> On Jul 5, 2016, at 9:33 AM, valdis.kletni...@vt.edu wrote:
>
> On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:
>
>> We're having problems where viruses are getting through Firefox, and we
>> think it's because our Palo Alto firewall is set to bypass filtering for
>> IPv6.
>
> Do you have any actual evidence (device logs, tcpdump, netflow, etc.) that
> supports that train of thought?
>
> Remember that your Palo Alto isn't stopping 100% of the icky stuff on the
> IPv4 side either - the sad truth is that most commercial security software
> is only able to identify and block between 30% and 70% of the crap that's
> out in the wild.
That is only the percentage that it identifies from what it can see. It most likely cannot see viruses in encrypted traffic.

"• A forecast that 70% of global Internet traffic will be encrypted in 2016, with many networks exceeding 80%"
https://www.sandvine.com/pr/2016/2/11/sandvine-70-of-global-internet-traffic-will-be-encrypted-in-2016.html

"In the fourth quarter of 2015 nearly 65 percent of all web connections that Dell observed were encrypted, leading to a lot more under-the-radar attacks, according to the company. Gartner has predicted that 50 percent of all network attacks will take advantage of SSL/TLS by 2017."
http://www.darkreading.com/attacks-breaches/when-encryption-becomes-the-enemys-best-friend/d/d-id/1324580

This article mentions how difficult it is for sandboxes to detect malware.
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-hot-knives-through-butter.pdf

This article mentions malware that changes its download image every 15 seconds.
http://www.darkreading.com/vulnerabilities---threats/cerber-strikes-with-office-365-zero-day-attacks/d/d-id/1326070?_mc=NL_DR_EDT_DR_weekly_20160630&cid=NL_DR_EDT_DR_weekly_20160630&elqTrackId=1d7f1b5bcdb24c469164471a423f746b&elq=01e6838c279149a08e460cdbe3b8b54a&elqaid=70982&elqat=1&elqCampaignId=21896

> There are also BYOD issues where a laptop comes in and infects
> all your systems from behind the firewall (as Marcus Ranum says: "Crunchy on
> the outside, soft and chewy inside").
>
> In any case, your first two actions should be to recover the password for the
> Palo Alto, and make sure it has updated pattern definitions in effect on both
> IPv4 and IPv6 connections.
>
> And your third should be to re-examine your vendor rules of engagement, to
> ensure your deliverables include things like passwords and update support
> so you're not stuck if your vendor goes belly up.

---
Bruce Curtis                         bruce.cur...@ndsu.edu
Certified NetAnalyst II              701-231-8527
North Dakota State University