05-08-2012 04:25 PM
I guess it would be a bit biased to ask for Pros vs Cons of PAN in the support forum of PAN 🙂 but I recently stumbled upon an article (which I wish to share) regarding PAN which I think might be of interest for most of us in this forum:
Another link (or links) is from a presentation held at Defcon 19 last year made by Brad Woodberg (Security Product Line Engineer) at Juniper Networks.
DEFCON 19: Network Application Firewalls: Exploits and Defense
DEFCON 19: Network Application Firewalls: Exploits and Defense (w/ speaker)
I think most of us will recognise that the product he is mostly speaking about, and which the screenshots are from, is a PaloAlto unit.
I guess many of the claims are biased in some way or another (like not enabling threat prevention for the first occurrence of rpc within a http request and ignoring results from NSS Labs regarding their IDP tests), but what caught my attention is around 25 minutes into the presentation.
Anyone in here with some more information regarding the claimed "application cache poisoning"?
Is it a particular configuration that Brad used to be able to accomplish the result (which should be avoided), or is it some bug, or even specific hardware (like a PA-500 or such), which will bring you the (undesired) result? And in case it was a bug, for which version was it fixed (to be compared to the AET bug discovered by NSS Labs, which Brad just briefly mentioned has already been taken care of, after speaking for about 5 minutes about that vuln, which no longer exists in the case of PAN but might exist for other vendors)?
05-10-2012 02:18 AM
This is very interesting, could someone from Palo comment on this post? There is a setting "set application cache no". I am not sure what the default setting is. I would expect the application cache to be disabled after running this command, and that should cause it to identify the application shift. But I had assumed Palo did not do application caching by default and would detect application shifts by default. The other aspect about this video that concerns me is DNS over a random port being detected as unknown-UDP. I have just set application cache to "no" on my firewall and am going to check what kind of performance or CPU load on the dataplane is seen.
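To make the "application cache poisoning" behaviour discussed in the thread concrete, here is a toy model of a firewall App-ID engine with a per-destination verdict cache, written for this thread and not code from Palo Alto Networks or from the DEFCON talk. The cache key (dst IP, dst port, protocol), the two payload signatures and the rule of caching only positive verdicts are assumptions for illustration; PAN-OS's real keys, timeouts and signatures are not on this page. The model shows the failure mode in the video: once a benign HTTP flow to a given host:port has been identified and cached, a later flow to the same host:port carrying a different protocol inherits the cached verdict without payload inspection. With the cache off (the effect one would expect from "set application cache no") the second flow is inspected and identified on its own.

```python
"""Toy model of an application-identification cache and how it can be poisoned.

Constructed example for this forum thread. It is NOT PAN-OS code and does not
reproduce the vendor's real cache keys, signatures or timeouts; it only models
the principle that a cached verdict keyed on the destination can short-cut
payload inspection for later flows to the same destination.
"""

from dataclasses import dataclass, field
from typing import Dict, Tuple

# Hypothetical minimal payload signatures (assumption, not vendor signatures).
def identify_by_payload(proto: str, payload: bytes) -> str:
    """Classify a flow from its first payload bytes only."""
    if proto == "tcp" and payload[:4] in (b"GET ", b"POST", b"HEAD"):
        return "web-browsing"
    if proto == "tcp" and payload[:4] == b"SSH-":
        return "ssh"
    return "unknown-" + proto


CacheKey = Tuple[str, int, str]  # (dst_ip, dst_port, proto) - assumed key


@dataclass
class AppIdEngine:
    """App identification with an optional destination-keyed verdict cache."""
    use_cache: bool
    cache: Dict[CacheKey, str] = field(default_factory=dict)

    def classify(self, dst_ip: str, dst_port: int, proto: str,
                 payload: bytes) -> Tuple[str, str]:
        """Return (app, source) where source is 'cache' or 'inspection'."""
        key = (dst_ip, dst_port, proto)
        if self.use_cache and key in self.cache:
            # Cached verdict wins: the payload is never looked at.
            return self.cache[key], "cache"
        app = identify_by_payload(proto, payload)
        # Assumption: only positive identifications are cached.
        if self.use_cache and not app.startswith("unknown-"):
            self.cache[key] = app
        return app, "inspection"


def poisoning_scenario(use_cache: bool):
    """Two flows to the same destination: benign HTTP first, then SSH.

    Returns ((app1, source1), (app2, source2)). With the cache on, flow 2 is
    reported as web-browsing straight from the cache; with it off, flow 2 is
    inspected and identified as ssh.
    """
    engine = AppIdEngine(use_cache=use_cache)
    dst = ("203.0.113.10", 8080, "tcp")  # constructed destination
    first = engine.classify(*dst, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
    second = engine.classify(*dst, b"SSH-2.0-OpenSSH_8.9\r\n")
    return first, second


if __name__ == "__main__":
    for enabled in (True, False):
        first, second = poisoning_scenario(enabled)
        print(f"cache={'on' if enabled else 'off'}: "
              f"flow1={first} flow2={second}")
```

Running it prints the cached verdict being reused for the second flow when the cache is on, and "ssh" from inspection when it is off. Whether the actual product behaves this way, in which versions, and at what dataplane cost with the cache disabled, is exactly the open question of this thread; the model only shows why a destination-keyed cache is a poisoning target in principle.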