Palo Alto Politics

Local politics in Palo Alto California.

Next Generation Firewall (of Yesterday)

You have probably heard about Palo Alto Networks and their next generation firewall. They are doing a good job at promoting and marketing it. But is it really the groundbreaking technology they claim to have invented?

Let's take a look at what their product does:

1. AppID technology that doesn't use ports to identify applications.
2. Dynamic SSL decryption for outbound traffic.
3. User ID agent that tracks IP address assignment to users.
4. FlashMatch signature matching engine.
5. Custom hardware platform that provides high speed (up to 10Gbps) performance.

The core of the product is the AppID technology where applications are detected without relying on port numbers. This is why they call their product the next generation firewall. However, it turns out that Palo Alto Networks are not the ones who invented non-port-based application identification.

There are at least two open source projects that utilize the same port-less application identification concept. The first one is the Bro IDS and the second one is the Application Layer Classifier for Linux.

The Bro IDS was originally developed by Vern Paxson, one of the authorities in the networking world, at the Lawrence Berkeley National Lab. Among many interesting features, Bro IDS has the Dynamic Protocol Detection capability. Bro uses this capability to detect applications on non-standard ports so that it can accurately apply its application decoders. Take a look at the DPD wiki, and if you want to know more, take a look at the code that can be downloaded from the project website: http://www.bro-ids.org/wiki/index.php/DynamicProtocolDetection

There's also the Application Layer Classifier for Linux that can be found here: http://l7-filter.sourceforge.net/ It also detects applications regardless of the port number used, but, unlike Bro IDS, it does so in the Linux kernel using Netfilter.
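To make the port-less idea concrete, here is a small added example (not code from Bro, l7-filter or Palo Alto Networks) that classifies a flow by matching signatures against its first payload bytes and compares that with the answer a port table would give. The signatures, flow structure and sample flows are constructed for this post and are simplified versions of what such classifiers really match.

```python
"""Port-independent application identification over the first payload bytes
of a flow, in the spirit of Bro's dynamic protocol detection and l7-filter.
Added example; signatures and sample flows are constructed, not taken from
either project."""
import re
from dataclasses import dataclass

# Simplified payload signatures, matched against the start of the flow no
# matter which port it uses. Hypothetical patterns written for this example.
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ssh",  re.compile(rb"^SSH-[12]\.[0-9]+-")),
    ("smtp", re.compile(rb"^220 [^\r\n]+\r\n")),                   # server greeting banner
    # TLS record: type 0x16 (handshake), version 3.x, 2-byte length, then
    # handshake type 0x01 (ClientHello). DOTALL so a length byte may be 0x0a.
    ("tls",  re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),
]

# Classic port-based view of the world, kept only for comparison.
PORT_TABLE = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes   # first bytes seen on the flow (client request or server banner)


def classify_by_port(flow: Flow) -> str:
    """What a traditional firewall believes, based on destination port alone."""
    return PORT_TABLE.get(flow.dport, "unknown")


def classify_by_content(flow: Flow, max_bytes: int = 64) -> str:
    """Return the application name from payload signatures, ignoring the port."""
    head = flow.payload[:max_bytes]
    for name, pattern in SIGNATURES:
        if pattern.match(head):
            return name
    return "unknown"


def policy_decision(flow: Flow, allowed_apps: set) -> str:
    """A firewall rule keyed on the identified application rather than on the port."""
    return "allow" if classify_by_content(flow) in allowed_apps else "deny"


def find_mismatches(flows):
    """Flows whose content-based application differs from the port-based guess:
    exactly the cases a port-only firewall gets wrong."""
    out = []
    for f in flows:
        by_port, by_content = classify_by_port(f), classify_by_content(f)
        if by_content != "unknown" and by_content != by_port:
            out.append((f, by_port, by_content))
    return out


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80,   b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    Flow("10.0.0.5", "203.0.113.11", 8080, b"POST /api HTTP/1.1\r\nHost: example\r\n\r\n"),
    Flow("10.0.0.7", "203.0.113.12", 443,  b"SSH-2.0-OpenSSH_5.1\r\n"),          # SSH on the HTTPS port
    Flow("10.0.0.7", "203.0.113.13", 443,  b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x01" + b"\x00" * 38),
    Flow("10.0.0.9", "203.0.113.14", 2525, b"220 mail.example.net ESMTP ready\r\n"),
]

if __name__ == "__main__":
    for f, by_port, by_content in find_mismatches(SAMPLE_FLOWS):
        print(f"{f.src}->{f.dst}:{f.dport} port says {by_port}, content says {by_content}")
    for f in SAMPLE_FLOWS:
        print(f.dport, classify_by_content(f), policy_decision(f, {"http", "tls"}))
```

With an allowed-application set of {"http", "tls"}, the SSH session on port 443 is denied and the real TLS ClientHello on the same port is allowed, which a port-based rule cannot distinguish; the HTTP request on 8080 and the SMTP banner on 2525 show the other direction, applications that a port table simply misses. Real classifiers look deeper than 64 bytes and at both directions of the flow, but the decision structure is the same.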

Open source projects are not the only ones who are using dynamic application identification concepts. A number of DLP vendors are using similar techniques to prevent data loss. DLP companies are not the only ones though. Companies like Cymphonix (and a few others) have been using these techniques for years before Palo Alto Networks started selling their next generation firewall.

This brings me to the main point of this blog... The concept of not relying on network ports and instead using deep content inspection to identify applications and stop malicious traffic is nothing new. It's been used in various shapes or forms for at least 5 years, and in some cases even more. That said, I want to point out that Palo Alto Networks is taking this and other existing concepts to a new level by combining them into a product that stands out.

The combination of the application identification technology with the other four features makes it a good product, and thanks to their high speed custom platform they are able to pull away from the pack. Of course, a good marketing spin has a lot to do with their success too :-)
Copyright © 2008 - Zimbio, Inc. Some rights reserved.