PA-200 Launch:
Bringing “Context” to Firewall Policy for the Distributed Enterprise

This week we launched the PA-200 next-generation firewall and PAN-OS 4.1. This product launch really honed in on two key areas our enterprise customers need help with:

1. Achieving the same application visibility and control for users in branch offices and on the road. The PA-200 brings the full suite of next-generation firewall functionality to the enterprise branch office. The improvements to GlobalProtect (OS X and iOS support) extends the logical perimeter to a wider array of remote and mobile user
2. Defending themselves against “modern” malware – i.e., targeted, unique, and network-centric malware that isn’t caught by the existing set of technologies in the enterprise today. WildFire is a new capability that combines three really good ideas: the next-generation firewall, a sandbox analysis, and cloud-based scalability.

Our announcement was well received. Over the course of the launch, I spoke with a number of analysts and press, and a few key questions stuck out:

1. What makes something (e.g., a firewall, an IPS) “next-generation?”
2. Somewhat related: how is a branch office NGFW different than branch office UTM
3. How is this better than some of the existing sandbox technology out there?

When talking to Neil MacDonald, who has been a champion of bringing context to network security (e.g., bringing application and user into firewall policy decisions), he brought up the fact that the ability to bring CONTEXT into the firewall policy (i.e., not port 80 allow, but Skype or SharePoint allow) is what makes it next-generation. Similarly the IPS – if the IPS cannot incorporate context (an element of which is application), in its analysis of traffic, it’s not next-generation.

Somewhat related to that, I had a few reporters ask how this was different that a UTM box in the branch office, and the same applies – if the “allow” decision is made based on port, and then any application analysis is subsequent, it’s a UTM. UTM typically has cost savings as its primary design. NGFWs, per the comment above, focus on bringing context into that same decision.

Sandboxes have been around for a long time. Remember Finjan? The difficulty is deploying them in the network. More specifically, collection and enforcement tend to be challenges. First, it has to see all of the traffic/all ports. Second, it has to be able to decode all of the application protocols. Third, in order to do any enforcement, it has to be in line. TCP resets are not an enforcement mechanism, to quote a friend of mine. In-line sandboxes = latency. The NGFW, on the other hand, is in-line and sees all traffic, has application protocol decoders, and does enforcement – all at line speed with low latency. Combine that with the ability to send unknown executable content up to a cloud based sandbox and you have an enterprise-deployable capability. Which is in sharp contrast to previously conceived sandbox technology.

More on WildFire here.