Educause Security Discussion mailing list archives

Re: Firewall Upgrade


From: Ben Parker <BParker () CHICORPORATION COM>
Date: Thu, 13 Feb 2014 15:31:21 -0500

Before I moved to the dark side of reselling, when I was at the University of Mount Union, we had also gone the Palo
Alto Networks route after doing a bake-off. From my current experience as an SE, of our next-gen/UTM products it is my
preference to sell Palo Alto because it wins the technical product competitions every time.  They also will let you do
a 30-day eval that you can put in place with zero downtime, to see how it works and what you are missing in your current
environment.

To address Ronald's concern, your Palo Alto SE or partner SE has access to tools that can automatically translate L3
and L4 rules to app rules. It isn't perfect but will get you 90% of the way.  Alternatively, you can install it in what
is called vwire mode to start and gradually move the rules over at a slower pace, so you can understand and verify
what is going on.

Since you asked about the pros and cons, the best way I can describe it when comparing Palo Alto to some of the other
less expensive UTMs like SonicWall or Sophos is this:

UTMs are generally harder to manage, with less detail, and perform more poorly when services are enabled, to decrease
the cost of the device. You need to choose whether this lower cost outweighs the functionality, manageability or
performance of a Palo Alto box.

Check Point and Cisco devices should be pretty close to or above Palo Alto price-wise. The exception is if you are
looking at doing a network refresh with Cisco; they may practically give you a new ASA.

That is my 2 cents. If you have any other questions I would be happy to answer them.

Ben Parker
System Engineer
Chi Corporation
440-498-2300

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
Sent: Thursday, February 13, 2014 3:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall Upgrade

We upgraded our Cisco ASAs to Palo Alto Networks' next-gen firewalls about a
year ago.  We are very happy with it.  I guess the pros and cons will vary
based on what you're moving from.  For us, we have greater granularity,
application (beyond layer 4) detection and filtering, and more features
including IPS, URL filtering and anti-malware.  

The biggest con is having to convert standard layer 3 and 4 firewall rules.
As an example, we allowed ports 80 and 443 through to our web server.  Now,
we allow "web-browsing," "ssl," and "flash" as well as ports 80 and 443.  In
some cases, we create a policy allowing the ports and logging connections.
We will review the rules after some time and add the applications to permit
or deny.

 Feel free to contact me directly.

Got a Phish (email)? Forward it to abuse () nsu edu!

Ronald King
Security Engineer
Norfolk State University
http://security.nsu.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russo, Dan
Sent: Thursday, February 13, 2014 2:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Firewall Upgrade

We are looking into upgrading our Firewall. I was wondering if anyone had
anything to offer in regards to what you are using and the pros/cons
associated to it.

Thanks,

Dan

