

Next-Gen Firewall To Offer Limited Data Loss Prevention Capabilities

Palo Alto Networks devices can detect credit card, Social Security numbers on the fly -- and stop them from leaving the corporate net

Upstart vendor Palo Alto Networks says it has developed a next-generation firewall feature that can do some of the same tasks as more complex and expensive data loss prevention (DLP) packages -- for free.

Palo Alto Networks, which offers a next-generation, application-level firewall, says it will announce next week a new feature that can identify and block the egress of personal information -- such as Social Security and credit card numbers -- to prevent such data from ever leaving the enterprise.

The application-level firewall also can block some unauthorized applications that may lead to internal data leaks, such as peer-to-peer apps, the company says.

The new capabilities, which are being offered as a free upgrade to Palo Alto's PA-2000 and PA-4000 series firewalls, essentially turn the boxes into a poor man's DLP tool, providing the means to detect Social Security and credit card numbers that are transmitted via any application -- including e-mail -- and block or quarantine the traffic before it can exit the corporate network. The firewalls can also be tuned to detect other sensitive data formats, such as customer account numbers.
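As an added illustration (not Palo Alto's code or anything from the article), a minimal scanner of the kind such an in-transit check needs: candidate card numbers are confirmed with a Luhn checksum to cut false positives, SSNs are matched in dashed form, and a caller-supplied pattern stands in for a site-specific customer account number format. The payload and the ACCT- format are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample of outbound application traffic (e.g. a reservation
# request body); every value is synthetic test data, not from the article.
SAMPLE_PAYLOAD = (
    "guest=J. Doe&card=4111 1111 1111 1111&ssn=123-45-6789"
    "&ref=ACCT-00042917&note=call 555-123-4567&bad=4111111111111112"
)

# Candidate primary account numbers: 13-16 digits, optional space/hyphen groups.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# US SSN in dashed form; rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str, extra_patterns: Optional[dict] = None) -> list:
    """Return (category, matched_text) pairs for card numbers, SSNs and any
    site-specific formats (e.g. account numbers) supplied by the caller."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("credit_card", m.group()))
    hits += [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for name, pattern in (extra_patterns or {}).items():
        hits += [(name, m.group()) for m in re.finditer(pattern, text)]
    return hits


def policy_action(text: str, extra_patterns: Optional[dict] = None) -> str:
    """Egress decision for one plaintext payload: 'block' on any hit, else 'allow'."""
    return "block" if find_sensitive(text, extra_patterns) else "allow"


if __name__ == "__main__":
    # Hypothetical account number format, tuned per site as the article describes.
    custom = {"account_number": r"\bACCT-\d{8}\b"}
    for hit in find_sensitive(SAMPLE_PAYLOAD, custom):
        print(hit)
    print(policy_action(SAMPLE_PAYLOAD, custom))
```

Note that this only works on plaintext the device can see; an encrypted attachment or an unstructured document yields no hits, which is exactly the limitation the vendor concedes below.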

"We're not saying we're a DLP vendor, or that we can do all the things a DLP package can do to protect data at rest or with complex intellectual property information," says Chris King, director of marketing at Palo Alto Networks. "What we're saying is that we've got a simple, fast way to do what 90 percent of companies want DLP for -- to keep customer, credit, or personal data from going out the door."

The Palo Alto package already has a few early customers that are using it in place of a more expensive, resource-intensive DLP solution. Sonesta Hotels, for example, is using the new feature to help filter credit card data out of its reservations application traffic, effectively preventing such data from passing beyond the hotel network.

"Like many organizations, we are increasingly concerned about safeguarding the personal information in our care," says Carol Campbell Beggs, vice president of technology for Sonesta Hotels. "By seeing and managing which applications are on our networks, and scanning those applications for confidential data or malicious content, we can ensure our data is managed appropriately. The fact that we can now do this in a firewall means that we can prevent issues, instead of potentially not finding out about a problem until months later."

The new Palo Alto technology can't do everything a DLP package can do, officials concede. It can't detect or filter complex or unstructured data, such as corporate secrets or marketing plans. It can't read files that are encrypted using proprietary keys, such as those that might pass as attachments through e-mail. And it can't detect access of data at rest, such as the information sitting on enterprise databases or storage arrays. It works only on data that is in transit through the network and which passes through the firewall.

"We intentionally tried to keep it stupid-simple," King says. "We're not trying to do everything that the DLP vendors can do. What we saw is that there are a lot of companies out there that, at least for the near term, are really only concerned about protecting personal data. But they don't have $300,000 and 18 months to deploy a full-blown DLP solution. For enterprises that only need to worry about those simple types of data, this is actually a more effective solution -- because it catches everything that comes through the network, from any application -- and it's free."

King concedes that the new feature won't necessarily help enterprises meet all of the regulatory requirements for handling personal or credit card data, such as those defined under the Payment Card Industry Data Security Standard (PCI-DSS) compliance mandate. "It supports the spirit of the PCI requirements, but not the letter of PCI," he says. "But if the PCI [Council] had known there would be a way to scan the network for credit card data, who knows? Maybe they'd have required it."

The new capabilities require the deployment of Palo Alto firewalls, which can be installed alongside standard firewalls or can replace them, officials say. The PA-4050 supports up to 10-Gbps throughput and lists at US$60,000; the PA-4020 supports up to 2-Gbps throughput and lists at US$35,000.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
