NSS Lab Report

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

NSS Lab Report

L1 Bithead

I received an email recently touting the results of the NSS Lab Report.  After reading the report, I do have a question.  What tuning measures did the engineer implement that made such a dramatic improvement in the effectivness that was reported in the report?  It claims the effectiveness moved from the 40% range in the default configuration up to the 93.4% number.

I would like to know what those changes were so I can verify that I have already made the necessary changes or if I need to alter my configuration.  I am close to moving my new unit into production and am very interested in seeing what they did.

Thanks.

10 REPLIES 10

L4 Transporter

Default and Tuned settings for the NSS Labs tests were as follows:

Default - Using a default vulnerability protection profile which sets

default actions for all severities of signatures.

Tuned - All severities of signatures set to block.

NSS Labs does not count alerting on an attack as being detected. It

must block. In the default profile, many of our signatures are set to

alert rather than block and were then not counted in the effectiveness.

Alfred

Thanks for the update!

Hi, using "show filter" button I can filter for any column but there is no way to filter which are the default enabled filter.

Have you any suggestion abot it? Is there a way to show the default enabled filter?

thank you

regards

Nando

L1 Bithead

Hi, the NSS labs certify its tests in 3 categories:

NSS Gold Award

NSS Approved

NSS Tested

the lab report indicate the results NSS tested is the a specific reason for this?

Regards

Nando

Nando,

Thanks for your question. NSS Labs offers different types of testing.

We participated in the standalone public IPS test. The test results

are either given a rating of recommend, neutral, or caution. We

received the highest rating of recommend. The Gold, Approved, and

Tested awards are applied to their monthly testing service called

Security Update Monitor(SUM). Please refer to the NSS Labs page for

more details on the SUM testing and ratings: http://nsslabs.com/SUM.

The bottom of the page states, "Starting Q1, 2009, NSS Labs awards

participating IPS products at the end of each quarter. All vendors are

invited to test monthly, and the average of three months scores are

used to determine the award level. NSS Labs Gold will be awarded for

accuracy above 95%, Approved above 70% and Tested for all other

results."

Let me know if you have any other questions.

Thanks,

Alfred

L4 Transporter

I'm also interested in this.

So right now on our PAN, we're using the default profile for vulnerability, spyware and virus on various outbound and inbound rules.

The test set the default actions to block for everything, but can I confirm that even on the defaults that the various logs on the "Monitor" tab would show any and all incidents?

I just want to be sure that because an action/response is set to simply discard/reset that it is still going to be logged and obvious to us?

Thanks.

The NSS test was only for vulnerability protection (IPS), so they

didn't have any of the other security profiles set. The default

actions were set for all vulnerability protection signatures. In the

default profile, the critical, high and medium severity signatures are

turned on using the default action associated with each signature,

which is either block or alert. The low and informational signatures

are not turned on, meaning that they would not be logged. If you would

like to see those at least get alerted, simply create a new

vulnerability protection profile and select alert as the action for

low and informational severity signatures.

Alfred

Thanks Alfred.  If I create a new profile, is there any reason not to set all levels to "default"?

I'm working on the theory that Palo Alto have set each vulnerability ID to perform the most suitable action so I guess I'm not sure why low/informational incidents aren't set to do anything by default?

You're right that we have set each vulnerability ID to perform the

most suitable action. So, they are essentially our recommended actions

for most networks. The low and informational severity attacks are not

turned on for the default profile because they may fire on more common

events like an HTTP options request, which in and of itself is

legitimate traffic, but could also indicate that someone is looking to

see what resources are available on a web server. This event could

precede an attack on a web server. So it depends on whether or not you

want to see these types of events or not. If you select default for

low and informational severity signatures, you will start to see these

types of events being logged.

Alfred

Thanks Alfred, makes sense.

What I'd be interested in perhaps seeing as a "jack of all trades" network admin is a best practise for outbound and inbound vuln profiles.

For example we obviously have our internal users/servers we want to protect from exploits, but we also have things such as an internal Outlook Web Access server which the Palo publishes - right now I have the default profile applied to that, but it would be nice at some point to perhaps see some guides on what kinds of profiles are recommended for different scenarios.

  • 6231 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!