Tag Archives: Palo Alto

Palo Alto Firewalls – There is Nothing Else Left to Compete


I just finished up taking the PAN 201 and 205 classes. Had I known two years ago that these firewalls can do all that they do, I would have trained earlier. Where else can you get a firewall that inspects traffic in real time with a single-pass technology (Single Pass Parallel Processing) and reviews packets up to 5 ways with App-ID before deciding what to do with them (worst case)? This is just App-ID. There is still Content-ID and User-ID for policing traffic into and out of your network. Remember, security is everyone’s job, and watching what leaves your organization is just as important. You don’t want to be part of a botnet. You don’t want your secret sauce leaving either.

App-ID Inspection
First, the traffic is classified based on IP and port. Next, the application signatures are applied to the allowed traffic (so that’s two). Then, if App-ID determines that encryption (SSL or SSH) is used, you can write a decryption policy (if legally allowed). The fourth inspection is the known protocol decoders, which give additional context for context-based signatures to see if applications are tunneling traffic inside. This helps avoid salami attacks or data diddling: when traffic leaves in small chunks back to C&C, these known decoders help very well. When that does not work, heuristics are used to see if the behavior of the packets is normal, and then it passes.
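To make the five checks above concrete, here is an added toy classifier (my own illustration, not Palo Alto code and nothing like the size of the real App-ID database) that runs a constructed flow through the same sequence: port hint, application signature, TLS detection that hands off to a decryption policy, an HTTP decoder that looks for another application tunneled in the body, and an entropy heuristic when nothing else matched. The port table, signature prefixes, entropy threshold and the sample flows are all constructed assumptions.

```python
import math
from dataclasses import dataclass

# Constructed port hints and application signatures; a real App-ID database
# holds thousands of entries. Stage names follow the five checks in the post.
PORT_HINTS = {22: "ssh", 53: "dns", 80: "web-browsing", 443: "ssl"}

APP_SIGNATURES = [            # (application, payload prefix)
    ("ssh", b"SSH-"),
    ("web-browsing", b"GET "),
    ("web-browsing", b"POST "),
    ("web-browsing", b"HTTP/1."),
]


@dataclass
class Flow:
    dst_port: int
    payload: bytes          # first client bytes of the session


@dataclass
class Verdict:
    app: str
    stage: str              # which check produced the answer
    note: str = ""


def stage1_port_hint(flow: Flow) -> str:
    """Check 1: the initial classification from destination port alone."""
    return PORT_HINTS.get(flow.dst_port, "unknown")


def stage2_signature(flow: Flow):
    """Check 2: match application signatures against the payload."""
    for app, prefix in APP_SIGNATURES:
        if flow.payload.startswith(prefix):
            return app
    return None


def stage3_is_tls_client_hello(payload: bytes) -> bool:
    """Check 3: TLS record type 0x16 (handshake), major version 3, handshake type 1
    (ClientHello). Content can only be inspected further under a decryption policy."""
    return len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01


def stage4_http_decoder(payload: bytes):
    """Check 4: a known-protocol decoder. Parse the HTTP envelope and look at what
    rides inside the body; another application's banner there means tunneling."""
    _head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    for app, prefix in APP_SIGNATURES:
        if app != "web-browsing" and body.startswith(prefix):
            return f"{app}-over-http"
    return None


def shannon_entropy(data: bytes) -> float:
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def stage5_heuristic(payload: bytes) -> str:
    """Check 5: no signature matched, so fall back on behaviour. High byte entropy
    with no recognised protocol framing is treated as unknown encrypted traffic."""
    if len(payload) >= 16 and shannon_entropy(payload) > 7.0:
        return "unknown-encrypted"
    return "unknown-tcp"


def classify(flow: Flow) -> Verdict:
    port_app = stage1_port_hint(flow)
    sig_app = stage2_signature(flow)
    if sig_app == "web-browsing":
        tunneled = stage4_http_decoder(flow.payload)
        if tunneled:
            return Verdict(tunneled, "4-protocol-decoder", "another application tunneled inside HTTP")
    if sig_app:
        note = "" if sig_app == port_app else f"port hint was {port_app}, signature says {sig_app}"
        return Verdict(sig_app, "2-signature", note)
    if stage3_is_tls_client_hello(flow.payload):
        return Verdict("ssl", "3-decryption-policy", "encrypted; inspect further only under a decryption policy")
    return Verdict(stage5_heuristic(flow.payload), "5-heuristic", f"port hint was {port_app}")


if __name__ == "__main__":
    samples = [  # constructed flows
        Flow(80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),                        # SSH on the HTTPS port
        Flow(443, bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01]) + b"\0" * 5),
        Flow(80, b"POST /up HTTP/1.1\r\nHost: h\r\n\r\nSSH-2.0-OpenSSH_8.9\r\n"),
        Flow(8080, bytes(range(256))),                                # random-looking, unknown
        Flow(8080, b"A" * 32),
    ]
    for f in samples:
        print(f.dst_port, classify(f))
```

The point the sample flows make is the one the post makes: the port-based answer is only the starting guess. SSH on 443 is named by its banner, not by the port; a TLS ClientHello stops at check 3 until a decryption policy applies; and an SSH banner sitting inside an HTTP body is caught by the decoder, not by the outer signature.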

There are three paths traffic can take even while being analyzed: we start with FW session setup (slowpath), or we could use the FW fast path, or Application Identification. It can decrypt SSL and SSH traffic (not HIPAA, banking or financial traffic) to determine whether the content inside is legitimate or not, and then it can toss it or re-encrypt it and send it on to its destination. The firewall allows for a subscription-based service to WildFire for malware and threat protection and ….analysis. Hands-free administration right there, folks. BrightCloud offers the URL filtering service. WildFire handles threat protection and sandboxing; upload files for review up to 10 MB. There is so much to say about this firewall. It even has packet capture capability right there on a policy or filter to aid in troubleshooting connectivity or an incident. No more running out to the data center floor or waiting for an approved change. It has App-ID to look at applications and check that they behave as they should. No more leaving ports open and letting that traffic just ride on in there. It will lay the smackdown on any traffic not adhering to signature or behavioral patterns. Does your Cisco or Checkpoint do that? Really? How well does it do that? What buffer? Did you say lag to analyze your traffic? Well, sorry to hear that. Palo Alto appliances have dedicated hardware (a multi-core security processor, a network processor and a signature match processor) to do all that security.

The control plane works with, and independently of, the data plane. Reboot one and not the other, or both. Have visibility while rebooting, or let the traffic run and reboot the management plane. No more waiting for off hours to make changes. There are 15 steps in the flow logic that all traffic may go through.

Heck, we haven’t even touched GlobalProtect (VPN), which can extend the corporate borders anywhere and provide more protection. Think about security and what you would like to do. You want to be safe, and see it when it happens, if it does, right? Guard against future incidents, right? This is the firewall for you. I have worked with many firewalls: Checkpoint (used to be my favorite), Juniper, and Cisco ASA (I tested in and past). Nothing compares to Palo Alto. If I were the other vendors, I’d start looking for another job.

More to come on this story. Check it out for yourselves. Palo Alto Networks

For a good start on how this technology works, take a look at this from Palo Alto:

© 2013 Palo Alto Networks

Executive Summary: The Need for a Single-Pass Architecture

For many years, the goal of integrating threat prevention services into the firewall has been pursued as a means of alleviating the need for additional devices for functions such as IPS, network antivirus, and more. The pursuit of integrating threat prevention functions into the firewall makes perfect sense – the firewall is the cornerstone of the security infrastructure.

Current integration iterations carry a variety of different labels – deep inspection, unified threat management (UTM), deep packet inspection, and others. Each of these iterations shares a common problem, which is a lack of consistent and predictable performance when security services are enabled. Specifically, the firewall functions are capable of performing at high throughput and low latency, but when the added security functions are enabled, performance decreased while latency increased.

The Palo Alto Networks Single-Pass Parallel Processing (SP3) architecture addresses the integration and performance challenges with a unique single-pass approach to packet processing that is tightly integrated with a purpose-built hardware platform.

Single-pass software: By performing operations once per packet, the single-pass software eliminates many redundant functions that plague previous integration attempts. As packets are processed, networking, policy lookup, application identification and decoding, and signature matching for any and all threats and content is only performed once. This significantly reduces the amount of processing overhead required to perform multiple functions in one security device. The single-pass software uses a stream-based, uniform signature matching engine for content inspection. Instead of using separate engines and signature sets (requiring multi-pass scanning) and instead of using file proxies (requiring file download prior to scanning), the single-pass architecture scans traffic for all signatures once and in a stream-based fashion to avoid the introduction of latency.

Parallel processing hardware: The single-pass software is then integrated with a purpose-built platform that uses dedicated processors and memory for the four key areas of networking, security, content scanning and management. The computing power within each platform has been specifically chosen to perform the processing intensive task of full stack inspection at multi-Gbps throughput. The resulting combination delivers the horsepower required to achieve consistent and predictable performance at up to 20 Gbps of throughput, making the goal of integrated firewall and threat prevention a reality.
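The contrast the excerpt draws, one stream-based matcher holding every signature versus separate engines that each need the whole object buffered, is easy to see in code. The following is an added illustration of my own, not Palo Alto code and not how their engine is built: a small Aho-Corasick matcher that keeps its state between chunks (so a signature split across a chunk boundary is still found) and two scan functions, one merging the antivirus, IPS and data-filtering signature sets into a single pass, the other running one engine per set over the fully buffered data, the file-proxy model. The signature sets and the sample stream are constructed.

```python
from collections import deque

# Constructed signature sets standing in for separate AV, IPS and data-filter engines.
SIGNATURE_SETS = {
    "antivirus":   {"av:sample-marker": b"MALWARE-TEST-MARKER"},
    "ips":         {"ips:shell-banner": b"SSH-1.99"},
    "data-filter": {"dlp:ssn-marker":   b"SSN:"},
}

# Constructed stream: an HTTP response delivered in three chunks. Note the
# antivirus marker is split across the second and third chunk.
SAMPLE_STREAM = [
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n",
    b"header-bytes....MALWARE-TEST-MA",
    b"RKER....SSN: 000-00-0000....SSH-1.99-banner\r\n",
]


class StreamMatcher:
    """Aho-Corasick automaton that scans a byte stream chunk by chunk and keeps its
    state between chunks, so no chunk has to be held back for a later pass."""

    def __init__(self, signatures):
        self.goto, self.out, self.fail = [{}], [[]], [0]
        for name, pattern in signatures.items():
            self._add(name, pattern)
        self._build_failure_links()
        self.state = 0          # automaton state carried across feed() calls
        self.offset = 0         # stream bytes consumed so far
        self.bytes_examined = 0

    def _add(self, name, pattern):
        s = 0
        for b in pattern:
            if b not in self.goto[s]:
                self.goto.append({}); self.out.append([]); self.fail.append(0)
                self.goto[s][b] = len(self.goto) - 1
            s = self.goto[s][b]
        self.out[s].append((name, len(pattern)))

    def _build_failure_links(self):
        queue = deque()
        for s in self.goto[0].values():
            queue.append(s)                       # depth-1 nodes fail to the root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def feed(self, chunk):
        """Scan one chunk; return (signature name, start offset in stream) hits."""
        hits = []
        for i, b in enumerate(chunk):
            self.bytes_examined += 1
            while self.state and b not in self.goto[self.state]:
                self.state = self.fail[self.state]
            self.state = self.goto[self.state].get(b, 0)
            for name, length in self.out[self.state]:
                hits.append((name, self.offset + i + 1 - length))
        self.offset += len(chunk)
        return hits


def single_pass_scan(chunks):
    """All signature sets merged into one automaton; every byte is examined once,
    as it streams by, without waiting for the whole object."""
    merged = {}
    for sigs in SIGNATURE_SETS.values():
        merged.update(sigs)
    matcher, hits = StreamMatcher(merged), []
    for chunk in chunks:
        hits.extend(matcher.feed(chunk))
    return sorted(hits), matcher.bytes_examined


def multi_pass_scan(chunks):
    """One engine per signature set, each over the fully buffered object: the
    multi-pass / file-proxy model the excerpt contrasts against."""
    data = b"".join(chunks)           # must download the whole object first
    hits, examined = [], 0
    for sigs in SIGNATURE_SETS.values():
        matcher = StreamMatcher(sigs)
        hits.extend(matcher.feed(data))
        examined += matcher.bytes_examined
    return sorted(hits), examined


if __name__ == "__main__":
    print("single pass:", single_pass_scan(SAMPLE_STREAM))
    print("multi pass: ", multi_pass_scan(SAMPLE_STREAM))
```

Both functions report the same three hits at the same offsets, but the single-pass scan examines each byte once and can act on the first chunk before the last has arrived, while the multi-pass scan examines every byte once per engine and cannot start until the object is complete. The real differentiator is the dedicated hardware the excerpt goes on to describe; the software side of the argument is just this.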

Cisco Bumbles Training Material for Exam – 642-648 Deploying VPN 2.0 Solutions

Justice is blind, but sweet in victory. The story goes that after nearly two years to finish my master’s degree I had one month left to prepare for a device exam to sustain my certifications. As such, being burdened with life, work, family, college etc., you can see how I quickly prepared to succeed at this exam and keep my certifications current. I had purchased the Cisco Press text for Exam 642-648, my day-time job purchased training from Ascolta, and then my personal private practice purchased CBT Nuggets training for Deploying VPN Solutions. I went for the exam and I took it. The exam was heavily weighted in three areas, not really testing the candidate for a grasp of the material. In fact, the Pearson Vue test questions were a great study aid, and I think provided better training for the exam and made a better exam than the exam. So as not to violate the NDA, we are going to focus on one topic that cost me some points: Cisco Secure Desktop, Chapter 13 in the Cisco Press book. I studied and prepared but had a few questions that none of the vendors made clear in their lecture or web-based training. Ascolta did mention it in the text but not in lecture. CBT Nuggets had one nugget covering two topics, in which one was CSD and the other DAP. Not nearly enough time in the training videos to help you really nail the exam. I found a video online from a Mac user who did a real good job illustrating what Cisco Press failed to do. So the real big stink about this is that CSD is not as secure as they say, because as a hacker there are many ways to spoof the parameters CSD is looking for if you know how to root someone’s PC. Before we get into how to break CSD, let’s look at where Cisco Press & Howard Hooper went wrong. Howard, if you write another book again, I am going to break your fingers. Finish the thought and stop being vague.

Here is the scoop I found shortly after March 11, 2013.

Deprecation of Features: Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection, and Host Emulation Detection

Cisco stopped developing the Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection (KSL), and Host Emulation Detection features on November 20, 2012.
Deprecated features, the screens used to configure these features in the Adaptive Security Device Manager (ASDM), and the commands used to configure these features in the Adaptive Security Appliance (ASA) command line interface will not be removed from the packages in which they are delivered until the end of engineering support to address severity 1 and severity 2 defects.
After the features have been deprecated, they will continue to provide the functionality for which they were built but will eventually be incompatible with future releases of the ASA, ASDM, AnyConnect, or the operating system on which the endpoint runs.

Also note, for my case, that on page 505, in the second paragraph up from the bottom, it mentions that “The Advanced Endpoint Assessment extension is available through the purchase of an additional license from Cisco….blah blah”. How about saying the exact license? There are 3 different scan types, which can be confusing: Basic host scan, Endpoint Assessment, and Advanced Endpoint Assessment. Which is covered in the license? We know remediation happens in Advanced Endpoint Assessment. Looks like that chapter was pushed through with poor editing. Further stressing my point that when you go take the exam you had better answer it the way Cisco has it in the Press book, the following has been provided.

Why does question 6 in the Cisco Press book say “Which of the following are not valid prelogin assessment criteria? (Choose all that apply)”
A) Certificate attributes
B) Local file
C) OS version
D) OS patch level
Answer from book: D. Yet we find on page 467, item 2, that the OS detection module downloads, runs and reports back the device’s OS and patch level to the ASA. Next, page 497 says just an OS check in the bullet. Now back again to patch level support: page 504 says a Basic host scan can detect OS and patch level. Cisco appears bipolar in this publication, or schizophrenic.

As you can see, I was quite ticked off, ready to grenade and send my foot through some @$$. After pursuing it with a Cisco Training representative there was no movement. They just listened. No action, no remorse, until the above was presented in my case. Then that information kind of made Cisco think twice, for an INFOSEC professional holding their feet to the fire. They finally got the message and honored my case against their material. I made two statements: “It would be wise for Cisco to reconsider” and “get me someone who speaks English natively”. Cisco extended my certifications till 2016. Considering the training material, Ascolta is a Cisco training outlet whose material is better than Cisco Press. Cisco provides the material to Ascolta; they just present it better. So hats off to Ascolta. Strike against CBT Nuggets, and Cisco Press’s Howard Hooper….dude, go back to the data closet and just wrench.

As far as the disconnect between the Cisco test question writers and the Cisco training material departments….much to be desired. Looks like something is spinning out of control there. The key to remember is that there are three different scan types. Only the licensed Advanced Endpoint Assessment checks OS patch level. CSD is not desirable as it only works on so many platforms. I have tested a Trustwave NAC appliance (blows the doors off the ASA for NAC) and I was able to spoof it with VirtualBox running on Linux with GTK-Macchanger. So Cisco, don’t tell me I can’t take exams, don’t tell me I don’t know my stuff. I will stomp a hole in your platform to drive my will home.

More to come on this story, as we all know that Cisco has pulled the development of Cisco Secure Desktop and the ASA product line early this year. We will show where they went wrong (done) in the material, where they messed up in their device (partial), and who is taking the lead.