Firewall pioneer Nir Zuk discusses next-generation security

Quocirca was recently invited to talk to the CTO of Palo Alto Networks, Nir Zuk – a video of the interview can be viewed here.

Palo Alto Networks was founded by Nir back in 2005 to address what he perceived as shortfalls in most existing firewalls. He should know, having helped to build one of the earliest, Firewall-1, at Check Point back in the mid-1990s.

Firewall-1, and the products built to compete with it, are generally referred to as stateful inspection firewalls. The main aim was simply to limit the network ports that could be used to connect to the internet and to keep an eye on the traffic flowing through them. The "stateful" bit means that the firewall tracks connections rather than judging each packet in isolation: it records when an inside host opens a connection outbound and then admits the reply packets because they belong to that connection, so an unsolicited inbound packet is dropped even if it arrives on a port the policy otherwise allows. Such firewalls keep unauthorised users out and try to spot and block traffic that does not meet certain criteria. To this end, over the years, increasingly complex rule sets have been programmed into firewalls.
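To make the "stateful" distinction concrete, here is an added example of a toy stateful packet filter. It is illustrative code written for this page, not Check Point's or Palo Alto Networks' implementation; the internal address prefix, the outbound policy (ports 80 and 443 only) and the sample packets are all constructed assumptions. The point it shows is that rules are consulted only for the packet that opens a connection; every later packet is judged by whether it matches an entry in the connection table.

```python
# Added example (not Check Point's or Palo Alto Networks' code): a toy
# stateful packet filter. Rules are checked only for the packet that opens
# a connection; every later packet is matched against the connection table,
# so unsolicited inbound packets are dropped even on an "allowed" port.
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."          # assumption: the internal network
ALLOWED_OUTBOUND_PORTS = {80, 443}  # assumption: policy lets inside hosts reach web ports


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


class StatefulFirewall:
    def __init__(self):
        # Each entry is (src, sport, dst, dport) in the direction the
        # connection was opened.
        self.table = set()

    @staticmethod
    def _inside(ip):
        return ip.startswith(INSIDE_PREFIX)

    def check(self, pkt):
        """Return 'ALLOW' or 'DROP' for one packet and update the state table."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Packet belongs to a connection we have already admitted (either direction).
        if fwd in self.table or rev in self.table:
            return "ALLOW"
        # 2. New connection: only an outbound SYN that matches policy may create state.
        if (pkt.syn and self._inside(pkt.src) and not self._inside(pkt.dst)
                and pkt.dport in ALLOWED_OUTBOUND_PORTS):
            self.table.add(fwd)
            return "ALLOW"
        # 3. Everything else: inbound SYNs, forged "replies", disallowed ports.
        return "DROP"


def demo():
    """Run constructed traffic through the filter and return the verdicts."""
    fw = StatefulFirewall()
    traffic = [
        Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True),  # inside opens HTTPS
        Packet("203.0.113.10", 443, "10.0.0.5", 51000),            # genuine reply
        Packet("203.0.113.10", 443, "10.0.0.5", 51001),            # forged reply, no connection
        Packet("203.0.113.10", 40000, "10.0.0.5", 80, syn=True),   # unsolicited inbound SYN
        Packet("10.0.0.5", 51002, "203.0.113.10", 22, syn=True),   # outbound SSH, not in policy
    ]
    return [fw.check(p) for p in traffic]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third packet is the one that separates stateful from stateless filtering: a stateless access list that simply permits "inbound traffic from source port 443" would have accepted it, because it looks plausible in isolation; the stateful filter drops it because no inside host ever opened that connection.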

One of the problems soon found with these early firewalls was that they were not so good at detecting and blocking attempts by malware writers to circumvent the rules. So another market grew for intrusion detection/prevention systems that could identify these attempts and could do that job across all ports.

As internet use grew, the bad guys looked at other means of attack. Duping employees via email, either crudely by attaching malware to a message or, more subtly, by persuading them to download malware via the web, led to two more types of content filtering: one for corporate email and one that monitors URLs (web addresses) to control web-based activity (the latter is also used for productivity purposes).

Web-based activity has now become one of the most dominant threat vectors, with users accessing a wide range of internet-based tools for all manner of interactions; "Web 2.0" as it has been labelled. Here, URL filtering is not sufficient: many such tools are not browser based (e.g. Skype), and others, such as Facebook, host a wide range of applications behind a single URL, some considered useful, some not. This has led to another set of filters being developed by vendors such as FaceTime.

The sheer number of communications tools now available to employees has led to another problem businesses have been struggling to cope with: data leakage. This has led to yet another round of filtering, monitoring network traffic both internally and externally to see who is sharing what with whom and blocking content where necessary; so-called data loss prevention (DLP).

Now back to Palo Alto Networks; it has brought to market what the industry is now calling a next-generation firewall. Nir Zuk claims, in Quocirca's interview with him, that such firewalls can achieve all of the above by monitoring traffic at the application level. The Palo Alto Networks firewall can identify thousands of different applications, from malware, through email, to ERP and CRM. It blocks what is known to be bad and allows what a given business accepts as good. The stuff in between can be questioned.

The point here is that everything is being looked at regardless of the network port and protocol. Most network filtering products are tied to specific ports and protocols (e.g. ports 80 and 443 for web traffic and port 25 for SMTP email), so they only inspect traffic that arrives where it is expected. Palo Alto Networks looks at the content of every flow to decide what application it is, and so is designed to catch the tricks malware writers use to fool port-based filters, such as port-hopping and tunnelling one protocol inside another.
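The difference between a port-based label and a content-based one is easy to show in code. The following is an added example written for this page, not Palo Alto Networks' App-ID logic: it classifies each flow from the first bytes the client sends (an SSH banner, a TLS ClientHello record, an HTTP request line, an HTTP CONNECT tunnel request, an SMTP greeting) and compares that with what the destination port claims. The signatures are deliberately simplified assumptions, and the sample flows are constructed; a mismatch between the two labels is exactly the port-hopping or tunnelling case a port-only filter would miss.

```python
# Added example (not Palo Alto Networks' App-ID): identify the application
# from the first payload bytes of a flow, ignoring the port, then compare
# with the port's nominal service to flag port-hopping and tunnelling.
import re

# Assumption: what a port-based filter believes each port carries.
PORT_LABELS = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HTTP_CONNECT = re.compile(rb"^CONNECT \S+ HTTP/1\.[01]\r\n")
SMTP_GREETING = re.compile(rb"^(EHLO|HELO) ")


def identify_by_payload(payload: bytes) -> str:
    """Classify a flow by its first client-to-server bytes, never by port.

    The signatures are simplified for illustration; a real engine keeps
    state across packets and handles far more protocols.
    """
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0N,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if HTTP_CONNECT.match(payload):
        return "http-connect-tunnel"
    if HTTP_REQUEST.match(payload):
        return "http"
    if SMTP_GREETING.match(payload):
        return "smtp"
    return "unknown"


def classify(dport: int, payload: bytes) -> dict:
    """Return both labels and a verdict: 'ok' when content matches the port's service."""
    by_port = PORT_LABELS.get(dport, "unknown")
    by_content = identify_by_payload(payload)
    verdict = "ok" if by_content == by_port else "mismatch"
    return {"dport": dport, "by_port": by_port, "by_content": by_content, "verdict": verdict}


# Constructed sample flows: (destination port, first client payload bytes).
SAMPLE_FLOWS = [
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),   # real HTTPS
    (25, b"EHLO mail.example.test\r\n"),                                        # real SMTP
    (80, b"SSH-2.0-OpenSSH_7.9\r\n"),                                           # SSH hopping to port 80
    (80, b"CONNECT evil.example.test:443 HTTP/1.1\r\nHost: evil.example.test\r\n\r\n"),  # tunnel
    (8080, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),     # HTTP on a port the filter ignores
]


def demo():
    """Classify the sample flows and return (port, content label, verdict) triples."""
    return [(p, r["by_content"], r["verdict"])
            for p, payload in SAMPLE_FLOWS
            for r in [classify(p, payload)]]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two caveats a practitioner should keep in mind. First, the port-based label is not worthless: a mismatch is the interesting signal, and it only exists because both labels were computed. Second, content-based identification needs visible payload; for encrypted traffic the handshake still reveals that the flow is TLS, but what runs inside it cannot be identified without decrypting it.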

Palo Alto Networks' firewall does support URL filtering, which can be important for managing user productivity and for blocking known unwanted categories of web content such as porn and gambling, and it spots users trying to mask their activity through the use of anonymising web proxies. But with the ability to identify applications it also allows the safer use of all those "Web 2.0" tools that are not URL based or that provide access to many applications from a single URL.

Palo Alto Networks' next move is to bring mobile users into the picture through the release of an addition to its product called GlobalProtect. This will force users of Windows, Linux and Mac PCs to access the internet via the nearest authorised Palo Alto Networks firewall and therefore be subject to the same protection and restrictions as internal users.

Of course, there are things the Palo Alto Networks firewall does not do. Its endpoint protection is limited, there is no smartphone support (as yet), and PC endpoint protection may still be needed to control what users do, for example with USB devices. It only looks at traffic at the network edge, not at internal use as DLP products do. And of course there are organisations out there, like the Jericho Forum, that say all security should be at the device and content level; the days of the firewall are over. They may have a point, but Nir was happy to answer this in the interview.

Bob Tarzey, Analyst and Director, Quocirca