Tag Archives: security

Too Silo’d to React, Now Respond.

Ever think what would happen if you got hacked? Maybe you are wondering if the IPS guys or the HIPS guys are really doing their jobs? In corporate America it is real easy to overlook a lot of precautions and security because you’re just too leveraged. Today’s threats are evolving as bad actors continue to find ways inside. They exploit social sites and technology, and the human frailty of wanting to be needed, and work their way through with advanced IPS, IDS, and Anti-X evasion techniques. So what are you to do?

Looking at the problem from your cube, doing your work on your piece of the asset, your mind tends to think “OK, this is what I have to do,” and you move on to the next asset and the next service on that asset. That is all you can touch. Your ethical hacking group looks too busy (or not busy enough) to assist, and maybe they can or cannot really find all the holes in your security posture. How about a resident hacker just for that client, or for the span of clients under your control, who can check the security by reviewing the vulnerability reports produced with hacking tools? The key difference here is not to pay for a once-a-year penetration test but to test regularly: red team vs. blue team, and then provide the results to management. Even testing monthly to make sure patches and firewall rules are in place would be a big improvement. I think this would be one of the best security practices a company could get into. RedSeal is a software solution that provides visibility into an organization’s security by analyzing configurations and building out the network diagram. It can then import vulnerability reports and host information to give you the what-if scenario you have been thinking about in your cube. It will also give you a list of objectives to test, so you can confirm that the holes found are real and need to be fixed.

Security is not something you buy or do once in a while. It’s a practice built on defined policies and procedures that are carried out over and over again. If you think you are failing to practice the right procedures every day, or that your vigilance is intermittent, then I think you are a good candidate for “building security into everyday operations 101.” Yes, a bit wordy, but think about it: it’s not rocket science. The hurdles are time, the silo, and recognizing the concept.

In conclusion, the best security is a resident security expert who is allowed to do their job by providing tools and processes. If you cannot get a resident hacker or spend the time doing this yourself, allow me to make some suggestions. Get a requirement opened with HR to fill this role, or hire a service from a firm that understands vulnerability assessments and penetration testing. Allow them to test regularly and provide results to you, and maybe you can stay out of the news. Security awareness and training also help prevent attacks, because users bring the risk in from their computers. The biggest ways in are Adobe Flash and Reader, Java, and spear phishing.

If you have any questions or comments or looking for advice on services and where to go, feel free to contact me kevin@netwerkguardian.com www.netwerkguardian.com

Palo Alto Firewalls – There is Nothing Else Left to Compete


I just finished taking the PAN 201 and 205 classes. Had I known two years ago that these firewalls can do all that they do, I would have trained earlier. Where else can you get a firewall that inspects traffic in real time with a single-pass technology (Single Pass Parallel Processing) and reviews packets up to five ways with App-ID before deciding what to do with them (in the worst case)? And that is just App-ID. There is still Content-ID and User-ID for policing traffic into and out of your network. Remember, security is everyone’s job, and watching what leaves your organization is just as important. You don’t want to be part of a botnet. You don’t want your secret sauce leaving either.

App-ID Inspection
Traffic is first classified based on IP and port. Next, signatures are applied to the allowed traffic (so that’s two). Then, if App-ID determines that SSL or SSH encryption is in use, you can write a decryption policy (if legally allowed). The fourth inspection uses known protocol decoders to apply additional context-based signatures and see whether applications are tunneling traffic inside. This helps catch salami attacks and data diddling: when data leaves in small chunks back to a C&C server, these known decoders work very well. When none of that works, heuristics are used to check whether the behavior of the packets is normal, and only then is the traffic passed.
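To make the staged idea concrete, here is an added, simplified classifier in the same spirit as the stages described above: a port hint, a payload signature, a known-protocol decoder that looks inside HTTP for a tunneled application, and a heuristic fallback. This is illustration code written for this post, not Palo Alto code; the port table, the signatures, the entropy threshold and the sample flows are all constructed, and real App-ID signatures are far richer than these.

```python
"""Staged application classifier (port hint -> signature -> decoder ->
heuristic). Added illustration only, not Palo Alto code; the port table,
signatures, thresholds and sample flows are constructed."""
import math
import re
from collections import Counter
from typing import NamedTuple, Optional

# Stage 1: what the destination port alone would suggest (constructed, partial).
PORT_HINTS = {22: "ssh", 53: "dns", 80: "web-browsing", 443: "ssl"}

# Stage 2: signatures over the first client bytes (constructed, simplified).
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("web-browsing", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("ssl", re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS handshake record header
]

ENTROPY_THRESHOLD = 7.0   # bits per byte; assumed cut-off for "looks encrypted"
MIN_HEURISTIC_BYTES = 64  # assumed minimum sample before entropy is trusted


class Flow(NamedTuple):
    dst_port: int
    payload: bytes  # first bytes sent by the client


class Verdict(NamedTuple):
    app: str
    stage: str              # which stage produced the answer
    port_hint: str
    nonstandard_port: bool  # identified app disagrees with what the port suggests


def stage_port(flow: Flow) -> str:
    return PORT_HINTS.get(flow.dst_port, "unknown")


def stage_signature(flow: Flow) -> Optional[str]:
    for app, rx in SIGNATURES:
        if rx.match(flow.payload):
            return app
    return None


def stage_decoder(flow: Flow, app: str) -> Optional[str]:
    """Known-protocol decoder: for HTTP, step past the headers and check
    whether another application's signature sits in the body (tunneling)."""
    if app != "web-browsing":
        return None
    _, sep, body = flow.payload.partition(b"\r\n\r\n")
    if not sep or not body:
        return None
    for inner, rx in SIGNATURES:
        if inner != "web-browsing" and rx.match(body):
            return inner
    return None


def entropy_bits_per_byte(data: bytes) -> float:
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def stage_heuristic(flow: Flow) -> str:
    """Fallback when no signature fits: a high-entropy payload on a port where
    no encryption is expected deserves a second look."""
    enough = len(flow.payload) >= MIN_HEURISTIC_BYTES
    if enough and entropy_bits_per_byte(flow.payload) > ENTROPY_THRESHOLD:
        return "unknown-encrypted"
    return "unknown-tcp"


def classify(flow: Flow) -> Verdict:
    hint = stage_port(flow)
    app = stage_signature(flow)
    stage = "signature"
    if app is None:
        app, stage = stage_heuristic(flow), "heuristic"
    else:
        inner = stage_decoder(flow, app)
        if inner is not None:
            app, stage = inner, "decoder"
    mismatch = hint != "unknown" and not app.startswith("unknown") and app != hint
    return Verdict(app, stage, hint, mismatch)


# Constructed sample flows.
SAMPLE_FLOWS = {
    "plain-http": Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "ssh-on-443": Flow(443, b"SSH-2.0-OpenSSH_9.0\r\n"),
    "ssh-in-http-body": Flow(80, b"POST /up HTTP/1.1\r\nHost: example.test\r\n"
                                 b"Content-Length: 21\r\n\r\nSSH-2.0-OpenSSH_9.0\r\n"),
    "opaque-on-8443": Flow(8443, bytes(range(256))),
    "chatter-on-9999": Flow(9999, b"hello hello hello hello"),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:18} -> {classify(flow)}")
```

The `nonstandard_port` flag is the point of the exercise: SSH arriving on 443, or an SSH banner inside an HTTP POST body, is exactly the kind of traffic a port-only policy would wave through, and the later stages are what catch it.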

There are three paths traffic can take, even while being analyzed: FW session setup (slowpath), FW fast path, or Application Identification. It can decrypt SSL and SSH traffic (not HIPAA or banking/financial traffic) to determine whether the content inside is legitimate, and then toss it or re-encrypt it and send it on to its destination. The firewall also offers a subscription-based service, WildFire, for malware and threat protection and analysis. Hands-free administration right there, folks. BrightCloud provides the URL filtering service. WildFire provides threat protection and sandboxing; you can upload files for review up to 10 MB. There is so much to say about this firewall. It even has packet capture capability right on a policy or filter to aid in troubleshooting connectivity or an incident. No more running out to the data center floor or waiting for an approved change. It has App-ID to look at applications and confirm that they behave as they should. No more open ports letting traffic just ride on in. It will lay the smackdown on any traffic not adhering to signature or behavioral patterns. Does your Cisco or Check Point do that? Really? How well does it do that? What buffer? Did you say lag to analyze your traffic? Well, sorry to hear that. Palo Alto appliances have dedicated hardware, with a multi-core security processor, a network processor, and a signature match processor, to do all that security.

The control plane works with, and independently of, the data plane. Reboot one and not the other, or both. Keep visibility while rebooting, or leave the traffic running and reboot management. No more waiting for off hours to make changes. There are 15 steps in the flow logic that all traffic may go through.

Heck, we haven’t even touched Global Protect (VPN), which can extend the corporate borders anywhere and provide more protection. Think about security and what you would like to do. You want to be safe, and to see it when it happens if it does, right? Guard against future incidents, right? This is the firewall for you. I have worked with many firewalls: Check Point (used to be my favorite), Juniper, and Cisco ASA (I tested in it and passed). Nothing compares to Palo Alto. If I were the other vendors, I’d start looking for another job.

More to come on this story. Check it out for yourselves. Palo Alto Networks

For a good start on how this technology works, take a look at this from Palo Alto:

© 2013 Palo Alto Networks

Executive Summary: The Need for a Single-Pass Architecture

For many years, the goal of integrating threat prevention services into the firewall has been pursued as a means of alleviating the need for additional devices for functions such as IPS, network antivirus, and more. The pursuit of integrating threat prevention functions into the firewall makes perfect sense – the firewall is the cornerstone of the security infrastructure.

Current integration iterations carry a variety of different labels – deep inspection, unified threat management (UTM), deep packet inspection, and others. Each of these iterations share a common problem, which is a lack of consistent and predictable performance when security services are enabled. Specifically, the firewall functions are capable of performing at high throughput and low latency, but when the added security functions are enabled, performance decreased while latency increased.

The Palo Alto Networks Single-Pass Parallel Processing (SP3) architecture addresses the integration and performance challenges with a unique single-pass approach to packet processing that is tightly integrated with a purpose-built hardware platform.

Single-pass software: By performing operations once per packet, the single-pass software eliminates many redundant functions that plague previous integration attempts. As packets are processed, networking, policy lookup, application identification and decoding, and signature matching for any and all threats and content is only performed once. This significantly reduces the amount of processing overhead required to perform multiple functions in one security device. The single-pass software uses a stream-based, uniform signature matching engine for content inspection. Instead of using separate engines and signature sets (requiring multi-pass scanning) and instead of using file proxies (requiring file download prior to scanning), the single-pass architecture scans traffic for all signatures once and in a stream-based fashion to avoid the introduction of latency.

Parallel processing hardware: The single-pass software is then integrated with a purpose-built platform that uses dedicated processors and memory for the four key areas of networking, security, content scanning and management. The computing power within each platform has been specifically chosen to perform the processing intensive task of full stack inspection at multi-Gbps throughput. The resulting combination delivers the horsepower required to achieve consistent and predictable performance at up to 20 Gbps of throughput, making the goal of integrated firewall and threat prevention a reality.
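The “single-pass, stream-based, uniform signature matching engine” in the excerpt above is the part that is easy to nod along to and hard to picture, so here is an added example of the idea itself: signatures from several “engines” (AV, IPS, DLP) are merged into one Aho-Corasick automaton whose state is carried from chunk to chunk, so every byte is examined once and a signature that straddles a chunk boundary is still found. A naive multi-pass scanner is included for contrast. This is illustration code written for this post, not Palo Alto’s engine; the signature set and the sample stream are constructed.

```python
"""Single-pass, stream-based multi-signature matching versus one pass per
engine. Added illustration only, not Palo Alto code; the signature set and
the sample stream are constructed."""
from collections import deque
from typing import Dict, List, Tuple

# Constructed, deliberately tiny signature set drawn from three "engines".
SIGNATURES: Dict[str, bytes] = {
    "av:test-marker": b"MALWARE-SAMPLE",
    "ips:shell-cmd": b"/bin/sh",
    "dlp:ssn-tag": b"SSN:",
}

Hit = Tuple[str, int]  # (signature name, byte offset where the match starts)


class StreamMatcher:
    """Aho-Corasick automaton over the merged signature set. The state and
    the absolute offset survive between feed() calls, which is what lets a
    stream be scanned chunk by chunk without buffering or rescanning."""

    def __init__(self, signatures: Dict[str, bytes]) -> None:
        self.goto: List[Dict[int, int]] = [{}]          # trie transitions
        self.out: List[List[Tuple[str, int]]] = [[]]    # (name, length) per state
        self.fail: List[int] = [0]                      # longest proper-suffix state
        for name, pattern in signatures.items():
            state = 0
            for byte in pattern:
                if byte not in self.goto[state]:
                    self.goto.append({})
                    self.out.append([])
                    self.fail.append(0)
                    self.goto[state][byte] = len(self.goto) - 1
                state = self.goto[state][byte]
            self.out[state].append((name, len(pattern)))
        # Breadth-first pass: failure links, and outputs inherited from them.
        queue = deque(self.goto[0].values())
        while queue:
            parent = queue.popleft()
            for byte, child in self.goto[parent].items():
                queue.append(child)
                f = self.fail[parent]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(byte, 0)
                self.out[child] = self.out[child] + self.out[self.fail[child]]
        self.state = 0   # carried across chunks
        self.offset = 0  # absolute offset of the next byte in the stream

    def feed(self, chunk: bytes) -> List[Hit]:
        hits: List[Hit] = []
        for byte in chunk:
            while self.state and byte not in self.goto[self.state]:
                self.state = self.fail[self.state]
            self.state = self.goto[self.state].get(byte, 0)
            for name, length in self.out[self.state]:
                hits.append((name, self.offset - length + 1))
            self.offset += 1
        return hits


def scan_stream(stream: bytes, chunk_size: int,
                signatures: Dict[str, bytes] = SIGNATURES) -> Tuple[List[Hit], int]:
    """One pass, in chunks of chunk_size; returns (hits, bytes examined)."""
    matcher = StreamMatcher(signatures)
    hits: List[Hit] = []
    for start in range(0, len(stream), chunk_size):
        hits.extend(matcher.feed(stream[start:start + chunk_size]))
    return hits, matcher.offset


def multi_pass_scan(stream: bytes,
                    signatures: Dict[str, bytes] = SIGNATURES) -> Tuple[List[Hit], int]:
    """The contrasting design: buffer the whole stream, then let each engine
    run its own signature over it, so the bytes are examined once per engine."""
    hits: List[Hit] = []
    examined = 0
    for name, pattern in signatures.items():
        examined += len(stream)
        pos = stream.find(pattern)
        while pos != -1:
            hits.append((name, pos))
            pos = stream.find(pattern, pos + 1)
    return sorted(hits, key=lambda h: h[1]), examined


# Constructed request body; with 10-byte chunks both matches cross a chunk edge.
SAMPLE_STREAM = b"user=alice&cmd=/bin/sh&note=SSN:123"

if __name__ == "__main__":
    print("single pass:", scan_stream(SAMPLE_STREAM, 10))
    print("multi pass: ", multi_pass_scan(SAMPLE_STREAM))
```

Both scanners report the same two hits, but the single-pass scanner examines each of the 35 bytes once, needs no buffered copy of the stream, and can emit a verdict as soon as the offending bytes arrive; the multi-pass version examines the stream once per engine and cannot start until it has the whole thing. That difference is the latency argument the excerpt is making.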

Netwerk Guardian’s Kevin Pescatello awarded Cisco Certified CCNA Security

Kevin Pescatello passed his CCNA Security exam yesterday with a score of 933/1000. He has been studying security and how it’s applied to the company to ensure assets are covered and processes are in place to stay secure. Kevin’s tip from his training: “Get a dynamic policy written and enforced that helps keep IT staff and the company out of harm’s direct reach.” Rest assured he is a valued asset to the team and brings his razor-sharp skills and tips online.

Also, by passing the IINS 640-553 exam, Kevin received recognition from the NSA and CNSS 4011 training requirements. This means all Federal requirements for the National Training Standard for Information Systems Security and INFOSEC are covered under this certification. Read the letter here.

From the end user to the corporate core and offsite locations, Netwerk Guardian has you covered.