08-26-2010 05:47 AM
I received an email recently touting the results of the NSS Lab Report. After reading the report, I do have a question. What tuning measures did the engineer implement that made such a dramatic improvement in the effectiveness that was reported in the report? It claims the effectiveness moved from the 40% range in the default configuration up to the 93.4% number.
I would like to know what those changes were so I can verify that I have already made the necessary changes or if I need to alter my configuration. I am close to moving my new unit into production and am very interested in seeing what they did.
Thanks.
08-26-2010 09:18 AM
Default and Tuned settings for the NSS Labs tests were as follows:

Default - Using a default vulnerability protection profile which sets default actions for all severities of signatures.

Tuned - All severities of signatures set to block.

NSS Labs does not count alerting on an attack as being detected. It must block. In the default profile, many of our signatures are set to alert rather than block and were then not counted in the effectiveness.
Alfred
08-26-2010 10:44 AM
Thanks for the update!
08-27-2010 02:41 AM
Hi, using the "show filter" button I can filter for any column, but there is no way to filter for which are the default enabled filters.
Have you any suggestion about it? Is there a way to show the default enabled filters?
thank you
regards
Nando
08-27-2010 09:43 AM
Nando,
Thanks for your question. NSS Labs offers different types of testing. We participated in the standalone public IPS test. The test results are either given a rating of recommend, neutral, or caution. We received the highest rating of recommend. The Gold, Approved, and Tested awards are applied to their monthly testing service called Security Update Monitor (SUM). Please refer to the NSS Labs page for more details on the SUM testing and ratings: http://nsslabs.com/SUM.

The bottom of the page states, "Starting Q1, 2009, NSS Labs awards participating IPS products at the end of each quarter. All vendors are invited to test monthly, and the average of three months scores are used to determine the award level. NSS Labs Gold will be awarded for accuracy above 95%, Approved above 70% and Tested for all other results."
Let me know if you have any other questions.
Thanks,
Alfred
08-28-2010 03:23 AM
I'm also interested in this.
So right now on our PAN, we're using the default profile for vulnerability, spyware and virus on various outbound and inbound rules.
The test set the default actions to block for everything, but can I confirm that even on the defaults that the various logs on the "Monitor" tab would show any and all incidents?
I just want to be sure that because an action/response is set to simply discard/reset that it is still going to be logged and obvious to us?
Thanks.
08-28-2010 01:27 PM
The NSS test was only for vulnerability protection (IPS), so they didn't have any of the other security profiles set. The default actions were set for all vulnerability protection signatures. In the default profile, the critical, high and medium severity signatures are turned on using the default action associated with each signature, which is either block or alert. The low and informational signatures are not turned on, meaning that they would not be logged. If you would like to see those at least get alerted, simply create a new vulnerability protection profile and select alert as the action for low and informational severity signatures.
Alfred
08-29-2010 03:39 AM
Thanks Alfred. If I create a new profile, is there any reason not to set all levels to "default"?
I'm working on the theory that Palo Alto have set each vulnerability ID to perform the most suitable action so I guess I'm not sure why low/informational incidents aren't set to do anything by default?
08-29-2010 09:11 AM
You're right that we have set each vulnerability ID to perform the most suitable action. So, they are essentially our recommended actions for most networks. The low and informational severity attacks are not turned on for the default profile because they may fire on more common events like an HTTP options request, which in and of itself is legitimate traffic, but could also indicate that someone is looking to see what resources are available on a web server. This event could precede an attack on a web server. So it depends on whether or not you want to see these types of events or not. If you select default for low and informational severity signatures, you will start to see these types of events being logged.
Alfred
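The replies above describe three profile shapes: the default profile (critical/high/medium use each signature's default action, low/informational not enabled), the NSS "tuned" profile (everything set to block), and Alfred's suggested profile (default for critical/high/medium, alert for low/informational). The following added example, not code from Palo Alto or from anyone in this thread, models how each profile resolves the per-signature action and reports what would be blocked, what would be logged, and which signatures stay silent. The signature list, IDs and default actions are constructed; the block/alert/disabled vocabulary is a simplification of the real action set (the thread's discard/reset variants are all treated as "block" here).

```python
# Model of how a vulnerability protection profile resolves per-signature actions.
# Added example; the signature data below is constructed, not real Palo Alto content.

SEVERITIES = ("critical", "high", "medium", "low", "informational")

# Constructed sample signatures: (signature id, severity, vendor default action)
SIGNATURES = [
    ("30001", "critical", "block"),
    ("30002", "critical", "alert"),
    ("30003", "high", "block"),
    ("30004", "high", "alert"),
    ("30005", "medium", "alert"),
    ("30006", "medium", "block"),
    ("30007", "low", "alert"),          # e.g. HTTP OPTIONS probing, per the thread
    ("30008", "low", "alert"),
    ("30009", "informational", "alert"),
    ("30010", "informational", "alert"),
]

# A profile maps severity -> rule action. A severity with no rule is not enabled.
DEFAULT_PROFILE = {"critical": "default", "high": "default", "medium": "default"}
TUNED_PROFILE = {sev: "block" for sev in SEVERITIES}            # NSS "tuned" run
ALERT_LOW_INFO_PROFILE = dict(DEFAULT_PROFILE, low="alert", informational="alert")


def effective_action(profile, severity, sig_default):
    """Resolve one signature: disabled (no log), the vendor default, or the override."""
    rule = profile.get(severity)
    if rule is None:
        return "disabled"          # not turned on: neither blocked nor logged
    if rule == "default":
        return sig_default         # use the per-signature recommended action
    return rule                    # explicit override: "block" or "alert"


def evaluate(profile, signatures=SIGNATURES):
    """Count blocked and logged signatures and list the ones that would be silent."""
    blocked, logged, silent = 0, 0, []
    for sig_id, severity, sig_default in signatures:
        action = effective_action(profile, severity, sig_default)
        if action == "disabled":
            silent.append(sig_id)
            continue
        logged += 1                # both alert and block produce a threat log entry
        if action == "block":
            blocked += 1           # only this counts toward an NSS-style block rate
    return {"blocked": blocked, "logged": logged, "silent": silent,
            "total": len(signatures)}
```

Running `evaluate()` against each profile shows why a block-only scoring method rewards the tuned profile even though the alert-plus-default profile logs every event.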
08-29-2010 09:17 AM
Thanks Alfred, makes sense.
What I'd be interested in perhaps seeing as a "jack of all trades" network admin is a best practice for outbound and inbound vuln profiles.
For example we obviously have our internal users/servers we want to protect from exploits, but we also have things such as an internal Outlook Web Access server which the Palo publishes - right now I have the default profile applied to that, but it would be nice at some point to perhaps see some guides on what kinds of profiles are recommended for different scenarios.