How to expose shortcuts in competitive poc
16 likes12,500 views
This document provides configuration guidelines for conducting an apples-to-apples comparison of security vendors in a proof-of-concept environment. It recommends enabling advanced security profiles, full session logging, and disabling any shortcuts vendors may use to improve performance at the expense of security. Specific configuration steps are provided for Palo Alto Networks, Fortinet, and Cisco to expose and disable any shortcuts, such as verifying out-of-order packets are not bypassed in Palo Alto and disabling intelligent-mode scanning in Fortinet. The goal is to measure each vendor's true capabilities and performance under production-like settings.
![©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content
Q2, 2016 | 1
GENERAL CONFIGURATION (FOR ALL VENDORS)
Networking - Use Layer 3 interfaces and routing instead of bridge mode/virtual wire/span port/port
mirror to reflect production network settings
Policy Rules - Create policy rules with NAT & full session logging which reflect production policies
and has effect on performance
Best Practices –Configure policy according to each vendor security best practices
Palo Alto Networks
Enable Advanced Security – set Vulnerability and Anti-spyware security profiles to strict and
Antivirus profile to drop (equivalent to CP recommended protection)
Logging – enable logging at the session start and at session end
Disable Shortcuts – disable DSRI on all policy rules to prevent partial scan of traffic (this feature is
activated in PoC to gain better performance results)
*Palo Alto Web GUI > Policies > Add/edit rule > Actions
When testing different vendors in a PoC, it is important to do an Apples-to-Apples Comparison in order
to measure all vendors’ capabilities equally. Unfortunately, some security vendors use shortcuts with
their security solutions and products (e.g. IPS, AV) in order to gain better performance results in a
competitive PoC, which do not reflect their actual functionality and performance in production networks.
Shortcuts can improve performance but on the expense of the solution overall security. The list below,
will show how to expose if a vendor attempted to shortcuts and how to disable those shortcuts in a PoC
HOW TO EXPOSE SHORTCUTS IN COMPETITIVE POC](https://image.slidesharecdn.com/howtoexposeshortcutsincompetitivepoc-160414051234/85/How-to-expose-shortcuts-in-competitive-poc-1-320.jpg)
![©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content
Q2, 2016 | 2
Disable out-of-order Bypass –Palo Alto allow bypass of out-of-order packets by default.
Run the following command which disable bypass of out-of-order packets.(follow PAN best
practices guide https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/threat-prevention/best-practices-for-securing-
your-network-from-layer-4-and-layer-7-evasions#16594 )
Check that out of order packets bypass is disabled by running the following commands:
> show system setting ctd state
Notify user for APP block : no
Alternative AHO : no
Skip CTD : no
Parse x-forwarded-for : no
Strip x-fwd-for : no
Bloom Filter : yes
HTTP Proxy Use Transaction : yes
Enable Regex Statistics : no
URL Category Query Timeout : 5
Bypass when exceeds queue limit for TCP: no
Bypass when exceeds queue limit for UDP: no
> show running application setting
Application setting:
Application cache : yes
Supernode : yes
Heuristics : yes
Cache Threshold : 16
Bypass when exceeds queue limit: no](https://image.slidesharecdn.com/howtoexposeshortcutsincompetitivepoc-160414051234/85/How-to-expose-shortcuts-in-competitive-poc-2-320.jpg)
![©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content
Q2, 2016 | 3
Fortinet
Enable Advanced Security – set IPS and Anti-Virus security profiles to block malware in all
policy rules , and set AV profile to proxy mode vs. quick/flow mode which is often used n
POC but has minimum security effect
*Fortigate > Policies & Objects > IPv4 Policies > Add/edit rule > Security Profiles
Disable Shortcuts – disable intelligent-mode which scans only part of IPS/AV traffic
*Fortigate CLI > ‘config IPS global’ > ‘set intelligent-mode disable’
Cisco
Enable Advanced Security – set IPS security profile to security over connectivity
Disable Shortcuts – set the HTTP Client Body Extraction Depth to zero to inspect all HTTP
traffic
*FireSIGHT > Access Policy > Network Analysis Policy > create new > Choose ‘Security
over connectivity’ > go to ‘HTTP Configuration’ > change ‘HTTP Client Body Extraction
Depth’ from 4000 to 0](https://image.slidesharecdn.com/howtoexposeshortcutsincompetitivepoc-160414051234/85/How-to-expose-shortcuts-in-competitive-poc-3-320.jpg)
How to expose shortcuts in competitive poc
- 1. ©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content Q2, 2016 | 1 GENERAL CONFIGURATION (FOR ALL VENDORS) Networking - Use Layer 3 interfaces and routing instead of bridge mode/virtual wire/span port/port mirror to reflect production network settings Policy Rules - Create policy rules with NAT & full session logging which reflect production policies and has effect on performance Best Practices –Configure policy according to each vendor security best practices Palo Alto Networks Enable Advanced Security – set Vulnerability and Anti-spyware security profiles to strict and Antivirus profile to drop (equivalent to CP recommended protection) Logging – enable logging at the session start and at session end Disable Shortcuts – disable DSRI on all policy rules to prevent partial scan of traffic (this feature is activated in PoC to gain better performance results) *Palo Alto Web GUI > Policies > Add/edit rule > Actions When testing different vendors in a PoC, it is important to do an Apples-to-Apples Comparison in order to measure all vendors’ capabilities equally. Unfortunately, some security vendors use shortcuts with their security solutions and products (e.g. IPS, AV) in order to gain better performance results in a competitive PoC, which do not reflect their actual functionality and performance in production networks. Shortcuts can improve performance but on the expense of the solution overall security. The list below, will show how to expose if a vendor attempted to shortcuts and how to disable those shortcuts in a PoC HOW TO EXPOSE SHORTCUTS IN COMPETITIVE POC
- 2. ©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content Q2, 2016 | 2 Disable out-of-order Bypass –Palo Alto allow bypass of out-of-order packets by default. Run the following command which disable bypass of out-of-order packets.(follow PAN best practices guide https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/threat-prevention/best-practices-for-securing- your-network-from-layer-4-and-layer-7-evasions#16594 ) Check that out of order packets bypass is disabled by running the following commands: > show system setting ctd state Notify user for APP block : no Alternative AHO : no Skip CTD : no Parse x-forwarded-for : no Strip x-fwd-for : no Bloom Filter : yes HTTP Proxy Use Transaction : yes Enable Regex Statistics : no URL Category Query Timeout : 5 Bypass when exceeds queue limit for TCP: no Bypass when exceeds queue limit for UDP: no > show running application setting Application setting: Application cache : yes Supernode : yes Heuristics : yes Cache Threshold : 16 Bypass when exceeds queue limit: no
- 3. ©2016 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content Q2, 2016 | 3 Fortinet Enable Advanced Security – set IPS and Anti-Virus security profiles to block malware in all policy rules , and set AV profile to proxy mode vs. quick/flow mode which is often used n POC but has minimum security effect *Fortigate > Policies & Objects > IPv4 Policies > Add/edit rule > Security Profiles Disable Shortcuts – disable intelligent-mode which scans only part of IPS/AV traffic *Fortigate CLI > ‘config IPS global’ > ‘set intelligent-mode disable’ Cisco Enable Advanced Security – set IPS security profile to security over connectivity Disable Shortcuts – set the HTTP Client Body Extraction Depth to zero to inspect all HTTP traffic *FireSIGHT > Access Policy > Network Analysis Policy > create new > Choose ‘Security over connectivity’ > go to ‘HTTP Configuration’ > change ‘HTTP Client Body Extraction Depth’ from 4000 to 0