Palo Alto Networks' PA-4020 is not just another firewall.
Yes, it has what you'd expect in a basic firewall: 24 ports, divided into 16 gigabit Ethernet ports and eight SFP ports. It has a rule base, some basic VPN capabilities, and a Web-based management interface. If the description ended there, Palo Alto would not likely make any headway into the enterprise firewall business, which is already carved up between Check Point, Cisco, and Juniper.
Palo Alto's secret sauce lies in the visibility it provides. Most firewalls do what they do, and provide little information (other than logs) about what they're seeing. The Palo Alto PA-4020 has a much greater focus on exposing the actual application-layer traffic, and then giving the network manager visibility into the traffic and threats in the network.
In this Clear Choice, we found the Palo Alto Networks PA-4020 to be an innovative turn on the traditional firewall (see Is Palo Alto's firewall a firewall or not?). By looking at application data streams, rather than TCP/IP port numbers, the PA-4020 is able to provide a finer-grained control over end-user Internet usage than has previously been available in any firewall. The PA-4020 also leverages this application knowledge to provide unprecedented (for a firewall, that is) levels of visibility into network traffic.
That said, we found the PA-4020 to still be a work in progress. Weaknesses in areas such as bandwidth management and virus scanning mean that it can't fully replace the combination of a firewall and Web security gateway — yet.
The Palo Alto PA-4020 (like all Palo Alto's firewalls) claims to do something that no other firewall can do: control based on application, rather than on port number. For traffic coming into an enterprise, that's not very interesting, because most network managers know for which applications they're opening holes in the firewall. However, when it comes to outbound traffic, network managers haven't had that vital visibility.
The alternatives, up to now, have been slim: either run with a "default outbound allow" policy and have no idea what people are really doing, or block all outgoing traffic and force users through proxies that can control and log what's happening.