Re: Firewall Upgrade

[Mark Rogowski <m.rogowski () UWINNIPEG CA>]

P.S. Apologies for the thread tangent.

Now I don’t feel so bad…  ;-)


Mark Rogowski  CISSP, CISM
IT Security / Information Security Office
University of Winnipeg
Ph: 204-786-9034


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike 
Osterman
Sent: Friday, February 14, 2014 4:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall Upgrade

Thanks, Ben. This is perfect. It runs counter to what we were told, but it makes good sense and is obviously a 
configuration that is effective in some configurations as evidenced by its existence in the tech note.

Cheers,
Mike

P.S. Apologies for the thread tangent.

On Feb 14, 2014, at 2:06 PM, Ben Parker <BParker () CHICORPORATION COM<mailto:BParker () CHICORPORATION COM>> wrote:


Mike,
First to clear up what I had meant, I was referring to inbound smtp. I have seen it done in 2 different ways depending 
on what was being asked for and what licensing was purchased. With the free version, you just turn it on to forward 
appropriate file types, and it basically gives you insight to see what is making its way through the mail SPAM/AV 
gateway that is not being recognized by signatures. You then get the rollup’s from wildfire in the daily AV update. 
With this in place you need to react to remediate users who open everything they get no matter how much you say please 
don’t.

For people who pay for wildfire you in the AV profile you can set separate actions for the AV updates and the Wildfire 
updates. This is where we have seen the value of wildfire shine through because you can set it to block the SMTP 
transaction here. Per the documentation IMAP and POP3 are what you shouldn’t set to BLOCK. Setting SMTP to BLOCK 
generates a 5.4.1. to the connecting server. Here is the tech note and relevant sections.

https://live.paloaltonetworks.com/servlet/JiveServlet/downloadBody/3094-102-5-15962/Threat%20Prevention%20Deployment%20Tech%20Note%20-%20Version%201.2%20RevA.pdf

Recommendations
The default Antivirus profile can be used in most situations where dedicated SMTP, POP3 and/or IMAP-scanning
solutions are also present.

If no dedicated Antivirus gateway solution is present for SMTP, it is possible to define a custom Antivirus profile
and apply the BLOCK action to infected attachments. In such case, a 541 response will be sent back to the sending
SMTP server to prevent it from resending the blocked message.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike 
Osterman
Sent: Friday, February 14, 2014 2:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Firewall Upgrade

Touché, Ian. :) I should have been more explicit.

We were advised by a PA trainer to not block SMTP inbound for threats as it would cause problematic behavior in the MTA 
trying to relay the message in question. Ben implied that he's done this with a PA, and I wanted to hear a differing 
opinion on the recommendation we got.

-Mike

On Feb 14, 2014, at 11:20 AM, Ian McDonald <iam () ST-ANDREWS AC UK<mailto:iam () ST-ANDREWS AC UK>> wrote:



access-list OUTBOUND extended deny ip any any eq 25 log :)

Well, you did ask :)

Thanks

--
ian

Sent from my phone, please excuse brevity and misspelling.
________________________________
From: Mike Osterman<mailto:ostermmg () WHITMAN EDU>
Sent: ‎14/‎02/‎2014 19:18
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Firewall Upgrade
Ben,

How exactly are you blocking SMTP effectively? We were advised that setting SMTP to "block" would be a bad idea as it 
would keep retrying.

-Mike

On Feb 14, 2014, at 10:19 AM, Ben Parker <BParker () CHICORPORATION COM<mailto:BParker () CHICORPORATION COM>> wrote:



Disclaimer: reseller
Where I have seen the largest impact from places we have put wildfire is blocking zero day viruses coming in via smtp. 
An amazing amount of those things are now seen as new threats by a lot of antivirus vendors. Basically all the fax or 
shipping report type of stuff.


Sent from my Verizon Wireless 4G LTE Smartphone


-------- Original message --------
From: Mark Rogowski
Date:02/14/2014 11:55 AM (GMT-05:00)
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Firewall Upgrade
Interesting conversation and good feedback for sure.  And yes, CST, although it is daylight right now…  ;-)

The reason I bring this up is we are just beginning to deploy a PA and only have the AV/AM service running right now.  
Initial observations is that it is picking up Conficker just fine but nothing else.  Obviously things need to be 
tweaked, but I honestly was expecting to see more action out of it from the get-go.  Looking at the Spyware signatures 
they don’t seem to get updated very often.

Our ISP deployed a FireEye appliance on a 30 day trial last year.  For that month we observed a significant drop in 
malware infections.  So I was hoping the PA with the Wildfire service could be as effective.  We didn’t subscribe to 
the Wildfire service yet, and may request a trial before committing to said service.


Mark Rogowski  CISSP, CISM
IT Security / Information Security Office
University of Winnipeg
Ph: 204-786-9034



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf OfRoger A 
Safian
Sent: Friday, February 14, 2014 10:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Firewall Upgrade

I agree on wildfire, and URL filtering.  In fact, the URL filtering, which we primarily wanted as another layer to 
prevent phishing, was terrible.  My guess is it works great, in say a bank, but, in a university, the categories aren’t 
that useful.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf OfHall, Rand
Sent: Friday, February 14, 2014 10:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Firewall Upgrade

Like Roger said, YMMV. Most people have many layers of defense. No layer is magic. OpenDNS blocks some stuff for us. PA 
DNS anti-hijacking firewall rules block stuff. Threat Protection on PA blocks some stuff. Basic Wildfire alerts on some 
stuff. Desktop AV still blocks some stuff. PA Threat Protection blocks/alerts on post-infection C&C traffic.

The basic Wildfire service that comes with Threat Protection is pretty good for what it is. The premium service is 
overpriced, IMHO (as is URL filtering).


Rand

Rand P. Hall
Director, Network Services                 askIT!
Merrimack College
978-837-3532
rand.hall () merrimack edu<mailto:rand.hall () merrimack edu>

If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. – 
Einstein

On Fri, Feb 14, 2014 at 10:25 AM, Mark Rogowski <m.rogowski () uwinnipeg ca<mailto:m.rogowski () uwinnipeg ca>> wrote:
Forgive the derailing of this thread, but given all the chatter regarding Palo Alto, I am very curious to know how 
effective the product is at stopping malware.  PA touts they have strong anti malware protection - is this in fact 
true?  Have any of you noticed a drop in your end point infections?

Mark Rogowski  CISSP, CISM
IT Security / Information Security Office
University of Winnipeg
Ph: 204-786-9034<tel:204-786-9034>





-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
LISTSERV EDUCAUSE EDU>] On Behalf Of Michael Horne
Sent: Friday, February 14, 2014 8:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Firewall Upgrade
I will also give a +1 to Palo Alto, We replaced a pair of aging Nortel branded check points with a pair of PA 5020's. 
We are very pleased with them and I personally would recommend them as well. A lot deeper view into what's happening on 
the network as well. Rule creation is not bad either once yopu get the mind shift changed to zone / application based 
vrs just a port based FW.


Michael Horne
Network Engineer
Olin College of Engineering
1000 Olin Way, Milas Hall, Suite LL18
Needham, MA 02492
1-781-292-2438<tel:1-781-292-2438>



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
LISTSERV EDUCAUSE EDU>] On Behalf Of Russo, Dan
Sent: Thursday, February 13, 2014 2:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Firewall Upgrade

We are looking into upgrading our Firewall. I was wondering if anyone had anything to offer in regards to what you are 
using and the pros/cons associated to it.

Thanks,

Dan