Battlecard

Palo Alto Networks
Palo Alto is a California-based company best
known for driving the emergence of the
term Next-Generation Firewall (NGFW). The
company was formed by former Check Point staff, some
of them significant senior employees.
They claim to re-invent the firewall by declaring that
port-based protection (which secures the entire
Internet) is irrelevant and take the stance that they
invented the idea of identifying traffic at the
application layer. While they have heavily marketed
the technology, it is neither new, nor unique to them.
Not a real UTM
Small market landscape
Being a new company with a heavy focus on the large
enterprise, Palo Alto does not have a large customer
base. With only a couple of thousand boxes deployed,
they do not have the same scope of visibility into the
security landscape as Sophos. With an installation base
of over 70,000 active installations as of January 2012
(growing massively quarter-over-quarter), we have a
larger market from which to gather security data, collect
feature requests and determine what businesses want
to buy.
The Check Point approach
With the founders’ history at Check Point, the Palo Alto
configuration-style is reminiscent of the Check Point
design. Administrators not familiar with this approach
are frequently frustrated at the number of steps required
to achieve even basic operations. They dislike needing to
touch many controls in various sections, review what has
been entered, and then finally commit the changes. The
concept of enterprise-style “trust” zones litters the entire
configuration, further adding to the layers of complexity
when trying to deploy a Palo Alto device.
Not SMB friendly
Palo Alto has openly claimed they “do not want SMB
customers”. Their solution is built with the very large
enterprise in mind. As such, it is complex
and easily overwhelms administrators looking to deploy
it. Much confusion has been created by their
“smaller” units, which are not designed to stand alone
at a small or midsized company, but rather to connect
branch offices back with a much larger Palo Alto device
at the company headquarters.
Not a UTM
Palo Alto has a heavy reliance on their application
control features. While they have some functionality
in other areas, their lack of a true gateway design
makes them almost exclusively deployed deeper in the
network–and not at the perimeter. Customers are then
using another product as their main firewall. They are
criticized for their lackluster focus and implementation
in non-application control features such as VPN and
web content filtering. These areas take a clear back seat
to their application control functionality, which seems
vastly more developed in comparison. They have no web
server security (WAF), mail filtering, are not able to retain
logs and reports for long periods of time, and lack basic
user VPN capabilities like L2TP and PPTP.
A Sophos Battlecard Palo Alto Networks
Sophos UTM versus Palo Alto Networks
Cost/features/numbers/statistics
                                        UTM 120   UTM 320   UTM 625   PA-200    PA-2050   PA-4050
List price appliance 1 year UTM         1,835*    8,625*    34,935*   3,900**   28,760**  107,600**
Additional cost for high availability   595       2,875     11,975    2,000     18,400    69,000
Firewall throughput (Mbps)              1,800     3,500     10,000    100       1,000     10,000
VPN throughput (Mbps)                   188       700       1,400     50        300       2,000
IPS throughput (Mbps)                   240       1,400     2,400     50        500       5,000
Number of interfaces                    4         8         18        4         12        24
* Full Guard (with Wireless Protection, Email Protection and Platinum Support)
** Includes only firewall, IPS, URL filtering and Basic Support
Questions for buyers
Is your company a large Enterprise?
If your business focuses its security efforts on keeping
employees working with minimal impact while achieving
the best protection for your available budget, Palo
Alto is not for you. Sophos UTM is designed with the
administrator in mind, allowing for even powerful
features to be introduced and configured with ease. In
comparison, Palo Alto is overly expensive for the features
they provide, and their cumbersome design requires
configuration in multiple sections with excessive overlap,
making even simple operations take a lot of time to set up
correctly.
Do you only need an application firewall?
Palo Alto is almost exclusively designed around their
application control engine. While providing a capable
firewall in this area, they fall behind Sophos UTM for
web filtering, VPN, intrusion protection, and the other
areas which are part of a UTM both in feature depth
and configuration ease. They have no mail filtering
or wireless security products and cannot match the
configurationless design and low, one-time price of RED
at the branch office.
Does your company use thousands of
applications?
By observing data from thousands of installations, we
know that most businesses generate 95% of their traffic
with fewer than 20 applications. Palo Alto’s application
control has thousands of obscure and poorly labeled
patterns, most of which are rare and never seen in an
actual network. This focus on “pattern-racing” might
yield bigger numbers for advertising, but leads to a
convoluted library which makes it difficult to configure
what is relevant. Sophos UTM by comparison includes
patterns which are targeted at applications you really
use.
Three reasons to choose Sophos UTM
No imposed limits
Palo Alto appliances have various limits within the configuration; Sophos
lets you use your device freely. Unlike Palo Alto, we don’t place limits on the
number of NAT rules, policy rules or security zones in our solutions. As long
as you have free resources, you can configure your Sophos UTM as you like it.
Not just an application firewall
Application control is just one tool of many in network security. If you want to
secure your web servers, filter email, or offer basic road warrior VPN services
to your users, Palo Alto won’t be able to solve your problems. Even intrusion
protection is a dedicated, separate subscription from their firewall. Sophos
UTM offers complete security for your entire network.
Affordable by mortals
Bolstered by a marketing department that makes several claims about being
unique in regards to several features, Palo Alto charges outrageous amounts
of money for their solution. While this type of stratospheric pricing may have
been justifiable early on when they had a lead in focusing on application
control as “new”, today with many options for this technology available, it is
unrealistic to expect that kind of price premium for their solutions.
Find out more
visit sophos.com/unified
© Copyright 2012. Sophos Ltd. All rights reserved.
All trademarks are the property of their respective owners.
A Sophos Battlecard 02.12v1.dNA