Firewall and application control vendor Palo Alto Networks announced this week a few first-to-market features for its PA-4000 Series firewalls that allow organizations to identify and control applications and user behaviour.
“Within enterprise IT, security and network professionals are lost about what applications are on the network,” said Chris King, Palo Alto’s director of product marketing. “Enterprise users do whatever they want. They actively circumvent controls, whether it’s by tunnel or proxy—they get around the firewall.”
Users are getting around browser-stopping ports by using Web mail and instant messaging.
“We’re no longer able to control applications with network ports,” King said.
Infractions can come from a variety of bandwidth-guzzlers, he said, including video, peer-to-peer and audio streaming. But, King said, the Web 2.0 applications can make it difficult to discern which are being used for legitimate collaboration.
“It’s not to say that we’re a better Big Brother,” said King. “People want to bring in more applications, but we want to do it safely.”
Educating users about Web 2.0 security issues is a “significant uphill battle,” said James Quin, senior research analyst with the London, Ont.-based Info-Tech Research Group.
“The content filtering market is huge right now, as enterprise shoppers have to deal with the big, amorphous mass of Web 2.0,” Quin said. “So many new (Web 2.0) ventures are put up quickly for the security perspective to come into it.”
According to Dave Senf, a research analyst with IDC Canada, IT managers need to be wary of any sudden filtering moves.
“In a Web 2.0 world, it’s important for organizations to get a better handle on what applications are running in and through their environment,” Senf said. “But they need to be mindful of the impact of switching off employee access to this or that application. Yes, it is an employer’s right to say that only these five or ten or what-have-you applications can be run by employees. But there is the right and the wrong way to go about disabling what employees have become used to—you need to think about morale.”
Version 2.0 of PAN-OS enhances visibility and control, said King, through App-ID technology, which can better identify and classify applications, and describe their business value.
Improvements include more dynamic application filters, according to King, who said, “You can turn on and off applications and groups, but also expose more of the attributes, such as blocking just the P2P with malware, or all high-risk media.”
The product’s reporting capabilities have also been enhanced. Administrators can generate a reader-friendly one-page summary of the results, or visual traffic report, for execs with little expertise who still want to track network activity. Portability has also been jacked up, with the results capable of being ported out to PDFs or e-mail.
Even this might not get the message to management, according to Senf. He said, “Many firms do not properly use or even consult log files. In fact, many managers in this country can’t take the time to act on reports from IT. This is not because they are lazy, but because they don’t yet see the value in it. Looking back to IDC data from 2003 we can see that this needle hasn’t moved much in a positive direction: management in Canadian firms is not taking enough time to review security reports from IT. And a lot has happened in the last five years that should have pushed that along more.”
Deeper user support is also there, said King. “We already have support with Active Directory, but now it’s even more enhanced,” he said.
These factors—and the firewall/content filter combo—make the product unique in an already crowded market, said Quin. “Although I don’t know how many people are looking for (such a mixed solution),” he said.