“They don’t like me,” says Nir Zuk of his old bosses. As one of the earliest employees at Check Point Software Technologies in the 1990s, he wrote parts of the world’s first commercial firewall. He later built essential chunks of the firewall sold by Juniper Networks. But at both companies, Zuk ended up quitting in a huff—and, in one case, walking away from millions of dollars in unvested stock options. Why? The Israeli engineer felt his best ideas were being blocked by incompetence and office politics. All he ever wanted, he insists, was to build new things.
Zuk’s revenge is Palo Alto Networks, which sells the first new class of firewall in 11 years. The company IPOed in July 2012, bringing in $260 million. Its products are crushing the competition. Palo Alto has only 4 percent of the $10 billion network security market, but it is rapidly gaining share. In the most recent quarter, its revenue was up 70 percent to $96 million, an increase of $40 million, equal to the entire revenue gain for all other firewall companies. Check Point, which has 15 percent of the market, grew by $12 million, up only 3 percent.
With a chip on his shoulder the size of Mount Sinai, Zuk never misses an opportunity to poke fun. He pulls out his iPhone and shows me a photo of a Palo Alto billboard just outside of Check Point’s offices in Tel Aviv. In Hebrew, it reads: “You just passed Check Point. So have we. Palo Alto Networks.” At a March investor conference in New York, Zuk led a live demonstration to prove the speed and ease of updating his firewall. While Palo Alto’s product took five seconds to update, Zuk was able to brew and drink a double espresso in the time it took to update Check Point’s. The rivalry goes deeper than stunts. Palo Alto’s board has two major defectors: Shlomo Kramer, a Check Point co-founder, and Asheem Chandna, a former Check Point vice president who bankrolled Palo Alto as a partner at venture capital firm Greylock.
The firewall battle has never been more relevant. The past few years have brought an acceleration in the number and sophistication of cyber attacks. In 2011, a US government report accused China and Russia of trying to build their economies on stolen intellectual property. The job of protecting a network has grown more complicated as employees demand to use their iPads and smartphones at work, and clamour for external web applications like Dropbox, Skype, Google Docs and Salesforce. These devices and apps are common entry points for hackers and thieves. Quantifying the IP and research losses from cyber-raids is difficult, but the damage could be as high as $400 billion annually. Attacks come from the inside, too. At Valspar, an employee downloaded paint formulas that he planned to take to China. That theft was valued at $20 million, one-eighth of Valspar’s annual profit.
Firewalls are designed to keep this sort of thing from happening. They prevent malware from getting into a network, and sensitive data from getting out. The problem is that traditional firewall software, like the kind sold by Check Point, Juniper and Cisco, relies on stateful inspection, which specifies the kinds of data packets it will accept or drop. Everything is either ‘good’ or ‘bad’.
This presents a tough choice to firms that have become dependent on web apps. Stateful inspection offers only two options: Block the apps to mitigate risk exposure, or let them in and hope for the best.
Palo Alto’s next-generation firewall cuts through the impasse. It can parse all the components of a web application like Facebook to selectively allow, for instance, news feeds while blocking chat and games. Employees can read Twitter feeds but not tweet; they can share Dropbox documents without worrying about attached malware. Conversations between IT security and other departments no longer have to begin and end with “No”.
“Our competitors agree on the problem,” Zuk says. “They agree that Dropbox is dangerous. Their solution to Dropbox being dangerous is to block Dropbox. Our solution is to make Dropbox safe.”
Palo Alto, founded in 2005, has 11,000 customers, including 500 among the Global 2000. More than 60 percent of its customers use Palo Alto as their primary firewall. Independent analysts confirm Zuk’s claim of being out in front. “All their competitors are stuck in a rut, and they tend to drop their pants,” Forrester Research analyst John Kindervag says. “They are several years away from catching up. Some are bringing next-generation firewalls to market. Some are good. Some are more marketing than reality. They discount significantly.”
How’s all this sitting with Check Point, the Israeli firm whose billionaire co-founders, Gil Shwed and Marius Nacht, invented the original commercial firewall? Check Point declined to comment for this story, but when Forbes talked to Shwed in November, he avoided mentioning both Zuk and Palo Alto by name: “I think it’s sad that good people try and do things like that. This person was a disgruntled employee from Check Point—a very smart guy, I’m not trying to take that away,” he continued. “They’ve got good things, too. I like to think that we have much, much better things, much better technology.”
There was a time when Zuk and Shwed were brothers-in-arms. Three years Zuk’s elder, Shwed began his required service in the Israeli Defense Forces (IDF) in 1986. He entered Unit 8200, an elite electronic intelligence arm, at age 18. There he built the world’s first packet-filtering device that screened traffic based on Internet Protocol address. Zuk was a natural for Unit 8200. He learned to read and write before entering school. He got his first pair of glasses in the third grade after years of fooling school nurses by memorising the vision chart. In the sixth grade, he became chess champion of Israel’s eighth-grade-and-under division. Zuk begged his parents to get him a Dragon 64 computer for his bar mitzvah. He went on to create some of the world’s first computer viruses. “Just for fun,” he insists.