Educause Security Discussion mailing list archives
Re: ROI on stateful and deep-packet-inspection firewalls
From: Brian Helman <bhelman () SALEMSTATE EDU>
Date: Fri, 3 Feb 2012 21:32:15 +0000
We've been using Palo Alto firewalls for ~5 years now. They are comprehensive application-layer (ie deep-packet inspection) firewalls with IDS/IPS. These are the units that Gartner rated highest in their Magic Quadrant ratings a couple months ago. They are less complicated than the Checkpoint FW's we stopped using at that time, once you get out of the port-specific mindset for controlling traffic. I have no experience with the Juniper FW, but the PA's are far easier to work with than Cisco. They have higher-end models, that we may consider in a couple years, but the 4020's have carried our traffic well.

As far as ROI, I'm not usually a fan of lumping functions into single boxes, creating single points of failure. But we run a pair of PA-4020's in High Availability. I'm not sure I want to buy "2 of everything" to engineer redundancy, so in this case, I think it is worth some convergence.

-Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Green
Sent: Friday, February 03, 2012 3:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ROI on stateful and deep-packet-inspection firewalls

The ROI is hard to capture but I generally am in favor of it AND hardening end-points. There are several factors involved in the space.

Complexity often does go up. When going inline with Firewalls & IPS activities, we've generally had an A and a B path with L2 redundancy between them.

Some scenarios worth considering both policy and technically:

- If you are experiencing a mass-virus infection targeting end-point software through drive-by downloads, how do you respond and prevent?
- How do you identify traffic abuse causing network issues?
- Who do you rely on for finding out new attacks and mitigating issues? Most IPS/DPI/IDS/etc. all have some sort of rules base involved. At some level, the "inspection" part is a commodity (snort v. bro v. TippingPoint v. Juniper v. ....) but the results of the specific team you are paying for monitoring varies.
- Do the vendors capture full packet data or just an event report? Can you get to the packets in a reasonable amount of time and meet your performance characteristics?
- Can you realistically put in your own situational rules?
- Do you have a policy governing your DPI efforts?

Full packet is MUCH more useful in figuring out "hey, this drive by worked because it was JRE 1.3.1"; even better is a packet/url proxy history you can go recall if you need to.

I've never heard a very good opinion of the tools that lump it all into the FW but someone will get it right one day (and may already have).

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Seth Hall
Sent: Friday, February 03, 2012 8:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ROI on stateful and deep-packet-inspection firewalls

On Jan 31, 2012, at 4:16 PM, Andrew Daviel wrote:

> Do you see a big dropoff in downtime and trouble tickets, or extra work creating and tuning rules?

I would love to see the answers to this question in particular. My expectation is that downtime increases (solely due to increased inline complexity), trouble tickets remain fairly stable, and there is almost certainly going to be considerable time spent tuning rules, but that's completely unavoidable.

For anyone that knows me, I certainly can't pretend to not be biased, but a suggestion that I tend to give people with these questions is to pay attention to the benefits that the money you spend would provide you. Would your security analysts (incident hunters!) be able to understand the network better? Would they be able to respond to problems more quickly? Would it become a tool in their toolbox or would it become a box of magic?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
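Chris Green's point in this thread, that a URL/proxy history with User-Agent strings lets you attribute a drive-by to an outdated JRE rather than just receiving an "event" from the box, can be shown with a small triage script over proxy logs. This is an added example, not code from the thread or from any product named in it; the log line format, hostnames, client addresses and User-Agent strings are constructed, and the 30-second correlation window and the "Java 1.7 or newer is acceptable" threshold are assumed tuning values, not anything the thread states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy history (hypothetical format):
#   <ISO time> <client IP> <method> <URL> <status> "<User-Agent>"
SAMPLE_LOG = """\
2012-02-03T14:01:02 10.1.2.3 GET http://news.example/index.html 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/9.0"
2012-02-03T14:01:03 10.1.2.3 GET http://ads.example/serve.php?id=77 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/9.0"
2012-02-03T14:01:05 10.1.2.3 GET http://ads.example/applet/loader.jar 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.3.1_20"
2012-02-03T14:01:09 10.1.2.3 GET http://ads.example/dl/update.exe 200 "Java/1.3.1_20"
2012-02-03T14:05:00 10.1.2.9 GET http://intranet.example/ 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/9.0"
2012-02-03T14:05:04 10.1.2.9 GET http://cdn.example/app.jar 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_02"
2012-02-03T14:30:00 10.1.2.20 GET http://ads.example/applet/loader.jar 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_20"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
JAVA_UA_RE = re.compile(r'Java/(\d+\.\d+(?:\.\d+)?(?:_\d+)?)')
PAYLOAD_RE = re.compile(r'\.(exe|dll|scr)(\?|$)', re.IGNORECASE)
WINDOW = timedelta(seconds=30)  # assumed: applet fetch -> payload download gap


def parse_log(text):
    """Parse the constructed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status, ua = m.groups()
        events.append({'ts': datetime.fromisoformat(ts), 'client': client,
                       'method': method, 'url': url, 'status': int(status), 'ua': ua})
    return events


def java_versions_seen(events):
    """Inventory: which JRE versions each client has exposed to the web (the 'how do you respond' question)."""
    seen = defaultdict(set)
    for ev in events:
        m = JAVA_UA_RE.search(ev['ua'])
        if m:
            seen[ev['client']].add(m.group(1))
    return dict(seen)


def outdated_java(version, minimum=(1, 7)):
    """True if the major.minor of a Java/x.y.z_nn UA version is below the assumed acceptable minimum."""
    major, minor = version.split('.')[:2]
    return (int(major), int(minor)) < minimum


def find_java_driveby(events, window=WINDOW):
    """Correlate per client: a request with a Java User-Agent followed within `window`
    by a successful executable download. Also recover the last browser-UA page the
    client was on, which is the likely landing page of the drive-by."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev['client']].append(ev)
    findings = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e['ts'])
        for i, ev in enumerate(evs):
            jm = JAVA_UA_RE.search(ev['ua'])
            if not jm:
                continue
            landing = next((p['url'] for p in reversed(evs[:i])
                            if not JAVA_UA_RE.search(p['ua'])), None)
            for later in evs[i + 1:]:
                if later['ts'] - ev['ts'] > window:
                    break
                if later['status'] == 200 and PAYLOAD_RE.search(later['url']):
                    findings.append({'client': client, 'java_version': jm.group(1),
                                     'outdated': outdated_java(jm.group(1)),
                                     'applet_url': ev['url'], 'payload_url': later['url'],
                                     'landing_page': landing})
                    break
    return findings


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    for f in find_java_driveby(evs):
        print(f)
    print(java_versions_seen(evs))
```

The same event from an IPS would typically arrive as "Java exploit signature hit, client 10.1.2.3"; with the proxy history you can instead answer which page the user was on, which JRE build made the applet request, whether a payload actually came down, and which other clients run the same outdated build and need patching before they visit the same ad network.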
Current thread:
- ROI on stateful and deep-packet-inspection firewalls Andrew Daviel (Jan 31)
- Re: ROI on stateful and deep-packet-inspection firewalls Seth Hall (Feb 03)
- Re: ROI on stateful and deep-packet-inspection firewalls Chris Green (Feb 03)
- Re: ROI on stateful and deep-packet-inspection firewalls Brian Helman (Feb 03)
- Re: ROI on stateful and deep-packet-inspection firewalls Chris Green (Feb 03)
- Re: ROI on stateful and deep-packet-inspection firewalls Seth Hall (Feb 03)