Palo Alto Networks vs. Check Point

Comparing Palo Alto Networks next-generation firewall and Check Point's Application Control Blade; a port-based firewall add-on.

About Palo Alto Networks:

Safe-application-enablement approach to network security is described as visionary and disruptive by Gartner. All other vendors forced to follow.

Young, rapidly growing company with 3,500 customers worldwide.

Cash flow positive the last 2 consecutive quarters; on a $100 M annual sales run rate (WSJ, 10/29/2010).

User-ID: Integration with every major directory service: Active Directory, Open LDAP, and eDirectory; as well as with Citrix and Microsoft Terminal Servers.

Content-ID: achieved NSS rated 94% effectiveness in IPS testing; 125% of rated performance; gateway-based malware prevention; comprehensive URL filtering database; all integrated into a single pass engine to maximize performance.

About Check Point:

Application Blade is an IPS-like bolt-on component to stateful inspection.

Thousands of loyal customers, publicly traded with consistent earnings. Solid UI and management.

Application Visibility and Control Challenge

Challenge: Identify and inspect SSL; control SSH usage.
Check Point: Cannot identify and control traffic hidden in SSL; unable to control SSH.
Palo Alto Networks: First firewall to decrypt, inspect and control SSL; first firewall to control SSH.
Challenge: Classify traffic on all ports, all the time.
Check Point: Application Control Blade depends on the application default port. Application signatures can be manually enabled for non-std HTTP ports (8080, 8000, etc), a very small subset of the 60,000+ ports on a firewall. Applications that aggressively hop ports, or use ranges of high port numbers, may not be identified or controlled. Applications designed to be evasive, like UltraSurf, Tor and Hamachi, will not be identified.
Palo Alto Networks: App-ID automatically looks at all traffic on all ports.

Challenge: Provide a control mechanism for unknown traffic.
Check Point: No way to manage unknown applications. Unable to override.
Palo Alto Networks: See App-ID in action.

Challenge: Monitor changes in application behavior.
Check Point: Application Blade is an IPS-like bolt-on that is inflexible; it identifies only what it has been told to identify. Application changes such as Google Mail to Google Talk, or Google Docs, or SharePoint Admin to SharePoint Docs are not identified.
Challenge: Maximize identification accuracy/coverage; minimize signature management.
Check Point: Approximately 4,500 signatures are available on the device. The remaining 100,000 plus signatures, primarily widget controls, are in the cloud (AppWiki). Policies built to control widgets will rely on cloud-based signatures (introducing significant latency). Is managing who is using Farmville or playing Mafiawars a priority for a security administrator?
Palo Alto Networks: A single App-ID can identify more application variants than a single CP signature. Controlling Facebook-apps (games) can be accomplished with a single App-ID; not thousands and thousands. Which is more efficient?

Challenge: Simplify policy management.
Check Point: Firewall policy (source, destination, port, user, etc) is built first and takes precedence (Allow port 80 or 443). Opening port 80 or 443 for all, then attempting to identify traffic within, means that significant segments of that traffic will not be identified. Application Blade policy (also has source, destination, port, user, etc) is dependent on the firewall policy (allow Facebook). Dual policies will require continuous policy reconciliation, resulting in a significant increase in administrative overhead. Application Blade policy options are negative control in nature (limited to allow or deny). There is no way to apply threat prevention or QoS to the application traffic that has been identified.
Palo Alto Networks: Enabling Facebook and Facebook posting for marketing can be accomplished in a single firewall policy rule.
Challenge: Securely enable application usage.
Check Point: Application Blade is an IPS in disguise; it is designed to find the application and block it. Nothing more. Applications that are not identified are allowed by default. Blindly blocking an application limits employee productivity and can hurt the company bottom line.
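The port-dependent signature model, the port-rule-first dual policy, and the unidentified-traffic-allowed default described in the rows above, modelled as an added Python example that is not from the original comparison or from either vendor; the signatures, port map and sample flows are constructed toy data, not real App-ID or Application Blade logic.

```python
# Toy payload signatures (constructed); real App-ID/Application Blade logic differs.
SIGNATURES = {
    "web-browsing": b"GET / HTTP/1.1",
    "ssh": b"SSH-2.0-",
    "bittorrent": b"\x13BitTorrent protocol",
}

# Default-port map for the port-dependent model (constructed); 8080 stands in
# for the manually enabled non-standard HTTP ports the comparison mentions.
DEFAULT_PORTS = {"web-browsing": {80, 8080}, "ssh": {22}, "bittorrent": {6881}}

def classify_port_based(port, payload):
    """A signature is consulted only on that application's default ports."""
    for app, ports in DEFAULT_PORTS.items():
        if port in ports and SIGNATURES[app] in payload:
            return app
    return "unknown"

def classify_all_ports(port, payload):
    """Every signature is consulted on every flow, whatever the port."""
    for app, sig in SIGNATURES.items():
        if sig in payload:
            return app
    return "unknown"

def dual_policy(port, payload):
    """Port rule first (allow 80/443), application check second;
    traffic that is not identified is allowed, as the text describes."""
    if port not in {80, 443}:
        return "deny"
    return "deny" if classify_port_based(port, payload) == "bittorrent" else "allow"

def single_policy(port, payload, allowed_apps=("web-browsing",)):
    """One rule keyed on the identified application; unknown is denied."""
    return "allow" if classify_all_ports(port, payload) in allowed_apps else "deny"

SAMPLE_FLOWS = [  # constructed (dst_port, payload) records
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    (4444, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),  # HTTP on a high port
    (443, b"\x13BitTorrent protocol..."),  # P2P riding the open 443
    (2222, b"SSH-2.0-OpenSSH_8.9\r\n"),  # SSH on a non-default port
]

def compare(flows=SAMPLE_FLOWS):
    """Return (port, port-based app, all-port app, dual verdict, single verdict)."""
    return [(p, classify_port_based(p, d), classify_all_ports(p, d),
             dual_policy(p, d), single_policy(p, d)) for p, d in flows]
```

The 443 row is the failure mode the text describes: the port rule admits it, the port-dependent signature never fires off its default port, and the unidentified traffic is allowed.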
Challenge: Maintain rated performance.
Check Point: Check Point platforms are optimized for stateful inspection fastpath, a mechanism where, once traffic is classified, it is untouched until it changes. Check Point platforms are NOT optimized for application level classification for all traffic on all ports. Performance impact of enabling Application Blade has shown to be 5-10% LESS than the datasheet rated IPS performance levels.