New DNS security service a major highlight of PAN-OS 9.0 release

Another key software addition is a new Policy Optimizer, which uses intelligence about the applications on the network to find and remove legacy firewall rules that create security gaps.

The PA-7080 firewall

Palo Alto Networks has announced PAN-OS 9.0, the new release of the operating system for its next-generation firewalls. While it has over 60 new features, security improvements top the list: DNS protection is expanded through a cloud-based security service, and a new Policy Optimizer feature is designed to eliminate the problems created by old legacy firewall rules. Other announcements include updated network processing cards for the PA-7000 Series and the availability of the K2-Series, a 5G-ready next-generation firewall.

A major element of the PAN-OS 9.0 release is added security, specifically against DNS-based attacks, which is now delivered as a new cloud-based DNS security service.

“Palo Alto Networks’ Unit 42 researchers found that nearly 80 per cent of all malware uses DNS – the Yellow Pages of the Internet – to establish command and control,” said Navneet Singh, Product Marketing Director for Next-Generation Firewalls at Palo Alto Networks. “The attackers use domain generation algorithms to create an unlimited number of domains to do this. We have had DNS protection before bundled as part of our Threat Prevention License. However, we have responded to these tactics by taking DNS protection to the cloud and enhancing it. It now has infinite scale, so that it is no longer limited by the number of signatures that can be stored in a small firewall.”

Additional protection against DNS attacks has been added through machine learning.

“We have added additional predictive capabilities to identify new malicious domains,” Singh said. “We are now able to predict them even before the domains are generated. We can now also use heuristics to figure out if traffic also uses tunneling – which is essentially an attacker hitchhiking with DNS. We can see the tunneling attempts and block them.”
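To make the two detection ideas in that quote concrete (a high-entropy registrable label as a domain-generation-algorithm indicator, and long, ever-changing subdomains as a tunneling indicator), here is a small worked example. It is example code added for this page, not Palo Alto Networks' implementation, and the query log, domain names and thresholds are constructed assumptions; a production system would also use the public suffix list rather than a two-label split.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log: (client_ip, queried_name, query_type).
# These names are made up to exercise the heuristics; they are not observed
# malware domains.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.5", "login.salesforce.com", "A"),
    ("10.0.0.7", "xkq3vz9tplwmcbfr.net", "A"),   # DGA-like: long, high entropy, no vowels
    ("10.0.0.7", "q8zrtmwvnplkcdgf.com", "A"),   # DGA-like
    # Tunneling-like: 40-character base32-style labels carrying data, TXT lookups
    ("10.0.0.9", "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dz.t.tunnel-example.net", "TXT"),
    ("10.0.0.9", "nbswy3dpeb3w64tmmqqgc3dmeb2gc3tffzzw6zlo.t.tunnel-example.net", "TXT"),
    ("10.0.0.9", "onswg4tfor2gk3tdn5sgkidpmvzsa43fmnzgk5ab.t.tunnel-example.net", "TXT"),
]


def shannon_entropy(text):
    """Bits of entropy per character of a string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label directly under the TLD, e.g. 'example' for 'www.example.com'.
    Simplification: a two-label split instead of the public suffix list."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(qname, min_len=10, min_entropy=3.3, max_vowel_ratio=0.3):
    """Cheap DGA heuristic: a long, high-entropy registrable label with few vowels.
    Thresholds are assumptions chosen for this example."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def tunnel_indicators(queries, max_label=40, min_unique_subdomains=3, min_avg_label=20):
    """Group queries by registrable domain and report domains whose subdomains
    look like a data channel: a very long label, or many distinct long
    subdomains (each tunnel packet needs a fresh, uncached name)."""
    per_domain = defaultdict(lambda: {"subdomains": set(), "label_lens": [], "txt_or_null": 0})
    for _, qname, qtype in queries:
        parts = qname.lower().rstrip(".").split(".")
        if len(parts) < 3:
            continue  # no subdomain labels to carry data
        base = ".".join(parts[-2:])
        stats = per_domain[base]
        stats["subdomains"].add(".".join(parts[:-2]))
        stats["label_lens"].extend(len(p) for p in parts[:-2])
        if qtype in ("TXT", "NULL"):
            stats["txt_or_null"] += 1

    flagged = {}
    for base, stats in per_domain.items():
        reasons = []
        longest = max(stats["label_lens"])
        avg = sum(stats["label_lens"]) / len(stats["label_lens"])
        if longest >= max_label:
            reasons.append(f"label of {longest} chars")
        if len(stats["subdomains"]) >= min_unique_subdomains and avg >= min_avg_label:
            reasons.append(f"{len(stats['subdomains'])} distinct subdomains, avg label {avg:.0f} chars")
        if reasons and stats["txt_or_null"]:
            reasons.append(f"{stats['txt_or_null']} TXT/NULL queries")
        if reasons:
            flagged[base] = reasons
    return flagged


def analyze(queries):
    """Run both heuristics over a query log."""
    dga = sorted({qname for _, qname, _ in queries if is_dga_like(qname)})
    return {"dga": dga, "tunnel": tunnel_indicators(queries)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_QUERIES).items():
        print(key, value)
```

Both heuristics are deliberately cheap so they can run inline on every query; the entropy test alone will misfire on some legitimate names (CDN hostnames, hashed service labels), which is why the vendor pairs such signals with reputation data and a trained model rather than relying on thresholds.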

Another new security feature is the Policy Optimizer, which is designed to eliminate old legacy firewall rules that leave security gaps and are harder to manage.

“The Policy Optimizer is an entirely new tool that we have added,” Singh said. “We know that customers have been running legacy firewalls for 5 years, 10 years or more, and they add new rules over that time. It’s not uncommon to find firewalls with 10,000 rules or more. It can be hard to figure out what apps they go with, or even if those apps have been retired. We believe that all these legacy rules leave customers vulnerable and with policy gaps. Policy Optimizer uses the intelligence that Palo Alto Networks has gathered about the network to match applications to rules. Now they can replace rules with the right ones, and remove ones they no longer want. In addition, they can move from port-based rules to application-based ones. Port 80 and Port 443 are typically open, and customers may not realize hundreds of applications use them. The Policy Optimizer tells customers that if a rule matches these applications, they can choose what they want to allow and lock out everything else. Customers can start reducing the number of rules, and they are easier to manage.”
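The workflow Singh describes (match observed applications to the rule they hit, retire rules nothing hits, and rewrite a port-based rule as an application-based one that allows only the apps the business wants) can be sketched in a few dozen lines. This is example code added for this page, not the Policy Optimizer itself; the rulebase, the traffic log and the `Rule` fields are constructed assumptions, and the App-ID names used (`web-browsing`, `ssl`, `dns`, `dropbox`, `bittorrent`) are only sample values.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    service: str                       # "tcp/443"-style port rule or "application-default"
    applications: tuple = ("any",)     # App-ID names; ("any",) means a port-based rule
    action: str = "allow"


# Constructed rulebase: the kind of mix a long-lived firewall carries.
RULES = [
    Rule("allow-web-out", "trust", "untrust", "tcp/80,tcp/443"),
    Rule("allow-dns-out", "trust", "untrust", "udp/53"),
    Rule("legacy-ftp-dmz", "trust", "dmz", "tcp/21"),        # the app behind it was retired
]

# Constructed traffic log entries: (rule matched, App-ID, bytes). This mirrors
# what a traffic log records once App-ID has classified the flow.
TRAFFIC_LOG = [
    ("allow-web-out", "web-browsing", 120_000),
    ("allow-web-out", "ssl", 950_000),
    ("allow-web-out", "ssl", 410_000),
    ("allow-web-out", "dropbox", 80_000),
    ("allow-web-out", "bittorrent", 2_000_000),
    ("allow-dns-out", "dns", 4_000),
]


def apps_per_rule(log):
    """Which applications actually matched each rule, weighted by bytes."""
    seen = defaultdict(Counter)
    for rule_name, app, nbytes in log:
        seen[rule_name][app] += nbytes
    return seen


def unused_rules(rules, log, ignore=()):
    """Rules with no hits in the log: removal candidates, provided the log
    window is long enough to cover infrequent but legitimate traffic."""
    hit = {rule_name for rule_name, _, _ in log}
    return [r.name for r in rules if r.name not in hit and r.name not in ignore]


def to_app_based(rule, seen_apps, allowed):
    """Rewrite a port-based rule as an App-ID rule that keeps only the
    applications on the allow list. Returns (new_rule, apps_that_will_be_blocked)."""
    keep = tuple(sorted(app for app in seen_apps if app in allowed))
    dropped = sorted(app for app in seen_apps if app not in allowed)
    new_rule = replace(rule, applications=keep, service="application-default")
    return new_rule, dropped


def optimize(rules, log, allowed):
    """Produce the tightened rulebase plus a report of removed rules and of the
    applications each rewritten rule will now block."""
    seen = apps_per_rule(log)
    stale = set(unused_rules(rules, log))
    new_rules, blocked = [], {}
    for rule in rules:
        if rule.name in stale:
            continue
        if rule.applications == ("any",):
            new_rule, dropped = to_app_based(rule, seen[rule.name], allowed)
            if dropped:
                blocked[rule.name] = dropped
            new_rules.append(new_rule)
        else:
            new_rules.append(rule)
    return new_rules, sorted(stale), blocked


if __name__ == "__main__":
    ALLOWED = {"web-browsing", "ssl", "dns"}
    rules, removed, blocked = optimize(RULES, TRAFFIC_LOG, ALLOWED)
    for r in rules:
        print(f"{r.name}: apps={r.applications} service={r.service}")
    print("removed:", removed)
    print("now blocked:", blocked)
```

The point of returning `blocked` alongside the new rules is the same one the quote makes: converting `tcp/443` to an application list silently cuts off everything else that was riding on that port, so the operator needs to see that list before committing the change.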

In addition to these security software features, Palo Alto Networks is also announcing new network processing cards for the PA-7000 firewall series.

“This has been a very successful product for us, which has been used by larger customers in data centres and in large Internet edge deployments,” Singh said. “It comes in two models, the PA-7050 and the PA-7080, with one taking six cards and the other ten cards.” The new cards increase decryption throughput by 3x over the previous generation and raise decryption session capacity by 25x.

“We are also adding 100 Gbps and 40 Gbps connectivity options for these, in addition to 1 and 10 Gbps,” Singh said. “We also provide investment protection for customers with cards, as we make sure they are fully compatible with the existing cards and chassis.”

In addition, the VM-Series virtualized form factor of the Palo Alto Networks firewall now supports additional public and private cloud environments. Support has been added for Oracle Cloud and Alibaba Cloud among public clouds, and for Cisco Enterprise Network Compute System (ENCS) and Nutanix among private clouds. Firewall throughput on AWS and Azure has also been improved by up to 2.5x.

Finally, for service providers looking to begin future-proofing for 5G, Palo Alto Networks has announced the general availability of the K2-Series, the industry’s first 5G-ready next-generation firewall.

“What we are seeing in the U.S. around 5G is that as some pilots have been done, service providers want to plan in advance to ensure they have the time to roll 5G out fully and make sure they have the right security systems in place,” Singh said. “We want to make sure that as they deploy from pilot to production, they can plan with security in mind. We are the only vendor now who can correlate threats with subscribers and devices in 5G. That’s a great opportunity.”

For channel partners, Singh said the attraction of these announcements will be the opportunity to offer the new enhancements to their install base.

“We think this is an amazing opportunity for the channel to sell to their install base,” he stated. “It’s always easier to sell to satisfied customers. With the PAN-OS 9.0, they can go back and sell the new DNS security service, and the Policy Optimizer tool lets them sell services to customers who want help with best practices. The new network processing cards will let them sell new hardware, and it will be an easier sale because the customers already have the chassis, and typically room to add to it, which is why they buy a chassis. Partners can feel confident in upselling to existing customers with these enhancements.”