I admit to being a little tough on Palo Alto Networks (PAN). I called them a cult (see Cult of Palo Alto Networks) and criticized them (along with Gartner) for pointlessly creating the Next-Generation Firewall market segment (see UTM v NGFW – A Single Shade of Gray).
Now along comes some bad news for PAN. Over the last week, numerous postings have appeared on the Internet about a method to bypass Palo Alto's application identification capability (called App-ID). Check Point is allegedly behind this disclosure, but the issue itself is over a year old. There are some nice videos posted that describe the vulnerability, which are allegedly from Check Point: PAN Security Bypass and a followup here, PAN Security Bypass Take 2.
I spoke with technical people at Fortinet, WatchGuard and SonicWall about this issue. All of them were able to demonstrate that their products are not vulnerable to this issue. I was able to independently validate this on a Fortinet, but did not have other devices to test. I will have to take SonicWall and WatchGuard at their word. Juniper and Cisco do not do application filtering, so they are not part of this issue.
PAN responded to this with the following blog entry, posted December 28: App-ID Cache Pollution – Merry Christmas from Check Point.
On one hand, I feel bad for PAN. This issue is being blown somewhat out of proportion. It is a serious weakness, but not a crippling one: the appliances can be configured to remedy it (turning off the App-ID cache, at a performance cost). As such, I have a modicum of sympathy for PAN. They make a very innovative product that has just experienced its first swat of reality. Welcome to the club, PAN; you are now like every other technology company on earth that has had a beloved technology lose some of its luster to a flaw.
On the other hand, PAN asked for it. PAN has been arrogant to the market. They have repeatedly acted as if their products were simply “above” the fray and not worthy of comparison with others. They deftly got Gartner to go along with them on this charade and create a whole new market segment for them, NGFW.
Check Point may be behaving unfairly, but PAN kind of asked for it. PAN blazed onto the scene claiming revolutionary technology that, upon deeper inspection, has proven to be only moderately evolutionary. They have used marketing muscle to rewrite the history of security to suit their needs.
PAN painted a big red target on their own backs. This is the outcome. Your competitors are going to shoot at you every chance they get. And Check Point is especially bitter. Their market share has been in free fall for years. What do they have to lose at this point?
PAN has joined an illustrious crowd, however. They have become the market target. Much like Microsoft in the past, Apple today, and Google and Facebook are becoming. As such, PAN can congratulate themselves on being able to crack open the firewall market and quickly race to the top. However, the view from the top is not always rosy. Down below are a lot of angry companies who feel PAN’s race to the top was unwarranted.
They are partially correct. PAN got to the top mostly on their merits. While their product is only marginally innovative, their marketing is phenomenal. PAN should become a case study for business schools everywhere on the power of unified marketing and control of language. Everybody in the PAN marketing department should be awarded a lifetime achievement award. They took a good to okay product and made it look like a billion carat diamond.
However, marketing only goes so far. At some point, marketing must meet up with reality. And PAN just got a big dose of reality.
The reality is that this is a very serious flaw. Cache poisoning is a common attack tactic. It is a method many novice hackers use, and there are ample tools out there to facilitate it. Here the cache is the App-ID cache: once a destination has been identified as carrying a permitted application, later sessions to it take the "fast pass" and are not fully inspected, so an attacker who seeds the cache with innocuous traffic can slip a disallowed application through behind it. Moreover, this calls into question all of PAN's performance numbers, since apparently all of their published performance statistics are based on having this "fast pass" feature enabled. What does turning it off, and thereby correcting this weakness, do to appliance performance? Finally, this vulnerability calls into question PAN's entire approach to security: casting off the tried and true use of stateful packet inspection in favor of application identification.
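To make the cache-pollution mechanism concrete, here is an added toy model (my own illustration, not Palo Alto Networks' or Check Point's code). It assumes, as a simplification, that the cache is keyed on destination IP and port and that a cache hit skips signature inspection entirely; the three-signature classifier, the allow-list policy and the two sample sessions are constructed for the example. It also counts how many sessions go through full inspection, which is where the performance question in the paragraph above comes from.

```python
"""Toy model of an application-identification cache and how it can be polluted.

Added illustration; not vendor code.  Assumptions: the cache key is
(destination IP, destination port), a cache hit bypasses inspection, and the
signature set below stands in for a real App-ID engine.
"""

from dataclasses import dataclass, field


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    payload: bytes  # first client bytes of the session (constructed samples)


def identify_app(payload: bytes) -> str:
    """Full inspection: minimal signature match on the first client bytes."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "web-browsing"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload[:1] == b"\x16" and payload[1:3] == b"\x03\x01":  # TLS ClientHello
        return "ssl"
    return "unknown"


# Allow-list policy: anything not listed is denied.
POLICY = {"web-browsing": "allow", "ssl": "allow"}


@dataclass
class Firewall:
    use_cache: bool = True        # False models "turn the cache off"
    verify_cached: bool = False   # True models "cache is only a hint"
    cache: dict = field(default_factory=dict)
    inspected: int = 0            # sessions that paid for full inspection

    def classify(self, flow: Flow) -> str:
        key = (flow.dst_ip, flow.dst_port)
        if self.use_cache and key in self.cache:
            cached = self.cache[key]
            if not self.verify_cached:
                return cached  # fast pass: no inspection at all
            # Hardened variant: confirm the hint against the actual bytes
            # and evict the entry if it turns out to be polluted.
            self.inspected += 1
            actual = identify_app(flow.payload)
            if actual != cached:
                self.cache[key] = actual
            return actual
        self.inspected += 1
        app = identify_app(flow.payload)
        if self.use_cache:
            self.cache[key] = app
        return app

    def verdict(self, flow: Flow) -> str:
        return POLICY.get(self.classify(flow), "deny")


def run_attack(fw: Firewall) -> list[str]:
    """Two sessions to one attacker-controlled host:port (constructed):
    an innocuous HTTP request seeds the cache, then SSH rides the same tuple."""
    target = ("203.0.113.10", 443)
    seed = Flow(*target, payload=b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
    tunnel = Flow(*target, payload=b"SSH-2.0-OpenSSH_9.6\r\n")
    return [fw.verdict(seed), fw.verdict(tunnel)]


if __name__ == "__main__":
    for name, fw in [("cache on (fast pass)", Firewall()),
                     ("cache off", Firewall(use_cache=False)),
                     ("cache as hint only", Firewall(verify_cached=True))]:
        print(f"{name:22s}: {run_attack(fw)}  inspected={fw.inspected}")
```

With the cache on, the second session is allowed without ever being inspected; with the cache off, or with the cached label treated only as a hint that the first bytes must confirm, the SSH session is denied. The `inspected` counter is the trade-off: the hardened configurations inspect every session, which is the cost the vendor's cached-mode performance figures do not include.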
Also, this problem has been around for a while. According to my research and what others have reported, this issue was first disclosed at CanSecWest in 2011. PAN just released a whole new operating system, why wasn’t this issue corrected? Is it even correctable?
There are a lot of disturbing questions that arise from this. I do not mean to be overly critical of PAN. I know many people cast me as a Fortinet-phile. While I do like Fortinet I also am the first to admit that Fortinet has plenty of weaknesses too. I actually think Fortinet and PAN are the pinnacle of the UTM market right now.
Advice to PAN
Be humble. Do not turn on Check Point and be rude or derisive. That blog entry posted on December 28 should be taken down and promptly rewritten. Thank the industry for detecting this. Make it clear you understand the issue and are working with customers to remedy their concerns.
When you come out swinging and acting tough, we all know you got caught with your pants down. That blog post is arrogant and dismissive. Get rid of it. Call up McAfee and have a conversation with their management about how to handle a crisis. Call up Tim Cook at Apple and get a lesson from him in humility.
PAN is a good technology. It is innovative. It can be an integral part of a secure network. But nobody is going to see that if you let this become a schoolyard slap fight. Grow up and be humble. Those who made it to the top because they were good do not need to attack others when they make a mistake. Great people and great companies know when to admit they made a mistake.