Tag Archives: NGFW

What I expect from IT Asset Inventory

The main problem of vulnerability management, in my opinion, is that it is not always clear whether we know about ALL network hosts existing in our infrastructure or not. So, not the actual process of scanning and the detection of vulnerabilities, but the lack of knowledge what we should scan.

Knowing the total number of active hosts, this must be such a simple and basic thing. But for a large organization, this is not so trivial. To tell the truth, I do not know how to do IT Asset Inventory right. I’m not even sure who should be responsible this. There are so many different technological and organizational nuances. I will mention some of them below.

Who is responsible for inventorying IT assets?

But I can say with confidence that my basic requirement for IT Asset Inventory system will be the completeness of the scope, not the number of collected parameters. The very minimum is just to see that some network host existed and seemed active at some time.

Continue reading

Retrieving Palo Alto NGFW security events via API

It may seem like NGFW topic is not really related to vulnerability assessment and vulnerability management. In fact, correlation of security events in traffic with vulnerability scan data sometimes may give very interesting results. For example, if we have a Windows desktop host with critical vulnerabilities, it won’t be a big surprise to detect some botnet activity related to this host. Fixing of this hosts should be a high priority task. Moreover, Palo Alto NGFW now supports signatures for vulnerability detection, like Tenable PVS. It’s pretty logical: if you are already searching something in the network traffic, why not to look also for vulnerable software versions in the packet headers?

Palo Alto Monitor

I took this image from the official manual

At the “Monitoring” tab of Palo Alto NGFW GUI web-interface you can see a flow of security events, produced by Palo Alto security rules, standard or custom. With PA query language you may easily filter this events. It is also possible to produce reports. However, the standard reports Palo Alto are not very informative and only represent some statistics of attacks without any additional information. Much more interesting reports you can make using Palo Alto API.

Continue reading