Palo Alto Networks Virtualizes Firewall, Adds New Hardware
November 19, 2012
Palo Alto Networks has unleashed a slew of security products, including VM-Series, a next-generation firewall platform for virtualized data centers. The company has also introduced a mid-range firewall hardware platform, the PA-3000 Series, and the M-100, a dedicated management appliance, and has enhanced its WildFire malware prevention subscription service. All four of these products work with the newly released PAN-OS 5.0, which Palo Alto said has 60 new features, including increased control for managing SSL traffic and enhanced IPv6 support.
Palo Alto is positioning this portfolio of products as a comprehensive approach to addressing network security for virtualized datacenters, including visibility into east-west traffic, tracking virtual machines and keeping pace with automated workflows.
The VM-Series virtual firewall runs on VMware's ESXi hypervisor and can control traffic to and from virtual machines. The virtual firewall also includes a feature called dynamic objects that lets security policies follow virtual machines even if they change hosts.
The VM-Series comes in three flavors: The VM-100 supports 50,000 sessions, 250 rules and 10 security zones; the VM-200 supports 100,000 sessions, 2,000 rules and 20 security zones; and the VM-300 supports 250,000 sessions, 5,000 rules and 40 security zones. All three versions support IPSec and SSL VPNs. Pricing for the VM-Series starts at $2,700.
Even as the company introduced its first virtual firewall platform, it also updated its physical firewall product line by adding the PA-3000 Series, which includes the PA-3020 and PA-3050. The former delivers 2 Gbps of throughput while the latter delivers 4 Gbps. Pricing for the PA-3000 Series starts at $14,000.
Also on the hardware front, Palo Alto's new M-100 is a dedicated appliance for its Panorama centralized management system. The appliance comes in a 1U form factor, has multiple 1-Gbps Ethernet interfaces and up to 4 Tbytes of RAID1 storage for logs, with 120 Gbytes of SSD system disk.
Finally, Palo Alto enhanced its WildFire cloud-based subscription service. The service will deliver updated malware prevention signatures within an hour to its subscriber customers, according to the company.
Greg Young, Gartner research VP and analyst of network security, says Palo Alto is "rounding off the corners" of what the company already offers. It had to address virtualization as other vendors such as Check Point and Cisco Systems already have these products. "As you get into larger deals, you need these types of options; otherwise it's easier to get excluded," he says.
However, while there's a lot of hype around virtualized firewalls, only a small percentage of firewalls are used in virtualized environments. "Purpose-built appliances are where 95% of firewall sales are today," he says.
Young notes there's already a stand-alone market for services such as Palo Alto's WildFire, including FireEye, or other vendors that include similar services as part of a bigger product offering, such as SourceFire. The challenge, he says, is not just preventing known threats using IPS but anticipating new threats. "All of the firewall vendors are stepping into this area."
John Kindervag, principal analyst at Forrester Research, says the value of Palo Alto's WildFire service is that it spreads the cost and capacity with everyone who subscribes. If one customer is affected by malware or a botnet, that leads to a remedy for all subscribers. "Now you're getting patched against that much more quickly than you might have than if you were waiting for it to happen to you."
He says the combination of next-gen firewall platforms with services such as WildFire is a direction security vendors must take. "The lifespan of these stand-alone advanced malware detection products is pretty short because it's fairly trivial for any vendor to build them into their existing gateway-based and file-based solutions."