Tearing Away the Veil of Hype from Palo Alto Networks’ IPO

Tuesday, April 24, 2012

Richard Stiennon


At long last the much hyped Palo Alto Networks (PAN) has filed its S-1 in preparation for an IPO.

Now that we have some visibility into PAN’s real finances it is time to address some of their claims, and perhaps throw cold water on the exuberance being expressed in some circles.

There is certainly cause for excitement whenever a new firewall vendor goes public. Network security is a booming space and the firewall is the core of the network security industry.

That is why companies like SourceFire and F5 have announced their own firewalls. The opportunity for new vendors in the space is enhanced by the fact that two of the incumbents, Cisco and Juniper, have taken their eye off the ball.

PAN has claimed that the legacy stateful inspection firewall is dead; they even created a cheesy video depicting a funeral for the firewall held in their offices with founder Nir Zuk as the savior. The funeral for the firewall video has since been taken down.

Stateful inspection is a core functionality of firewalls introduced by Check Point Software over 15 years ago. It allows an inline gateway device to quickly determine, based on a set policy, if a particular connection is allowed or denied. Can someone in accounting connect to Facebook? Yes or no. Can a user in Russia connect to internal SCADA controls? Yes or no. 

The stateful part is that the decision to allow or block packets for the duration of the session is made only once. It was an innovation that changed the firewall market in a time when the first firewalls, based on proxying every session, were struggling to keep up with increased bandwidth and connection requirements.

As firewalls evolved and attacks became more sophisticated it became necessary for additional protections: IPS, anti-malware, VPNs, and URL filtering.  At first these were each provided by stand alone products from specialized vendors. Nir Zuk created one such, an IPS vendor, OneSecure, after leaving Check Point Software. The trend today is to incorporate these capabilities in a single high power appliance such as those from Fortinet, SonicWall, and SourceFire.

But inspecting 100% of traffic to implement these advanced capabilities is extremely stressful to the appliance, so all of them still use stateful inspection to keep track of those connections that have been denied. That way the traffic from those connections does not need to be inspected; it is just dropped, while approved connections can still be filtered by the enhanced capability of these Unified Threat Management (UTM) devices (sometimes called Next Generation Firewalls (NGFW), a term coined by Palo Alto Networks).
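The following sketch is an added illustration, not code from the article or from any vendor: it models a gateway that evaluates policy once per connection, caches the verdict in a state table, drops packets of denied connections without inspection, and passes packets of allowed connections to a stand-in for the UTM content checks. The rule base, addresses (documentation ranges), port numbers and the `Gateway` class are constructed for the example, and TCP state tracking, reply direction and timeouts are left out.

```python
"""Toy stateful-inspection gateway: policy is evaluated once per connection."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed rule base (first match wins, default deny).
RULES = [
    ("allow", ip_network("10.1.0.0/16"), ip_network("0.0.0.0/0"), 443),   # accounting -> web
    ("deny", ip_network("0.0.0.0/0"), ip_network("10.9.0.0/24"), 502),    # anyone -> SCADA
]

@dataclass
class Gateway:
    state: dict = field(default_factory=dict)  # 5-tuple -> cached verdict
    policy_lookups: int = 0                    # rule-base evaluations
    inspected: int = 0                         # packets sent to content inspection
    dropped: int = 0                           # packets dropped from the state table

    def _evaluate(self, src, dst, dport):
        self.policy_lookups += 1
        for action, src_net, dst_net, port in RULES:
            if ip_address(src) in src_net and ip_address(dst) in dst_net and dport == port:
                return action
        return "deny"

    def handle(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        verdict = self.state.get(key)
        if verdict is None:  # first packet of the session: decide once, remember
            verdict = self.state[key] = self._evaluate(pkt["src"], pkt["dst"], pkt["dport"])
        if verdict == "deny":
            self.dropped += 1   # no content inspection spent on denied traffic
            return "drop"
        self.inspected += 1     # stand-in for IPS / anti-malware / URL filtering
        return "forward"

def run_sample():
    """Five packets each from one allowed and one denied connection (constructed)."""
    gw = Gateway()
    allowed = {"src": "10.1.4.20", "sport": 50000, "dst": "203.0.113.10",
               "dport": 443, "proto": "tcp"}
    denied = {"src": "198.51.100.7", "sport": 40000, "dst": "10.9.0.5",
              "dport": 502, "proto": "tcp"}
    results = [gw.handle(p) for p in [allowed] * 5 + [denied] * 5]
    return gw, results

if __name__ == "__main__":
    gw, _ = run_sample()
    print(gw.policy_lookups, gw.inspected, gw.dropped)
```

Ten packets cost two rule-base evaluations; only the five packets on the allowed connection reach the inspection stage.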

But PAN really has abandoned stateful inspection, at a tremendous cost to their ability to establish connections fast enough to address the needs of large enterprises and carriers.  Bob Walder, Chief Research Officer, NSS Labs, Inc., had this to say about PAN’s technology:

“Low connection rates due to application fingerprinting and single-pass integrated engine design may pose a problem for large enterprises that are considering deploying Palo Alto Networks firewalls as replacements for traditional firewalls. Protection is designed with default deployment in mind, including IPS. For those that wish to deploy as firewall only, protection may be weakened in certain areas compared to traditional firewall deployments, and the same low connection rates apply to the firewall even when IPS is disabled.”

In other words, an enterprise deploying PAN’s NGFW is getting full content inspection all the time with no ability to turn it off. That makes the device performance unacceptable as a drop-in replacement for Juniper, Cisco, Check Point, or Fortinet firewalls.

So how did PAN acquire the 6,500 customers they reveal in their S-1 filing? (Fortinet had 75,000 customers at their IPO and reports 125,000 customers today.) It’s the application awareness feature. This is where PAN’s R&D spending is going. All the other features made possible by their hardware acceleration and content inspection ability are supported by third parties who provide malware signatures and URL databases of malicious websites and categorization of websites by type. 

While anecdotal, the reports I get from enterprise IT professionals are that PAN is being deployed behind existing firewalls. If that is the general case, PAN is not the Next Generation Firewall; it is a stand-alone technology that provides visibility into application usage.

Is that new? Not really. Flow monitoring technology that provides this visibility at a high level has been available for over a decade from companies like Lancope and Arbor Networks. Application fingerprinting was invented by SourceFire and is the basis of their RNA product.

While I will agree that application identification and the ability to enforce policies that control what applications can be used within the enterprise are important, I contend that application awareness is ultimately a feature that belongs in a UTM appliance or stand-alone device behind the firewall. Like other UTM features it must be disabled for high connection rate environments such as large corporate gateways, data centers, and within carrier networks.

Now let's take a look at PAN’s incredible growth rates. As the S-1 prominently declares, and this Forbes contributor is overly excited about, PAN grew revenue at the year-over-year rate of 109%. But looking at quarter-to-quarter growth, a different story comes out.

Every technology vendor fights to level their sales within each quarter. Yet, because of the incentive plans for direct and channel sales forces they all experience an end of quarter spike. Some of them close more than half their sales in the last two weeks of the quarter.

PAN points this out in their S-1 as a risk, and rightly so, because that end of quarter scramble to close deals (and ship product) can lead to misses that slip into the next quarter. But you will notice that PAN’s fiscal year is nicely staggered from the calendar year by one month.

Its fiscal year ends July 31 and, most importantly, the critical quarter that encompasses the last quarter of the calendar year ends January 31 of the next year. This is a valid strategy to address spiky quarters. Customers have long recognized that companies are most anxious to cut favorable deals at the end of quarter and take advantage of that.

The fourth quarter is the busiest for most tech vendors. By delaying the reporting quarter until January 31st, PAN buys themselves time to protect their margins, relieves the last-minute effort to ship between Christmas and New Year’s, and gives their financial department breathing room to close the books in February instead of the first weeks of the new year.

So let’s compare PAN’s quarterly revenue for the last six reported quarters:

[Chart: PAN IPO]

See that?  In the three months ending Jan. 31 2012 PAN’s revenue is off from the previous quarter. The fourth quarter is usually the best quarter for technology vendors. There may be some extraordinary situation that accounts for that, but it is not evident in the S-1. Was there a general market downturn last year?

Look at the competition in the pure play security business. (Juniper and Cisco are predominantly switch and router vendors so I left them out.)  They all had respectable gains in revenue in Q4.

There is no denying that year-over-year PAN has been on a tear, almost doubling its revenue from Q4 2010 to Q4 2011. But the glaring fact is that PAN’s revenue growth has completely stalled out in what was a great quarter for the industry.
