Compare Palo Alto with Checkpoint from Checkpoint website based on NSS Labs results:
| Palo Alto | Check Point | |
|---|---|---|
| NSS Labs Results – Protects Against HTML Evasions* | 33% | 100% |
| NSS Labs Results – Overall Protection** | 93% | 98% |
| File Sharing Applications | 170 | 531 |
| Total Applications | 1,511 | 4,733 |
| Application Social Network Widgets | 0 | 240,000+ |
| URL Filtering | 20 million on box | 100 million cloud based |
| Data Loss Prevention | 9 file types and regular expression match | 532 file types plus file attributes, document templates, dictionaries, keywords and scripting language match |
| Anti-Bot | < 1 million protections (signatures/ DNS/ URLs/ IPs) | 250 million addresses analyzed for bot discovery |
| Reputation based protection | Unique multi-tier detection engine (reputation, signatures, mail activity and behavior based) with real-time security intelligence through ThreatCloud™ |
** NSS Labs IPS Test, 2012
————————————————————————————————————————————————-
PAN is focused on the
application layer
The seven layers of the Open Systems Interconnection model divide networking and security into discrete manageable components. The SANS Institute and other leading security organizations realize that we must comprehend all layers to deliver complete security.
Palo Alto Networks’ focus on the application layer can lead to more security exposures for their customers. Check Point’s balanced approach recognizes the importance of considering both the application and networks layers to assess all risks and deliver strong security.
components that we can adequately secure these levels.
———————————————————————————————————————————————————-
Why would you want to provide attackers an advantage as they prepare a targeted attack? Attackers scan ports to discover vulnerabilities. Because of Palo Alto’s focus on application inspection and App-ID™, it must first allow a connection to identify the application to enforce policy. This insecurity allows a port scan to divulge details to the attacker about your configurations, devices and security. App-ID™ focuses on identifying the application first, so it risks unnecessary security exposures.The Palo Alto approach requires that traffic be allowed to determine the application, something the Network World Clear Choice test noted “could easily result in unintended consequences and insecure configurations – a valid concern.”
——————————————————————————————————————————–
Palo Alto Networks’ focus on its next generation firewall and the application layer also raises a serious issue for compliance with the PCI Data Security Standard. Organizations spend enormous resources preparing for pass-or-fail PCI audits. One of the clearly stated requirements in the PCI DSS specification is for the organization to deploy “stateful inspection” in the firewall. According to Palo Alto, stateful inspection is being replaced with what they call “new core technology called App-ID™.” It would be very unfortunate for an organization to fail a PCI audit because it made a bad firewall choice.
| PCI DSS Requirements | Testing Procedures |
|---|---|
| 1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only “established” connections are allowed into the network.) | 1.3.6 Verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a perviously established session.) |
—————————————————————————————————————————–
Palo Alto Networks is vulnerable to cache poisoning. For example, a Session Initiation Protocol (SIP) or any other protocol connection can be used as a channel for attacking a company’s internal networks. The SIP session could initially be blocked accurately, but by taking advantage of the cache poisoning vulnerability, the SIP session could bypass a Palo Alto firewall. The vulnerability could be exploited as follows:
- HTTP is allowed with firewall policy
- Opening a SIP session typically used with VoIP communications is correctly blocked
- Generating HTTP traffic that causes the cache to hit its threshold – meaning traffic continues going through the cache but is no longer inspected by the firewall
- Switching the HTTP connection to SIP, which is then allowed – and exposes you to risk
Strong security products do not allow cache poisoning, and a strong firewall will never stop inspecting network traffic.
Defcon 2011, Brad Woodberg, Juniper Networks
—————————————————————————————————————————
| Product | IP Packet Fragmentation | TCP Stream Segmentation | RPC Fragmentation | URL Obfuscation | HTML Evasion | FTP Evasion | Total |
|---|---|---|---|---|---|---|---|
| Check Point | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
| Product | Client Protection | Server Protection | Overall Protection |
|---|---|---|---|
| Check Point | 99% | 97% | 98.3% |
NSS Labs has released the results of its 2012 IPS Group Test that reviewed Intrusion Prevention System products from eight vendors. Once again, the Check Point IPS performed exceptionally well in the tests, demonstrating top-ranked IPS protection. The Check Point 12600 Appliance IPS protected against 100% of the evasion techniques attempted by NSS Labs.
“Resistance to known evasion techniques was perfect… IP fragmentation, TCP stream segmentation, RPC fragmentation, URL obfuscation, HTML Evasion and FTP evasion all failed to trick the product into ignoring valid attacks. Not only were the fragmented and obfuscated attacks blocked successfully, but all of them were also decoded accurately.”
The Check Point IPS scored an overall protection rating of 98.3%, improving its 97.3% overall protection rating from the 2011 NSS Labs IPS test.
Highlights of Check Point’s performance in the NSS IPS Group Test include:
- Superior Security
- Top of the pack with overall protection score of 98.3%
- Strong security with 100% coverage of evasion techniques
- A top score for server protection, 97%
- Best in Class management system that is robust and granular
————————————————————————————————————————-
- Check Point tracks more than 531 file sharing apps (a critical application category for enterprises), Palo Alto tracks 170.
- Check Point tracks more than 4,733 total apps, Palo Alto tracks 1,511.
- Check Point tracks almost a quarter million widgets, Palo Alto tracks 0.
The numbers tell the story. Unfortunately, business owners using Palo Alto are left on their own to figure out what to do with untracked apps.
————————————————————————————————————————–
The Palo Alto solution provides incomplete visibility for protecting information and inspecting content. Its technology has limited abilities to deeply inspect a variety of file formats and data types beyond the basics. Why risk your critical corporate data or intellectual property with Palo Alto Networks? Check Point provides you with complete visibility and comprehensive protection.
August 2011
————————————————————————————————————————–
Obviously, the manual effort required by Palo Alto will make large deployments very difficult. As noted in its latest Next Generation Firewall product review by Network World: “Large VPN deployments will not want to move to Palo Alto…any large deployment would have to be built entirely by hand“.
Check Point offers 1-click VPN configuration, which automates the process and improves your productivity. With Check Point, there is no need to manually build and configure 870 individual VPN tunnels! And our SmartView Monitor provides complete visibility into online tunnel status and VPN counters.
August 2011
Hi сolleagueѕ, іtѕ impressіve post
concеrning teachingand fullу dеfined, keep it up all the tіme.
[url=http://fish4payday.co.uk]ρayday loаnѕ[/url]
payday loans
Also visit my homepage ; payday loan