
I would also like to know about Palo Alto. My next demo in house is Enterasys, then Sourcefire; Tipping Point declined to even participate in our testing for new IPSs.

Comments

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Feb 04, 2013 at 12:11:01PM -0500, Bradley, Stephen wrote:
> I would also like to know about Palo Alto. My next demo in house is
> Enterasys then Sourcefire, Tipping Point declined to even participate
> in our testing for new IPS'.

I'll +1 info about Palo Alto. If the SourceFire solution is something like FireAMP, I *definitely* want to know how that goes!

kmw
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlEP8vEACgkQsKMTOtQ3fKGt+wCgtsG3buefg+R1FRGbuQN191rB
wlQAoJ5YZVId8Nu5v/mWcMU2rChqpNEU
=hBRy
-----END PGP SIGNATURE-----
Added cost as in the added cost of Palo Alto options like Threat Protection and URL Filtering? Or, added cost of Palo Alto versus their competitors?

As for the latter, we found Palo Alto to generally be a cheaper solution. For the former, URL Filtering would be a nice luxury but Threat Protection is great.

Yes, you might miss some encrypted C&C but you may hit on the traffic in other ways (known malware domains, fast flux heuristics, etc). Additionally, you'll get them at bot update time with Wildfire. Wildfire is great. You can watch people get 0wned in real-time as file after file gets pulled down. Palo Alto's User-ID makes it a snap to ID the former owner. (User-ID also makes DMCA takedown notices a 15 second problem...a godsend.)

Rand
 
Rand P. Hall
Director, Network Services                 askIT!
Merrimack College
978-837-3532

If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. – Einstein
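Rand mentions fast flux heuristics as one way to get a lead on encrypted C&C without decrypting it. As an added illustration of what such a heuristic looks like in practice (example code written for this page, not Rand's and not Palo Alto's; the DNS answer records are constructed from documentation IP ranges and the thresholds are assumptions to tune against your own baseline), the script below aggregates per-name TTL, distinct A records and distinct /16 networks from a DNS answer log and flags names that show all three classic fast-flux indicators at once:

```python
"""Fast-flux heuristic over DNS answer records (added example, constructed data).

Indicators checked per queried name:
  1. short TTL          (the flux network must rotate answers quickly)
  2. many distinct IPs  (a pool of compromised hosts, not a small server farm)
  3. IPs spread across many networks (/16 is used here as a cheap stand-in
     for an ASN lookup, which you would do offline against routing data)
CDNs legitimately show 1 and 2, which is why all three must fire together and
why a hit is a lead to check against reputation data, not a block verdict.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample DNS answer log: (queried name, TTL seconds, answer IP).
# Addresses are from RFC 5737 documentation ranges, not real hosts.
SAMPLE_ANSWERS = [
    ("cdn-static.example.net", 300, "203.0.113.10"),
    ("cdn-static.example.net", 300, "203.0.113.11"),
    ("update.bad-example.org", 30, "198.51.100.5"),
    ("update.bad-example.org", 30, "192.0.2.77"),
    ("update.bad-example.org", 25, "203.0.113.200"),
    ("update.bad-example.org", 30, "198.51.100.130"),
    ("update.bad-example.org", 20, "192.0.2.9"),
    ("update.bad-example.org", 30, "203.0.113.44"),
    ("mail.example.com", 3600, "192.0.2.25"),
]


@dataclass
class DomainStats:
    min_ttl: int
    ips: set = field(default_factory=set)
    prefixes16: set = field(default_factory=set)  # "a.b" of each a.b.c.d


def collect(answers):
    """Aggregate the lowest TTL, distinct A records and distinct /16s per name."""
    stats = {}
    for name, ttl, ip in answers:
        if ip_address(ip).version != 4:
            continue  # heuristic is written for A records; AAAA is skipped
        s = stats.setdefault(name, DomainStats(min_ttl=ttl))
        s.min_ttl = min(s.min_ttl, ttl)
        s.ips.add(ip)
        s.prefixes16.add(".".join(ip.split(".")[:2]))
    return stats


def is_fast_flux(s, ttl_threshold=60, min_ips=5, min_prefixes=3):
    """True only when all three indicators fire. Thresholds are assumptions."""
    return (s.min_ttl <= ttl_threshold
            and len(s.ips) >= min_ips
            and len(s.prefixes16) >= min_prefixes)


def classify(answers, **thresholds):
    """Return {name: flagged} for every name present in the answer log."""
    return {name: is_fast_flux(s, **thresholds)
            for name, s in collect(answers).items()}


if __name__ == "__main__":
    for name, flagged in classify(SAMPLE_ANSWERS).items():
        print(f"{name:26s} {'FAST-FLUX candidate' if flagged else 'ok'}")
```

Feed it the answer section of your resolver or firewall DNS logs over a window of several hours; a single lookup rarely reveals enough distinct answers, so the aggregation across time is what makes the /16 spread visible.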


+1 to Palo Alto

We installed a Palo Alto this summer as FW/IPS and are crazy happy.

           
Rand
 
Rand P. Hall
Director, Network Services                 askIT!
Merrimack College
978-837-3532

If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. – Einstein


We have been running a PaloAlto for over a year and are very happy with it!

 

We are using HP Tipping Points and are relatively pleased with their performance. We also use SourceFire IDS.

Best Regards,

Stan Waddell, CISSP, C|CISO, PMP, ABD
University of North Carolina at Chapel Hill
ISO and Executive Director ITS Security
wk 919-445-9397
2800 ITS Manning
211 Manning Dr
Chapel Hill NC 27599

Remember, UNC-CH will not ask you to reveal your account password via the phone or email. If you receive an email or phone request for that information, the request is a phishing attempt.

Here is my two cents, and I am hoping to stir up some good conversation with respect to IPS solutions. We have been using TippingPoint for many years. After much testing, we recently deployed PaloAlto firewalls into production. I must say that I am EXTREMELY impressed with the FW performance, ease of management, and surprisingly with its IPS feature and with WildFire. I feel as if we were almost blind with respect to IPS, and now we have gotten LASIK and we have gained much more visibility into what's going on on our network. I was a proponent of TippingPoint in the early days, and I was very impressed with it, but I must say that TP is blind compared to PA. I feel they are lagging a bit behind. I understand that TP is for heavy duty IPS only, but what good is it, if it is almost blind?

As we revisit our IPS solution again, we are looking to find dedicated IPS hardware that comes close to the PA IPS features and visibility. Your feedback is very much appreciated and your point of view very helpful. We are trying to find solutions to augment our PA border firewalls with some dedicated IPS with 'better than 20/40 vision' :)

 

I find it interesting you put it that way. We were pleasantly surprised by how the PA worked right out of the box during the demo. I like the way it classifies traffic and doesn't focus on a port.

Andrea,

I am just curious. Since you are so happy with PA's IPS features, why are you still looking for dedicated IPSs instead of more PAs? What are they missing, or what do you want to get from a dedicated IPS that you are not getting from your PA devices?

We are also now looking for alternatives to TP and are leaning towards PA.

Thanks,

Jim

 

> I find it interesting you put it that way. We were pleasantly surprised by how the
> PA worked right out of the box during the demo.
> I like the way it classifies traffic and doesn't focus on a port.

For me, I think this is the critical point about IPS. A next generation, application aware system, such as Palo Alto, is a giant leap forward when compared to systems that rely strictly on port information. When we did our testing (Fall 2012) the Palo Alto was the clear winner. We saw traffic, and were able to act to stop that traffic, all within the first few minutes. Their competitors did not equal those results.

We've been using PaloAlto since 2008. We initially piloted in 'tap only' mode in conjunction with our primary CheckPoint FWs, and gradually turned on blocking rules and controls of the PA as threats were identified. In 2010, we completely migrated to using the PA. They provide excellent visibility and control into Internet/network traffic and permit really granular control over applications and protocols, and they still support 'traditional' FW rules. The IPS features have significantly helped to reduce compromised machines, and the logging/reporting features are really useful to identify the few that do get compromised. We have had a couple of false positive threats detected over the years, but PA support has been easy to work with and very responsive. We have SIEM, NAC, Mail filtering, etc., but the PA visibility is such that it is where I start most days...power-up the PC, start the coffee, check the PA traffic and threat monitor.

_________________________
Dan O'Callaghan
CISO, Sinclair Community College
937.512.2452

Jim,

You have a very good point, but I am a firm believer in not putting all my eggs in one basket, and especially in trying to introduce new technology into my environment. PA brought us UID and Application Awareness, which wasn't available in our ASAs. Additionally it brought features similar to FireEye, when we were demoing a FireEye box :) Overall, we were able to bring true new technology into our environment with budget that was allocated to replace our ASAs. Now that we have budget to replace our older TP IPS hardware, I am exploring solutions that can truly bring new IPS technology into the mix, if such new technologies exist and can augment what PA can do.

 

Message from millerj@uakron.edu

We have been using the Juniper 8200 series w/10Gb interfaces for the last year or so and have had excellent results.

Jim Miller
CISSP, CCSP
Lead Network Engineer
The University of Akron
(330) 972-7958
millerj@uakron.edu


For those who have Palo Altos, what additional features are you using and do you think it is worth the added cost?

For example, we have been seeing some more encrypted botnet traffic here that I can't detect because I have not wanted to use the SSL decryption aspects: we don't have URL filtering, so I have no way not to break the chain on things like legitimate banking or shopping. Are you doing things like this? Also, are you using the WildFire subscriptions, and are there any metrics of how cost effective it has been in blocking malware? I know their sales pitches are pretty spectacular regarding WildFire, but is that what real world edus are seeing?


Message from rob_biddle@mail.msj.edu

I’m happy with our PaloAlto purchase.  I was able to move user data from Cisco NAC into PaloAlto via the UserID API to get user visibility for BYOD users, which makes tracking down issues much easier.

The only additional feature we’ve purchased is the full GlobalProtect license, which I’m also very happy with so far.  Initially I was just going to deploy GlobalProtect for users who specifically needed remote access.  I later decided that a persistent VPN connection (forcing the internet traffic through PA) for college owned devices should significantly reduce (no metrics yet) the likelihood of those devices downloading known malware when they leave campus, as well as allowing for easier remote management.

_____________________________
Rob Biddle
Network Systems Engineer / Administrator
College of Mount St. Joseph


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Benjamin Parker
Sent: Tuesday, February 05, 2013 11:30 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] IPS Solution

> For those who have Palo Alto's what additional features are you using and do you think it is worth the added cost.
>
> For example, we have been seeing some more encrypted botnet traffic here that I can't detect because I have not wanted to use the SSL decryption aspects because we don't have URL filtering so I have no way not to break the chain on things like legitimate banking or shopping. Are you doing things like this? Also are you using the wildfire subscriptions, and are there any metrics of how cost effective it has been in blocking malware? I know their sales pitches are pretty spectacular regarding wildfire but is that what real world edu's are seeing?
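Rob describes feeding NAC login data into the firewall through the User-ID API so BYOD sessions show up with a user name instead of a bare IP. The script below is an added example of that integration, written for this page; it is not Rob's code and not a Palo Alto tool. It assumes the PAN-OS User-ID XML API message shape as I understand it (a `uid-message` with `login` and `logout` entries, POSTed as the `cmd` parameter to `/api/?type=user-id`), which you should confirm against the documentation for the PAN-OS release you run. The firewall host, API key, CA bundle and the layout of the NAC event records are all assumptions, and the sample events are constructed.

```python
"""Push NAC user<->IP mappings into a PAN-OS firewall via the User-ID XML API.

Added example (constructed data, assumed API shape; verify against your
PAN-OS docs). Two points a practitioner should not skip:
  * every login mapping carries a timeout, so a user who walks away without
    a NAC logout event does not leave their identity attached to an IP that
    DHCP will shortly hand to someone else (that next device would inherit
    the first user's policy);
  * the API key can rewrite identity mappings, so it belongs to a dedicated
    least-privileged admin role, and the TLS connection to the firewall is
    verified against a pinned CA bundle rather than left unchecked.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample of NAC session events (assumed record layout).
NAC_EVENTS = [
    {"event": "login", "user": "campus\\jdoe", "ip": "10.20.30.40"},
    {"event": "login", "user": "campus\\asmith", "ip": "10.20.30.41"},
    {"event": "logout", "user": "campus\\jdoe", "ip": "10.20.30.40"},
    {"event": "login", "user": "", "ip": "10.20.30.42"},  # unauthenticated: skip
]


def build_uid_message(events, timeout_minutes=60):
    """Render NAC events as a <uid-message> update document (assumed format)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    logout = ET.SubElement(payload, "logout")
    for ev in events:
        if not ev.get("user") or not ev.get("ip"):
            continue  # never map an IP to an empty or unknown user
        if ev["event"] == "login":
            ET.SubElement(login, "entry", name=ev["user"], ip=ev["ip"],
                          timeout=str(timeout_minutes))
        elif ev["event"] == "logout":
            ET.SubElement(logout, "entry", name=ev["user"], ip=ev["ip"])
    return ET.tostring(root, encoding="unicode")


def count_entries(xml_text):
    """Return (login entries, logout entries) in a uid-message; used for checks."""
    root = ET.fromstring(xml_text)
    return (len(root.findall("./payload/login/entry")),
            len(root.findall("./payload/logout/entry")))


def response_ok(response_xml):
    """PAN-OS API responses carry status="success" or "error" on the root element."""
    return ET.fromstring(response_xml).get("status") == "success"


def send_uid_message(firewall_host, api_key, xml_text, ca_bundle):
    """POST the update to the firewall (assumed endpoint), verifying its TLS cert."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    data = urlencode({"type": "user-id", "key": api_key, "cmd": xml_text}).encode()
    req = urllib.request.Request(f"https://{firewall_host}/api/",
                                 data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        body = resp.read().decode()
    if not response_ok(body):
        raise RuntimeError(f"User-ID update rejected: {body}")
    return body


if __name__ == "__main__":
    msg = build_uid_message(NAC_EVENTS)
    print(msg)
    print("login/logout entries:", count_entries(msg))
    # send_uid_message("fw.example.edu", "<api key>", msg, "/etc/ssl/fw-ca.pem")
```

Run it on a schedule (or from the NAC's event hook) and keep the timeout a little longer than the polling interval, so a mapping refreshed on every cycle never lapses for an active user but does expire shortly after the NAC stops reporting them.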

 
