We use both the NG and VM series of Palo Alto firewalls. We sell and install them for clients to provide the best security that money can buy. Additionally, adding SD WAN on the same edge device has made an all-in-one, security-edge-intelligent routing solution possible without sacrificing performance or a secure environment.
The product stability and level of security are second to none in the industry. We value the security of our client's infrastructure so these features are valuable to us.
An example of a very valuable feature behind Palo Alto is the application-aware identifiers that help the firewall know what its users are trying to do. It can block specific activities instead of just blocking categories. For example, you can block an application, or all unknown applications. On one occasion, I was alerted by Palo Alto that something unusual was happening through a particular port at a client location. I blocked the port access because I didn't know what exactly was going on and alerted the client. Then the client called me up and said, "Hey, I need the port that was blocked because [of this]." We could then test what was going on in a secure environment where it couldn't affect anything else to be sure the behavior was not something to be concerned about. In this case, Palo Alto kept the client totally safe. That is a fantastic capability.
Palo Alto needs to adjust their pricing a little bit. If they would work on their pricing to make it more cost-effective and bring it in line with their high-end competition, it would be extremely disruptive to the industry. They rank among the best firewall solutions, but because of pricing — even if it is deserved — they cut themselves out of consideration for some companies based on that alone.
Palo Alto is a little expensive compared to every other solution, but you get what you pay for. The question I have been asking customers since I became a solutions architect is what the best in security is worth. The problem with people seeking security solutions is thinking that all solutions are the same, thinking the newest technology solutions are best and thinking cost-first. A better way to think about it would be how expensive a break-in is.
If I am shopping around for a firewall solution and I see I have to pay a lot per year for Palo Alto and I see Meraki is a much lower price, I might be attracted by the less expensive product. When it is deployed, we get broken into and lose $10 million worth of design documents. It may be quite possible that break-in could have been avoided by paying more for a better security solution. Because I went the cheap route, I lost many times what I 'saved.' For possibilities like this alone, it is hard to put a price on security.
Take a deeper look at what happens when you try to save money on security. Meraki does SD-WAN (Software-defined Wide Area Network). That is touted as fantastic because the client is going to save a whole lot of money because they don't need MPLS (Multi-Protocol Label Switching) anymore. But the reality behind it is, there is absolutely no application acceleration, no data deduplication, and no forward error correction. Forward error correction is extremely important when you're using a device between points. But Meraki sells its devices for nickels or pennies on the dollar in comparison to other security solutions. Only then you only learn the lesson of what happens when you go cheap. Your network gets broken into more easily because of the inherent exposure in SD-WAN and it goes down a lot.
If you have sales offices and those sales offices have Meraki firewalls, the device may observe a problem out on the internet. When it does, the Meraki's failover results in an outage. With Meraki, failover to a better link takes 30-seconds. Whether it is a 30-minute failover or 30-second failover, you can drop a call. If you are cold calling and you dropped a call, you don't get a second chance. It is impossible to say how much money you might lose. For example, if my company sells microchips and that call was going to develop into a $40 million sale, that sale is gone. It is gone because of the small comparative cost savings in security and the instability of the solution you chose to use. But a 30-second outage every single time a route is withdrawn across the internet means your phone is going to ring if you are the IT Director, and you will eventually lose your job.
The costs for Palo Alto are structured in a similar way to other products. With Palo Alto you can do one, two, three and five years contracts. It is the same thing with Fortinet and Meraki. Hardware cost is very different than the application license. The hardware maintenance agreement is separate. With all of the firewall solutions, you will pay for a hardware maintenance agreement. That protects the hardware itself. That is an annual billing and separate from the software in all cases. Nobody bills for firewalls on a monthly basis. Even the VM version of the Palo Alto is billed per year. Using that license, you can build up a VPN that forces all default traffic to a particular device before it goes out to the internet. It is comparatively pretty cheap in practice, and it works. It works well because you only need one piece of hardware. Build the server and start slicing out VMs. Then it becomes possible for everybody in a network to be protected by Palo Altos security at a lower cost.
As a solutions architect group, we are what you would call "vendor-agnostic." We evaluate any solution that seems like it may be viable to provide clients with some advantages. I will never go to a customer and say that these are the only products that we are going to support. However, if there is something that a client wants to use which I feel would be detrimental to their business or that doesn't fit their needs, I will encourage them to look at other solutions and explain why the choice they were leaning towards may not be the best. When a solution they want to use means that no matter what we do they are going to get broken into, I'll let them know. It isn't good for their business or ours.
That said, some of the most requested or considered firewall solutions by clients beside Palo Alto are Fortinet, Firepower, and Meraki. Looking at each provides a background into how we look at solutions and how we evaluate options for clients. You have to look at the benefits and disadvantages.
Cisco Firepower NGFW (Next-Generation Firewall)
I think that Firepower can be simplified and can be made into a more viable product in the Cisco line. I think that Cisco has the ability to get into the Firepower management platform and trim it, doing so by breaking down all of the different areas of concern and configuration and categorizing them into overviews, implementation across the board, and steady-state management. If they were to do that, then users could start at the top layer and drill down more as they see fit to customize to their needs. I believe that Cisco can do that with Firepower and make it a much better security tool.
Firepower is not just a firewall, it is an SD-WAN. It is an application that Cisco sells that gets loaded onto an ASA 5500 series appliance (the appliance has to be the X platform). It is not a bad solution. I can use it to get into your network and protect a lot of your customers who will be running traffic through it. But a problem that you are going to get into as a result of using Firepower is that it is extremely difficult to configure. Security engineers that I have handed the setup after a sale came back from the service and asked me never to sell it again because it was very difficult for them to set up. However, it is also very secure. The difficulty is in using the GUI, which is the console that you would log into to set up your rules and applications. It can take about 10 times as long as Meraki to set up, and that is no exaggeration. Palo Alto is easier to set up than Firepower, but not as easy to set up as Meraki. But, the security in Palo Alto is phenomenal compared to Meraki. Firepower is pretty secure. If it was a little easier to operate, I'd be recommending it up one side and down the next, but ease-of-use also comes into play when it comes to recommending products.
I'll support what Firepower has to offer considering the quality of the security. But I can't take anyone seriously who is proud of themselves just because they think their firewall is next generation. It might have that capability but it might not be 'next generation' if it is set up wrong. Some vendors who sell firewall solutions that I've spoken to admit to dancing their customers around the 'next generation' promise and they make amazing claims about what it can do. Things like "This firewall will protect the heck out of your network," or "This firewall has built-in SD-WAN and can save you lots of money." These things are true, perhaps, depending on the clients' needs and the likelihood that they will be able to properly manage the product.
Firepower is a capable solution but it is difficult to set up and manage.
Cisco Meraki NGFW (Next-Generation Firewall)
Meraki was a horrible acquisition by Cisco and it is harming their name. All of us who are familiar enough with the firewall know how bad that firewall is and we know that Cisco needs to make changes. The acquisition is almost funny. The logic seemed to be something like "Let's buy an inferior security solution and put our name on it." That is a textbook case on how not to run a company.
If Cisco wanted to improve Meraki, the first thing they need to do is simply activate the ability to block an unknown application. Start with that and then also improve utility by blocking every threat by default like other products so that users can open up traffic only to what they need to. That saves innumerable threats right there.
There are situations where Meraki works very well as is. One example is at a coffee shop. What the coffee shop needed for their firewall solution was to have a firewall at every location for guests. The guests go there to eat their donuts, drink their coffee, and surf the internet. The company's need was simply to blockade a VLAN for guest access to the internet while maintaining a VLAN for corporate access. They need corporate access because they need to process their transactions and communications. All corporate devices can only communicate through a VPN to headquarters or through a VPN to the bank. For example, they need to process transactions when somebody uses their debit card at a POS station. It works great at the coffee shop.
It works great at department stores as well. All employees have a little device on their hip that enables them to find what aisle a product is in when a customer asks them. If the store doesn't have the product on hand, the employee can do a search for another store that does have it in stock right on the device. They can do that right on the spot and use that service for that device. For that reason, they are not going across the internet to find the information they are searching for. They are forced into a secure tunnel for a specific purpose. That is something you can do with Meraki. If you don't let employees surf the web on the device, then Meraki will work.
I can actually give you the methodologies in which hackers are able to completely hack into a Cisco customer's network and steal extremely valuable information. Meraki is the most simple of all firewalls to infiltrate in the industry. It is an extremely dangerous piece of hardware. What comes into play is that Meraki, by default, does the opposite of what all of the other firewalls do. Every firewall not called Meraki will block every means of attack until you start saying to permit things. The Meraki solution is the opposite. Meraki, by default, blocks nothing, and then you have to go in and custom key everything that you want to block. This is dangerous because most people don't know everything in the world that they need to block. With Meraki, you have to get hacked in order to be able to find out. Now, tell me who really wants that.
An example of this is that Meraki cannot block an application it doesn't know about, which means that all unknown applications are forever allowed in by Meraki. If I am a hacker and I know that you are using a Meraki firewall, I can write an application to use for an attack. When I do, it is unknown because I just wrote it today. If I load it up on a website, anybody that goes to that website using a Meraki firewall has this application loaded onto their computer. Meraki can't block it. That application I wrote is designed to copy everything from that person's computer and everything across the network that he or she has access to, up to a server offshore in a non-extradition country. I will have your data. Now I can sell it or I can hold you for ransom on it.
Customers love it because it is simple to configure. I don't even need to be a security architect to sit down at a Meraki console and configure every device across my network. It is an extremely simple device and it's extremely cheap. But you get what you pay for. You are generally going to suffer because of the simplicity. You are going to suffer because of the low cost and "savings."
All I can say about Meraki is that it is cheap and easy to use and fits well in niche situations. If you need broader security capabilities, spend a few bucks on your network and get a better security solution.
Fortinet FortiGate NGFW (Next-Generation Firewall)
I'm supportive of Fortinet because it is a decent next-generation firewall solution. While not as secure as Palo Alto, it is a cost-effective and reasonably reliable product. I have customers choose it over Palo Alto. But if they decide to use this solution, I want to charge them to manage it for them. The reason for that is, if anything goes wrong in the network and they get hacked, my client will likely get fired and replaced. If anything goes wrong in the network and I am paid to manage their firewall, I am the one in trouble if they get hacked — not the client. I apply my services to the network, make sure everything is working as it should and give them my business card. I tell them that they can give the business card to their boss if anything goes wrong because the guy on the card is the one to blame. That way I remain sure that nothing will go wrong because of poor administration, and my client contact sleeps better at night.
Fortinet is sort of middle-of-the-road as a solution. It has a relative simplicity in setup and management, it has a lower price and provides capable security. Fortinet FortiGate still gets some of my respect as a viable alternative to Palo Alto.
Comparing the Complexity of Setup
Firepower is the most complex to set up. The second most complex is Palo Alto. The third is Fortinet. The fourth is Meraki as the simplest.
Rating the Products
On a scale from one to ten with ten being the best, I would rate each of these products like this:
- Meraki is a one out of ten (if I could give it a zero or negative number I would).
- Fortinet is seven out of ten because it is simple but not so secure.
- Firepower is seven out of ten because it is more secure, but not so simple.
- Palo Alto is a ten out of ten because the security side of it is fantastic, and the gui is not a nightmare.
An Aside About Cisco Products
It is interesting to note that the two offerings by Cisco are on completely opposite ends of the spectrum when it comes to the learning curve. Firepower is on one end of the spectrum as the most difficult to configure and having the worst learning curve, and Meraki is on the other as the easiest to configure and learn. Both are owned by Cisco but Cisco did not actually develop either of product. They got them both by acquisition.
Palo Alto is my number one choice for firewalls. I support and utilize more Palo Alto firewalls throughout my company and with my customers than any other device. Number two would be Fortinet. I don't really like Fortinet that that much because it is not as secure as Palo Alto, but I have customers who want to use it because it is a lot less expensive. Number three is Cisco Meraki, which I obviously don't like, but people request that because the Cisco name is very popular and a lot of other people are using it. I couldn't recommend against choosing a device more than choosing it by name instead of functionality.
Palo Alto invented the method of looking at the application identifier in each packet and making a decision. For instance, many companies may want to do something like prohibiting all chat applications with the exclusion of whatever application the company is choosing to use. Let's say the company is using IP Communicator for customers and for employees to chat with each other, but the company wants to block Skype. The reason why might be because they don't want anybody bringing up a Skype call, sharing information via that Skype call, or maybe turning on a Skype call and letting other people see inside the facility. Skype has a very interesting platform in which you block one IP address on the Skype server and it allows another one. You block Skype.com and it creates another URL. Skype loves to get in and around simple security steps. Palo Alto is phenomenal because it takes a look at the application identifier within each packet and will find that it is Skype and block it. If you want to block AOL Instant Messenger, you just block it. Anything out there you don't want employees to use can just be blocked by referencing the identifier.
Netflix is another one that seems to find it's way into corporate networks. It is normal not to want employees sitting around watching movies. The Palo Alto will find out that someone is trying to access a Netflix movie and block it. Then it can also send an email to alert different people of the activity. You could set it up so that when something like that happens, an email goes to the director of IT to say, "Hey, this person may be trying to access Netflix." You may want it to just block the access type and forgo the alert. Or you can block the activity and alert anyone you want that someone appears to have tried to subvert security. The idea of this type of security measure isn't just to lay blame and get people fired, it is to identify different types of breaches and why they occur. It could be that a potential breach requires a sit-down conversation with the persons involved. But the truth is that many malicious sites — like adult related websites, platforms like gambling sites, obviously hacking-related sites, violence or gore — are loaded with malware. You don't want that on your computer, and your employer doesn't want it on the network either. It is just as bad as bringing a device to work and allowing that device to be connected to the network without protection as that is just another potential malware exposure.
Another beautiful thing with Palo Alto is that they have Wildfire. Wildfire can prohibit malware in either direction. Malware is not going to get into the network via a customer or a user surfing and it is not going to get out and affect the network and spread around via a user's BYOD (Bring Your Own Device) that got infected while he was working at home.