On Jul 5, 2016, at 9:33 AM, Valdis.Kletnieks@vt.edu wrote:
On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:
We're having problems where viruses are getting through Firefox, and we think it's because our Palo Alto firewall is set to bypass filtering for IPv6.
Do you have any actual evidence (device logs, tcpdump, netflow, etc) that support that train of thought?
Remember that your Palo Alto isn't stopping 100% of the icky stuff on the IPv4 side either - the sad truth is that most commercial security software is only able to identify and block between 30% and 70% of the crap that's out in the wild.
That is only the percentage that it identifies from what it can see. It most likely can not see viruses in encrypted traffic.

"A forecast that 70% of global Internet traffic will be encrypted in 2016, with many networks exceeding 80%"
https://www.sandvine.com/pr/2016/2/11/sandvine-70-of-global-internet-traffic...

"In the fourth quarter of 2015 nearly 65 percent of all web connections that Dell observed were encrypted, leading to a lot more under-the-radar attacks, according to the company. Gartner has predicted that 50 percent of all network attacks will take advantage of SSL/TLS by 2017."
http://www.darkreading.com/attacks-breaches/when-encryption-becomes-the-enem...

This article mentions how difficult it is for sandboxes to detect malware.
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pd...

This article mentions malware that changes its download image every 15 seconds.
http://www.darkreading.com/vulnerabilities---threats/cerber-strikes-with-office-365-zero-day-attacks/d/d-id/1326070?_mc=NL_DR_EDT_DR_weekly_20160630&cid=NL_DR_EDT_DR_weekly_20160630&elqTrackId=1d7f1b5bcdb24c469164471a423f746b&elq=01e6838c279149a08e460cdbe3b8b54a&elqaid=70982&elqat=1&elqCampaignId=21896
There's also BYOD issues where a laptop comes in and infects all your systems from behind the firewall (as Marcus Ranum says: "Crunchy on the outside, soft and chewy inside").
In any case, your first two actions should be to recover the password for the Palo Alto, and make sure it has updated pattern definitions in effect on both IPv4 and IPv6 connections.
And your third should be to re-examine your vendor rules of engagement, to ensure your deliverables include things like passwords and update support so you're not stuck if your vendor goes belly up.
-- 
Bruce Curtis
bruce.curtis@ndsu.edu
Certified NetAnalyst II
701-231-8527
North Dakota State University
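Valdis asks for actual evidence from device logs before blaming the IPv6 bypass, and Bruce points out that what the firewall cannot see (encrypted sessions) never shows up in its detection rate. The script below is an added example, not code from anyone in this thread, that turns a firewall session log into exactly that kind of evidence: it tallies sessions by IP version, by whether the session was encrypted, and by whether the device actually applied threat inspection. The comma-separated log layout and the sample lines are constructed and hypothetical; they are not Palo Alto's real log schema, so the field names would need to be mapped to whatever the device really exports.

```python
"""Tally a firewall session log by IP version, encryption and inspection status.

Added example; the log format is a constructed, hypothetical CSV layout:
    timestamp,src,dst,dst_port,app,action,inspected
"""
import csv
import io
import ipaddress
from collections import Counter

FIELDS = ["timestamp", "src", "dst", "dst_port", "app", "action", "inspected"]

# Constructed sample sessions (hypothetical addresses from documentation ranges).
SAMPLE_LOG = """\
2016-07-01T21:00:01,10.1.2.3,93.184.216.34,80,web-browsing,allow,yes
2016-07-01T21:00:05,10.1.2.3,93.184.216.34,443,ssl,allow,no
2016-07-01T21:00:09,2001:db8:1::10,2001:db8:ffff::1,443,ssl,allow,no
2016-07-01T21:00:12,2001:db8:1::10,2001:db8:ffff::2,80,web-browsing,allow,no
2016-07-01T21:00:20,10.1.2.7,198.51.100.9,80,web-browsing,allow,yes
2016-07-01T21:00:31,2001:db8:1::22,2001:db8:ffff::3,80,web-browsing,allow,no
"""


def ip_version(addr):
    """Return 4 or 6 for a textual IP address (raises ValueError on junk)."""
    return ipaddress.ip_address(addr).version


def summarize(log_text):
    """Count sessions keyed by (ip_version, encrypted, inspected).

    'encrypted' is inferred from the app label or a 443 destination port;
    'inspected' is the device's own flag saying threat inspection ran.
    """
    counts = Counter()
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS)
    for row in reader:
        version = ip_version(row["src"])
        encrypted = row["app"] == "ssl" or row["dst_port"] == "443"
        inspected = row["inspected"].strip().lower() == "yes"
        counts[(version, encrypted, inspected)] += 1
    return counts


def uninspected_share(counts, version):
    """Fraction of sessions for one IP version that got no threat inspection."""
    total = sum(n for (v, _, _), n in counts.items() if v == version)
    uninspected = sum(n for (v, _, ins), n in counts.items()
                      if v == version and not ins)
    return uninspected / total if total else 0.0


def encrypted_share(counts, version):
    """Fraction of sessions for one IP version that were encrypted (invisible
    to content inspection unless the device decrypts)."""
    total = sum(n for (v, _, _), n in counts.items() if v == version)
    enc = sum(n for (v, e, _), n in counts.items() if v == version and e)
    return enc / total if total else 0.0


def report(log_text):
    """Print a per-version breakdown suitable for pasting into a ticket."""
    counts = summarize(log_text)
    for version in (4, 6):
        print(f"IPv{version}: uninspected {uninspected_share(counts, version):.0%}, "
              f"encrypted {encrypted_share(counts, version):.0%}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run against a real export, a result like "IPv6: uninspected 100%" would confirm the bypass Edgar suspects, while a high encrypted share on both versions would confirm Bruce's point that inspection never had a chance to see much of the traffic in the first place.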