Our current IPS is reaching EOS, so we would take this opportunity to look at alternatives to our existing Tipping Point unit.  I was looking to see what everyone else is using and how well it is working for them.

 

Thank you

Bruce Entwistle

University of Redlands

 

Comments

We had the same problem as you and we have replaced our Tipping Point with a Palo Alto.  The new box should arrive any day now.

 

We are having Palo Alto come out next week to begin discussions on replacing our Tipping Point units on our campus network.  We just placed the Cisco 5585s at the edge.

 

Stephen W. Bradley – CISSP SSCP GCIH GCFA GWAPT

Senior Security Engineer

Miami University

Information Technology

513-529-1809

bradlesw@miamioh.edu

 

+1 Palo Alto - It's been very solid for us for the last year and a half.

On 11/8/2012 2:27 PM, Entwistle, Bruce wrote:

> Our current IPS is reaching EOS, so we would take this opportunity to look at alternatives to our existing Tipping Point unit.  I was looking to see what everyone else is using and how well it is working for them.
>
> Thank you
>
> Bruce Entwistle
>
> University of Redlands

Same situation here- our Tipping Point was EOL, and we replaced it with Palo Alto Networks device. It's been working great, we're retiring the Tipping Point box next week, and expect to add more PANs in the near future.

Walter Petruska
University of San Francisco

All- Not to 'fork' the conversation thread, but we are considering a Palo Alto 5050 for a data center firewall solution. One concern we have is that in the not-too-distant future we may be doing a major infrastructure upgrade to Cisco's Nexus line, and we aren't sure how well a 'traditional' firewall appliance would play in that scenario. Anyone out there have experience with integrating Palo Altos into a Cisco Nexus environment? Any major show-stoppers or concerns?

Thanks,

Jeff Giacobbe
Associate Vice President
Enterprise Technology Services
Montclair State University

On 11/08/2012 04:55 PM, Dave Koontz wrote:
> +1 Palo Alto - It's been very solid for us for the last year and a half.
>
> On 11/8/2012 2:27 PM, Entwistle, Bruce wrote:
>>
>> Our current IPS is reaching EOS, so we would take this opportunity to look at alternatives to our existing Tipping Point unit. I was looking to see what everyone else is using and how well it is working for them.
>>
>> Thank you
>>
>> Bruce Entwistle
>>
>> University of Redlands

Message from bzimmer@ucsc.edu

We demoed a PA box and were impressed, but I'm a bit concerned about using them to replace an IPS in a large environment. We do hope to get some PA boxes for smaller environments around campus though. The biggest thing that bothered me was the inability to tune alerts. Say there's a rule that's alerting a lot and we want to tune it so that it only alerts on certain IP addresses, or doesn't alert on certain IP addresses. I don't remember the exact steps but it seemed like a very convoluted and non-scalable process to accomplish that. I'm no PA expert though.
What are the PA owners out there doing to tune their alerts?

----
Bryan Zimmer
Senior Security Analyst
UCSC Security Team


On Nov 8, 2012, at 1:57 PM, Walter Petruska <wpetruska@USFCA.EDU> wrote:

> Same situation here- our Tipping Point was EOL, and we replaced it with Palo Alto Networks device. It's been working great, we're retiring the Tipping Point box next week, and expect to add more PANs in the near future.
>
> Walter Petruska
> University of San Francisco

Use the 'exception' option when building the policy related to the threat or event activity.  You may then include or exclude particular IP addresses, ranges, MAC addresses, users, ports, protocols, applications, etc. as you wish from the action prescribed by your policy.

Or create an entry which is more granular and specifies different behavior for a subset of rules, threats or systems and place the item higher in your policy.

You may also build the exception right from the alert view, should you decide you're getting too many and you wish to suppress them in the future.

On Nov 8, 2012 10:35 PM, "Bryan Zimmer" <bzimmer@ucsc.edu> wrote:

> We demoed a PA box and were impressed, but I'm a bit concerned about using them to replace an IPS in a large environment. We do hope to get some PA boxes for smaller environments around campus though. The biggest thing that bothered me was the inability to tune alerts. Say there's a rule that's alerting a lot and we want to tune it so that it only alerts on certain IP addresses, or doesn't alert on certain IP addresses. I don't remember the exact steps but it seemed like a very convoluted and non-scalable process to accomplish that. I'm no PA expert though.
> What are the PA owners out there doing to tune their alerts?
>
> ----
> Bryan Zimmer
> Senior Security Analyst
> UCSC Security Team
>
> On Nov 8, 2012, at 1:57 PM, Walter Petruska <wpetruska@USFCA.EDU> wrote:
>
>> Same situation here- our Tipping Point was EOL, and we replaced it with Palo Alto Networks device. It's been working great, we're retiring the Tipping Point box next week, and expect to add more PANs in the near future.
>>
>> Walter Petruska
>> University of San Francisco

We’re also looking at replacing our current IPS. I’m looking into Palo Alto and SourceFire at the moment – working on getting in some demo units for each. It looks like a large number of people are happy with PA – anyone using or demoed the SourceFire NGIPS/FW and have feedback?

 

Thanks,

 

Matthew Gioia

Network Security Analyst

Technology and Educational Support Services

St. Louis Community College

 

We looked at SourceFire as well, and I liked it.  I think in the end we decided the PA was a little more mature, and I believe the cost was less as well.

 

We too have TippingPoint EOL equipment.  We purchased two Palo Alto firewalls and are very happy with them.  In fact, they caught a bug today that triggered further investigation.  Thanks to them, it was easy to ID the host with user ID that was attacking our server.  We had not considered them as an alternative to TippingPoint, but, with this conversation and recent events, well, let’s just say we are now open to the idea that we may already have our replacement.

 

Note: The PAN firewalls are Next Gen (NG).  I have learned that they aren’t the standard definition of a firewall.  The recommended way to create rules is based on the application rather than port.  The bug I mentioned earlier was over port 80, generally allowed for your internal hosts to talk out to port 80, but, much like an IPS, it triggered on a Trojan filter.  We have a rule set for one of our web servers to only allow applications “web-browsing” and “web-crawler” from the Internet.  With the ASAs we are moving from, we allowed anything on port 80.

 

+2 here.

 

Ronald King

Security Engineer

Norfolk State University

http://security.nsu.edu

 

A decade ago (more or less) we had a Cisco PIX firewall.  It had some IDS/IPS at the time, targeted at some of the threats of the time.  It did some things very well, but did not scale.

We had our first Cisco ASA firewalls right after their introduction.  They scaled much better than the PIX.  We also got the AIP-SSM IPS modules for them.  They were excellent at the time, directed at the threats at the time.  It did more things very well, but we're starting to approach its scale of bandwidth.  The IPS modules were catching less and less (and subsequent things behind them picking up more and more), so I put them in bypass mode over the summer as they were a bottleneck running inline.

We have been doing Snort in IDS mode (passive) for some time.  It does some things very well.  (Detecting a pattern here?)  It might be able to do some more things well if we could afford the official commercial appliance offerings with the full Sourcefire enhancements, but as with most Next Generation Firewall or Unified Threat Management solutions, it gets a little difficult separating the wheat from the chaff in the marketing claims.

We added a TippingPoint appliance a couple of years ago.  It could implement blocking inline what Snort was telling us after the fact.  We also have an N-series appliance which supports the reputation database, a feature which scales to incredible heights that we could not get out of other approaches.  It does some things very well.

We also have a Procera.  It can do some blocking (it can nail individual URLs), and does some things very well.  But it doesn't scale up well on that particular feature.

I'm not sure there is a 100% cure-all box you can simply plug in and everyone lives happily ever after.  We have tried to combine best-of-breed and get the cumulative benefits of each, and at the same time we can avoid their individual weaknesses and redirect them at something better suited for the job. 

And the more eggs you put into one basket, it appears the more expensive it is per megabit of traffic.  If your budget scales up to that, it's an option too.

Just another opinion :)

Jeff

On 11/9/2012 6:26 PM, King, Ronald A. wrote:

> We too have TippingPoint EOL equipment.  We purchased two Palo Alto firewalls and are very happy with them.  In fact, they caught a bug today that triggered further investigation.  Thanks to them, it was easy to ID the host with user ID that was attacking our server.  We had not considered them as an alternative to TippingPoint, but, with this conversation and recent events, well, let’s just say we are now open to the idea that we may already have our replacement.
>
> Note: The PAN firewalls are Next Gen (NG).  I have learned that they aren’t the standard definition of a firewall.  The recommended way to create rules is based on the application rather than port.  The bug I mentioned earlier was over port 80, generally allowed for your internal hosts to talk out to port 80, but, much like an IPS, it triggered on a Trojan filter.  We have a rule set for one of our web servers to only allow applications “web-browsing” and “web-crawler” from the Internet.  With the ASAs we are moving from, we allowed anything on port 80.
>
> +2 here.
>
> Ronald King
>
> Security Engineer
>
> Norfolk State University
>
> http://security.nsu.edu

Interesting to note that Palo Alto just recently released PAN-OS 5.  In the help file it mentions a new series of firewalls distributed as an OVF for use with vSphere.

 

Bob Williamson
Network Administrator
Annie Wright Schools | 827 N Tacoma Ave, Tacoma, WA 98403 | www.aw.org
D: 253.272.2216 | F: 253.572.3616 | Bob_Williamson@aw.org


We are working with a product/service called MetaFlows – the primary drivers are 10Gbps capability and pricing.  The upsides are cost (very low compared to others), the primary detection engine is Snort (well known, documented, and straightforward to work with), and a modular design approach so we can scale it up from sub-gig to multi-gig.  The main downside is the interface is definitely an "engineers" interface – although you can produce lots of pretty reports, it is not designed for managers – we actually like that aspect since it is meant to be a security tool.

It also has some SIEM-like features, plus OSSEC, BotHunter, Ntop, and external vulnerability scanning.  So far so good with it – we are still working on the best way to use the features included.  The other upside regarding cost – we've been able to replace the old IPS and use the IDS capability to monitor more of the internal network, for about half the cost of a straight replacement of the existing IPS.

I'd love to have a Palo Alto, the latest Tipping Point, or some of the other tools out there – but going to 10Gbps the costs are just too high.

Robert Rudloff
AVC/CISO, UTS-Service Assurance
University of Denver
Office:  (303) 871-4030
Mobile: (303) 590-8770
