Network Computing is part of the Informa Tech Division of Informa PLC


From The Labs: Palo Alto's Firewall Appliance: Page 3 of 4

After the device was on our network for just a short time, we noticed spikes in network traffic that led us to a few computers infected with malicious software. App-Scope offers a plethora of other graphs and reports, allowing almost any question about your network traffic to be quickly answered.

We then moved the PA-4050 inline, still in Virtual Wire mode, to protect our lab network. The device precisely identified applications, particularly various types of Web traffic, and enabled us to quickly and granularly control usage; for example, we could allow access to Google search and read but block Google Mail and video. During our testing, classifications were generally very accurate, with only a few slipups; for example, YouTube video was identified as http-video, which is close. Palo Alto is constantly tuning its signatures and says a recent update now enables the appliances to, for example, identify YouTube videos specifically.

Of course, as with any signature technology, Palo Alto is always going to be behind the curve when it comes to identifying applications. For instance, the PA-4050 didn't recognize an uncommon security application used in our lab. The company stated that it does not charge for writing signatures for unrecognized apps, though if the software is proprietary and unique to a single customer, it encourages companies to use an app-override rule to map traffic based on destination IP and port. We took this route, and the process was as simple as entering the IP address and port of the server that the clients were communicating with. After that, the firewall recognized the traffic, but because it's not a true application signature, the firewall won't recognize the traffic if it hops ports or changes IP addresses.

The App-ID capability, while quite impressive, wouldn't be of much use without the PA-4050's other neat trick: SSL decryption. Using a man-in-the-middle attack for the power of good, the PA-4050 proxies SSL connections and generates a new certificate on the fly that it sends to the client, impersonating a secure server. Because the firewall has the network traffic in plain text in between decryption and re-encryption with its self-generated certificate, it can apply the full range of security policies to the traffic. In order for this to be transparent to users, IT will need to distribute the firewall's root certificate to all client computers, a process that could be automated.

Rounding out the device's feature set, Palo Alto supplies a small agent to run on an Active Directory Domain Controller (or any other server with read-only access to Active Directory) that maps user IDs to IP addresses, allowing the firewall to apply security controls to specific users, no matter which PC they happened to be using. However, because the agent maps users to IP addresses, you won't be able to apply individual policies if multiple users have a single address, such as with a Windows Terminal Server.
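The app-override rule described earlier and the User-ID address mapping described here have the same shape: a lookup table consulted before, or instead of, a signature. The Go program below is an added example, not Palo Alto code or the review's own, that models both on constructed flows: an override keyed on destination IP and port, toy content signatures standing in for App-ID, and an IP-to-user table where a shared address (the terminal-server case) yields no per-user match. All addresses, user names, rules and the `IdentifyApp`, `LookupUser` and `Evaluate` helpers are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Flow is a constructed record of one connection seen by the firewall.
type Flow struct {
	SrcIP   string
	DstIP   string
	DstPort uint16
	Payload string // first bytes of the client's data; constructed sample content
}

// AppOverride maps a destination IP and port to an application name, the
// kind of rule the review says was used for the unrecognized lab tool.
type AppOverride struct {
	DstIP   string
	DstPort uint16
	App     string
}

// IdentifyApp classifies a flow: override rules first, then toy content
// signatures (constructed here; not Palo Alto's App-ID logic).
func IdentifyApp(f Flow, overrides []AppOverride) (app, method string) {
	for _, o := range overrides {
		if o.DstIP == f.DstIP && o.DstPort == f.DstPort {
			return o.App, "override"
		}
	}
	switch {
	case strings.HasPrefix(f.Payload, "GET ") || strings.HasPrefix(f.Payload, "POST "):
		return "web-browsing", "signature"
	case strings.HasPrefix(f.Payload, "SSH-2.0-"):
		return "ssh", "signature"
	}
	return "unknown", "none"
}

// UserMap is the User-ID style table of IP address -> logged-on users.
type UserMap map[string][]string

// LookupUser returns the user behind an IP. ok is false when the address is
// unmapped or shared by several users (for example a terminal server), since
// a per-user decision is then not possible.
func LookupUser(ip string, m UserMap) (user string, ok bool) {
	users := m[ip]
	if len(users) != 1 {
		return "", false
	}
	return users[0], true
}

// Rule is a minimal policy entry; "*" matches any user or app.
type Rule struct {
	User   string
	App    string
	Action string // "allow" or "deny"
}

// Evaluate identifies the app and user for a flow and returns the action of
// the first matching rule, or "deny" when nothing matches. Flows whose user
// cannot be resolved only match rules with User "*".
func Evaluate(f Flow, overrides []AppOverride, users UserMap, rules []Rule) string {
	app, _ := IdentifyApp(f, overrides)
	user, known := LookupUser(f.SrcIP, users)
	for _, r := range rules {
		userMatch := r.User == "*" || (known && r.User == user)
		appMatch := r.App == "*" || r.App == app
		if userMatch && appMatch {
			return r.Action
		}
	}
	return "deny"
}

func main() {
	overrides := []AppOverride{{DstIP: "10.0.0.5", DstPort: 7777, App: "lab-tool"}}
	users := UserMap{
		"10.0.1.10": {"alice"},
		"10.0.1.50": {"bob", "carol"}, // constructed terminal server: two sessions, one IP
	}
	rules := []Rule{
		{User: "alice", App: "lab-tool", Action: "allow"},
		{User: "*", App: "web-browsing", Action: "allow"},
	}
	flows := []Flow{
		{SrcIP: "10.0.1.10", DstIP: "10.0.0.5", DstPort: 7777, Payload: "\x01\x02"},
		{SrcIP: "10.0.1.10", DstIP: "10.0.0.5", DstPort: 7778, Payload: "\x01\x02"}, // tool hopped ports
		{SrcIP: "10.0.1.50", DstIP: "203.0.113.7", DstPort: 80, Payload: "GET / HTTP/1.1"},
	}
	for _, f := range flows {
		app, how := IdentifyApp(f, overrides)
		fmt.Printf("%s -> %s:%d app=%s (%s) action=%s\n",
			f.SrcIP, f.DstIP, f.DstPort, app, how, Evaluate(f, overrides, users, rules))
	}
}
```

The second flow shows the limitation the review names: once the tool moves to a port the override does not list, it falls back to "unknown" and the per-user allow no longer matches. The third flow shows the terminal-server case: with two users behind one address the lookup reports no single user, so only rules written for any user can apply to it.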