Re: Firewall Upgrade

[Mike Osterman <ostermmg () WHITMAN EDU>]

Thanks, Ben. This is perfect. It runs counter to what we were told, but it makes good sense and is obviously a 
configuration that is effective in some configurations as evidenced by its existence in the tech note.

Cheers,
Mike

P.S. Apologies for the thread tangent.

On Feb 14, 2014, at 2:06 PM, Ben Parker <BParker () CHICORPORATION COM> wrote:

> Mike,
> First to clear up what I had meant, I was referring to inbound smtp. I have seen it done in 2 different ways 
> depending on what was being asked for and what licensing was purchased. With the free version, you just turn it on to 
> forward appropriate file types, and it basically gives you insight to see what is making its way through the mail 
> SPAM/AV gateway that is not being recognized by signatures. You then get the rollup’s from wildfire in the daily AV 
> update. With this in place you need to react to remediate users who open everything they get no matter how much you 
> say please don’t.
>  
> For people who pay for wildfire you in the AV profile you can set separate actions for the AV updates and the 
> Wildfire updates. This is where we have seen the value of wildfire shine through because you can set it to block the 
> SMTP transaction here. Per the documentation IMAP and POP3 are what you shouldn’t set to BLOCK. Setting SMTP to BLOCK 
> generates a 5.4.1. to the connecting server. Here is the tech note and relevant sections.
>  
> https://live.paloaltonetworks.com/servlet/JiveServlet/downloadBody/3094-102-5-15962/Threat%20Prevention%20Deployment%20Tech%20Note%20-%20Version%201.2%20RevA.pdf
>  
> Recommendations
> The default Antivirus profile can be used in most situations where dedicated SMTP, POP3 and/or IMAP-scanning
> solutions are also present.
>  
> If no dedicated Antivirus gateway solution is present for SMTP, it is possible to define a custom Antivirus profile
> and apply the BLOCK action to infected attachments. In such case, a 541 response will be sent back to the sending
> SMTP server to prevent it from resending the blocked message.
>  
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike 
> Osterman
> Sent: Friday, February 14, 2014 2:42 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Firewall Upgrade
>  
> Touché, Ian. :) I should have been more explicit.
>  
> We were advised by a PA trainer to not block SMTP inbound for threats as it would cause problematic behavior in the 
> MTA trying to relay the message in question. Ben implied that he's done this with a PA, and I wanted to hear a 
> differing opinion on the recommendation we got.
>  
> -Mike
>  
> On Feb 14, 2014, at 11:20 AM, Ian McDonald <iam () ST-ANDREWS AC UK> wrote:
>
>
> access-list OUTBOUND extended deny ip any any eq 25 log :)
>
> Well, you did ask :)
>
> Thanks 
>
> --
> ian 
>
> Sent from my phone, please excuse brevity and misspelling.
> From: Mike Osterman
> Sent: ‎14/‎02/‎2014 19:18
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Firewall Upgrade
>
> Ben,
>  
> How exactly are you blocking SMTP effectively? We were advised that setting SMTP to "block" would be a bad idea as it 
> would keep retrying.
>  
> -Mike
>  
> On Feb 14, 2014, at 10:19 AM, Ben Parker <BParker () CHICORPORATION COM> wrote:
>
>
> Disclaimer: reseller
> Where I have seen the largest impact from places we have put wildfire is blocking zero day viruses coming in via 
> smtp. An amazing amount of those things are now seen as new threats by a lot of antivirus vendors. Basically all the 
> fax or shipping report type of stuff.
>  
>  
> Sent from my Verizon Wireless 4G LTE Smartphone
>
>
> -------- Original message --------
> From: Mark Rogowski 
> Date:02/14/2014 11:55 AM (GMT-05:00) 
> To: SECURITY () LISTSERV EDUCAUSE EDU 
> Subject: Re: [SECURITY] Firewall Upgrade 
>
> Interesting conversation and good feedback for sure.  And yes, CST, although it is daylight right now…  ;-)
>  
> The reason I bring this up is we are just beginning to deploy a PA and only have the AV/AM service running right now. 
>  Initial observations is that it is picking up Conficker just fine but nothing else.  Obviously things need to be 
> tweaked, but I honestly was expecting to see more action out of it from the get-go.  Looking at the Spyware 
> signatures they don’t seem to get updated very often.
>  
> Our ISP deployed a FireEye appliance on a 30 day trial last year.  For that month we observed a significant drop in 
> malware infections.  So I was hoping the PA with the Wildfire service could be as effective.  We didn’t subscribe to 
> the Wildfire service yet, and may request a trial before committing to said service.
>  
>  
> Mark Rogowski  CISSP, CISM
> IT Security / Information Security Office
> University of Winnipeg
> Ph: 204-786-9034
>  
>  
>  
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf OfRoger A 
> Safian
> Sent: Friday, February 14, 2014 10:19 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Firewall Upgrade
>  
> I agree on wildfire, and URL filtering.  In fact, the URL filtering, which we primarily wanted as another layer to 
> prevent phishing, was terrible.  My guess is it works great, in say a bank, but, in a university, the categories 
> aren’t that useful.
>  
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf OfHall, 
> Rand
> Sent: Friday, February 14, 2014 10:04 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Firewall Upgrade
>  
> Like Roger said, YMMV. Most people have many layers of defense. No layer is magic. OpenDNS blocks some stuff for us. 
> PA DNS anti-hijacking firewall rules block stuff. Threat Protection on PA blocks some stuff. Basic Wildfire alerts on 
> some stuff. Desktop AV still blocks some stuff. PA Threat Protection blocks/alerts on post-infection C&C traffic.
>  
> The basic Wildfire service that comes with Threat Protection is pretty good for what it is. The premium service is 
> overpriced, IMHO (as is URL filtering).
>
>            
> Rand
>  
> Rand P. Hall
> Director, Network Services                 askIT!
> Merrimack College
> 978-837-3532
> rand.hall () merrimack edu
>  
> If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. – 
> Einstein
>  
> On Fri, Feb 14, 2014 at 10:25 AM, Mark Rogowski <m.rogowski () uwinnipeg ca> wrote:
> Forgive the derailing of this thread, but given all the chatter regarding Palo Alto, I am very curious to know how 
> effective the product is at stopping malware.  PA touts they have strong anti malware protection - is this in fact 
> true?  Have any of you noticed a drop in your end point infections?
>
> Mark Rogowski  CISSP, CISM
> IT Security / Information Security Office
> University of Winnipeg
> Ph: 204-786-9034
>
>
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
> Michael Horne
> Sent: Friday, February 14, 2014 8:48 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Firewall Upgrade
>
> I will also give a +1 to Palo Alto, We replaced a pair of aging Nortel branded check points with a pair of PA 5020's. 
> We are very pleased with them and I personally would recommend them as well. A lot deeper view into what's happening 
> on the network as well. Rule creation is not bad either once yopu get the mind shift changed to zone / application 
> based vrs just a port based FW.
>
>
> Michael Horne
> Network Engineer
> Olin College of Engineering
> 1000 Olin Way, Milas Hall, Suite LL18
> Needham, MA 02492
> 1-781-292-2438
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russo, 
> Dan
> Sent: Thursday, February 13, 2014 2:19 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Firewall Upgrade
>
> We are looking into upgrading our Firewall. I was wondering if anyone had anything to offer in regards to what you 
> are using and the pros/cons associated to it.
>
> Thanks,
>
> Dan