I went to a Lunch n Learn last week sponsored by PaloAlto Networks and Fishnet Security talking about what PaloAlto calls the “next generation firewalls”. PaloAlto boasts having Nir Zuk, principal engineer at Check Point and one of the developers of stateful inspection technology, as it’s founder and CTO. Their product, the PA-4000, Series Firewall, takes an application centric approach to traffic classification and they claim that this helps it to more accurately identify both traditional and emerging applications. This enables it to facilitate true application access control and broad threat prevention. They claim that it is:

  • The only firewall to classify traffic based on the accurate identification of the application, not just port/protocol information.
  • The only firewall to identify, control and inspect SSL encrypted traffic and applications.
  • The only firewall to provide graphical visualization of applications on the network with detailed user, group, and network-level categorization by sessions, bytes, ports, threats and time.
  • The only firewall with real-time (line-rate, low latency) protection against viruses, spyware and application vulnerabilities based on a stream-based threat prevention engine.
  • The only firewall with line-rate, low latency performance for all services, even under load.
  • The only firewall to offer a true in-line transparent deployment option for seamless integration into an existing network infrastructure.

While the presentation itself tended to focus more on analyzing internal user’s connections outbound toward the internet and it seems to do that fairly well, it didn’t cover external users connecting inbound to web applications and things like that so I started asking questions about the firewall’s ability to act as a WAF (Web Application Firewall). I was told that it will do some things like inspection for XSS and SQL Injection, it does not function as a true WAF. I wasn’t even expecting that much so kudos to them.

All-in-all, I tend to believe the hype that this is the next generation of firewalls and while PaloAlto is the first player in the field, I’m sure others will soon follow. The firewall is one of the oldest network security devices out there and PaloAlto has definitely put forth a product that changes the way people will look at them. We think about protecting our networks on an application level and not on a port level so why should our firewalls do things any differently? That said, with this being such a new technology, I’m skeptical of how it works in the real world and am quite certain that it won’t be long before hackers find creative ways in and users find even more creative ways out.