After quitting Juniper in 2005 — leaving behind millions in unvested stock options — Nir Zuk co-founded the fast-growing network security firm Palo Alto Networks. Earlier this month, Zuk sat down with us in Manhattan to discuss security virtualization, cloud security, and why chief information security officers (CISOs) might soon rethink their dedication to Cisco.
Palo Alto has been expanding its product line from hardware firewalls to software-only virtual firewalls. What are the limitations with a virtualized firewall?
Zuk: In my opinion — by the way, if you talk to VMware, they’ll have the same opinion — protecting north-to-south traffic is going to continue to be physical-firewall based. We’re talking about tens of gigabits per second. The most cost-effective way of doing that is with physical firewalls.
Now, east-to-west traffic is a different thing. The most efficient way you can see traffic running east-to-west in the data center is using virtualized firewalls. The challenge with that traditionally has been performance. The more modern firewalls and the other security devices, they deal with content. To deal with content efficiently, you need hardware usually, so that’s been my challenge.
How fast can the best virtual firewall get today?
Zuk: With all our functionality turned on, running on an appropriate number of Intel CPU cores, we can achieve about 1 Gb/s, which is good, by the way. If you take a hardware device from one of our competitors — without mentioning any names, the one that’s based in Israel — and you take a third-rack device, it’s called the 61000, fully populated it’s probably $500,000 to $1 million, and if you turn on all the functionality on it, it will run at 400 Mb/s.
So our virtual firewalls are faster than some of our competitors’ physical firewalls. That still doesn’t help the customer if they need more than a gigabit or two, which is relatively rare. Usually if you look at east-to-west traffic coming out of a single VM, it’s usually not in a 10-Gb/s level.
Are those speed limitations a problem as enterprises shift to the cloud?
Zuk: Most enterprises haven’t shifted to cloud, not even internally. Meaning, not even to a private cloud. Today, everyone that builds a virtual data center calls it a private cloud. It’s not a cloud. For me, a cloud, a private cloud or a public cloud, is a virtualized data center where each CPU, each core, can run any software at any time, and it’s the controller that decides what runs where, and all the cores and all the memory and all the storage are available at any given time to run anything.
Most enterprises are not there. Most enterprises that I talk to are still, mostly because of security, running their data centers in a way where hardware is still dedicated for different functions. It’s running in VMs, but still Oracle will always run on the same physical servers. The web servers will always run on the same server and their SAP will always run on the same server.
You released the new VM-Series firewall for Amazon Web Services in October, though, so you must see that shift to public cloud coming. Is that a threat or opportunity for your market share?
Zuk: When you secure a public cloud you need to do the same thing. You need to look at your east-to-west traffic in the public cloud. You need to look at your north-to-south traffic in the public cloud. I think the only difference between the public cloud and private cloud is going to be that the north-to-south traffic has to be done in virtual firewalls or virtual security devices as well, because Amazon and others are not going to let you deploy a physical device. But the way we price things, we don’t care that much if you buy a physical firewall for your private cloud, or a bunch of virtual firewalls for your public north-to-south. You still need them.
How is demand so far for the AWS firewall?
Zuk: The AWS version has been released very, very recently, so I don’t think we can talk about trends there. I know that other vendors that have been trying to sell on AWS for a long time haven’t been doing well.
Is that because they have junky products or because the market’s not there?
Zuk: We don’t know yet. We’ll see. It’s either because of the product, or maybe because most customers on AWS are still not the large enterprises that are willing to spend money on security. Time will tell.
We are seeing a good demand for our virtual firewall running on VMware NSX in private cloud deployment.
About that VMware partnership — they have put a lot of focus on microsegmentation, which seems like it does some of the things that Palo Alto would normally do. Are you almost in competition with their microsegmentation?
Zuk: No. VMware’s microsegmentation is based mostly on network segmentation and very rudimentary access control. Our solution is segmenting things at the security level. When I say network segmentation, what I mean is that A cannot talk to B or A can talk to B. You do this using VLANs, right? You put different VMs on different VLANs, and if they’re on the same VLAN, they can talk to each other. If they’re not on the same VLAN, there’s access control at least. VMware has been doing it forever, and I think what they heard from their customers is that their customers wanted much more. What they wanted to do is segment things using a security device, meaning not just segment them on whether A can talk to B or A cannot talk to B, but more about when A talks to B, what’s okay for A and B to be talking about?
So, a more granular level of control.
Zuk: More granular control, and also looking at the content and making sure that the content is not harmful. That’s not something that VMware solutions were doing, which is why they partnered with us and why they’re selling our virtual firewall to their customers as part of NSX.
The PA-7050 is your new high-performance hardware firewall. Is that something that can handle these hyperscale data centers, the Googles and Facebooks?
Zuk: That product is not aimed at that market, not because of scale but because of functionality. If you look at what Internet-facing data centers require, they usually require very, very basic security at the network level. If you are a Google or you are a Facebook, or you are a much smaller company with an Internet presence, what you really want to do is to allow outside clients to access your web servers and only your web servers. You don’t need a sophisticated firewall to do that, and they don’t buy sophisticated firewalls to do that.
The 7050 and our other products are aimed more at the corporate data center, which is, by the way, a much bigger market than those mega data centers, because almost every company has a corporate data center — whether internally or, for some of them now, moving to the cloud, you still have a corporate data center.
You’ve quit two jobs, at Check Point and Juniper, to go your own way and start your own company. What’s been the biggest surprising frustration of having your own company?
Zuk: I think we’re doing well. We just announced a $240 million billing quarter, growing 50% year-over-year. Check Point is at what, $330 million or so, so do the math.
When you went public in 2012, was there any feeling of giving up control, feeling like the pension fund managers are your bosses now?
Zuk: Not yet. I think that as long as the company’s doing well and it’s growing, and the financials are good, then they’re happy. We went public at $42. We did a secondary at $63, I think. And we’re at a hundred and … I don’t know. I didn’t check this morning, it’s not open yet. Here you have to wait, on the east coast. [The stock was at $116.93 late Monday.]
So the shareholders are happy — I would hope so.
What are the biggest changes you think we’ll see in the security field next year?
Zuk: I think 2015 is going to be probably the year when the rubber hits the road, in the sense that we’re going to find out what works and what doesn’t work in terms of products.
I am finding myself more and more involved in conversations with security professionals, or maybe “professionals” with quotes, who insist on sticking to their existing security solutions that they’ve had for 20 years without any real rationale behind it. I think that worked okay in 2014. You cannot get fired for using Cisco.
I think in 2015 you’ll be fired for using Cisco. If you get hacked, I don’t think that’s going to work.
That’s what I mean when I say that I think that the rubber is going to hit the road. I think that IT security organizations will have to start securing their networks, not just make it appear as if they are securing their networks.