Why Use Palo Alto?

Network security is job No. 1 for every enterprise today. It's no secret that cybersecurity threats are a significant danger to businesses, governments, and nations. Just watch the news and you'll see stories of so-called advanced persistent threats (APTs) — major incidents of ransomware, data breaches, denial of service, and other serious attacks.

Networking security technology and practices are key aspects of the enterprise response to these threats. Firewalls in various forms help protect against threats by monitoring and controlling traffic that comes in and out of the network. Initially, the notion was for the firewall to be a barrier between the trusted enterprise network and traffic from external, untrusted networks.

Early firewalls were physical devices and were often incorporated into the network routers, but as enterprise networks evolved, we started to see firewall functionality as part of the network.

An Evolving Security Landscape

The network security landscape evolved in recent years as new technologies and architectures emerged. For example, issues of scalability and security integration associated with virtual private networks (VPN) have led to an uptake in software-defined wide area networks (SD-WAN) with integrated security mechanisms.

Certainly, one major result of the relentless cybersecurity attacks has been the realization that the traditional security trust model was unworkable. It was clear that the notion of trusting everyone and everything within the organization's network did not make sense anymore. Hence the move toward the "Zero Trust" model, where credentials are never trusted, but always verified.

The goal is to prevent external infiltrators, or malicious inside users, from accessing one segment of the network and then moving freely to other areas of the enterprise. Zero Trust Architectures also introduce the concept of "protect surfaces." Rather than trying to protect everything in your enterprise, you focus security controls on the most critical and valuable data, assets, applications, and services (DAAS). Next Generation Firewalls (NGFW) are used to create a secure perimeter to control access to the protected DAAS.

NGFWs do everything that a traditional firewall does, plus a lot more. NGFWs are able to filter traffic based on application and can identify and block malware and are better able to counter advanced persistent threats. Additionally, NGFWs often include malware detection, threat management, antivirus, and other security applications, so they are more cost effective than traditional firewalls.

As the industry in general embraces software-defined and cloud-based functionality, it should be no surprise that firewalls are going the same way. Many enterprises are choosing to deploy software-defined firewalls rather than physical hardware variants. They are also moving their firewalls and network security to the cloud.

Why Palo Alto Firewalls?

One of the hottest vendors providing these new network security capabilities is Palo Alto Technologies. With significant acquisition and innovation in the last few years, Palo Alto has overhauled Cisco — the '800-pound gorilla' — as a leader in network security.

This post is the first in a series that will discuss Palo Alto, its technology, its position in the network security landscape, and the career opportunities afforded to Palo Alto-certified engineers and technicians.

With a broad range of network security products and services, Palo Alto Technologies has become the leading vendor for network security appliances and WAN edge infrastructure solutions.

Palo Alto's principal network security offering is their Next Generation Firewall (NGFW). They offer the firewall in a variety of forms:

• Physical Firewall Appliances: The PA-series comes in throughputs from 500 Mbps to 10Gbps and are designed to handle differing customer scenarios, including data centers, branch offices, etc.

• Virtual Firewall Editions: The VM-Series is engineered to handle throughputs from 200 Mbps to 16 Gbps catering for varying customer scenarios. VM-Series can be deployed as NFV functions to protect apps and data in public clouds (including AWS, Google, Oracle, and Azure), in virtualized environments (including VMware, Microsoft Hyper-V, and Nutanix), and in SDN solutions such as VMware NSX and Cisco ACI.

• Containerized Firewalls: The CN-Series protects premises or cloud-based Kubernetes environments used to automate software deployment and management. CN-Series firewalls can also protect Kubernetes cloud services from Google, Azure, and AWS.

• Firewall as a Service: The NGFW is also available through Palo Alto's Prisma Access cloud-based firewall-as-a-service (FWAAS). Prisma Access customers have access to the same complete set of protections—threat prevention, URL filtering, sandboxing, etc.—as premises-based customers.

Palo Alto Firewall Features

So, let's look at some of the stand-out features of Palo Alto's firewall offerings.

Extensible, Efficient Architecture

Palo Alto firewalls are based on a single-pass architecture that processes each packet just once for all security features or processes. This means that, unlike most other firewalls, Palo Alto NGFW performance does not degrade as more security features are enabled.

The architecture also allows new security features and firewall rules to be added to installed systems, thus helping extend the useful life of the customer's investment. For example, Palo Alto has introduced and deployed new capabilities such as IoT Security and the WildFire threat intelligence service.

Policy-Based Control

Combined with the single-pass architecture, Palo Alto's NGFWs use three unique traffic classification engines to enable policy-based control over applications, users, and content. The three classification IDs are:

• App-ID: Used to control good applications and block bad ones.

• User-ID: Integrates with Active Directory to allow monitoring and control of who is using each application.

• Content-ID: Limits unauthorized transfer of files and sensitive data, and blocks viruses, spyware, vulnerability exploits, unauthorized web surfing, etc.

Machine-Learning

Traditional firewalls are only able to react to known types of threats! But as we know, hackers and cybercriminals are continuously changing their mode of attack to bypass network defenses. Palo Alto's Next Generation Firewall technology is smart and proactive — employing machine learning (ML) to detect and respond to threats, automating security policy updates, and helping reduce human error in protecting the network.

Palo Alto claims that their ML-powered firewall prevents up to 95% of new threats — immediately stopping malicious scripts and files — and protects IoT devices without the need for additional hardware.

Palo Alto's machine learning technology is based on the following four mechanisms:

• Inline Machine Learning: Embedded in the firewall code, ML algorithms inspect files in-process and can block malicious ones immediately, thus avoiding annoying user delays.

• Zero-Delay Signatures: New threat signatures are pushed to the firewall as soon as they are discovered, thus stopping the threat at the first user and blocking further variants.

• ML-Powered IoT Visibility: IoT devices such as cameras, tablets, etc. are grouped with similar devices using ML-based classifications, rather than old-style device definitions. This allows the firewall to track and prevent harmful and unusual activities.

• Automated Policy Recommendations: ML-based analysis of traffic metadata helps establish normal behavior patterns, which are then used to automatically recommend policies, freeing network admins from time-consuming manual policy updates.

Advanced Threat Detection and Prevention

Enabled by the single-pass architecture and ML-based analysis of traffic data, Palo Alto firewall customers can select one or more of a set of threat detection and prevention capabilities to help protect against even the most advanced threats. These capability modules include:

• URL Filtering: In-line machine learning detects and blocks malicious websites — both known and new — preventing users from visiting them and falling prey to malware, phishing, and command-and-control (C2) attacks.

• DNS Security:  Integrated with the firewall, this feature uses predictive analytics and automation to block attacks via the Domain Name System (DNS). This prevents attacks that attempt to bypass security measures and eliminates the need for changes to DNS routing.

• WildFire Malware Prevention: Using inline ML modules on the NGFW, Wildfire identifies and prevents file-based threats. As Palo Alto's cloud-based malware analysis and detection service, Wildfire uses a unique real-time signature streaming capability to update your firewall on new threats as soon as they are first discovered.

• IoT Security: This ML-driven module discovers all unmanaged devices on the network and detects behavioral irregularities. It is then able to recommend risk-based policies and can automate enforcement without needing additional sensors or infrastructure.

• Threat Prevention: More advanced than traditional intrusion prevention solutions, this capability leverages the NGFW single-pass architecture to inspect all traffic for threats. It can then block known vulnerabilities, malware, exploits, spyware, and command-and-control (C2) attacks.

Final Thoughts

Palo Alto network security and security appliance offerings are scoring high marks with technology consultants and customers are voting with their dollars.

Palo Alto is on a hot streak, as enterprises of all sizes are opting for their next gen firewalls. This is reflected in the growing demand for security professionals with Palo Alto certifications. Let's not write off Cisco and other vendor offerings! As we'll see in a subsequent article, there's still plenty of career opportunities in that space and there is value in holding both Palo Alto and Cisco certifications!

If Palo Alto certification is on your career trajectory, then check out Keith Barker's new online training classes for the Palo Alto Networks Certified Network Security Administrator (PCNSA) and Certified Network Security Engineer (PCNSE). If you're looking for an entry into cybersecurity, then you should take a look at Keith's course for the Certified Cybersecurity Entry-level Technician (PCCET).