The Threat Intelligence Challenges and Next-Generation Firewalls

June 2020

The Threat Intelligence Challenges with Next-Generation Firewalls

Today’s networks are transforming at an unprecedented speed. Nation-state events and global crises are challenging every aspect of how business is conducted. Now more than ever, organizations are relying on their network infrastructure to maintain business continuity and support digital business initiatives. Unfortunately, one aspect of the digital economy that remains constant is the threat to the network from cyber criminals. As they scramble to adopt new network paradigms, organizations continue to rely on their traditional security controls, such as Next-Generation Firewalls (NGFWs), to secure their businesses.

However, many organizations are realizing that their next-generation firewalls are having a tough time keeping up with today’s threats. To be fair, organizations require a lot from their firewalls: they must cope with increasing network traffic, growing threat volumes, encrypted traffic, and a never-ending array of functions they are asked to perform. There is, however, a more fundamental challenge facing firewalls that requires our attention: their reliance on proprietary and closed threat intelligence to detect and block threats. Simply put, this means they operate with too narrow a view of the threat landscape, and therefore struggle to keep up with today’s attacks.

In light of this and in an effort to better secure their networks, organizations have increasingly adopted threat intelligence as a means to identify and respond to evolving threats. However, as organizations look to operationalize threat intelligence, they find it challenging to integrate threat intelligence into their next-generation firewalls.

When combined, the lack of broad-based threat visibility and the inability to integrate threat intelligence at scale represent two significant challenges for next-generation firewalls. In this white paper, we provide an overview of these challenges, present real-world data, discuss why these challenges exist, and briefly describe how the Bandura Cyber Threat Intelligence Firewall platform eliminates them.

Challenge 1

Firewalls Rely On Proprietary & Closed Threat Intelligence

Cyber security vendors, especially mainstay next-generation firewall vendors, have long advertised threat intelligence expertise as a differentiating value proposition beyond their product technology. That makes sense in an industry whose bread and butter is the ever-evolving sophistication of cyber attacks. However, with so many different vendors, institutions, and government entities engaged in the pursuit of threat intelligence, its definition has become muddled. The result is confusion about both what constitutes threat intelligence and how it should be used.

Next-generation firewalls are powered by threat intelligence. However, the threat intelligence they use is wholly controlled by the vendor, and is typically both proprietary and closed. The threat intelligence they use to detect and block threats is predominantly based on threat activity they see within their own customer base supplemented by analysis from their internal “Intelligence” teams. Make no mistake, this threat intelligence is valuable. However, it alone is insufficient to protect organizations from today’s dynamic threats, because it provides too narrow a view of constantly evolving threat activity. Simply put, it’s just one vendor’s perspective.

Fortunately, the challenges of relying on single-source threat intelligence are well known. For this reason, more organizations are supplementing the threat intelligence they get from existing controls with a broad-based view that spans multiple, diverse sources. These sources include commercial threat intel providers like DomainTools, IntSights, Recorded Future, and others; open source threat intel (OSINT); government providers like DHS; and industry sharing communities like ISACs/ISAOs. This broad-based view of threat intelligence enables organizations to better protect themselves from cyber threats.

Challenge 2

Firewalls have Limited Ability to Integrate Third-Party Threat Intelligence

As organizations invest more in threat intelligence, they logically look to maximize its value by making it actionable, that is, by using that intelligence to detect and block threats. To make threat intelligence actionable, organizations first look to integrate it into existing security controls like firewalls. However, it doesn’t take long to realize the significant challenges that exist here.

The fact is, next-generation firewalls don’t “play nicely” with third-party threat intelligence. These legacy devices have significant limitations in both the volume of third-party threat intelligence they accept and the ways it can be integrated. Volume limitations can include the total number of third-party indicators, the size of external blocklists, and/or the number of lists that can be used. Firewalls are also limited in how third-party threat feeds can be integrated: most firewalls can only consume plain text lists of indicators fetched over HTTPS. While some firewall providers have broadened their integration abilities to support standards like STIX/TAXII, using this capability requires an additional solution.
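The “additional solution” mentioned above is, at minimum, a converter from STIX/TAXII content to the one format most firewalls do fetch: a plain text list of indicators served over HTTPS. The following added example (not Bandura’s or any firewall vendor’s code) performs that conversion for a constructed STIX 2.1 bundle, skipping expired and malformed indicators; the bundle, its ids, the documentation-range addresses and the frozen timestamp are all made up for the example.

```python
"""Convert STIX 2.1 indicators into per-type plain text blocklists."""
import ipaddress
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# One comparison inside a STIX pattern, e.g. [ipv4-addr:value = '198.51.100.7'].
# A pattern may chain several comparisons with AND/OR, hence findall() below.
COMPARISON_RE = re.compile(r"(ipv4-addr|domain-name):value\s*=\s*'([^']+)'")

# Reference "now" for the expiry check (constructed for the example).
FROZEN_NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)

# Constructed bundle: invented ids, RFC 5737 documentation addresses.
CONSTRUCTED_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2020-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[domain-name:value = 'Malicious.Example' OR "
                    "domain-name:value = 'malicious.example']",  # duplicate
         "valid_from": "2020-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern": "[ipv4-addr:value = '203.0.113.0/24']",
         "valid_from": "2019-01-01T00:00:00Z",
         "valid_until": "2019-06-01T00:00:00Z"},  # expired: must be skipped
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern": "[ipv4-addr:value = '999.1.1.1']",  # malformed: skipped
         "valid_from": "2020-01-01T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1", "name": "not an indicator",
         "id": "malware--00000000-0000-4000-8000-000000000006"},
    ],
})


def normalize_ip(value: str) -> str:
    """Canonical host or CIDR string; raises ValueError on garbage."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return str(ipaddress.ip_network(value, strict=False))


def is_active(obj: dict, now: datetime) -> bool:
    """False for revoked indicators and for those whose valid_until has passed."""
    if obj.get("revoked"):
        return False
    until = obj.get("valid_until")
    if until is None:
        return True
    return datetime.fromisoformat(until.replace("Z", "+00:00")) > now


def stix_to_lists(bundle_json: str,
                  now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Return {'ip': [...], 'domain': [...]}: deduplicated, validated, sorted."""
    now = now or datetime.now(timezone.utc)
    ips, domains = set(), set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if not is_active(obj, now):
            continue
        for kind, value in COMPARISON_RE.findall(obj["pattern"]):
            if kind == "ipv4-addr":
                try:
                    ips.add(normalize_ip(value))
                except ValueError:
                    continue  # malformed address: leave it out of the list
            else:
                domains.add(value.strip().rstrip(".").lower())
    return {"ip": sorted(ips), "domain": sorted(domains)}


def render_list(entries: List[str]) -> str:
    """One indicator per line, the shape a firewall fetches a text list in."""
    return "\n".join(entries) + "\n"


if __name__ == "__main__":
    lists = stix_to_lists(CONSTRUCTED_BUNDLE, FROZEN_NOW)
    print(render_list(lists["ip"]), render_list(lists["domain"]), sep="")
```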



The third-party threat intelligence limitations of next-generation firewalls are a very real challenge facing organizations. Here at Bandura Cyber, we see it and hear it daily as we interact with our customers and prospects. We often hear that this fundamental reality is a key reason why organizations purchase and deploy our Threat Intelligence Firewall platform. Importantly, real-world data from leading firewall providers validates the limitations. Let’s take a look.

Palo Alto Networks External Dynamic Lists

Palo Alto Networks is arguably the most popular Next-Generation Firewall on the market today. However, it is not without its own faults. In its PAN-OS® Administrator’s Guide, the company provides information on its External Dynamic Lists, which are defined as text files hosted on an external web server. The data clearly illustrates the limitations Palo Alto Networks’ next-gen firewalls have with respect to third-party threat indicators.

Specifically:

  • The PA-5200 Series and the PA-7000 Series firewalls, which are Palo Alto Networks’ high-end models, support a maximum of 150,000 total IP addresses; all other models support a maximum of 50,000 total IP addresses.
  • The maximum number of domains ranges from 50,000 to 4 million depending on the model. The upper end of that range requires upgraded network processing cards.
  • On each firewall model, you can add a maximum of 30 custom External Dynamic Lists with unique sources.

[Infographic] Palo Alto Networks NGFW IP address limits: low end = 50,000; mid range and high end = 150,000
[Infographic] Palo Alto Networks NGFW domain list entry limits: low end = 50,000; mid range = 1,000,000; high end = 4,000,000

By its own admission, the top-end Palo Alto Networks next-generation firewall, the PA-7080, which is marketed to large enterprises and service providers, can only handle 150,000 total third-party IP indicators and 4 million total third-party domain indicators.

To put this into perspective, let’s compare Palo Alto Networks’ External Dynamic List limits with two threat feed examples. The first graphic below shows an IP Reputation feed that typically has over 4.5 million indicators. The second graphic below shows a Malicious Domain Blocklist powered by threat intelligence from DomainTools; it contains domains with a risk score of 99 or higher (out of 100). As you can see, fitting these threat feeds into Palo Alto Networks External Dynamic Lists is next to impossible.

[Infographic] Third-party IP reputation feed example: Palo Alto Networks IP limit = 150,000; IP reputation feed = 4,577,191
[Infographic] Third-party domain blocklist example: Palo Alto Networks domain limit = 4,000,000; Malicious Domain Blocklist = 23,818,917

Fortinet Threat Feeds (External Dynamic Block Lists)

Another leader in the next-gen firewall market is Fortinet. Similar to Palo Alto Networks, Fortinet has the ability to dynamically import external block list text files from an HTTP server. Text files can contain IP addresses, domain names, and hashes. Fortinet calls these dynamic block lists “Threat Feeds.”

Identifying third-party threat intelligence limitations with Fortinet is more challenging than for Palo Alto Networks because less data is published. However, one important data point illustrates key limitations. Fortinet indicates that a blocklist file can be at most 10 MB or 128,000 lines of text, whichever is more restrictive.

While it’s unclear whether Fortinet has a total volume limit, what is clear is that integrating a large third-party threat feed into Fortinet would be cumbersome, requiring one large threat list to be separated into many smaller lists. For example, the IP Reputation feed would require over 30 separate lists and the DomainTools threat feed would require over 170 separate lists.
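As an added worked example (not from the white paper), the arithmetic behind both comparisons above: the Palo Alto Networks External Dynamic List totals per device and the Fortinet per-file cap of 10 MB or 128,000 lines. The limits and feed sizes are the paper’s figures; the helper names, the assumed average bytes per line and the sample entries are constructed here.

```python
"""Check a third-party feed against per-device totals and per-file caps."""
from math import ceil
from typing import Iterable, List

# Per-device totals quoted in the paper for Palo Alto Networks EDLs.
PAN_LIMITS = {
    "low":  {"ip": 50_000,  "domain": 50_000,    "lists": 30},
    "mid":  {"ip": 150_000, "domain": 1_000_000, "lists": 30},
    "high": {"ip": 150_000, "domain": 4_000_000, "lists": 30},
}

# Per-file cap quoted for Fortinet threat feeds: 10 MB or 128,000 lines,
# whichever is reached first.
FORTINET_MAX_LINES = 128_000
FORTINET_MAX_BYTES = 10 * 1024 * 1024

# Feed sizes from the paper's two examples.
IP_REPUTATION_FEED = 4_577_191
DOMAINTOOLS_BLOCKLIST = 23_818_917


def fits_pan_edl(count: int, kind: str, model: str = "high") -> bool:
    """True if `count` indicators of `kind` fit one device's total for `model`."""
    return count <= PAN_LIMITS[model][kind]


def lists_required(count: int, avg_line_bytes: int,
                   max_lines: int = FORTINET_MAX_LINES,
                   max_bytes: int = FORTINET_MAX_BYTES) -> int:
    """Minimum number of files when both a line cap and a byte cap apply.

    Each entry occupies avg_line_bytes (newline included), so the byte cap is
    a second per-file line budget; the tighter of the two budgets wins.
    """
    lines_per_file = min(max_lines, max_bytes // avg_line_bytes)
    return ceil(count / lines_per_file)


def split_feed(entries: Iterable[str], max_lines: int,
               max_bytes: int) -> List[List[str]]:
    """Greedily split indicator lines into files that honour both caps."""
    files: List[List[str]] = [[]]
    size = 0
    for entry in entries:
        line_bytes = len(entry.encode()) + 1  # trailing newline
        if line_bytes > max_bytes:
            raise ValueError(f"single entry exceeds byte cap: {entry!r}")
        if len(files[-1]) >= max_lines or size + line_bytes > max_bytes:
            files.append([])  # start a new file when either cap would be hit
            size = 0
        files[-1].append(entry)
        size += line_bytes
    return [f for f in files if f]


if __name__ == "__main__":
    # Constructed sample: ten documentation-range addresses, tiny caps.
    sample = [f"203.0.113.{i}" for i in range(10)]
    print([len(f) for f in split_feed(sample, max_lines=4, max_bytes=10**6)])
    # Assumed ~16 bytes per IPv4 line and ~24 bytes per domain line.
    print(lists_required(IP_REPUTATION_FEED, 16))      # 36 files, over 30
    print(lists_required(DOMAINTOOLS_BLOCKLIST, 24))   # 187 files, over 170
    print(fits_pan_edl(IP_REPUTATION_FEED, "ip"))       # False
    print(fits_pan_edl(DOMAINTOOLS_BLOCKLIST, "domain"))  # False
```

With long entries (for instance 100-byte lines) the 10 MB cap binds before the 128,000-line cap, and the required file count rises accordingly.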

SonicWall Threat API

Data from SonicWall, a well-established provider of firewall solutions to small and mid-sized businesses, also validates these threat intelligence limitations. SonicWall’s Threat API “allows administrators to send lists of URLs or IP addresses to be blocked via command line.” Based on this, there appears to be no automated way to integrate third-party threat intelligence into SonicWall firewalls. SonicWall also indicates that the list is limited to 5,000 entries for all product versions.

Why Do Firewalls Have These Limitations?

Understanding the limitations firewalls have with respect to using third-party threat intelligence is the first step. Next, we must ask, why do these limitations exist? We believe there are two motivating factors: (1) lack of incentives; and (2) resource constraints.

Lack of Incentives

Firewall providers are in the business of providing solutions that protect networks. As mentioned earlier, their solutions are powered by their own proprietary threat intelligence. In fact, one of the key ways firewall providers compete against one another is based on their ability to detect and block threats. This is evidenced in annual firewall tests conducted by organizations like NSS Labs. This fuels a virtuous circle where firewall providers focus on improving their own detection capabilities. The focus on proprietary threat intelligence leads to a natural lack of incentive to use threat intelligence from other sources or to share threat intelligence with other systems.

Resource Constraints

The other major factor that we believe inhibits firewalls’ ability to work with third-party threat intelligence is resource constraints. Simply put, today’s firewalls perform multiple functions, many of which are resource intensive. These functions include deep packet inspection in order to provide services like intrusion detection and prevention (IDS/IPS), URL filtering, and malware detection. The resource intensity of deep packet inspection is evident in the significant decrease in firewall throughput that occurs when these features are enabled. This decrease is typically in the area of 50%.

Adding further to the resource burden is that an increasing share of traffic is encrypted. This means that firewalls need to decrypt the traffic in order to inspect it for threats, and that decryption requires significant additional resources. Many firewalls are now adding SD-WAN capabilities as well, so the list of functions keeps growing.

Simply put, the more functions a firewall performs, the more resources this requires. With firewalls being challenged already to provide their own services, this leaves few resources to divert to process third-party threat intelligence feeds.

A Quick Look at the Bandura Cyber Threat Intelligence Firewall Platform

Over the last several years, Bandura Cyber has been at the forefront of driving a new category of cyber security technology that makes threat intelligence actionable. The Bandura Cyber Threat Intelligence Firewall platform aggregates and integrates threat intelligence in the cloud and makes it actionable by blocking known bad traffic before it hits your network.

Compared to traditional firewalls, the Bandura Cyber Threat Intelligence Firewall platform is:
  • Purpose-built to detect and block threats based on massive volumes of threat intelligence. It can block up to 150 million unique IP and domain threat indicators at line speed before they hit your network and security controls, far exceeding the capabilities of next-generation firewalls. There are also no limitations on the number of lists or list sizes.
  • An open platform that can work with IP and domain threat intelligence from any source. The platform provides a broad array of “out of the box” threat feeds from commercial, open source, government, and industry sources and can integrate IP and domain threat intelligence from any source. This includes native support for standards like STIX/TAXII, open APIs, and “out of the box” connectors for Threat Intelligence Platforms, SIEMs, SOARs, and other systems.
  • Easy to deploy and manage, with simple and intuitive policy management capabilities.

The Bandura Cyber Threat Intelligence Firewall Platform Complements Next-Generation Firewalls

A critical point is that the Threat Intelligence Firewall complements next-generation firewalls by providing organizations with another layer of protection. Threat Intelligence Firewalls eliminate the threat intelligence challenges facing next-generation firewalls. It is a complement rather than a replacement because next-generation firewalls provide capabilities, such as deep packet inspection, that the Threat Intelligence Firewall does not. Importantly, the Bandura Cyber Threat Intelligence Firewall platform not only provides another layer of network protection but also improves the efficiency of firewalls, freeing their precious resources to focus on deep packet inspection, decryption, and other important functions.

Conclusion

Next-generation firewalls remain an important foundational component of network security. However, a reliance on proprietary and closed threat intelligence and an inability to integrate threat intelligence at scale are resulting in firewalls having a tough time keeping up with today’s threats. The Bandura Cyber Threat Intelligence Firewall platform is helping organizations to overcome these challenges and to make threat intelligence actionable in an easy, open, automated, and scalable way.

BANDURA CYBER, INC.

TERMS OF SERVICE AGREEMENT 

IMPORTANT: UNLESS OTHERWISE AGREED IN WRITING SIGNED BY BOTH PARTIES, THIS TERMS OF SERVICE AGREEMENT (THE “AGREEMENT”) GOVERNS ALL USE BY YOU AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY, “CUSTOMER”) OF THE BANDURA SOFTWARE AND THE BANDURA EQUIPMENT (THE “EQUIPMENT”) INCLUDING ALL SOFTWARE EMBEDDED IN THE EQUIPMENT AND ALL SOFTWARE (THE “SOFTWARE” AND TOGETHER WITH THE EQUIPMENT, THE “SOLUTION”) PROVIDED BY BANDURA CYBER, INC. (“BANDURA”) FOR USE IN CONNECTION WITH THE EQUIPMENT.

BANDURA IS WILLING TO PROVIDE THE SOLUTION TO CUSTOMER ONLY UPON THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. BY REQUESTING AN EVALUATION OF THE SOLUTION, ACCEPTING A QUOTE FOR THE SOLUTION, SUBMITTING AN ORDER FOR THE SOLUTION, OR BY USING ANY PART OF THE SOLUTION, CUSTOMER IS BINDING ITSELF TO ALL TERMS OF THIS AGREEMENT. IF CUSTOMER DOES NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, THEN BANDURA IS UNWILLING TO LICENSE THE SOFTWARE OR PROVIDE THE EQUIPMENT TO IT AND (A) CUSTOMER MAY NOT USE THE SOFTWARE OR THE EQUIPMENT, AND (B) CUSTOMER MAY RETURN THE EQUIPMENT FOR A FULL REFUND. CUSTOMER’S RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM BANDURA OR AN AUTHORIZED BANDURA RESELLER, AND APPLIES ONLY IF CUSTOMER IS THE ORIGINAL END USER PURCHASER.

The following terms of Agreement govern Customer’s access and use of the Software.

License. Conditioned upon compliance with the terms and conditions of this Agreement, Bandura grants to Customer a nonexclusive and nontransferable license to use the Software and the Documentation for which Customer has paid any and all required license fees, as limited in time or scope by any Solution quotation, evaluation or order documents. “Documentation” means written information contained in user or technical manuals, training materials, and specifications specifically pertaining to the Software and made available by Bandura for use with the Software or the Equipment in any manner (including on CD-ROM, or on-line).

Customer’s license to use the Software shall be limited to, and Customer shall not use the Software except in connection with, the Equipment.

Unless otherwise expressly provided in the Documentation, Customer shall use the Software solely as embedded in the Equipment for Customer’s internal business purposes only.

General Limitations. This is a license, not a transfer of title, to the Software and Documentation. Unless otherwise stated in any other documentation agreed by the parties, title to Equipment shall pass to Customer upon delivery.  Bandura retains ownership of all copies of the Software and Documentation. Customer acknowledges that the Software and Documentation contain trade secrets of Bandura, its suppliers or licensors, including but not limited to the specific internal design and structure of individual programs and associated interface information. Accordingly, except as otherwise expressly provided in this Agreement, Customer shall have no right, and Customer specifically agrees not to

  • transfer, assign or sublicense its license rights to any other person or entity, or use the Software except in connection with the Equipment, and any attempted transfer, assignment, or sublicense shall be void;
  • modify, adapt, alter, or otherwise change the Software or create derivative works based upon the Software, or permit third parties to do the same;
  • reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human-readable form, except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction;
  • use or permit the Software to be used to perform services for third parties, whether on a service bureau or time sharing basis or otherwise, without the express written authorization of Bandura; or
  • disclose, provide, or otherwise make available the Software or trade secrets contained within the Software and/or Documentation in any form to any third party without the prior written consent of Bandura. Customer shall implement reasonable security measures to protect the Software and such trade

Software, Upgrades and Additional Copies. For purposes of this Agreement, “Software” shall include (and the terms and conditions of this Agreement shall apply to) computer programs, including firmware, as provided to Customer by Bandura, or an authorized Bandura reseller, or embedded or installed in the Equipment, and any upgrades, updates, bug fixes or modified versions thereto (collectively, “Upgrades”) or backup copies of the Software licensed or provided to Customer by Bandura or an authorized Bandura reseller.

NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT: (1) CUSTOMER HAS NO LICENSE OR RIGHT TO USE ANY ADDITIONAL COPIES OR UPGRADES UNLESS CUSTOMER, AT THE TIME OF ACQUIRING SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL SOFTWARE AND HAS PAID ANY AND ALL APPLICABLE FEE FOR THE UPGRADE OR ADDITIONAL COPIES; (2) USE OF UPGRADES IS LIMITED TO THE EQUIPMENT FOR WHICH CUSTOMER IS THE ORIGINAL END USER PURCHASER OR WHO OTHERWISE HOLDS A VALID LICENSE TO USE THE SOFTWARE WHICH IS BEING UPGRADED; AND (3) THE MAKING AND USE OF ADDITIONAL COPIES IS LIMITED TO NECESSARY BACKUP PURPOSES ONLY.

Proprietary Notices. Customer agrees to maintain and reproduce all copyright and other proprietary notices on all copies, in any form, of the Software in the same form and manner that such copyright and other proprietary notices are included on the Software. Except as expressly authorized in this Agreement, Customer shall not make any copies or duplicates of any Software without the prior written permission of Bandura.

Term, Automatic Renewal and Termination. This Agreement and the license granted herein shall remain effective for such period indicated in the quotation or order documents, provided that any fees therefor are paid by Customer.  Unless otherwise expressly stated in quotation or order documents, and until terminated in writing by either party no less than 30 days prior to the end of the initial term or the end of any renewal term, the license granted herein shall automatically renew for successive one year periods, and the applicable annual fees therefor shall be due and payable by Customer.  Customer’s rights under this Agreement will terminate immediately without notice from Bandura if Customer fails to comply with any provision of this Agreement. Upon termination, Customer shall destroy any and all copies of the Software, Upgrades and Documentation in its possession or control.

All confidentiality and indemnity obligations of Customer, all limitations of liability, all disclaimers and all restrictions of warranty contained in this Agreement shall survive termination of this Agreement.

Export Restrictions. The Equipment, Software and/or Documentation are subject to the export control laws and regulations of the United States, including, but not limited to, the U.S. Export Administration Act of 1979, as amended, and any successor U.S. legislation, and the Export Administration Regulations (“EAR”) administered by the U.S. Bureau of Industry and Security (“BIS”), in particular because the Equipment, Software and/or Documentation incorporate cryptographic functionality. Accordingly, Customer shall not export, reexport, transfer, or otherwise distribute or disseminate the Equipment, Software and/or Documentation without first obtaining any and all necessary licenses or approvals from BIS, including the issuance either to Bandura or Customer of a Commodity Classification and Automated Tracking System (CCATS) determination from BIS in accordance with Section 740.17 or Section 742.15 of the EAR, and any other responsible U.S. Government agency. In particular, except as specifically authorized, Customer shall not export, reexport, transfer, or otherwise distribute or disseminate the Product (i) in or to any country then under U.S. embargo, currently Cuba, Iran, Sudan, Syria, and North Korea; (ii) to any entity or individual on the U.S. Treasury Department’s List of Specially Designated Nationals and Blocked Persons, or on the Entity List, Denied Persons List, or Unverified List, each of which is maintained by BIS; or (iii) for any end use prohibited pursuant to Part 744 of the EAR. Furthermore, Customer agrees not to export, reexport, transfer, or otherwise distribute or disseminate the product to any end user in a country other than the countries listed in Supplement No. 3 to Part 740. Customer will defend, indemnify, and hold BANDURA harmless from and against all fines, penalties, liabilities, damages, costs, and expenses incurred by BANDURA as a result of any violation of the U.S. export control laws and regulations.

U.S. Government End User Purchasers. The Software and the Documentation qualify as “commercial items,” as that term is defined at Federal Acquisition Regulation (“FAR”) (48 C.F.R.) 2.101, consisting of “commercial computer software” and “commercial computer software documentation” as such terms are used in FAR 12.212. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1 through 227.7202-4, and notwithstanding any other FAR or other contractual clause to the contrary in any agreement into which this Software License Agreement may be incorporated, Customer may provide to Government end user or, if this Agreement is direct, Government end user will acquire, the Software and Documentation with only those rights set forth in this Software License Agreement. Use of either the Software or Documentation or both constitutes agreement by the Government that the Software and Documentation are “commercial computer software” and “commercial computer software documentation,” and constitutes acceptance of the rights and restrictions herein.

Warranty, Disclaimer and Limitation of Liabilities

BANDURA WARRANTS, DURING THE TERM OF ANY LICENSE OR SUBSCRIPTION FOR THE SOLUTION IN EFFECT PURSUANT TO THIS AGREEMENT, THAT THE SOFTWARE WILL OPERATE IN ACCORDANCE WITH THE DOCUMENTATION IN ALL MATERIAL RESPECTS.  BANDURA’S SOLE OBLIGATION AND CUSTOMER’S SOLE REMEDY FOR ANY BREACH OF THE FOREGOING WARRANTY SHALL BE TO REPAIR THE SOFTWARE OR OTHERWISE MODIFY THE SOLUTION SO THAT THE SOFTWARE OPERATES IN ACCORDANCE WITH THE FOREGOING WARRANTY.

Hardware Warranty

Bandura Cyber warrants that for a period of twelve (12) months from shipment (the “Hardware Warranty Period”) the unmodified hardware portions will, under normal use, be free of substantial defects in materials and workmanship provided, however, that this warranty does not cover any Hardware component failures caused by: (i) accident; unusual physical, electrical or electromagnetic stress; neglect; misuse; fluctuations in electrical power beyond the applicable specifications; failure of air conditioning or humidity control; or (ii) installation, alteration or repair of the products by anyone other than Bandura Cyber or other persons expressly authorized by Bandura Cyber.

BANDURA SPECIFICALLY DISCLAIMS AND DOES NOT AGREE TO ANY IMPLIED WARRANTY, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, ANY IMPLIED WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE OR ANY IMPLIED WARRANTY THAT THE HARDWARE OR SOFTWARE WILL NOT INFRINGE ANY PATENT, TRADEMARK, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHTS.

EXCEPT FOR ANY REMEDY SET FORTH IN THIS LIMITED WARRANTY, IN NO EVENT WILL BANDURA OR ITS SUPPLIERS BE LIABLE TO YOU FOR ANY LOSS, DAMAGES, CLAIMS OR COSTS WHATSOEVER INCLUDING ANY CONSEQUENTIAL, INDIRECT OR INCIDENTAL DAMAGES, ANY LOST PROFITS OR LOST SAVINGS, ANY DAMAGES RESULTING FROM BUSINESS INTERRUPTION, PERSONAL INJURY OR FAILURE TO MEET ANY DUTY OF CARE, OR CLAIMS BY A THIRD PARTY, EVEN IF A BANDURA REPRESENTATIVE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS, DAMAGES, CLAIMS OR COSTS. REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE OR OTHERWISE, IN NO EVENT WILL BANDURA OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, LOST PROFIT, OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF CAPITAL, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE OR OTHERWISE AND EVEN IF BANDURA OR ITS SUPPLIERS OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO EVENT SHALL BANDURA’S OR ITS SUPPLIERS’ OR LICENSORS’ LIABILITY TO CUSTOMER, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF WARRANTY, OR OTHERWISE, EXCEED THE PRICE PAID BY CUSTOMER DURING THE 12 MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO LIABILITY.

THE FOREGOING LIMITATIONS AND EXCLUSIONS APPLY TO THE EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

Customer agrees that the limitations of liability and disclaimers set forth herein will apply regardless of whether Customer has accepted the Equipment, the Software or any other product or service delivered by Bandura. Customer acknowledges and agrees that Bandura has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the parties.

Miscellaneous. The Agreement shall be governed by and construed in accordance with the laws of the Commonwealth of Virginia, without reference to or application of choice of law rules or principles.

If any portion hereof is found to be void or unenforceable, the remaining provisions of the Agreement shall remain in full force and effect.

Except as expressly provided herein, this Agreement constitutes the entire agreement between the parties with respect to the license of the Software and the Documentation and supersedes any conflicting or additional terms contained in any purchase order or elsewhere, all of which terms are excluded.

Any controversy or claim arising under or related to this Agreement shall be settled by arbitration in the Commonwealth of Virginia, United States of America in accordance with the arbitration rules of the American Arbitration Association before a single arbitrator and judgment upon the award rendered by the arbitrator may be entered in any court having jurisdiction thereof. Bandura and Customer shall each select an arbitrator, and those two selected arbitrators will select the single arbitrator to hear the controversy or claim.