Chris King, director, product marketing at Palo Alto Networks
SINGAPORE, 10 JUNE 2009 -- Traditional firewalls may be giving major enterprises a false sense of security, because they are failing to cope with ever-changing digital threats.
In a recent study of 900,000 users, Silicon Valley software firm Palo Alto found that 100 per cent of the organisations surveyed had firewalls and 87 per cent also had one or more firewall helpers (for example, a proxy, an IPS, URL filtering), yet they were unable to exercise control over the application traffic traversing the network.
Fairfax Business Media Asia managing editor Ross O. Storey spoke to Chris King, director, product marketing at Palo Alto Networks, about the need for the next generation firewall.
What are the risks inherent with the current generation firewalls and why are they no longer up to the job? Where are their Achilles' heels?
Currently, port-based firewall technology has failed to address the evolution of the application and threat landscape, where threats target applications can run over any port, encrypt, evade and tunnel. IT organisations have tried to compensate for these deficiencies in legacy firewalls by surrounding them with proxies, intrusion detection/prevention systems, URL filtering and other costly and complex devices that are also ineffective in today's application and threat landscape. Palo Alto Networks believes that if we, as an industry, address the issues where we should -- at the firewall -- we can fix the problem, and simplify enterprise security infrastructures.
Furthermore, existing firewalls and the aforementioned firewall helpers lack the sophistication to deal with Web 2.0 and cloud-based applications, having been developed in an era where there was only good and bad traffic. Applications aren't threats, but they can carry risks, as well as benefits (productivity, cost reduction, customer intimacy, and so on).
What justifies these to be called 'next generation firewalls'? What do they have that the previous generation didn't? What makes them special?
Palo Alto Networks' next-generation firewalls offer real innovation in the firewall, enabling enterprises to see and exercise policy control over applications, users, and content -- not just ports, IP addresses, and packets -- using three unique identification technologies: App-ID, User-ID, and Content-ID. These identification technologies enable enterprises to create business-relevant security policies, safely enabling organisations to adopt new applications instead of the all-or-nothing approach offered by traditional port-blocking firewalls.
Using next-generation firewalls, enterprises can for the first time embrace Web 2.0, yet still maintain complete visibility and control. Adding these computing-intensive features while retaining enterprise-grade performance is made possible also through Palo Alto Networks' single pass parallel processing (SP3) architecture -- which couples a single pass packet path with specialised, function-specific hardware processing, enabling multi-gigabit, in-line deployment with no performance degradation.