Educause Security Discussion mailing list archives

Re: Firewall Vendors


From: "Tornoe, Eric J." <EJTORNOE () STTHOMAS EDU>
Date: Fri, 14 Nov 2014 17:12:20 +0000

Thanks, I will keep that in mind as we move forward with the install. We're adding bandwidth as well so I think we will 
be able to evaluate how the Palo performs at rate shaping without it becoming a critical issue immediately.

We were concerned about the DRM implications of the PeerApp. They have a lot of language assuring us it's OK, and the 
way they lay it out makes sense - they check for a valid subscription each time before starting a stream by logging on 
to the service. Netflix actually has a similar device they will give you to improve performance but you need to have at 
least 5Gb of traffic a month to qualify and we don't come close.

Functionally there are no issues. It won't cache Hulu because it is encrypted - they claim this will be supported in a 
future release - but we have no problems with Netflix or Amazon.

Eric

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian 
Helman
Sent: Thursday, November 06, 2014 12:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall Vendors

Eric,

Just be aware that the Palo Alto devices rate-shape on the egress port.  That can be tricky depending on how your 
physical connections are laid out on the PAN device.  We run a pair of 5050's, but still use a NetEqualizer device that 
Dennis mentions.

How does the PeerApp system work?  It was my understanding that Netflix couldn't be cached because the stream included 
DRM encoding which was specific to each player.  If that is not accurate, I'll have to take a closer look at the 
product!

-Brian

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Tornoe, Eric J. 
[EJTORNOE () STTHOMAS EDU]
Sent: Thursday, October 30, 2014 4:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall Vendors

Thanks Dennis, I'll look into that.

Our shaping needs are very minimal, such as swapping admin and dorm bandwidth during peak usage times for each so we 
are fairly confident the Palo will cover our needs. We recently implemented PeerApp, which caches Netflix and Amazon 
Prime Video, Windows and iOS updates, etc. and serves the content from the local network to take the load off the 
Internet pipe. This has effectively returned about 100Mbps of bandwidth. We run an average of 25% served from cache and 
occasionally we are serving more from the PeerApp than we are from the Internet. It nicely evens out the hit from 
things like the recent iOS 8 update because after the first three downloads the rest come from the local cache. You 
could see this in the PeerApp charts for 2-3 days after the release on September 17th with noticeably higher "served 
from cache" numbers.

Eric

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dennis 
Bohn
Sent: Thursday, October 30, 2014 12:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall Vendors

Hi Eric,
Since you again mentioned bandwidth shaping, I wanted to let you know that we are pretty pleased with Net Equalizer.  
Its best feature is that most of the time it does no shaping :-) Until it is approaching a preset bandwidth threshold, 
and then throttles back the users with the highest number of flows/most bandwidth.  A few times a week I get an email 
that it has kicked into shaping, but most of the time it just sits there.  This does not have the precise reports of 
who is using what L7 protocol, but we stopped caring until there is a problem, and other tools work then.

best,
dennis

Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn () adelphi edu
5168773327

On Thu, Oct 30, 2014 at 11:53 AM, Tornoe, Eric J. <EJTORNOE () stthomas edu> wrote:
We are considering a pair of PA 5060's and it is good to hear that everyone who has them has had a positive experience. 
It sounds like the PA would also meet our needs for P2P blocking and minimal bandwidth shaping, allowing us to 
eliminate our PacketShaper. We would plan to roll training into the initial purchase, which would be provided by our 
reseller.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Horne
Sent: Thursday, October 30, 2014 10:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall Vendors

+1 for PaloAlto's
I really love these things compared to the older checkpoints we had running prior.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, 
Ronald A.
Sent: Wednesday, October 29, 2014 5:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall Vendors

Palo Alto Networks.  We have had a pair of their next generation PA 5050s and have been very happy with them.

Got a Phish (email)? Forward it to abuse () nsu edu!

Ronald King, CISSP
Interim CISO & Technical Services Director Norfolk State University http://security.nsu.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kubb, 
Richard
Sent: Wednesday, October 29, 2014 5:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Firewall Vendors

Greetings,

At Maryville we currently use a Sonicwall firewall that is rapidly reaching end of life and are starting to explore 
alternative vendors.  Curious which vendors and models others are using for your firewall solution.  We also use 
Packetshaper as part of our solution and we would consider a single firewall device and eliminate the use of 
Packetshaper if we can find the right solution.

Regards,

Rick.

Rick Kubb
Director of Technology Services
Maryville University
314-529-9606
Gander Hall, Room 215
rkubb () maryville edu

