Firewall upgrade can ID bad outbound traffic

LONDON  — Palo Alto Networks is upgrading its firewall products with a capability to precisely identify outbound traffic generated by malware, a technique that the company said will help if the malware is undetected at first and starts running on a computer.

The company calls the technology WildFire, and it will be distributed as a free upgrade for Palo Alto’s firewall products. It is aimed at halting targeted attacks, where the malware is not widely distributed and designed to evade front-line detection methods.

Palo Alto’s firewalls run suspicious-looking files in a virtualized sandbox and examine how the files behave. If a piece of malware does suspicious actions such as altering registry settings, injecting itself into processes or other bad behaviors, it will be blocked.

But if a piece of malware does escape that examination, eventually it will start sending traffic out of the computer, and that is what WildFire is designed to detect even if it is encrypted, said Wade Williamson, a senior security analyst for Palo Alto Networks.

[Is a next-generation firewall in your future?] 

WildFire examines the traffic, and if it is bad, will generate a signature to identify the traffic flow and stop it in the future. It may mean a machine may get infected one time with the malware, but the computer can be then be isolated and reimaged, Williamson said.

“The big issue is to make sure that you only let that infecting file by once,” Williamson said.

Palo Alto Networks firewalls were detecting strange outbound traffic before, “but we didn’t have a good answer for what caused that to start happening,” Williamson said.

In beta tests, WildFire picked up malware that hadn’t been entered yet into VirusTotal, which allows people to see if malicious software is detected by a range of security vendors, Williamson said.

WildFire is part of Pan OS 4.1, the latest operating system upgrade for the company’s firewalls.

 

The company also released on Monday the PA-200, a physically smaller firewall targeted at high speed Internet gateway deployments in branch offices. It offers 100 Mbps firewall throughput,  50 Mbps threat prevention throughput and can handle up to 64,000 sessions. It can be configured to run up to 25 IPSec virtual private network tunnels for 25 users at a time.

 

Finally, on Monday the company also extended its access and application control software, GlobalProtect, for Apple’s OSX and iOS operating systems.