Network Security, Part 2. Next-Generation Firewall

    If you look at the interactive map of current cyber attacksoccurring in the world in real time, it becomes obvious that the only place where there is no criminal cyber activity on Earth is Antarctica. 2014 was rich in high-profile hacks and data leaks. Hacking Apple iCloud, followed by uploading intimate photos of various famous people to the network, data leakage from 80 million clients from JP Morgan, Trojan to Regin on computers of the EU administration, hacking eBay, hacking Home Depot, DDoS attack on the Kremlin website, hacking of the Moscow metro network and etc. However, hacking Sony Entertainment is remarkable in that for the past three years, the company's infrastructure has been hacked for at least the third time. Therefore, before talking about modern firewalls,

    A few words about what actually happened. On Friday, November 21, 2014, Sony executives received a letter asking them to pay a certain amount so that Sony's IT infrastructure avoided the “massive bombardment." The letter did not attach importance, for many managers it fell into spam, but already on November 24, 2014, Sony employees, arriving at work on Monday morning, saw the following picture on their monitors:


    Most of the company's computers and IT services were inoperative. According to some sources, over the next few days, Sony employees did not use work computers and worked with a pen and paper. In the course of this attack (it is believed that the latent phase of the attack developed from several months to a year), data leaked from Sony (according to some estimates, totaling up to 100 terabytes) for millions of dollars. Subsequently, hackers uploaded several new films not yet released to the screens and a large amount of confidential information, including personal data of employees. According to various estimates, the approximate cumulative damage from this attack amounted to about $ 100 million.

    How did this happen and, most importantly, why?

    The malware involved in the attack on Sony Entertainment is called the Destover Trojan ; It is a wiper -type malware that can remove data from hard drives and overwrite MBR in the desired way. A wave of such attacks using various wipers has swept since 2012 in Central Asia (attack on Saudi Aramco, with the destruction of data on more than 30,000 computers, attack on the Qatari Rasgas, etc.) and so far ended with a high-profile story with Sony .

    According to experts, the attackers apparently gained full access to the Sony Entertainment internal network before they began to distribute this trojan to computers within the network. They acted according to the classical attack scheme shown in the figure below.

    Attack Lifecycle:



    1. Penetration (infiltration) is not known for certain (at least not publicly disclosed) how hackers initially entered the Sony network this time. Three versions are expected - insider help, classic phishing, or exploiting vulnerabilities in web services with the subsequent organization of backdoor. Ultimately, hackers gained access to the Sony network with administrator privileges.

    2. Study - further hackers built a map of the network and IT resources of Sony Entertainment, received account names and administrator passwords, access certificates, etc.

    3. Capture resources - having on their hands a resource map and all the necessary credentials to access them, hackers began to deploy malware on the company's resources and at the same time steal / remove valuable data from the Sony infrastructure.

    4. Damage and exit from the attack - at this stage, the wiper installed on the resources overwritten the data on the company's hard drives and eliminated the traces.

    5. Monetization - hackers tried to monetize the attack, offering Sony Entertainment executives ransom to prevent the destruction of IT infrastructure and the disclosure of confidential information. After the refusal, the hackers began to spread the stolen confidential data into the public network.

    The question remains open - why is this not the first time this happens with such a large and well-known company as Sony? According to experts, one of the key security issues at Sony is that their security system was built on a reactive basis and, as a subsequent audit of the infrastructure showed, potential threats were not recognized and prevented on time. The third high-profile hack in three years clearly says that Sony needs to change something in the network security structure and focus, apparently, on pro-active processing and prevention of threats.

    The Sony case and other hacking and data leakage stories of recent years confidently confirm that in order to combat emerging threats, a business should invest in next-generation network security tools that eliminate existing shortcomings of traditional security technologies. For example, the next-generation firewall (NGFW) was created primarily as a response to the inability of traditional Stateful FWs to detect threats in application traffic, such as http traffic. In addition, an important feature of NGFW is the ability to identify traffic and associate it with a specific user.

    GARTNER defines NGFWso: next-generation firewalls (NGFWs) are devices that perform deep packet inspection (beyond port / protocol), with the ability to inspect and block application-level traffic, including built-in intrusion prevention systems and intelligent traffic processing based on integration with external systems. At the same time, NGFW should not be confused with an isolated intrusion prevention system (IPS) or IPS, which includes a regular firewall that is not integrated with IPS in one solution. Briefly summarizing this definition, NGFW is a device with application-level traffic control, a built-in intrusion detection system and identification of user traffic identity .

    For some, the emergence of the NGFW concept causes the “deja vu” effect, there is a sense of similarity between NGFW and the UTM (Unified Threat Management) concept, common in the recent past. These are really similar approaches, attempts to effectively combine protection against several types of threats in one device at once. However, there are significant differences that allow you to uniquely separate these device classes among themselves and separate them from the traditional Stateful Firewall (hereinafter simply FW). The table below summarizes the main parameters and positioning of devices such as FW, UTM and NGFW.



    Thus, UTM AND NGFW are different classes of equipment designed to solve different types of tasks. And as GARTNER predicts for us, the time of traditional devices that provide network protection is gradually leaving for the replacement of a new type of device - NGFW.


    In 2013, HP announced the release of the HP TippingPoint Next-Generation Firewall (NGFW). HP NGFW is built in accordance with the concept described above and is designed to meet the needs of enterprises of different sizes in terms of network security, taking into account modern requirements for network efficiency, reliability and scalability of solutions. NGFW is implemented on the NGIPS platform with a reliability of 7 nines (99.99999% uptime) and allows you to identify and control network applications, reducing the company's potential risks from the implementation of complex network threats. In addition, for those who already have HP TippingPoint products (NGIPS,

    A remarkable feature of the HP NGFW solution is the presence in HP of a structure (DVLabs) that searches for vulnerabilities in software from various manufacturers and releases relevant updates to cover them. Brief statistics on the work of DVLabs, today:

    • 8,200+ out-of-the-box filters
    • About 20 new filters per week
    • Every 12th filter is a Zero Day filter
    • 379 zero day filters released in 2014
    • Medium pre-coverage vulnerability with zero day filter of 50 days
    • 10% application filters
    • 40% of the filters are running by default in the recommended settings.
    • 3,000 researchers participate in HP Security Research Zero Day

    Participation in the development of filters by external experts allows you to develop truly high-quality filters. By focusing on the root cause, this filter allows you to identify threats leaking through predefined template attacks. Moreover, the filters are built so that their use minimally affects the overall performance of the solution.

    Regarding the processing of application traffic, HP TippingPoint NGFW can control traffic both at the level of the application type and at the level of its various sub-types. At the same time, HP focuses on the main business applications relevant in the corporate environment. The graph below confirms that this policy is bearing fruit - HP is a leader in this area.



    Let's say a few words about the Zero Day Initiative (ZDI) program - what it is and why it is important. In Zero Day, Exploit is a vulnerability in software that is not yet known to the supplier and it is a security hole that could be exploited by hackers before the supplier realizes it and tries to fix it. The attempt to exploit the vulnerability can be different and include attempts to introduce malware / spyware into the infrastructure, attempts to access user information, etc. As soon as the vulnerability becomes known, a race begins between attackers and developers, who will release the corresponding software faster - exploit hackers or patch developers. And hackers in this race often win, for various reasons (inertia of the developer company, users do not immediately install the appropriate patches, etc.). With the ZDI program, HP takes the lead in this race and tries to act pro-actively, detecting and closing vulnerabilities before they are found and implemented by attackers. Recalling the Sony case, which was discussed at the beginning of the article, I dare to suggest that the use of ZDI could significantly help implement a proactive defense strategy for the company and, perhaps, the latest attack would not have such devastating consequences.

    This program has greatly expanded the scope of information security research, as well as significantly reduced the number of vulnerabilities entering black markets. As a result of the ZDI program, HP has been recognized as a leading vulnerability reporter, as shown in the diagrams below.
     




    Read a little more about the HP NGFW product. To date, there are 5 different device models on sale that differ primarily in performance. The table below shows devices with brief specifications and recommended uses.

    Branches / Small NetworksCorporate NetworksData center
    HP NGFW S1050FHP NGFW S3010F / S3020FHP NGFW S8005F / S8010F
    1RU
    2RU
    2RU
    500 Mbps
    1-2 Gbps
    5-10 Gbps
    10K new connections per second
    20K new connections per second
    50K new connections per second
    250K competitive compounds
    500K / 1M competitive compounds
    10M / 20M competitive compounds






    Key functional features of NGFW are summarized below:

    • Easy to install, configure and manage:
      • Installs in minutes;
      • "Set and forget" using the recommended IPS settings;
      • Intuitive web-based interface;
    • Central management using SMS:
      • Manage NGFW and IPS in one console;
      • Reuse of IPS and NGFW policies;
      • Fast and convenient reports;
      • Convenient event analysis;
      • RBAC based access;
    • Over 8,000 predefined filters
    • Focus on vulnerabilities, not on implemented attacks
      • Large investment in security research;
    • Built-in highly reliable (7 nines) IPS
    • Policy size does not significantly affect performance
    • Fault tolerance (support of work in the Active-Passive mode)

    Thank you for your attention, to be continued.

    Also popular now: