What is Wrong with Today's Perimeter Security Model?

Author: Kushal Patel, Senior Consultant

For the last 15 years port-blocking (stateful inspection) firewalls have been the cornerstone of network security. It’s no secret, however, that modern applications and threats easily circumvent the traditional network firewall. Attempts by security teams to bolt application awareness and control onto existing firewall products, or to consolidate “firewall helpers” with a Unified Threat Management (UTM) device have fallen short of the mark, or failed all together. Applications and threats are still making their way around these fragmented solutions, frustrating IT groups that have only managed to incur additional cost and complexity without fixing the problem.

The old model for network security was simple because everything was black and white. Business applications constituted good, low-risk traffic that should be allowed, while threats – and pretty much everything else – constituted bad traffic that should be stopped. The problems with this approach today are basically threefold:

• Applications have become increasingly gray – classifying types of applications as good or bad is not a straightforward exercise (i.e. Facebook, Gmail, Skype).
• Applications have become increasingly evasive (i.e. Instant Messengers, Proxy Avoidance).
• Applications have become the predominate target of today’s threat developers (i.e. SQL Injection, Cross Site Scripting).

To help mitigate these evolving risks, enterprises and vendors have tried to compensate for their firewall’s deficiencies by implementing a range of supplementary security solutions, often in the form of standalone appliances. A few common examples are intrusion prevention systems, antivirus gateways, web filtering products, and application-specific solutions – such as a dedicated platform for instant messaging security. The bottom line is that network security in most enterprises is fragmented and broken, exposing them to unwanted business risks and ever-rising costs. Traditional network security solutions have simply failed to keep pace with changes to applications, threats, users, and the network security landscape in general.

Enter Palo Alto Networks and Next Generation Firewalls

Next-generation firewalls are re-inventing network security. By focusing on Applications (App-ID®), Active Directory Users (User-ID®), and Content (Content-ID®) – not just ports and protocols – as the key elements to deliver visibility and control. Next-generation firewalls allow enterprises to safely enable modern applications, without taking on the unnecessary risks that accompany them, all the while delivering a substantial reduction in cost and complexity by eliminating the need for enterprises to deploy a wide variety of additional network security products.

Palo Alto Networks set out to restore the firewall as the cornerstone of enterprise network security infrastructure by “fixing the problem at its core.” Starting with a blank slate, its world-class engineering team took an application-centric approach to traffic classification in order to enable full visibility and control of all types of applications running on enterprise networks – new-age and legacy ones alike. The result of this effort is the Palo Alto Networks family of next-generation firewalls – the only solution that fully delivers on the essential functional requirements for a truly effective, modern firewall:

• The ability to identify applications regardless of port, protocol, evasive tactics or SSL encryption.
• The ability to provide extensive visibility of and granular, policy-based control over applications, including individual functions.
• The ability to accurately identify users and subsequently use identity information as an attribute for policy control.
• The ability to provide real-time protection against a wide array of threats, including those operating at the application layer.
• The ability to support multi-gigabit, in-line deployments with negligible performance degradation.

With the introduction of its family of next-generation firewalls, Palo Alto Networks began the process of re-inventing network security, of restoring effectiveness and simplifying security infrastructure. The result is a market-leading solution that allows CIOs to tackle a broad range of increasingly substantial challenges by:

• Enabling user-based visibility and control for all applications across all ports.
• Stopping malware and application vulnerability exploits in real time.
• Reducing the complexity of security infrastructure and its administration.
• Providing a high-speed solution capable of protecting modern applications without impacting their performance.
• Helping to prevent data leaks.

Considering matters from a business perspective, the Palo Alto Networks next-generation firewall also helps organizations:

• Better and more thoroughly manage risks and achieve compliance – by providing unmatched awareness and control over network traffic.
• Enable growth – by providing a means to securely take advantage of the latest generation of applications and new-age technologies.
• Reduce costs – by facilitating device consolidation, infrastructure simplification, and greater operational efficiency.

The net result is that Palo Alto Networks is providing today’s enterprises with precisely what they need to take back control of their networks, to stop making compromises when it comes to information security, to put an end to costly appliance sprawl, and to get back to the business of making money. By delivering unmatched visibility and control over applications and the threats that seek to exploit them, network security solutions from Palo Alto Networks are substantially raising the bar for effectiveness and efficiency while establishing a new foundation for enterprise security.