NAC-like server firewalls
Unlike traditional firewalls, which rely on port numbers to differentiate traffic, Palo Alto's appliance is like NAC in that it can see up to Layer 7. It filters traffic based on application and user role via Microsoft's Active Directory, a tactic that becomes useful as more applications run over the single superhighway of Port 80.
The vendor, however, hasn't yet integrated some of the higher-end capabilities that users such as Mercy Medical's Rein hope it one day will, for even better server-level protection. These include intrusion-prevention systems (IPS) and data-leakage-prevention services.
Nir Zuk, CTO of Palo Alto, agrees that functions such as these are important and says the company is working on developing them. "You want the firewall to do the IPS function and make sure people don't hack the servers. You also want to make sure that it looks for data leaking out of the data center, things like Social Security numbers," he says, adding that speed is a prevailing issue. "Nobody has those pieces yet at the speeds required in a data-center box."
Server-focused firewalls would need to run at a minimum of 10Gbps to support typical performance levels, experts say. Such firewalls also would need to support rich per-server policies that ensure safe traffic, such as backups, gets fast-tracked, and malicious traffic is checked and discarded. In addition, management -- something Snyder says could be a "total nightmare" -- must be easy.
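As an added illustration (not from the article or from any vendor's product), the toy policy evaluator below contrasts a port-based rule with the per-server, application- and user-role-aware rules described above: four constructed flows all ride on TCP port 80, so a port rule treats them identically, while the role/application rules fast-track the backup and drop the rest. User names, roles, server names and application labels are constructed, and the mapping from Active Directory identity to role is assumed to have already been done.

```python
# Added example (not the article's or any vendor's code): a toy policy evaluator that
# contrasts a port-only rule set with an application- and user-role-aware one.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_user: str      # identity, assumed to be resolved from Active Directory
    src_role: str      # role derived from that identity (assumed mapping)
    dst_server: str    # per-server policy target
    dst_port: int
    app: str           # application identified from payload (Layer 7), assumed


# Constructed sample flows: every one uses TCP/80 and looks identical to a port-based rule.
SAMPLE_FLOWS = [
    Flow("alice", "dba", "db01", 80, "backup-agent"),
    Flow("bob", "contractor", "db01", 80, "web-file-share"),
    Flow("carol", "helpdesk", "web01", 80, "http-browsing"),
    Flow("eve", "guest", "db01", 80, "remote-desktop-over-http"),
]


def port_policy(flow: Flow) -> str:
    """Traditional rule: allow port 80 to any server, drop everything else."""
    return "allow" if flow.dst_port == 80 else "drop"


# Per-server, application- and role-aware rules; first match wins, default is drop.
# Each rule: (server or "*", allowed roles, allowed applications, verdict)
APP_RULES = [
    ("db01", {"dba"}, {"backup-agent"}, "allow-fast-path"),   # backups get fast-tracked
    ("web01", {"helpdesk", "dba"}, {"http-browsing"}, "allow"),
]


def app_policy(flow: Flow) -> str:
    """Match on destination server, caller's role and identified application."""
    for server, roles, apps, verdict in APP_RULES:
        if server in ("*", flow.dst_server) and flow.src_role in roles and flow.app in apps:
            return verdict
    return "drop"


def evaluate(flows=SAMPLE_FLOWS) -> dict:
    """Return {user: (port verdict, app/role verdict)} to show where the rule sets diverge."""
    return {f.src_user: (port_policy(f), app_policy(f)) for f in flows}
```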
"Lots of firewall companies have centralized management, but the ability to control dozens of firewalls with hundreds of rules all in a single data center is a rare product," Snyder says. "In this case, I'd take a weaker firewall with a better management tool."
Firewall vendors Check Point Software, Cisco and Juniper Networks are working to address the IPS, management and other issues. While they may not have the high level of application- and user-awareness of a Palo Alto device, data-center performance and scalability are big focuses. These vendors caution, however, that such capabilities come with performance hits that might not be acceptable to many enterprises.
Users who want to separate data-center servers must pick a firewall that not only is very fast, but also has robust management, policy and virtualization capabilities, says Tom Russell, Cisco senior product manager. The vendor recently rolled out an example of this with the ASA-5580, a firewall-VPN product that has 20Gbps throughput and supports as many as 10,000 remote users, 75,000 policies and 150,000 connections per second.