Educause Security Discussion mailing list archives
Re: Firewall Upgrade
From: Ben Parker <BParker () CHICORPORATION COM>
Date: Thu, 13 Feb 2014 15:31:21 -0500
Before I moved to the dark side of reselling when I was at the University of Mount Union, we had also gone the Palo Alto Networks route after doing a bake-off. From my current experience as an SE, of our Next-Gen/UTM products it is my preference to sell Palo Alto because it wins the technical product competitions every time. They also will let you do a 30-day eval that you can put in place with 0 downtime to see how it works and what you are missing on your current environment.

To address Ronald's concern, your Palo Alto SE or partner SE has access to tools that can automatically translate L3 and L4 rules to app rules. It isn't perfect but will get you 90% of the way. Alternatively you can install it in what is called a vwire mode to start and gradually move the rules over at a slower pace so you can understand and verify what is going on.

Since you asked about the pros and cons, the best way I can describe it when comparing Palo Alto to some of the other less expensive UTMs like SonicWall or Sophos is: UTMs are generally harder to manage, with less detail, and perform more poorly when services are enabled, to decrease the cost of the device. You need to choose whether this lower cost outweighs the functionality, manageability or performance from a Palo Alto box.

Checkpoints and Cisco devices should be pretty close to above the Palo Alto pricewise. The exception is if you are looking at doing a network refresh with Cisco; they may practically give you a new ASA.

That is my 2 cents. If you have any other questions I would be happy to answer them.

Ben Parker
System Engineer
Chi Corporation
440-498-2300

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
Sent: Thursday, February 13, 2014 3:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall Upgrade

We upgraded our Cisco ASAs to Palo Alto Networks' next-gen firewalls about a year ago. We are very happy with it.

I guess the pros and cons will vary based on what you're moving from. For us, we have greater granularity, application (beyond layer 4) detection and filtering, and more features including IPS, URL filtering and anti-malware.

The biggest con is having to convert standard layer 3 and 4 firewall rules. As an example, we allowed ports 80 and 443 through to our web server. Now, we allow "web-browsing," "ssl," and "flash" as well as ports 80 and 443. In some cases, we create a policy allowing the ports and logging connections. We will review the rules after some time and add the applications to permit or deny.

Feel free to contact me directly.

Got a Phish (email)? Forward it to abuse () nsu edu!

Ronald King
Security Engineer
Norfolk State University
http://security.nsu.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russo, Dan
Sent: Thursday, February 13, 2014 2:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Firewall Upgrade

We are looking into upgrading our Firewall. I was wondering if anyone had anything to offer in regards to what you are using and the pros/cons associated to it.

Thanks,
Dan