Dark Reading is part of the Informa Tech Division of Informa PLC

Next-Gen Firewall To Offer Limited Data Loss Prevention Capabilities

Palo Alto Networks devices can detect credit card, Social Security numbers on the fly -- and stop them from leaving the corporate net

Upstart vendor Palo Alto Networks says it has developed a next-generation firewall feature that can do some of the same tasks as more complex and expensive data loss prevention (DLP) packages -- for free.

Palo Alto Networks, which offers a next-generation, application-level firewall, says it will announce next week a new feature that can identify and block the egress of personal information -- such as Social Security and credit card numbers -- to prevent such data from ever leaving the enterprise.

The application-level firewall also can block some unauthorized applications that may lead to internal data leaks, such as peer-to-peer apps, the company says.

The new capabilities, which are being offered as a free upgrade to Palo Alto's PA-2000 and PA-4000 series firewalls, essentially turn the boxes into a poor man's DLP tool, providing the means to detect Social Security and credit card numbers that are transmitted via any application -- including e-mail -- and block or quarantine the traffic before it can exit the corporate network. The firewalls can also be tuned to detect other sensitive data formats, such as customer account numbers.
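The detection the article describes is pattern matching over each application payload in transit, with extra validation so that ordinary digit runs are not flagged, plus site-tuned formats. The following is an added illustration of that kind of content-inspection logic; it is not Palo Alto Networks' code and does not appear in the article, and the sample packets and the ACCT- account-number format are constructed for the example.

```python
import re
from collections import namedtuple

# Candidate card numbers: 13 to 19 digits, optionally grouped by spaces or dashes.
CARD_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
# US Social Security numbers in the usual AAA-GG-SSSS layout.
SSN_RE = re.compile(r"(?<![0-9])([0-9]{3})-([0-9]{2})-([0-9]{4})(?![0-9])")

def luhn_ok(digits: str) -> bool:
    # Luhn checksum separates real card numbers from arbitrary digit runs (order ids, timestamps).
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area: str, group: str, serial: str) -> bool:
    # Structural rules the SSA applies: area is never 000, 666 or 9xx; group never 00; serial never 0000.
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

# kind: "credit_card", "ssn" or a custom label; offset: position in payload; masked: log-safe form
Finding = namedtuple("Finding", "kind offset masked")

def scan_payload(payload: bytes, custom=None) -> list:
    # custom maps a label to a regex for site-specific formats such as customer account numbers.
    text = payload.decode("latin-1")  # byte-transparent, so any application encoding can be scanned
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(Finding("credit_card", m.start(), "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            found.append(Finding("ssn", m.start(), "***-**-" + m.group(3)))
    for label, pattern in (custom or {}).items():
        for m in re.finditer(pattern, text):
            found.append(Finding(label, m.start(), "<redacted>"))
    return found

def verdict(payload: bytes, custom=None) -> str:
    # Egress decision for one payload: block if any sensitive pattern is present, else allow.
    return "block" if scan_payload(payload, custom) else "allow"

# Constructed sample traffic. 4111... is the widely published Visa test number, not a real card.
RESERVATION = b"POST /book HTTP/1.1\r\n\r\nguest=A.+Smith&card=4111 1111 1111 1111&exp=1225"
ORDER_STATUS = b"GET /status?order=1234567890123&ref=000-12-3456 HTTP/1.1"  # looks sensitive, is not
PAYROLL = b"employee=J.+Doe&ssn=123-45-6789&acct=ACCT-20481133"
ACCOUNT_FORMATS = {"customer_account": r"\bACCT-[0-9]{8}\b"}  # a tuned, site-specific format
```

The order-status request carries a 13-digit order id and a 000-prefixed reference, and both pass the regexes but fail the validation rules, which is the difference between a usable egress filter and one that blocks half the site's traffic.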

"We're not saying we're a DLP vendor, or that we can do all the things a DLP package can do to protect data at rest or with complex intellectual property information," says Chris King, director of marketing at Palo Alto Networks. "What we're saying is that we've got a simple, fast way to do what 90 percent of companies want DLP for -- to keep customer, credit, or personal data from going out the door."

The Palo Alto package already has a few early customers that are using it in place of a more expensive, resource-intensive DLP solution. Sonesta Hotels, for example, is using the new feature to help filter credit card data out of its reservations application traffic, effectively preventing such data from passing beyond the hotel network.

"Like many organizations, we are increasingly concerned about safeguarding the personal information in our care," says Carol Campbell Beggs, vice president of technology for Sonesta Hotels. "By seeing and managing which applications are on our networks, and scanning those applications for confidential data or malicious content, we can ensure our data is managed appropriately. The fact that we can now do this in a firewall means that we can prevent issues, instead of potentially not finding out about a problem until months later."

The new Palo Alto technology can't do everything a DLP package can do, officials concede. It can't detect or filter complex or unstructured data, such as corporate secrets or marketing plans. It can't read files that are encrypted using proprietary keys, such as those that might pass as attachments through e-mail. And it can't detect access of data at rest, such as the information sitting on enterprise databases or storage arrays. It works only on data that is in transit through the network and which passes through the firewall.

"We intentionally tried to keep it stupid-simple," King says. "We're not trying to do everything that the DLP vendors can do. What we saw is that there are a lot of companies out there that, at least for the near term, are really only concerned about protecting personal data. But they don't have $300,000 and 18 months to deploy a full-blown DLP solution. For enterprises that only need to worry about those simple types of data, this is actually a more effective solution -- because it catches everything that comes through the network, from any application -- and it's free."

King concedes that the new feature won't necessarily help enterprises meet all of the regulatory requirements for handling personal or credit card data, such as those defined under the Payment Card Industry Data Security Standard (PCI-DSS) compliance mandate. "It supports the spirit of the PCI requirements, but not the letter of PCI," he says. "But if the PCI [Council] had known there would be a way to scan the network for credit card data, who knows? Maybe they'd have required it."

The new capabilities require the deployment of Palo Alto firewalls, which can be installed alongside standard firewalls or can replace them, officials say. The PA-4050 supports up to 10-Gbps throughput and lists at US$60,000; the PA-4020 supports up to 2-Gbps throughput and lists at US$35,000.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
