Educause Security Discussion mailing list archives
Re: Ports/applications permitted for Guest Access
From: Robert Lau <rslau () USC EDU>
Date: Sun, 11 Sep 2011 14:49:14 -0700
We looked at Palo Alto but picked Fortinet instead. There is a paucity of options in the 10G (and above) space. A blade/chassis solution better handled our multiple 10G links, multiple borders, and generally non-straightforward network topology.

Back to the original question, assuming you had the budget for an NG firewall (I can tell who is reading this email by listening for derisive laughter), would you switch? Is the goal of port blocking to limit people to "web browsing" (which is not the same as "web browsing" from just 5 years ago; people can live in a browser, Chromebooks come to mind) and deny "bad" applications, like...? Or to prevent certain outbound attacks? Or...?

Thanks,
-robert

On Sep 11, 2011, at 10:11, Dave Koontz wrote:

> As you've discovered, port based firewalls are no longer adequate in today's world. Any application can disguise itself as web traffic (http or https), and many "bad" things do. You need a firewall that can understand applications regardless of ports used. Take a look at Palo Alto Networks solutions or any other next generation firewalls. I really believe Palo Alto has a huge lead currently in this market. I am sure that Cisco, Foundry, Juniper and others will catch up in a couple of years, but for now Palo Alto has a clear lead. Take a look at the last Gartner Firewall report to see what I mean.
>
> --
> Dave Koontz
> Mary Baldwin College
> Staunton, Virginia
>
> On 9/11/2011 10:39 AM, Robert Lau wrote:
>
>> Is anybody doing protocol/application inspection? Once ports 80/443/22/etc are allowed, an app can pump any data through; it does not have to be http/https/ssh/etc. In olden days, this would probably only be done by a clueful user, but many applications do this automatically now specifically to handle port restrictions.
>>
>> -robert
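The thread's point is that a port-based rule ("allow 80/443/22") says nothing about what actually flows over those ports. The following is an added illustration, not code from the list or from any vendor mentioned above, of the kind of first-bytes check an application-aware device performs: it looks at the opening bytes a client sends and asks whether they match the protocol the destination port implies. The protocol fingerprints (HTTP request line, TLS handshake record header, SSH version banner) are real, but the `EXPECTED` port table, the function names and the sample flows are constructed for this example.

```python
"""Application identification versus port-based allow rules.

Added example (not part of the Educause thread). A port-based firewall only
sees the destination port; this check looks at the first client bytes of a
flow and reports whether they match the protocol that port is "supposed" to
carry. Sample payloads below are constructed for illustration.
"""
import re

# Assumed mapping: what a guest-network allow rule for these ports intends.
EXPECTED = {80: "http", 443: "tls", 22: "ssh"}

# HTTP/1.x request line: METHOD SP target SP HTTP/1.[01] CRLF
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


def identify(payload: bytes) -> str:
    """Guess the application protocol from the first bytes a client sends."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # then at offset 5 the handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    # SSH version exchange banner (RFC 4253 section 4.2).
    if payload.startswith(b"SSH-2.0-") or payload.startswith(b"SSH-1.99-"):
        return "ssh"
    return "unknown"


def check_flow(dst_port: int, payload: bytes) -> dict:
    """Compare the port's expected protocol with what the payload looks like."""
    expected = EXPECTED.get(dst_port)
    observed = identify(payload)
    verdict = "match" if expected == observed else "mismatch"
    return {"port": dst_port, "expected": expected, "observed": observed, "verdict": verdict}


# Constructed sample flows: (destination port, first bytes sent by the client).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (443, bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03])),
    (22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    (80, b"\x00\x11\x22\x33custom-binary-protocol\x00"),   # arbitrary data pumped over 80
    (443, b"GET / HTTP/1.1\r\nHost: internal\r\n\r\n"),    # plaintext HTTP where TLS was expected
]


def audit(flows=SAMPLE_FLOWS) -> list:
    """Run the check over every flow and return one verdict per flow."""
    return [check_flow(port, payload) for port, payload in flows]


if __name__ == "__main__":
    for result in audit():
        print(result)
```

The last two sample flows are exactly the case Robert describes: the port is "allowed", yet the bytes are not the protocol the rule assumed, and only a payload-aware check notices. The caveat a practitioner should keep in mind is that this check stops at the first bytes; once a flow is genuine TLS, telling one application from another needs SNI, certificate or behavioural analysis, which is the part the next-generation products in the thread are actually selling.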