September 3rd, 2010
admin
Well, we're putting in a couple of Nexus 7000s, and the big question is: will they live up to the hype? We've done some initial testing on them, and the packet forwarding is incredibly fast. Over the next two weeks we will be doing some extensive testing on the Nexus line, including the In-Service Upgrade, power failures, and all the normal testing. I will put our test results up here so that you can get an idea of how they perform.
Please feel free to add any tests you would like to see in the comments and we’ll be sure to add them.
If URL filtering on a Check Point firewall is not working for you, a basic first step is to check whether DNS is enabled on the firewall (it needs to resolve the hostname in the URL before it can categorize it) and whether it is actually getting responses from the DNS servers configured on it. Run nslookup from the firewall itself to confirm that name resolution works through each configured server.
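The check described above, as an added example that is not code from the original post: it pulls the configured servers out of resolv.conf and runs the lookup through each one separately, so a gateway with one working and one dead DNS server shows up clearly. The resolv.conf path, the lookup name and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: confirm that a Check Point gateway
# can resolve names through every DNS server it is configured with, the check the
# post recommends before debugging URL filtering further.
# Assumptions: resolv.conf lives at /etc/resolv.conf, nslookup is on the PATH, and
# the default lookup name below is just a placeholder; the sample file is constructed.

# Print the nameserver addresses from resolv.conf-formatted text on stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Succeed (exit 0) only when looking up NAME through SERVER yields an answer.
# nslookup prints the server's own "Address:" line first, so a real answer needs a
# second "Address" line and none of the usual failure messages.
dns_answers() {
    name=$1
    server=$2
    nslookup "$name" "$server" 2>/dev/null | awk '
        /^Address/                                                  { n++ }
        /NXDOMAIN|timed out|no servers could be reached|can.t find/ { bad = 1 }
        END { exit !(n >= 2 && !bad) }'
}

# Check every nameserver in FILE for NAME and report each one; non-zero if any fails.
check_gateway_dns() {
    name=${1:-www.example.com}
    file=${2:-/etc/resolv.conf}
    if [ ! -r "$file" ]; then
        echo "no readable $file: DNS is not configured on this gateway" >&2
        return 2
    fi
    servers=$(resolv_nameservers < "$file")
    if [ -z "$servers" ]; then
        echo "no nameserver entries in $file" >&2
        return 2
    fi
    status=0
    for ns in $servers; do
        if dns_answers "$name" "$ns"; then
            echo "ok   $ns resolves $name"
        else
            echo "FAIL $ns does not resolve $name"
            status=1
        fi
    done
    return $status
}

# Constructed resolv.conf text, used here so the parsing step runs without a gateway.
SAMPLE_RESOLV='# constructed sample
search example.com
nameserver 192.0.2.53
nameserver 198.51.100.53'

# Stand-alone demonstration: list the servers the check would query.
printf '%s\n' "$SAMPLE_RESOLV" | resolv_nameservers
# On the gateway itself, run: check_gateway_dns www.example.com
```

Run `check_gateway_dns` from expert mode on the gateway; a `FAIL` line against one server while another says `ok` points at a firewall rule or routing problem toward that server rather than at the URL filtering configuration.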
I get asked all the time what the best products on the market currently are. To me that is not a straightforward question. There are a lot of considerations to take into account to make the best recommendation: the size of the environment, the throughput needed, the features required, the features someone would like to see in a firewall (antivirus, URL filtering, Active Directory integration, IPS/IDS), experience with products, and the ability to take on new technologies. All of these play a big part in the recommendations we make to a customer.
In our eyes, hands down, Palo Alto is the best firewall on the market per dollar spent. Its integration with Active Directory, application controls, and URL filtering are way beyond any other product currently on the market. While we know all the other vendors are working hard to catch up, it will be at least 6 months to a year before they do. On top of that, we recently did some testing between the Palo Alto and Check Point products. We tested the IDS/IPS's ability to catch intrusions, and application control outbound.
So what was our test? A basic BitTorrent connection outbound through a Palo Alto firewall and through a Check Point R71 firewall.
The result: Palo Alto caught the BitTorrent traffic, but the traffic was allowed out through the Check Point firewall.
As basic a test as this is, it still shows you where things currently stand. Check Point is playing catch-up, and their products are being released without going through the whole QA cycle.
While we expect this to change within the next couple of years, be prepared for a lot of releases from Check Point saying they've caught up, and then a lot of HFAs to go back and fix all the problems they missed in getting the product out so quickly.
I've recently been testing what InfoWorld has just come out with. While InfoWorld focused on the lower end of the market, I've been testing the enterprise firewalls. I will post my results here next week, but if you want a preview of the low end, check out the article below.
http://infoworld.com/d/security-central/malware-fighting-firewalls-miss-mark-751
Networking giant Cisco has published a total of seven security advisories for its Internetwork Operating System (IOS) software. Each advisory lists one or more vulnerabilities and includes information about the updates that correct them. The vulnerabilities affect various functions and protocols, including IPsec, NAT, SIP, MPLS, H.323 and TCP. A summary table has been published with links to additional documents giving workarounds and a classification for each issue. The highest-rated vulnerabilities (CVSS 10) allow the execution of injected code when parsing SIP packets, and expose a denial of service in SIP message handling.
February 22nd, 2010
admin
Since this has come up numerous times lately, I thought it would be good to address the thinking out there in regards to ASA versus Check Point.
The camp fighting for ASA says: I don't have to retrain my network staff to be able to make firewall changes, and I get a bigger discount if I purchase all my networking gear from one vendor (Cisco).
I understand these points, and for certain people it may make sense.
My point is that if you believe in security, you cannot have the same vendor that does your networking as the vendor that does your security. One IOS flaw comes out and it affects routers, switches, and ASAs. From the way my phone has been going off about Cisco flaws lately, you are taking a huge chance.
I personally like a vendor that says their primary mission is security. That is why my recommendation has been Check Point. Outside of what I believe, there are plenty of other good vendors to choose from.
Juniper, Palo Alto, and McAfee are a few that come to mind.
The point I'm getting to is this: you can save the small amount of money now, or you can end up paying the bigger amount of money in the settlement later. Defense in depth is a tried and proven method of securing your network.
February 18th, 2010
admin
After upgrading to R70, you cannot edit the max_subnet_for_range parameter in $FWDIR/conf/user.def.NGX_R60.
Check Point SK40886
February 11th, 2010
admin
There is a memory leak in R65 and R70 in the cpd process: each time the firewall is queried, memory is leaked when cpd responds to that query, so a gateway that is polled regularly keeps growing.
This has been fixed in HFA_60 for those of you running R65. There is no fix out yet for anyone running R70.
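A way to tell whether this leak is biting on your own gateway, as an added example that is not code from the original post or from Check Point: sample cpd's resident memory at intervals and look for growth that never comes back down. The process name cpd comes from the post; the sampling interval, sample count, growth threshold and the constructed sample values are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: sample the resident memory of cpd
# over time so you can tell whether the leak described above is biting on a gateway
# that is being polled. The process name cpd comes from the post; the interval,
# sample count and growth threshold are assumptions, as are the sample values below.

# Print the RSS in kB of the running cpd process (empty if it is not running).
cpd_rss_kb() {
    ps -eo rss=,comm= | awk '$2 == "cpd" { print $1; exit }'
}

# Print the growth in kB between the first and last of the whitespace-separated SAMPLES.
rss_growth_kb() {
    set -- $1
    first=$1
    shift $(($# - 1))
    echo $(($1 - first))
}

# Succeed when SAMPLES never shrink and the total growth is at least THRESHOLD kB.
# A process that merely warms up and then plateaus or drops fails this; steady
# growth passes it.
leak_suspected() {
    samples=$1
    threshold=$2
    prev=""
    for s in $samples; do
        if [ -n "$prev" ] && [ "$s" -lt "$prev" ]; then
            return 1
        fi
        prev=$s
    done
    [ "$(rss_growth_kb "$samples")" -ge "$threshold" ]
}

# Take COUNT samples INTERVAL seconds apart and report (run this on the gateway).
watch_cpd() {
    interval=${1:-60}
    count=${2:-10}
    samples=""
    i=0
    while [ "$i" -lt "$count" ]; do
        r=$(cpd_rss_kb)
        if [ -z "$r" ]; then
            echo "cpd is not running" >&2
            return 2
        fi
        samples="$samples $r"
        i=$((i + 1))
        [ "$i" -lt "$count" ] && sleep "$interval"
    done
    echo "cpd RSS samples (kB):$samples"
    if leak_suspected "$samples" 1024; then
        echo "grew $(rss_growth_kb "$samples") kB across $count samples: leak suspected"
    else
        echo "no steady growth observed"
    fi
}

# Constructed samples standing in for a polled gateway, so the logic runs anywhere.
CONSTRUCTED_SAMPLES="41200 41736 42260 42812 43340"
echo "constructed run: grew $(rss_growth_kb "$CONSTRUCTED_SAMPLES") kB"
# On the gateway: watch_cpd 60 10
```

Run `watch_cpd` while your monitoring system is polling the gateway as usual; if the samples climb monotonically across the run and keep climbing on a second run, you are seeing the leak rather than normal startup growth.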
I won’t go into the Google story now, because I have a much more detailed piece I’m working on.
Hopefully we can all get this Microsoft patch shortly.
Microsoft Corp. raced to release a fix for a security hole in its Internet Explorer Web browser as the company sought to contain the fallout from governments urging users to switch to competing software.
The Redmond, Wash., company said it plans to issue a software update for Internet Explorer on Thursday to patch a security vulnerability first reported last week that could allow hackers to take over a computer that visits Web sites loaded with malicious code. While Internet Explorer has suffered numerous security vulnerabilities over the years, the latest flaw is especially high-profile because it is believed to have been used in attacks on Google Inc. and other companies that Google linked to China.