Stormshield is a very good product, but it's mainly designed for industrial scenarios and lacks some features that are essential for an enterprise NGFW (e.g. the protocol inspection covers very few protocols compared to PA/Checkpoint/etc.). Unfortunately the enterprise NGFW market is dominated by US or Israeli companies, even if some niche brands like Stormshield for OT and Clavister for telcos are European.
Stormshield firewalls offer a plethora of IPS protections and signatures, not just OT related ones. There are different licenses, offering varying protections and signatures.
Stormshield firewalls can certainly be used in enterprise settings. OT environments are an added bonus where Stormshield firewalls can be used as a protective layer.
Stormshield's IPS is its major strength, being very well integrated in the overall firewall design. The whole firewall rulebase is designed in terms of its IPS; I am not aware of any firewall on the market that has such a nicely integrated IPS.
Also, at the point where one runs out of IPS options to configure (by which I am not referring to signatures in the general sense of the term), and one has also adapted all of Stormshield's available signatures to the needs of the particular environment, the real fun of creating new custom IPS signatures begins.
Stormshield's roots date back to 1998's NETASQ, and so I would say they are of a similar pedigree as Check Point, in terms of their history.
Disclaimer: I'm a Stormshield Platinum Partner and hold a CSNTS.
I was on an intercontinental flight a few weeks ago and, when everyone was sleeping, my wife was able to open Instagram and scroll the feed, while other websites were not accessible.
I did not have a PC with me, but I immediately guessed that they were doing filtering based on SNI.
Appliances like Allot or Sandvine have been in this market for more than a decade.
Antennas are really black magic: optimizing an antenna requires stochastic methods like genetic algorithms, simulated annealing, etc.
Moreover, if you want to model the radiation patterns and the electrical characteristics, you need to use finite element calculation methods.
So you need a lot of computation power, as antennas are not a problem that can be solved in closed form.
Source: I almost burnt my PC simulating a dipole array while studying for the antennas course at university.
I have a customer-facing role, so it's easy to get questions from customers about details that I don't know.
My approach is simple: always be very transparent. I can say "I am not 100% sure, so I will verify with my colleagues and with R&D and let you know" or just "I don't know right now, but I am taking notes and will let you know ASAP". This approach also helps me ask the customer the right questions, just to understand what the customer wants.
I was on the other side for years and I hate it when consultants try to avoid the questions or give me foggy replies.
Almost 10 years ago I created a couple of Twitter bots that could tweet like the leaders of two populist Italian parties. The quality of the tweets was sometimes not the best, but usually decent. It was impressive how many people started following them in a few weeks.
In a corporate environment you must use only the company's internal DNS resolvers, and they are the only ones that should go outside on port 53.
This is a basic security measure to detect and block every attempt at DNS tunnelling or exfiltration.
This means that the security department is not doing a good job: things like iodine can be detected easily by an NGFW or by analysis of DNS logs. This is quite a basic security posture.
Back when I was using it similarly to the other poster (say, 15 years ago), that wasn't the case. It's still a great litmus test of security posture today.
Just using DNS for data exfiltration, in general, is usually pretty fruitful. I wrote a "live off the land" data exfil script for Windows once, using the certutil and nslookup commands to base64-encode data and ship it out to my off-site DNS server.
I'll have to try it against a Palo Alto NGFW sometime and see what alarms I trip. I honestly never thought to try.
MFA is quite a bit more complex to implement, especially if legacy applications are involved. Applying basic DNS security monitoring is not hard; you can even implement it with a few policies on the border FW and something like an ELK stack.
The most difficult part is implementing an appropriate process.
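As an added example, not code from any of the posters, here are both sides of the exchange this thread describes: the certutil-plus-nslookup pattern (base64 data carried in query names to an attacker-controlled zone) and the two checks that catch it, a border rule that only the internal resolvers may reach port 53 and a per-domain analysis of resolver logs of the kind one would run in an ELK stack. The resolver addresses, the attacker zone, the flow records and the log format are all constructed for the example; the thresholds are starting points, not tuned values.

```python
"""Added example: DNS exfiltration over query names, and the two basic detections
(port-53 egress policy, resolver-log analysis) that expose it. All data constructed."""
import base64
import math
from collections import defaultdict

MAX_LABEL = 63        # RFC 1035: a label is at most 63 octets
LABELS_PER_QUERY = 3  # keeps every name well under the 253-octet name limit
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # assumed corporate resolvers

# --- attacker side: what a certutil + nslookup style script produces -------------

def exfil_names(payload: bytes, attacker_domain: str) -> list:
    """Names the client resolves to ship `payload`: <seq>.<b64 labels>.<attacker zone>."""
    b64 = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    labels = [b64[i:i + MAX_LABEL] for i in range(0, len(b64), MAX_LABEL)]
    names = []
    for seq, i in enumerate(range(0, len(labels), LABELS_PER_QUERY)):
        names.append(f"{seq}." + ".".join(labels[i:i + LABELS_PER_QUERY]) + f".{attacker_domain}")
    return names


def reassemble(names: list, attacker_domain: str) -> bytes:
    """What the attacker's authoritative server does with the query names it receives."""
    suffix = "." + attacker_domain
    chunks = {}
    for n in names:
        seq, _, rest = n[: -len(suffix)].partition(".")
        chunks[int(seq)] = rest.replace(".", "")
    b64 = "".join(chunks[k] for k in sorted(chunks))
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))

# --- defender side, check 1: only the resolvers may talk to port 53 outside ------

def border_port53_violations(flows: list) -> list:
    """Flow records to dst port 53 from anything that is not an internal resolver."""
    return [(f["src"], f["dst"]) for f in flows
            if f["dport"] == 53 and f["src"] not in INTERNAL_RESOLVERS]

# --- defender side, check 2: resolver-log analysis -------------------------------

def parse_resolver_log(text: str) -> list:
    """Constructed log format: '<timestamp> client=<ip> query=<qname>' per line."""
    out = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        out.append((fields["client"], fields["query"]))
    return out


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parent_domain(qname: str) -> str:
    # Naive: last two labels. Production code should use the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def tunnel_suspects(queries: list, min_unique=10, min_len=40, min_entropy=3.5) -> dict:
    """Group (client, qname) pairs by parent domain; flag domains whose unique
    subdomains are many, long and high-entropy, the shape of a tunnel or exfil channel."""
    per_domain = defaultdict(set)
    for _, qname in queries:
        per_domain[parent_domain(qname)].add(qname.rstrip("."))
    suspects = {}
    for dom, names in per_domain.items():
        subs = [n[: -len(dom) - 1].replace(".", "") for n in names]
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(shannon_entropy, subs)) / len(subs)
        if len(names) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            suspects[dom] = {"unique": len(names), "avg_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)}
    return suspects

# --- constructed sample data ------------------------------------------------------

SAMPLE_PAYLOAD = b"secret document contents " * 100   # 2.5 KB of constructed data
ATTACKER_DOMAIN = "attacker.example"                  # assumed attacker-controlled zone
LEGIT = ["www.example.com", "mail.example.com", "api.example.com", "cdn.example.com"]


def build_sample_log() -> str:
    lines = [f"2024-05-01T10:00:{i:02d}Z client=10.0.5.12 query={q}"
             for i, q in enumerate(LEGIT * 5)]
    lines += [f"2024-05-01T10:01:{i:02d}Z client=10.0.5.40 query={q}"
              for i, q in enumerate(exfil_names(SAMPLE_PAYLOAD, ATTACKER_DOMAIN))]
    return "\n".join(lines)


SAMPLE_FLOWS = [  # constructed border flow records
    {"src": "10.0.0.53", "dst": "198.51.100.1", "dport": 53},  # resolver forwarding: allowed
    {"src": "10.0.5.40", "dst": "203.0.113.7", "dport": 53},   # workstation doing DNS itself: violation
    {"src": "10.0.5.12", "dst": "203.0.113.9", "dport": 443},
]

if __name__ == "__main__":
    print("border violations:", border_port53_violations(SAMPLE_FLOWS))
    print("tunnel suspects:", tunnel_suspects(parse_resolver_log(build_sample_log())))
```

The border rule is the cheap half: a workstation sending its own packets to port 53 is either misconfigured or bypassing the resolver, and either way it is worth an alert. The log analysis is what catches the case the thread is about, where the exfil goes through the sanctioned resolver: the payload still has to ride in query names, so the attacker zone stands out by volume of unique subdomains, their length and their entropy. Tune the three thresholds against your own baseline, because CDNs and some telemetry services also produce long, high-entropy names, which is why the process around the alert matters as much as the rule.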