Palo Alto Networks Introduces Next-Generation Firewalls For Branch Offices, Apple Devices


November 8, 2011

Network Computing

Palo Alto Networks, which earlier this year launched the PA-5000 series of next-generation firewalls, has introduced the PA-200, which protects branch offices and home offices as well as the bigger models do. It has also upgraded its GlobalProtect technology for secure remote access to specifically protect Apple computers and mobile devices, and is launching a new service called WildFire that protects against the latest versions of malware that threaten enterprise IT.

The technology all runs on the company’s newly upgraded operating system, PAN-OS 4.1. The new PA-200 series firewall provides at the branch office the same application-, user- and content-based security that the PA-5000 series does at headquarters, says Chris King, director of product marketing for Palo Alto Networks.

At the head office of a company, the best practice firewall, such as the 5000 series, is deployed because the company has the budget, the operational expertise and the demand for the high-end equipment, King says. At the branch office, budgets are smaller and deploying firewalls there typically involves a trade-off between functionality and price. "What the PA-200 does is it really takes all of the functions that we do on our next-generation firewall on the bigger boxes and delivers them in a branch office form factor. You get to see every application that’s on the network, you set policy by user, user group and application," he says.

There are differences in capacity, though, he added. The PA-200 delivers data throughput of up to 100 Mbps compared to the 5000 series and its 20-Gbps capacity. The PA-200 is cheaper, too, starting at $2,000 versus the 5000 series' starting price of $40,000. Palo Alto Networks says the next-generation firewalls protect network devices whether on the corporate network or beyond it, and dig deeper into network traffic to spot suspicious activity better than first-generation firewalls can.

Gartner defines a next-generation firewall as one designed to search for botnets infiltrating a network through applications rather than ports, as first-generation firewalls do. "More communications are going through fewer ports [such as HTTP and HTTPS] and via fewer protocols, meaning port/protocol-based policy has become less relevant and less effective," Gartner stated in a research report.

While intrusion prevention systems that do deep packet inspection can protect operating systems and software, "they cannot effectively identify and block the misuse of applications, let alone specific features within applications," the report stated. Gartner forecasts that by 2014, 60% of firewalls sold from vendors such as Cisco Systems, Check Point, Juniper Networks, Palo Alto Networks and others will be of this next-generation type.

The GlobalProtect technology extends the same security control to remote workers. New this week is specific GlobalProtect support for Apple iPads, iPhones and desktop/laptop computers running the Apple OS X operating system. It already protects devices running Microsoft Windows. GlobalProtect creates a secure tunnel, similar to a VPN, between the remote worker and the nearest next-generation firewall.

The difference between GlobalProtect and a VPN is that a VPN tunnels only to and from the corporate network, while GlobalProtect also secures connections between remote end points. "This is kind of how people designed mass transit systems in the '70s--this hub-and-spoke to an urban core. The reality today is that people are commuting between suburbs," King says.

The WildFire service adds protection from malware attacks, which are getting more sophisticated all the time. Lately, malware has become specifically targeted at an individual using social engineering. For example, information about the recipient is culled from social networking sites to personalize an email, which the recipient may be more likely to open, thus downloading malware. The WildFire service takes suspicious packets and executes them in a virtual cloud-based environment to see if they actually are malware. Executing them in the cloud prevents the malware from actually infecting the network.
