Since we began shipping our firewall, we have heard from a small but vocal contingent that they should be allowed to do what they want at work. We see it in the comments on some of the articles about us and we have heard it from our customers once they have deployed our platform. The somewhat self-righteous responses are pretty funny, if you ask me. The employer is paying you to do a job and most likely it does not involve using P2P, watching 30 Rock on hulu, or chatting with friends or relatives in Italy via IM and/or VoIP. Granted, no one, including me, works 100% of the time.
As a reminder, our firewall, like all firewalls, defaults to deny all. It is up to the administrator to determine what to allow. The BIG difference of course is the fact that our firewall provides visibility into more than 800 applications. No one else can do this. What the customers do with the visibility into the applications is entirely up to them. The policy options are far greater than the traditional allow or deny. Some examples include:
• Allow or deny
• Allow but scan for threats
• Allow based on schedule
• Decrypt and inspect
• Apply traffic shaping
• Allow for certain users or groups
• Allow certain application functions
• Any combination of the above
Many of our customers are using our product to block the applications that pose obvious threats (P2P, circumventors, external proxies) and then establishing policies to enable the use of other applications that may not be corporate approved but do provide business benefits. A great example is Haworth Corporation, a $1.65 Billion manufacturer that wanted its employees to embrace social networking sites such as Facebook, LinkedIn, Twitter and others, the company didn’t want to accept unnecessarily the security risks that go with them.
Today’s employees assume they can use any application they want, irrespective of the risks they pose. Haworth, like many other Palo Alto Networks customers recognize this fact and are striking a balance between control and safe application usage.