Palo Alto Networks as an IPS

docrice Member Posts: 1,706
I know there are at least a few Palo Alto users here, so I'd like to get your opinion. How are these next-gen firewalls in terms of their IPS capabilities? Aside from the convenience of having such functionality in the same box, how do you feel they perform compared to solutions by Sourcefire, McAfee, HP TippingPoint, etc.?
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

Comments

    Bl8ckr0uter Inactive Imported Users Posts: 5,031
    I obviously don't have as much experience as you, but I feel they are decent boxes. I am actually using the virtual wire feature to test some of its IDS functionality. The application identification is very thought-provoking, to say the least.
    docrice Member Posts: 1,706
    The whole application-awareness feature makes it a great potential solution which spills into the IPS area. However, I've never done any hands-on where I could make direct comparisons to dedicated IPS appliances. I'm trying to wrap up some evals and wondering if I should include Palo Alto Networks for consideration, assuming their IPS capability is on par with the big boys.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
    unclerico Member Posts: 237
    I would definitely look at them. I'm assuming you'll be looking at 4000 series? I don't know how I lived without my PAN box in the past, it is such an excellent device. As for how it compares to the other guys, I can't say for sure since the only other vendor I've worked with is Tipping Point.
    Preparing for CCIE Written
    Bl8ckr0uter Inactive Imported Users Posts: 5,031
    docrice wrote:
    The whole application-awareness feature makes it a great potential solution which spills into the IPS area. However, I've never done any hands-on where I could make direct comparisons to dedicated IPS appliances. I'm trying to wrap up some evals and wondering if I should include Palo Alto Networks for consideration, assuming their IPS capability is on par with the big boys.

    You could test them using something like the tools found in the security onion distro and compare results:

    Security Onion
    NightShade03 Member Posts: 1,383
    They make a great firewall, but UTM/IPS... not so much. There is nothing wrong with them, they just have issues when being run at the same time on the same box. When you run IPS alongside the firewall functionality there is a significant performance hit to the box. We have seen this at work in various implementations throughout the US. I don't think they have a bad product, I just think they are still in their infancy when it comes to delivering a "full" solution on a single appliance.
    SilverGenius Member Posts: 56
    Bl8ckr0uter wrote:
    You could test them using something like the tools found in the security onion distro and compare results:

    Security Onion

    Security Onion looks interesting. Do you have hands on experience with it?
    docrice Member Posts: 1,706
    I'm guessing that while great as a firewall, Palo Alto isn't prime-time yet when it comes to being a dedicated IPS? Where I work, I have access to a couple of guys who are very IDS / IPS specialized from a research perspective and they like to do testing on evasion techniques, etc. so while the Security Onion distro is certainly appealing (and I may be leveraging it for other functions), I think having the right content to pass through an inline device is also important to properly test these kinds of appliances ... not to mention the right kind of skill set as well.

    I will definitely be looking at Palo Alto when it comes to augmenting our firewall systems in the future, but for right now I need to make sure I'm looking at the right vendors for dedicated IPS functions, and not just for checkbox reasons either.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
    Bl8ckr0uter Inactive Imported Users Posts: 5,031
    SilverGenius wrote:
    Security Onion looks interesting. Do you have hands on experience with it?

    I mean I am working with it now. I am trying to learn the tools but honestly there is a large amount of tools. I am starting off with a few and building from there.
    NightShade03 Member Posts: 1,383
    docrice wrote:
    I will definitely be looking at Palo Alto when it comes to augmenting our firewall systems in the future, but for right now I need to make sure I'm looking at the right vendors for dedicated IPS functions, and not just for checkbox reasons either.

    +1 I agree that a non-checkbox approach is extremely important in IT. For other IDS/IPS vendors you might want to consider the following:
    Snort
    Sourcefire
    Juniper

    Each of them has/is a great product.
    docrice Member Posts: 1,706
    Following up on this old thread, seeing if anyone else has any IPS experience on the Palo Alto devices. I've looked at Sourcefire, HP TippingPoint, and McAfee. They all have their strong and weak sides. I'm primarily looking at PAN for the firewall, but I get a somewhat reduced impression about their IPS capabilities. Can one view the IPS rules or create them on the PAN? If you can create custom signatures, are they as granular as Snort rules? Do they provide packet details? How flexible is the reporting?

    That said, nothing compares in day-to-day operational experience to full-content capture, complete session data, and Snort event correlation via Sguil - a la Security Onion or other Network Security Monitoring (NSM) platform. With commercial solutions (and Snort by itself), it's nice to get the details of the single packet which triggered the alert, but being able to go back in time a few minutes to see what else might have been involved or look through which hosts a particular machine talked to throughout the day makes an investigation much easier to rule out false positives, builds a more solid case, and reinforces confidence in the results. The drawback to such a solution is the amount of disk space necessary to support traffic captures for at least a few days worth of traffic.

    But if a user denies using P2P applications on the corporate network, you have all the evidence you need to prove your case.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
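The pivot docrice describes above (start from the one packet that fired the alert, then step back a few minutes through session data and list every host the machine talked to that day) is the core NSM workflow that Sguil, Zeek/Bro conn logs and similar tools in Security Onion support. The following is an added example, not code from the thread or from any of the products discussed: it parses a handful of constructed Zeek-style conn.log records (the IPs, timestamps, UIDs and the host 10.1.1.50 are invented) and answers the two investigator questions with plain Python. The "unrecognized service" helper is a crude heuristic of my own for surfacing peers worth a closer look, not a P2P detector.

```python
"""Added example: pivoting from one IDS alert into session data (NSM style).

The conn log below is constructed for this example in roughly Zeek conn.log
field order; it is not real capture data.
"""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass

# Constructed sample: ts uid orig_h orig_p resp_h resp_p proto service duration orig_bytes resp_bytes
CONN_LOG = """\
1300000000.100000\tC1\t10.1.1.50\t51234\t10.1.1.10\t53\tudp\tdns\t0.01\t60\t120
1300000030.000000\tC2\t10.1.1.50\t51235\t93.184.216.34\t80\ttcp\thttp\t1.2\t400\t5000
1300000200.000000\tC3\t10.1.1.50\t6881\t198.51.100.7\t6881\ttcp\t-\t30.0\t2048\t40960
1300000215.000000\tC4\t10.1.1.50\t6881\t203.0.113.9\t51413\ttcp\t-\t28.0\t1900\t38000
1300000240.000000\tC5\t10.1.1.50\t6881\t192.0.2.77\t6881\tudp\t-\t5.0\t300\t300
1300000300.000000\tC6\t10.1.1.50\t6881\t198.51.100.8\t6881\ttcp\t-\t35.0\t2100\t42000
1300003600.000000\tC7\t10.1.1.50\t51300\t10.1.1.10\t53\tudp\tdns\t0.01\t60\t120
1300000250.000000\tC8\t10.1.1.51\t40000\t93.184.216.34\t443\ttcp\tssl\t2.0\t800\t9000
"""


@dataclass(frozen=True)
class Conn:
    ts: float          # epoch seconds of first packet
    uid: str           # session identifier (Zeek UID in real logs)
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    service: str       # '-' means the analyzer did not recognize the protocol
    duration: float
    orig_bytes: int
    resp_bytes: int

    def involves(self, host: str) -> bool:
        return host in (self.orig_h, self.resp_h)

    def peer_of(self, host: str) -> str:
        return self.resp_h if self.orig_h == host else self.orig_h


def parse_conn_log(text: str) -> list[Conn]:
    """Parse tab-separated records into Conn objects, ordered by timestamp."""
    conns: list[Conn] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append(Conn(float(f[0]), f[1], f[2], int(f[3]), f[4], int(f[5]),
                          f[6], f[7], float(f[8]), int(f[9]), int(f[10])))
    return sorted(conns, key=lambda c: c.ts)


def sessions_before(conns: list[Conn], host: str, alert_ts: float, minutes: int = 5) -> list[Conn]:
    """Every session involving `host` that started in the `minutes` before the alert (inclusive)."""
    lo = alert_ts - minutes * 60
    return [c for c in conns if c.involves(host) and lo <= c.ts <= alert_ts]


def peers_for_day(conns: list[Conn], host: str, when_ts: float) -> set[str]:
    """All hosts `host` talked to on the same UTC calendar day as `when_ts`."""
    day = dt.datetime.fromtimestamp(when_ts, tz=dt.timezone.utc).date()
    return {c.peer_of(host) for c in conns
            if c.involves(host)
            and dt.datetime.fromtimestamp(c.ts, tz=dt.timezone.utc).date() == day}


def unrecognized_service_peers(conns: list[Conn], host: str) -> set[str]:
    """Heuristic (assumption, not a vendor rule): peers reached over sessions the
    analyzer could not classify. Useful as a starting list when the alert is about
    unsanctioned P2P-type traffic, since those flows usually carry no recognized service."""
    return {c.peer_of(host) for c in conns if c.involves(host) and c.service == "-"}


if __name__ == "__main__":
    conns = parse_conn_log(CONN_LOG)
    host, alert_ts = "10.1.1.50", 1300000300.0   # pretend an IDS alert fired on session C6
    window = sessions_before(conns, host, alert_ts, minutes=5)
    print(f"{len(window)} sessions for {host} in the 5 minutes before the alert:")
    for c in window:
        print(f"  {c.uid} {c.orig_h}:{c.orig_p} -> {c.resp_h}:{c.resp_p} {c.proto} {c.service}")
    print("peers that day:", sorted(peers_for_day(conns, host, alert_ts)))
    print("peers over unclassified sessions:", sorted(unrecognized_service_peers(window, host)))
```

Against the constructed log, the alerting host shows six sessions in the five minutes before the alert, four of them to distinct external peers over sessions Zeek would log with no recognized service, which is exactly the context a single triggering packet cannot give you. In a real deployment the same functions would read the live conn.log, and the retention of that session data, not the full pcap, is what bounds how far back this lookback can go cheaply.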