Educause Security Discussion mailing list archives

Re: Secure Web Gateway


From: Ben Parker <BParker () CHICORPORATION COM>
Date: Mon, 30 Sep 2013 11:51:27 -0400

As an addendum to Ron's analysis.

It can do SSL or SSH decryption; they are not additional expenses themselves, but you basically have to buy URL 
filtering to take full advantage of them, so that you can choose not to decrypt MS updates, shopping and bank sites.

WildFire is starting to be their go-to enhancement for IPS/IDS. The way it works is by sending a hash of any Portable 
Executable (PE) file to the cloud and checking it against VirusTotal to see if it has been identified. If so, it returns 
that value; if not, it uploads the file and executes it in an XP sandbox looking for malware characteristics. If it sees them, it submits 
the new file to VirusTotal and adds the changes to the WildFire signature feed, and to any PAN-DB URL filtering malware 
categories as needed.

The basic form of WildFire is free. It gives you 24-hour signatures and automatic file uploads to the sandbox, as well 
as access to the wildfire.paloaltonetworks.com URL to look at your submissions for viruses/malware.

The paid version gives 15-30 minute WildFire signature updates and feeds the results back into a log file in the PA, so 
you can create automated reports and notifications if malware is seen as soon as a user downloads it.


I believe Check Point now also has a feature similar to WildFire for their UTM device.


The other solution that I had heard many schools were using last year, at the EDUCAUSE security conference, was DNS 
blackhole sites like OpenDNS.

Thanks,
Ben Parker
System Engineer - Palo Alto Networks CNSE
Chi Corporation
(former Network Engineer - Mount Union)
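The hash-first, sandbox-second flow Ben describes, modelled as an added example (this is not Palo Alto Networks' code and not part of the thread); the PE header check, the `HashFirstSandbox` class, the `toy_sandbox` stand-in for detonation and the sample byte strings are all constructed here:

```python
import hashlib
from typing import Callable, Dict

# Constructed sample inputs: a minimal PE-like byte string and a plain text file.
# The PE stub only carries the header fields the check below reads; it is not a real program.
SAMPLE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16
SAMPLE_TXT = b"just a text document, not an executable\n"


def is_pe(data: bytes) -> bool:
    """True if data has the PE layout: 'MZ' magic, e_lfanew at offset 0x3C
    pointing at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


class HashFirstSandbox:
    """Look the hash up first; detonate only unseen files; cache the verdict as a 'signature'."""

    def __init__(self, sandbox: Callable[[bytes], str]) -> None:
        self.sandbox = sandbox                # hypothetical detonation back end
        self.signatures: Dict[str, str] = {}  # sha256 -> verdict, the local signature feed
        self.uploads = 0                      # how many files were actually sent to the sandbox

    def inspect(self, data: bytes) -> str:
        if not is_pe(data):
            return "not-pe"                   # only PE files enter the pipeline
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.signatures:
            return self.signatures[digest]    # known file: answer from the feed, no upload
        verdict = self.sandbox(data)          # unknown file: upload and detonate
        self.uploads += 1
        self.signatures[digest] = verdict     # new signature; the next copy is caught locally
        return verdict


def toy_sandbox(data: bytes) -> str:
    # Stand-in for detonation: flags a constructed marker string instead of observing behaviour.
    return "malicious" if b"EVIL" in data else "benign"
```

Note that the cache only helps for byte-identical files; a repacked sample has a new hash and goes back through the sandbox, which is why the signature feed update interval matters.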

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, 
Ronald A.
Sent: Monday, September 30, 2013 11:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Secure Web Gateway

Palo Alto Networks' firewalls have three layers that can be used for HTTP.  SSL decryption capabilities can be added.  
I believe all are at an additional cost:


* Threat protection: antivirus, anti-spyware and vulnerability protection

* URL filtering to include malware and phishing categories.

* Wildfire: similar to FireEye, used for uploading exe files into a virtual environment to evaluate for 
malicious activity.  PDFs are coming soon.

If the firewall permits it, then the IPS usually takes action.

While we do not have specific statistics, we see that we have better visibility and thus, better responses to threats.

Now if we can get users to stop using Dropbox to share their malware, we would be in good shape.

Got a Phish (email)? Forward it to abuse () nsu edu!

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research
Suite 401
555 Park Ave.
Norfolk, Virginia  23504
Phone:  757-823-3918
Fax: 757-823-2128
Email: raking () nsu edu
http://security.nsu.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bohlk, 
Christopher J.
Sent: Monday, September 30, 2013 10:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Secure Web Gateway

Hi All,

I was wondering what secure web gateway solutions universities are using to help mitigate/block web sites that contain 
malware?

What solution do you use and what has been your experience?  Has this substantially reduced the amount of computers 
infected with malware associated with web browsing?

Thanks,
Chris

Chris Bohlk, CISSP, C|EH
Pace University
Information Security Officer
Information Technology Services (ITS)
235 Elm Road, West Hall 212A
Briarcliff Manor, NY 10510
(914)923-2649  Office
