                                   Palo Alto Networks                 Check Point
NSS Labs Results - Protects        33%                                100%
Against HTML Evasions*
NSS Labs Results - Overall         93%                                98%
Protection**
File Sharing Applications          170                                531
Social Network Widgets             0                                  240,000+
Data Loss Prevention               9 file types and regular           532 file types plus file attributes,
                                   expression match                   document templates, dictionaries,
                                                                      keywords and scripting language match
-------------------------------------------------------------------------------------------------------------------------------------------------
SANS Institute
----------------------------------------------------------------------------------------------------------------------------------------------------------
Palo Alto Networks' single pass architecture defaults to open all ports, leaving organizations exposed to attacks. Why? Because its App-ID™ needs to interact with the application so it can be identified and classified. For security, this is a big problem.

Why would you want to provide attackers an advantage as they prepare a targeted attack? Attackers scan ports to discover vulnerabilities. Because of Palo Alto's focus on application inspection and App-ID™, it must first allow a connection to identify the application to enforce policy. This insecurity allows a port scan to divulge details to the attacker about your configurations, devices and security. App-ID™ focuses on identifying the application first, so it risks unnecessary security exposures.

The Palo Alto approach requires that traffic be allowed to determine the application, something the Network World Clear Choice test noted "could easily result in unintended consequences and insecure configurations – a valid concern."
--------------------------------------------------------------------------------------------------------------------------
PCI DSS Requirement 1.3.6: Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.)
Testing procedure 1.3.6: Verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.)
Palo Alto Networks is vulnerable to cache poisoning. For example, a Session Initiation Protocol (SIP) or any other protocol connection can be used as a channel for attacking a company's internal networks. The SIP session could initially be blocked accurately, but by taking advantage of the cache poisoning vulnerability, the SIP session could bypass a Palo Alto firewall. The vulnerability could be exploited as follows:
1. HTTP is allowed with firewall policy
2. Opening a SIP session typically used with VoIP communications is correctly blocked
3. Generating HTTP traffic that causes the cache to hit its threshold – meaning traffic continues going through the cache but is no longer inspected by the firewall
4. Switching the HTTP connection to SIP, which is then allowed – and exposes you to risk
Strong security products do not allow cache poisoning, and a strong firewall will never stop inspecting network traffic.
Source: Defcon 2011, Brad Woodberg, Juniper Networks
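The fail-open cache behaviour the four steps describe, next to a fail-closed design that never stops inspecting, as an added illustrative model in Python; it is not Check Point's, Palo Alto Networks' or the Defcon talk's code, and `identify`, `CACHE_THRESHOLD`, the flow ids and the payloads are constructed stand-ins for a real inspection engine and real traffic.

```python
from collections import OrderedDict

ALLOWED_APPS = {"http"}   # policy from the text: HTTP allowed, SIP blocked
CACHE_THRESHOLD = 4       # constructed: tiny so the scenario can fill the cache

def identify(payload: bytes) -> str:
    """Constructed stand-in for an inspection engine: classify by leading bytes."""
    if payload.startswith((b"GET ", b"POST ")):
        return "http"
    if payload.startswith((b"INVITE ", b"REGISTER ")):
        return "sip"
    return "unknown"

class FailOpenFirewall:
    """Weak design: once the cache reaches its threshold, packets on a flow it
    already knows pass on the cached verdict and are never inspected again."""
    def __init__(self):
        self.cache = OrderedDict()              # flow id -> app identified earlier
    def permit(self, flow: str, payload: bytes) -> bool:
        if flow in self.cache and len(self.cache) >= CACHE_THRESHOLD:
            return self.cache[flow] in ALLOWED_APPS   # stale verdict, no inspection
        app = identify(payload)
        self.cache[flow] = app
        return app in ALLOWED_APPS

class FailClosedFirewall:
    """Hardened design: every packet is inspected; the cache only records the app
    last seen per flow, evicts the oldest entry when full, and counts switches."""
    def __init__(self):
        self.cache = OrderedDict()
        self.switches = 0                       # mid-flow protocol changes, worth alerting on
    def permit(self, flow: str, payload: bytes) -> bool:
        app = identify(payload)                 # inspection never switches off
        if flow in self.cache and self.cache[flow] != app:
            self.switches += 1                  # an HTTP flow turning into SIP is notable
        elif flow not in self.cache and len(self.cache) >= CACHE_THRESHOLD:
            self.cache.popitem(last=False)      # evict the oldest entry instead of failing open
        self.cache[flow] = app
        return app in ALLOWED_APPS

def run_scenario(fw) -> bool:
    """Replays the four steps from the text; True means the SIP payload got through."""
    sip = b"INVITE sip:bob@example.test SIP/2.0\r\n"
    fw.permit("flow-0", b"GET / HTTP/1.1\r\n")    # step 1: HTTP is allowed by policy
    fw.permit("flow-sip", sip)                   # step 2: a fresh SIP flow is blocked
    for n in range(len(fw.cache), CACHE_THRESHOLD):   # step 3: HTTP until the cache hits its threshold
        fw.permit(f"pad-{n}", b"GET /pad HTTP/1.1\r\n")
    return fw.permit("flow-0", sip)             # step 4: switch the HTTP flow to SIP
```

The lesson for any inspection cache is the one the text states: a full cache must degrade to eviction and re-inspection, never to "allow on the last verdict".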
--------------------------------------------------------------------------------------------------------------------------
[Table: evasion test results by product; columns: IP Packet Fragmentation, TCP Stream Segmentation, RPC Fragmentation, URL Obfuscation, HTML Evasion, FTP Evasion, Total. Only the header survived extraction; no per-product rows are present.]
-------------------------------------------------------------------------------------------------------------------------
Check Point tracks more than 531 file sharing apps (a critical application category for enterprises), Palo Alto tracks 170.
Check Point tracks more than 4,733 total apps, Palo Alto tracks 1,511.
Check Point tracks almost a quarter million widgets, Palo Alto tracks 0.

Check Point tracks more apps, and provides extra granularity of protection because attacks on widgets and configurations go after the individual or specific capabilities of some applications. Palo Alto is supposed to be an "application security expert," so wouldn't you expect its focus on the application layer to provide a complete solution? Consider three prominent examples: Poison Ivy, Access Remote PC and Anyplace Control. Check Point has application controls for all three; Palo Alto has none.

The numbers tell the story. Unfortunately, business owners using Palo Alto are left on their own to figure out what to do with untracked apps.
--------------------------------------------------------------------------------------------------------------------------
We found that the file blocking was easily fooled. For example, putting a file into a zip archive effectively hid the file type, as did changing the first few bytes of the file (by adding blank lines) and, in one case, changing the filename—which we didn't expect to work.
August 2011
Here's one example of a gap in Palo Alto's security management: its configuration and management of Virtual Private Networks. When setting up VPNs, tunnels must be defined for the VPN connectivity. When configuring Palo Alto VPNs, you are required to manually configure gateways for each tunnel. For 30 security gateways, this would require 870 tunnels. You would need to manually configure each one and develop scripts to stitch them together. Palo Alto does not have built-in centralized monitoring tools for VPN configuration.

Obviously, the manual effort required by Palo Alto will make large deployments very difficult. As noted in its latest Next Generation Firewall product review by Network World: "Large VPN deployments will not want to move to Palo Alto…any large deployment would have to be built entirely by hand".

Check Point offers 1-click VPN configuration, which automates the process and improves your productivity. With Check Point, there is no need to manually build and configure 870 individual VPN tunnels! And our SmartView Monitor provides complete visibility into online tunnel status and VPN counters.