Masked Intentions Blog by mikevizard

A discussion of the underlying trends driving the news events of the day

Posts: 44 | Created on April 10, 2007

Now Might Be A Good Time to Fire Your Firewall

By mikevizard in Masked Intentions on Monday, August 06, 2007 12:48 PM  
Tags: networking security | 2 Comments

With all the focus on security these days, it is remarkable how little attention people are paying to firewalls. In fact, you could argue that the industry as a whole has spent the last 10 years creating "firewall helpers", and the result is a proliferation of security appliances that together drive security management costs up out of proportion to the actual threats most companies face.
The one lone voice in the wilderness questioning much of the security industry's conventional wisdom is Nir Zuk, founder and chief technology officer of Palo Alto Networks, a startup dedicated to overhauling the firewall as we know it. Zuk, who before joining Palo Alto Networks was the CTO of Netscreen Technologies when it was acquired by Juniper Networks, argues that the problem with today's firewalls is that they are built around securing ports, a concept that may no longer be relevant.
The purpose of a firewall circa the 1990s was to secure ports, on the assumption that specific applications were assigned to specific ports. In today's world, a vast array of different applications can use the same port. As long as that port is open, any application programmed to use it gets past the firewall, whether that application is a video or sound file, a Web application built on a Web service protocol, or a piece of malware.
Palo Alto Networks argues that today's environments require a new approach to deep packet inspection, one that lets the firewall identify which applications are actually moving through it. That in turn lets IT organizations build security policies based on types of applications rather than relying only on which ports are supposed to be open or closed. A further side benefit is that IT organizations could more easily see which types of applications are consuming the most bandwidth.
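To make the port-versus-application distinction concrete, here is an added illustration (not Palo Alto Networks' code or any real product's engine) of a toy policy evaluator. The byte signatures it matches on are simplified assumptions for the example, and the sample flows are constructed inline.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes the client sent; constructed for this example


def identify_app(flow: Flow) -> str:
    """Classify a flow by what its payload looks like, ignoring the port.
    Signatures are deliberately minimal; a real engine decodes far more."""
    p = flow.payload
    if p.startswith(b"SSH-"):
        return "ssh"
    if p[:1] == b"\x16" and p[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "tls"  # TLS handshake record header
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"  # peer handshake, whatever port it rides on
    return "unknown"


# 1990s-style policy: a port is simply open or closed.
PORT_RULES = {80: "allow", 443: "allow", 22: "allow"}

# Application-aware policy: decisions keyed on what the traffic actually is.
APP_RULES = {"http": "allow", "tls": "allow", "ssh": "allow",
             "bittorrent": "deny", "unknown": "deny"}


def port_policy(flow: Flow) -> str:
    return PORT_RULES.get(flow.dst_port, "deny")


def app_policy(flow: Flow) -> str:
    return APP_RULES[identify_app(flow)]


def compare(flows):
    """Flows where the two policies disagree: (app, port, port verdict, app verdict)."""
    return [(identify_app(f), f.dst_port, port_policy(f), app_policy(f))
            for f in flows if port_policy(f) != app_policy(f)]


def bytes_by_app(flows) -> Counter:
    """The visibility side benefit: traffic volume per application, not per port."""
    return Counter({app: sum(len(f.payload) for f in flows if identify_app(f) == app)
                    for app in {identify_app(f) for f in flows}})


SAMPLE_FLOWS = [  # constructed sample traffic
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
    Flow(443, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26"),
    Flow(80, b"\x13BitTorrent protocol" + b"\x00" * 8),  # file sharing on an open port
    Flow(8080, b"GET /api HTTP/1.1\r\n"),  # ordinary web traffic on a closed port
]
```

Running `compare(SAMPLE_FLOWS)` shows the port policy waving through the BitTorrent handshake on port 80 while blocking plain HTTP on 8080; the application policy decides each on what it is.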
There’s nothing new about deep packet inspection per se. The issue is that its use has been limited to a small set of applications being run through an intrusion prevention system. What Palo Alto Networks seems to be talking about is applying the concept of deep packet inspection broadly on firewall devices that are priced between $35,000 and $65,000.
Palo Alto Networks is not likely to upend the entire firewall market overnight, but after 10 years of watching security infrastructure costs spiral out of control, it is nice to see somebody talking not only about an improved firewall design but also about a more efficient approach to the whole security model.
Comments 

Thank you, Mike, for the comprehensive description of where the next generation firewall is headed. It's important to note too that deep inspection is not a traffic classification technology but rather a content security technology, specifically a poor man's IPS... I think that the similarity between the terms stateful inspection, which is a traffic classification technology, and deep inspection, which is a content security technology, is creating some confusion in the market. This confusion is amplified by traditional security vendors that try to position deep inspection as the solution to the challenges of today's firewalls even though the technical details behind deep inspection do not support that.

Data gleaned from DPI/IPS cannot be used to make ongoing security decisions outside of block or allow. What Palo Alto Networks is doing is fundamentally different in that the very first thing we do is determine what the application is, and then we can use that to build a security policy that controls and inspects the app.

Nir Zuk.


Thursday, August 16, 2007 11:51 AM

What a stupid fucken PR!!! Go fuck off!

Thursday, February 28, 2008 8:46 PM
