Before we start finishing each other's sentences, I think it's important to clarify right up front: this isn't an article about next generation firewalls. That post belongs in 2008, a time when the world was coming to terms with the uselessness (real word) of filtering ports.
But even that definition, "NGFW", is dated. Most people believe Palo Alto Networks makes a firewall. They don't. I don't think they ever did. The word firewall conjures a virtual gateway through which information cannot be accessed over a network unless permitted. It can do that, but I don't think that was ever the intent.
They do one thing: prevent threats. What's clear here is that a small part of that includes inspecting traffic in order to prevent access.
Which brings me to how to do that: the ABCs of threat prevention. A litmus test for whether you can prevent threats is to take a common one, say "malware", and think CryptoLocker. There are a few ways in and a few things to infect. See the diagram for a gross oversimplification of your IT environment:
A) Data Center: Your off-network files (cloud) or datacenter systems. You can go home, connect over 3G, access the cloud and download malware all you want.
B) Endpoint: Get out the USBs pre-infected with malware, the lateral movement on flat networks, and the ever-present list of services on Microsoft laptops which allow full control of your machine over the network.
C) Network: Flat, dense and accessible by everyone, your network is a breeding ground for malware. I would know: I work in product management for IntelliGO Network Access Control, and most people don't even authorize devices on their network. So anything goes, and so does the malware. Most people also still don't conceive of VMware as a network; nope, just a bunch of servers sitting side by side. Anyway. Security researchers have thought about this, heavily. This isn't a futurist network. This is your network. These are your threats. So, to keep you up to date, Palo Alto Networks has invested heavily in building endpoint, cloud and virtual tools that help you protect these together.
You can't UTM your way to a Platform. You are either Best of Breed or You're Not.
You want a firewall, you invite Palo Alto Networks, Check Point and Cisco.
You think about URL filtering, you're going to invite Palo Alto Networks and Websense.
You want IPS, you invite Palo Alto Networks and Sourcefire.
You want APT protection, you invite Palo Alto Networks and FireEye.
But if you want to be a platform, you need to be best of breed in all these categories or you won't get used for it.
- Nir Zuk, Founder of Palo Alto Networks, at Ignite 2015. (DISCLAIMER: Serious paraphrasing and liberties taken).
Since their IPO, I think few realize this. See the updated graphic:
A) Data Center: Includes the cloud. Aperture helps secure files in Dropbox, OneDrive etc. It's about preventing threats and the data breach, and that can happen with shadow IT, not just sanctioned apps heading out the corporate egress. For most people this is called a CASB, but most don't understand that the market leader in safe application enablement has security for apps off-network as well.
B) Endpoint: Includes Windows, Mac, Linux etc., both server and workstation, and blocks threats in coordination with the other tools. This is called Traps, and the coordination story allows you to protect your endpoints, wherever they are, from getting exploited by malware.
C) Network: Includes VMware, cloud and east-west traffic. If your network only reminds you of a switch, then this article isn't for you. Everywhere traffic is, network inspection needs to be. Yes: the SSL-protected traffic in your VM environment needs to be inspected.
In summary: The market has redefined what a firewall can be today. These terms still don't describe the platform story of Palo Alto Networks.
Enabling this platform is our mission, so that we can prevent attacks and change point-solution thinking for organizations.
So the next time you have a "Firewall", "Content Filtering", "NAC", "CASB" or "Endpoint Security" project, I suggest you take the litmus test.
Given the malware infections above, would these tools stop an attack across A, B and C? If the answer is no, then you're likely still looking for a platform.
Adam Mansour, CTO, IntelliGO Networks Inc.