Striking a Balance Between Control and Protection

Matt Keil

Category: Uncategorized

Since we began shipping our firewall, we have heard from a small but vocal contingent that they should be allowed to do what they want at work. We see it in the comments on some of the articles about us and we have heard it from our customers once they have deployed our platform. The somewhat self-righteous responses are pretty funny, if you ask me. The employer is paying you to do a job and most likely it does not involve using P2P, watching 30 Rock on hulu, or chatting with friends or relatives in Italy via IM and/or VoIP. Granted, no one, including me, works 100% of the time.

As a reminder, our firewall, like all firewalls, defaults to deny all. It is up to the administrator to determine what to allow. The BIG difference of course is the fact that our firewall provides visibility into more than 800 applications. No one else can do this. What the customers do with the visibility into the applications is entirely up to them. The policy options are far greater than the traditional allow or deny. Some examples include:

• Allow or deny
• Allow but scan for threats
• Allow based on schedule
• Decrypt and inspect
• Apply traffic shaping
• Allow for certain users or groups
• Allow certain application functions
• Any combination of the above

Many of our customers are using our product to block the applications that pose obvious threats (P2P, circumventors, external proxies) and then establishing policies to enable the use of other applications that may not be corporate approved but do provide business benefits. A great example is Haworth Corporation, a $1.65 Billion manufacturer that wanted its employees to embrace social networking sites such as Facebook, LinkedIn, Twitter and others, the company didn’t want to accept unnecessarily the security risks that go with them.

Today’s employees assume they can use any application they want, irrespective of the risks they pose. Haworth, like many other Palo Alto Networks customers recognize this fact and are striking a balance between control and safe application usage.

3 Reader Comments

  1. Great post! I’ll subscribe right now wth my feedreader software!

  2. Hi, Matt
    I have one question about Application identification in Palo Alto networks products that is there any risk of leaking packet due to app identification? For example, the first packet has been identified as App X and along with others information this traffic matched policy 1# with allow action. So the 1st packet passed through the firewall. Then the second packet comes in firewall and being identified as App Y and it supposed may match policy 2# with deny action. So looks the 1st packet leaked to wrong destination which might be dropped at first time. Is it right? Thanks for your any feedback!


  3. mkeil

    we monitor the state of the sessions so we know which is which and only when that state changes do we re-apply the policy.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.