Date posted: 17-Aug-2015
Summary
• What is a Next Generation Firewall (NGFW)?
  • Threat evolution
  • Features
  • Deployment
  • Best practices
• What is Sandboxing?
  • Advanced threat protection
  • Features
  • Deployment
Under constant attack
• Data breaches, targeted attacks, outages, customer and financial information stolen.
• How can this happen? I have antivirus!
• Attacks are becoming more sophisticated.
• Specially crafted attacks using custom and often highly tailored malware.
Advanced Threats
We’re using state-of-the-art computer systems, so this could potentially be a threat to others in the industry
NGFW : Next Generation Firewall
A high performance firewall with application awareness, deep packet inspection, intrusion prevention and threat
intelligence capabilities.
NGFW : How are NGFW different?
• Widening the “5-Tuple”
• Application awareness and DPI (Deep Packet Inspection)
• IP reputation database and Geo-IP Awareness
• User and device awareness.
• Intrusion Prevention System
• Defends against network-borne attacks
  • DoS, XSS, viruses, buffer overflows, brute force
• Primarily signature or pattern based
Slide graphic: 2014 Verizon Breach Report
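To make "widening the 5-tuple" concrete, the following is an added example (not code from the slides or from any firewall vendor) that evaluates the same flows against a classic port-and-network policy and against a policy that also matches on DPI-identified application, user and Geo-IP country, with an IP-reputation check ahead of the rule base and an implicit default deny. All addresses, rules, user names and the country code "ZZ" are constructed.

```python
# Added example (not from the slides): how widening the classic 5-tuple with
# application, user and Geo-IP fields changes the verdict on the same flow.
# All rules, addresses, users and country codes below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str                         # "tcp" or "udp"
    dst_port: int                      # source port omitted: no rule below constrains it
    app: Optional[str] = None          # application identified by DPI
    user: Optional[str] = None         # user from identity integration
    src_country: Optional[str] = None  # from a Geo-IP lookup


@dataclass
class Rule:
    action: str                        # "allow" or "deny"
    src: str = "0.0.0.0/0"             # source network; default = any
    dst: str = "0.0.0.0/0"             # destination network; default = any
    proto: Optional[str] = None        # None = any
    dst_port: Optional[int] = None
    app: Optional[str] = None          # widened fields: only an NGFW policy sets these
    user: Optional[str] = None
    src_country: Optional[str] = None


WIDENED = ("proto", "dst_port", "app", "user", "src_country")


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when its networks contain the flow and every field the
    rule specifies equals the flow's value; unspecified fields mean 'any'."""
    if ip_address(flow.src_ip) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst_ip) not in ip_network(rule.dst):
        return False
    return all(getattr(rule, f) is None or getattr(rule, f) == getattr(flow, f)
               for f in WIDENED)


def evaluate(rules, flow: Flow, bad_reputation=frozenset()) -> str:
    """First-match evaluation with an IP-reputation check ahead of the rule
    base and an implicit default deny (least privilege) at the end."""
    if flow.src_ip in bad_reputation or flow.dst_ip in bad_reputation:
        return "deny"
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Classic policy: only ports and networks are visible to it.
LEGACY = [
    Rule("allow", proto="tcp", dst_port=443),
    Rule("allow", src="10.0.0.0/8", proto="tcp", dst_port=22),
]

# NGFW policy: the same intent, expressed with application, user and geography.
NGFW = [
    Rule("deny", src_country="ZZ"),                       # constructed Geo-IP block
    Rule("allow", proto="tcp", dst_port=443, app="ssl"),  # 443 must really carry SSL
    Rule("allow", src="10.0.0.0/8", proto="tcp", dst_port=22, app="ssh", user="ops-admin"),
]

BAD_IPS = frozenset({"203.0.113.7"})  # constructed reputation entry (TEST-NET-3 range)

# Constructed flows (documentation and private address ranges only).
F_HTTPS = Flow("10.1.2.3", "198.51.100.10", "tcp", 443, app="ssl", user="alice", src_country="GB")
F_TUNNEL = Flow("10.1.2.3", "198.51.100.10", "tcp", 443, app="unknown-tcp", user="alice", src_country="GB")
F_SSH_INTERN = Flow("10.1.2.3", "10.9.9.9", "tcp", 22, app="ssh", user="intern", src_country="GB")
F_BAD_REP = Flow("203.0.113.7", "10.9.9.9", "tcp", 443, app="ssl", src_country="GB")
F_GEO = Flow("192.0.2.44", "10.9.9.9", "tcp", 443, app="ssl", src_country="ZZ")


def compare(flow: Flow) -> dict:
    """Return both verdicts so the difference is visible side by side."""
    return {"legacy": evaluate(LEGACY, flow),
            "ngfw": evaluate(NGFW, flow, BAD_IPS)}


if __name__ == "__main__":
    for name, flow in [("https", F_HTTPS), ("non-ssl-on-443", F_TUNNEL),
                       ("ssh-by-intern", F_SSH_INTERN), ("bad-reputation", F_BAD_REP),
                       ("geo-blocked", F_GEO)]:
        print(f"{name:16} {compare(flow)}")
```

The legacy policy allows every one of the four suspicious flows because port 443 from any source looks identical to it; the widened policy denies the non-SSL traffic on 443, the SSH session by a user outside the permitted group, the flow from a bad-reputation address and the flow from the blocked country, while the legitimate HTTPS flow passes both.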
NGFW : Performance is key
• 100Mbps, 1GE, 10GE, 40GE and 100GE networks = Big demands
• Measured in throughput (Gbps) and Latency (μs or ms).
• ASIC or x86 architectures.
• Encrypted traffic is growing rapidly.
• Widespread adoption of Cloud.
ASIC = Application Specific Integrated Circuit
NGFW : Deployment : Edge
Network Perimeter / Edge
• Secures North – South traffic.
• Protects against inbound attacks from the internet.
• Prevents, identifies and blocks malicious outbound traffic.
• Traditional role of a firewall.
NGFW : Deployment : Internal
Internal Network Firewall (INFW)
• Secures East – West traffic.
• Transparent, invisible.
• Identifies threats and intrusions, near-zero deployment.
• Throughput is key.
• 75% of datacentre traffic is east-west, compared to 17% north-south through the network edge*
• Virtualisation. Cloud. Flat networks.
*Remaining traffic is inter-dc traffic.
NGFW : Best practices and Features
1. Application awareness. Least privilege.
2. Intrusion Prevention.
3. IP reputation and Geo-IP.
4. External threat intelligence.
5. Zoning and Segmentation.
6. Management.
7. Monitoring.
Firewall Breaches
NGFW : Single vendor? Multi-vendor?
It is generally not more secure to use firewalls from multiple vendors to protect enterprise networks.
Most enterprises should standardize on a single firewall platform to minimize self-inflicted configuration errors.
Through 2018, more than 95% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws
More companies are using outsourced services from MSSPs instead of, or alongside, their existing IT resources.
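Since misconfiguration rather than product flaws is the stated cause of most firewall breaches, a lint pass over the rule base is the practical counterpart of the best-practice list above. The following is an added example (not from the slides or from any vendor's management tooling) that checks an ordered policy for allow rules with no service or application restriction (least privilege), rules that do not log (monitoring), rules shadowed by an earlier broader rule, and a missing explicit default deny. The rule fields and both sample policies are constructed.

```python
# Added example (not from the slides): a small lint pass over an ordered
# firewall rule base that flags the misconfigurations the best-practice
# list targets. Rule fields and the sample policies are constructed.

FIELDS = ("src_zone", "dst_zone", "src", "dst", "service", "app")


def covers(earlier: dict, later: dict) -> bool:
    """True when every match field of `earlier` is 'any' or equal to the
    corresponding field of `later`, i.e. `later` can never be reached."""
    return all(earlier[f] == "any" or earlier[f] == later[f] for f in FIELDS)


def lint(rules: list) -> list:
    """Return (rule name, code, detail) findings for an ordered rule list."""
    findings = []
    for i, rule in enumerate(rules):
        name = rule["name"]
        # Least privilege: an allow rule should restrict service or application.
        if rule["action"] == "allow" and rule["service"] == "any" and rule["app"] == "any":
            findings.append((name, "PERMISSIVE",
                             "allow rule has no service or application restriction"))
        # Monitoring: every rule should log its hits.
        if not rule.get("log", False):
            findings.append((name, "NO_LOG", "rule does not log hits"))
        # First-match semantics: an earlier rule that covers this one hides it.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((name, "SHADOWED",
                                 f"never reached: fully covered by '{earlier['name']}'"))
                break
    last = rules[-1] if rules else None
    if last is None or last["action"] != "deny" or any(last[f] != "any" for f in FIELDS):
        findings.append(("<policy>", "NO_DEFAULT_DENY",
                         "rule base does not end with an explicit any/any deny"))
    return findings


# Constructed policy with typical self-inflicted errors.
SAMPLE_POLICY = [
    {"name": "web-out", "src_zone": "trust", "dst_zone": "untrust",
     "src": "10.0.0.0/8", "dst": "any", "service": "tcp/443", "app": "ssl",
     "action": "allow", "log": True},
    {"name": "temp-any", "src_zone": "trust", "dst_zone": "untrust",
     "src": "any", "dst": "any", "service": "any", "app": "any",
     "action": "allow", "log": False},
    {"name": "block-smb-out", "src_zone": "trust", "dst_zone": "untrust",
     "src": "any", "dst": "any", "service": "tcp/445", "app": "any",
     "action": "deny", "log": True},
    {"name": "dmz-db", "src_zone": "dmz", "dst_zone": "trust",
     "src": "172.16.5.0/24", "dst": "10.20.0.5", "service": "tcp/5432",
     "app": "postgresql", "action": "allow", "log": True},
]

# The same intent with the temporary rule removed and a logged default deny.
FIXED_POLICY = [SAMPLE_POLICY[0], SAMPLE_POLICY[2], SAMPLE_POLICY[3],
                {"name": "default-deny", "src_zone": "any", "dst_zone": "any",
                 "src": "any", "dst": "any", "service": "any", "app": "any",
                 "action": "deny", "log": True}]

if __name__ == "__main__":
    for name, code, detail in lint(SAMPLE_POLICY):
        print(f"{name:14} {code:16} {detail}")
    print("fixed policy findings:", lint(FIXED_POLICY))
```

On the sample policy the "temp-any" rule is reported twice (permissive and unlogged), "block-smb-out" is reported as shadowed because the any/any allow before it means the SMB block never fires, and the policy as a whole lacks a default deny; the corrected policy produces no findings.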
Sandboxing : What is a Sandbox?
• Secure virtual runtime environment exposes unknown threats.
• Physical appliance or virtual-machine.
• Tests files in a secure environment.
• Report (Good or Bad).
• Creates signatures that are used by the IPS system and endpoint protection.
Sandboxing : Operation
Analysis stages (slide diagram, listed top to bottom): Call Back Detection, Full Virtual Sandbox, Code Emulation, Cloud File Query, AV Prefilter
• Quickly simulate intended activity with code emulation
• OS independent & immune to evasion – high catch rate
• Apply top-rated anti-malware engine
• Examine real-time, full lifecycle activity in the sandbox to get the threat to expose itself
• Check community intelligence & file reputation
• Identify the ultimate aim, call back & exfiltration
• Mitigate w/ analytics
Sandboxing : How does it work?
• Files
  • Productivity (Word, Excel, PDF)
  • Archives (.rar, .zip, .tar.gz, .cab)
  • Executables (.exe, .dll)
  • Media (.avi, .mpeg, .mp3, .mp4)
• Protocols
  • HTTP, FTP, POP3, IMAP, SMTP, SMB, IM
  • SSL equivalent versions
• No such thing as a benign file.
• Blocking Macros or Executables doesn’t solve the issue.
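The point that there is no benign file class, and that blocking by extension does not solve the problem, is easiest to see in the intake step of a sandbox: the file type has to come from the content, not the name, and a reputation lookup on the content hash decides whether a full run is needed at all. The following is an added example (not code from the slides or from any sandbox product) that identifies the file classes listed above by their magic bytes, flags an extension that disagrees with the content, and consults a hash-reputation cache before queuing the file. The magic values are the real format signatures; the file names, contents and reputation table are constructed.

```python
# Added example (not from the slides): identify a submitted file by its
# magic bytes instead of its extension, flag extension/content mismatches,
# and use a hash-reputation cache ("cloud file query") to decide whether
# the file needs a full sandbox run. Signatures are the real file-format
# magic values; file names, contents and the reputation table are constructed.
import hashlib

# (magic prefix, type) for the file classes the slides list.
MAGIC = [
    (b"MZ", "executable"),                         # PE: .exe / .dll
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                        # .zip and OOXML (.docx / .xlsx)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc / .xls
    (b"Rar!\x1a\x07", "rar"),
    (b"\x1f\x8b", "gzip"),                         # .gz / .tar.gz
    (b"MSCF", "cab"),
    (b"ID3", "mp3"),                               # ID3-tagged MP3
    (b"RIFF", "riff"),                             # .avi (and .wav)
]

# What each extension claims the content is.
EXT_TYPE = {"exe": "executable", "dll": "executable", "pdf": "pdf", "zip": "zip",
            "docx": "zip", "xlsx": "zip", "doc": "ole", "xls": "ole", "rar": "rar",
            "gz": "gzip", "tgz": "gzip", "cab": "cab", "mp3": "mp3", "avi": "riff",
            "mp4": "mp4"}


def identify(data: bytes) -> str:
    """Return the content type from magic bytes; 'unknown' if none match."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    if data[4:8] == b"ftyp":        # ISO base media (.mp4): the magic sits at offset 4
        return "mp4"
    return "unknown"


def triage(name: str, data: bytes, reputation: dict) -> dict:
    """Decide block / allow / sandbox for one file and record why."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = identify(data)
    claimed = EXT_TYPE.get(ext)
    mismatch = claimed is not None and claimed != actual
    digest = hashlib.sha256(data).hexdigest()
    verdict = reputation.get(digest)          # "malicious", "clean" or None
    if verdict == "malicious":
        action = "block"                      # known bad: no sandbox time needed
    elif verdict == "clean":
        action = "allow"                      # cached verdict for this exact content
    else:
        action = "sandbox"                    # unknown content: full analysis
    # Executables and disguised files go to the front of the sandbox queue.
    priority = "high" if action == "sandbox" and (mismatch or actual == "executable") else "normal"
    return {"name": name, "type": actual, "claimed": claimed, "mismatch": mismatch,
            "sha256": digest, "action": action, "priority": priority}


# Constructed sample contents (headers only; not real files).
EXE_AS_PDF = b"MZ\x90\x00" + b"\x00" * 60          # PE header behind a .pdf name
DOCX = b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml"
MP4 = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16
KNOWN_BAD = b"MZ\x90\x00" + b"\xde\xad\xbe\xef" * 8
KNOWN_GOOD = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"

# Constructed reputation cache keyed by SHA-256 of the content.
REPUTATION = {
    hashlib.sha256(KNOWN_BAD).hexdigest(): "malicious",
    hashlib.sha256(KNOWN_GOOD).hexdigest(): "clean",
}

if __name__ == "__main__":
    for fname, blob in [("invoice.pdf", EXE_AS_PDF), ("report.docx", DOCX),
                        ("clip.mp4", MP4), ("setup.exe", KNOWN_BAD), ("notes.pdf", KNOWN_GOOD)]:
        r = triage(fname, blob, REPUTATION)
        print(f"{r['name']:12} type={r['type']:10} mismatch={r['mismatch']!s:5} "
              f"action={r['action']} priority={r['priority']}")
```

The "invoice.pdf" sample is classified as an executable regardless of its name and goes to the sandbox at high priority; the known-bad executable is blocked and the known-clean PDF is allowed without consuming a VM slot, which is where the AV prefilter and cloud query stages save the files-per-hour budget of the full sandbox.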
Sandboxing : Deployment & Operation
• Sniffer – passive detection.
• Integrated – active detection.
• API – JSON submission. Application integration.
• Manual – Manual submission (by users).
• Automatic – Scan file shares (SMB/CIFS)
• Cloud
Sandboxing : Evasion
• Be scared – evasion techniques.
• Human interaction
  • Requires mouse clicks, scrolling or “human” behaviour to trigger.
  • RTF pFragments exploit is an example (“reverse Turing”).
• Configuration specific
  • Understand sandbox constraints: execution time, analysis time.
• Environment specific
  • Attempts to detect the virtual environment: VMTools, registry, drive serial numbers, MAC addresses, drivers.
Sandboxing : Performance
• Files per hour
  • Entry level: 160 per hour
  • Advanced: 560 per hour
• AV scanning
  • Entry level: 6,000 per hour
  • Advanced: 15,000 per hour
• Number of VMs
  • Entry level: 8
  • Advanced: 28
• Microsoft licensing (Windows, Office)
Figures based on Fortinet FSA-1000D and FSA-3000D
Sandboxing : Effectiveness
• FortiSandbox
  • 99% detection.
  • Results delivered within 1 minute.
  • NSS Labs Breach Detection (BDS).
  • Evaluated on effectiveness and TCO per Mbps (bang per buck).
• Other vendors
  • Trend Micro
  • SourceFire (Cisco)
  • FireEye
  • AhnLab
  • Open source options (Cuckoo, Sandboxie, Malwr)
Summary
• NGFW
  • Securing the network edge.
  • INFW in transparent or segmented mode.
  • East-West traffic is 5x higher than North-South.
• Sandboxing
  • Payload analysis.
  • Classification of custom malware, unknown, targeted and advanced threats. Creates signatures for use by IPS.
  • Sniffer mode, API or integrated.