Palo Alto Networks vs. Check Point

Comparing Palo Alto Networks next-generation firewall and Check Point's Application Control Blade; a port-based firewall add-on.

About Palo Alto Networks:

- June 2007, first to market with a next-generation firewall that classifies traffic based on the application, first and foremost.
- Safe-application-enablement approach to network security is described as visionary and disruptive by Gartner. All other vendors forced to follow.
- Young, rapidly growing company with 3,500 customers worldwide.
- Cash flow positive the last 2 consecutive quarters; on a $100 M annual sales run rate (WSJ, 10/29/2010).

Key Palo Alto Networks Differentiators:

- App-ID: Traffic classification that delivers application visibility and control, irrespective of port, protocol, SSL or evasive tactic, as the basis of firewall classification, not an add-on.
- User-ID: Integration with every major directory service: Active Directory, Open LDAP, and eDirectory; as well as with Citrix and Microsoft Terminal Servers.
- Content-ID: achieved NSS rated 94% effectiveness in IPS testing; 125% of rated performance; gateway-based malware prevention; comprehensive URL filtering database; all integrated into a single pass engine to maximize performance.
- Purpose-built platform that uses four dedicated banks of function-specific processing to perform application identification, inspection and control.

About Check Point:

- Large, well known security vendor; first to market with a stateful inspection port-based firewall.
- Application Blade is an IPS-like bolt-on component to stateful inspection.
- Broad line of FW UTM add-ons (Blade Architecture) sourced from a combination of development and acquisitions.
- Thousands of loyal customers, publicly traded with consistent earnings. Solid UI and management.

Key Points to Consider When Comparing Palo Alto Networks and Check Point Application Control Blade

Application Visibility and Control Challenge: Identify and inspect SSL; control SSH usage.

Check Point Application Blade: Cannot identify and control traffic hidden in SSL; unable to control SSH.

- No SSL decryption, inspection and control (inbound or outbound).
- No way to verify SSH is being used for its intended purpose.

Palo Alto Networks: First firewall to decrypt, inspect and control SSL; first firewall to control SSH.

- Policy control over SSL provides organizations with a mechanism to improve security posture (identify, decrypt, inspect) while allowing personal use of applications like Twitter and Facebook.
- SSH control means organizations can ensure that SSH is not being used to tunnel other applications.
- Learn more about SSL and SSH control.

Competitive data is generated from public information sources (March 2011).


Application Visibility and Control Challenge: Classify traffic on all ports, all the time.

Check Point Application Blade: Unable to apply all application signatures across ALL ports.

- Application Control Blade depends on the application default port.
- Application signatures can be manually enabled for non-standard HTTP ports (8080, 8000, etc.), a very small subset of the 60,000+ ports on a firewall.
- No other option for enabling classification across all ports exists.
- Applications that aggressively hop ports, or use ranges of high port numbers, may not be identified or controlled.
- Applications designed to be evasive, like UltraSurf, Tor and Hamachi, will not be identified.

Palo Alto Networks: App-ID automatically looks at all traffic on all ports.

- By default, App-ID uses as many as four traffic classification mechanisms to identify each application, on all ports, for all traffic.
- Traffic classification based on the application is the first task executed when traffic hits the firewall.
- No configuration settings are required to identify traffic that hops ports, uses non-standard ports or other evasive techniques.
- Learn more about App-ID.

Application Visibility and Control Challenge: Provide a control mechanism for unknown traffic.

Check Point Application Blade: No way to manage unknown applications.

- Unable to identify unknown applications.
- The negative control model means that unknown traffic is allowed by default.
- Unable to override or rename the unknown application traffic.
- No customizable application signatures for custom, internal application identification.

Palo Alto Networks: Unknown traffic is managed systematically.

- Positive control model means unknown traffic can be blocked by policy.
- Unknown traffic category provides visibility into key elements such as source and destination.
- Internal or custom applications within unknown traffic can be renamed (application override) or a custom App-ID can be created.
- Commercial applications within unknown traffic can be packet captured and submitted for App-ID creation.
- See App-ID in action.

Application Visibility and Control Challenge: Monitor changes in application behavior.

Check Point Application Blade: Does not see changes in application traffic.

- Application Blade is an IPS-like bolt-on that is inflexible; it identifies only what it has been told to identify.
- Application changes such as Google Mail to Google Talk, or Google Docs, or SharePoint Admin to SharePoint Docs are not identified.
- The inability to see behavioral changes means many commonly used applications, or application functions, will not be identified; severely limiting application control flexibility.
- Unidentified applications, by default, are allowed (negative control model).

Palo Alto Networks: App-ID is always on; always monitoring traffic.

- All App-IDs are always on, and they are continually monitoring the state of the application.
- Changes in application state are identified by App-ID and fed into ACC, policy editor, logging and reporting.
- Continuous monitoring of application state enables function-specific controls such as allow SharePoint, but block use of SharePoint Admin.
- Learn more about App-ID.


Application Visibility and Control Challenge: Maximize identification accuracy/coverage; minimize signature management.

Check Point Application Blade: 100,000 plus application signatures is a management nightmare.

- Approximately 4,500 signatures are available on the device.
- The remaining 100,000 plus signatures, primarily widget controls, are in the cloud (AppWiki).
- Reliance on application signatures dictates unique signatures for client versions, OS versions and other variants, which means selecting many signatures to try and control an application.
- Policies built to control widgets will rely on cloud-based signatures (introducing significant latency). Is managing who is using Farmville or playing Mafiawars a priority for a security administrator?

Palo Alto Networks: App-ID: Less is more.

- App-ID uses as many as four mechanisms to monitor how an application and user interact.
- App-ID is client and OS agnostic, which means one App-ID is equal to many, many signatures used in other offerings.
- A single App-ID can identify more application variants than a single CP signature.
- Example: the single BitTorrent App-ID will see the equivalent of 50+ Check Point BitTorrent signatures.
- Controlling Facebook apps (games) can be accomplished with a single App-ID; not thousands and thousands. Which is more efficient?
- Learn more about App-ID.

Application Visibility and Control Challenge: Simplify policy management.

Check Point Application Blade: Two policy editors with duplicate fields make rule management significantly more complex.

- Firewall policy (source, destination, port, user, etc.) is built first and takes precedence (allow port 80 or 443).
- Opening port 80 or 443 for all, then attempting to identify traffic within, means that significant segments of that traffic will not be identified.
- Application Blade policy (also has source, destination, port, user, etc.) is dependent on the firewall policy (allow Facebook).
- Dual policies will require continuous policy reconciliation, resulting in a significant increase in administrative overhead.
- Application Blade policy options are negative control in nature (limited to allow or deny).
- There is no way to apply threat prevention or QoS to the application traffic that has been identified.

Palo Alto Networks: A single, unified editor enables rule-base reduction.

- Traditional firewall elements (source, destination) are combined with next-generation elements (user identity, application and content inspection) in a single unified graphical editor.
- Enabling Facebook and Facebook posting for marketing can be accomplished in a single firewall policy rule.
- Rules based on applications and users will dramatically reduce the number of rules when compared to port-based rules.
- Learn more about unified policy management.


Application Visibility and Control Challenge: Securely enable application usage.

Check Point Application Blade: Negative control model limits policy responses to allow or deny.

- Application Blade is an IPS in disguise; it is designed to find the application and block it. Nothing more. Applications that are not identified are allowed by default.
- Blindly blocking an application limits employee productivity and can hurt the company bottom line.

Palo Alto Networks: Positive control model provides flexible policy response options (allow, but ...).

- Firewalls are positive control model solutions; deny all, except for the traffic that is allowed by policy.
- App-ID, User-ID and Content-ID provide administrators with the ability to identify an application and:
  o Allow it for users in marketing using AD or LDAP
  o Enable specific application functions like SharePoint Admin
  o Scan them for threats with IPS or AV
  o Block entire groups of applications with filters or groups
  o Apply QoS to make sure business applications are not starved of required bandwidth.
- Learn more about application enablement.
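To make the two policy models concrete, the following is an added example (not from this page or from either vendor): a toy evaluator for the port-based firewall plus application blade model described in the unknown-traffic, policy-management and enablement rows (signatures fire only on an application's default port; unidentified traffic is allowed by default), beside a single application-and-user rule base under positive control (anything no rule allows, unknown traffic included, is denied). The flows, ports, users and rules are constructed for the illustration.

```python
# Added example (not from the page or either vendor): two toy policy evaluators
# modelling the architectures the page contrasts. dual_policy() is a port-based
# firewall rule base followed by an application blade that only matches a
# signature on the application's default port and allows anything it cannot
# identify (negative control). unified_policy() is one rule base keyed on
# application and user that denies whatever no rule allows (positive control).

# Constructed flows: (user@group, destination port, app as a port-agnostic classifier labels it).
FLOWS = [
    ("alice@marketing", 443, "facebook"),
    ("bob@finance", 443, "facebook"),
    ("carol@eng", 443, "bittorrent"),    # file sharing tunnelled over 443
    ("dave@eng", 22, "ssh"),
    ("erin@eng", 443, "unknown-tcp"),    # nothing the classifier recognises
]

FW_ALLOWED_PORTS = {80, 443, 22}                   # stage-1 port policy (constructed)
DEFAULT_PORTS = {"facebook": 80, "bittorrent": 6881, "ssh": 22}
ENABLED_NONSTD_HTTP_PORTS = {8080, 8000}           # manually enabled on the blade
BLADE_BLOCKED_APPS = {"bittorrent", "facebook"}    # blade rules: block these wherever identified

def dual_policy(user, port, app):
    """Port firewall first, then application blade; negative control."""
    if port not in FW_ALLOWED_PORTS:
        return "deny(fw)"
    # The blade's signature fires only on the app's default port or an
    # explicitly enabled non-standard HTTP port; otherwise the flow is
    # "unidentified" and, under negative control, allowed by default.
    identified = port == DEFAULT_PORTS.get(app) or port in ENABLED_NONSTD_HTTP_PORTS
    seen = app if identified else "unidentified"
    return "deny(blade)" if seen in BLADE_BLOCKED_APPS else "allow"

UNIFIED_RULES = [  # (group, application, action), evaluated top-down
    ("marketing", "facebook", "allow"),
    ("eng", "ssh", "allow"),
    ("any", "web-browsing", "allow"),
]

def unified_policy(user, port, app):
    """Single application/user rule base; unmatched traffic is denied."""
    group = user.split("@")[1]
    for rule_group, rule_app, action in UNIFIED_RULES:
        if rule_group in (group, "any") and rule_app == app:
            return action
    return "deny(default)"   # positive control: unknown is not allowed through

def compare(flows=FLOWS):
    return {(u, p, a): (dual_policy(u, p, a), unified_policy(u, p, a))
            for u, p, a in flows}
```

Running compare() shows the page's point: the same BitTorrent or unknown flow on port 443 is waved through by the two-stage model because the blade never identifies it, while the unified rule base denies it, and Facebook is permitted only for the marketing group rather than blocked outright or allowed for everyone.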

Application Visibility and Control Challenge: Maintain rated performance.

Check Point Application Blade: Check Point platforms are optimized for stateful inspection; not application control.

- Check Point platforms are optimized for stateful inspection fastpath, a mechanism where, once traffic is classified, it is untouched until it changes.
- Check Point platforms are NOT optimized for application level classification for all traffic on all ports.
- Performance impact of enabling Application Blade has been shown to be 5-10% LESS than the datasheet rated IPS performance levels.

Palo Alto Networks: Purpose-built platform; optimized for application visibility and control.

- Dedicated, high performance processing for networking, security, threat prevention, and management.
- Single pass software design touches traffic only once, eliminating repetitive processes and associated latency.
- The result: multi-Gbps throughput of application level inspection across all ports, on all traffic.
- Learn more about high performance next-generation firewalls.
