If you are looking for a multi-layered approach, we do have EDU customers
having big success complementing the 8e6 R3000 web filter with the Palo Alto
Networks security appliance with Threat module. The Palo Alto
solution is NOT a UTM device with multiple services. It can be
deployed as a firewall -- or on one leg of an existing FW cluster (example:
ASA) as an IPS. The threat module provides all malware, spyware,
exploit, and phishing protection with in-line AV scan at true multi-Gbps
speed. The v3 release now includes SSL VPN and "limited" bandwidth
shaping (no pun) for free.
The Palo Alto appliance classifies all network traffic with a specific
layer-7 identification engine -- currently matching 900+ applications.
Security policy then becomes not what you're going to block -- but
rather what you're going to allow. PA integrates with the Windows domain
via an agent, and all security policy can be specific to a domain group.
All traffic is logged per username with specific Mbps.
Check the application list -- something very similar is found in the GUI for
security policy creation (see screenshot below):
http://ww2.paloaltonetworks.com/applipedia/
All security policy can leverage category, sub-category, technology, risk
level, and characteristic -- in addition to security "zones" and domain
integration. Example: allow teachers to use the sub-category IM with risk level 1-3
and NOT evasive (i.e. instant messaging with low chance for payloads).
Our 8e6 R3000 + PA customers also block the "Proxy" category -- just
open the URL above, scroll down in sub-cat, and click Proxy -- you'll see
everything in the pane below.
In addition, the PA can block students using SSH clients (located on
USB tokens) to tunnel RDP traffic to an SSH server running on port #443 at
home. This is a standard evasive tactic we've seen lately in EDU K-12
-- since most firewalls today can't distinguish between encrypted HTTPS
and SSH traffic on port #443. The Palo Alto solution can make the
distinction and can easily block it (in addition to auditing who tries to do
this...)
We have many customers very happy with the Palo Alto Networks platform
(it's the best thing from Silicon Valley today -- tier 1 funding,
winner of best product at Interop, etc.). We do have some customers
using it specifically for IPS, malware, AV -- and application
visibility/audit -- placed inline on ONE leg of an ASA cluster. The
product can easily do it all -- firewall, IPS, etc. -- due to the hardware
architecture. If the box says "1Gbps" throughput -- this is 500Mbps with
everything enabled (threat, AV scanning, URL filtering, etc.).
The PA appliance comes with application control (App-ID) and has options for
both (a) threat prevention -- IPS, malware, AV scanning -- and (b) URL
filtering. They are quick to differentiate themselves from the UTM story
-- because of the hardware architecture (network processors, FPGA, security
processors) and full 10G support -- something no UTM vendor can
claim. It includes free SSL VPN and packet shaping/rate limiting.
Almost 900 specific applications are identified on the network -- see the "browser"
below -- very similar to what's in the PA GUI for security policy. All
security policy can leverage a specific application -- and/or include any
combo of criteria from all groups at the top of the table (category, subcat,
technology, risk, and characteristic). Example: only allow streaming
media apps with risk of 1-3 and the non-evasive characteristic.
http://ww2.paloaltonetworks.com/applipedia/
The PA solution integrates with the DOMAIN so all security policy (i.e.
application usage) can be based on a specific user/group.
I mention this because we have a local customer downtown coming off a
PA-2020 evaluation (they are buying a PA-2050) and we could redirect to
you.
http://www.paloaltonetworks.com/products/pa2000.html
I mention this as a potential path to consolidate your security
architecture. You could start in phase with PA as IPS/AV/malware on
one ASA leg (similar to Intrushield today) -- but expand to use of PA
for full firewall operation in the future.
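To make the "allow, not block" policy model and the SSH-on-443 point above concrete, here is an added Python illustration. It is not Palo Alto's code; the application catalogue, its risk/evasive values and the rule format are constructed assumptions. It shows a toy payload-based classifier that tells an SSH banner from a TLS handshake regardless of port, and a default-deny policy evaluated on category, sub-category, risk and evasive attributes per user group.

```python
import re

# Constructed sample application catalogue (NOT Applipedia data):
# app name -> (category, sub-category, risk 1-5, evasive)
APP_DB = {
    "ssl":            ("networking", "encrypted-tunnel", 4, False),
    "ssh":            ("networking", "encrypted-tunnel", 4, True),
    "web-browsing":   ("general-internet", "internet-utility", 4, False),
    "chat-basic":     ("collaboration", "instant-messaging", 2, False),
    "chat-tunneling": ("collaboration", "instant-messaging", 4, True),
    "unknown-tcp":    ("unknown", "unknown", 5, True),
}

def identify_app(payload: bytes) -> str:
    """Classify a flow from its first client bytes, ignoring the port.
    This is what lets SSH on tcp/443 be told apart from HTTPS."""
    if payload.startswith(b"SSH-"):                       # SSH identification string
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "ssl"                                      # TLS handshake record header
    if re.match(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n", payload):
        return "web-browsing"
    return "unknown-tcp"

# Rules mirror the message's example: teachers may use sub-category IM with
# risk 1-3 and NOT evasive; anything not explicitly allowed is denied.
RULES = [
    {"group": "teachers", "subcategory": "instant-messaging",
     "max_risk": 3, "evasive": False, "action": "allow"},
    {"group": "any", "app": "web-browsing", "action": "allow"},
    {"group": "any", "app": "ssl", "action": "allow"},
]

def evaluate(group: str, app: str, rules=RULES) -> str:
    """Positive security model: first matching rule wins, default deny."""
    _category, subcat, risk, evasive = APP_DB.get(app, APP_DB["unknown-tcp"])
    for r in rules:
        if r["group"] not in ("any", group):
            continue
        if "app" in r and r["app"] != app:
            continue
        if "subcategory" in r and r["subcategory"] != subcat:
            continue
        if "max_risk" in r and risk > r["max_risk"]:
            continue
        if "evasive" in r and evasive != r["evasive"]:
            continue
        return r["action"]
    return "deny"

def decide(group: str, first_bytes: bytes):
    """Identify the app from the payload, then evaluate policy for the group."""
    app = identify_app(first_bytes)
    return app, evaluate(group, app)
```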
