Re: IPS Solution

[Benjamin Parker <parkerbc () MOUNTUNION EDU>]

For those who have Palo Alto's what additional features are you using and
do you think it is worth the added cost.

For example, we have been seeing some more encrypted botnet traffic here
that I can't detect because I have not wanted to use the SSL decryption
aspects because we don't have URL filtering so I have no way not to break
the chain on things like legitimate banking or shopping. Are you doing
things like this?  Also are you using the wildfire subscriptions, and are
there any metrics of how cost effective it has been in blocking malware? I
know their sales pitches are pretty spectacular regarding wildfire but is
that what real world edu's are seeing?


On Tue, Feb 5, 2013 at 10:58 AM, O'Callaghan, Daniel <
Daniel.OCallaghan () sinclair edu> wrote:

> We've been using PaloAlto since 2008.  We initially piloted in 'tap only'
> mode in conjunction with our primary CheckPoint FWs, and gradually turned
> on blocking rules and controls of the PA as threats were identified.  In
> 2010, we completely migrated to using the PA. They provide excellent
> visibility and control into Internet/network traffic and permit really
> granular control over applications and protocols, and they still support
> 'traditional' FW rules.
> The IPS features have significantly helped to reduce compromised machines,
> and the logging/reporting features are really useful to identify the few
> that do get compromised. We have had a couple of false positive threats
> detected over the years, but PA support has been easy to work with and very
> responsive.
> We have SIEM, NAC, Mail filtering, etc., but the PA visibility is such
> that it is where I start most days...power-up the PC, start the coffee,
> check the PA traffic and threat monitor.
>
> _________________________
> Dan O'Callaghan
> CISO, Sinclair Community College
> 937.512.2452
>
>
>
>
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
> > Sent: Monday, February 04, 2013 11:46 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] IPS Solution
> >
> >
> >
> > We are about to begin investigating IPS solutions for our environment.
> > So far, we are considering Sourcefire and HP/TippingPoint (yes, we are
> > aware of the problems since the acquisition).  I would like to ask the
> > group for their suggestions for a solution that could be used for a
> > small to medium sized EDU with 10 gig backbone and 1 gig to the
> > internet.  If anyone would like to include their reasoning for their
> > choice, that would be helpful to us.
> >
> >
> >
> > I would also like to state that any responses from corporate or
> > reseller companies will automatically eliminate them from consideration.
> >
> >
> >
> > Thank you in advance.
> >
> >
> >
> >
> >
> > Ronald King
> >
> > Security Engineer
> >
> > Norfolk State University
> >
> > Marie V. McDemmond Center for Applied Research
> >
> > Suite 401
> >
> > 555 Park Ave.
> >
> > Norfolk, Virginia  23504
> >
> > Phone:  757-823-3918
> >
> > Fax: 757-823-2128
> >
> > Email: raking () nsu edu
> >
> > http://security.nsu.edu


-- 
Ben Parker
Senior Network Engineer
University of Mount Union
Phone: 330-829-2866
Twitter: @BenParker82