware
   Vulnerability Protection
   URL Filtering
   File Blocking
   Data Filtering
Summary

Introduction

Perimeter security solutions seem to fall into one of two camps: either a firewall with
various point solutions, or a Unified Threat Management (UTM) device. Both of these
approaches have their own problems. The first requires multiple layers of technology and
multiple systems to administer and manage, whilst the second often struggles to retain the
desired performance and throughput the moment you enable the extra features. Well, it
seems there is now a third option: Palo Alto Networks have released their 'Next Generation
Firewall'.

Palo Alto Networks was founded in 2005 by Nir Zuk with a mission to 're-invent the
firewall’. They aim to provide visibility and control of all applications and content – by user,
not just IP Address - at high speed with no performance degradation.

Palo Alto Networks are able to start providing increased visibility and control through the
use of three technologies: App-ID, User-ID, and Content-ID. These technologies allow Palo
Alto Networks users to configure their firewalls in line with business relevant elements such
as applications, users and content rather than ports and protocols that don't necessarily
represent or permit what they're supposed to. These technologies are described briefly
below:

App-ID

Traditional firewalls rely on the convention that a given port corresponds to a given service
(e.g. TCP port 80 corresponds to HTTP); however, this isn't always the case. As such, they
are often incapable of distinguishing between different applications that use the same
port/service. App-ID can identify more than 900 applications across five categories and 25
sub-categories, and allows security policies to be configured based upon the application
rather than just a port/service.

User-ID

Palo Alto Networks can integrate with an Active Directory infrastructure and then manage
and enforce security policies based upon user and/or Active Directory Group. Users are no
longer defined solely by their IP addresses.

Content-ID

As its name suggests, Content-ID can scan network traffic for a broad range of threats
(including vulnerability exploits, viruses, and spyware) as well as controlling file transfers (by
file type) and scanning for other content such as credit card numbers. There is also an
onboard URL database for categorized web filtering.

This means that these devices will be doing quite a lot of work compared to a standard
firewall, so it raises the obvious question: "How is it any different from a normal UTM
device?". The simple answer is their Single-Pass Parallel Processing (SP3) architecture.
Whereas normal UTM firewalls pass packets through multiple engines in series, one after
another, Palo Alto Networks' SP3 passes each packet through all of its functions in parallel,
using a single engine. This means the performance decrease normally associated with
running multiple functions on a firewall isn't anywhere near as significant with Palo Alto
Networks. Typically, even with all policies and profiles turned on, impressive throughput
speeds can still be achieved.




This document sets out to discuss some of the features of the Palo Alto Networks solutions
supplemented by some of our thoughts.

Product Range

There are six different models of appliance, split into three categories:

•   The PA-4000 Series - available in three models. Suitable for large enterprise networks,
    with maximum throughput of up to 10Gbps.
•   The PA-2000 Series - available in two models. Suitable for the branch offices of large
    enterprises and for mid-sized organizations.
•   The PA-500 - ideal for mid-sized businesses and branch office environments.

The vendor's model/performance table (not reproduced here) shows the different models
and their performance figures. Even with all of the threat prevention protections turned on,
users can still expect to achieve high performance (up to 5Gbps).




Deployment/Infrastructure

Networking Options

Palo Alto Networks' solution offers a flexible range of deployment options including an
out-of-band 'visibility-only' mode, transparent in-line operation, and a fully active in-line
firewall configuration. It also supports dynamic routing (OSPF, RIPv2), 802.1Q VLANs and
trunked ports. It uses a concept of security 'zones' which will be familiar to any
Juniper/NetScreen users.

The visibility-only mode is particularly interesting as it allows users to become familiar with
the product, and the visibility it provides, without disrupting an existing network
infrastructure.

The box ships with vWire (Palo Alto's transparent Layer 2 mode) already configured, with
eth1 and eth2 as vWire interface types in the untrust and trust zones. This again allows for
Layer 2 deployment in an existing network without causing disruption to the existing
infrastructure. This may be of particular interest to anyone looking to implement firewalling
around a network segment without having to change IP addresses - for example, protecting
card payment networks as part of a PCI project. Whilst other firewall solutions can operate
at L2, many of them cannot fully integrate L2, high availability and IDP functionality.

One point to note, though, is that vWire is currently the only mode in which multicast is
supported. Palo Alto cannot route multicast and have no PIM Sparse/Dense mode support
(PIM Sparse mode is on the roadmap).

High Availability

Palo Alto Networks solutions offer an active/passive High Availability option; there is no
active/active load-sharing option available. Two ports per appliance are dedicated to HA:
one is used for synchronising session information and the other for configuration
synchronisation. The configuration is set on one of the devices and is then synchronised to
the HA partner, so the policy only needs to be defined once. The pair presents a virtual
MAC and IP address, in a similar way to VRRP.

Licensing

Palo Alto offers a large range of functionality (including Firewall, SSL VPN, QoS, Antivirus,
Anti-spyware, Vulnerability Protection, URL Filtering, File Blocking and Data Filtering) but
thankfully the licensing model appears relatively straightforward. The only components that
require licensing are the threat prevention and URL filtering subscriptions (each licensed at
20% of the cost of the box per annum), virtual systems and centralised management. All
other functionality is included with the purchased solution.

Management

Palo Alto's centralised management system is called Panorama. Only available as a VM
appliance, Panorama looks and feels very similar (almost identical, in fact) to the GUI used
for administering standalone systems. It can reference up to 2TB of log data, manage up to
25 systems, and is licensed according to how many systems it is managing.

Almost all of the configuration a gateway requires can be done from Panorama, although
strangely this does not appear to be the case for NAT, which needs to be configured on the
gateway itself.


Usability

User Interface

The systems are administered either from the CLI or from a browser-based UI (widget
based, using AJAX). The administration is broken down into seven tabs (Dashboard, ACC,
Monitor, Policies, Objects, Network and Device) and feels pretty slick to navigate: it is
intuitive and it is easy to work out where to find what you are looking for. The Dashboard
tab gives an overview of the system status and presents some useful information such as
the status of the device interfaces, the top applications being seen, system network
settings, etc.

The appliances have full role-based user management configurability with profiles that can be
setup to control CLI and GUI roles. Access on the GUI can be granularly controlled to
enable, disable or permit read-only access to the different areas of the GUI.

Policy Building

The operation of the firewall is controlled by several types of policies and profiles. The
policies include:

 • Security policies to block or allow a network session based on the application, the
   source and destination zones and addresses, and optionally the service (port and
   protocol). Zones identify the physical or logical interfaces that send or receive the
   traffic.
 • Network Address Translation (NAT) policies to translate addresses and ports, as
   needed.
 • SSL Decryption policies to specify the SSL traffic to be decrypted so that security
   policies can be applied. Each policy can specify the categories of URLs for the traffic
   you want to decrypt.

Security policies can be built in the usual manner, with a graphical interface listing all rules.
Rules are created at the bottom of the rulebase and then have to be relocated to the
relevant position. This is most easily done using an 'insert before/after' option; cut and
paste cannot be used. Rules have the following fields which can be populated:

 •   Name
 •   Source Zone
 •   Destination Zone
 •   Source Address
 •   Source User
 •   Destination Address
 •   Application
 •   Service (can be set to Any, Application Default, or User Defined)
 •   Action (can be set to Allow, Deny, Block or Alert)
 •   Profile (where you can define which Security Profiles are to be applied to the rule)
 •   Options (including logging options, scheduling, QoS Marking, etc)

For users familiar with Check Point policies, there are a few things that might be missed.
For example, there is no object list for dragging and dropping objects into the policy, rules
cannot be grouped under headings and objects cannot be negated. Despite this, creating a
rulebase is still a relatively straightforward exercise.
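The following is an added illustration in Python, not code from this review or from Palo Alto Networks: a first-match rulebase evaluator that contrasts a port-based rule with rules written against the decoded application, the user group and the 'Application Default' service described in the App-ID and policy-building sections above. The zones, group names, application names and the default-port table are all constructed for illustration.

```python
"""Added example, not Palo Alto Networks code: a minimal first-match rulebase
evaluator showing why matching on the decoded application (App-ID), the user
group (User-ID) and the 'Application Default' service differs from matching
on ports. Zones, groups, applications and default ports are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the ports each application normally uses; this plays
# the role of the 'Application Default' service option.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "dns": {("udp", 53)},
    "bittorrent": {("tcp", 6881), ("udp", 6881)},
}


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    user_group: Optional[str]  # None when User-ID has no mapping for the source
    app: str                   # the application App-ID decoded from the payload
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    src_zone: str = "any"
    dst_zone: str = "any"
    users: frozenset = frozenset({"any"})
    apps: frozenset = frozenset({"any"})
    # "application-default", "any", or an explicit set of (proto, port) pairs
    service: object = "application-default"
    action: str = "allow"

    def matches(self, s: Session) -> bool:
        if self.src_zone not in ("any", s.src_zone):
            return False
        if self.dst_zone not in ("any", s.dst_zone):
            return False
        if "any" not in self.users and s.user_group not in self.users:
            return False
        if "any" not in self.apps and s.app not in self.apps:
            return False
        if self.service == "application-default":
            # Only match when the decoded app is on one of its usual ports, so an
            # application tunnelled over a foreign port falls through to later rules.
            return (s.proto, s.dport) in APP_DEFAULT_PORTS.get(s.app, set())
        if self.service == "any":
            return True
        return (s.proto, s.dport) in self.service


def evaluate(rulebase, session):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rulebase:
        if rule.matches(session):
            return rule.name, rule.action
    return "implicit-deny", "deny"


# A port-based rulebase: 'allow HTTP' expressed as 'allow TCP/80'.
PORT_RULES = [
    Rule("allow-tcp-80", "trust", "untrust", service={("tcp", 80)}),
]

# An application-aware rulebase: staff may browse on default ports only; P2P is
# denied on any port; everything else falls to the implicit deny.
APP_RULES = [
    Rule("allow-web-staff", "trust", "untrust",
         users=frozenset({"staff"}), apps=frozenset({"web-browsing", "ssl"})),
    Rule("deny-p2p", "trust", "untrust",
         apps=frozenset({"bittorrent"}), service="any", action="deny"),
]


def compare(session):
    """Return {'port-based': (rule, action), 'app-based': (rule, action)}."""
    return {
        "port-based": evaluate(PORT_RULES, session),
        "app-based": evaluate(APP_RULES, session),
    }


if __name__ == "__main__":
    # A BitTorrent client talking to a peer on TCP/80 to look like web traffic
    print(compare(Session("trust", "untrust", "staff", "bittorrent", "tcp", 80)))
    # Genuine web browsing, but on a non-default port
    print(compare(Session("trust", "untrust", "staff", "web-browsing", "tcp", 8080)))
```

The two cases in the usage block are the ones the review is getting at: the port-based rulebase allows the BitTorrent session because it only sees TCP/80, while the application-aware rulebase denies it on the decoded application; and web browsing on port 8080 fails 'Application Default' and drops to the implicit deny, which is the behaviour to expect when a rule is left on that service setting.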

Logging/Reporting

'Traditional' firewall logging is of course available, but it is split into four different logs:
Traffic, Threat, URL Filtering and Data Filtering. Unfortunately, you cannot look at all of
these logs in a single view. Whilst all the information a security administrator will expect is
available, the log viewers aren't quite as mature as Check Point veterans will be used to. For
example, logs aren't colour-coded differently for allowed and denied packets, and columns
cannot be dragged and dropped to different positions. However, filters can be applied fairly
easily using a filter expression tool which offers the expected options, including logical
operators.

Where the product really does provide some impressive visibility is through the reporting. It
is here that you start to see all sorts of patterns and trends that your traditional firewall
does not show. Having such a range of functionality on one box allows the information
collected to be combined and given real context. You can very quickly see which
applications are consuming bandwidth, whether any applications have increased their
connection usage significantly, which AD users are associated with the top talkers, and a
whole range of custom reports. There are also some really useful summary reports that
could be used to give a regular snapshot of an infrastructure's security status. Reports can
be scheduled and emailed to appropriate users.

Regarding log management, there are a few things worth noting. Firstly, the logs roll over at
timed intervals; they can be forwarded off-box to Panorama and (typically) a syslog server,
but it doesn't appear possible to re-import logs back into the GUI for analysis. Palo Alto
Networks work with Sawmill for off-box reporting, although we expect other SIEM solutions
could be used for a similar purpose.

Functionality

The Application Command Center (ACC)

The ACC tab provides details about the Application, URL Filtering, Threat Prevention, and
Data Filtering visibility and controls from the device. It gives 'at a glance' visibility about the
types of connections that the device can see. What is really nice is that most of the items
listed on this tab can be clicked on for further contextualised detail. For example, clicking on
the top URL category takes you to a screen that lists the applications in which that category
has been seen as well as the top sources, destinations and users for that particular category.
Clicking on an application from the ACC lists provides detail but also provides security
information relating to that application - for example, can it be used for file transfer? Is it
prone to misuse? Does it have known vulnerabilities?

Palo Alto Networks can currently identify in excess of 900 applications and release support
for new applications at a rate of approximately 5 applications per week. For those
applications it doesn’t recognise, it is possible for users to write their own identifiers
(although this is currently only available for HTTP applications).

NAT

NAT is configured from a separate section under the 'Policies' tab and is relatively
straightforward to configure. It is configured in a similar way to the security policy, using
rules. The fields include:

 •    Source Zone
 •    Destination Zone
 •    Source Address (for original and translated packets)
 •    Destination Address (for original and translated packets)
 •    Service

Proxy ARPs are automatically created when NATs are configured.

QoS

Palo Alto supports QoS settings for traffic upon egress from the firewall. QoS profiles are
attached to physical interfaces to specify how traffic classes map to bandwidth (guaranteed,
maximum) and priority. This is particularly nice when these profiles are associated with
applications in the security policy.

VPNs

All of Palo Alto Networks' platforms support site-to-site IPSec VPNs, and there are working
examples of site-to-site VPNs with most of the other major firewall vendors. One point
worth noting is that certificate-based VPNs are not currently supported. Palo Alto
Networks do not provide any client-to-site IPSec VPN connectivity and are unlikely to ever
include this functionality.

The platforms also function as SSL VPN endpoints. SSL VPN clients are available for
Windows XP and Vista only (Mac clients are not currently supported). Users can
authenticate against either a local user database or a RADIUS authentication profile. There
is no host checking available at present, which may limit its use as a corporate solution, but
the SSL VPN is an integrated part of the Palo Alto Networks solution - there is no additional
licence or cost.


Security Profiles

Each security policy can specify one or more security and logging profiles. Security profiles
defend the network against viruses, spyware, and other known threats. The profiles include:

   •   Antivirus profiles to protect against worms and viruses.
   •   Anti-spyware profiles to block spyware downloads and attempts by spyware to
       access the network.
   •   Vulnerability protection profiles to stop attempts to exploit system flaws or gain
       unauthorized access to systems.
   •   URL filtering profiles to restrict access to specific web sites and web site categories.
   •   File blocking profiles to block selected file types.
   •   Data filtering profiles that help prevent sensitive information such as credit card or
       social security numbers from leaving the area protected by the firewall.

Antivirus

Antivirus profiles can be created and applied to different rules within a security policy.
There are specific decoders for FTP, HTTP, IMAP, POP3, SMB and SMTP, and within a
profile different actions (allow, alert or block) can be applied per decoder. There is no
option to quarantine or clean identified infections.

The antivirus engine is Palo Alto Networks' own and they write their own signatures (they
currently have circa 4 million); third-party scanning engines cannot be used. Palo Alto
Networks use stream-based rather than file-based antivirus scanning. The main advantage
of this approach is the ability to maintain high throughput. The disadvantage is that they can
only scan files down to two levels of decompression. Beyond this, an alert can be issued,
but a virus-infected file would be allowed through.

The appliances currently receive AV updates weekly, although this frequency will be
increasing to daily in Q1 2010.

Anti-Spyware

The Anti-spyware profile can be configured using the same decoders and actions as the
antivirus security profile. Different actions can be applied for Adware and Spyware within
the same profile. There is also a separate tab within the configuration of the profile that
allows for 'Phone Home Protection' settings to be applied to stop any known applications or
software phoning home. One really nice touch here is that the 'Phone Home Protection'
settings can either be configured using a simple option or a granular, custom rule type.
Exceptions can also be set up within a profile if required.

Vulnerability Protection

The Vulnerability Protection profile can also be configured using either a simple or custom
rule type. The simple rule type allows for the standard action options to be applied
depending on the criticality of the vulnerability and can be set on either the client or the
server. The custom rule option allows for more granular actions to be applied per CVE. The
additional actions include options such as drop-all-packets, reset-client, reset-server, and
reset-both.

URL filtering

Palo Alto Networks have OEM'd the BrightCloud database (also recently selected by
Microsoft) for their URL filtering profile. They have circa 20 million URLs on the box and
around 80 predefined categories, ranging from 'hunting-and-fishing' to 'open-http-proxies'.
Palo Alto Networks can cache URLs on box but also have a 'Dynamic URL Filtering' option
which, if checked, dynamically checks unknown URLs against a cloud-based server (similar
to technologies such as Blue Coat WebPulse and Cisco IronPort Web Usage Controls).

There are various actions that can be set per category; these are given below:

 •   Allow - allows the request; note that allow does not log
 •   Block - blocks the request
 •   Continue - displays a warning page and allows the user to continue
 •   Override - the user must supply an override password to go through
 •   Alert - allows the request and generates a log entry

One slight gripe is that you're not able to create your own custom categories. We
understand that Palo Alto are looking to introduce this functionality early in 2010, but in the
mean time, there is an option to create a white list and black list per profile so we can see
this as being able to address most of our customers' URL filtering requirements.

Some other points worth noting are that URL filtering is licensed per box and not per seat,
as it is with many web filtering vendors. By creating the necessary rule in the security policy
you can implement time-based scheduling, for example allowing a particular user (or group)
to visit a particular URL category (e.g. Games) between certain hours. You cannot, however,
issue a time-based quota, i.e. allow User A to visit Facebook for one hour per day.
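The following is an added illustration in Python, not code from this review or from Palo Alto Networks: how a per-category action, the per-profile block and allow lists, and a scheduled security rule combine into one verdict for a URL, including which verdicts write a URL log entry. The category database, the list entries, the precedence order (block list, then allow list, then category) and the lunchtime schedule are all constructed assumptions for the example.

```python
"""Added example, not Palo Alto Networks code: how a per-category action, the
per-profile block and allow lists, and a time-based security rule combine into
one verdict for a URL. The category database, lists, precedence order and
schedule are all constructed for illustration."""
from urllib.parse import urlsplit

# Constructed stand-in for the on-box category database (hostname -> category)
CATEGORY_DB = {
    "games.example.test": "games",
    "proxy.example.test": "open-http-proxies",
    "intranet.corp.test": "business",
}

# One action per category, using the actions listed above. 'unknown' is the
# constructed category for hosts the database has no entry for.
CATEGORY_ACTIONS = {
    "games": "continue",
    "open-http-proxies": "block",
    "business": "allow",
    "unknown": "alert",
}

# Per-profile lists; '*.domain' covers the domain and all of its subdomains.
BLOCK_LIST = ("proxy.example.test", "*.malware.example.test")
ALLOW_LIST = ("intranet.corp.test", "*.corp.test")


def host_in_list(host, patterns):
    for pat in patterns:
        if pat.startswith("*."):
            base = pat[2:]
            if host == base or host.endswith("." + base):
                return True
        elif host == pat:
            return True
    return False


def categorise(url):
    host = (urlsplit(url).hostname or "").lower()
    return host, CATEGORY_DB.get(host, "unknown")


def url_verdict(url):
    """Return (category, action, source, logged).

    Precedence assumed here: block list, then allow list, then the category
    action. Only 'allow' is silent; every other action writes a URL log entry."""
    host, cat = categorise(url)
    if host_in_list(host, BLOCK_LIST):
        action, source = "block", "block-list"
    elif host_in_list(host, ALLOW_LIST):
        action, source = "allow", "allow-list"
    else:
        action, source = CATEGORY_ACTIONS.get(cat, "alert"), "category"
    return cat, action, source, action != "allow"


def schedule_allows(hour, groups, category):
    """Constructed scheduled rule: the 'staff' group may use 'games' 12:00-13:59."""
    return category == "games" and "staff" in groups and 12 <= hour < 14


def effective_verdict(url, groups, hour):
    """Verdict once a scheduled security rule is layered on top of the profile.
    The scheduled rule only overrides a category verdict; list entries still win."""
    cat, action, source, logged = url_verdict(url)
    if source == "category" and schedule_allows(hour, groups, cat):
        return "allow", "schedule", False
    return action, source, logged


if __name__ == "__main__":
    for u in ("http://games.example.test/", "http://proxy.example.test/",
              "http://wiki.corp.test/", "http://cdn.malware.example.test/x"):
        print(u, url_verdict(u), effective_verdict(u, {"staff"}, 12))
```

The practical point the code makes explicit is the gap between "allow" and "alert": a category set to allow produces no URL log entry, so if you want to see the traffic in the URL Filtering log while still permitting it, the category (or the list entry) needs to be on alert rather than allow.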

File Blocking

The File Blocking profile allows for file blocking rules to be created within a single profile
which can then be associated to rules within the security policy. Rules can be configured to
look for nearly all common file types (truly identifying the file type rather than just looking
at the extension) within all known applications. The direction of the file transfer can also be
specified (upload or download) and the rule can be configured to either block the defined
file transfer or to generate an alert.

Data Filtering

The Data Filtering profile allows pattern matches to be identified within data and then
'weighted'. Once certain weight thresholds have been reached, data can be blocked or
alerts can be issued. Patterns are defined and identified using regular expressions, and
patterns can be configured to look at specific applications and/or file types, in either
direction (upload or download) or in both.
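The following is an added illustration in Python, not code from this review or from Palo Alto Networks, of the weighted-pattern model the paragraph above describes: regular-expression patterns carry a weight, matches are summed per message, and the total is compared with alert and block thresholds, with traffic in an uninspected direction passed through unscored. The patterns, weights, thresholds, the Luhn check on candidate card numbers and the sample payloads are all constructed for illustration.

```python
"""Added example, not Palo Alto Networks code: weighted pattern matching in the
style the Data Filtering profile describes. The patterns, weights, thresholds,
direction handling and sample payloads are all constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, Optional


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops 16-digit numbers that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Pattern:
    name: str
    regex: re.Pattern
    weight: int
    validate: Optional[Callable[[str], bool]] = None  # extra check on each match


PATTERNS = [
    # 16 digits, optionally separated by spaces or hyphens, that pass Luhn
    Pattern("credit-card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), 3,
            lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    Pattern("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 2),
    Pattern("confidential-marker", re.compile(r"\bconfidential\b", re.I), 1),
]

ALERT_THRESHOLD = 3   # constructed
BLOCK_THRESHOLD = 6   # constructed


def score(payload: str):
    """Return (total weight, {pattern name: validated match count})."""
    hits, total = {}, 0
    for p in PATTERNS:
        count = sum(1 for m in p.regex.finditer(payload)
                    if p.validate is None or p.validate(m.group(0)))
        if count:
            hits[p.name] = count
            total += count * p.weight
    return total, hits


def decide(payload: str, direction: str, directions=("upload", "download")) -> str:
    """Map the weighted score to the profile action: allow, alert or block.
    Traffic in a direction the profile does not inspect is allowed unscored."""
    if direction not in directions:
        return "allow"
    total, _ = score(payload)
    if total >= BLOCK_THRESHOLD:
        return "block"
    if total >= ALERT_THRESHOLD:
        return "alert"
    return "allow"


# Constructed sample payloads; the card numbers are well-known test numbers
SAMPLES = {
    "order": "CONFIDENTIAL order: card 4111 1111 1111 1111, SSN 123-45-6789",
    "ticket": "ref 1234 5678 9012 3456 is a ticket id",
    "draft": "Confidential draft attached, pay to 5500-0000-0000-0004",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, score(text), decide(text, "upload"))
```

The Luhn validation is the piece worth copying into a real pattern set: a bare 16-digit regex fires on ticket numbers, tracking IDs and hashes, and a weight of 3 on every such false positive will push ordinary traffic over the alert threshold very quickly.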

Summary

We agree with Palo Alto Networks’ idea that a change of attitude is needed when it comes
to our firewalls. Implementing rules based on IP addresses and ports doesn't really offer the
protection that many people think and often leads to security policies that can grow beyond
control relatively quickly. The ability to create policies based upon users, applications and
content seems to make sense - these are the things that the business understands. When
security and the business are speaking the same language then that surely has to be a good
thing. If we can also do this with high performance speed on a single platform, then all the
better.

Some people, of course, are going to want to retain best-of-breed solutions for the various
functions of perimeter security - for example, Blue Coat for URL filtering, Sourcefire for IDP
and an SSL VPN from the likes of Juniper or F5. These solutions are specialists in their areas
and have functionality above and beyond what Palo Alto Networks can provide. For many,
however, that additional functionality may not be relevant. There are also the benefits of
having these functions on one platform to consider: a single platform to administer, and a
single layer of technology, which means a simpler network infrastructure. There is also the
fact that Palo Alto can take the information gathered and give it context - for example, it
can take information from its URL filtering policy and report on it in the context of users,
applications and other content.

There are definitely some areas for improvement in the product (which will inevitably come
with future version releases) but the visibility that Palo Alto Networks solutions can provide
is impressive. Whilst we may not necessarily be seeing enterprise customers yet using Palo
Alto Networks firewalls as their externally facing firewalls on their main Internet
connections, it is ideal for branch networks and for securing networks such as those hosting
credit card information. As future versions of the product are released and confidence in
the product grows, we may well see it deployed on enterprise gateways.

2015-06-02-SCIA-Presentation-Infocodex-FinalBeat Meyer
 
MBA Career development-presentation
MBA Career development-presentationMBA Career development-presentation
MBA Career development-presentationmbeuses
 

Viewers also liked (6)

Story Of An Idea Version18 Final
Story Of An Idea Version18 FinalStory Of An Idea Version18 Final
Story Of An Idea Version18 Final
 
69632 configuring-cat-ip-phone
69632 configuring-cat-ip-phone69632 configuring-cat-ip-phone
69632 configuring-cat-ip-phone
 
Rendicion Publica De Cuentas 2007 1
Rendicion Publica De Cuentas 2007 1Rendicion Publica De Cuentas 2007 1
Rendicion Publica De Cuentas 2007 1
 
2015-06-02-SCIA-Presentation-Infocodex-Final
2015-06-02-SCIA-Presentation-Infocodex-Final2015-06-02-SCIA-Presentation-Infocodex-Final
2015-06-02-SCIA-Presentation-Infocodex-Final
 
Grounding1
Grounding1Grounding1
Grounding1
 
MBA Career development-presentation
MBA Career development-presentationMBA Career development-presentation
MBA Career development-presentation
 

Similar to Palo alto-review

Ema best practices_for_utilizing_network_monitoring_switches_in_cisco_environ...
Ema best practices_for_utilizing_network_monitoring_switches_in_cisco_environ...Ema best practices_for_utilizing_network_monitoring_switches_in_cisco_environ...
Ema best practices_for_utilizing_network_monitoring_switches_in_cisco_environ...Anand Raj
 
Netop Remote Control Security Overview
Netop Remote Control Security OverviewNetop Remote Control Security Overview
Netop Remote Control Security OverviewNetop
 
Intel® QuickAssist Technology (Intel® QAT) and OpenSSL-1.1.0: Performance
Intel® QuickAssist Technology (Intel® QAT) and OpenSSL-1.1.0: PerformanceIntel® QuickAssist Technology (Intel® QAT) and OpenSSL-1.1.0: Performance
Intel® QuickAssist Technology (Intel® QAT) and OpenSSL-1.1.0: PerformanceDESMOND YUEN
 
OSN Bay Area Feb 2019 Meetup: Intel, Dynamic Device Personalization - Journey...
OSN Bay Area Feb 2019 Meetup: Intel, Dynamic Device Personalization - Journey...OSN Bay Area Feb 2019 Meetup: Intel, Dynamic Device Personalization - Journey...
OSN Bay Area Feb 2019 Meetup: Intel, Dynamic Device Personalization - Journey...Lumina Networks
 
Splunk for palo_alto
Splunk for palo_altoSplunk for palo_alto
Splunk for palo_altoGreg Hanchin
 
IN_TECH.290215048
IN_TECH.290215048IN_TECH.290215048
IN_TECH.290215048ypai
 
Claroty Award Write Up
Claroty Award Write UpClaroty Award Write Up
Claroty Award Write UpAna Arriaga
 
Lattice Network Yellow Paper.pdf
Lattice Network Yellow Paper.pdfLattice Network Yellow Paper.pdf
Lattice Network Yellow Paper.pdfBijanBurnard
 
Nss labs-report-Palo_Alto_Networks-2011
Nss labs-report-Palo_Alto_Networks-2011Nss labs-report-Palo_Alto_Networks-2011
Nss labs-report-Palo_Alto_Networks-2011He Hariyadi
 
Secure Management of Access to Privileged Accounts
Secure Management of Access to Privileged AccountsSecure Management of Access to Privileged Accounts
Secure Management of Access to Privileged AccountsHitachi ID Systems, Inc.
 

Similar to Palo alto-review (20)

Ema best practices_for_utilizing_network_monitoring_switches_in_cisco_environ...
Ema best practices_for_utilizing_network_monitoring_switches_in_cisco_environ...Ema best practices_for_utilizing_network_monitoring_switches_in_cisco_environ...
Ema best practices_for_utilizing_network_monitoring_switches_in_cisco_environ...
 
CRYPTTECH PRODUCTS
CRYPTTECH PRODUCTSCRYPTTECH PRODUCTS
CRYPTTECH PRODUCTS
 
Tcp/ip tutorial
Tcp/ip tutorialTcp/ip tutorial
Tcp/ip tutorial
 
Tcpip tutorial
Tcpip tutorialTcpip tutorial
Tcpip tutorial
 
Palo Alto Networks - Next-generation Firewall Security with Expanding Scalabi...
Palo Alto Networks - Next-generation Firewall Security with Expanding Scalabi...Palo Alto Networks - Next-generation Firewall Security with Expanding Scalabi...
Palo Alto Networks - Next-generation Firewall Security with Expanding Scalabi...
 
Cisco switch setup with cppm v1.2
Cisco switch setup with cppm v1.2Cisco switch setup with cppm v1.2
Cisco switch setup with cppm v1.2
 
Netop Remote Control Security Overview
Netop Remote Control Security OverviewNetop Remote Control Security Overview
Netop Remote Control Security Overview
 
Intel® QuickAssist Technology (Intel® QAT) and OpenSSL-1.1.0: Performance
Intel® QuickAssist Technology (Intel® QAT) and OpenSSL-1.1.0: PerformanceIntel® QuickAssist Technology (Intel® QAT) and OpenSSL-1.1.0: Performance
Intel® QuickAssist Technology (Intel® QAT) and OpenSSL-1.1.0: Performance
 
V6 v4-threats
V6 v4-threatsV6 v4-threats
V6 v4-threats
 
OSN Bay Area Feb 2019 Meetup: Intel, Dynamic Device Personalization - Journey...
OSN Bay Area Feb 2019 Meetup: Intel, Dynamic Device Personalization - Journey...OSN Bay Area Feb 2019 Meetup: Intel, Dynamic Device Personalization - Journey...
OSN Bay Area Feb 2019 Meetup: Intel, Dynamic Device Personalization - Journey...
 
Splunk for palo_alto
Splunk for palo_altoSplunk for palo_alto
Splunk for palo_alto
 
IN_TECH.290215048
IN_TECH.290215048IN_TECH.290215048
IN_TECH.290215048
 
Claroty Award Write Up
Claroty Award Write UpClaroty Award Write Up
Claroty Award Write Up
 
bakalarska_praca
bakalarska_pracabakalarska_praca
bakalarska_praca
 
Air group configuration howto with clearpass 6 v1.2(1)
Air group configuration howto with clearpass 6 v1.2(1)Air group configuration howto with clearpass 6 v1.2(1)
Air group configuration howto with clearpass 6 v1.2(1)
 
Lattice Network Yellow Paper.pdf
Lattice Network Yellow Paper.pdfLattice Network Yellow Paper.pdf
Lattice Network Yellow Paper.pdf
 
Nss labs-report-Palo_Alto_Networks-2011
Nss labs-report-Palo_Alto_Networks-2011Nss labs-report-Palo_Alto_Networks-2011
Nss labs-report-Palo_Alto_Networks-2011
 
LAN Proposal
LAN Proposal LAN Proposal
LAN Proposal
 
Secure Management of Access to Privileged Accounts
Secure Management of Access to Privileged AccountsSecure Management of Access to Privileged Accounts
Secure Management of Access to Privileged Accounts
 
Secure Management of Privileged Passwords
Secure Management of Privileged PasswordsSecure Management of Privileged Passwords
Secure Management of Privileged Passwords
 

Palo alto-review

  • 1. Palo Alto Networks Technology Review Nebulas Solutions Group - 18/01/10
  • 2.
  • 3. 1  Contents Contents  Contents ...................................................................................................................................................... 1  Introduction ................................................................................................................................................ 2  App-ID ..................................................................................................................................................... 2  User-ID .................................................................................................................................................... 2  Content-ID ............................................................................................................................................. 2  Product Range ............................................................................................................................................ 4  Deployment/Infrastructure ...................................................................................................................... 4  Networking options ............................................................................................................................. 4  High Availability ..................................................................................................................................... 5  Licensing .................................................................................................................................................. 5  Management ........................................................................................................................................... 5  Usability........................................................................................................................................................ 
5  User Interface ........................................................................................................................................ 5  Policy Building ........................................................................................................................................ 6  Logging/Reporting ................................................................................................................................. 6  Functionality ................................................................................................................................................ 7  The Application Command Center (ACC) ..................................................................................... 7  NAT ......................................................................................................................................................... 8  QoS .......................................................................................................................................................... 8  VPNs ........................................................................................................................................................ 8  Security Profiles ......................................................................................................................................... 9  Antivirus .................................................................................................................................................. 9  Anti-Spyware .......................................................................................................................................... 9  Vulnerability Protection ..................................................................................................................... 
10  URL filtering ......................................................................................................................................... 10  File Blocking .......................................................................................................................................... 10  Data Filtering ........................................................................................................................................ 11  Summary .................................................................................................................................................... 12 
Introduction

Perimeter security solutions seem to fall into one of two camps - either a firewall with various point solutions or a Unified Threat Management (UTM) device. Both of these infrastructures have their own problems - the first requires multiple layers of technologies and multiple systems to administer and manage, whilst the second often struggles to retain the desired performance and throughput the moment you enable the extra features. Well, it seems there's now a third option - Palo Alto have released their 'Next Generation Firewall'.

Palo Alto Networks was founded in 2005 by Nir Zuk with a mission to 're-invent the firewall'. They aim to provide visibility and control of all applications and content - by user, not just IP address - at high speed with no performance degradation.

Palo Alto Networks are able to start providing increased visibility and control through the use of three technologies: App-ID, User-ID, and Content-ID. These technologies allow Palo Alto Networks users to configure their firewalls in line with business-relevant elements such as applications, users and content rather than ports and protocols that don't necessarily represent or permit what they're supposed to. These technologies are described briefly below:

App-ID

Traditional firewalls rely on a convention that a given port corresponds to a given service (e.g. TCP port 80 corresponds to HTTP); however, this isn't always the case. As such, they are often incapable of distinguishing between different applications that use the same port/service. App-ID can identify more than 900 applications across five categories and 25 sub-categories, and allows security policies to be configured based upon application rather than just a port/service.

User-ID

Palo Alto Networks can integrate with an Active Directory infrastructure and then manage and enforce security policies based upon user and/or Active Directory group. Users are no longer defined solely by their IP addresses.
Content-ID

As its name suggests, Content-ID can scan network traffic for a broad range of threats (including vulnerability exploits, viruses, and spyware) as well as controlling file transfers (by file type) and scanning for other content such as credit card numbers. There is also an onboard URL database for categorized web filtering.

This means that these devices will be doing quite a lot of work compared to a standard firewall, so it begs the obvious question "How is it any different from a normal UTM device?". The simple answer to this is through their Single-Pass Parallel Processing (SP3) architecture. Whereas normal UTM firewalls will pass packets through multiple policies in series, one after another, Palo Alto Networks' SP3 is able to pass the packet through all of its processes in parallel, using a single engine. This means the performance decrease normally associated with running multiple functions on a firewall isn't anywhere near as significant with Palo Alto Networks. Typically, even with all policies and profiles turned on, impressive throughput speeds can still be achieved.

This document sets out to discuss some of the features of the Palo Alto Networks solutions, supplemented by some of our thoughts.
Product Range

There are 6 different models of appliance, split into 3 different categories:

• The PA-4000 Series - available in three models. Suitable for large enterprise networks, with maximum throughput of up to 10Gbps.
• The PA-2000 Series - available in two models. Suitable for the branch offices of large enterprises and for mid-sized organizations.
• The PA-500 - ideal for mid-sized businesses and branch office environments.

The diagram below shows the different models and their performance speeds. You can see that even with all of the threat prevention protections turned on, users can still expect to achieve high performance (up to 5Gbps).

Deployment/Infrastructure

Networking Options

Palo Alto Networks' solution offers a flexible range of deployment options including an out-of-band 'visibility-only' mode, transparent in-line operation, and a fully active in-line firewall configuration. It also supports dynamic routing (OSPF, RIPv2), 802.1Q VLANs, and trunked ports. It utilises a concept of security 'zones' which will be familiar to any Juniper/NetScreen users.

The visibility-only mode is particularly interesting as it allows users to become familiar with the product and the visibility it provides without disrupting an existing network infrastructure.

The box ships with vWire (Palo Alto's Layer 2 mode) already configured, with eth1 and eth2 as vWire interface types in the untrust and trust zones. This again allows for Layer 2 deployment in an existing network without causing disruption to existing infrastructure. This may be of particular interest to anyone looking to implement firewalling around a network segment without having to change IP addresses - for example, protecting card payment networks as part of a PCI project. Whilst other firewall solutions can operate at L2, many of them cannot fully integrate L2, high-availability and IDP functionality.

One point to note though is that vWire is the only mode today in which multicast is supported. Palo Alto cannot route multicast and don't have any PIM Sparse/Dense mode support (PIM Sparse mode is on the roadmap though).

High Availability

Palo Alto Networks solutions offer an active/passive High Availability option. There is no active/active load sharing option available. Two ports per appliance are dedicated to implementing HA: one is used for synchronising session information and the other for configuration synchronisation. The configuration is set on one of the devices and is then synchronised to the HA partner, so the policy only needs to be defined once. The systems issue a virtual MAC and IP address in a similar way to VRRP.

Licensing

Palo Alto offers a large range of functionality (including Firewall, SSL VPN, QoS, Antivirus, Anti-spyware, Vulnerability Protection, URL Filtering, File Blocking, and Data Filtering) but thankfully the licensing model appears relatively straightforward. The only components that require licensing are the threat and URL filtering components (each licensed at 20% of the cost of the box per annum), virtual systems and the implementation of centralised management. All other functionality is available as part of the purchased solution.

Management

Palo Alto's centralised management system is called Panorama. Only available as a VM appliance, Panorama looks and feels very similar (almost identical in fact) to the GUI used for administering standalone systems.
It can reference up to 2TB of log data and manage up to 25 systems, and is licensed according to how many systems it is managing. One can configure almost all the required configuration for a gateway from Panorama, although strangely it appears that this isn't the case for NAT - this needs to be done on the gateway itself.

Usability

User Interface

The systems are administered either from the CLI or a browser-based UI (widget based, using AJAX). The administration is broken down into seven tabs (Dashboard, ACC, Monitor, Policies, Objects, Network, and Device) and feels pretty slick to navigate - it is pretty intuitive and it is easy to work out where to find what you are looking for. The Dashboard tab gives an overview of the system status and presents some useful information such as the status of the device interfaces, the top applications being seen, system network settings, etc.

The appliances have full role-based user management configurability with profiles that can be set up to control CLI and GUI roles. Access on the GUI can be granularly controlled to enable, disable or permit read-only access to the different areas of the GUI.

Policy Building

The operation of the firewall is controlled by several types of policies and profiles. The policies include:

• Security policies to block or allow a network session based on the application, the source and destination zones and addresses, and optionally the service (port and protocol). Zones identify the physical or logical interfaces that send or receive the traffic.
• Network Address Translation (NAT) policies to translate addresses and ports, as needed.
• SSL Decryption policies to specify the SSL traffic to be decrypted so that security policies can be applied. Each policy can specify the categories of URLs for the traffic you want to decrypt.

Security policies can be built in the usual manner with a graphical interface listing all rules. Rules are created at the bottom of the rulebase and then have to be relocated to the relevant location in the rulebase. This is most easily done using an 'insert before/after' option, but cut and paste cannot be used. Rules have the following fields which can be populated:

• Name
• Source Zone
• Destination Zone
• Source Address
• Source User
• Destination Address
• Application
• Service (can be set to Any, Application Default, or User Defined)
• Action (can be set to Allow, Deny, Block or Alert)
• Profile (where you can define which Security Profiles are to be applied to the rule)
• Options (including logging options, scheduling, QoS marking, etc.)

For users familiar with Check Point policies, there are a few things that might be missed.
For example, an object list for dragging and dropping objects into the policy is not available, rules cannot be grouped with headings and objects cannot be negated. Despite this, creating a rulebase is still a relatively straightforward exercise.

Logging/Reporting

'Traditional' firewall logging is of course available, but it is split into four different logs - Traffic, Threat, URL Filtering, and Data Filtering. Unfortunately, you cannot look at all of these logs in a single view. Whilst all the information a security administrator will expect is available, the log viewers aren't quite as mature as Check Point veterans will be used to. For example, logs aren't colour coded differently for allowed or denied packets, and columns cannot be dragged and dropped to different locations. However, filters can be applied fairly easily using a filter expression tool which offers the expected options, including logical operators.

Where the product really does provide some impressive visibility is through the reporting. It is here that you start to see all sorts of patterns and trends that your traditional firewall does not provide. Having such a range of functionality on one box allows the information collected to be combined and given real context. You can very quickly see which applications are consuming bandwidth, if any applications have increased their connection usage significantly, which AD users are associated with the top talkers, and a whole range of custom reports. There are also some really useful summary reports that could be used to give a regular snapshot of an infrastructure's security status. Reports can be scheduled and emailed to appropriate users.

Regarding the log management, there are a few things worth noting. Firstly, the logs roll over at timed intervals - they can be forwarded off box to Panorama and (typically) a syslog server, but it doesn't appear possible to re-import logs back into the GUI for analysis. Palo Alto Networks work with Sawmill for off-box reporting, although I expect other SIEM solutions could be used for a similar purpose.

Functionality

The Application Command Center (ACC)

The ACC tab provides details about the Application, URL Filtering, Threat Prevention, and Data Filtering visibility and controls from the device. It gives 'at a glance' visibility about the types of connections that the device can see. What is really nice is that most of the items listed on this tab can be clicked on for further contextualised detail.
For example, clicking on the top URL category takes you to a screen that lists the applications in which that category has been seen as well as the top sources, destinations and users for that particular category. Clicking on an application from the ACC lists provides detail but also provides security information relating to that application - for example, can it be used for file transfer? Is it prone to misuse? Does it have known vulnerabilities?
Palo Alto Networks can currently identify in excess of 900 applications and release support for new applications at a rate of approximately 5 applications per week. For those applications it doesn't recognise, it is possible for users to write their own identifiers (although this is currently only available for HTTP applications).

NAT

NAT is configured from a separate section under the 'Policies' tab and is relatively straightforward to configure. It is configured in a similar way to the security policy, using rules. The fields include:

• Source Zone
• Destination Zone
• Source Address (for original and translated packets)
• Destination Address (for original and translated packets)
• Service

Proxy ARPs are automatically created when NATs are configured.

QoS

Palo Alto supports QoS settings for traffic upon egress from the firewall. QoS profiles are attached to physical interfaces to specify how traffic classes map to bandwidth (guaranteed, maximum) and priority. This is particularly nice when these profiles are associated with applications in the security policy.

VPNs

All of Palo Alto Networks' platforms support site-to-site IPSec VPNs. There are working examples of site-to-site VPNs with most of the other major firewall vendors. One point worth noting is that certificate-based VPNs are not currently supported. Palo Alto Networks do not provide any client-to-site VPN connectivity and are unlikely to ever include this functionality.

The platforms also function as SSL VPN endpoints. SSL VPNs are available for XP and Vista clients only (Mac clients are not currently supported). Users can authenticate to either a local user database, or a profile for RADIUS authentication can be set up. There is no host checking available at present, which may limit its use as a corporate solution, but the SSL VPN tool is an integrated part of the Palo Alto Networks solution - there is no additional license or cost.

Security Profiles

Each security policy can specify one or more security and logging profiles. Security profiles defend the network against viruses, spyware, and other known threats. The profiles include:

• Antivirus profiles to protect against worms and viruses.
• Anti-spyware profiles to block spyware downloads and attempts by spyware to access the network.
• Vulnerability protection profiles to stop attempts to exploit system flaws or gain unauthorized access to systems.
• URL filtering profiles to restrict access to specific web sites and web site categories.
• File blocking profiles to block selected file types.
• Data filtering profiles that help prevent sensitive information such as credit card or social security numbers from leaving the area protected by the firewall.

Antivirus

Antivirus profiles can be created and applied to different rules within a security policy. There are specific decoders for FTP, HTTP, IMAP, POP3, SMB and SMTP, and within a security profile different actions (allow, alert or block) can be applied per decoder. There isn't any option to action either quarantining or cleaning of identified infections.

The Antivirus engine is Palo Alto Networks' own; they write their own signatures (they currently have circa 4 million) and 3rd-party scanning engines cannot be used. Palo Alto Networks use stream-based as opposed to file-based antivirus scanning. The main advantage of this approach is the ability to maintain high throughput. The disadvantage is that they can only block files down to two levels of decompression. Beyond this, alerts can be issued, though a virus-infected file would be allowed through.
The appliances currently receive AV updates weekly, although this frequency will be increasing to daily in Q1 2010.

Anti-Spyware

The Anti-spyware profile can be configured using the same decoders and actions as the antivirus security profile. Different actions can be applied for Adware and Spyware within the same profile. There is also a separate tab within the configuration of the profile that allows for 'Phone Home Protection' settings to be applied to stop any known applications or software phoning home. One really nice touch here is that the 'Phone Home Protection' settings can be configured using either a simple option or a granular, custom rule type. Exceptions can also be set up within a profile if required.
Vulnerability Protection

The Vulnerability Protection profile can also be configured using either a simple or custom rule type. The simple rule type allows for the standard action options to be applied depending on the criticality of the vulnerability and can be set on either the client or the server. The custom rule option allows for more granular actions to be applied per CVE. The additional actions include options such as drop-all-packets, reset-client, reset-server, and reset-both.

URL filtering

Palo Alto Networks have OEM'd the BrightCloud database (also recently selected by Microsoft) for their URL filtering profile. They have circa 20 million URLs on the box and around 80 predefined categories ranging from 'hunting-and-fishing' to 'open-http-proxies'. Palo Alto Networks can cache URLs on box but also have a 'Dynamic URL Filtering' option which, if checked, dynamically checks unknown URLs against a cloud-based server (similar to technologies such as Blue Coat WebPulse and Cisco IronPort Web Usage Controls).

There are various actions that can be issued per category; these are given below:

• Allow - allows, but does not log
• Block - blocks
• Continue - displays a warning page and allows the user to continue
• Override - the user can enter a one-time password to go through
• Alert - allows and generates a log

One slight gripe is that you're not able to create your own custom categories. We understand that Palo Alto are looking to introduce this functionality early in 2010, but in the meantime there is an option to create a white list and black list per profile, so we can see this as being able to address most of our customers' URL filtering requirements.

Some other points worth noting are that the URL filtering is licensed per box and not per seat, as with many web filtering vendors.
By creating the necessary rule in the security policy you can implement time-based scheduling, for example allowing a particular user (or group) to visit a particular URL category (e.g. Games) between certain hours. You cannot, however, issue time-based quotas - e.g. allow User A to visit Facebook for 1 hour per day.

File Blocking

The File Blocking profile allows for file blocking rules to be created within a single profile which can then be associated with rules within the security policy. Rules can be configured to look for nearly all common file types (truly identifying the file type rather than just looking at the extension) within all known applications. The direction of the file transfer can also be specified (upload or download), and the rule can be configured to either block the defined file transfer or to generate an alert.
Data Filtering

The Data Filtering profile allows for pattern matches to be identified within data and then 'weighted'. Once certain weight thresholds have been hit, data can be blocked or alerts can be issued. Patterns are defined and identified using regular expressions, and patterns can be configured to look at specific applications and/or file types, in either direction (upload or download) or both.
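The weighting scheme described above, as an added illustration that is not Palo Alto Networks code: regular-expression patterns carry a weight, matches are summed per data object, and the total is compared against an alert threshold and a higher block threshold, with each pattern scoped to applications and a transfer direction. The pattern names, weights, thresholds, the Luhn validator used to discard non-card 16-digit numbers and the sample payloads are all constructed for this example.

```python
"""Illustrative weighted data-filtering profile (added example, not PAN-OS code).

Each pattern carries a weight; the weights of all matches in one data object
are summed and compared with an alert threshold and a higher block threshold.
A pattern can be scoped to applications, file types and a transfer direction.
Pattern names, weights, thresholds, the Luhn validator and the payloads are
all constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Pattern:
    name: str
    regex: str
    weight: int
    apps: frozenset = frozenset({"any"})
    file_types: frozenset = frozenset({"any"})
    direction: str = "both"            # "upload", "download" or "both"
    validator: Optional[Callable[[str], bool]] = None  # drops false positives

@dataclass(frozen=True)
class Profile:
    patterns: tuple
    alert_threshold: int
    block_threshold: int

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random 16-digit serial number is not a card number."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:              # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _in_scope(p: Pattern, app: str, file_type: str, direction: str) -> bool:
    return (("any" in p.apps or app in p.apps)
            and ("any" in p.file_types or file_type in p.file_types)
            and (p.direction == "both" or p.direction == direction))

def score(profile: Profile, data: str, app: str, file_type: str,
          direction: str) -> tuple:
    """Return (total_weight, {pattern_name: match_count}) for one data object."""
    total, hits = 0, {}
    for p in profile.patterns:
        if not _in_scope(p, app, file_type, direction):
            continue
        matches = re.findall(p.regex, data)
        if p.validator is not None:
            matches = [m for m in matches if p.validator(m)]
        if matches:
            hits[p.name] = len(matches)
            total += p.weight * len(matches)
    return total, hits

def verdict(profile: Profile, data: str, app: str, file_type: str,
            direction: str) -> str:
    """Map the summed weight onto the profile's actions."""
    total, _ = score(profile, data, app, file_type, direction)
    if total >= profile.block_threshold:
        return "block"
    if total >= profile.alert_threshold:
        return "alert"
    return "allow"

# Constructed sample profile: a single identifier alerts; a document combining
# a card number, an SSN and a confidentiality marker is blocked.
PROFILE = Profile(
    patterns=(
        Pattern("credit-card", r"\b(?:\d[ -]?){15}\d\b", weight=3,
                validator=lambda m: luhn_ok(re.sub(r"\D", "", m))),
        Pattern("us-ssn", r"\b\d{3}-\d{2}-\d{4}\b", weight=3),
        Pattern("confidential-marker", r"(?i)\bconfidential\b", weight=1,
                apps=frozenset({"web-browsing", "smtp"}), direction="upload"),
    ),
    alert_threshold=3,
    block_threshold=7,
)

# Constructed payloads: 4111 1111 1111 1111 is a Luhn-valid test number,
# 1234 5678 9012 3456 is sixteen digits that fail the Luhn check.
EXPORT = ("Customer export - CONFIDENTIAL\n"
          "card 4111 1111 1111 1111, ssn 078-05-1120\n")
SERIAL = "serial 1234 5678 9012 3456 shipped\n"
MAIL = "card 4111 1111 1111 1111 attached\n"

def demo() -> dict:
    return {
        "web_upload": verdict(PROFILE, EXPORT, "web-browsing", "txt", "upload"),
        "web_download": verdict(PROFILE, EXPORT, "web-browsing", "txt", "download"),
        "ftp_serial_only": verdict(PROFILE, SERIAL, "ftp", "txt", "upload"),
        "mail_card_only": verdict(PROFILE, MAIL, "smtp", "txt", "upload"),
    }

if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:16s} -> {action}")
```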
Summary

We agree with Palo Alto Networks' view that a change of attitude is needed when it comes to our firewalls. Implementing rules based on IP addresses and ports doesn't really offer the protection that many people think it does, and often leads to security policies that can grow beyond control relatively quickly. The ability to create policies based upon users, applications and content seems to make sense: these are the things that the business understands. When security and the business are speaking the same language, that surely has to be a good thing. If we can also do this at high performance on a single platform, then all the better.

Some people, of course, are going to want to retain best-of-breed solutions for the various functions of perimeter security, for example Blue Coat for URL filtering, Sourcefire for IDP functionality and an SSL VPN from the likes of Juniper or F5. These solutions are specialists in their areas and have functionality above and beyond that which Palo Alto Networks can provide. For many, the additional functionality that a specialist solution provides beyond Palo Alto Networks' offering may not be relevant. There are also other factors to consider around the benefits of having these functions on one platform: a single platform to administer, and a single layer of technology means a simpler network infrastructure. There is also the fact that Palo Alto can take the information gathered and give it context; for example, it could take information from its URL filtering policy and then report upon it in the context of users, applications and other content. There are definitely some areas for improvement in the product (which will inevitably come with future releases), but the visibility that Palo Alto Networks solutions can provide is impressive.

Whilst we may not necessarily yet be seeing enterprise customers using Palo Alto Networks firewalls as the externally facing firewalls on their main Internet connections, the product is ideal for branch networks and for securing networks such as those hosting credit card information. As future versions are released and confidence in the product grows, we may well see it deployed on enterprise gateways.
