Fundamental changes taking place in computer applications and threats, as well as in user behavior and network infrastructure, are leading to a gradual erosion of the protection formerly provided by traditional, port-based firewalls. In performing daily tasks, users use a variety of applications and operate a variety of devices. Meanwhile, the growth of data centers and virtualization, mobility and cloud technologies involves rethinking how to ensure that applications can be used and networks are protected at the same time.

Traditional methods, for example, involve trying to block all application traffic by using an ever-expanding list of point technologies that are add-ons to the firewall. Such a solution can hinder business operations. On the other hand, one may try to allow access to all applications, which is also unacceptable because of the associated business and security risks. The problem is that traditional port-based firewalls, even those that allow complete blocking of applications, offer no alternative to either method. In order to strike a balance between a total lockdown approach and an approach that allows fully unimpeded access, you need to use secure application usage features based on business-relevant elements such as application identity, application user data or content type as key criteria for firewall security policies.

The most important requirements for secure application usage

Identify applications, not ports. Classify network traffic as soon as it arrives at the firewall to determine the identity of the application regardless of protocol, encryption or evasive tactics, then use that identity as the basis for all security policies.

Tie application usage to users’ identities rather than IP addresses, regardless of location or device. Use user and group data from directory services and other user information resources to implement consistent application usage policies for all users regardless of location or device.

Protect against all threats, both known and unknown. Block known exploits, malware, spyware and malicious URLs, while analyzing traffic for highly targeted, previously unknown malware and automatically protecting against it.

Simplify the management of security policies. Enable secure application access with less administrative effort, using easy-to-use graphical tools, a unified policy editor, templates and device groups.

Policies to ensure secure use of applications help enhance security regardless of where the application is deployed. At the network edge, threats are reduced by blocking unwanted applications and then scanning the allowed applications for threats, both known and unknown. When it comes to the data center, whether traditional or virtualized, application usage technology means that data center applications can only be used by authorized users, thus protecting the center’s content from threats and addressing security concerns related to the dynamic nature of virtual infrastructure. Branch offices and remote users can be protected with the same set of application usage policies deployed at headquarters, ensuring policy consistency.

Using apps to drive the business forward

The secure application experience offered by Palo Alto Networks’ innovative firewalls helps manage operations and confront the security risks associated with the rapidly growing number of applications on the corporate network. Providing access to applications to users or groups of users, whether local, mobile or remote, and protecting network traffic from known and unknown threats allows you to increase security while growing your business.

Ability to continuously classify all applications on all ports

Include users and devices in security policies, not just IP addresses

Creating and managing security policies based on the application and the user’s identity, regardless of device or location, is a more effective method of protecting a network than techniques using only port and IP address. Integration with a wide range of corporate user databases identifies the Microsoft Windows, Mac OS X, Linux, Android and iOS users accessing applications. Mobile users and those working remotely are protected with the same consistent policies that are applied on the local or corporate network. The combination of visibility and control over user activity in the application means that you can securely enable Oracle, BitTorrent, Gmail or any other application on the network regardless of when and how the user accesses it.

Protection against all threats, both known and unknown

To protect today’s network, it is necessary to deal with all known exploits, malware and spyware, as well as completely unknown and targeted threats. The process begins by reducing the exposed surface of the network: allow specific applications and reject all others, either implicitly through a “reject all others” default or through explicit policies. Coordinated threat protection is then applied to all admitted traffic, blocking known malware sites, vulnerability exploits, viruses, spyware and malicious DNS queries in a single pass. Custom or otherwise unknown malware is actively analyzed and identified by executing unknown files in a virtualized sandbox environment and directly observing more than 100 malicious behaviors. When new malware is discovered, signatures for the malicious file and its associated traffic are automatically generated and delivered to the user. All of this preventive analysis uses the full context of applications and protocols, which guarantees detection even of threats that try to hide from security mechanisms in tunnels, compressed data or custom ports.

Flexibility of implementation and management

Secure application functionality is available on a custom-designed hardware platform or in virtualized form. If you are deploying multiple Palo Alto Networks firewalls, whether in hardware or virtualized form, you can use the Panorama tool, which is an optional centralized management solution that provides visibility into traffic patterns and allows you to deploy policies, generate reports and provide content updates from a central location.

Safe use of applications: a comprehensive approach

Secure use of applications requires a comprehensive approach to securing the network and growing the business, based on a thorough knowledge of the applications on the network: who the users are, regardless of platform or location, and what content, if any, the application carries. With a more complete knowledge of network activity, you can create more effective security policies based on the application elements, users and content that matter to your business. The location of users, their platform and where security is deployed, whether at the perimeter, in a traditional or virtualized data center, at a branch office or for a remote user, have minimal or no impact on how policies are created. Now you can safely enable any application and content for any user.

Using applications and reducing risks

The secure application functionality uses policy-based decision criteria, including application/application function, users and groups, and content, to enable a balance between completely blocking all applications and a high-risk approach that allows completely free access.

At the network perimeter, at branch offices, and for mobile and remote users, application usage policies focus on identifying all traffic, then selectively allowing traffic based on user identity and scanning the allowed traffic for threats. Sample security policies:

In data centers, whether traditional, virtualized or mixed, secure application usage focuses primarily on validating applications, detecting rogue applications and protecting data.

Protection of enabled applications

Using applications securely involves allowing access to specific applications, then applying specific policies to block known exploits, malware and spyware (known and unknown), and controlling file or data transfer and Internet browsing activity. Popular evasion tactics, such as port hopping and tunneling, are countered with preventive policies that use the application and protocol context generated by the decoders in the App-ID function. UTM solutions, on the other hand, use silo-based threat prevention: each function (firewall, IPS, antivirus, URL filtering) is applied to all network traffic separately and without regard to context, making them more susceptible to evasive techniques.
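The positive enforcement model described in the threat protection section and in the paragraph above (allow named applications for named users, reject everything else, inspect what is allowed) as an added toy example. This is not Palo Alto Networks or App-ID code: it is a simplified first-match rule evaluator with constructed rules and flows, where the application is assumed to have already been identified from the payload rather than from the port.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    user: str
    groups: frozenset  # directory groups the user belongs to
    app: str           # application identified from the payload, not the port
    port: int          # destination port the client chose

@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset    # "*" matches any application
    groups: frozenset  # "*" matches any user
    action: str        # "allow" or "deny"
    scan: bool = False # allowed traffic is passed on to threat inspection

def evaluate(rules, flow):
    """Return (rule name, action, scan) for the first matching rule;
    a flow that matches no rule is dropped by the implicit deny."""
    for r in rules:
        app_ok = "*" in r.apps or flow.app in r.apps
        grp_ok = "*" in r.groups or bool(flow.groups & r.groups)
        if app_ok and grp_ok:
            return r.name, r.action, r.scan
    return "implicit-deny", "deny", False

def port_only_decision(flow, open_ports=frozenset({80, 443, 1521})):
    """What a traditional port-based rule base does with the same flow."""
    return "allow" if flow.port in open_ports else "deny"

# Constructed rule base: only DBAs reach Oracle, anyone may use Gmail (inspected),
# BitTorrent is explicitly denied, and everything else falls to the implicit deny.
APP_RULES = [
    Rule("dba-oracle", frozenset({"oracle"}), frozenset({"dba"}), "allow", scan=True),
    Rule("all-gmail", frozenset({"gmail"}), frozenset({"*"}), "allow", scan=True),
    Rule("no-p2p", frozenset({"bittorrent"}), frozenset({"*"}), "deny"),
]

# Constructed sample flows; the BitTorrent client hops to port 443 to blend in.
FLOWS = {
    "dba_oracle": Flow("alice", frozenset({"dba"}), "oracle", 1521),
    "intern_oracle": Flow("bob", frozenset({"interns"}), "oracle", 1521),
    "torrent_on_443": Flow("bob", frozenset({"interns"}), "bittorrent", 443),
    "gmail": Flow("carol", frozenset({"sales"}), "gmail", 443),
}

def compare(flow):
    """Side-by-side decision of the port-based and the application-based rule base."""
    return {"port_based": port_only_decision(flow), "app_based": evaluate(APP_RULES, flow)}
```

The port-only rule base admits the BitTorrent session on 443 and the intern's Oracle connection on 1521, while the application- and user-aware rule base denies both.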

Continuous management and analysis

Experience with optimal security solutions indicates that administrators should strike a balance between proactively managing the firewall, whether for a single device or hundreds of devices, and responding by investigating, analyzing and reporting security incidents.

Custom-designed hardware platform or virtualized platform

Palo Alto Networks offers a full range of custom-designed hardware platforms, from the PA-200, designed for remote corporate offices, to the PA-5060, designed for high-end data centers. The platform architecture is based on single-pass software and uses function-specific processing for networking, security, threat prevention and management, which provides stable and efficient operation. The same firewall functionality found on the hardware platforms is available in the VM-Series virtual firewall, which secures virtualized and cloud-based computing environments with the same policies that are applied at the network perimeter and in remote-office firewalls.