Is Astaro considered a "Next Generation firewall" ? look at these attributes that are needed in the Next generation firewall Application Identification: The firewall must be able use deep packet inspection to look beyond the IP header 5- tuple into the payload of the packet to find application identifiers Extended Stateful Inspection: By tracking application sessions beyond the point where dynamic ports are selected, the firewall will have the ability to support the detection of application-level anomalies that signify intrusions or policy violations SSL Decryption/Re-encryption: The firewall will need the ability to decrypt SSL-encrypted payloads to look for application identifiers/signatures Control: Traditional firewalls work on a simple deny/allow model. In this model, everyone can access an application that is deemed to be good. Analogously, nobody can access an application that is deemed to be bad. This model had more validity at a time when applications were monolithic in design and before the Internet made a wide variety of applications available. Today’s reality is that an application that might be bad for one organization might well be good for another. On an even more granular level, an application that might be bad for one part of an organization might be good for other parts of the organization. Also, given today’s complex applications, a component of an application might be bad for one part of an organization but that same component might well be good for other parts of the organization. Multi-gigabit Throughput: In order to be deployed in-line as an internal firewall on the LAN or as an Internet firewall for high speed access lines, the next generation firewall will need to perform the above functions at multigigabit speeds. please check the attached file for more information

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Next Generation Firewall !!

Is Astaro considered a "Next Generation firewall" ?
look at these attributes that are needed in the Next generation firewall

Extended Stateful Inspection: By tracking application sessions beyond the point where dynamic ports are selected, the firewall will have the ability to support the detection of application-level anomalies that signify intrusions or policy violations
SSL Decryption/Re-encryption: The firewall will need the ability to decrypt SSL-encrypted payloads to look for application identifiers/signatures
Control: Traditional firewalls work on a simple deny/allow model. In this model, everyone can access an application that is deemed to be good. Analogously, nobody can access an application that is deemed to be bad. This model had more validity at a time when applications were monolithic in design and before the Internet made a wide variety of applications available. Today’s reality is that an application that might be bad for one organization might well be good for another. On an even more granular level, an application that might be bad for one part of an organization might be good for other parts of the organization. Also, given today’s complex applications, a component of an application might be bad for one part of an organization but that same component might well be good for other parts of the organization.
Multi-gigabit Throughput: In order to be deployed in-line as an internal firewall on the LAN or as an Internet firewall for high speed access lines, the next generation firewall will need to perform the above functions at multigigabit speeds.

please check the attached file for more information

This thread was automatically locked due to age.

0 Scott_Klassen over 15 years ago

"Next Generation Firewall" is a phrase used by PaloAlto Networks as a marketing hook, nothing more. Your showing us a three years old marketing pamphlet thinly disguised as a whitepaper to draw in the naive, not an ethical piece of fact based research.

Sorry, but misleading information in the interest of sales really gets under my skin.

Now to answer your question: no Astaro isn't based on all of the specific criteria in your post, but I doubt that PA completely lives up to its' hype either...no product does 100%. Here's how the stuff above correlates with what Astaro has:

Application Identification = Certain portions go into the payload based on need to do so.
Extended Stateful Inspection = The Astaro IPS catches the behavior based anomiles and intrusions.
SSL Decryption/Re-encryption = http/s proxy
Control = With Astaro you can be as granular as you wish based on the rules you set
Multi-gigabit Throughput = This is based almost entirely upon the hardware you run on. Since Astaro can be installed as software on many different systems using different components it's impossible to definitively say yes or no as both can potentially be true.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 15 years ago

However, outside of deep packet inspection, Astaro does address all the other issues. If you need help justifying Astaro to some higher-ups, please give us more detail about what they're challenging you with.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 techuser over 15 years ago

I didn't mean to promote for PA, I am using Astaro for over 4 years now and I love it, and Astaro is my #1 recommendation,
but that was sent to my mail, and they seem to have a lot of "phrases" that make many people think that they are different from many other Vendors.
could any of the moderator remove the attachment
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 15 years ago

I think you provided a service to everyone to post that here. Along with Scott's response, visitors here will be "innoculated" [;)] against this particular marketing jargon.

Cheers - Bob
PS If you do want to zap it, you can EDIT the post, Go Advanced and remove it yourself.
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 15 years ago in reply to techuser

I didn't mean to promote for PA, I am using Astaro for over 4 years now and I love it, and Astaro is my #1 recommendation,
but that was sent to my mail, and they seem to have a lot of "phrases" that make many people think that they are different from many other Vendors.
could any of the moderator remove the attachment

if that was sent to your mailbox then they are most likely spammers. I would never do business with nay company that directly or indirectly engages in spamming.
Cancel
Vote Up 0 Vote Down

Cancel
0 AngeloC over 15 years ago

Hiya Techuser,

With over 90 posts, I don't for a moment think you are here to promote anything [:)] However you raise a good point, often in this space companies can no longer differentiate themselves on a feature or what the other guy "can't" do. The market changes so fast, and most vendors are realistically within 5-10% of feature by feature comparisons. Unless it happens to be a single thing or so you really need and one company doesn't have it, then really that is a dead end way to buy a firewall.

By far, USABLE technology is the key; what good are hundreds of features if you have no real hope of configuring/using them, or dont have the knowledge and confidence in yourself to put you or your company on the line for a deployment, sale, installation etc, using it?

While PA does have a few neat things, they are far better at marketing: using the term Next-Generation and "its time to fix the firewall" is great, but they put a strong spin on using application ID or USER ID when really they do a sort of DNS; the product still makes decisions based on IP addresses, they just work very hard to hide it from the user so they can deal in terms they understand instead. It is a valid approach, as long as the customer understands its more of a shiny icing than a totally new cake recipe. As with many things in the security space, your experiences or demo/trial should dictate your purchase dollars, not promises, marketing datasheets, or fancy flash videos.

Just my 2 cents, hope it is of use.
Cancel
Vote Up 0 Vote Down

Cancel