
Protect Web Applications Running Private, Public or Hybrid Cloud Environments

With attempted web attacks numbering in the millions over the course of a year, web application security cannot be left to chance. You need a solution that protects both your public and internal web properties.

Why you need a web application firewall

Today’s businesses strive to provide the highest possible service experience and engagement through different types of interactive web applications and user-friendly mobile applications. Over half of the world’s population uses the internet, and ninety-three percent of those users now go online, and may stay online longer, from mobile devices rather than computers.

The Internet of Things (IoT) has added tens of billions of connected devices that communicate and exchange data through web and mobile applications today, from TVs, wearables, cars, gaming consoles and vending units to all sorts of smart appliances. This makes web applications more critical now than ever before. You need to keep them all online and safe.

What makes a good web application firewall?

An ideal solution requires a comprehensive foundation for application security, data leak prevention, performance and management. Because most web servers are exposed to a wide spectrum of web-based exploits, you need a dynamic web application firewall (WAF) that provides continuous, real-time protection for web properties, whether they are hosted on-premises or in the public cloud. A best-practices WAF solution requires feature-rich web security tools and services to keep web properties safe, undisrupted and at peak performance every day.

SonicWall Web Application Firewall

Our award-winning solution gives you a defense-in-depth strategy to protect your web applications running in private, public or hybrid cloud environments. It offers a complete, out-of-the-box compliance solution for application-centric security that is easy to deploy and manage.

The SonicWall WAF series arms you with advanced web security tools and services to protect your data and web properties against modern, web-based threats. It applies deep packet inspection to Layer 7 web traffic against a regularly updated database of known attack signatures, denies the request when it detects a web application threat, and redirects the user to an explanatory error page.

In addition, the SonicWall WAF baselines regular web application usage and behavior and identifies anomalies that may indicate attempts to compromise the application, steal data or cause a denial of service (DoS).

SonicWall WAF combines signature-based and application-profiling deep packet inspection with a high-performance, real-time intrusion scanning engine to dynamically defend against the evolving threat classes catalogued by the Open Web Application Security Project (OWASP), as well as more advanced web application threats such as DoS attacks and context-aware exploits.
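The two inspection modes described above (signature matching that blocks and redirects, and a learned usage baseline that flags anomalies) are easier to reason about in code. The following is an added teaching example written for this page, not SonicWall's engine or any of its rules: the signature database, the `/blocked.html` redirect path, the parameter-length z-score threshold and the training traffic are all assumptions.

```python
"""Added illustration of the two WAF modes the text describes: a signature
pass over Layer 7 request data, then an anomaly pass against a learned
per-path baseline. Teaching model for this page, not SonicWall's engine;
rule patterns, redirect path, thresholds and sample traffic are assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev
from urllib.parse import parse_qs, urlsplit

# Assumed, deliberately tiny signature database. Each entry mimics one class
# of OWASP-listed injection; a real WAF carries thousands, updated regularly.
SIGNATURES = {
    "sqli-union": re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    "sqli-tautology": re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*", re.I),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
    "path-traversal": re.compile(r"(\.\./|\.\.\\){2,}"),
}
BLOCK_REDIRECT = "/blocked.html"  # the "explanatory error page" (assumed path)


@dataclass
class Verdict:
    action: str            # "allow", "block" or "flag"
    reason: str = ""
    redirect: str = ""


@dataclass
class PathProfile:
    """Baseline learned for one URL path during a training window."""
    params: set = field(default_factory=set)
    lengths: list = field(default_factory=list)


class MiniWAF:
    def __init__(self, z_threshold: float = 3.0):
        self.profiles: dict[str, PathProfile] = defaultdict(PathProfile)
        self.z = z_threshold  # how many std-devs above baseline length is "anomalous"

    @staticmethod
    def _fields(method, url, body):
        parts = urlsplit(url)
        query = parse_qs(parts.query, keep_blank_values=True)
        if method == "POST" and body:
            for k, v in parse_qs(body, keep_blank_values=True).items():
                query.setdefault(k, []).extend(v)
        return parts.path, query

    def learn(self, method, url, body=""):
        """Training phase: record which parameters each path normally sees
        and how long their values usually are."""
        path, query = self._fields(method, url, body)
        prof = self.profiles[path]
        for k, values in query.items():
            prof.params.add(k)
            prof.lengths.extend(len(v) for v in values)

    def inspect(self, method, url, body=""):
        path, query = self._fields(method, url, body)
        # 1. Signature pass over every parameter value: known-bad needs no baseline.
        for k, values in query.items():
            for v in values:
                for name, pattern in SIGNATURES.items():
                    if pattern.search(v):
                        return Verdict("block", f"{name} in {k}", BLOCK_REDIRECT)
        # 2. Anomaly pass against the learned baseline (flag, never block outright).
        prof = self.profiles.get(path)
        if prof is None:
            return Verdict("flag", "unprofiled path")
        unseen = set(query) - prof.params
        if unseen:
            return Verdict("flag", f"unseen parameter(s): {sorted(unseen)}")
        if len(prof.lengths) >= 2 and pstdev(prof.lengths) > 0:
            mu, sigma = mean(prof.lengths), pstdev(prof.lengths)
            for k, values in query.items():
                for v in values:
                    if (len(v) - mu) / sigma > self.z:
                        return Verdict("flag", f"length {len(v)} for {k} far above baseline")
        return Verdict("allow")


def demo():
    """Constructed training traffic: a login form that normally sees short values."""
    waf = MiniWAF()
    for i in range(20):
        waf.learn("POST", "/login", f"user=alice{i}&pw=pass{i}")
    return {
        "normal": waf.inspect("POST", "/login", "user=bob&pw=secret").action,
        "sqli": waf.inspect("POST", "/login", "user=x' OR '1'='1&pw=x").action,
        "new_param": waf.inspect("POST", "/login", "user=bob&pw=x&debug=1").action,
        "oversize": waf.inspect("POST", "/login", "user=" + "A" * 400 + "&pw=x").action,
    }


if __name__ == "__main__":
    print(demo())
```

The signature pass runs first because a known-bad pattern needs no baseline, while the anomaly pass only flags (for review or rate limiting), since an unseen parameter may simply be a new feature. A production WAF keeps the baseline per path and per parameter with a proper learning window, and replaces the hand-written regexes with a maintained, versioned ruleset.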

The WAF series gives you the economy-of-scale benefits of virtualization. You can deploy it as a virtual appliance in private clouds based on VMware or Microsoft Hyper-V, or in AWS or Microsoft Azure public cloud environments. This gives you all the security advantages of a physical WAF with the operational and economic benefits of virtualization, including scalability and agility, fast provisioning, simple management and lower cost.

Acceleration features include load balancing, content caching, compression and connection multiplexing, which improve the performance of protected websites and significantly reduce transaction costs. A dashboard provides an easy-to-use, web-based management interface with a status overview of all monitoring and blocking activity, such as signature database status and the threats detected and prevented since boot-up.

The WAF series is available in four models, sized by inspection capacity, and can be deployed across a broad range of public cloud, private cloud and virtualized use cases.

To learn more about protecting web applications, explore our latest solution brief, “Best Practices for Web Application Firewall.”

SonicWall Annual Threat Report Reveals the State of the Cybersecurity Arms Race

In the war against cyber crime, no one gets to avoid battle. That’s why it’s crucial that each of us is proactive in understanding the innovation and advancements being made on both sides of the cybersecurity arms race. To that end, today we introduced the 2017 SonicWall Annual Threat Report, offering clients, businesses, cybersecurity peers and industry media and analysts a detailed overview of the state of the cybersecurity landscape.

To map out the cybersecurity battlefield, we studied data gathered by the SonicWall Global Response Intelligence Defense (GRID) Threat Network throughout the year. Our findings supported what we already knew to be true – that 2016 was a highly innovative and successful year for both security teams and cyber criminals.

Security Industry Advances

Security teams claimed a solid share of victories in 2016. For the first time in years, our SonicWall GRID Threat Network detected a decline in both the volume of unique malware samples and the number of malware attack attempts. Unique samples collected in 2016 fell to 60 million from 64 million in 2015, and total attack attempts dropped to 7.87 billion from 8.19 billion. This is a strong indication that many security industry initiatives are helping protect companies from breaches. Below are some of the other areas where progress is clearly being made.

Decline of POS Malware Variants

Cybersecurity teams leveraged new technology and procedural improvements to gain important ground throughout the year. If you were one of the victims of the point-of-sale (POS) malware crisis that shook the retail industry in 2014, you will be glad to learn that POS malware has waned enormously as a result of heightened security measures. The SonicWall GRID Threat Network saw the number of new POS malware variants decrease by 88 percent since 2015 and 93 percent since 2014. The primary difference between today’s security procedures and those common in 2014 is the adoption of chip-and-PIN and chip-and-signature (EMV) card technology, particularly in the United States, which undoubtedly played a big role in the positive shift.

Growth of SSL/TLS-Encrypted Traffic

The SonicWall GRID Threat Network observed that 62 percent of web traffic was Secure Sockets Layer/Transport Layer Security (SSL/TLS) encrypted in 2016, improving data privacy and integrity for consumers and businesses on the web. We expect this trend to continue in 2017, given Google’s announced long-term plan to mark HTTP pages in its Chrome browser as “not secure.” NSS Labs estimates that 75 percent of web interactions will be HTTPS by 2019.

Decline of Dominant Exploit Kits

We also saw the disappearance of major exploit kits Angler, Nuclear and Neutrino after cybersecurity investigations exposed the likely authors, leading to a series of arrests by local and international law enforcement agencies. The SonicWall GRID Threat Network observed some smaller exploit kits trying to rise to fill the void. By the third quarter of 2016, runner-up Rig had evolved into three versions employing a variety of obfuscation techniques. The blow that dominant exploit kit families experienced earlier in 2016 is a significant win for the security industry.

Cyber Criminal Advances

As with any arms race, advances by defenders are often offset by advances by attackers. This is why companies must not become complacent: they need to remain alert to new threats and learn how to counter them. Below are some of the areas where cyber criminals showed their ability to innovate and find new ways to launch attacks.

Explosive Growth in Ransomware

Perhaps the area where cyber criminals advanced the most was the deployment of ransomware. According to the SonicWall GRID Threat Network, ransomware attacks grew 167-fold, from 3.8 million in 2015 to 638 million in 2016. The increase was likely the result of a perfect storm of factors, including the rise of ransomware-as-a-service (RaaS) and mainstream access to Bitcoin. Another reason may simply be that as cybersecurity teams made it harder for cyber criminals to make money in other ways, they went looking for a new paycheck.

Exploited Vulnerabilities in SSL/TLS Encryption

While the growth of SSL/TLS encryption is overall a positive trend, it also offers criminals a prime way to sneak malware past company firewalls; according to NSS Labs, this vector was exploited 72 percent more often in 2016 than in 2015. Encryption becomes an attack vector because most companies still lack the infrastructure to perform deep packet inspection (DPI) of SSL/TLS sessions, and so cannot detect malware hidden inside them. Companies must protect their networks against this hidden threat with next-generation firewalls (NGFWs) that can inspect SSL/TLS traffic without creating performance problems.

IoT Became a New Threat Network

Many people who use Reddit, Netflix, Twitter or Spotify experienced another of our top threat trends firsthand. In October 2016, cyber criminals turned a massive number of compromised IoT devices into a botnet called Mirai, which they then used to mount multiple record-setting distributed denial-of-service (DDoS) attacks. The SonicWall GRID Threat Network found that at the height of Mirai activity in November 2016, the United States was by far the most targeted region, receiving 70 percent of DDoS attacks, followed by Brazil (14 percent) and India (10 percent). The root cause of the Mirai attacks was unquestionably the lax security standards rampant in IoT device manufacturing. Specifically, these devices ship with default credentials and never prompt their owners to change them, which makes them uncommonly easy to compromise.

Combatting the New Cyber Threats

It’s worth noting that the technology already exists to solve many of the new challenges cyber criminals threw at victims in 2016. SSL/TLS traffic can be inspected for encrypted malware by NGFWs with high-performance SSL/TLS DPI capabilities. For any new advanced threat such as ransomware, it’s important to understand that traditional sandboxing solutions only detect potential threats; they do not prevent them. To prevent breaches, a network sandbox should hold the traffic until it reaches a verdict rather than passing potential malware through to its target while analysis is still running. SonicWall’s family of NGFWs with SSL/TLS DPI, coupled with the SonicWall Capture multi-engine cloud sandbox service, is one approach to real-time breach prevention for the new threats that emerge in the cybersecurity arms race.

If you’re reading this blog, you’re already taking an important first step toward prevention, as knowledge has always been one of the greatest weapons in the cybersecurity arms race. Take that knowledge and share it by training every team member in your organization on security best practices for email and online usage. Implement the technology you need to protect your network. And most importantly, stay up to date on the latest threats and cybersecurity innovations shaping the landscape. If you know where your enemy has been, you have a much better shot at guessing where he’s going.

BlackNurse DDoS Attack Can Interrupt Your Network; Discover How SonicWall Blocks It

Whenever there is talk of a DDoS (distributed denial-of-service) attack, network administrators picture multiple systems flooding a network device from various locations on the internet. BlackNurse is a new and quite different kind of denial of service: a single laptop can launch the attack and bring down the gateway firewall.

Last week the TDC SOC (the Security Operations Center of the Danish telecom TDC) updated its report describing how BlackNurse, a non-traditional DDoS attack, can harm your network. A normal ping flood is based on ICMP Type 8 Code 0 (Echo Request), whereas BlackNurse uses ICMP Type 3 Code 3 (Destination Unreachable, Port Unreachable). The attack overloads the firewall CPU, which results in an increase in dropped packets.

Unlike traditional ICMP flood attacks, BlackNurse works over low-bandwidth pipes and can still disrupt the operations of your organization. Whether your uplink is 100 Mbps or even 1 Gbps, BlackNurse is effective at attack bandwidths as low as 15 Mbps.

The typical impact observed on firewalls is high CPU load. When this happens, users on the company’s local network can no longer send or receive traffic to and from the internet, because the firewall is busy processing the heavy load of incoming attack packets.
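The distinction the paragraphs above draw, packet type and packet rate rather than raw bandwidth, is what a detector has to key on. The following added example (written for this page, not TDC’s or SonicWall’s code) buckets constructed ICMP traffic into one-second windows, separates a BlackNurse-style Type 3 Code 3 burst from an ordinary Echo Request flood, and computes the bandwidth each burst actually used; the per-second limits, packet sizes and sample traffic are assumptions.

```python
"""Added example for this page: per-second ICMP classification that tells a
BlackNurse-style Type 3 Code 3 flood apart from a classic ping flood and
reports the bandwidth it consumed. Not TDC's or SonicWall's code; the rate
limits, packet sizes and sample traffic below are constructed assumptions."""
from collections import Counter, defaultdict

ECHO_REQUEST = (8, 0)        # what a classic ping flood sends
DEST_UNREACH_PORT = (3, 3)   # Destination Unreachable / Port Unreachable, used by BlackNurse

# Assumed per-second limits. Type 3/3 is limited far lower than echo because
# the firewall must look each one up against its state table and the attack
# needs comparatively few bytes to reach a damaging packet rate.
PPS_LIMIT = {DEST_UNREACH_PORT: 500, ECHO_REQUEST: 5000}


def summarize(packets):
    """packets: iterable of (ts_seconds, icmp_type, icmp_code, ip_length_bytes).
    Returns {window_second: {(type, code): (packet_count, byte_count)}}."""
    counts = defaultdict(Counter)
    sizes = defaultdict(Counter)
    for ts, icmp_type, icmp_code, length in packets:
        w = int(ts)
        counts[w][(icmp_type, icmp_code)] += 1
        sizes[w][(icmp_type, icmp_code)] += length
    return {w: {k: (counts[w][k], sizes[w][k]) for k in counts[w]} for w in counts}


def mbps(byte_count, seconds=1.0):
    """Bandwidth in megabits per second for byte_count bytes over seconds."""
    return byte_count * 8 / seconds / 1_000_000


def detect(packets):
    """Return one finding per (window, ICMP class) that breaches its limit."""
    findings = []
    for w, stats in sorted(summarize(packets).items()):
        for key, (count, nbytes) in stats.items():
            limit = PPS_LIMIT.get(key)
            if limit is not None and count > limit:
                kind = "blacknurse" if key == DEST_UNREACH_PORT else "icmp-echo-flood"
                findings.append({"window": w, "kind": kind, "pps": count,
                                 "mbps": round(mbps(nbytes), 2)})
    return findings


def make_sample():
    """Constructed traffic: seconds 0 and 2 are quiet, second 1 carries a
    40,000-packet Type 3 Code 3 burst on top of the same background."""
    pkts = []
    for s in range(3):
        # Background: a few 84-byte pings and a few minimal 56-byte
        # port-unreachable replies (20 IP + 8 ICMP + 20 quoted IP + 8 bytes).
        pkts += [(s + i / 10, 8, 0, 84) for i in range(5)]
        pkts += [(s + i / 10, 3, 3, 56) for i in range(3)]
    pkts += [(1 + i / 40_000, 3, 3, 56) for i in range(40_000)]
    return pkts


if __name__ == "__main__":
    for f in detect(make_sample()):
        print(f)
```

Running `detect(make_sample())` reports a single finding: window 1, roughly 40,000 Type 3 Code 3 packets per second at under 18 Mbps, which is why a 100 Mbps or 1 Gbps uplink shows no congestion while the firewall CPU saturates. Type 3 Code 3 messages are legitimate (a host returns one for a closed UDP port, and traceroute depends on them), so the sensible mitigation is a rate limit on inbound Type 3 Code 3 from the WAN, not a blanket drop of all ICMP.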

As a SonicWall firewall owner, the first question that comes to mind is: am I protected against BlackNurse?

The answer is yes. All you need to do is ensure that “ICMP Flood Protection” is enabled under Firewall Settings in the management interface (see image below). For more information on configuring ICMP Flood Protection, refer to the SonicOS administration guide.

[Screenshot: ICMP Flood Protection settings in SonicOS]

According to Akamai’s September 2016 security report, DDoS attacks rose 70 percent year over year. The security of our customers is our top priority, and SonicWall takes every measure to protect your network against all threats, DDoS included.

Please stay informed and up to date with the SonicWall Threat Research updates.