
Friday, October 09, 2009

firewall-wizards Digest, Vol 42, Issue 7

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: asa 5505 vpn ipsec l2l problem (craig.wilson@redtray.co.uk)
2. Palo Alto Networks (Paul Hutchings)
3. Re: Palo Alto Networks (Francois Yang)
4. Re: Palo Alto Networks (Paul Hutchings)
5. Re: Palo Alto Networks (ArkanoiD)
6. Re: Palo Alto Networks (ArkanoiD)


----------------------------------------------------------------------

Message: 1
Date: Thu, 8 Oct 2009 19:05:03 +0000
From: craig.wilson@redtray.co.uk
Subject: Re: [fw-wiz] asa 5505 vpn ipsec l2l problem
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<895569053-1255025125-cardhu_decombobulator_blackberry.rim.net-825122493-@bda105.bisx.produk.on.blackberry>

Content-Type: text/plain; charset="Windows-1252"

If you have tunnel interfaces set up on each end, can you ping those addresses? They should work even if you're not passing anything into the tunnel.

Sent from my BlackBerry® wireless device

-----Original Message-----
From: Eric Gearhart <eric@nixwizard.net>
Date: Mon, 5 Oct 2009 21:45:33
To: Firewall Wizards Security Mailing List<firewall-wizards@listserv.icsalabs.com>
Subject: Re: [fw-wiz] asa 5505 vpn ipsec l2l problem

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



------------------------------

Message: 2
Date: Thu, 8 Oct 2009 18:00:54 +0100
From: Paul Hutchings <paul@spamcop.net>
Subject: [fw-wiz] Palo Alto Networks
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <C19E82A3-4924-416D-A312-8142D94B7820@spamcop.net>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Getting one of their boxes on eval for a couple of weeks. Quite a
broad and generic question I know, but does anyone have any
experience(s) they wish to share?

Cheers,
Paul


------------------------------

Message: 3
Date: Thu, 8 Oct 2009 14:47:20 -0500
From: Francois Yang <francois.y@gmail.com>
Subject: Re: [fw-wiz] Palo Alto Networks
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<7a3963cb0910081247s2e479521k5a3b65a3bb5968d@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

I've worked with them before and they're pretty good:
easy setup and maintenance, good integration with Active Directory,
good application detection engine.
Overall it's a good product, but you have to test it in your own
environment to see if it fits.
Here are the drawbacks that I can remember; all firewalls have some
kind of issues.
Here are the issues I see, and maybe they have been fixed by now. I
don't know; it's been a while.
I remember it didn't have central management, so having a few of
those boxes may be OK, but when you're looking at 20+ clusters, it
becomes time consuming to manage.
The application detection engine would automatically drop the traffic of
unknown apps into a low priority pool. So if you have home grown apps
which require a lot of bandwidth, you need to make sure you find them
and give them a definition, or work with their team to create a custom rule;
otherwise they will crawl.
I'm sure there are more pros and cons, but that's all I can think of.
Let me know if you have more questions.

Frank

On Thu, Oct 8, 2009 at 12:00 PM, Paul Hutchings <paul@spamcop.net> wrote:
> Getting one of their boxes on eval for a couple of weeks. Quite a broad and
> generic question I know, but does anyone have any experience(s) they wish to
> share?
>
> Cheers,
> Paul
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

--
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked. - White House Cybersecurity
Advisor, Richard Clarke


------------------------------

Message: 4
Date: Thu, 8 Oct 2009 20:48:44 +0100
From: Paul Hutchings <paul@spamcop.net>
Subject: Re: [fw-wiz] Palo Alto Networks
To: "Cassell, Damon Z." <dcassell@mitre.org>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <1FFA71EA-711F-4F88-85F4-E106D627E817@spamcop.net>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Fair question. At present we have an application aware firewall;
technically it is a proxy, but it doesn't cache/we have no need to
cache. Of course, whilst it's smart enough to know whether what's
passing through it is valid/RFC compliant HTTP/FTP/HTTPS and so on,
it has no idea if it's Skype, MSN Messenger, Webex and so on. That's
the key area that I'm interested in, combined with the integrated
spyware/malware/virus filtering.

As for other vendors, in a nutshell no, as from what I can tell the PA kit
seems kind of unique once you go above where we are now, i.e. protocol
aware proxy.

My plan is to configure the loan unit with the rules we need and put
it in and see how it goes, but of course feedback from those more
familiar with the product is always a bonus.

Paul

On 8 Oct 2009, at 20:19, Cassell, Damon Z. wrote:

> What are you trying to accomplish? Firewall replacement? Proxy
> replacement? DLP? The Palo Alto tries to hit a lot of areas. What
> features are most important to you? Are you looking at other vendors?
>
> Test carefully (with real world traffic if you can) before you buy,
> and it would help to benchmark against another product in your
> testing.
>
> My experience with the product was prior to the release of PanOS 3
> so I am not sure my observations would apply now.
>
> Damon
>
>
> -----Original Message-----
> From: firewall-wizards-bounces@listserv.cybertrust.com
> [mailto:firewall-wizards-bounces@listserv.cybertrust.com] On Behalf
> Of Paul Hutchings
> Sent: Thursday, October 08, 2009 1:01 PM
> To: Firewall Wizards Security Mailing List
> Subject: [fw-wiz] Palo Alto Networks
>
> Getting one of their boxes on eval for a couple of weeks. Quite a
> broad and generic question I know, but does anyone have any
> experience(s) they wish to share?
>
> Cheers,
> Paul
>


------------------------------

Message: 5
Date: Fri, 9 Oct 2009 00:09:46 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Palo Alto Networks
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20091008200946.GA18418@eltex.net>
Content-Type: text/plain; charset=koi8-r

The idea itself is quite good for some cases (do not rely on port numbers, use
traffic signatures *instead*). Though it sounds much like "giving up application control" ;-)

The marketing bullshit is awful, though. There are a dozen whitepapers with amazingly few
useful technology details but too many buzzwords about "next generation".

Despite that, it seems to be a quite decent product with (still DPI-driven) L7 inspection,
(quite basic) DLP functionality built in
(still much better than nothing), data fingerprinting and reasonable performance
(though I am strongly against justifying firewalls by performance).


On Thu, Oct 08, 2009 at 06:00:54PM +0100, Paul Hutchings wrote:
> Getting one of their boxes on eval for a couple of weeks. Quite a
> broad and generic question I know, but does anyone have any
> experience(s) they wish to share?
>
> Cheers,
> Paul
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
> email protected and scanned by AdvascanTM - keeping email useful -
> www.advascan.com
>
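The two points made in this thread, that an application identification engine names a flow from its payload rather than its port (ArkanoiD's "do not rely on port numbers, use traffic signatures instead") and that whatever it cannot name drops into a low-priority pool (Frank's warning about home-grown apps crawling), as a small added Python illustration. This is not Palo Alto code; the port table, signatures and sample flows are simplified, constructed assumptions.

```python
import re
from typing import NamedTuple

class Flow(NamedTuple):
    dst_port: int
    payload: bytes  # first bytes the client sent

# What a port-based (classic stateful) firewall assumes from the port alone.
PORT_TABLE = {22: "ssh", 25: "smtp", 80: "http", 443: "ssl"}

# Simplified, constructed payload signatures; real engines use far richer
# state machines, but the principle is the same: name the app from the bytes.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("smtp", re.compile(rb"^(EHLO|HELO) ")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    # TLS record type 0x16, version 3.x, 2-byte length, handshake type ClientHello (0x01)
    ("ssl", re.compile(rb"^\x16\x03[\x00-\x03][\x00-\xff]{2}\x01")),
]

# QoS pools: anything the engine cannot name lands in the low-priority pool,
# which is exactly why an unclassified home-grown app "crawls".
QOS_CLASS = {"ssh": "interactive", "smtp": "bulk", "http": "bulk", "ssl": "bulk"}

def guess_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dst_port, "unknown")

def guess_by_signature(flow: Flow) -> str:
    for name, pattern in SIGNATURES:
        if pattern.match(flow.payload):
            return name
    return "unknown"

def classify(flow: Flow) -> dict:
    """Compare both verdicts and flag a flow whose payload contradicts its port."""
    by_port, by_sig = guess_by_port(flow), guess_by_signature(flow)
    return {
        "port_guess": by_port,
        "app": by_sig,
        "qos": QOS_CLASS.get(by_sig, "low-priority"),
        "port_app_mismatch": by_sig != "unknown" and by_sig != by_port,
    }

# Constructed sample flows: SSH on 443, plain HTTP, a TLS ClientHello, and a
# fictional home-grown protocol on a high port that no signature knows.
SAMPLE_FLOWS = [
    Flow(443, b"SSH-2.0-OpenSSH_7.9\r\n"),
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow(9999, b"MYAPP/1 HELLO worker-7\n"),
]
```

The `port_app_mismatch` flag is what a defender would alert on: an SSH banner arriving on 443 is exactly what a port-only rule set would wave through as HTTPS, and the last flow shows the home-grown app landing in the low-priority pool until someone writes it a definition.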

------------------------------

Message: 6
Date: Fri, 9 Oct 2009 00:12:24 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Palo Alto Networks
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20091008201224.GB18418@eltex.net>
Content-Type: text/plain; charset=koi8-r

Ah, and it does SSL MITM as well. I do not have any hands-on experience, though.

(Going to publish a whitepaper on a "benevolent" SSL MITM proxy soon, which fixes several
SSL security problems ;-)

On Thu, Oct 08, 2009 at 06:00:54PM +0100, Paul Hutchings wrote:
> Getting one of their boxes on eval for a couple of weeks. Quite a
> broad and generic question I know, but does anyone have any
> experience(s) they wish to share?
>
> Cheers,
> Paul
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
> email protected and scanned by AdvascanTM - keeping email useful -
> www.advascan.com
>

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 42, Issue 7
***********************************************
