Palo Alto Networks vs CheckPoint App Blade

January 8, 2017 | Author: techcw | Category: N/A

Palo Alto Networks vs. Check Point: Comparing Palo Alto Networks next-generation firewall and Check Point's Application Control Blade; a port-based firewall add-on.

About Palo Alto Networks:

- June 2007, first to market with a next-generation firewall that classifies traffic based on the application, first and foremost.
- Safe-application-enablement approach to network security is described as visionary and disruptive by Gartner. All other vendors forced to follow.
- Young, rapidly growing company with 3,500 customers worldwide.
- Cash flow positive the last 2 consecutive quarters; on a $100 M annual sales run rate (WSJ, 10/29/2010).

Key Palo Alto Networks Differentiators:

- App-ID: Traffic classification that delivers application visibility and control, irrespective of port, protocol, SSL or evasive tactic, as the basis of firewall classification, not an add-on.
- User-ID: Integration with every major directory service: Active Directory, Open LDAP, and eDirectory; as well as with Citrix and Microsoft Terminal Servers.
- Content-ID: Achieved NSS rated 94% effectiveness in IPS testing; 125% of rated performance; gateway-based malware prevention; comprehensive URL filtering database; all integrated into a single pass engine to maximize performance.
- Purpose-built platform that uses four dedicated banks of function-specific processing to perform application identification, inspection and control.

About Check Point:

- Large, well known security vendor; first to market with a stateful inspection port-based firewall.
- Application Blade is an IPS-like bolt-on component to stateful inspection.
- Broad line of FW UTM add-ons ("Blade Architecture") sourced from a combination of development and acquisitions.
- Thousands of loyal customers, publicly traded with consistent earnings. Solid UI and management.

Key Points to Consider When Comparing Palo Alto Networks and Check Point Application Control Blade

Application Visibility and Control Challenge: Identify and inspect SSL; control SSH usage.

Check Point Application Blade:
- Cannot identify and control traffic hidden in SSL; unable to control SSH.
- No SSL decryption, inspection and control (inbound or outbound).
- No way to verify SSH is being used for its intended purpose.

Palo Alto Networks:
- First firewall to decrypt, inspect and control SSL; first firewall to control SSH.
- Policy control over SSL provides organizations with a mechanism to improve security posture (identify, decrypt, inspect) while allowing personal use of applications like Twitter and Facebook.
- SSH control means organizations can ensure that SSH is not being used to tunnel other applications.
- Learn more about SSL and SSH control.

Competitive data is generated from public information sources (March 2011).


Application Visibility and Control Challenge: Classify traffic on all ports, all the time.

Check Point Application Blade:
- Unable to apply all application signatures across ALL ports.
- Application Control Blade depends on the application default port.
- Application signatures can be manually enabled for non-standard HTTP ports (8080, 8000, etc.), a very small subset of the 60,000+ ports on a firewall.
- No other options for enabling classification across all ports exist.
- Applications that aggressively hop ports, or use ranges of high port numbers, may not be identified or controlled.
- Applications designed to be evasive like UltraSurf, Tor and Hamachi will not be identified.

Palo Alto Networks:
- App-ID automatically looks at all traffic on all ports.
- By default, App-ID uses as many as four traffic classification mechanisms to identify each application, on all ports, for all traffic.
- Traffic classification based on the application is the first task executed when traffic hits the firewall.
- No configuration settings are required to identify traffic that hops ports, uses non-standard ports or uses other evasive techniques.
- Learn more about App-ID.

Application Visibility and Control Challenge: Provide a control mechanism for unknown traffic.

Check Point Application Blade:
- No way to manage unknown applications.
- Unable to identify unknown applications.
- The negative control model means that unknown is allowed by default.
- Unable to override or rename the unknown application traffic.
- No customizable application signatures for custom, internal application identification.

Palo Alto Networks:
- Unknown traffic is managed systematically.
- Positive control model means unknown traffic can be blocked by policy.
- Unknown traffic category provides visibility into key elements such as source and destination.
- Internal or custom applications within unknown traffic can be renamed (application override) or a custom App-ID can be created.
- Commercial applications within unknown traffic can be packet captured and submitted for App-ID creation.
- See App-ID in action.

Application Visibility and Control Challenge: Monitor changes in application behavior.

Check Point Application Blade:
- Does not see changes in application traffic.
- Application Blade is an IPS-like bolt-on that is inflexible – it identifies only what it has been told to identify.
- Application changes such as Google Mail to Google Talk, or Google Docs, or SharePoint Admin to SharePoint Docs are not identified.
- The inability to see behavioral changes means many commonly used applications, or application functions, will not be identified; severely limiting application control flexibility.
- Unidentified applications, by default, are allowed (negative control model).

Palo Alto Networks:
- App-ID is always on; always monitoring traffic.
- All App-IDs are always on, and they are continually monitoring the state of the application.
- Changes in application state are identified by App-ID and fed into ACC, policy editor, logging and reporting.
- Continuous monitoring of application state enables function specific controls such as allow SharePoint, but block use of SharePoint Admin.
- Learn more about App-ID.


Application Visibility and Control Challenge: Maximize identification accuracy/coverage; minimize signature management.

Check Point Application Blade:
- 100,000 plus application signatures is a management nightmare.
- Approximately 4,500 signatures are available on the device.
- The remaining 100,000 plus signatures, primarily widget controls, are in the cloud (AppWiki).
- Reliance on application signatures dictates unique signatures for client versions, OS versions and other variants, which means selecting many signatures to try and control an application.
- Policies built to control widgets will rely on cloud-based signatures (introducing significant latency). Is managing who is using Farmville or playing Mafiawars a priority for a security administrator?

Palo Alto Networks:
- App-ID: Less is more.
- App-ID uses as many as four mechanisms to monitor how an application and user interact.
- App-ID is client and OS agnostic, which means one App-ID is equal to many, many signatures used in other offerings.
- A single App-ID can "identify" more application variants than a single CP signature.
- Example: the single BitTorrent App-ID will see the equivalent of 50+ Check Point BitTorrent signatures.
- Controlling Facebook apps (games) can be accomplished with a single App-ID; not thousands and thousands. Which is more efficient?
- Learn more about App-ID.

Application Visibility and Control Challenge: Simplify policy management.

Check Point Application Blade:
- Two policy editors with duplicate fields make rule management significantly more complex.
- Firewall policy (source, destination, port, user, etc.) is built first and takes precedence (Allow port 80 or 443).
- Opening port 80 or 443 for all, then attempting to identify traffic within, means that significant segments of that traffic will not be identified.
- Application Blade policy (also has source, destination, port, user, etc.) is dependent on the firewall policy (allow Facebook).
- Dual policies will require continuous policy reconciliation, resulting in a significant increase in administrative overhead.
- Application Blade policy options are negative control in nature (limited to allow or deny).
- There is no way to apply threat prevention or QoS to the application traffic that has been identified.

Palo Alto Networks:
- A single, unified editor enables rule-base reduction. Traditional firewall elements (source, destination) are combined with next-generation elements (user identity, application and content inspection) in a single unified graphical editor.
- Enabling Facebook and Facebook posting for marketing can be accomplished in a single firewall policy rule.
- Rules based on applications and users will dramatically reduce the number of rules when compared to port-based rules.
- Learn more about unified policy management.


Application Visibility and Control Challenge: Securely enable application usage.

Check Point Application Blade:
- Negative control model limits policy responses to allow or deny.
- Application Blade is an IPS in disguise; it is designed to find the application and block it. Nothing more. Applications that are not identified are allowed by default.
- Blindly blocking an application limits employee productivity and can hurt the company bottom line.

Palo Alto Networks:
- Positive control model provides flexible policy response options: "allow but...".
- Firewalls are positive control model solutions; deny all, except for the traffic that is allowed by policy.
- App-ID, User-ID and Content-ID provide administrators with the ability to identify an application and:
  - Allow it for users in marketing using AD or LDAP
  - Enable specific application functions like SharePoint Admin
  - Scan them for threats with IPS or AV
  - Block entire groups of applications with filters or groups
  - Apply QoS to make sure business applications are not starved of required bandwidth.
- Learn more about application enablement.
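The two control models the comparison keeps returning to (unknown traffic allowed by default under port-then-app "negative" control, denied by default under app-and-user "positive" control) can be made concrete with a toy policy engine. This is an added illustration, not code from the original comparison or from either vendor; the app names, default-port table, rules and sample flows are all constructed assumptions.

```python
# Constructed toy policy engines contrasting port-dependent and port-independent app control.
from dataclasses import dataclass

DEFAULT_PORTS = {"web-browsing": 80, "facebook": 443, "bittorrent": 6881, "ssh": 22}
ALLOWED_PORTS = {80, 443}      # port-based firewall rule, evaluated first
BLOCKED_APPS = {"bittorrent"}  # app blade: find the named app and block it
# Positive model: explicitly allowed (app, user group) pairs; everything else is denied.
ALLOW_RULES = {("web-browsing", "any"), ("facebook", "marketing"), ("ssh", "ops")}

@dataclass(frozen=True)
class Flow:
    app: str    # ground-truth application behind the flow (constructed)
    port: int   # destination port actually used
    group: str  # user group resolved from the directory

def classify_by_port(flow: Flow) -> str:
    """Port-dependent identification: the app is only seen on its default port."""
    return flow.app if DEFAULT_PORTS.get(flow.app) == flow.port else "unknown"

def negative_model(flow: Flow) -> str:
    """Open the port first, then block identified apps; unknown traffic passes."""
    if flow.port not in ALLOWED_PORTS:
        return "deny"
    return "deny" if classify_by_port(flow) in BLOCKED_APPS else "allow"

def positive_model(flow: Flow) -> str:
    """Deny by default; allow only app+group pairs named in policy (unknown is denied)."""
    app = flow.app if flow.app in DEFAULT_PORTS else "unknown"  # identified on any port
    if any(a == app and g in ("any", flow.group) for a, g in ALLOW_RULES):
        return "allow"
    return "deny"

FLOWS = [  # constructed sample flows
    Flow("facebook", 443, "marketing"),
    Flow("facebook", 443, "finance"),
    Flow("bittorrent", 443, "finance"),  # port-hops onto an already-open port
    Flow("custom-erp", 443, "ops"),      # internal app neither classifier knows
    Flow("ssh", 22, "ops"),
]

def compare(flows=FLOWS) -> dict:
    """Map each flow to its (negative-model, positive-model) verdict."""
    return {f: (negative_model(f), positive_model(f)) for f in flows}

if __name__ == "__main__":
    for f, (neg, pos) in compare().items():
        print(f"{f.app:>11}:{f.port:<5} {f.group:<10} negative={neg:<5} positive={pos}")
```

Running it shows the two cases the text argues about: BitTorrent moved onto port 443 and the unknown internal app both pass the port-then-app model, while the positive model denies both and still lets marketing use Facebook and ops use SSH.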

Application Visibility and Control Challenge: Maintain rated performance.

Check Point Application Blade:
- Check Point platforms are optimized for stateful inspection; not application control.
- Check Point platforms are optimized for stateful inspection fastpath, a mechanism where, once traffic is classified, it is untouched until it changes.
- Check Point platforms are NOT optimized for application level classification for all traffic on all ports.
- Performance impact of enabling Application Blade has shown to be 5-10% LESS than the datasheet rated IPS performance levels.

Palo Alto Networks:
- Purpose-built platform; optimized for application visibility and control.
- Dedicated, high performance processing for networking, security, threat prevention, and management.
- Single pass software design touches traffic only once, eliminating repetitive processes and associated latency.
- The result: multi-Gbps throughput of application level inspection across all ports, on all traffic.
- Learn more about high performance next-generation firewalls.
