Educause Security Discussion mailing list archives
Re: Firewall Upgrade
From: Nathaniel Hall <educause-lists () NATHANIELHALL COM>
Date: Thu, 13 Feb 2014 14:41:37 -0600
DISCLAIMER: I *used* to work for a Check Point/Palo Alto/Fortinet/Juniper vendor. My personal preference is Palo Alto.

I believe that in most cases they are easier to use, but they also require a slightly different way of thinking. Troubleshooting can become much more difficult if you don't take their differences into account. Packet flow is not always as you would expect. Packets you expect to be blocked may not be if you don't have your rules configured as recommended or if you don't consider application dependencies.

I run a PA-200 at home with nearly every feature enabled and in use. I haven't had any issues. The interface is pretty easy to understand and they are very flexible in being able to come up with non-standard solutions.

App-ID, Vulnerability Protection, and IPSEC can slow the device down quite a bit. Proper tuning of rules can reduce the impact. Policy Based Forwarding can cause some major headaches if you don't understand how it works.

It also gets a semi-pass grade when it comes to ISP redundancy. It's not supported in the same way that Check Point and others do it. In PAN it is just another connection and you use Policy Based Forwarding to create the redundancy. It's more of a workaround.

--
Nathaniel Hall, GSEC GPPA GCIA GCIH GCFA CNSE

On 2/13/2014 2:09 PM, King, Ronald A. wrote:
We upgraded our Cisco ASAs to Palo Alto Networks' next-gen firewalls about a year ago. We are very happy with it. I guess the pros and cons will vary based on what you're moving from. For us, we have greater granularity, application (beyond layer 4) detection and filtering, and more features including IPS, URL filtering and anti-malware.

The biggest con is having to convert standard layer 3 and 4 firewall rules. As an example, we allowed ports 80 and 443 through to our web server. Now, we allow "web-browsing," "ssl," and "flash" as well as ports 80 and 443. In some cases, we create a policy allowing the ports and logging connections. We will review the rules after some time and add the applications to permit or deny.

Ronald King

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russo, Dan
Sent: Thursday, February 13, 2014 2:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Firewall Upgrade

We are looking into upgrading our Firewall. I was wondering if anyone had anything to offer in regards to what you are using and the pros/cons associated to it.

Thanks,
Dan
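The "allow the ports, log the connections, then add the observed applications" rule-review step described above, as an added example that is not part of the thread or of any vendor tool. The log lines are constructed, and the column layout (rule, destination port, App-ID, action) is a simplified assumption rather than the real PAN-OS traffic-log export format; the session threshold is likewise a hypothetical choice.

```python
"""Summarise which App-IDs were seen under a port-based allow-and-log rule,
so the rule can be converted to an application-based one.

Added example, not from the thread. The log sample is constructed and uses a
simplified, comma-separated subset of traffic-log fields (rule name,
destination port, application, action); a real export has many more columns.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample traffic log: rule,dport,app,action
SAMPLE_LOG = """\
rule,dport,app,action
allow-web-ports,80,web-browsing,allow
allow-web-ports,443,ssl,allow
allow-web-ports,80,flash,allow
allow-web-ports,443,ssl,allow
allow-web-ports,80,web-browsing,allow
allow-web-ports,443,bittorrent,allow
allow-web-ports,80,web-browsing,allow
allow-dns,53,dns,allow
allow-dns,53,dns,allow
"""


def apps_per_rule(log_text):
    """Return {rule: Counter({app: session_count})} for allowed sessions only."""
    seen = defaultdict(Counter)
    for row in csv.DictReader(StringIO(log_text)):
        if row["action"] == "allow":
            seen[row["rule"]][row["app"]] += 1
    return seen


def propose_app_rule(counts, min_sessions=2):
    """Split observed apps into those seen often enough to permit explicitly
    and rare ones (e.g. bittorrent on 443) to review before adding them.
    The threshold is a hypothetical tuning knob, not a vendor setting."""
    permit = sorted(app for app, n in counts.items() if n >= min_sessions)
    review = sorted(app for app, n in counts.items() if n < min_sessions)
    return permit, review


if __name__ == "__main__":
    for rule, counts in apps_per_rule(SAMPLE_LOG).items():
        permit, review = propose_app_rule(counts)
        print(f"{rule}: permit {permit}; review before adding {review}")
```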