RealTime IT News

Palo Alto Networks Challenges Firewall Status Quo

For the past two decades, firewalls have represented the first line of defense in network security. But one startup is claiming that firewalls have been showing their age in recent years. Naturally, it has a solution.

That firm, Palo Alto Networks, next week is expected to release its Firewall product lineup, sporting transparent integration with Microsoft's ActiveDirectory. The move is aimed at providing greater user visibility and control, and comes by way of an upgrade to Palo Alto's firewall operating system PAN-OS.

"We're announcing a transparent integration in with ActiveDirectory what that will enable is a very seamless way to get visibility of who is doing what by user name as well as being able to set security policy based on users and user groups," Steve Mullaney, Palo Alto's vice president of marketing told InternetNews.com.

Mullaney argued that the traditional firewall doesn't recognize users, per se -- it only acts on IP addresses. Microsoft's ActiveDirectory, on the other hand, provides usernames and is linked to network resources access.

Policies for unauthenticated users can still be set based on IP address.

To achieve the ActiveDirectory integration, Palo Alto didn't partner with Microsoft, nor did it even license technology from the Redmond, Wash., software giant.

"We're not hooking into any proprietary or restricted API's in ActiveDirectory," said Lee Klarich, Palo Alto's vice president of product management. "We're simply looking at standard information that comes off an ActiveDirectory server, and using that information to provide the mapping information."

Though other vendors could potentially do the same thing, Klarich argued that it would require them to re-architect their solutions. "You can still define policies for unauthenticated users but then you're back to applying those by IP address," Klarich said. "Think of this as the first big step toward user visibility, picking up today what is the market share leader. You can expect future expansion of this technology."

He did concede that Palo Alto does not yet provide integration for other directory servers, like openLDAP, that compete against ActiveDirectory.

Beyond other directory stores, the Palo Alto solution also does not offer integration with network access control (NAC)-type frameworks. NAC can provides both "pre-admission" control -- which checks the health of a particular endpoint to make sure it has the proper patches -- and "post-admission" control, which ensures a user remains in compliance with network policy.

Both Juniper Networks and Cisco solutions currently provide users with some form of optional NAC integration.

NAC also has the potential to help ActiveDirectory as well in some cases. In its latest UAC 2.1 release for example, Juniper overlaid its NAC approach to provide application access as a supplement that can work in concert with ActiveDirectory.

Klarich defended Palo Alto's approach, however, arguing that it's still unclear whether pre-admission controls need to be based in the firewall.

"In terms of having a highly manageable scalable network, separating the two pieces makes a lot of sense [so] the firewall isn't trying to do everything the pre-admission guys are trying to do as well," Klarich said.

Palo Alto also took aim at Cisco and Juniper's modular approach to firewalls. Cisco's ISR offerings and Juniper's SSG product line provide modular plug-in slots, through which a user can add features to an appliance.

Palo Alto has no such hardware modularity in its platform.

According to Mullaney, the two networking titans need interface modularity because their base platforms lack the right hardware in the first place. Cisco and Juniper, on the other hand, have argued that modularity enables customer choice.

Palo Alto first emerged on the scene only earlier this year, when it came out of stealth mode. The company's chief technology officer, Nir Zuk, is well known in the network security community, having been one of the developers of the stateful inspection technology behind the first firewalls created by firewall pioneer Check Point.

Before joining Palo Alto, Zuk founded One-Secure, which has since been acquired by NetScreen Technologies. Juniper then acquired NetScreen in 2004.