Next Generation Firewalls and Sandboxing Joe Hughes, Director www.servicetech.co.uk
NGFW and Sandboxing

Aug 17, 2015

Page 1: NGFW and Sandboxing

Next Generation Firewalls and Sandboxing

Joe Hughes, Director
www.servicetech.co.uk

Page 2: NGFW and Sandboxing

Summary

• What is a Next Generation Firewall (NGFW)?
  • Threat evolution
  • Features
  • Deployment
  • Best practices

• What is Sandboxing?
  • Advanced threat protection
  • Features
  • Deployment

Page 3: NGFW and Sandboxing

Under constant attack

• Data breaches, targeted attacks, outages, customer and financial information stolen.

• How can this happen? I have antivirus!

• Attacks are becoming more sophisticated.

• Specially crafted attacks using custom and often highly tailored malware.

Page 4: NGFW and Sandboxing

Advanced Threats

We’re using state-of-the-art computer systems, so this could potentially be a threat to others in the industry

Page 5: NGFW and Sandboxing

New security approaches

Next Generation Firewall

Sandboxing & Payload Analysis

Page 6: NGFW and Sandboxing

NGFW : Next Generation Firewall

A high-performance firewall with application awareness, deep packet inspection, intrusion prevention and threat intelligence capabilities.

Page 7: NGFW and Sandboxing

NGFW : How are NGFW different?

• Widening the “5-Tuple”

• Application awareness and DPI (Deep Packet Inspection)

• IP reputation database and Geo-IP Awareness

• User and device awareness.

• Intrusion Prevention System
  • Defends against network-borne attacks: DoS, XSS, viruses, buffer overflows, brute force
  • Primarily signature or pattern based

2014 Verizon Breach Report
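The "widened 5-tuple" is easiest to see in a policy engine. The following is an added example, not code from the slides or from any firewall vendor: a toy first-match rule table whose rules can require the DPI-identified application, the authenticated user, the Geo-IP region and a minimum IP-reputation score in addition to the classic ports and protocol. All rule names, users, the "XX" region placeholder, reputation scores and addresses (RFC 5737 documentation ranges) are constructed.

```python
# Added example (not from the slides or any vendor): a toy first-match policy
# engine showing how an NGFW widens the classic 5-tuple with DPI-identified
# application, user identity, Geo-IP and IP reputation. All rules, users,
# countries, reputation scores and addresses (RFC 5737 ranges) are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    # classic 5-tuple
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    # context an NGFW adds on top of the 5-tuple
    app: str             # application identified by DPI, not inferred from the port
    user: str            # from directory / identity integration
    dst_country: str     # Geo-IP lookup of dst_ip
    dst_reputation: int  # 0 = known bad .. 100 = clean (reputation feed)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                 # "allow" or "deny"
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    apps: FrozenSet[str] = frozenset()          # empty = any application
    users: FrozenSet[str] = frozenset()         # empty = any user
    countries: FrozenSet[str] = frozenset()     # empty = any country
    min_reputation: int = 0                     # destination must score at least this

    def matches(self, f: Flow) -> bool:
        if self.dst_port is not None and f.dst_port != self.dst_port:
            return False
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.apps and f.app not in self.apps:
            return False
        if self.users and f.user not in self.users:
            return False
        if self.countries and f.dst_country not in self.countries:
            return False
        if f.dst_reputation < self.min_reputation:
            return False
        return True


# Constructed policy. A port-based firewall would stop at "443/tcp allowed";
# here the same rule also demands that DPI actually sees TLS and that the
# destination's reputation is acceptable, and a Geo-IP deny sits above it.
POLICY: List[Rule] = [
    Rule("deny-geo-block", "deny", countries=frozenset({"XX"})),   # "XX" = placeholder region
    Rule("allow-web", "allow", dst_port=443, proto="tcp",
         apps=frozenset({"tls", "https"}), min_reputation=30),
    Rule("allow-admin-ssh", "allow", dst_port=22, proto="tcp",
         apps=frozenset({"ssh"}), users=frozenset({"alice"})),
]


def evaluate(rules: List[Rule], f: Flow) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for r in rules:
        if r.matches(f):
            return r.action, r.name
    return "deny", "implicit-deny"


def demo() -> dict:
    """Constructed flows that look alike to a 5-tuple-only firewall (same
    ports and protocol) but are treated differently with the extra context."""
    base = dict(src_ip="192.0.2.10", src_port=51000, proto="tcp", user="bob",
                dst_country="GB", dst_reputation=90)
    flows = {
        "https-good":    Flow(**{**base, "dst_ip": "203.0.113.5", "dst_port": 443, "app": "tls"}),
        "p2p-on-443":    Flow(**{**base, "dst_ip": "203.0.113.6", "dst_port": 443, "app": "bittorrent"}),
        "https-bad-rep": Flow(**{**base, "dst_ip": "198.51.100.9", "dst_port": 443, "app": "tls",
                                 "dst_reputation": 5}),
        "https-geo":     Flow(**{**base, "dst_ip": "198.51.100.20", "dst_port": 443, "app": "tls",
                                 "dst_country": "XX"}),
        "ssh-bob":       Flow(**{**base, "dst_ip": "203.0.113.22", "dst_port": 22, "app": "ssh"}),
        "ssh-alice":     Flow(**{**base, "dst_ip": "203.0.113.22", "dst_port": 22, "app": "ssh",
                                 "user": "alice"}),
    }
    return {name: evaluate(POLICY, f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:14} -> {action:5} ({rule})")
```

The point of the six constructed flows is that four of them are "443/tcp" or "22/tcp" and would be decided by port alone on a traditional firewall; with application, reputation, Geo-IP and user in the match key, BitTorrent on 443, a known-bad destination and a non-admin SSH session all fall through to the implicit deny.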

Page 8: NGFW and Sandboxing

NGFW : Performance is key

• 100Mbps, 1GE, 10GE, 40GE and 100GE networks = Big demands

• Measured in throughput (Gbps) and Latency (μs or ms).

• ASIC or x86 architectures.

• Encrypted traffic is growing rapidly.

• Widespread adoption of Cloud.

ASIC = Application Specific Integrated Circuit

Page 9: NGFW and Sandboxing

NGFW : Deployment : Edge

Network Perimeter / Edge

• Secures North – South traffic.

• Protects against inbound attacks from the internet.

• Prevents, identifies and blocks malicious outbound traffic.

• Traditional role of a firewall.

Page 10: NGFW and Sandboxing

NGFW : Deployment : Internal

Internal Network Firewall (INFW)

• Secures East – West traffic.

• Transparent, invisible.

• Identifies threats and intrusions, near-zero deployment.

• Throughput is key.

• 75% of datacentre traffic is east-west, compared to 17% north-south through the network edge*

• Virtualisation. Cloud. Flat networks.

*Remaining traffic is inter-dc traffic.

Page 11: NGFW and Sandboxing

NGFW : Best practices and Features

1. Application awareness. Least privilege.

2. Intrusion Prevention.

3. IP reputation and Geo-IP.

4. External threat intelligence.

5. Zoning and Segmentation.

6. Management.

7. Monitoring.

Firewall Breaches

Page 12: NGFW and Sandboxing

NGFW : Single vendor? Multi-vendor?

It is generally not more secure to use firewalls from multiple vendors to protect enterprise networks.

Most enterprises should standardize on a single firewall platform to minimize self-inflicted configuration errors

Through 2018, more than 95% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws

More companies are using outsourced services from MSSPs instead of, or working with, their existing IT resource.

Page 13: NGFW and Sandboxing

NGFW : Network Traffic Analysis

Next Generation Firewall

Sandboxing & Payload Analysis

Page 14: NGFW and Sandboxing

Advanced Threat Prevention

Sandboxing

Page 15: NGFW and Sandboxing

Sandboxing : Introduction

Page 16: NGFW and Sandboxing

Sandboxing : NGFW scenario

Page 17: NGFW and Sandboxing

Sandboxing : What is a Sandbox?

• Secure virtual runtime environment exposes unknown threats.

• Physical appliance or virtual-machine.

• Tests files in a secure environment.

• Report (Good or Bad).

• Creates signatures that are used by the IPS system and endpoint protection.

Page 18: NGFW and Sandboxing

Sandboxing : Operation

Call Back Detection

Full Virtual Sandbox

Code Emulation

Cloud File Query

AV Prefilter

• Quickly simulate intended activity with code emulation

• OS independent & immune to evasion – high catch rate

• Apply top-rated anti-malware engine

• Examine real-time, full-lifecycle activity in the sandbox to get the threat to expose itself

• Check community intelligence & file reputation

• Identify the ultimate aim, call back & exfiltration

• Mitigate w/ analytics
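The stage list above (AV prefilter, cloud file query, code emulation, full virtual sandbox, call-back detection) and the previous slide's point that the sandbox "creates signatures that are used by the IPS system and endpoint protection" fit together as one pipeline. The following is an added example, not code from the slides or from any sandbox product: cheap stages run first and stop the pipeline as soon as they reach a verdict, the expensive detonation runs only for files nothing else could classify, and a malicious verdict publishes a file hash and any call-back destination to a store the IPS and endpoint agents consult. The AV byte pattern, the cloud reputation entry, the "C2" address (an RFC 5737 test address), the samples and their behaviour traces are all constructed.

```python
# Added example (not from the slides or any vendor product): a toy multi-stage
# analysis pipeline, cheapest stage first, that feeds verdicts back as
# signatures for the IPS and endpoint agents. Every pattern, reputation entry,
# sample and behaviour trace below is constructed for the example.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-ins for the intelligence each stage consults.
AV_PATTERNS = {b"CONSTRUCTED-AV-SIGNATURE-MARKER"}                 # byte patterns the AV prefilter knows
CLOUD_REPUTATION = {hashlib.sha256(b"quarterly report").hexdigest(): "clean"}  # sha256 -> community verdict
MALICIOUS_ACTIONS = {"writes_autorun", "injects_process", "encrypts_user_files"}
KNOWN_CALLBACK_HOSTS = {"198.51.100.77"}                          # RFC 5737 test address standing in for a C2
EMULATION_BUDGET = 2   # code emulation is quick and shallow: it only covers the first few actions


@dataclass
class Sample:
    name: str
    content: bytes
    behaviour: List[str]   # what a detonation would record, e.g. "connect:198.51.100.77"


@dataclass
class SignatureStore:
    """Signatures handed to the IPS and endpoint protection after a detonation."""
    file_hashes: Set[str] = field(default_factory=set)
    callback_hosts: Set[str] = field(default_factory=set)

    def ips_should_block(self, dst_ip: str) -> bool:
        return dst_ip in self.callback_hosts

    def endpoint_should_block(self, content: bytes) -> bool:
        return hashlib.sha256(content).hexdigest() in self.file_hashes


def first_callback(s: Sample) -> Optional[str]:
    """Destination of the first connection to a known call-back host, if any."""
    for action in s.behaviour:
        if action.startswith("connect:") and action[len("connect:"):] in KNOWN_CALLBACK_HOSTS:
            return action[len("connect:"):]
    return None


# Each stage returns "clean", "malicious", or None (no opinion: pass to the next stage).
def av_prefilter(s: Sample) -> Optional[str]:
    return "malicious" if any(p in s.content for p in AV_PATTERNS) else None

def cloud_file_query(s: Sample) -> Optional[str]:
    return CLOUD_REPUTATION.get(hashlib.sha256(s.content).hexdigest())

def code_emulation(s: Sample) -> Optional[str]:
    return "malicious" if MALICIOUS_ACTIONS & set(s.behaviour[:EMULATION_BUDGET]) else None

def full_sandbox(s: Sample) -> Optional[str]:
    return "malicious" if MALICIOUS_ACTIONS & set(s.behaviour) else None

def callback_detection(s: Sample) -> Optional[str]:
    return "malicious" if first_callback(s) else None

STAGES = [("av_prefilter", av_prefilter), ("cloud_file_query", cloud_file_query),
          ("code_emulation", code_emulation), ("full_sandbox", full_sandbox),
          ("callback_detection", callback_detection)]


def analyse(s: Sample, store: SignatureStore) -> Tuple[str, str, Optional[str]]:
    """Stop at the first stage with a verdict; publish signatures on 'malicious'."""
    for stage_name, stage in STAGES:
        result = stage(s)
        if result is None:
            continue
        cb = first_callback(s) if result == "malicious" else None
        if result == "malicious":
            store.file_hashes.add(hashlib.sha256(s.content).hexdigest())
            if cb:
                store.callback_hosts.add(cb)
        return result, stage_name, cb
    return "clean", "exhausted", None   # nothing flagged it after a full detonation


def demo() -> Dict:
    store = SignatureStore()
    samples = [   # constructed samples; "MZ" prefixes only mimic an executable header
        Sample("known-bad-exe", b"MZ" + b"CONSTRUCTED-AV-SIGNATURE-MARKER", ["writes_autorun"]),
        Sample("known-good-doc", b"quarterly report", ["open_document"]),
        Sample("dropper", b"MZ unknown-1", ["decompress", "writes_autorun", "sleep"]),
        Sample("delayed-dropper", b"MZ unknown-2", ["open_document", "sleep", "sleep", "injects_process"]),
        Sample("beacon-only", b"MZ unknown-3", ["open_document", "connect:198.51.100.77"]),
        Sample("benign-unknown", b"plain text memo", ["open_document", "print"]),
    ]
    verdicts = {s.name: analyse(s, store) for s in samples}
    return {
        "verdicts": verdicts,
        "ips_blocks_c2": store.ips_should_block("198.51.100.77"),
        "endpoint_blocks_known_bad": store.endpoint_should_block(samples[0].content),
        "endpoint_blocks_benign": store.endpoint_should_block(samples[5].content),
    }


if __name__ == "__main__":
    for name, verdict in demo()["verdicts"].items():
        print(f"{name:16} -> {verdict}")
```

Two details carry the slide's argument: the "delayed-dropper" sample is missed by the shallow emulation budget and only caught by the full detonation, and the "beacon-only" sample does nothing locally that a behaviour list would flag, so only call-back detection classifies it, after which the IPS store blocks that destination for every other host on the network.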

Page 19: NGFW and Sandboxing

Sandboxing : How does it work?

• Files
  • Productivity (Word, Excel, PDF)
  • Archives (.rar, .zip, .tar.gz, .cab)
  • Executables (.exe, .dll)
  • Media (.avi, .mpeg, .mp3, .mp4)

• Protocols
  • HTTP, FTP, POP3, IMAP, SMTP, SMB, IM
  • SSL-equivalent versions

• No such thing as a benign file.

• Blocking Macros or Executables doesn’t solve the issue.

Page 20: NGFW and Sandboxing

Sandboxing : Deployment & Operation

• Sniffer – passive detection.

• Integrated – active detection.

• API – JSON submission. Application integration.

• Manual – Manual submission (by users).

• Automatic – Scan file shares (SMB/CIFS)

• Cloud
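The "Automatic – scan file shares" and "API – JSON submission" modes above combine naturally, and the file-type list from the previous slide decides what is worth submitting. The following is an added example, not code from the slides or any appliance's real API: it walks a share, keeps only the productivity, archive, executable and media types listed, de-duplicates by SHA-256 so the sandbox's limited files-per-hour budget is not spent re-detonating content it has already seen, and builds the JSON records that would be posted to the submission endpoint. The endpoint URL, the JSON field names, the size limit and the contents of the demo share are all constructed; a real appliance's submission schema will differ.

```python
# Added example (not from the slides or any appliance's API): automatic
# file-share scanning that builds JSON submissions for a sandbox. The URL,
# field names, size limit and demo share contents are constructed.
import base64
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set

SUBMIT_URL = "https://sandbox.example.invalid/api/v1/submit"   # placeholder, not a real endpoint
MAX_BYTES = 50 * 1024 * 1024                                     # assumed per-file limit

# File classes from the "How does it work?" slide, keyed by suffix.
INTERESTING = {
    ".docx": "productivity", ".xlsx": "productivity", ".pdf": "productivity",
    ".rar": "archive", ".zip": "archive", ".tar.gz": "archive", ".cab": "archive",
    ".exe": "executable", ".dll": "executable",
    ".avi": "media", ".mpeg": "media", ".mp3": "media", ".mp4": "media",
}


def classify(path: Path) -> Optional[str]:
    """Return the file class, or None for types the sandbox is not fed."""
    name = path.name.lower()
    for ext, kind in INTERESTING.items():   # endswith() also handles .tar.gz
        if name.endswith(ext):
            return kind
    return None


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_submission(path: Path, kind: str, digest: str) -> Dict:
    """JSON body for one file; the field names are an assumption of this example."""
    return {
        "filename": path.name,
        "file_type": kind,
        "sha256": digest,
        "size": path.stat().st_size,
        "content_b64": base64.b64encode(path.read_bytes()).decode("ascii"),
        "source": "share-scan",
    }


def scan_share(root: Path, seen: Set[str]) -> List[Dict]:
    """Submissions for new, interesting files under root; `seen` persists across runs."""
    submissions = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        kind = classify(path)
        if kind is None or path.stat().st_size > MAX_BYTES:
            continue
        digest = sha256_file(path)
        if digest in seen:          # identical content already analysed: do not resubmit
            continue
        seen.add(digest)
        submissions.append(build_submission(path, kind, digest))
    return submissions


def make_demo_share() -> Path:
    """Constructed share: two copies of one document, an archive, a binary and a text note."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    (root / "finance").mkdir()
    (root / "finance" / "q3.docx").write_bytes(b"PK constructed docx")
    (root / "q3-copy.docx").write_bytes(b"PK constructed docx")   # duplicate content
    (root / "backup.tar.gz").write_bytes(b"\x1f\x8b constructed")
    (root / "tool.exe").write_bytes(b"MZ constructed")
    (root / "notes.txt").write_bytes(b"not a sandboxed type")
    return root


if __name__ == "__main__":
    seen: Set[str] = set()
    share = make_demo_share()
    batch = scan_share(share, seen)
    print(json.dumps(batch, indent=2))          # what would be POSTed to SUBMIT_URL
    print("second pass, new files:", len(scan_share(share, seen)))
```

Of the five constructed files, three are submitted: the duplicate document is dropped by hash, the text note by type, and a second pass over the unchanged share submits nothing.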

Page 21: NGFW and Sandboxing

Sandboxing : Evasion

• Be scared – evasion techniques.

• Human interaction
  • Requires mouse clicks, scrolling or “human” behaviour to trigger.
  • The RTF pFragments exploit is an example (“reverse Turing” test).

• Configuration specific
  • Understand sandbox constraints: execution time, analysis time.

• Environment specific
  • Attempts to detect the virtual environment: VMTools, registry, drive serial numbers, MAC addresses, drivers.
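The three evasion classes above are also detectable from the sandbox's own behaviour report, which is the defender's answer to them: a sample that probes for a hypervisor, stalls past the analysis window or polls for user input and then does nothing should be re-detonated with a longer budget and simulated user activity rather than marked clean. The following is an added example, not code from the slides or any sandbox product: a triage function over a constructed report format. The event layout, the thresholds, the Windows API names used as plain strings and the two sample reports are all assumptions of this example.

```python
# Added example (not from the slides or any sandbox product): triage over a
# sandbox behaviour report that flags the evasion classes on the slide and
# recommends re-detonation. Report format, thresholds and samples are constructed.
import re
from typing import Dict, List

VIRT_MARKERS = re.compile(r"vmware|vbox|virtualbox|qemu|xen|hyper-v", re.IGNORECASE)
ENV_PROBE_APIS = {"RegOpenKeyExW", "RegQueryValueExW", "GetAdaptersInfo", "DeviceIoControl"}
INTERACTION_APIS = {"GetCursorPos", "GetLastInputInfo", "GetAsyncKeyState"}
TIMING_APIS = {"GetTickCount", "QueryPerformanceCounter"}
LONG_SLEEP_MS = 60_000          # assumed: sleeping a minute or more is stalling
MAX_TIMING_CALLS = 50           # assumed: more clock reads than this is a stalling loop
MIN_INTERACTION_POLLS = 3       # assumed: repeated input polling before any activity


def triage(report: Dict) -> Dict:
    """Report = {"timeout_s", "files_written", "connections", "events": [{"api", "arg"}, ...]}."""
    events: List[Dict] = report["events"]
    indicators: List[str] = []

    # Environment specific: registry / driver / adapter lookups that name a hypervisor.
    probes = [e for e in events
              if e["api"] in ENV_PROBE_APIS and VIRT_MARKERS.search(str(e.get("arg", "")))]
    if probes:
        indicators.append(f"environment: {len(probes)} hypervisor-artifact lookups")

    # Configuration specific: outlasting the analysis window or spinning on the clock.
    sleep_ms = sum(e["arg"] for e in events if e["api"] == "Sleep")
    if sleep_ms >= LONG_SLEEP_MS:
        indicators.append(f"timing: sleeps {sleep_ms // 1000}s against a {report['timeout_s']}s window")
    timing_calls = sum(1 for e in events if e["api"] in TIMING_APIS)
    if timing_calls > MAX_TIMING_CALLS:
        indicators.append(f"timing: {timing_calls} clock reads (stalling loop)")

    # Human interaction: waiting for mouse or keyboard activity before doing anything.
    polls = sum(1 for e in events if e["api"] in INTERACTION_APIS)
    if polls >= MIN_INTERACTION_POLLS:
        indicators.append(f"interaction: {polls} input polls")

    idle = report["files_written"] == 0 and report["connections"] == 0
    if indicators and idle:
        recommendation = "likely evasive: re-detonate with longer timeout and simulated user input"
    elif indicators:
        recommendation = "evasion checks seen but payload ran: keep the behaviour verdict"
    else:
        recommendation = "no evasion indicators"
    return {"indicators": indicators, "idle": idle, "recommendation": recommendation}


# Constructed reports. The evasive one probes for a hypervisor, polls the mouse,
# sleeps five minutes inside a two-minute window, spins on the clock, then exits.
EVASIVE_REPORT = {
    "timeout_s": 120, "files_written": 0, "connections": 0,
    "events": [
        {"api": "RegOpenKeyExW", "arg": "SOFTWARE\\VMware, Inc.\\VMware Tools"},
        {"api": "RegQueryValueExW", "arg": "SystemBiosVersion=VBOX"},
        {"api": "GetCursorPos", "arg": ""}, {"api": "GetCursorPos", "arg": ""},
        {"api": "GetCursorPos", "arg": ""},
        {"api": "Sleep", "arg": 300_000},
    ] + [{"api": "GetTickCount", "arg": 0}] * 80,
}
BENIGN_REPORT = {
    "timeout_s": 120, "files_written": 3, "connections": 1,
    "events": [{"api": "CreateFileW", "arg": "report.pdf"}, {"api": "Sleep", "arg": 500}],
}


if __name__ == "__main__":
    for name, rep in (("evasive", EVASIVE_REPORT), ("benign", BENIGN_REPORT)):
        print(name, triage(rep))
```

The "idle" flag is what separates the two recommendations: a sample that checks for a virtual machine but still drops files or connects out has shown its behaviour and can be judged on it, whereas one that checks and then does nothing has most likely recognised the sandbox and needs a second run under different conditions.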

Page 22: NGFW and Sandboxing

Sandboxing : Performance

• Files per hour
  • Entry level: 160 per hour
  • Advanced: 560 per hour

• AV scanning
  • Entry level: 6,000 per hour
  • Advanced: 15,000 per hour

• Number of VMs
  • Entry level: 8
  • Advanced: 28

• Microsoft licensing (Windows, Office)

Figures based on Fortinet FSA-1000D and FSA-3000D

Page 23: NGFW and Sandboxing

Sandboxing : Effectiveness

• FortiSandbox
  • 99% detection.
  • Results delivered within 1 minute.
  • NSS Labs Breach Detection (BDS).
  • Evaluated on effectiveness and TCO per Mbps (bang per buck).

• Other vendors
  • Trend Micro
  • SourceFire (Cisco)
  • FireEye
  • AhnLab
  • Open-source options (Cuckoo, Sandboxie, Malwr)

Page 24: NGFW and Sandboxing

Summary

• NGFW
  • Securing the network edge.
  • INFW in transparent or segmented mode.
  • East-West traffic is 5x higher than North-South.

• Sandboxing
  • Payload analysis.
  • Classification of custom malware, unknown, targeted and advanced threats. Creates signatures for use by IPS.
  • Sniffer mode, API or integrated.

Page 25: NGFW and Sandboxing

Thank you - Questions?