Educause Security Discussion mailing list archives

Re: NGFW Usage Information


From: "Curtis, Bruce" <bruce.curtis () NDSU EDU>
Date: Thu, 20 Apr 2017 20:05:21 +0000



One way to save even more money is to adopt something like Google’s BeyondCorp philosophy.

At the end of this presentation at the RSA conference in the Q&A Google mentions at the 39 minute mark “that network 
based network intrusion detection wasn’t working anyway because we were moving everything to encrypted sessions, so it 
was inevitable."

https://www.youtube.com/watch?v=d90Ov6QM1jE


One thing to keep in mind is that deep packet inspection is the secret sauce for IPS and NGFW and about 50% of web 
traffic is encrypted so no deep packet inspection on that 50% of traffic.  And the trend will be towards 100% 
encryption.

10 years ago NGFW and IPS could inspect the content in most web traffic and email.  Today on our campus a device at the 
network border of our campus would see 100% of email traffic is encrypted and 50% of web traffic is encrypted (our 
email system is hosted in the cloud).




On Apr 19, 2017, at 10:22 AM, Pardonek, Jim <jpardonek () LUC EDU> wrote:

Much of it is money driven.  We currently have a deployment of TippingPoint IPS boxes fronted by ASA’s.  Our 
networking folks want to upgrade our I2 connection to 10Gb which would force us to replace our TP box on that 
connection at a cost of over 100k with almost 40k increase in maintenance.  The ASA at that location cannot handle 
10Gb either so there would be cash outlay there as well.  Since we have separate egress points at each of our 3 
campuses in Chicago, it’s working out $$ wise to forklift it all.  We are looking to do at least as much or more than 
the TP boxes and the ASA’s with a NGFW and keep our maintenance costs level.

 

Thanks,

 

Jim

 

James Pardonek, MS, CISSP, CEH

Information Security Officer
Loyola University Chicago 
1032 W. Sheridan Road | Chicago, IL  60660

(773) 508-6086
 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Adam 
Maynard
Sent: Wednesday, April 19, 2017 8:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NGFW Usage Information

 

We’re a Palo Alto shop, so I could dive in there.

 

I guess the question is: What are you looking to get out of a NGFW? or what is your business case for replacing your 
IPS and ASA’s?

 

 

-Adam

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Pardonek, Jim
Sent: Wednesday, April 19, 2017 9:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] NGFW Usage Information

 

I’ve finally been able to convince our leadership to pursue swapping out our IPS and ASA’s for a set of next gen 
firewalls.  We are still in the evaluation phase and as a part of our evaluations we are asked by senior leadership 
to query other universities to get a barometer of what is being used.  If you would (and you can PM me) let me know 
if you have a NGFW and what it is (not needing specifics).  It will help us with our decision.  The 3 we looked at 
were Palo Alto, Check Point, and Cisco Firepower.

 

Appreciate any responses in advance!

 

Best,

 

Jim

 

James Pardonek, MS, CISSP, CEH

Information Security Officer
Loyola University Chicago 
1032 W. Sheridan Road | Chicago, IL  60660

(773) 508-6086
 


---
Bruce Curtis                         bruce.curtis () ndsu edu
Certified NetAnalyst II                701-231-8527
North Dakota State University        

