Next Generation Firewalls and Sandboxing
Joe Hughes, Director, www.servicetech.co.uk

Summary
- What is a Next Generation Firewall (NGFW)? Threat evolution, features, deployment, best practices.
- What is Sandboxing? Advanced threat protection, features, deployment.
Under constant attack
- Data breaches, targeted attacks, outages, customer and financial information stolen.
- How can this happen? I have antivirus!
- Attacks are becoming more sophisticated: specially crafted attacks using custom and often highly tailored malware.

Advanced Threats
"We're using state-of-the-art computer systems, so this could potentially be a threat to others in the industry."
New security approaches
- Next Generation Firewall
- Sandboxing & Payload Analysis

NGFW : Next Generation Firewall
A high-performance firewall with application awareness, deep packet inspection, intrusion prevention and threat intelligence capabilities.
NGFW : How are NGFWs different?
- Widening the 5-tuple: the match criteria go beyond source/destination address, port and protocol.
  - Application awareness and DPI (Deep Packet Inspection)
  - IP reputation database and Geo-IP awareness
  - User and device awareness
- Intrusion Prevention System: defends against network-borne attacks (DoS, XSS, viruses, buffer overflows, brute force). Primarily signature or pattern based.
Source: 2014 Verizon Breach Report

NGFW : Performance is key
- 100Mbps, 1GE, 10GE, 40GE and 100GE networks = big demands.
- Measured in throughput (Gbps) and latency (µs or ms).
- ASIC or x86 architectures (ASIC = Application Specific Integrated Circuit).
- Encrypted traffic is growing rapidly.
- Widespread adoption of Cloud.
NGFW : Deployment : Edge
Network Perimeter / Edge
- Secures north-south traffic.
- Protects against inbound attacks from the internet.
- Prevents, identifies and blocks malicious outbound traffic.
- Traditional role of a firewall.

NGFW : Deployment : Internal
Internal Network Firewall (INFW)
- Secures east-west traffic.
- Transparent, invisible. Identifies threats and intrusions, near-zero deployment.
- Throughput is key: 75% of datacentre traffic is east-west, compared to 17% north-south through the network edge (the remaining traffic is inter-DC traffic).
- Drivers: virtualisation, Cloud, flat networks.

NGFW : Best practices and Features
1. Application awareness. Least privilege.
2. Intrusion Prevention.
3. IP reputation and Geo-IP.
4. External threat intelligence.
5. Zoning and Segmentation.
6. Management.
7. Monitoring.
(Chart: Firewall Breaches)
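The "widened 5-tuple" and the least-privilege, zoning and reputation practices above, shown as a small policy evaluator. This is an added illustration, not code from the talk or from any firewall vendor; the zones, reputation entry, country code "XX" and the rules are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

ZONES = {  # constructed sample segmentation: address ranges mapped to named zones
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
}
BAD_REPUTATION = {"203.0.113.50"}  # constructed stand-in for an IP-reputation feed

@dataclass
class Flow:
    src: str               # classic tuple fields, widened below with
    dst: str
    app: str = "unknown"   # application identification from DPI,
    user: str = ""         # user awareness from identity integration,
    country: str = ""      # and a Geo-IP lookup of the destination

@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    src_zone: str = ""              # "" = any zone
    dst_zone: str = ""
    apps: frozenset = frozenset()   # empty = any application
    users: frozenset = frozenset()
    countries: frozenset = frozenset()

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), "internet")

def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src_zone in ("", zone_of(flow.src))
            and rule.dst_zone in ("", zone_of(flow.dst))
            and (not rule.apps or flow.app in rule.apps)
            and (not rule.users or flow.user in rule.users)
            and (not rule.countries or flow.country in rule.countries))

def evaluate(rules, flow: Flow) -> str:
    # Known-bad peers are dropped before policy, as an IP-reputation block does.
    if flow.src in BAD_REPUTATION or flow.dst in BAD_REPUTATION:
        return "deny:reputation"
    for rule in rules:              # first match wins, top to bottom
        if matches(rule, flow):
            return f"{rule.action}:{rule.name}"
    return "deny:default"           # least privilege: unmatched traffic is dropped

POLICY = [
    Rule("geo-block", "deny", countries=frozenset({"XX"})),  # "XX": constructed code
    Rule("users-web", "allow", "users", "internet", frozenset({"http", "https"})),
    Rule("admin-rdp", "allow", "users", "servers", frozenset({"rdp"}), frozenset({"alice"})),
]
```

The same RDP flow from the users zone is allowed for alice and dropped by the default rule for anyone else, which is the point of adding user awareness to the tuple.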
NGFW : Single vendor? Multi-vendor?
- It is generally not more secure to use firewalls from multiple vendors to protect enterprise networks.
- Most enterprises should standardize on a single firewall platform to minimize self-inflicted configuration errors.
- Through 2018, more than 95% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws.
- More companies are using outsourced services from MSSPs instead of, or working with, their existing IT resource.

NGFW : Network Traffic Analysis
- Next Generation Firewall
- Sandboxing & Payload Analysis
Sandboxing Advanced Threat Prevention
Sandboxing : Introduction
Sandboxing : NGFW scenario
Sandboxing : What is a Sandbox?
- Secure virtual runtime environment that exposes unknown threats.
- Physical appliance or virtual machine.
- Tests files in a secure environment and reports a verdict (good or bad).
- Creates signatures that are used by the IPS system and endpoint protection.

Sandboxing : Operation (layered analysis)
- AV Prefilter: apply a top-rated anti-malware engine.
- Cloud File Query: check community intelligence and file reputation.
- Code Emulation: quickly simulate intended activity with code emulation; OS independent and immune to evasion, high catch rate.
- Full Virtual Sandbox: examine real-time, full-lifecycle activity in the sandbox to get the threat to expose itself.
- Call Back Detection: identify the ultimate aim, call back and exfiltration; mitigate with analytics.

Sandboxing : How does it work?
Files:
- Productivity (Word, Excel, PDF)
- Archives (.rar, .zip, .tar.gz, .cab)
- Executables (.exe, .dll)
- Media (.avi, .mpeg, .mp3, .mp4)
Protocols:
- HTTP, FTP, POP3, IMAP, SMTP, SMB, IM, and their SSL-equivalent versions
There is no such thing as a benign file. Blocking macros or executables doesn't solve the issue.

Sandboxing : Deployment & Operation
- Sniffer: passive detection.
- Integrated: active detection.
- API: JSON submission, application integration.
- Manual: manual submission (by users).
- Automatic: scan file shares (SMB/CIFS).
- Cloud.
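The layered operation (AV prefilter, cloud file query, then full sandbox) and the file classes listed above, as an added triage example. This is not the talk's or any vendor's code: the magic-byte table, the signature list, the hash cache standing in for the cloud query and the `record_sandbox_verdict` helper are all constructed for illustration.

```python
import hashlib

# Magic-byte prefixes for the file classes the slide lists (constructed table;
# OOXML Office files arrive as ZIP containers and are caught by the PK entry).
MAGIC = [
    (b"%PDF-", "productivity"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "productivity"),  # legacy OLE2 Office
    (b"PK\x03\x04", "archive"),                             # .zip, .docx, .xlsx
    (b"Rar!\x1a\x07", "archive"),
    (b"\x1f\x8b", "archive"),                               # gzip (.tar.gz)
    (b"MSCF", "archive"),                                   # .cab
    (b"MZ", "executable"),                                  # .exe, .dll
    (b"ID3", "media"),                                      # .mp3
    (b"RIFF", "media"),                                     # .avi
]
AV_SIGNATURES = [b"CONSTRUCTED-MALWARE-MARKER"]  # constructed stand-in for AV signatures

def classify(data: bytes) -> str:
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"

def triage(data: bytes, reputation: dict) -> dict:
    """Route one file through the cheap stages first; only unknowns get detonated.
    `reputation` is a local hash cache standing in for the cloud file query."""
    digest = hashlib.sha256(data).hexdigest()
    result = {"sha256": digest, "type": classify(data)}
    if digest in reputation:                          # 1. cloud file query
        result.update(verdict=reputation[digest], stage="cloud-query")
    elif any(sig in data for sig in AV_SIGNATURES):   # 2. AV prefilter
        reputation[digest] = "malicious"              # known-bad: cache it
        result.update(verdict="malicious", stage="av-prefilter")
    else:                                             # 3. emulation / full sandbox
        # "No such thing as a benign file": unknown types are submitted as well.
        result.update(verdict="pending", stage="sandbox")
    return result

def record_sandbox_verdict(digest: str, malicious: bool, reputation: dict) -> str:
    # The sandbox report becomes a reputation entry (and, on a NGFW, an IPS signature),
    # so the next copy of the file is stopped at the cheap stage.
    reputation[digest] = "malicious" if malicious else "clean"
    return reputation[digest]
```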
Sandboxing : Evasion
Be scared: evasion techniques.
- Human interaction: requires mouse clicks, scrolling or human behaviour to trigger. The RTF pFragments exploit is an example (a reverse Turing test).
- Configuration specific: understand sandbox constraints such as execution time and analysis time.
- Environment specific: attempts to detect the virtual environment (VMTools, registry, drive serial numbers, MAC addresses, drivers).

Sandboxing : Performance
                       Entry Level   Advanced
Files per hour         160           560
AV scanning per hour   6,000         15,000
Number of VMs          8             28
Microsoft licensing (Windows, Office).
Figures based on Fortinet FSA-1000D and FSA-3000D.

Sandboxing : Effectiveness
- FortiSandbox: 99% detection. Results delivered within 1 minute.
- NSS Labs Breach Detection (BDS): evaluated on effectiveness and TCO per Mbps (bang per buck).
- Other vendors: Trend Micro, SourceFire (Cisco), FireEye, AhnLab.
- Open-source options: Cuckoo, Sandboxie, Malwr.

Summary
NGFW
- Securing the network edge.
- INFW in transparent or segmented mode; east-west traffic is 5x higher than north-south.
Sandboxing
- Payload analysis.
- Classification of custom malware, unknown, targeted and advanced threats.
- Creates signatures for use by IPS.
- Sniffer mode, API or integrated.

Thank you - Questions?
joe@servicetech.co.uk
07624 487335