About mikand

Regarding the stolen question: 1) Since the stolen box will setup a mandatory always on vpn during boot you can send a kill switch signal to it next time it connects to your infrastructure (that will overwrite the keys/certs and then start to overwrite the rest of the sensitive areas and finally reboot itself). 2) If you dont do the kill switch stuff then add the stolen box machine cert to your CRL so next time it tries to establish this VPN against your infrastructure the concentrator will just give the client a longfinger in return. ... View more

I guess the appid's regarding these findings were updated (but I agree would be nice with a reply from a PA representative on what happend in these particular cases). Today I would guess installing PANOS 5.0 (or newer) is the way to go to deal with dependencies. Because one of the new features with PANOS 5.0 is that it will handle dependencies when needed. For example allowing x number of packets for a dependency appid and unless the traffic is being identified as the appid you specified (within this range of x number of packets or so) the session will be closed/dropped. The part to worry about is how many packets will be allowed "under the radar" (and how to notify the admin what he/she is about to do when creating such security policy). Today if you wish to allow facebook you must also statically allow web-browsing (if im not mistaken). This doesnt mean that all http traffic are allowed (because other appids like youtube etc will trigger if identified since a session can only have one appid at a time) but it means that all http traffic which doesnt match any known appid will be allowed. This is of course somewhat bad (in most cases) and you need to add a custom url-filter to limit the http requests to only *.facebook.com (and which other domains facebook are using). Now with PANOS 5.0 (as I understand it) it will work if you just allow facebook and nothing more (still using url filtering is healthy but if we stick to appid's for now 🙂 When facebook is allowed in PANOS 5.0 it will in the background allow web-browsing but only for x number of packets. This is of course way better than in PANOS 4.1 and older where you had to statically allow web-browsing for all future but still I think education of the admins configuring PA-devices will be needed. In this case it would be great if PA could provide us (the customers 🙂 with a dependency list along with the limit list (like if I allow facebook, how many web-browsing packets will be allowed) - because as I see this (currently) this might open up for a logical evasion techniques (the admin thinks only facebook is allowed but this custom botnet will still be able to phone home 2 packets per session or such). ... View more

It is set for medium severity (https://threatvault.paloaltonetworks.com/Home/ThreatDetail/32332) which would mean that it will be blocked if you use a somewhat sane IPS setup of: critical: block high: block medium: block low: default informational: default What about if you block the traffic in your case - will the clients start to complain? Any specific clients like Win8 or Samba *nix clients or such (to narrow it down)? ... View more

How come only Intel CPU? Are there any specific assembler instructions which doesnt exist on AMD x86/x86-64 CPUs? ... View more

Also note that when you add dropbox to exclude list the PA will not be able to perform IPS/AV/DLP on the contents of the dropbox traffic. ... View more

Is it only user certs that will be used or can a machine cert be used aswell (or is this just semantics)? Im thinking that this feature can be used so the machine will have a tunnel setup automatically during boot (this way the box can be remotely administrated etc without user interaction) and when the user logins the same tunnel is used but userid will identify the particular user (through pan-agent like AD, WMI, Server logs etc). Which as a bonus question: What about using userid as machineid? For example how to accomplish if I want a particular or a group of particular machines be able to reach certain resources before the user is logged in on the device? Because "pre-logon" is to wide as definition... ... View more

Seems to be officially presented at the Ignite conference next week, "my" sales engineer showed me some slides of it a few weeks ago but I dont recall that much (the thing that got sticky in my mind was that there now will be a solution for VMware boxes aswell mainly to protect the VMware boxes). One major difference is of course performance since VMware doesnt have any FPGA/ASIC's to play around with. My guess is that it will be similar to PA-200 which is also a x86-only solution. ... View more

Well unless PA broke the private keys of Skype thats the security problem you will face if you choose to allow Skype to traverse through your network and into the Internet. Simply because Skype uses encryption and various ways to avoid being detected. For example not using a static ssl certificate or such. Same goes with windowsupdate which is a similar problem. But in this case windowsupdate uses dedicated server certificates which if the ssl doesnt match the client will refuse to download anything from the ssl terminated server. ... View more

Most likely because various protocols ("applications") are similar to other protocols and by that more packets must be let through before the NGFW can make a positive identification (with low false positive rate). As a start you need at least 2 packets in one direction and 1 in the other just for the tcp handshake to complete. On top of that identifying a general web-browsing should be fairly easy because the request should look like: METHOD URI HTTP/VERSION and some other headers. Thats one of the reasons for why you should never use "service:any" but rather "service:application-default" or even better specify which PROTO/PORT you wish to allow. ... View more

Ok, so if the local PA device says "0" as threat db version in the gui I can trust this (which would mean that this device never got any threat db deployed)? ... View more

Yes but the signature could for example be something like (just guessing but as an example): If skype-probe detected using dstip X and dstport Y and unknown-tcp shows up within Z minutes of initial connection towards the same dstip and dstport identify this as skype-message else identify as unknown-tcp. ... View more

Yeah thats what I meant, sorry for the confusion 🙂 ... View more

Speaking of which... how long to wait until you take the leap for a new major version? Looking at the release notes for 5.0.0 there are except for the regular "new features" also a list of fixed bugs, so would 4.1.9 be a better option to update to instead of 5.0.0 and why? I mean because 4.1.9 will most likely have its bugs aswell so the reason of new features might not be that well documented regarding bugs doesnt really count. ... View more