Re: Firewall Upgrade

[Pete Hickey <pete () SHADOWS UOTTAWA CA>]

Well, if you're blocking based on the contents, the connection was
already created, and the HELO, etc were already done, so you would
be blocking a connection mid-stream, although sending an RST to both
sides should eliminate much of the problem.

On Fri, Feb 14, 2014 at 07:44:07PM +0000, Roger A Safian wrote:
> Just out of curiosity, the problem you could be creating is for the external smtp server, yes?
>
> BTW, don?t most mailers give up after a while?72 hours or so?
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike 
> Osterman
> Sent: Friday, February 14, 2014 1:42 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Firewall Upgrade
>
> Touché, Ian. :) I should have been more explicit.
>
> We were advised by a PA trainer to not block SMTP inbound for threats as it would cause problematic behavior in the 
> MTA trying to relay the message in question. Ben implied that he's done this with a PA, and I wanted to hear a 
> differing opinion on the recommendation we got.
>
> -Mike
>
> On Feb 14, 2014, at 11:20 AM, Ian McDonald <iam () ST-ANDREWS AC UK<mailto:iam () ST-ANDREWS AC UK>> wrote:
>
>
> access-list OUTBOUND extended deny ip any any eq 25 log :)
>
> Well, you did ask :)
>
> Thanks
>
> --
> ian
>
> Sent from my phone, please excuse brevity and misspelling.
> ________________________________
> From: Mike Osterman<mailto:ostermmg () WHITMAN EDU>
> Sent: ?14/?02/?2014 19:18
> To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] Firewall Upgrade
> Ben,
>
> How exactly are you blocking SMTP effectively? We were advised that setting SMTP to "block" would be a bad idea as it 
> would keep retrying.
>
> -Mike
>
> On Feb 14, 2014, at 10:19 AM, Ben Parker <BParker () CHICORPORATION COM<mailto:BParker () CHICORPORATION COM>> wrote:
>
>
> Disclaimer: reseller
> Where I have seen the largest impact from places we have put wildfire is blocking zero day viruses coming in via 
> smtp. An amazing amount of those things are now seen as new threats by a lot of antivirus vendors. Basically all the 
> fax or shipping report type of stuff.
>
>
> Sent from my Verizon Wireless 4G LTE Smartphone
>
>
> -------- Original message --------
> From: Mark Rogowski
> Date:02/14/2014 11:55 AM (GMT-05:00)
> To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] Firewall Upgrade
> Interesting conversation and good feedback for sure.  And yes, CST, although it is daylight right now?  ;-)
>
> The reason I bring this up is we are just beginning to deploy a PA and only have the AV/AM service running right now. 
>  Initial observations is that it is picking up Conficker just fine but nothing else.  Obviously things need to be 
> tweaked, but I honestly was expecting to see more action out of it from the get-go.  Looking at the Spyware 
> signatures they don?t seem to get updated very often.
>
> Our ISP deployed a FireEye appliance on a 30 day trial last year.  For that month we observed a significant drop in 
> malware infections.  So I was hoping the PA with the Wildfire service could be as effective.  We didn?t subscribe to 
> the Wildfire service yet, and may request a trial before committing to said service.
>
>
> Mark Rogowski  CISSP, CISM
> IT Security / Information Security Office
> University of Winnipeg
> Ph: 204-786-9034
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf OfRoger A 
> Safian
> Sent: Friday, February 14, 2014 10:19 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] Firewall Upgrade
>
> I agree on wildfire, and URL filtering.  In fact, the URL filtering, which we primarily wanted as another layer to 
> prevent phishing, was terrible.  My guess is it works great, in say a bank, but, in a university, the categories 
> aren?t that useful.
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf OfHall, 
> Rand
> Sent: Friday, February 14, 2014 10:04 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] Firewall Upgrade
>
> Like Roger said, YMMV. Most people have many layers of defense. No layer is magic. OpenDNS blocks some stuff for us. 
> PA DNS anti-hijacking firewall rules block stuff. Threat Protection on PA blocks some stuff. Basic Wildfire alerts on 
> some stuff. Desktop AV still blocks some stuff. PA Threat Protection blocks/alerts on post-infection C&C traffic.
>
> The basic Wildfire service that comes with Threat Protection is pretty good for what it is. The premium service is 
> overpriced, IMHO (as is URL filtering).
>
>
> Rand
>
> Rand P. Hall
> Director, Network Services                 askIT!
> Merrimack College
> 978-837-3532
> rand.hall () merrimack edu<mailto:rand.hall () merrimack edu>
>
> If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. ? 
> Einstein
>
> On Fri, Feb 14, 2014 at 10:25 AM, Mark Rogowski <m.rogowski () uwinnipeg ca<mailto:m.rogowski () uwinnipeg ca>> wrote:
> Forgive the derailing of this thread, but given all the chatter regarding Palo Alto, I am very curious to know how 
> effective the product is at stopping malware.  PA touts they have strong anti malware protection - is this in fact 
> true?  Have any of you noticed a drop in your end point infections?
>
> Mark Rogowski  CISSP, CISM
> IT Security / Information Security Office
> University of Winnipeg
> Ph: 204-786-9034<tel:204-786-9034>
>
>
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
> LISTSERV EDUCAUSE EDU>] On Behalf Of Michael Horne
> Sent: Friday, February 14, 2014 8:48 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] Firewall Upgrade
> I will also give a +1 to Palo Alto, We replaced a pair of aging Nortel branded check points with a pair of PA 5020's. 
> We are very pleased with them and I personally would recommend them as well. A lot deeper view into what's happening 
> on the network as well. Rule creation is not bad either once yopu get the mind shift changed to zone / application 
> based vrs just a port based FW.
>
>
> Michael Horne
> Network Engineer
> Olin College of Engineering
> 1000 Olin Way, Milas Hall, Suite LL18
> Needham, MA 02492
> 1-781-292-2438<tel:1-781-292-2438>
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
> LISTSERV EDUCAUSE EDU>] On Behalf Of Russo, Dan
> Sent: Thursday, February 13, 2014 2:19 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: [SECURITY] Firewall Upgrade
>
> We are looking into upgrading our Firewall. I was wondering if anyone had anything to offer in regards to what you 
> are using and the pros/cons associated to it.
>
> Thanks,
>
> Dan

-- 
Pete Hickey                      
The University of Ottawa         "There is no patch for stupidity."
Ottawa, Ontario                              - SQLSecurity.com
Canada