Re: Ports/applications permitted for Guest Access

[Robert Lau <rslau () USC EDU>]

We looked at Palo Alto but picked Fortinet instead.  There is paucity of options in the 10G (and above) space.  A 
blade/chassis solution better handled our multiple 10G links, multiple borders, and generally non-straightforward 
network topology.

Back to the original question, assuming you had the budget for an NG firewall (I can tell who is reading this email by 
listening for derisive laughter), would you switch?  Is the goal of port blocking to limit people to "web browsing" 
(which is not the same as "web browsing" from just 5 years ago.  People can live in a browser, Chromebooks come to 
mind) and deny "bad" applications, like...?  Or to prevent certain outbound attacks?  Or... ?

Thanks,

-robert

On Sep 11, 2011, at 10:11, Dave Koontz wrote:

> As you've discovered, port based firewalls are no longer adequate in today's world.  Any application can disguise 
> itself as web traffic (http or https), and many "bad" things do.
>
> You need a firewall that can understand applications regardless of ports used.
>
> Take a look at Palo Alto networks solutions or any other next generation firewalls.  I really believe Palo Alto has a 
> huge lead currently in this market. I am sure that Cisco, Foundry, Juniper and others will catch up in a couple of 
> years, but for now Palo Alto has a clear lead.  Take a look at the last Gartner's Firewall report to see what I mean.
>
> --
> Dave Koontz
> Mary Baldwin College
> Staunton, Virginia
>
> On 9/11/2011 10:39 AM, Robert Lau wrote:
> > Is anybody doing protocol/application inspection?  Once ports 80/443/22/etc are allowed, an app can pump any data 
> > through; it does not have to be http/https/ssh/etc.  In olden days, this would probably only be done by a clueful 
> > user, but many applications do this automatically now specifically to handle port restrictions.
> >
> > -robert