Palo Alto Networks devices can detect credit card, Social Security numbers on the fly -- and stop them from leaving the corporate net

Tim Wilson, Editor in Chief, Dark Reading, Contributor

December 9, 2008


Upstart vendor Palo Alto Networks says it has developed a next-generation firewall feature that can do some of the same tasks as more complex and expensive data loss prevention (DLP) packages -- for free.

Palo Alto Networks, which offers a next-generation, application-level firewall, says it will announce next week a new feature that can identify and block the egress of personal information -- such as Social Security and credit card numbers -- to prevent such data from ever leaving the enterprise.

The application-level firewall also can block some unauthorized applications that may lead to internal data leaks, such as peer-to-peer apps, the company says.

The new capabilities, which are being offered as a free upgrade to Palo Alto's PA-2000 and PA-4000 series firewalls, essentially turn the boxes into a poor man's DLP tool, providing the means to detect Social Security and credit card numbers that are transmitted via any application -- including e-mail -- and block or quarantine the traffic before it can exit the corporate network. The firewalls can also be tuned to detect other sensitive data formats, such as customer account numbers.
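To make concrete what "detecting credit card and Social Security numbers in transit" involves, here is a small added example in Python. It is an illustration written for this page, not Palo Alto Networks' code, and the article does not describe the firewall's actual matching logic; the regular expressions, the Luhn check, the SSN plausibility rules, the per-type policy (block card numbers, quarantine SSNs) and the sample traffic lines are all constructed here. The point it demonstrates is that a raw digit pattern alone produces false positives (a 16-digit order number), so a checksum and structural rules are what make such in-line scanning usable, and that an encrypted payload yields nothing to match, which is the limitation the article goes on to note.

```python
import re
from dataclasses import dataclass

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')
# US Social Security number in the common AAA-GG-SSSS form.
SSN_RE = re.compile(r'(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)')

# Constructed policy for this example: which action each data type triggers.
POLICY = {'credit_card': 'block', 'ssn': 'quarantine'}
SEVERITY = {'allow': 0, 'quarantine': 1, 'block': 2}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for SSNs: area 000/666/900+ and all-zero group or serial are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass
class Finding:
    kind: str     # 'credit_card' or 'ssn'
    masked: str   # value with all but the last four digits hidden, safe to log
    offset: int   # position in the payload


def scan(payload: str) -> list:
    """Return validated sensitive-data findings in one application payload."""
    findings = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r'[ -]', '', m.group())
        if luhn_ok(digits):
            findings.append(Finding('credit_card', '*' * (len(digits) - 4) + digits[-4:], m.start()))
    for m in SSN_RE.finditer(payload):
        if ssn_plausible(*m.groups()):
            findings.append(Finding('ssn', '***-**-' + m.group(3), m.start()))
    return findings


def decide(app: str, payload: str):
    """Apply POLICY to the scan result; the most severe action wins."""
    findings = scan(payload)
    action = 'allow'
    for f in findings:
        candidate = POLICY.get(f.kind, 'allow')
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return action, findings


# Constructed sample traffic: (application name, payload as seen by the firewall).
SAMPLE_TRAFFIC = [
    ('reservation-app', 'guest=J. Doe&card=4111 1111 1111 1111&exp=12/09'),
    ('smtp', 'Please update my file, SSN 123-45-6789, thanks'),
    ('order-system', 'order_id=1234567890123456 status=shipped'),   # 16 digits, fails Luhn
    ('smtp', 'attachment (encrypted): U2FsdGVkX1+hq9Zr'),            # nothing scannable
]

if __name__ == '__main__':
    for app, payload in SAMPLE_TRAFFIC:
        action, findings = decide(app, payload)
        print(f'{app:16} {action:10} {[f.masked for f in findings]}')
```

Only masked values are logged, since a detection log full of complete card numbers would itself be the data leak the control is meant to prevent.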

"We're not saying we're a DLP vendor, or that we can do all the things a DLP package can do to protect data at rest or with complex intellectual property information," says Chris King, director of marketing at Palo Alto Networks. "What we're saying is that we've got a simple, fast way to do what 90 percent of companies want DLP for -- to keep customer, credit, or personal data from going out the door."

The Palo Alto package already has a few early customers that are using it in place of a more expensive, resource-intensive DLP solution. Sonesta Hotels, for example, is using the new feature to help filter credit card data out of its reservations application traffic, effectively preventing such data from passing beyond the hotel network.

"Like many organizations, we are increasingly concerned about safeguarding the personal information in our care," says Carol Campbell Beggs, vice president of technology for Sonesta Hotels. "By seeing and managing which applications are on our networks, and scanning those applications for confidential data or malicious content, we can ensure our data is managed appropriately. The fact that we can now do this in a firewall means that we can prevent issues, instead of potentially not finding out about a problem until months later."

The new Palo Alto technology can't do everything a DLP package can do, officials concede. It can't detect or filter complex or unstructured data, such as corporate secrets or marketing plans. It can't read files that are encrypted using proprietary keys, such as those that might pass as attachments through e-mail. And it can't detect access of data at rest, such as the information sitting on enterprise databases or storage arrays. It works only on data that is in transit through the network and which passes through the firewall.

"We intentionally tried to keep it stupid-simple," King says. "We're not trying to do everything that the DLP vendors can do. What we saw is that there are a lot of companies out there that, at least for the near term, are really only concerned about protecting personal data. But they don't have $300,000 and 18 months to deploy a full-blown DLP solution. For enterprises that only need to worry about those simple types of data, this is actually a more effective solution -- because it catches everything that comes through the network, from any application -- and it's free."

King concedes that the new feature won't necessarily help enterprises meet all of the regulatory requirements for handling personal or credit card data, such as those defined under the Payment Card Industry Data Security Standard (PCI-DSS) compliance mandate. "It supports the spirit of the PCI requirements, but not the letter of PCI," he says. "But if the PCI [Council] had known there would be a way to scan the network for credit card data, who knows? Maybe they'd have required it."

The new capabilities require the deployment of Palo Alto firewalls, which can be installed alongside standard firewalls or can replace them, officials say. The PA-4050 supports up to 10-Gbps throughput and lists at US$60,000; the PA-4020 supports up to 2-Gbps throughput and lists at US$35,000.


About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

