
Comparison summary

                              Palo Alto                               Check Point
NSS Labs Results -            33%                                     100%
Protects Against HTML
Evasions*
NSS Labs Results -            93%                                     98%
Overall Protection**
File Sharing Applications     170                                     531
Total Applications            1,511                                   4,733
Application Social            0                                       240,000+
Network Widgets
URL Filtering                 20 million on box                       100 million cloud based
Data Loss Prevention          9 file types and regular                532 file types plus file attributes,
                              expression match                        document templates, dictionaries,
                                                                      keywords and scripting language match
Anti-Bot                      < 1 million protections                 250 million addresses analyzed for
                              (signatures/ DNS/ URLs/ IPs);           bot discovery; unique multi-tier
                              reputation based protection             detection engine (reputation,
                                                                      signatures, mail activity and
                                                                      behavior based) with real-time
                                                                      security intelligence through
                                                                      ThreatCloud™

* NSS Labs NGFW Test, 2012
** NSS Labs IPS Test, 2012

-------------------------------------------------------------------------------------------------------------------------------------------------

PAN is focused on the application layer

The seven layers of the Open Systems Interconnection model divide networking and security into
discrete, manageable components. The SANS Institute and other leading security organizations
recognize that all of these layers must be understood to deliver complete security.
Palo Alto Networks' focus on the application layer can lead to more security exposures for its
customers. Check Point's balanced approach recognizes the importance of considering both the
application and network layers to assess all risks and deliver strong security.

"It is only when we can see our networks as individual components that we can adequately
secure these levels."

SANS Institute

----------------------------------------------------------------------------------------------------------------------------------------------------------

Palo Alto Networks' single pass architecture defaults to open all ports, leaving organizations
exposed to attack. Why? Because App-ID™ must see application-layer data before it can identify
and classify the application, so a connection has to be admitted before policy can be enforced
on it. For security, this is a big problem.

Why would you want to give attackers an advantage as they prepare a targeted attack? Attackers
scan ports to discover listening services and the vulnerabilities behind them. Because of Palo
Alto's focus on application inspection and App-ID™, the firewall must first allow a connection
in order to identify the application and enforce policy. That allows a port scan to divulge
details to the attacker about your configurations, devices and security. App-ID™ identifies the
application first, so it risks unnecessary security exposures.

The Palo Alto approach requires that traffic be allowed in order to determine the application,
something the Network World Clear Choice test noted "could easily result in unintended
consequences and insecure configurations – a valid concern."

--------------------------------------------------------------------------------------------------------------------------------

Palo Alto Networks' focus on its next generation firewall and the application layer also raises
a serious issue for compliance with the PCI Data Security Standard. Organizations spend enormous
resources preparing for pass-or-fail PCI audits. One of the clearly stated requirements in the
PCI DSS specification is that the organization deploy "stateful inspection" in the firewall.
According to Palo Alto, stateful inspection is being replaced with what it calls a "new core
technology called App-ID™." It would be very unfortunate for an organization to fail a PCI audit
because it made a bad firewall choice.

PCI DSS Requirements                                    Testing Procedures
1.3.6 Implement stateful inspection, also known as      1.3.6 Verify that the firewall performs stateful
dynamic packet filtering. (That is, only "established"  inspection (dynamic packet filtering). (Only
connections are allowed into the network.)              established connections should be allowed in, and
                                                        only if they are associated with a previously
                                                        established session.)

"Stateful inspection is being replaced with our new core technology called App-ID, which
identifies and classifies applications on the network regardless of port, protocol, evasive
tactic or SSL encryption."

CTO, Palo Alto Networks
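To make concrete what requirement 1.3.6 actually asks for, here is an added example (not from this document, and not the code of either vendor) that models a stateful connection table next to the older stateless heuristic of "inbound packet with the ACK bit set must be a reply to something we started". The packet class, the addresses and the five-packet scenario are constructed for the illustration; a real filter tracks far more TCP state than this.

```python
from dataclasses import dataclass


# Constructed packet model for the example (not a real packet parser).
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # subset of {"SYN", "ACK", "FIN", "RST"}
    inbound: bool         # True if the packet arrives from the untrusted side


def pkt(src, sport, dst, dport, *flags, inbound):
    return Packet(src, sport, dst, dport, frozenset(flags), inbound)


class AckBitFilter:
    """Stateless 'established' heuristic: any inbound packet carrying ACK is
    assumed to belong to a session we opened. There is no memory of sessions,
    so an attacker's bare ACK probe walks straight through."""

    def allow(self, p):
        return (not p.inbound) or ("ACK" in p.flags)


class StatefulFilter:
    """Dynamic packet filter: a connection table keyed by the flow tuple.
    Inbound packets are allowed only if they belong to a session already in
    the table (or open a session towards an explicitly published port)."""

    def __init__(self, published_ports=frozenset()):
        self.published_ports = published_ports
        self.table = {}   # flow key -> (state, opened_inbound)

    @staticmethod
    def _key(p):
        # Normalise direction so both halves of a flow share one key.
        return (p.dst, p.dport, p.src, p.sport) if p.inbound else (p.src, p.sport, p.dst, p.dport)

    def allow(self, p):
        key = self._key(p)
        entry = self.table.get(key)
        if entry is None:
            # Only a bare SYN may open a session: outbound always,
            # inbound only if the destination port is published.
            if p.flags == {"SYN"} and (not p.inbound or p.dport in self.published_ports):
                self.table[key] = ("SYN_SENT", p.inbound)
                return True
            return False   # unsolicited ACK / FIN / RST: no session, drop
        state, opened_inbound = entry
        if state == "SYN_SENT" and p.flags == {"SYN", "ACK"} and p.inbound != opened_inbound:
            self.table[key] = ("ESTABLISHED", opened_inbound)
        if "RST" in p.flags:
            del self.table[key]   # real trackers also follow FIN teardown and age entries out
        return True


# Constructed scenario: one legitimate outbound HTTPS handshake, then two
# probes from an outside host against an unpublished inside port.
INSIDE, SERVER, ATTACKER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
SCENARIO = [
    ("outbound SYN",       pkt(INSIDE, 40001, SERVER, 443, "SYN", inbound=False)),
    ("reply SYN-ACK",      pkt(SERVER, 443, INSIDE, 40001, "SYN", "ACK", inbound=True)),
    ("outbound ACK",       pkt(INSIDE, 40001, SERVER, 443, "ACK", inbound=False)),
    ("attacker SYN to 22", pkt(ATTACKER, 5555, INSIDE, 22, "SYN", inbound=True)),
    ("attacker ACK probe", pkt(ATTACKER, 5556, INSIDE, 22, "ACK", inbound=True)),
]


def verdicts(fw, scenario=SCENARIO):
    """Feed the scenario through a filter in order; return allow/drop per packet."""
    return {name: fw.allow(p) for name, p in scenario}
```

Running `verdicts(StatefulFilter())` drops both probes, while `verdicts(AckBitFilter())` admits the ACK probe: the filter had no record of a session with 198.51.100.7, and that record, not a flag bit, is what "only established connections are allowed in" means.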


--------------------------------------------------------------------------------------------------------------------------------

Palo Alto Networks is vulnerable to cache poisoning. For example, a Session Initiation Protocol
(SIP) connection, or a connection for any other protocol, can be used as a channel for attacking
a company's internal networks. The SIP session could initially be blocked correctly, but by
taking advantage of the cache poisoning vulnerability it could bypass a Palo Alto firewall. The
vulnerability could be exploited as follows:
1. HTTP is allowed by firewall policy.
2. Opening a SIP session, as typically used for VoIP communications, is correctly blocked.
3. HTTP traffic is generated until the cache hits its threshold, after which traffic continues
   to pass through the cache but is no longer inspected by the firewall.
4. The HTTP connection is switched to SIP, which is then allowed, exposing you to risk.
Strong security products do not allow cache poisoning, and a strong firewall never stops
inspecting network traffic.
Source: Defcon 2011, Brad Woodberg, Juniper Networks

--------------------------------------------------------------------------------------------------------------------------------
Product       IP Packet       TCP Stream      RPC             URL            HTML       FTP        Total
              Fragmentation   Segmentation    Fragmentation   Obfuscation    Evasion    Evasion
Check Point   100%            100%            100%            100%           100%       100%       100%

Source: NSS Labs NGFW Test, 2012

Product       Client Protection   Server Protection   Overall Protection
Check Point   99%                 97%                 98.3%

Source: NSS Labs IPS Test, 2012
NSS Labs has released the results of its 2012 IPS Group Test, which reviewed Intrusion
Prevention System products from eight vendors. Once again, the Check Point IPS performed
exceptionally well in the tests, demonstrating top-ranked IPS protection. The Check Point 12600
Appliance IPS protected against 100% of the evasion techniques attempted by NSS Labs.
"Resistance to known evasion techniques was perfect... IP fragmentation, TCP stream
segmentation, RPC fragmentation, URL obfuscation, HTML Evasion and FTP evasion all failed to
trick the product into ignoring valid attacks. Not only were the fragmented and obfuscated
attacks blocked successfully, but all of them were also decoded accurately."
The Check Point IPS scored an overall protection rating of 98.3%, improving on its 97.3%
overall protection rating from the 2011 NSS Labs IPS test.
Highlights of Check Point's performance in the NSS IPS Group Test include:
- Superior security
- Top of the pack with an overall protection score of 98.3%
- Strong security with 100% coverage of evasion techniques
- A top score for server protection, 97%
- Best in class management system that is robust and granular
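Two of the evasion categories in the table above, TCP stream segmentation and URL obfuscation, are easy to see in code. The following Python is an added example; it is not part of this document and not the code of any product NSS Labs tested. It reassembles out-of-order TCP segments, canonicalises the request path the way the target server would, and only then matches a signature, and it contrasts that with a per-packet literal byte match. The signature string, the request and the segment split are constructed for the illustration.

```python
import re
from urllib.parse import unquote

# Constructed signature for the example: a request that reaches /etc/passwd.
SIGNATURE = "/etc/passwd"


def reassemble(segments):
    """Rebuild a byte stream from (seq, payload) TCP segments that may arrive
    out of order or overlap. For overlapping bytes the first-seen copy wins;
    real stacks differ on this policy, which is itself a known evasion vector."""
    stream = {}
    for seq, payload in segments:
        for offset, byte in enumerate(payload):
            stream.setdefault(seq + offset, byte)
    if not stream:
        return b""
    out = bytearray()
    pos = min(stream)
    while pos in stream:          # stop at the first gap in the sequence space
        out.append(stream[pos])
        pos += 1
    return bytes(out)


def normalize_path(path):
    """Canonicalise a URL path as the server will interpret it: bounded repeated
    percent-decoding (defeats %252e double encoding), backslash to slash, and
    resolution of '.' and '..' segments."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    parts = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def request_path(stream):
    """Extract the request-target from the first line of an HTTP request."""
    line = stream.split(b"\r\n", 1)[0].decode("latin-1")
    m = re.match(r"[A-Z]+ (\S+) HTTP/1\.[01]$", line)
    return m.group(1) if m else None


def naive_match(segments):
    """What a per-packet literal byte matcher sees: each segment on its own."""
    return any(SIGNATURE.encode() in payload for _, payload in segments)


def inspect(segments):
    """Reassemble, then decode, then match."""
    path = request_path(reassemble(segments))
    return path is not None and SIGNATURE in normalize_path(path)


# Constructed attack: traversal with percent-encoded dots and one encoded letter,
# delivered as two out-of-order segments split in the middle of the URL.
REQUEST = b"GET /%2e%2e/%2e%2e/etc/%70asswd HTTP/1.0\r\nHost: victim\r\n\r\n"
SEGMENTS = [(1020, REQUEST[20:]), (1000, REQUEST[:20])]
```

`naive_match(SEGMENTS)` is False, because neither segment contains the literal bytes and the encoded form never matches anyway; `inspect(SEGMENTS)` is True. "Decoded accurately" in the NSS quotation refers to exactly this reassemble-and-canonicalise step happening before the signature is consulted.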

-------------------------------------------------------------------------------------------------------------------------


- Check Point tracks more than 531 file sharing apps (a critical application category for
  enterprises); Palo Alto tracks 170.
- Check Point tracks more than 4,733 total apps; Palo Alto tracks 1,511.
- Check Point tracks almost a quarter million widgets; Palo Alto tracks 0.
Check Point tracks more apps and provides extra granularity of protection, because attacks on
widgets and configurations go after the individual or specific capabilities of some applications.
Palo Alto is supposed to be an "application security expert," so wouldn't you expect its focus
on the application layer to provide a complete solution? Consider three prominent examples:
Poison Ivy, Access Remote PC and Anyplace Control. Check Point has application controls for all
three; Palo Alto has none.
The numbers tell the story. Unfortunately, business owners using Palo Alto are left on their own
to figure out what to do with untracked apps.

Palo Alto's limited application coverage is a visibility and security issue.

--------------------------------------------------------------------------------------------------------------------------

- NO examination of data in PDF; only 9 file formats are supported
- NO identification of non-English characters in .docx (Office 2007 and above documents)
- NO protection for customer lists or any dictionary larger than 350 items
- NO protection for personally identifiable information other than US SSN and CCN
- NO protection for HIPAA, GLBA, SEC filings
- NO protection for source code, CAD-CAM, ASIC or FPGA designs, patent filings
- NO validation for IBAN, tax numbers, service request numbers, etc.
The Palo Alto solution provides incomplete visibility for protecting information and inspecting
content. Its technology has limited ability to deeply inspect a variety of file formats and data
types beyond the basics. Why risk your critical corporate data or intellectual property with
Palo Alto Networks? Check Point provides you with complete visibility and comprehensive
protection.
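The last item in the list above turns on the difference between matching a pattern and validating it. As an added illustration (not from this document, and not either vendor's DLP engine), the following Python runs a two-stage check for payment card numbers and IBANs: a regular expression finds candidates, then a Luhn check or the ISO 13616 mod-97 check keeps only the structurally valid ones. The sample text, the regexes and the function names are constructed for the example; the card number is a well-known test number and the IBAN is the standard GB example, with a last digit altered for the invalid case.

```python
import re

# Pattern stage: cheap, but matches any plausible-looking digit or alnum run.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")


def luhn_ok(digits):
    """Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban):
    """ISO 13616 mod-97 check: move the first four characters to the end, map
    letters A..Z to 10..35, and the resulting integer modulo 97 must be 1."""
    iban = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    as_number = int("".join(str(int(c, 36)) for c in rearranged))
    return as_number % 97 == 1


def scan(text):
    """Return the raw pattern hits and the subset that survive validation."""
    card_hits = [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]
    iban_hits = [m.group().replace(" ", "") for m in IBAN_RE.finditer(text)]
    return {
        "card_pattern_hits": card_hits,
        "cards_validated": [c for c in card_hits if luhn_ok(c)],
        "iban_pattern_hits": iban_hits,
        "ibans_validated": [i for i in iban_hits if iban_ok(i)],
    }


# Constructed sample: one valid test card number, one that fails Luhn, the
# standard GB example IBAN, and the same IBAN with its last digit altered.
SAMPLE = ("Paid with 4111 1111 1111 1111; ref 4111111111111112.\n"
          "Beneficiary GB82 WEST 1234 5698 7654 32 (not GB82 WEST 1234 5698 7654 33).")
```

On `SAMPLE`, the card regex also fires on the digit runs inside both IBANs, so the pattern stage reports more card hits than the validation stage keeps; the validated lists contain exactly one card and one IBAN. That gap between pattern hits and validated hits is the false-positive load an analyst otherwise has to clear by hand.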

"We found that the file blocking was easily fooled. For example, putting a file into a zip
archive effectively hid the file type, as did changing the first few bytes of the file (by adding
blank lines) and, in one case, changing the filename—which we didn't expect to work."

August 2011
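All three tricks in the quotation above (archive wrapping, leading junk bytes, renaming) defeat a checker that trusts the filename or only looks at offset 0. As an added example, not from this document and not the code of either vendor, the following Python classifies a file by its content, tolerates leading junk before a PDF header, and descends into zip containers. The magic-byte table, the sample payloads and the function names are constructed for the illustration.

```python
import io
import zipfile

# Leading-byte signatures (a constructed subset for the example).
MAGIC = {
    b"PK\x03\x04": "zip",        # also docx/xlsx/jar: they are zip containers
    b"MZ": "exe",
    b"\x7fELF": "elf",
    b"\x89PNG\r\n\x1a\n": "png",
}


def sniff(data):
    """Classify content by its bytes, never by its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    # PDF readers accept up to 1024 bytes of junk before the header, so a
    # checker that only looks at offset 0 is beaten by prepended blank lines.
    if b"%PDF-" in data[:1024]:
        return "pdf"
    return "unknown"


def classify(data, depth=0, max_depth=3):
    """Set of content types present, descending into zip containers."""
    kind = sniff(data)
    found = {kind}
    if kind == "zip" and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > 8 * 1024 * 1024:   # crude zip-bomb guard
                        found.add("oversize")
                        continue
                    found |= classify(zf.read(info), depth + 1, max_depth)
        except zipfile.BadZipFile:
            found.add("malformed-zip")
    return found


def blocked_by_extension(name, policy=("exe", "elf")):
    """The weak check: trusts the client-supplied filename."""
    return name.rsplit(".", 1)[-1].lower() in policy


def blocked_by_content(data, policy=frozenset({"exe", "elf"})):
    """The content check: blocks if any nested component is a banned type."""
    return bool(classify(data) & policy)


def make_zip(name, payload):
    """Build an in-memory zip holding one entry (used to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a fake PE stub and a PDF with blank lines prepended.
EXE_STUB = b"MZ" + b"\x00" * 62
PADDED_PDF = b"\n\n\n%PDF-1.4\n%%EOF\n"
```

`blocked_by_extension("report.pdf")` is False even when the bytes are `EXE_STUB`, while `blocked_by_content` catches the stub directly, inside a zip, and inside a zip inside a zip; `sniff(PADDED_PDF)` still reports "pdf" despite the leading newlines. The recursion limit and size guard matter in practice: an unbounded unpacker is its own denial-of-service target.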

"PAN's promised functionality does not translate to reality in real-world deployments."

Leading Online Investment Firm

"PAN's solution is full of holes."

International Film School


--------------------------------------------------------------------------------------------------------------------------
Palo Alto Networks has no built-in central monitoring tools for VPN configuration. With Palo
Alto Networks, each tunnel is configured separately. A mesh of 30 gateways requires manual
set-up of 870 tunnel configurations!

Here's one example of a gap in Palo Alto's security management: its configuration and
management of Virtual Private Networks. When setting up VPNs, tunnels must be defined for the
VPN connectivity. When configuring Palo Alto VPNs, you are required to manually configure the
gateways for each tunnel. For a full mesh of 30 security gateways, that is 30 × 29 = 870 tunnel
configurations, since each of the 435 gateway pairs must be configured at both ends. You would
need to configure each one by hand and develop scripts to stitch them together. Palo Alto does
not have built-in centralized monitoring tools for VPN configuration. Obviously, the manual
effort required by Palo Alto will make large deployments very difficult.
As noted in its latest Next Generation Firewall product review by Network World: "Large VPN
deployments will not want to move to Palo Alto…any large deployment would have to be built
entirely by hand".
Check Point offers 1-click VPN configuration, which automates the process and improves your
productivity. With Check Point, there is no need to manually build and configure 870 individual
VPN tunnel configurations! And our SmartView Monitor provides complete visibility into online
tunnel status and VPN counters.
