Cloudy admin? Here's how to ward off Call of Duty-playing teens

Palo Alto Networks has gone virtual with the latest version of its next-generation firewall, the VM-Series. The tech, launched last week, is designed to protect virtual and cloud environments and comes as part of a wider industry push to market virtual security appliances. Analyst firm Infonetics Research says the booming market …

COMMENTS

This topic is closed for new posts.
  1. K
    Happy

    Palo Alto are like Marmite..

    You'll either love them, or you'll hate them..

    I can understand the appeal of a Virtual Firewall, but personally I would only ever deploy one in a test or development environment.. for everything else I'll stick with the tin thanks.

  2. Shaun 2

    Call me lazy

    Call me lazy, but where's the link to the new PAN-OS features?

  3. Craig 8
    WTF?

    > looked at the identity of an application

    How's it do that then?

  4. Anonymous Coward
    Anonymous Coward

    John Leyden: "UUUUUUUUUHHHHHHHHHHHH"

    "application like SSH always normally need to be allowed for remote administration"

    Plurals, John? "Always normally"?

    "Traditional firewall assume traffic" - I don't suspect for a moment that this is a case of a missing [sic].

    John, you may find it useful to understand that in English we make a distinction between when we are talking about one thing and when we are talking about many things.

    "The technology allows enterprise to..." again John, when we mean more than one enterprise, we put an 's' on the end. And if we mean only one, which would fit equally well, then we use the indefinite article to indicate such: 'an'.

    Sorry, I used a technical term - which I'm sure will exceed your capacity for comprehension.

    You must be a world-class brown-noser to be demanding payment for this tripe. You are a life form of inferior evolutionary progress. Go back to your cave.

    1. Sorry, "Sorry that handle is already taken" is already taken.

      Re: John Leyden: "UUUUUUUUUHHHHHHHHHHHH"

      If you're going to criticise someone in such a vehement fashion, surely it is only good manners to do it under your regular username rather than as an AC.

      Unless you lack the courage of your convictions and don't feel able to stand by your post?

      Poor show, IMO.

      1. Anonymous Coward
        Anonymous Coward

        Re: John Leyden: "UUUUUUUUUHHHHHHHHHHHH"

        Why? What difference does it make to readers what handle(s) I have chosen?

        I choose to mainly post anonymously for good reasons, primarily ones of privacy.

        If anyone at the Reg wants to look at my other posts or contact me they are certainly capable of doing so.

        "Unless you lack the courage of your convictions..." Your sentence is syntactically invalid. Maybe you should join John in his cave?

        1. Sorry, "Sorry that handle is already taken" is already taken.
          Meh

          Re: John Leyden: "UUUUUUUUUHHHHHHHHHHHH"

          Oh gosh! I'm being pilloried by someone who isn't even brave enough to identify himself!

          In the common parlance of today's yoof: Whatever.

          1. Anonymous Coward
            Anonymous Coward

            Sorry, "Sorry that handle is already taken" is already taken.

            I bow to you as a superior example of transparent attribution.

            I also note with significant mirth that you are fond of picking others up about their use of English, despite your own lack of competence.

            I think it would be valuable to bring to your awareness the fact that your browser includes spelling check functionality.

            1. Sorry, "Sorry that handle is already taken" is already taken.

              Re: Sorry, "Sorry that handle is already taken" is already taken.

              So, you've been stalking me eh? Naughty boy! :D

              You'll also notice that all my posts (grammatically correct and otherwise) are posted under my username. Not one of them is posted as an AC.... Which leads me back to my original point, which was that it is my opinion that you were out of order in criticising the author of the article (especially considering the name calling at the end of your post) without using your username. The fact that you chose to pick me up on my grammar/punctuation/whatever-else-you-can-think-of rather than adequately defend yourself simply indicates to me that you lack the courage of most people and prefer to hide behind anonymity.

              As for speel chekker, IE7 deosn't hvae it, konbhaed. :-D

              BTW, "Transparent attribution"?!? What does that even mean? :-)

              1. Sorry, "Sorry that handle is already taken" is already taken.

                Re: Sorry, "Sorry that handle is already taken" is already taken.

                And why has no-one brought any bloody popcorn to this brouhaha?

                Slackers. :-)

                1. Anonymous Coward
                  Anonymous Coward

                  Re: "What does that even mean?"

                  Hm... Not intelligent enough to understand my point. My patience grows thin.

                  1. Sorry, "Sorry that handle is already taken" is already taken.

                    Re: "What does that even mean?"

                    Perhaps you'd be so kind as to explain your point.

                    In small words for us hard of thinking types.

                    As for your patience, I couldn't give a toss, mate. :-)

      2. Sacioz
        Happy

        Re: John Leyden: "UUUUUUUUUHHHHHHHHHHHH"

        Even the dogs at the Kings Cross in Sydney know who he is.

  5. Chris007
    FAIL

    nope

    Palo Alto man said "Traditional firewall assume traffic on port 22 is SSH and not something tunnelled over SSH," King explained. "So if an administrator sets up a SSH tunnel from his home machine to do back-ups and perform admin tasks you're setting up a node on a data centre network that his son also uses to play Call of Duty."

    If it's SSH traffic then your firewall will not stop it any more than anybody else's. Now if you analyse the initial setup and it doesn't look like an SSH session then yes you'll perhaps be able to stop it.

    1. Ben Tasker

      Re: nope

      > If it's SSH traffic then your firewall will not stop it any more than anybody else's

      Unless of course it's going to perform a MITM. Now, would you trust a firewall that did that? I wouldn't.

      > Now if you analyse the initial setup and it doesn't look like an SSH session then yes you'll perhaps be able to stop it.

      I'm guessing it'll miss a lot though!

      A better bet would be to look at how much data is being sent/received. An SSH session (assuming you're not using scp) doesn't transfer much. CoD would. Of course, this falls flat if you want to use X Forwarding, SCP or anything similar.
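      The volume-based heuristic Ben describes, as an added example that is not part of any post on this page: it profiles constructed, NetFlow-style port-22 flow records (the record shape, the hosts and the byte-rate threshold are all assumptions) and flags sessions that sustain a bulk-transfer rate, with the scp/backup false positive he mentions handled by an explicit allowlist of known backup hosts rather than solved.

      ```python
      from dataclasses import dataclass

      # Constructed flow records in a NetFlow-like shape (assumption, not real telemetry):
      # (src, dst, dst_port, duration_s, bytes_in, bytes_out)
      FLOWS = [
          ("10.0.5.12", "203.0.113.7", 22, 3600, 180_000, 95_000),            # interactive admin shell
          ("10.0.5.12", "203.0.113.7", 22, 1800, 410_000_000, 22_000_000),    # tunnel or bulk copy?
          ("10.0.5.40", "203.0.113.9", 22, 7200, 9_000_000_000, 50_000_000),  # nightly backup host
          ("10.0.5.31", "203.0.113.7", 443, 600, 12_000_000, 400_000),        # not SSH, ignored
      ]

      # Hosts whose bulk SSH traffic is expected (scp backups); an assumed allowlist.
      # X forwarding or ad-hoc scp from other hosts will still be flagged: that is the
      # limitation Ben points out, and the analyst has to triage those by hand.
      BACKUP_HOSTS = {"10.0.5.40"}

      # An interactive shell rarely sustains more than a few kB/s; above this we call it bulk.
      # The threshold is an assumption to tune per environment, not a vendor value.
      BULK_BYTES_PER_SEC = 50_000


      @dataclass
      class Finding:
          src: str
          dst: str
          rate_bps: float
          verdict: str


      def classify_flow(src, dst, port, duration_s, bytes_in, bytes_out):
          """Return a Finding for a port-22 flow, or None for anything else."""
          if port != 22:
              return None
          rate = (bytes_in + bytes_out) / max(duration_s, 1)
          if rate < BULK_BYTES_PER_SEC:
              verdict = "interactive"
          elif src in BACKUP_HOSTS:
              verdict = "bulk-expected"
          else:
              verdict = "bulk-suspicious"
          return Finding(src, dst, rate, verdict)


      def profile(flows):
          """Classify every SSH flow in the record set."""
          return [f for f in (classify_flow(*row) for row in flows) if f]


      def suspicious(flows):
          """Only the bulk SSH flows from hosts with no known reason to move bulk data."""
          return [f for f in profile(flows) if f.verdict == "bulk-suspicious"]


      if __name__ == "__main__":
          for f in profile(FLOWS):
              print(f"{f.src} -> {f.dst}: {f.rate_bps:,.0f} B/s  {f.verdict}")
      ```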

      1. Chris007
        Big Brother

        Re: nope

        As long as you use your own SSL Certs you'll be able to detect the MITM and avoid that pitfall.

        Good point on the traffic profiling but as you say, it falls down when you count other things.

        I think we can both agree that it's just another Snake Oil salesman at work.

        1. Ben Tasker

          Re: nope

          > As long as you use your own SSL Certs you'll be able to detect the MITM and avoid that pitfall.

          Except of course, if that's how it's designed to work then a few sysadmins are likely to detect the MITM and accept it's just how the firewall works.

          Yeah definitely a snake-oil thing based on what's been made available

  6. Anonymous Coward
    Anonymous Coward

    Virtual firewall in the Cloud ..

    Would a virtual firewall be any more secure than a hardware firewall?

    "Palo Alto's virtual firewall technology, which integrates with VMware vSphere, screens intra-host data centre applications regardless of port or protocol"

    How would this 'firewall technology' scan encrypted communications? If the 'firewall technology' can read the data, then it isn't really encrypted.

  7. Anonymous Coward
    Anonymous Coward

    I don't know what Palo are offering but Mr 'Stick with the Tin' will have trouble with performance and not having enough physical NICs if he wants to use physical firewalls to scan or block everything traversing into, out of and most importantly WITHIN the virtual infrastructure.

    Jeff Wilson, principal analyst for security at Infonetics Research needs to understand the difference between virtualisation of security (e.g. a virtualised web security gateway) and security of virtualisation (e.g. a system that implements security within the virtual infrastructure). Once you get that, interpreting vendor buzzword press releases gets much simpler.

    Yagotthat?
