Posts

How Everyone Can Implement SSL Decryption & Inspection

Since 2011, when Google announced it was switching to Hypertext Transfer Protocol Secure (HTTPS) by default, there has been a rapid increase in Secure Sockets Layer (SSL) sessions.

Initially, SSL sessions were reserved for only important traffic, where personal, financial or sensitive data was transferred. Now, it seems we can’t receive news or perform a simple search without an encrypted session.

In 2014 and 2015, SSL sessions accounted for about 52 percent of internet traffic. As cloud adoption grew, so did the SSL sessions. By 2017, SSL accounted for 68 percent of all internet traffic. Currently, SonicWall has seen encrypted traffic at almost 70 percent of the total traffic on the internet.

Secure sessions demonstrate that internet users are understanding and embracing session security and privacy. Unfortunately, as SSL sessions have increased, so have encrypted attacks. So far in 2018, SonicWall has seen a 275 percent increase of encrypted attacks since 2017. You find more numbers in the mid-year update of the 2018 SonicWall Cyber Threat Report.

What is DPI-SSL?

The modern cyber threat landscape requires a defense-in-depth posture, which includes SSL decryption capabilities to help organizations proactively use deep packet inspection of SSL (DPI-SSL) to block encrypted attacks.

However, even firewall vendors that claim to offer SSL decryption and inspection may not have the processing power to handle the volume of SSL traffic moving across a network today.

DPI-SSL extends SonicWall’s Deep Packet Inspection technology to inspect encrypted HTTPS and SSL/TLS traffic. The traffic is decrypted transparently, scanned for threats, re-encrypted and sent along to its destination if no threats or vulnerabilities are found.

Available on all SonicWall next-generation firewalls (Generation 6 or newer), DPI-SSL technology provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.

It is important to have a secure and simple setup that minimizes configuration overhead and complexity. There are two primary paths for implementing DPI-SSL.

Option 1: Remote Implementation

Enabling DPI-SSL can sometimes be complex. Diverse sites and programs use certificates differently, some of which may be affected by DPI-SSL capabilities.

To confirm you have DPI-SSL implemented properly, leverage the SonicWall DPI-SSL Remote Implementation Service to ensure seamless and effective implementation of SonicWall DPI-SSL services.

The Remote Implementation Service for SonicWall DPI-SSL deploys and integrates the product into your environment within 10 business days. This service is delivered by Advanced Services Partners who have completed training and demonstrated expertise in DPI-SSL implementation and configuration.

Option 2: Leverage Easy-to-Use Guidance

For those considering in-house implementation, SonicWall also provides a number of knowledge base (KB) articles and resources that walk you through the DPI-SSL implementation process. Some of the most popular include:

These KBs, and others found within SonicWall’s support section or through the DPI-SSL Remote Implementation Service, ensure every type of user or organization has the resources  to properly activate DPI-SSL within their infrastructure to mitigate encrypted cyberattacks.

For additional guidance, watch “Initial DPI-SSL Configuration,” a popular SonicWall Firewall Series Tutorial.

DPI-SSL Adoption

Thankfully, SonicWall is witnessing gradual adoption of DPI-SSL add-on services. To best protect your environment, pair DPI-SSL capabilities with the Capture Advanced Threat Protection (ATP) cloud sandbox, Gateway Antivirus, Content Filtering and Intrusion Protection Services (IPS). All available in the SonicWall Advanced Gateway Security Suite, which delivers everything you need to protect your network from advanced cyberattacks.

Combine these services with a trusted and secure end-point protection software, such as SonicWall Capture Client, and you can provide a robust security posture that can protect devices — even when they are not behind your firewall.

SonicWall CEO: ‘It’s Time to Arm Up’ Against Malware, Encrypted Attacks

You can’t fight what you can’t see.

Cliché as it may sound, cybercriminals are using organizations’ lack of network visibility as a cornerstone for their attack strategies. Savvy threat actors are encrypting their malware payloads to cloak attacks and defeat standard security controls.

At RSA Conference 2018 in San Francisco, SonicWall president and CEO Bill Conner spoke with TechRepublic about the rapidly changing cyber arms race and the need to properly detect and inspect encrypted traffic, which made up 68 percent of all web traffic in 2017 — a 24 percent year-over-year increase from 2016.

“In Q1, you see a dramatic increase in malware and ransomware. We’re also seeing a dramatic increase in SSL encryption, and encryption being used to carry malware,” Conner told TechRepublic.

As Conner discussed, the 2018 Cyber Threat Report illustrated these challenges. But the threat landscape changes rapidly. In the first quarter of 2018 alone, the average SonicWall customer faced:

  • 7,739 malware attacks (151 percent increase over Q1 2017)
  • 173 ransomware attacks (226 percent increase over Q1 2017)
  • 335 encrypted threats (403 percent increase over Q1 2017)

By investing in updated solutions, and enabling SSL/TLS inspection capabilities, organizations can have the best of both security and performance. Many next-generation firewalls — like the SonicWall NSa series, for example — include DPI-SSL capabilities. However, these critical controls aren’t always activated or implemented properly, so it’s important to confer with your cyber security vendor or managed security services provider (MSSP) that you have the ability to decrypt and inspect SSL and TLS traffic.

Guidance on stopping encrypted cyber attacks

Encrypted threats will defeat even the most robust firewall if it’s not properly using deep packet inspection of SSL and TLS, often known as DPI-SSL.

If you choose not to inspect encrypted traffic — or if your firewall is limited in its ability to do so — you are truly missing a critical value of your firewall.

It is possible for organizations to enjoy the security benefits of SSL/TLS encryption without providing a hidden tunnel for attackers.

For practical guidance on implementing SSL and TLS decryption and inspection abilities, review “Encrypted Cyber Attacks: Real Data Unveils Hidden Danger within SSL, TLS Traffic” or watch the on-demand webcast, “Technical Deep Dive on how to Defeat Encrypted Threats with SonicWall DPI-SSL Technology.”

What is the Difference Between Traditional and Next-Generation Anti-Virus?

In previous webcasts and blogs, I’ve spoken of a woman who was the victim of a terrible ransomware attack as well as an intrusion on her computer. It was her first computer breach in over 25 years of business.

When these happened, she was running traditional anti-virus and minimal network security in front of her endpoints. These two attacks, which she believes cost her around $50,000 in damages, were alarming wakeup calls to the realities of today’s threat landscape.

One of the lessons learned by people like Elizabeth over the past three years of the ransomware age is that traditional signature-based anti-virus solutions are lacking the power to combat today’s flood of evasive malware.

This is why SonicWall is excited to launch our Capture Client, a client security solution that leverages the SentinelOne Endpoint Protection engine, powered by static and behavioral artificial intelligence, to deliver next-generation anti-virus (NGAV) capabilities.

So, what exactly is a NGAV solution, and why does it matter?

No signatures

Traditionally, anti-virus solutions (AVs) have required frequent (daily or weekly) updates of their signature databases to protect against the latest threats. Capture Client uses a static artificial intelligence (AI) engine to determine if new files are threats before they can execute. In addition, it has a behavioral AI engine to protect against file-less threats (e.g., PowerShell scripts, macros within documents, lateral movement, etc.).

No weekly updates

These AI engines do not require daily/weekly updates, as they “degrade” very gracefully over time. This is because the behavior analysis engines do the work instead of matching files to an ever-aging database of file IDs.

Even if customers upgrade their agents only once a year, they will have much greater protection than what traditional AV is able to provide. With the power of SentinelOne’s AI models, today’s zero-day attacks are instantly convicted by models developed in the past. This is the benefit of a mathematical approach to malware prevention, detection and response versus legacy, signature-based approaches.

No recurring scans

Apart from the management overhead of updating signatures, traditional AVs also recommend recurring disk scans to make sure threats did not get in. These recurring scans are a big source of frustration for the end users, as their productivity is impacted during the scans. With Capture Client, these recurring scans are not required at all. End-users get much better performance and, in many cases, do not even know or experience any slowdown caused by the AV.

No performance overhead

Another reason for the poor performance of traditional AVs is that they became bloated by implementing many features, such as endpoint firewall, full-disk encryption, etc. Many of these features are now available on modern operating systems. Capture Client was designed to orchestrate OS functionality instead of replicating it. This also translates into a much better end-user experience.

No cloud dependence

Another limitation of traditional AVs is their reliance on cloud connectivity for best protection. Signature databases have grown so large that it is no longer possible to push the entire database down to the device. So, they keep the vast majority of signatures in the cloud, and only push the most prevalent signatures down to the agent.

Furthermore, end users frequently work in cafés, airports, hotels and other commercial facilities. In most of these cases, the Wi-Fi provider is supported by ad revenues, and encourage users to download the host’s tools (i.e., adware) to get free connectivity. These tools or the Wi-Fi access point can easily block access to the AV cloud, which poses a huge security risk. Capture Client is fully autonomous and protects the user in these situations. The efficacy of the agent isn’t impacted by its connection to the internet.

NGAV for endpoints

I invite you to learn more about Capture Client, which not only provides NGAV capabilities, but also seamlessly integrates with SonicWall firewalls and related capabilities, such as DPI-SSL certificate management, firewall enforcement and firewall-independent, cloud-based reporting.

To learn more, download the “SonicWall Capture Client powered by SentinelOne” data sheet.

What is the Difference Between Traditional and Next-Generation Anti-Virus?

In previous webcasts and blogs, I’ve spoken of a woman who was the victim of a terrible ransomware attack as well as an intrusion on her computer. It was her first computer breach in over 25 years of business.

When these happened, she was running traditional anti-virus and minimal network security in front of her endpoints. These two attacks, which she believes cost her around $50,000 in damages, were alarming wakeup calls to the realities of today’s threat landscape.

One of the lessons learned by people like Elizabeth over the past three years of the ransomware age is that traditional signature-based anti-virus solutions are lacking the power to combat today’s flood of evasive malware.

This is why SonicWall is excited to launch our Capture Client, a client security solution that leverages the SentinelOne Endpoint Protection engine, powered by static and behavioral artificial intelligence, to deliver next-generation anti-virus (NGAV) capabilities.

So, what exactly is a NGAV solution, and why does it matter?

No signatures

Traditionally, anti-virus solutions (AVs) have required frequent (daily or weekly) updates of their signature databases to protect against the latest threats. Capture Client uses a static artificial intelligence (AI) engine to determine if new files are threats before they can execute. In addition, it has a behavioral AI engine to protect against file-less threats (e.g., PowerShell scripts, macros within documents, lateral movement, etc.).

No weekly updates

These AI engines do not require daily/weekly updates, as they “degrade” very gracefully over time. This is because the behavior analysis engines do the work instead of matching files to an ever-aging database of file IDs.

Even if customers upgrade their agents only once a year, they will have much greater protection than what traditional AV is able to provide. With the power of SentinelOne’s AI models, today’s zero-day attacks are instantly convicted by models developed in the past. This is the benefit of a mathematical approach to malware prevention, detection and response versus legacy, signature-based approaches.

No recurring scans

Apart from the management overhead of updating signatures, traditional AVs also recommend recurring disk scans to make sure threats did not get in. These recurring scans are a big source of frustration for the end users, as their productivity is impacted during the scans. With Capture Client, these recurring scans are not required at all. End-users get much better performance and, in many cases, do not even know or experience any slowdown caused by the AV.

No performance overhead

Another reason for the poor performance of traditional AVs is that they became bloated by implementing many features, such as endpoint firewall, full-disk encryption, etc. Many of these features are now available on modern operating systems. Capture Client was designed to orchestrate OS functionality instead of replicating it. This also translates into a much better end-user experience.

No cloud dependence

Another limitation of traditional AVs is their reliance on cloud connectivity for best protection. Signature databases have grown so large that it is no longer possible to push the entire database down to the device. So, they keep the vast majority of signatures in the cloud, and only push the most prevalent signatures down to the agent.

Furthermore, end users frequently work in cafés, airports, hotels and other commercial facilities. In most of these cases, the Wi-Fi provider is supported by ad revenues, and encourage users to download the host’s tools (i.e., adware) to get free connectivity. These tools or the Wi-Fi access point can easily block access to the AV cloud, which poses a huge security risk. Capture Client is fully autonomous and protects the user in these situations. The efficacy of the agent isn’t impacted by its connection to the internet.

NGAV for endpoints

I invite you to learn more about Capture Client, which not only provides NGAV capabilities, but also seamlessly integrates with SonicWall firewalls and related capabilities, such as DPI-SSL certificate management, firewall enforcement and firewall-independent, cloud-based reporting.

To learn more, download the “SonicWall Capture Client powered by SentinelOne” data sheet.

Download Datasheet

Why GDPR Makes it Urgent to Scan Encrypted Traffic for Data Loss

“Inspect every packet, every time.”

This has been my advice to any network admin or business owner for many years.  This is equally important in regards to encrypted traffic.  Much of the Internet has become encrypted, meaning that it can only be perused and accessed over HTTPS.  While this rightly includes traffic such as online banking and financial sites, it also now includes webmail, social media, online streaming video, music and even search engines.

While encryption of the Internet enables online privacy, it has also opened a new threat vector for hackers and criminals to hide malicious content.  If you encrypt the whole Internet, you encrypt all the threats traversing it.

The painful truth is that the vast majority of networks (including governments, international enterprises, educational, medical and consumer networks) have yet to implement a security solution capable of inspecting the encrypted traffic.  If you cannot inspect it, you can not protect it.  With over 80 percent of Internet traffic now encrypted, this has become an open pipeline for attacks.  More than 67 percent of all malware attacks are still delivered via email.  Guess what? That email is most often encrypted via HTTPS.

Inspecting encrypted traffic is paramount in preventing threats such as viruses, exploits, spyware and ransomware. Numerous articles, findings, testimonials and forensic analyses of recent breaches (such as at the IRS, OPM, JPMorgan Chase, Home Depot, Target and Equifax) focused on threat prevention. They reported that varying degrees of security had not been deployed or utilized, alerts were missed, traffic went uninspected, or updates and patches were not applied.  In some breaches, there were financial penalties for failing to protect end-user data, such as providing credit monitoring services for consumers, refunds for past services, or government-levied fines.

However, another critical reason to inspect encrypted traffic was rarely discussed. Yet, in six months, that reason will have incredible legal and financial implications that many are underestimating.  That reason is data loss.  And while organizations have sought to increase their threat prevention, only minor attention has been applied to data loss prevention (DLP).  Well, that is about to change drastically.

On May 25, 2018, the European Union General Data Protection Regulation (GDPR) goes into effect.  While this is an EU regulation, it will play a tremendous role in the ways data protection is controlled worldwide.  The following is an excerpt from the GDPR:

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. […] violating the core of Privacy by Design concepts[….] It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

Pay close attention to that last line, especially if you are a cloud provider or consumer.  Any organization that hosts or processes data for citizens of an EU member country will be held accountable to this regulation. Make no mistake, countries outside of the EU, including the USA, are in the process of enacting similar legislations.

While threat prevention should always be a cornerstone in any network security architecture, data loss prevention will now be as well.  For example, one may have a decent anti-malware client and other solutions for threat prevention, but what is in place to prevent a staff member unwillingly or willingly executing an application that uploads confidential end user data like credit card numbers, address, phone numbers, or other personally identifiable information?  What is in place today to stop someone from accidentally or willingly “dragging and dropping” a PDF containing personally identifiable information (PII) to a public FTP Server, or uploading it to their personal webmail?  Remember: all of these connections are now encrypted.

Fortunately, you can easily apply data loss prevention rules on all SonicWall firewalls to inspect encrypted traffic and prevent data loss.  By leveraging incredibly powerful Deep Packet Inspection of SSL/TLS Encrypted Traffic (DPI-SSL), and applying keywords or phrases defined using Regular Express (RegEx), SonicWall firewalls are able to inspect all encrypted communications for PII in real time. Should an application, system, or employee attempt to upload PII, the SonicWall firewall can detect it, block the upload, and provide incident reporting of the event. That is how you can inspect every packet, every time. That is how you prevent the breach.

Download our “Best Practices for Stopping Encrypted Threats” to help you prevent that breach.

Innovate More, Fear Less at CETPA 2017 with SonicWall for Your School Network

Recently, the personal information of Palo Alto High School students was published via a website that allowed students to see class rankings, grade-point averages and identification numbers. Is your school network at risk?

Know your best defense against new threats. Join SonicWall at Booth 904 at the 2017 CETPA Annual Conference on Nov. 14-17 in Pasadena, California. With over 3,000 K-12 schools and districts relying on SonicWall next-generation firewalls and real-time automated breach detection and prevention with SonicWall Advanced Threat Protection cloud sandboxing service, we’ll be onsite to share our expertise on the latest threats and best practices to stop cyber attacks.

Can’t-miss highlights include:

  • Solving Real-world Network Security Issues in Today’s K-12 Campus Environment
    • Speaker: Jenna Burrows, Director of Business Services, Calistoga Joint Unified School District.
    • Date & Time: 4 p.m., Nov. 14
    • Location: Room 204
    • Learn how this district, with the help of SonicWall Silver partner Napa Valley Networks, provides over 900 students and staff with secure, uninterrupted network access, protects students from harmful web content and stops hackers from stealing confidential records. We’ll also explore advantages of a managed SonicWall’s Security-as-a-Service (SECaaS) approach to network security.

“It’s really hard for districts, at any point, to have to lay out a large amount of money,” for projects of this type, says Burrows. “It’s just not reasonable. There’s really no value in us purchasing it outright, and then, say, it’s obsolete in a couple years anyway. It makes a lot more sense for us to do it monthly. It (SonicWall Security-As-A-Service) provides more flexibility but it’s also much more reasonable in terms of breaking out the costs, not having to pay a large upfront amount.” said Jenna Burrows, Director of Business Services, Calistoga Joint Unified School District.

  • Vendor Shootout: Capture Advanced Threat Protection Sandbox
    • Presenter: Tim Johnson, System Engineer, SonicWall
    • Date & Time: 8 a.m., Nov. 16
    • Examine and compare the effectiveness of SonicWall’s Capture ATP, a leading cloud sandboxing solutions in preventing zero-day and advanced threats. Following the shootout, discuss your specific needs with our experts at booth 904 in the exhibit hall from 9-4 p.m.
  • SonicWall Live Demos
    • Date & Time: 9-4 p.m.

Throughout the event, we’ll be showcasing the SonicWall Advanced Threat Protection sandbox service, the new SonicOS 6.5, NSA 2650 next-gen firewall, SonicWave Wireless Access Points,  Cloud Analytics and Secure Mobile Access 12.1 with ongoing demonstrations focused on:

  •  Advanced Threats: Watch our award-winning multi-engine sandbox, SonicWall Capture ATP, scan network traffic in the cloud, and block unknown files until our Capture Threat Network reaches a verdict in near real-time.
  • Encrypted Threats: Most web-based malware is hidden by SSL/TLS encryption. Watch our DPI-SSL uncover hidden malicious attacks, block C&C communications and stop data exfiltration.
  • Wireless & Mobile Threats: Wi-Fi and mobile devices present a major security risk for students, faculty and administrators. View our Wireless and Mobile Access solutions, including the new Secure Mobile Access (SMA) 12.1 and SonicWave 802.11ac Wave 2 wireless access points.
  • Email Threats: Email remains a primary vector for attacks, such as ransomware. Discover how our next-gen Email Security solution can block spoofed email attacks with hosted and on-premise configurations.
  • Restricted Web Content: Protect students and employees, and meet K-12 regulatory compliance. Watch our Content Filtering Client block inappropriate, unproductive, illegal and malicious web content on school-issued devices taken off campus.

SonicWall is dedicated to helping K-12 schools and districts innovate more and fear less. Realize the promise of technology-driven learning environments, on campus and over the web.

Join us at the 2017 CETPA Annual Conference, tune in via Twitter #CETPA2017 and follow @SonicWall.

Equifax Data Breach: What Can We Learn?

Equifax just rolled into the history books as the victim of one of the most widespread and dangerous data breaches of all time. The breach happened on March 10, 2017, at which time the cyber criminals leveraged the critical remote code execution vulnerability CVE-2017-5638 on Apache Struts2. This attack highlights the value of an Intrusion Prevention System (IPS) and virtual patching security technologies.

SonicWall developed definitions for this vulnerability for our Intrusion Prevention Service and afterward saw a large growth of IPS hits by the beginning of the third week of March 2017. The first lesson we can gain from the data is how quickly hackers rush to exploit a critical vulnerability (see chart below).

Every announcement of this magnitude is like Black Friday for hackers. Also, seeing this one attack highlights how, in 2016, SonicWall blocked over 2.6 trillion IPS attacks on customer systems.

This means if there is a critical patch you either need to install it ASAP or have an automated solution in place that can block related attacks such as IPS (Learn how IPS works) until you can do so. This is the same lesson everyone should have learned years ago, if not since WannaCry. In fact, had people patched after WannaCry, none of us would have heard of NotPetya.

However, many believe that the conventional wisdom of patch and train is ultimately not working. If manual patching of vulnerable systems worked, why would the number of breaches continue to escalate?

A 2016 survey from Black Hat showed that even people who rate themselves as very knowledgeable about IT security can be coerced into clicking phishing links in emails. So, it seems that training alone is not the answer either.

We at SonicWall think there is a better way. We believe in automating as much of the protection as possible — on the network, for email, for mobile users, on Wi-Fi and at the endpoint. That is why we built our automated real-time breach prevention and detection platform. It’s why we believe in cloud-based, zero-day protection, and also why we built the Capture Advanced Threat Protection sandbox service into every element of our platform.

So, what can you do to keep yourself safe against these IT weak spots? Here is a list of best practices for staying safe in today’s dynamic, fast-moving threat landscape:

  • Implement automated real-time breach prevention. Deploy SonicWall next-generation firewalls with Gateway Anti-Virus and Intrusion Prevention Services (GAV/IPS) to stop known attacks like those on the critical Apache Struts2 vulnerability. SonicWall’s Deep Learning Algorithm, which learns from over 1 million sensors deployed around the globe, with the ability to push out real-time updates within minutes within GAV/IPS.
  • Use cloud-based sandboxing. Leverage SonicWall Capture ATP, our multi-engine cloud sandbox to discover and stop unknown attacks, such as new ransomware attacks.
  • Inspect TLS/SSL traffic. Because of the rise in malware being encrypted, always deploy SonicWall Deep Packet Inspection of all TLS/SSL (DPI-SSL) traffic. This will enable SonicWall security services to identify and block all known ransomware attacks.
  • Defend against phishing attacks. Implement advanced email security, such as SonicWall Email Security, that leverages malware signatures to block email-borne threats that are often used to deliver malware. It is estimated that 65 percent of all ransomware attacks happen through phishing emails, so this needs to be a major focus when giving security awareness training.
  • Filter malicious content and sources. Customers should activate SonicWall Content Filtering Service to block communication with malicious URLs and domains, which work similar to the way botnet filtering disrupts C&C communication.
  • Never stop patching. Apply the latest patches on all of your systems. Implement policy to ensure it happens and be consistent in verifying it is being followed.
  • Improve attack awareness. Train your users to shut off their computers if they suspect a malware infection. While their machine is likely compromised, this practice well help limit malware from using the endpoint as a launching point into the network.
  • Back up data. It is always a good idea to maintain current backups of all critical data to allow recovery in the event of a ransomware event. For larger organizations, build redundant disaster recovery and business continuity plans to ensure operations are not impacted.

For more information, download 10 Ways to Securely Optimize Your Network.

SonicWall Expands Scalability of its Next-Generation Firewall Platforms and DPI SSL to Address Encrypted Threats

Day after day, the number of users is growing on the web, and so is the number of connections. At the same time, so is the number of cyberattacks hidden by encryption. SonicWall continues to tackle the encrypted threat problem by expanding the number of SSL/TLS connections that it can inspect for ransomware.

Today, a typical web browser keeps 3-5 connections open per tab, even if the window is not the active browser tab. The number of connections can easily increase to 15 or 20 if the tab runs an online app like Microsoft SharePoint, Office web apps, or Google Docs. In addition, actions such as loading or refreshing the browser page may temporarily spike another 10-50 connections to retrieve various parts of the page. A good example this scenario is an advertisement heavy webpage that can really add connections if the user has not installed an ad blocker plugin. Also keep in mind that many ad banners in web pages embed a code to auto-refresh every few seconds, even if the current tab is inactive or minimized. That said, it makes a lot of difference how many browser tabs your users typically keep open continuously during the day and how refresh-intensive those pages are.

We can make some assumptions on the average number of connections for different types of users.  For example, light web users may use an average of 30-50 connections, with peak connection count of 120-250.  On the other hand, heavy consumers may use twice that, for up to 500 simultaneous connections.

If a client is using BitTorrent on a regular basis that alone will allocate at least 500 connections for that user (with the possibility to consume 2,000+ connections). For a mainstream organization it is safe to assume that on average 80% of the users are considered as light consumers, whereas the remaining 20 percent are heavy consumers. The above numbers will provide a ballpark of a few hundred thousand connections for a company of 1,000 employees – 3 to 5 times higher than the number of connections for the same organization a decade ago.

With all the changes in browser content delivery and presentation, as well as users’ advanced manipulation of the web and its content, it’s necessary for SonicWall to address the forever increasing demand in the number of connections to satisfy the customer need and provide them with a better user experience. In the recently released SonicOS 6.2.9 for SonicWall next-gen firewalls, our engineering team has increased the number of stateful packet inspection (SPI) and deep packet inspection (DPI) connections to better serve this need.

Below is the new connection count  for Stateful Packet Inspection connections for SonicWall Gen6 Network Security Appliance  (NSA) and SuperMassive Series firewalls in the new SonicOS 6.2.9 when compared to the same count in the previous 6.2.7.1:

SPI Connection Chart

In addition, the number of DPI connections has increased up to 150 percent on some platforms. Below is a comparison of the new connection count in SonicOS 6.2.9 against SonicOS 6.2.7.1.
DPI Connection Chart

Finally, for security-savvy network administrators we have provided a lever to increase the maximum number of DPI-SSL connections by foregoing a number of DPI connections. Below is a comparison of the default and maximum number of DPI-SSL connection by taking advantage of this lever.

Increase Max DPI SSL Connections Chart

We also enhanced our award winning Capture ATP, a cloud sandbox service by improving the user experience of the“Block Until Verdict” feature, which prevents suspicious files from entering the network until the sandboxing technology finishes evaluation.

In addition, SonicOS 6.2.9 enables Active/Active clustering (on NSA 3600 and NSA 4600 firewalls), as well as enhanced HTTP/HTTPS redirection.

Whether your organization is a startup of 50 users or an enterprise of few thousand employees, SonicWall is always considering its customers’ needs and strives to better serve you by constantly improving our feature set and offerings.

For all of the feature updates in SonicOS 6.2.9, please see the latest SonicOS 6.2.9 data sheet (s). Upgrade today.

Why You Can Not Afford to Ignore SSL Inspection

I often get asked, “Why should we implement SSL inspection? We just upgraded our security from stateful inspection to deep inspection. If something is encrypted, is it not encrypted for a reason, for being secure?” Let me explain…

Back in the day, network traffic was well behaved. If you were a software vendor and wanted to offer a new application, you had to sign up with IANA and get a reserved port for your application. It is called a socket, the combination of a port number and a protocol such as TCP. The first firewalls were simple packet filters who controlled traffic to an application by controlling access to a socket. Firewalls evolved to stateful inspection, where you are not just controlling who has access to a socket but also the integrity of a TCP connection from the beginning of a proper handshake to closure. Once a connection is established, only this particular client and the application can communicate.

This whole paradigm changed when many more applications were developed than ports were available. Instead of applying for a new socket with IANA, software vendors zoned in on socket 80/TCP which is used by regular web servers. This also became a convenient port since most firewall policies would permit this port already. Recent Sonicwall research on customer networks shows that, today, over 90% of all connections use this port (or its cousin 443/tcp). The rest is mostly mail and DNS, and some voice-over-IP (VoIP) traffic. You may ask, “If everybody is using these two sockets, and I need to leave the socket open because a client could sit anywhere on the Internet (and for that matter a server could sit anywhere in the cloud), what is stateful inspection good for?” Exactly!

The security industry shifted towards deep inspection. Sonicwall was actually one of the very early players and evolved from SPI (Stateful Packet Inspection) to DPI (Deep Packet Inspection) over a decade ago, with many traditional security vendors only getting onto the bandwagon very recently. Deep inspection no longer cares about the socket, it cares about what data is transmitted, and whether it contains malicious content. With DPI, you can decide what applications do and do not go through your firewall. It is as granular as permitting Facebook, but denying “likes”, and does this regardless of which socket the application is using. DPI also protects from malicious content, both within the data stream as well as with embedded files, at a central network location.

What does this have to do with SSL inspection? SSL (Secure Socket Layer) is the most commonly used encryption technology on the Internet, as it allows virtually any client to build with any other server an encrypted connection, without building a prior trust relationship. Just like how SPI became less effective, DPI became less effective within the last two years. In order for DPI to look into traffic, it cannot be encrypted. Encrypted traffic looks to a firewall just like a random series of bits and bytes. If SPI became, to say it casually, “useless”, you see, the same happens to DPI right this very moment. Because all a malicious actor has to do is to encrypt the communication and can tunnel through the firewall, completely bypassing any security policy.

There are many reasons why this just happened overnight. For one, computers kept following Moore’s law, and became incredibly cheap and accessible. Malware is often distributed from breached machines, such as notebook computers, smart phones, or even the Internet of Things (such as your baby monitor). All of these devices can distribute encrypted malware while the performance impact on these devices is so minimal that the user will not notice. Another reason is that, with the Edward Snowden disclosures, many technology companies very vocally encouraged content providers to switch to encrypted traffic for pretty much anything in order to maintain citizen’s privacy from their own, or a different government. Now you add large operators of server farms to the mix, who can all be abused and (involuntarily) converted into malware distribution platforms, and you have the perfect storm. The firewall you “just” updated from SPI to DPI is on its way to become redundant as it becomes blind.

SonicWall calls SSL inspection DPI-SSL, which stands for Deep Packet Inspection of SSL encrypted traffic. Instead of the client, such as web browser, establishing an encrypted connection directly with a web server, DPI-SSL works by establishing an encrypted connection between the client and the SonicWall firewall. The SonicWall firewall then establishes an encrypted connection to the server so that the SonicWall firewall can inspect the traffic in-between. This all happens transparently and automatically, without user interaction, but with the user’s knowledge to maintain integrity.

But now you may be thinking:  “I just upgraded to deep inspection. Now I have to invest into SSL inspection technology?” This is true for most vendors, unfortunately. Over half of all vendors require you to purchase a dedicated platform to perform SSL decryption and re-encryption services. We at SonicWall believe that many vendors did not take investment protection seriously three years ago, when they promised investment protection to you when you bought the deep inspection solution. SonicWall as the leader of DPI, recognizes the importance of SSL inspection as well as the investment customer made into DPI already. For this reason, SonicWall issues DPI-SSL licenses free of charge.

The good news is that DPI-SSL is not just free, but also already built into your SonicWall Gen-6 TZ, NSA, or Super Massive appliance. Stay tuned for my next blog, where we will discuss technical details and how you implement DPI-SSL into your network.

Are You Seeing This? Uncovering Encrypted Threats

Night vision goggles. Airport x-ray machines. Secret decoder rings. What do they all have in common? Each helps you find something that is hidden, whether it’s an object or code that someone may not want you to discover. Your organization’s security solution needs to perform in a similar manner by inspecting encrypted traffic. Here’s why.

Over time, HTTPS has replaced HTTP as the means to secure web traffic. Along the way there have been some inflection points that have spurred on this transition such as when Google announced it would enable HTTPS search for all logged-in users who visit google.com. More recently, Google began using HTTPS as a ranking signal. Other vendors including YouTube, Twitter and Facebook have also made the switch. If you read articles on the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption the latest numbers typically indicate that a little over 50% of all web traffic is now encrypted and that percentage is expected to continue growing. At SonicWall, data gathered by our Global Response Intelligence Defense (GRID) Threat Network shows the percentage to be a little higher, around 62%. We found that as web traffic grew throughout 2016, so did SSL/TLS encryption, from 5.3 trillion web connections in 2015 to 7.3 trillion in 2016. Like others, we also expect the use of HTTPS to increase.

On one hand, this is good news for everyone. Securing web sessions, whether the user is making a financial transaction, sending/receiving email or simply surfing the Internet, is a good thing. It’s also good business for organizations such as online retailers who receive sensitive personal and financial information from their customers and need to secure it from hackers. On the other hand, cyber criminals are now hiding their attacks in encrypted web traffic. Threats such as malware, intrusions, and ransomware are able to pass through the network undetected if they’re hidden using encryption. Cyber criminals are also using encryption to receive communications back from infected systems.

Given organizations’ growing trend toward HTTPS and its use by hackers to steal information, it makes sense to have a security solution in place that can decrypt and scan SSL/TLS-encrypted traffic for threats. Not everyone does, however, especially smaller organizations. According to Gartner’s Magic Quadrant for Unified Threat Management (UTM) from August 2016, the research and advisory company estimates that “Less than 10% of SMB organizations decrypt HTTPS on their UTM firewall. This means that 90% of the SMB organizations relying on UTM for web security are blind to the more advanced threats that use HTTPS for transport.”

Let’s add a little more fuel to this. By now most people have heard of the “Internet of Things.” The idea is that we have all manner of devices available that can connect to the Internet and send/receive data. No longer is it just our PC, laptop, smartphone and tablet. It’s our TV, car, refrigerator, watch, security camera. Essentially anything that’s Internet-enabled. The number of connected devices is growing rapidly. Gartner forecasts there will be 8.4 billion connected “things” in use in 2017 and by 2020 that number will grow to 20.4 billion. That’s a lot of things that can be potentially taken over by malware delivered through encrypted traffic.

Here’s the big question every organization needs to ask. “Does our security solution (typically a firewall) have the ability to decrypt SSL/TLS-encrypted web traffic, scan it for threats, use deep packet inspection technology to stop malware, and do it all with little or no performance hit?” If your firewall is three years old or more, the answer is likely no. Legacy firewalls may decrypt the traffic and do some threat detection, but not prevention. Or, it may do everything that’s required, just very slowly which isn’t good either. The firewall shouldn’t be a bottleneck.

In his blog titled, “DPI-SSL: What Keeps You Up at Night?” my colleague Paul Leets states, “We must look into encrypted packets to mitigate those threats.” And he’s right. We need to be able to “see” into encrypted traffic in order to identify threats and eliminate them before they get into the network. And it needs to be done in real time. We call this automated breach prevention and it’s what our lineup of next-generation firewalls delivers. To learn more about automated breach prevention and how SonicWall next-generation firewalls decrypt SSL/TLS-encrypted traffic and scan for and eliminate threats without latency, visit the “Encrypted Threats” page on our website. Secret decoder ring not required.