Educause Security Discussion mailing list archives

Re: [External] [SECURITY] Border IPS replacement--feedback needed


From: "Adam T. Ferrero" <adam () TEMPLE EDU>
Date: Wed, 29 Apr 2020 04:49:07 +0000


  I'll share.


  *   What border firewall/IPS are you using?
  Palo Alto


  *   What made you decide on that solution?
  4 or 5 years ago we had Check Point.  We purposefully wanted something more hardware assisted than pure software.


  *   Where does it fit with your overall security architecture?
  Every server subnet is routed directly on the firewall, as are the interfaces towards each VRF (student, staff, pci, 
hipaa, etc.).  It controls and inspects all the meaningful traffic for us.  Plus our default inbound policy is deny.  
We explicitly allow the necessary applications and block everything else.


  *   Does your solution integrate with endpoint protection? If so, how?
  No


  *   Did you integrate your solution with other technologies or vendor solutions (ex. Load Balancer, VMWare NSX, etc.)?
  No


  *   Do you have an Aruba Wireless Network? If so, how well does your solution integrate with Aruba Wireless?
  Yes.  Not integrated really.


  *   Do you have Aruba ClearPass? If so, did you integrate ClearPass with your solution? How well did it integrate?
  Yes.  We didn't integrate user-id type stuff.  We use ClearPass for RADIUS authentication for the admins only.


  *   How does it integrate with systems or services your institution has in the cloud?
  Smoothly.  We have a single management appliance that manages on prem hardware firewalls as well as cloud based 
software ones.


  *   Are you using it for multiple purposes (ex. WAF, VPN, etc.)?
  Threat/IPS, URL filtering, DNS sinkhole, and we are adding VPN site to site tunneling.


  *   Are you performing SSL inspection?
  No


  *   What would you do differently? Any gotchas or lessons learned that you can share?
  We started with a pair of firewalls specifically for student and then bought another pair for everything else.  Had 
we realized all the power was in the line cards and all the licensing expense is in the chassis count, we'd have only 
bought two instead of four.  We've since eliminated two chassis.  Otherwise, I've been thrilled with Palo.

  Happy to comment further if you reach out off list.  Good luck.

  Adam



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Fugett, Julie C
Sent: Tuesday, April 28, 2020 5:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] [SECURITY] Border IPS replacement--feedback needed

Colleagues-

We are replacing our current IPS solution and would like feedback on what other universities are using as their border 
firewall/IPS and how you arrived at the decision(s) you did. I would love to chat off list and/or via phone if you 
would prefer not to reply publicly.


  *   What border firewall/IPS are you using?


  *   What made you decide on that solution?


  *   Where does it fit with your overall security architecture?


  *   Does your solution integrate with endpoint protection? If so, how?


  *   Did you integrate your solution with other technologies or vendor solutions (ex. Load Balancer, VMWare NSX, etc.)?


  *   Do you have an Aruba Wireless Network? If so, how well does your solution integrate with Aruba Wireless?


  *   Do you have Aruba ClearPass? If so, did you integrate ClearPass with your solution? How well did it integrate?


  *   How does it integrate with systems or services your institution has in the cloud?


  *   Are you using it for multiple purposes (ex. WAF, VPN, etc.)?


  *   Are you performing SSL inspection?


  *   What would you do differently? Any gotchas or lessons learned that you can share?


______________________________________
Julie C. Fugett, CISSP
Chief Information Security Officer
KU Information Technology
The University of Kansas
Email jcf () ku edu
Mobile +1 785 691 9023
Office +1 785 864 0490
She/Her/Hers

Complete your annual security awareness training today! https://go.ku.edu/tyYnU


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
