Educause Security Discussion mailing list archives

Re: Firewall Upgrade


From: Mike Osterman <ostermmg () WHITMAN EDU>
Date: Fri, 14 Feb 2014 12:07:57 -0800

Randy--I think there was a misunderstanding. The thread was (meant to be) about blocking of inbound SMTP, which some of
us had some technical concerns about, specifically with regard to the Palo Alto implementation. The scenario
would be to keep something like CryptoLocker from ever reaching your users.

On Feb 14, 2014, at 11:50 AM, randy <marchany () VT EDU> wrote:

I know this is a silly question but from what I'm reading on this thread, we're talking about putting an SMTP block 
on ALL outbound email? I hope that's not the case because that doesn't make any sense. How do you distinguish between 
legit and bad outbound traffic?

IMHO, the only value a FW has these days is to block unsolicited inbound connections. Using a combo of devices like
PA, FireEye (my favorite), Stonesoft, Snort, etc. in combo with subscribing to some sort of threat intelligence
services (FireEye, SecureWorks, etc.) to monitor outbound traffic is more effective.

SMTP servers are embedded in all sorts of devices, ranging from printers to copiers and scanners. Effective patch mgt
solutions like BigFix, etc., are proving to be more effective in halting malware infections that manage to make it past
the IDS/IPS sensors. Yes, the malware got loaded on the target, but it needs to exploit a hole in a software component,
and if that hole was patched effectively, the net result is the machine wasn't compromised. Blocking the outbound
communication to a controller is key. It's hard, but the technology is getting better.

Network Security Monitoring aka Continuous Monitoring of outbound traffic seems to be the more effective solution.

-Randy Marchany
VA Tech IT Security Office and Lab.
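Randy's point is that you cannot tell legitimate outbound mail from bad outbound mail at the firewall, so the useful control is monitoring outbound traffic rather than a blanket block. The following is an added example (not from the thread, and not anyone's production tooling) of the kind of network security monitoring check that fits that argument: it walks Zeek-style conn.log records, ignores the approved relays, and flags every other internal host that opens SMTP connections to the outside. The relay addresses, the 10.0.0.0/8 internal range, and the log lines are all constructed for illustration; the ranking by distinct destinations is there to separate a printer mailing one scan to one server from a bot spraying many.

```python
"""Flag outbound SMTP from internal hosts that are not approved mail relays.

Added example, not code from the mailing-list thread. Assumes a tab-separated
Zeek-style conn.log layout (ts, orig_h, orig_p, resp_h, resp_p, proto,
conn_state) and that 10.0.0.0/8 is the internal network; the relay list and
sample records below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # assumed internal range
APPROVED_RELAYS = {"10.1.0.25", "10.1.0.26"}           # hypothetical outbound relays
SMTP_PORTS = {25, 465, 587}                            # plain SMTP, SMTPS, submission

# Constructed sample records: ts, orig_h, orig_p, resp_h, resp_p, proto, conn_state
SAMPLE_CONN_LOG = """\
1392400000.1\t10.1.0.25\t51000\t198.51.100.10\t25\ttcp\tSF
1392400001.2\t10.20.3.7\t40512\t203.0.113.5\t25\ttcp\tSF
1392400002.3\t10.20.3.7\t40513\t203.0.113.6\t25\ttcp\tS0
1392400003.4\t10.30.9.44\t48000\t192.0.2.77\t587\ttcp\tSF
1392400004.5\t10.5.5.5\t55555\t192.0.2.80\t443\ttcp\tSF
1392400005.6\t198.51.100.9\t34567\t10.1.0.25\t25\ttcp\tSF
"""


def parse_conn(line):
    """Parse one tab-separated conn record; return None for short/malformed lines."""
    f = line.rstrip("\n").split("\t")
    if len(f) < 7:
        return None
    return {
        "ts": float(f[0]),
        "orig_h": f[1],
        "orig_p": int(f[2]),
        "resp_h": f[3],
        "resp_p": int(f[4]),
        "proto": f[5],
        "state": f[6],
    }


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def find_unauthorized_smtp(log_text, approved=APPROVED_RELAYS):
    """Return {orig_h: [(resp_h, resp_p, conn_state), ...]} for internal hosts
    outside the relay allowlist that initiate SMTP to external addresses.
    Inbound SMTP and internal-to-internal mail are ignored on purpose."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        c = parse_conn(line)
        if c is None or c["proto"] != "tcp" or c["resp_p"] not in SMTP_PORTS:
            continue
        if not is_internal(c["orig_h"]) or is_internal(c["resp_h"]):
            continue  # inbound, or internal host talking to the internal relay
        if c["orig_h"] in approved:
            continue
        hits[c["orig_h"]].append((c["resp_h"], c["resp_p"], c["state"]))
    return dict(hits)


def summarize(hits):
    """Rank offenders by number of distinct external destinations, then by
    total connections: a printer mailing one server looks different from a
    spam bot spraying many. Returns [(host, n_distinct_dests, n_conns), ...]."""
    rows = []
    for host, conns in hits.items():
        rows.append((host, len({d for d, _, _ in conns}), len(conns)))
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for host, ndest, nconn in summarize(find_unauthorized_smtp(SAMPLE_CONN_LOG)):
        print(f"{host}: {nconn} outbound SMTP connection(s) "
              f"to {ndest} distinct external host(s)")
```

On the sample data the approved relay, the HTTPS flow and the inbound delivery are all skipped, and two hosts are reported: 10.20.3.7 (two external destinations, one of them a failed S0 attempt) and 10.30.9.44 (one submission-port connection). In practice the allowlist would be the relays your copiers and printers are configured to use, and anything else on this report is either a misconfigured device or something worth a closer look.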
