Battlecard
Palo Alto Networks

Palo Alto is a California-based company best known for driving the emergence of the term Next-Generation Firewall (NGFW). The company was formed by ex-Check Point staff, some of them significant senior employees. They claim to re-invent the firewall by declaring that port-based protection (which secures the entire Internet) is irrelevant, and take the stance that they invented the idea of identifying traffic at the application layer. While they have heavily marketed the technology, it is neither new nor unique to them.

Not a real UTM

Small market landscape

Being a new company with a heavy focus on the large enterprise, Palo Alto does not have a large customer base. With only a couple of thousand boxes deployed, they do not have the same scope of visibility into the security landscape as Sophos. With an installation base of over 70,000 active installations as of January 2012 (growing massively quarter-over-quarter), we have a larger market from which to gather security data, collect feature requests and determine what businesses want to buy.

The Check Point approach

With the founders’ history at Check Point, the Palo Alto configuration style is reminiscent of the Check Point design. Administrators not familiar with this approach are frequently frustrated at the number of steps required to achieve even basic operations. They dislike needing to touch many controls in various sections, review what has been entered, and then finally commit the changes. The concept of enterprise-style “trust” zones litters the entire configuration, further adding to the layers of complexity when trying to deploy a Palo Alto device.

Not SMB friendly

Palo Alto has openly claimed they “do not want SMB customers”. Their solution is built with the very large enterprise in mind. As such, it is complex and easily overwhelms administrators looking to deploy it. Much confusion has been created by their “smaller” units, which are not designed to stand alone at a small or midsized company, but rather to connect branch offices back to a much larger Palo Alto device at the company headquarters.

Not a UTM

Palo Alto has a heavy reliance on their application control features. While they have some functionality in other areas, their lack of a true gateway design means they are almost exclusively deployed deeper in the network, not at the perimeter. Customers are then using another product as their main firewall. They are criticized for their lackluster focus and implementation in non-application-control features such as VPN and web content filtering. These areas take a clear back seat to their application control functionality, which seems vastly more developed in comparison. They have no web server security (WAF) or mail filtering, are not able to retain logs and reports for long periods of time, and lack basic user VPN capabilities like L2TP and PPTP.

Sophos UTM versus Palo Alto Networks

Cost/features/numbers/statistics         UTM 120   UTM 320   UTM 625   PA-200     PA-2050    PA-4050
List price appliance 1 year UTM          1,835*    8,625*    34,935*   3,900**    28,760**   107,600**
Additional cost for high availability    595       2,875     11,975    2,000      18,400     69,000
Firewall throughput (Mbps)               1,800     3,500     10,000    100        1,000      10,000
VPN throughput (Mbps)                    188       700       1,400     50         300        2,000
IPS throughput (Mbps)                    240       1,400     2,400     50         500        5,000
Number of interfaces                     4         8         18        4          12         24

* Full Guard (with Wireless Protection, Email Protection and Platinum Support)
** Includes only firewall, IPS, URL filtering and Basic Support

Questions for buyers

Is your company a large Enterprise?

If your business focuses its security efforts on keeping employees working with minimal impact while achieving the best protection for your available budget, Palo Alto is not for you. Sophos UTM is designed with the administrator in mind, allowing even powerful features to be introduced and configured with ease. In comparison, Palo Alto is overly expensive for the features they provide, and their cumbersome design requires configuration in multiple sections with excessive overlap, making even simple operations take a lot of time to set up correctly.

Do you only need an application firewall?

Palo Alto is almost exclusively designed around their application control engine. While providing a capable firewall in this area, they fall behind Sophos UTM for web filtering, VPN, intrusion protection, and the other areas which are part of a UTM, both in feature depth and configuration ease. They have no mail filtering or wireless security products and cannot match the configurationless design and low, one-time price of RED at the branch office.

Does your company use thousands of applications?

By observing data from thousands of installations, we know that most businesses generate 95% of their traffic with fewer than 20 applications. Palo Alto’s application control has thousands of obscure and poorly labeled patterns, most of which are rare and never seen in an actual network. This focus on “pattern-racing” might yield bigger numbers for advertising, but leads to a convoluted library which makes it difficult to configure what is relevant. Sophos UTM by comparison includes patterns which are targeted at applications you really use.

Three reasons to choose Sophos UTM

No imposed limits

Palo Alto appliances have various limits within the configuration; Sophos lets you use your device freely. Unlike Palo Alto, we don’t place limits on the number of NAT rules, policy rules or security zones in our solutions. As long as you have free resources, you can configure your Sophos UTM as you like it.

Not just an application firewall

Application control is just one tool of many in network security. If you want to secure your web servers, filter email, or offer basic road warrior VPN services to your users, Palo Alto won’t be able to solve your problems. Even intrusion protection is a dedicated, separate subscription from their firewall. Sophos UTM offers complete security for your entire network.

Affordable by mortals

Bolstered by a marketing department that makes several claims about being unique in regards to several features, Palo Alto charges outrageous amounts of money for their solution. While this type of stratospheric pricing may have been justifiable early on when they had a lead in focusing on application control as “new”, today, with many options for this technology available, it is unrealistic to expect that kind of price premium for their solutions.

Find out more: visit sophos.com/unified

United Kingdom Sales: Tel: +44 (0)8447 671131, Email: sales@sophos.com
North American Sales: Toll Free: 1-866-866-2802, Email: nasales@sophos.com
Australia & New Zealand Sales: Tel: +61 2 9409 9100, Email: sales@sophos.com.au

Boston, USA | Oxford, UK
© Copyright 2012. Sophos Ltd. All rights reserved. All trademarks are the property of their respective owners.
A Sophos Battlecard 02.12v1.dNA