From The Labs: Palo Alto's Firewall Appliance

Does your firewall really stop all the traffic you want it to block? Given the spread of software that tunnels network traffic over HTTP or hops TCP/IP ports to evade firewalls, it's all too likely that the answer is no.

Palo Alto Networks' PA-4000 series firewall appliances use proprietary App-ID signature technology to determine the applications entering and leaving your network, even those encrypted via SSL. This enables IT to better enforce security policies stating which applications are allowed to enter and leave the network. What's more, Palo Alto offers integration with Microsoft Active Directory, so firewall rules can be applied to specific users. Add the beginnings of in-line antivirus and intrusion prevention, and Palo Alto is shaping up to be a very potent competitor in the unified threat management market.

Firewalls are supposed to act as network gatekeepers, allowing or denying traffic based on IT policy. However, it's no secret that almost every firewall allows Web traffic, leading software developers to game the system by sneaking their applications' traffic onto networks, using Web protocols. For instance, Microsoft's RPC over HTTP is frequently used to slip connections from Outlook clients to Exchange servers past firewalls.For security groups trying to protect against incursion and restrict unwanted applications, most of today's firewalls essentially lock the front door but leave the window wide open. The exception is application proxies, which essentially re-create applications inside the firewall, guaranteeing that only traffic generated by approved applications is allowed to pass. But proxies have their own problems, not least of which is the difficulty of keeping up with the rush of new apps and protocols. Even minor changes in an application can totally break a proxy's compatibility, cutting off users from the application.

Palo Alto says it solves this dilemma with a signature-based system that allows for matching network traffic against a database of more than 550 applications. The company also provides signatures to detect viruses in network traffic, and it's rapidly developing a comprehensive set of threat signatures to spot exploit attempts and other malicious traffic. Of course, all standard firewall actions can be taken, allowing IT the ability to choose exactly which applications are permitted.

The PA-4000 can also block viruses and send out alerts about or deny entry to potentially malicious traffic. In addition, using the same signature-matching routines, a partnership deal lets Palo Alto add SurfControl's Web site classification database, so that all network traffic control can be integrated into a single box and management interface.

We were intrigued, so we brought a PA-4050 into our University of Florida Real-World Labs. We set the device for transparent Virtual Wire mode, in which the firewall doesn't route, switch, or modify VLAN tags of packets passing through it, and placed it in between a router and an existing IDS, so that we could reuse our span port. After allowing the 4050 to observe traffic for a while, we dug into the App-Scope Web-based management GUI.

Network traffic graphs were impressive--applications were clearly shown, and we could drill down to charts of source and destination IP addresses and traffic counts by clicking on the colored boxes that represent particular apps. The company has released a management platform for multiple devices, which we were not able to test.

MALWARE SPOTTEDAfter the device was on our network for just a short time, we noticed spikes in network traffic that led us to a few computers infected with malicious software. App-Scope offers a plethora of other graphs and reports, allowing almost any question about your network traffic to be quickly answered.

We then moved the PA-4050 inline, still in Virtual Wire mode, to protect our lab network. The device precisely identified applications, particularly various types of Web traffic, and enabled us to quickly and granularly control usage; for example, we could allow access to Google search and read but block Google Mail and video. During our testing, classifications were generally very accurate, with only a few slipups; for example, YouTube video was identified as http-video, which is close. Palo Alto is constantly tuning its signatures and says a recent update now enables the appliances to, for example, identify YouTube videos specifically.

Of course, as with any signature technology, Palo Alto is always going to be behind the curve when it comes to identifying applications. For instance, the PA-4050 didn't recognize an uncommon security application used in our lab. The company stated that it does not charge for writing signatures for unrecognized apps, though if the software is proprietary and unique to a single customer, it encourages companies to use an app-override rule to map traffic based on destination IP and port. We took this route, and the process was as simple as entering the IP address and port of the server that the clients were communicating with. After that, the firewall recognized the traffic, but because it's not a true application signature, the firewall won't recognize the traffic if it hops ports or changes IP addresses.

The App-ID capability, while quite impressive, wouldn't be of much use without the PA-4050's other neat trick: SSL decryption. Using a man-in-the-middle attack for the power of good, the PA-4050 proxies SSL connections and generates a new certificate on the fly that it sends to the client, impersonating a secure server. Because the firewall has the network traffic in plain text in between decryption and re-encryption with its self-generated certificate, it can apply the full range of security policies to the traffic. In order for this to be transparent to users, IT will need to distribute the firewall's root certificate to all client computers, a process that could be automated.

Rounding out the device's feature set, Palo Alto supplies a small agent to run on an Active Directory Domain Controller (or any other server with read-only access to Active Directory) that maps user IDs to IP addresses, allowing the firewall to apply security controls to specific users, no matter which PC they happened to be using. However, because the agent maps users to IP addresses, you won't be able to apply individual policies if multiple users have a single address, such as with a Windows Terminal Server.0