Posts

Cloud Security: Making the Invisible … Visible

Living in Colorado and having 14,000-foot mountains in my backyard, there are times I end up driving into the clouds. One minute I can be traveling in sunshine and great weather and the next, a cloud surrounds my car.

Entering a cloud, things begin to lose visibility. Soon, you can barely make out anything around you. This is a good time to slow down and get clarity on your surroundings.

As the business market continues to drive into the cloud, it too comes with risk of diminished visibility. The major cloud providers give you tools to secure platforms in the cloud, but they don’t provide you the means of monitoring those solutions to know what is happening in the platform or within a cloud datacenter.

Besides a bill for your monthly traffic, compute and storage usage, you don’t have visibility of what the traffic is within the cloud.

For many, cloud security can be a challenging prospect as each provider has slightly different ways of implementing their security stack. You may have secured your cloud devices, but how do you know what traffic goes in and out of them? And just because you identify the appropriate ports and protocols that are allowed, that doesn’t mean your application can’t be compromised and data exfiltrated through those ports and protocols.

How to Gain Better Cloud Visibility

The challenge when working within the cloud is making the invisible, visible. Cloud providers do not rely upon layer 2 connections, but rather route all the traffic based upon their own algorithms/methods.

In most cloud systems, depending upon how well you’ve defined your security rules, when you launch a new device within a cloud environment, all the other devices within that environment can send traffic to and from each other. This is why micro-segmentation has become one of the cloud buzzwords; we needed the ability to restrict traffic at the host or interface level.

While micro-segmentation will allow you to restrict traffic, how do you inspect the traffic?

How Virtual Firewalls Secure Cloud Environments

SonicWall provides two products to help with this problem of visibility within the cloud: Network Security Virtual Firewall (NSv) and Web Application Firewall (WAF). These products each have their own purposes, but when implemented correctly, they will provide you visibility within the cloud.

Every cloud provider allows you to modify the default route paths and direct traffic within their infrastructure. With these routes, you can direct traffic in and out of NSv or WAF in order to provide additional visibility and inspection of the traffic within your cloud.

You can further improve cloud security by adding Deep Packet Inspection (DPI), Capture Advanced Threat Protection (ATP) multi-engine cloud sandboxing, which includes Real-Time Deep Memory Inspection (RTDMITM), and traffic reporting and analysis.

Setting up the custom route tables to direct traffic within a cloud provider can be a daunting task. SonicWall’s Remote Implementation Service for the NSv Firewalls can help.

Whether you use the SonicWall NSv or the WAF within the cloud, you will have the ability to shed light upon the traffic within the cloud and know that it’s appropriate for your environment. Take back control of your traffic by bringing it to a higher level — above the clouds.

SonicWall Partner Enabled Services

Optimize your investment in SonicWall products with professional services delivered by SonicWall Advanced Services Partners trained to provide world-class professional services for SonicWall customers.

How to Secure Your Website & Protect Your Brand Online

A study by the SMB Group in 2017 showed that more than 85 percent of small- and medium-sized (SMB) businesses and mid-tier enterprises are adopting digital transformation. This is changing the role of the traditional website from a “static set of HTML pages” to a highly dynamic online experience platform. The website is now the custodian of the organization’s digital brand.

But, as once said by Ben Parker (yes, Spiderman’s late uncle), “With great power comes great responsibility.”

IT executives now have to protect users — and their data used by the website — from a larger spectrum of web application threats. The recent Whitehat Security’s 2018 Application Security Report highlighted these concerns:

  • About 50 percent of vulnerabilities discovered on a website are Serious; remediation rates are less than 50 percent
  • The average time to fix a vulnerability ranges from 139 to 216 days
  • More than 30 percent of websites are still showing poor developer cybersecurity skills (e.g., information leakage, cross-site scripting and SQL injection)
  • SSL/TLS is not adopted well enough; 23 percent of those are weak and riddled with vulnerabilities

SonicWall WAF 2.0 was launched in April 2018 as a standalone virtual appliance deployable in public and private cloud environments. SonicWall WAF delivers an award-winning web application firewall technology that works alongside SonicWall next-generational firewalls (NGFW) to protect businesses and their digital brands.

The SonicWall WAF is backed by threat research from SonicWall Capture Labs for virtual patching of exploits, reducing the window of exposure significantly.

In fact, when the attacks associated with British Airways and Drupalgeddon came out, the SonicWall WAF was able to protect customers without any updates. With the SonicWall WAF, administrators can protect their websites from the wide spectrum of web threats including those targeting the vulnerabilities called out in the OWASP Top 10.

Five New Enhancements to SonicWall WAF 2.2

The next evolution of the product, SonicWall WAF 2.2 gains five significant new features and enhancements, including a new licensing model.

Real-Time Website Malware Prevention with Capture ATP Integration

With the increasing threat of malware, many websites are also at risk of advanced malware attacks like cryptojacking and the famous CTB-locker malware that targeted WordPress websites.

Malware is injected into websites through the use of vulnerable plugins or by using file-upload facilities available with many websites. SonicWall WAF now integrates with the Capture Advanced Threat Protection (ATP) sandbox service. It detects malware embedded in traffic streams by leveraging the industry-leading, multi-engine malware analysis platform, including Real-Time Deep Memory Inspection (RTDMI). Any attempts to inject or upload malicious files to a website would be inspected in-line (as opposed to after the fact) while maintaining an optimal user experience.

Simplifying Transport Layer Security, SSL Certificate Management with ‘Let’s Encrypt’

The biggest challenge for securing website communication is the need for legitimate SSL/TLS certificates for encryption and decryption. Legitimate certificates are expensive to purchase, manager, monitor and renew.

But with SonicWall WAF 2.2, organizations can take advantage of the Let’s Encrypt service through a built-in integration that not only offers free certificates, but will also automatically monitor and renew digital certificates.

This eliminates the administrative effort to enable SSL/TLS required on the website to turn on support for SSL/TLS.

By combining Let’s Encrypt integration, Perfect Forward Secrecy (PFS) and HTTP Strict Transport Security (HSTS), the SonicWall WAF ensures that websites are only accessible via a secured and encrypted channel, which also improves search engine visibility and ranking.

Seamless Multifactor Authentication Controls Access to Sensitive Content, Workflows

The most common cause of information leakage from websites stems from improper access control on websites, sometimes via unauthenticated pages and others because of the lack of strong authentication controls (remember the Equifax attack?).

With SonicWall WAF 2.2, administrators can redirect users to an authentication page for any part of the web application by leveraging an existing authentication page or with a WAF-delivered login page.

Administrators can also enforce second-factor authentication using client certificates or one-time passwords (OTPs) to validate users trying to log in to the web application are, indeed, genuine users.

API Support for Managed Cloud Service Providers

Cloud service providers often manage and host websites for their customers. In many cases, they leverage DevOps and programmable infrastructure using APIs to launch hosting environments, web application platforms and ready-to-use infrastructure. But if security is not embedded into these DevOps workflows, they leave gaping holes and become liable for website security.

With SonicWall WAF 2.2, administrators can automatically launch WAF virtual appliances and programmatically provision security for websites using scripts in DevOps workflows. This includes creating a web application to be protected, enabling exploit prevention, enabling Let’s Encrypt Integration for free SSL/TLS support and enabling Capture ATP integration for malware prevention.

New Utility-based Licensing Model, An innovation for WAF Virtual Appliances

With SonicWall WAF 2.2, organizations may purchase protection on a per-website basis. This helps reduce the total cost of ownership (TCO) by purchasing only what they need. Four types of websites are currently supported based on the amount of data that is transferred to/from the website per month.

Size Data Volume
Pro Website 10 GB per Month
Small Website 50 GB per Month
Medium Website 200 GB per Month
Large Website 500 GB per Month

A sizing calculator will recommend the compute requirements for the WAF virtual appliance and will provide guidance to website administrators on what type of license they need to buy based on a variety of metrics like sustained/peak throughput, average visits per day etc.

SonicWall WAF helps administrators secure their websites and their digital environment, thereby establishing trust in their digital brand.

Get to Know SonicWall WAF

The SonicWall Web Application Firewall (WAF) now integrates with the award-wining SonicWall Capture Advanced Threat Protection (ATP) sandbox service and Real-Time Deep Memory Inspection (RTDMI) technology. Explore how this innovative product can defend your websites and applications from both known and unknown cyber threats.

Botnets Targeting Obsolete Software

Overview: This is not a disclosure of a new vulnerability in SonicWall software. Customers with the current SonicWall Global Management System (GMS) 8.2 and above have nothing to worry about. The reported vulnerability relates to an old version of GMS (8.1), which was replaced in December 2016. Customers with GMS 8.1 and earlier releases should patch, per SonicWall guidance, as they are running out-of-support software. Best practice is to deploy a SonicWall next-generation firewall (NGFW) or a web application firewall (WAF) in front of GMS and other web servers to protect against such attacks. Look for global third-party validation on protection effectiveness, such as the 2018 NSS Labs NGFW Group Test. After rigorous testing, SonicWall firewalls earned the NSS Labs coveted ‘Recommended’ rating five times.


On Sept. 9, Palo Alto Networks Unit 42 published a blog post highlighting a developing trend of botnets picking up publicly known CVE exploits and weaponizing them against enterprise infrastructure. This marks a change in the botnet authors’ tactics from targeting consumer-grade routers and IP cameras to searching for higher-profile enterprise targets to harness additional endpoints for DDoS attacks.

The first botnet, Mirai, targeted the Apache Struts vulnerability from early 2017, which affects web servers around the world. On March 6, 2017, SonicWall provided protection against the Apache Struts vulnerability with the Intrusion Prevention Service (IPS) on the NGFW line, rolling out protection to all firewalls with licensed IPS service.

The second botnet highlighted in the Palo Alto Networks post, Gafgyt, picked up the Metasploit code for an XML-RPC vulnerability for an obsolete version of SonicWall GMS (8.1) central management software, which was replaced by GMS 8.2 in December 2016.

The bottom line: the reported botnet attack is misguided and presents no threat to SonicWall GMS in production since December 2016.

Implementing Cybersecurity Best Practices

Current SonicWall GMS users are not at risk. However, there are broader lessons here for the industry and business owners:

  • Take End-of-Life and End-of-Support announcements seriously and update proactively. They become a compliance and security risk for critical systems and compromise an enterprise’s compliance and governance posture.
  • Security best practices dictate that you never expose a web server directly to the internet without a NGFW or WAF deployed in front.
  • A security layer between the internet and critical enterprise infrastructure, like web servers or centralized firewall management, provides the ability to virtually patch zero-day vulnerabilities and exploits while working out a sensible patching strategy. For example, a SonicWall NGFW with Intrusion Prevention or a SonicWall WAF can easily handle this task.

Using Third-Party Validation

The blog post does, however, underscore the rapidly-evolving nature of today’s threat landscape, evidenced by the mixing of malware and exploits to create new malware cocktails, and the need to use the latest and most effective security solutions to protect against them.

When selecting a product to protect your critical infrastructure, go beyond listening to vendor claims and look at globally recognized independent testing, such as the NSS Labs NGFW report, to validate security efficacy. Items that you should consider when selecting a security product for the modern threat landscape:

  1. NSS Labs specifically tests for protection on non-standard ports (not just 80/443, for example) because malware often uses non-standard ports to bypass traffic inspection. Products that lack inspection on non-standard ports are blind to many malware attacks, and are easily fooled into missing dangerous traffic and allowing malware and exploits to sail right through.

2018 NSS Labs NGFW Group Test Report — Evasion Resistance

2018 NSS Labs Next Generation Firewall Security Value MapTM (SVM)

  1. Evaluate your NGFW on security efficacy, and how it deals with malware cocktails, such as the recently exposed Intel-based, processor-level vulnerabilities like Spectre, Meltdown and Foreshadow.
  • SonicWall patented and patent-pending Real-Time Deep Memory Inspection (RTDMITM) technology is proven to catch chip/processor attacks through its unique approach to real-time memory inspection.
  • SonicWall RTDMI protection can also be applied to mitigate malicious PDFs, Microsoft Office documents and executables. The focus on PDF and Office document protection is especially important. Attacks are shifting into this delivery mechanism as browsers clamped down on Flash and Java content, drying up a fertile area of exploit and malware delivery. For example, RTDMI discovered more than 12,300 never-before-seen attack variants in the first half of 2018 alone.
  • The SonicWall Capture Client endpoint suite plugs into the RTDMI engine to offer the same protection for users that are outside a protected network.

 

The Bottom Line

The reported botnet attack is misguided and presents no threat to SonicWall GMS in production since December 2016.

Protect Web Applications Running Private, Public or Hybrid Cloud Environments

With the number of attempted web attacks ranging up to millions over the course a year, you need to ensure web application security. You need a solution that protects both your public and internal web properties.

Why you need a web application firewall

Today’s businesses strive to provide the highest possible service experience and engagement through different types of interactive web applications and user-friendly mobile applications. Over half of the world population uses the internet. Ninety three percent of them now go online, and perhaps stay online longer, using their mobile devices as opposed to their computers.

With the addition of the Internet-of-Things (IoT), we have now added tens of billions of devices already connected, communicating and exchanging data through web and mobile applications today — from TVs, digital wearables, cars, gaming consoles and vending units, to all sorts of smart appliances. This makes web applications more critical now than ever before. You need keep them all online and safe.

What makes a good web application firewall?

An ideal   solution requires a comprehensive foundation for application security, data leak prevention, performance and management. With most web servers vulnerable to a wide spectrum of web-based exploits, you need a dynamic web application firewall to provide continuous real-time protection for web properties, whether they are hosted on-premises or in the public cloud. A best-practices WAF solution requires feature-rich web security tools and services to keep web properties safe, undisrupted and in peak performance every single day.

SonicWall Web Application Firewall

Our award-winning solutions give you a defense-in-depth strategy to protect your web applications running in private, public or hybrid cloud environments. It offers you a complete, out-of-box compliance solution for application-centric security that is easy to manage and deploy.

The SonicWall WAF series arms you with advanced web security tools and services to protect your data and web properties against modern, web-based threats. It applies deep packet inspection of Layer 7 web traffic against a regularly updated database of known signatures, denies access upon detecting web application threats and redirects users to an explanatory error page.

In addition, the SonicWall WAF baselines regular web application usage and behavior, and identifies anomalies that may be indicative of attempts to compromise the application, steal data and/or cause a denial of service (DoS).

SonicWall WAF employs a combination of signature-based and application profiling deep-packet inspection, and high-performance, real-time intrusion scanning engine, to dynamically defend against evolving threats, as outlined by the Open Web Application Security Project (OWASP), as well as more advanced web application threats like denial-of-service (DoS) attacks and context-aware exploits.  Moreover, it learns, interrogates and baselines regular web application usage behaviors and identifies anomalies that may indicate attempts to compromise the application, steal data and/or cause a denial of service.

The WAF series gives you economy-of-scale benefits of virtualization. You can deploy it as a virtual appliance in private clouds based on VMWare or Microsoft Hyper-V; or in AWS or Microsoft Azure public cloud environments. This gives you all the security advantages of a physical WAF with the operational and economic benefits of virtualization, including system scalability and agility, speed of system provisioning, simple management and cost reduction.

Acceleration features include load balancing, content caching, compression and connection multiplexing to improve performance of protected websites, and significantly reduce transactional costs. A robust dashboard gives you an easy-to-use, web-based management interface featuring status page overview of all monitoring and blocking activities, such as signature database status information and threats detected and prevented since boot-up.

The is available in four models that represent their inspection capacities and can be deployed on a broad range of public cloud, private cloud and virtualized deployment use cases.

To learn more about protecting web applications, explore our latest solution brief, “Best Practices for Web Application Firewall.”