Palo Alto Networks vs CheckPoint App Blade
January 8, 2017 | Author: techcw | Category: N/A
Short Description
Download Palo Alto Networks vs CheckPoint App Blade...
Description
Pa alo Alto Networks N s vs. Check Poin nt Compa aring Palo Alto Netw works next-generatio on firewall and Chec ck Point’s Applicatio on Control Blade; a port-based p firewall aadd-on.
Abou ut Palo Alto Netw works:
ey Palo Alto Netw works Differentia ators: Ke
About Check Po oint:
June 2007, first to market with a ne extgeneration firewall that classifies tra affic based on the application,, first and foremost.
Large, well kknown security ve endor; first to market with a stateful inspecttion port-based firewall.
S Safe-application-e enablement appro oach to network security is s described as vis sionary and disruptive by Gartn ner. All other vendors forced to o follow.
App-ID: Traffic classification thatt delivers application visib bility and control, irrespective of port, protocol, SSL S or evasive ta actic, as the basis of firewalll classification, no ot an add-on.
User-ID: Integra ation with every major m directory service: Active Directory, Open LDAP, L and eDirectory; as well w as with Citrix, and Microsoft Termiinal Servers.
Application B Blade is an IPS-likke bolt-on component tto stateful inspecttion.
Broad line off FW UTM add-on ns (“Blade Architecture””) sourced from a combination of developmentt and acquisitionss.
Thousands o of loyal customerss, publically traded with cconsistent earning gs. Solid UI and managemen nt.
Y Young, rapidly gro owing company with w 3,500 customers worldw wide.
Content-ID: ach hieved NSS rated d 94% effectiveness in n IPS testing; 125 5% of rate performance; gateway-based ma alware prevention; com mprehensive URL L filtering database; all inttegrated into a single pass engine to maxim mize performance e.
Purpose-built platform that uses four dedicated bank ks of function-spec cific processing to perform application identification, in nspection and con ntrol.
C Cash flow positive e the last 2 consecutive quarters; on a $10 00 M annual sales s run rate (W WSJ, 10/29/2010 0).
Key Points to Con nsider When Comparing C Pa alo Alto Netwo orks and Checck Point Appliication Contro ol Blade Applic cation Visibility an nd Contrrol Challenge Identify and inspect SS SL; contro ol SSH usage.
Check Point Application Blad de
Palo Alto Netw works
Cannot iden ntify and control trraffic hidden in SS SL; unable to control SSH H. No SSL decryption, inspec ction and control (in nbound or outboun nd). No way to verify SSH is be eing used for its inte ended purpose.
First firewall to o decrypt, inspectt and control SSL;; first firewall to control SSH. Policy conttrol over SSL provid des organizations w with a mechanism to improve security posture (id dentify, decrypt, insspect) while allowing peersonal use of appliications like Twitterr and Facebook. SSH controol means organizations can ensure tha at SSH is not being usedd to tunnel other app plications. Learn moree about SSL and SS SH control.
Compettitive data is generated frrom public information so ources (March 2011).
1
Pa alo Alto Networks N s vs. Check Poin nt Compa aring Palo Alto Netw works next-generatio on firewall and Chec ck Point’s Applicatio on Control Blade; a port-based p firewall aadd-on.
Applic cation Visibility and C Control Challenge
Check Point Application A Blade
Palo Alto Netw works
Class sify traffic on all ports,, all the time.
Unable to applly all application signatures s across s ALL ports. Application n Control Blade dep pends on the applic cation default port. Application n signatures can be e manually enabled for non-std HTTP ports (8080 0, 8000, etc), a very y small subset of th he 60,000+ ports on n a firewall. No other options for enabling classification acros ss all ports exists Application ns that aggressively y hop ports, or use ranges of high portt numbers may m not be identified d or controlled. Application ns designed to be evasive e like UltraSu urf, Tor and Hamachi will w not be identified.
App-ID autom matically looks at a all traffic on all ports. By default , App-ID uses as m many as four traffic classification mechanism ms to identify each application, on all ports, for all traffic. Traffic classsification based on n the application is the first task executed w when traffic hits the e firewall. No configuuration settings are e required to identifyy traffic that hops ports, usess non-standard porrts or other evasive e techniques. Learn morre about App-ID.
Provid de a control mechanism for unkno own traffic.
No way to man nage unknown applications. Unable to identify unknown ap pplications. The negative control model means m that unknown n is allowed by default. o or rename e the unknown application traffic. Unable to override No customizable application signatures s for custo om, internal application identification.
Unknown trafffic is managed sy ystematically. Positive coontrol model meanss unknown traffic ca an be blocked by policy. Unknown ttraffic category pro ovides visibility into key elements such h as source and destination. Internal orr custom application ns within unknown traffic can be renamed ((application override) or a custom App p-ID can be created. Commerciial applications with hin unknown traffic can be packet captured aand submitted for A App-ID creation. See App-ID D in action.
Monittor changes in applic cation behavior.
Does not see changes c in applica ation traffic. Application n Blade is an IPS-lik ke bolt-on that is inflexible – it identifies only o what it has bee en told to identify. Application ns changes such as s Google Mail to Go oogle Talk, or Google Do ocs or SharePoint Admin A to SharePoin nt Docs are not identified. The inabilitty to see behaviora al changes means many m commonly used applic cations, or application functions, will not n be identified; severely lim miting application control flexibility. Unidentified applications, by default, d are allows (negative ( control model).
App-ID is alwaays on; always mo onitoring traffic. All App-ID are always on, and d they are continua ally monitoring the state of thee application. Changes i n application state are identified by App-ID and fed into ACC, policcy editor, logging and reporting. Continuouus monitoring of app plication state enab bles function specific coontrols such as allow SharePoint, by b block use of SharePoinnt Admin. Learn morre about App-ID.
Compettitive data is generated frrom public information so ources (March 2011).
2
Pa alo Alto Networks N s vs. Check Poin nt Compa aring Palo Alto Netw works next-generatio on firewall and Chec ck Point’s Applicatio on Control Blade; a port-based p firewall aadd-on.
Applic cation Visibility and C Control Challenge
Check Point Application A Blade
Palo Alto Netw works
Maxim mize identification n accurracy/coverage; minim mize signature management.
100,000 plus application a signatu ures is a managem ment nightmare. Approxima ately 4,500 signaturres are available on n the device. The remain ning 100,000 plus signatures, s primarily y widget controls, are in the cloud c (AppWiki). Reliance on application signa atures dictates unique signatures for client versions, OS versions and a other variants which w means selecting many m signatures to try and control an application. a Policies bu uilt to control widgetts will rely on cloud-based signatures (introducing g significant latency y). Is managing wh ho is using Farmville e or playing Mafiawars M a priority y for a security adm ministrator?
App-ID: Less iis more. App-ID usees as many as fourr mechanisms to m monitor how an applicationn and user interact.. App-ID is cclient and OS agno ostic, which means one App-ID is equal to m many, many signatu ures used in other o offerings. A single A App-ID can “identify”” more application vvariants than a single CP signature. Example: tthe single BitTorren nt App-ID will see tthe equivalent to 50+ Checkk Point BitTorrent ssignatures. Controllingg Facebook-apps (g games) can be acccomplished with a single Appp-ID; not thousandss and thousands. W Which is more efficient? Learn morre about App-ID.
Simpllify policy management.
Two policy ediitors with duplicatte fields makes ru ule management significantly more m complex Firewall po olicy (source, destin nation, port, user, etc) is built first and takes prece edence (Allow port 80 or 443). Opening po ort 80 or 443 for all, then attempting to o identify traffic within mea ans that significant segments s of that tra affic will not be identified. Application n Blade policy (also o has source, destin nation, port, user, etc) is depe endent on the firew wall policy (allow Fa acebook). Dual policie es will require continuous policy recon nciliation, resulting in a signific cant increase in adm ministrative overhe ead. Application n Blade policy optio ons are negative control in nature (limited to allow a or deny). There is no o way to apply threa at prevention or Qo oS to the application traffic that has bee en identified.
A single, unifiied editor enables s rule-base reduction. Traditionall firewall elements (source, destination) are combined with next-ggeneration elementts (user identity, ap pplication and content insspection) in a single e unified graphical editor. Enabling F Facebook and Face ebook posting for m marketing can be accomplishhed in a single firew wall policy rule. Rules baseed on applications and users will dram matically reduce the numbeer of rule when com mpared to port-base ed rules. Learn morre about unified policy management.
Compettitive data is generated frrom public information so ources (March 2011).
3
Pa alo Alto Networks N s vs. Check Poin nt Compa aring Palo Alto Netw works next-generatio on firewall and Chec ck Point’s Applicatio on Control Blade; a port-based p firewall aadd-on.
Applic cation Visibility and C Control Challenge
Check Point Application A Blade
Palo Alto Netw works
Securrely enable applic cation usage.
Negative contrrol model limits po olicy responses to o allow or deny. Application n Blade is an IPS in n disguise; it is designed to find the application and block it. Nothing more. Applicatio ons that are not identified are a allowed by default. Blindly bloc cking an application n limits employee productivity p and can n hurt the company bottom line.
Positive contrrol model provides s flexible policy re esponse options “ allow but….”” Firewalls aare positive control model solutions; d deny all, except for the traffic tthat is allowed by p policy. App-ID, Usser-ID and Contentt-ID provide administrators with the ability to iddentify an applicatio on and: o A Allow it for users in marketing using AD D or LDAP o E Enable specific application functions likke Sharepoint A Admin o S Scan them for threa ats with IPS or AV o B Block entire groups of applications with h filters or groups o A Apply QoS to make sure business app plications are not st starved of required bandwidth. Learn morre about application n enablement.
Maintain rated perforrmance.
Check Point platforms are optim mized for Stateful inspection; not application control. Check Poin nt platforms are opttimized for stateful inspection fastpath, a mechanism where, on nce traffic is classified it is untouched nges. until it chan Check Poin nt platforms are NO OT optimized for ap pplication level classificatio on for all traffic on all a ports. Performanc ce impact of enabling Application Blad de has shown to be e 5-10% LES SS than the datashe eet rated IPS perfo ormance levels.
Purpose-built platform; optimizzed for application n visibility and control. Dedicated , high performance e processing for nettworking, security, gement threat prevvention, and manag Single passs software design touches traffic onlyy once, eliminating repetitive pprocesses and associated latency. The result : multi-Gbs through hput of application llevel inspection across all ports, on all traffic. Learn morre about high performance next-generration firewalls.
Compettitive data is generated frrom public information so ources (March 2011).
4
View more...
Comments