Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Next-Gen Firewall To Offer Limited Data Loss Prevention Capabilities

Palo Alto Networks devices can detect credit card, Social Security numbers on the fly -- and stop them from leaving the corporate net

Upstart vendor Palo Alto Networks says it has developed a next-generation firewall feature that can do some of the same tasks as more complex and expensive data loss prevention (DLP) packages -- for free.

Palo Alto Networks, which offers a next-generation, application-level firewall, says it will announce next week a new feature that can identify and block the egress of personal information -- such as Social Security and credit card numbers -- to prevent such data from ever leaving the enterprise.

The application-level firewall also can block some unauthorized applications that may lead to internal data leaks, such as peer-to-peer apps, the company says.

The new capabilities, which are being offered as a free upgrade to Palo Alto's PA-2000 and PA-4000 series firewalls, essentially turn the boxes into a poor man's DLP tool, providing the means to detect Social Security and credit card numbers that are transmitted via any application -- including e-mail -- and block or quarantine the traffic before it can exit the corporate network. The firewalls can also be tuned to detect other sensitive data formats, such as customer account numbers.

"We're not saying we're a DLP vendor, or that we can do all the things a DLP package can do to protect data at rest or with complex intellectual property information," says Chris King, director of marketing at Palo Alto Networks. "What we're saying is that we've got a simple, fast way to do what 90 percent of companies want DLP for -- to keep customer, credit, or personal data from going out the door."

The Palo Alto package already has a few early customers that are using it in place of a more expensive, resource-intensive DLP solution. Sonesta Hotels, for example, is using the new feature to help filter credit card data out of its reservations application traffic, effectively preventing such data from passing beyond the hotel network.

"Like many organizations, we are increasingly concerned about safeguarding the personal information in our care," says Carol Campbell Beggs, vice president of technology for Sonesta Hotels. "By seeing and managing which applications are on our networks, and scanning those applications for confidential data or malicious content, we can ensure our data is managed appropriately. The fact that we can now do this in a firewall means that we can prevent issues, instead of potentially not finding out about a problem until months later."

The new Palo Alto technology can't do everything a DLP package can do, officials concede. It can't detect or filter complex or unstructured data, such as corporate secrets or marketing plans. It can't read files that are encrypted using proprietary keys, such as those that might pass as attachments through e-mail. And it can't detect access of data at rest, such as the information sitting on enterprise databases or storage arrays. It works only on data that is in transit through the network and which passes through the firewall.

"We intentionally tried to keep it stupid-simple," King says. "We're not trying to do everything that the DLP vendors can do. What we saw is that there are a lot of companies out there that, at least for the near term, are really only concerned about protecting personal data. But they don't have $300,000 and 18 months to deploy a full-blown DLP solution. For enterprises that only need to worry about those simple types of data, this is actually a more effective solution -- because it catches everything that comes through the network, from any application -- and it's free."

King concedes that the new feature won't necessarily help enterprises meet all of the regulatory requirements for handling personal or credit card data, such as those defined under the Payment Card Industry Data Security Standard (PCI-DSS) compliance mandate. "It supports the spirit of the PCI requirements, but not the letter of PCI," he said. "But if the PCI [Council] had known there would be a way to scan the network for credit card data, who knows? Maybe they'd have required it."

The new capabilities require the deployment of Palo Alto firewalls, which can be installed alongside standard firewalls or can replace them, officials say. The PA-4050 supports up to 10-Gbps throughput and lists at US$60,000; the PA-4020 supports up to 2-Gbps throughput and lists at US$35,000.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
PUBLISHED: 2020-03-27
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
PUBLISHED: 2020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.