22 June 2010

Palo Alto Extends Next-Gen Firewalls to Endpoints

Palo Alto Networks thinks it's got a way for extending the power of next-generation firewalls to the endpoint. Rather than pushing a resource-hogging client-side application or building a complex cloud infrastructure, Palo Alto is leveraging the power of its existing install base to provide endpoint protection to users regardless of their location.

In the conventional security paradigm, providing an array of protections - firewall, intrusion prevention, data loss prevention, etc. - is relatively easy since all the processing power is carried by the network (or network-based devices). Providing similar levels of security function and performance at the endpoint is more difficult - the more software you load on a client, the greater the performance hit.

The Palo Alto endpoint protection takes a novel approach to this problem. Palo Alto is developing a small agent that runs persistently on the host and detects whenever the client connects to a public or private network. Rather than inspecting traffic on the client, the agent forces all traffic to route through the closest corporate ("home") network, so that everything is inspected by, and passed through, the existing network-based next-generation firewall.

"It's sort of like a private cloud for distributed protection," says Chris King, Palo Alto's director of product management. "It's the same concept as [network access control], just applied to the application layer."

Palo Alto is one of the leaders in the emerging next-generation firewalls, which combine the functionality of application-centric traffic inspection with the classic protections of intrusion prevention, stateful firewalling and data loss prevention. The challenge with nearly all next-generation firewalls is that they're only effective when the endpoint is connected to the home network.

In theory, Palo Alto will be able to provide holistic application-layer security and data protection to any device - notebooks, netbooks, smartphones - regardless of where it is. On the surface, this seems a far simpler approach than building and deploying heavy client-side applications, and it offers more extensive protection and functionality than some of the cloud-based security services.

Consider how Palo Alto's approach differs from the existing cloud security model. The services currently offered by Symantec, Google, Cisco, Websense, McAfee and Trend Micro are primarily for e-mail and Web filtering. No one has effectively deployed DLP in the cloud; those that have tried - such as Proofpoint - only offer scanning for confidential data in e-mails. Further, nearly all of these offerings operate as the last hop in the line - meaning that traffic is routed through a private network that sits virtually in front of the network perimeter.

The Palo Alto approach is designed to cut down on potential latency by having traffic routed through the closest corporate network. This is a good proposition for enterprises with large distributed networks. How well it will work for midmarket companies that have mobile users but not the extensive corporate network remains unclear.

Palo Alto says the agent software will be free, but customers will have to buy the network-based application upgrade and ongoing service contract. The value sounds good, since it won't require a hardware refresh.

From a management perspective, the Palo Alto approach means security managers will only have to maintain the policies and configurations of their network-based devices. This should cut down on security overhead.

This same system should lend itself to managed service providers, too. Since the agent will point traffic to whatever network is designated, managed security service providers could leverage the approach to develop a next-gen firewall practice.

Obviously, the Palo Alto approach is only effective at providing protection to endpoints when they are connected to the Internet and the home network. It does nothing to provide protection to disconnected devices, which means endpoints are still subject to malware infections and data theft through mobile media such as USB memory sticks.
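The routing decision the article describes (detect the network, pick the nearest corporate gateway, send everything through it) and the gap it points out (no protection when no gateway is reachable) can be modelled in a few lines. The code below is an added illustration, not Palo Alto's agent or any of its code; the gateway names, the probe results and the fail-closed behaviour for the disconnected case are all constructed assumptions used to show what a defender would want such an agent to do.

```python
"""
Illustrative model of an endpoint agent that forces all traffic through the
nearest reachable corporate next-generation firewall.

Added example code; not Palo Alto Networks' agent. Gateway names, addresses
and round-trip times are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Gateway:
    name: str
    host: str
    rtt_ms: Optional[float]  # None means the reachability probe failed


# Constructed sample: what a probe of three corporate sites might return
# from a hotel or home network. "apac" is unreachable in this sample.
SAMPLE_GATEWAYS: List[Gateway] = [
    Gateway("hq", "203.0.113.10", 80.0),
    Gateway("emea", "198.51.100.20", 25.0),
    Gateway("apac", "192.0.2.30", None),
]


def choose_gateway(gateways: List[Gateway]) -> Optional[Gateway]:
    """Pick the reachable gateway with the lowest measured latency.

    Returns None when nothing is reachable (offline, captive portal, etc.).
    """
    reachable = [g for g in gateways if g.rtt_ms is not None]
    if not reachable:
        return None
    return min(reachable, key=lambda g: g.rtt_ms)


def build_policy(gateways: List[Gateway], on_trusted_lan: bool) -> Dict[str, object]:
    """Return the forwarding policy the agent would apply right now.

    - On the corporate LAN the firewall is already in-path, so traffic goes direct.
    - Off-LAN, all traffic is tunnelled to the closest reachable gateway.
    - With no gateway reachable the policy fails closed (assumption, not a
      claim about the real product): only local housekeeping traffic is allowed,
      so an unprotected endpoint does not quietly talk to the Internet.
    """
    if on_trusted_lan:
        return {"mode": "direct", "gateway": None, "allow": ["all"]}

    gw = choose_gateway(gateways)
    if gw is None:
        return {
            "mode": "fail_closed",
            "gateway": None,
            "allow": ["loopback", "dhcp", "gateway-probe"],
        }
    return {"mode": "tunnel", "gateway": gw.name, "allow": ["all-via-tunnel"]}


if __name__ == "__main__":
    # Roaming user with the sample probe results: tunnel to "emea".
    print(build_policy(SAMPLE_GATEWAYS, on_trusted_lan=False))
    # Same user with no reachable gateway: fail closed.
    print(build_policy([], on_trusted_lan=False))
```

The `on_trusted_lan` flag stands in for whatever network-detection logic the agent uses; the article does not say how that detection works, so it is left as an input here. The fail-closed branch is the part the article's caveat calls for: without it, a disconnected or unreachable-gateway endpoint simply has no inspection at all.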

The technology isn't available today, but will be by the end of 2010. Palo Alto CEO Lane Bess says his company is "sending a message that we're moving beyond next-generation firewalls." Some people might say such a preannouncement is either an attempt to blunt a rival's announcement or to set a barrier to entry for competitors. Either way, Palo Alto is showing ingenuity in expanding its capabilities and core competencies.

Source: http://blogs.channelinsider.com/secure_channel/content/next-generation_firewalls/palo_alto_extends_next-gen_firewalls_to_endpoints.html