Dropbox and iCloud: David vs Goliath?
Today I saw this article in Wired on Dropbox and found it very interesting based on the classic David vs Goliath comparison, where the small, innovative solution is pitted against the larger, more established solutions and vendors (Apple and their new iCloud offering). In this respect, the Dropbox vs. Apple story is similar to the Palo Alto Networks story of bringing new innovation to a very established market (firewall), against pretty tall odds, competing against large, established vendors.
Coverage Information for Adobe Security Bulletin (CVE-2011-2462)
Adobe has published a security bulletin (“Security Advisory for Adobe Reader and Acrobat”, CVE-2011-2462) regarding a vulnerability in Adobe Reader and Acrobat that can allow an attacker to perform remote code execution and gain control of vulnerable hosts. Complete information from Adobe is available at http://www.adobe.com/support/security/advisories/apsa11-04.html.
In response to this disclosure, Palo Alto Networks has released an emergency content update (version 281, released 12/7/11) that provides detection of attempted exploitation of the vulnerability described in this security bulletin. The following signatures have been added: Signature 34562 (“Adobe Reader U3D Memory Corruption Vulnerability”) and 34563 (“Adobe Reader U3D Memory Corruption Vulnerability”).
Palo Alto Networks customers with a Threat Prevention subscription are advised to verify that they are running the latest content version on their devices. If you have any questions about coverage for this advisory, please contact support.
PA-200 Launch: Bringing “Context” to Firewall Policy for the Distributed Enterprise
This week we launched the PA-200 next-generation firewall and PAN-OS 4.1. This product launch really honed in on two key areas our enterprise customers need help with:
- Achieving the same application visibility and control for users in branch offices and on the road. The PA-200 brings the full suite of next-generation firewall functionality to the enterprise branch office. The improvements to GlobalProtect (OS X and iOS support) extend the logical perimeter to a wider array of remote and mobile users.
- Defending themselves against “modern” malware – i.e., targeted, unique, and network-centric malware that isn’t caught by the existing set of technologies in the enterprise today. WildFire is a new capability that combines three really good ideas: the next-generation firewall, a sandbox analysis, and cloud-based scalability.
Our announcement was well received. Over the course of the launch, I spoke with a number of analysts and press, and a few key questions stuck out:
- What makes something (e.g., a firewall, an IPS) “next-generation”?
- Somewhat related: how is a branch office NGFW different from a branch office UTM?
- How is this better than some of the existing sandbox technology out there?
When talking to Neil MacDonald, who has been a champion of bringing context to network security (e.g., bringing application and user into firewall policy decisions), he brought up the fact that the ability to bring CONTEXT into the firewall policy (i.e., not port 80 allow, but Skype or SharePoint allow) is what makes it next-generation. Similarly the IPS – if the IPS cannot incorporate context (an element of which is application), in its analysis of traffic, it’s not next-generation.
Somewhat related to that, I had a few reporters ask how this was different from a UTM box in the branch office, and the same applies – if the “allow” decision is made based on port, and any application analysis happens only afterwards, it’s a UTM. UTM typically has cost savings as its primary design goal. NGFWs, per the comment above, focus on bringing context into that same allow decision.
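To make the ordering point concrete, here is a small added illustration (my own example, not Palo Alto Networks code or PAN-OS policy syntax) of two policy engines evaluating the same constructed flows: one decides “allow” on the destination port alone, the other on the identified application with a default deny. The flows, zone names and application labels are all made up for the demonstration.

```python
"""Added example: port-based vs. application-context allow decisions.
Not PAN-OS code; flows, rules and app labels are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_port: int
    app: str  # application identified from the traffic itself (assumed already classified)


# Constructed flows: the same destination port carries different applications.
FLOWS = [
    Flow("branch", 443, "sharepoint"),
    Flow("branch", 443, "skype"),
    Flow("branch", 80, "web-browsing"),
    Flow("branch", 80, "bittorrent"),
]

# Port-based policy (the "allow on port, analyze later" model): (zone, port, action)
PORT_RULES = [
    ("branch", 443, "allow"),
    ("branch", 80, "allow"),
]

# Context-based policy: the allow names the application, everything else is denied.
APP_RULES = [
    ("branch", "sharepoint", "allow"),
    ("branch", "web-browsing", "allow"),
]


def port_decision(flow: Flow) -> str:
    """First-match evaluation on zone and destination port only; default deny."""
    for zone, port, action in PORT_RULES:
        if flow.src_zone == zone and flow.dst_port == port:
            return action
    return "deny"


def app_decision(flow: Flow) -> str:
    """First-match evaluation on zone and identified application; default deny."""
    for zone, app, action in APP_RULES:
        if flow.src_zone == zone and flow.app == app:
            return action
    return "deny"


def compare(flows):
    """Map (port, app) -> (port-based decision, application-based decision)."""
    return {(f.dst_port, f.app): (port_decision(f), app_decision(f)) for f in flows}


def allowed_only_by_port(flows):
    """Flows the port-based engine lets through that the context-aware engine blocks.
    These are the sessions a port-first design can only flag after the fact."""
    return [f for f in flows if port_decision(f) == "allow" and app_decision(f) == "deny"]


if __name__ == "__main__":
    for key, (by_port, by_app) in compare(FLOWS).items():
        print(f"port={key[0]:<4} app={key[1]:<13} port-based={by_port:<5} app-based={by_app}")
    print("allowed only by port:", [f.app for f in allowed_only_by_port(FLOWS)])
```

The port-based engine cannot distinguish Skype from SharePoint on 443, so both pass and any application analysis is, by construction, after the allow; the application-based engine makes the distinction at the point of the decision.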
Sandboxes have been around for a long time. Remember Finjan? The difficulty is deploying them in the network. More specifically, collection and enforcement tend to be the challenges. First, the sandbox has to see all of the traffic on all ports. Second, it has to be able to decode all of the application protocols. Third, in order to do any enforcement, it has to be in line, and TCP resets are not an enforcement mechanism, to quote a friend of mine. In-line sandboxes mean latency. The NGFW, on the other hand, is in-line and sees all traffic, has application protocol decoders, and does enforcement – all at line speed with low latency. Combine that with the ability to send unknown executable content up to a cloud-based sandbox and you have an enterprise-deployable capability, in sharp contrast to previously conceived sandbox technology.