<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Pros vs Cons with PAN? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/pros-vs-cons-with-pan/m-p/50482#M37170</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I guess it would be a bit biased to ask for Pros vs Cons of PAN in the support forum of PAN &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; but I recently stumbled upon an article (which I wish to share) regarding PAN which I think might be of interest for most of us in this forum:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-external-small" href="http://www.cymbel.com/blog/a-response-to-stiennon-analysis-of-palo-alto-networks/"&gt;http://www.cymbel.com/blog/a-response-to-stiennon-analysis-of-palo-alto-networks/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Another link (or links) is from a presentation held at Defcon 19 last year made by Brad Woodberg (Security Product Line Engineer) at Juniper Networks.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;www.youtube.com/watch?v=s2cz--bzZRE&lt;BR /&gt;DEFCON 19: Network Application Firewalls: Exploits and Defense&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-external-small" href="http://www.youtube.com/watch?v=G8U-1J4SI4o"&gt;http://www.youtube.com/watch?v=G8U-1J4SI4o&lt;/A&gt;&lt;BR /&gt;DEFCON 19: Network Application Firewalls: Exploits and Defense ( w speaker)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I think most of us will recognise that the product he is mostly speaking about and from which the screenshots are taken is a Palo Alto unit.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I guess many of the claims are biased in some way or another (like not enabling threat prevention for the first occurrence of rpc within a http request and ignoring results from NSS Labs regarding their IDP tests) but what caught my attention is around 25 minutes into the presentation.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Anyone in here with some more information regarding the claimed "application cache poisoning"?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is it a particular configuration that Brad used to be able to accomplish the result (which should be avoided) or is it some bug or even specific hardware (like PA-500 or such) which will bring you the (undesired) result (and in case it was a bug, for which version was it fixed - to be compared to the AET bug discovered by NSS Labs which Brad just briefly mentioned has already been taken care of (after speaking about 5 minutes of that vuln which no longer exists in case of PAN but might exist for other vendors))?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 08 May 2012 23:25:49 GMT</pubDate>
    <dc:creator>mikand</dc:creator>
    <dc:date>2012-05-08T23:25:49Z</dc:date>
    <item>
      <title>Pros vs Cons with PAN?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pros-vs-cons-with-pan/m-p/50482#M37170</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I guess it would be a bit biased to ask for Pros vs Cons of PAN in the support forum of PAN &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; but I recently stumbled upon an article (which I wish to share) regarding PAN which I think might be of interest for most of us in this forum:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-external-small" href="http://www.cymbel.com/blog/a-response-to-stiennon-analysis-of-palo-alto-networks/"&gt;http://www.cymbel.com/blog/a-response-to-stiennon-analysis-of-palo-alto-networks/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Another link (or links) is from a presentation held at Defcon 19 last year made by Brad Woodberg (Security Product Line Engineer) at Juniper Networks.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;www.youtube.com/watch?v=s2cz--bzZRE&lt;BR /&gt;DEFCON 19: Network Application Firewalls: Exploits and Defense&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-external-small" href="http://www.youtube.com/watch?v=G8U-1J4SI4o"&gt;http://www.youtube.com/watch?v=G8U-1J4SI4o&lt;/A&gt;&lt;BR /&gt;DEFCON 19: Network Application Firewalls: Exploits and Defense ( w speaker)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I think most of us will recognise that the product he is mostly speaking about and from which the screenshots are taken is a Palo Alto unit.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I guess many of the claims are biased in some way or another (like not enabling threat prevention for the first occurrence of rpc within a http request and ignoring results from NSS Labs regarding their IDP tests) but what caught my attention is around 25 minutes into the presentation.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Anyone in here with some more information regarding the claimed "application cache poisoning"?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is it a particular configuration that Brad used to be able to accomplish the result (which should be avoided) or is it some bug or even specific hardware (like PA-500 or such) which will bring you the (undesired) result (and in case it was a bug, for which version was it fixed - to be compared to the AET bug discovered by NSS Labs which Brad just briefly mentioned has already been taken care of (after speaking about 5 minutes of that vuln which no longer exists in case of PAN but might exist for other vendors))?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 08 May 2012 23:25:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pros-vs-cons-with-pan/m-p/50482#M37170</guid>
      <dc:creator>mikand</dc:creator>
      <dc:date>2012-05-08T23:25:49Z</dc:date>
    </item>
    <item>
      <title>Re: Pros vs Cons with PAN?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pros-vs-cons-with-pan/m-p/50483#M37171</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;This is very interesting, could someone from Palo comment on this post?&amp;nbsp; There is a setting "set application cache no". I am not sure what the default setting is. I would expect application cache to be disabled after running this command and should cause it to identify the application shift. But I had assumed Palo did not do Application caching by default and would detect Application shifts by default. The other aspect about this video that concerns me is DNS over a random port being detected as unknown-UDP. I have just set application cache to "no" on my firewall and am going to check what kind of performance or CPU load on the dataplane is seen.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 10 May 2012 09:18:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pros-vs-cons-with-pan/m-p/50483#M37171</guid>
      <dc:creator>sunilsadanandan</dc:creator>
      <dc:date>2012-05-10T09:18:33Z</dc:date>
    </item>
  </channel>
</rss>

