Sneaky Web Apps to Get The Stealth Treatment

Try telling your IT manager that you’re going to put another security device in his datacenter; he’ll probably give you a murderous stare.

That pretty much sums up what some companies are proposing for enterprises, banking on concerns and vulnerabilities over a rising mass of Internet applications, including peer-to-peer software, Web mail and video conferencing that bypass traditional firewalls.

Startup Palo Alto Networks is one such vendor. And it’s not blinking on this offering. The company plans to come out of stealth mode Monday with new firewall devices intended to first complement and ultimately replace traditional firewalls from Cisco Systems, Check Point and other incumbents. The company is eyeing a $4 billion security industry grappling with emerging Web threats.

Palo Alto CEO Dave Stevens said the 2 gigabit-per-second PA-4020 and the 10 gigabit-per-second PA-4050 use the company’s App-ID classification technology to identify more than 400 applications — friends or foes — that typically pass undetected through traditional firewalls.

The problem is that newer applications and threats use HTTP, or they evade detection by hopping ports, emulating other applications or using SSL encryption. Traditional firewalls fail to identify applications because stateful inspection, as designed, assumes a fixed and unique port per application.

Those instant messaging, P2P file-sharing, CRM applications like or WebEx Web conferencing applications we love so much? They all run over one port, so businesses can no longer control applications based on port number. Moreover, older firewalls simply can’t see encrypted traffic.
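To make the port-versus-application distinction concrete, here is an added illustration (not Palo Alto’s code, and the signatures are simplified stand-ins, not any vendor’s actual rules): a port-based lookup beside a payload-based classifier, run over constructed sample flows, flagging traffic whose content does not match what its port implies.

```python
"""Port-based vs. payload-based application classification (constructed demo)."""
from dataclasses import dataclass

@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first client bytes of the flow; constructed sample data

# Legacy stateful-firewall view: the application is whatever the port says.
PORT_TABLE = {80: "web-browsing", 443: "ssl", 6667: "irc", 6881: "bittorrent"}

# App-ID-style view: decide from what the bytes look like, on any port.
# Simplified illustrative signatures, not a real product's rule set.
SIGNATURES = [
    ("irc", lambda p: p.startswith((b"NICK ", b"USER ", b"JOIN "))),
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("ssl", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
    ("web-browsing", lambda p: p.startswith((b"GET ", b"POST ", b"HEAD "))),
]

def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dst_port, "unknown")

def classify_by_payload(flow: Flow) -> str:
    for name, matches in SIGNATURES:
        if matches(flow.payload):
            return name
    return "unknown"

def audit(flows):
    """Return (port_view, app_view, mismatch) per flow. A mismatch is traffic a
    port-only policy would have allowed under the wrong application name."""
    out = []
    for f in flows:
        by_port, by_app = classify_by_port(f), classify_by_payload(f)
        out.append((by_port, by_app, by_port != by_app))
    return out

SAMPLE_FLOWS = [  # constructed sample traffic
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    Flow(80, b"NICK user1\r\nUSER user1 0 * :u\r\n"),    # chat on the web port
    Flow(443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),  # TLS ClientHello
    Flow(443, b"\x13BitTorrent protocol" + b"\x00" * 8),  # P2P on the SSL port
]

if __name__ == "__main__":
    for f, (p, a, bad) in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"port {f.dst_port}: port-view={p} app-view={a} mismatch={bad}")
```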

“Application developers have written applications that deliberately don’t behave well on the network in an attempt to bypass existing security infrastructure,” Stevens said.

In short, legacy firewalls lack a granular level of visibility and control to help manage more than 90 percent of the applications zipping through pipes.

This makes it difficult to enforce application usage policies and can lead to information leaks through uncontrolled applications. Stevens said this is one of the reasons why some enterprises have taken to buying an appliance to guard every application.

“If the firewall doesn’t see it, you go buy yourself an appliance to control instant messaging,” Stevens said.

The App-ID software on Palo Alto’s PA-4000 machines detects all application traffic across all ports, including SSL encrypted traffic and software-as-a-service, instant messaging, Web mail, P2P and other software types. Moreover, the software can view the application’s profile to track usage, source, destination and risk level.

The PA-4000 machines are deployed either in-line behind existing security infrastructure, where customers have total visibility and can execute policy control on applications, or off a span port, which also offers total visibility but no policy control. Available now, the PA-4050 costs $60,000, while the PA-4020 lists at $35,000.

To date, Palo Alto has netted $28 million in venture capital funding from Globespan Capital Partners, Greylock Partners and Sequoia Capital. App-ID was created thanks to the security pedigree of CTO Nir Zuk, who helped create the stateful inspection technology behind the first firewalls.

Zuk founded One-Secure, which was acquired by NetScreen Technologies. Juniper then bagged NetScreen in 2004 to better compete with Cisco in the firewall market. Other Palo Alto executives hail from McAfee, Cisco and Peribit.