Please register the TZ 300 in your partner account!!!

Post on 09-Jun-2020

TRANSCRIPT

Page 1: Please register the TZ 300 in your partner account!!!… · Advanced Threat Protection Service (Sandbox) Available Services, Trade-in and Total Secure Product Description Stand

Please register the TZ 300 in your partner account!!!

Page 2

SonicWALL Update

Jean-Marc Baumann

Regional Manager Switzerland / Austria

Page 3

SonicWALL’s Future

• SonicWALL will be an independent company

• Day “One” is 1 November 2016

• Channel of distribution will stay the same

Page 4

SonicWALL Selling Models

Classic Sell-out

- Offer Hardware and Services to your customer and sell it

- The customer is the owner

MSP

- Offer Managed Security Services to your customer

- Sell or lease the appliance to the customer

- Offer additional services which make you as a partner unique

- Manage renewals over Flexspend

- Use GMS to manage centrally

SECaaS

- Offer security solution on a monthly payment to the customer

- Combine this model with the MSP model

Unique selling model offer from one Vendor – DELL SonicWALL

Page 5

SonicWALL News

• Price increase as of 1 November 2016

• On Gen5 Services and Support (TZ215, NSA 220, NSA 2400, NSA 3500 etc.)

• Potential to upgrade to Gen 6

• Secure Upgrade Promo

• Renewal today

• The prices online are already higher

Page 6

SonicWALL Partner Event

• 4 November 2016, 9 to 5

• GDI Gottlieb Duttweiler Institute, Langhaldenstrasse 21, 8803 Rüschlikon/Zürich

• Technical Update / Sales Infos

• Free participation

• Registration: http://peak16.dell.com/regional/switzerland.html

Page 7

Dell SonicWALL Capture Advanced Threat Protection Service (Sandbox): Available Services, Trade-in and Total Secure

Product description

Stand-alone SKU

- Capture Advanced Threat Protection Service (ATP): multi-engine threat analysis service detects and blocks unknown and zero-day threats at the gateway

Bundled SKUs

- Advanced Gateway Security Suite (AGSS): includes Comprehensive Gateway Security Suite (CGSS) plus Capture ATP

- Total Secure – Advanced Edition: includes appliance and Advanced Gateway Security Suite (AGSS)

- Secure Upgrade Plus – Advanced Edition: includes appliance and 2 or 3 years of AGSS, heavily discounted for customers who would like to upgrade their Gen5 SonicWALL

Page 8

Dell SonicWALL Capture Advanced Threat Protection Service (Sandbox): Available Services, Trade-in and Total Secure – examples

• Customer with existing Security Services (CGSS) requests Sandbox – Sell a “Capture Advanced Threat Protection Service” to add Sandbox to the running security services

• Customer with existing Security Services (CGSS) needs a renewal – Sell an Advanced Gateway Security Suite to have Sandbox functionality

• Customer has a Gen5 appliance (NSA 3500, NSA 2400) – Sell a “Secure Upgrade Plus Advanced Edition” to upgrade the customer to current hardware plus Sandbox

– The standard Secure Upgrade Plus is still available (no Sandbox)

Page 9

Security at the highest level

Technical Training

Daniel Bühler

Page 10

DPI-SSL

Page 11

Research shows that IT administrators persist in disabling key firewall features in order to maintain network performance levels.

1/3 of all IT managers admitted to turning off firewall features or declining to enable certain security functions in an effort to increase the performance of their networks.

It is unfortunate that turning off important firewall features because of network performance concerns has started to become common practice.

Many organizations choose to turn off DPI because of the high demands it places on network resources.

DPI yields upwards of a 40% degradation of throughput. Average of 75% or more performance degradation for DPI, anti-virus and application control when all are enabled.

Source: Connected Security 360

Security: turn off DPI and other firewall functions

Page 12

DPI Security Appliance Technology

1. Stateful Packet Inspection

– Packet Filtering

– Access Control Rules

– IPsec VPN

Deep Packet Inspection:

2. Intrusion Prevention – The front-line network defense against application attacks

3. Application Identification & Visualization – Can’t control what you can’t see

4. User Identification through Single Sign On (SSO) – Correlate network traffic with users

5. Application Control – Granular control (Allow Facebook, Block Social Gaming)

6. SSL Decryption – Don’t allow threats to tunnel through encrypted channels

7. Threat Prevention – Anti-X (Virus/Trojan/Malware)

8. SonicWALL Capture – Sandboxing

Page 13

All of this is possible without sacrificing performance

Page 14

Security Orientation – SPI vs. DPI

Deep Packet Inspection

Stateful Packet Inspection

Page 15

Breaks the malware cycle

How does an NGFW secure the network?

Malware cycle (figure labels): Compromised “Good” Site, Page Visit, Malware Hosting Site, Malware Request, Exploit, Malware

NGFW countermeasures (figure labels, all applied on top of SSL Decryption): URL Filtering, Intrusion Prevention, Network Anti-Virus, Cloud Anti-Virus, Botnet Filtering, Capture APT

Page 16

Competitive architecture

Differentiator -> Scalable Architecture

Malware

Packet assembly-based process

Page 17

Dell SonicWALL architecture (RFDPI)

Differentiator -> Scalable Architecture

U.S. Patents 7,310,815; 7,600,257; 7,738,380; 7,835,361

Packet reassembly-free process

Page 18

Understanding Firewall Performance

Page 19

Firewall (Stateful, RFC 2544)                      6 Gbps
Intrusion Prevention (Stateful + IPS)              2 Gbps
Anti-Malware (Stateful + AV)                       1.1 Gbps
UTM or Full DPI (Stateful + AV + IPS)              800 Mbps
SSL Decryption (Stateful + AV + IPS + SSL)         500 Mbps
IMIX (Internet Mix, https://en.wikipedia.org/wiki/Internet_Mix)   1.6 Gbps

Page 20

Understanding Firewall Performance

                                            Dell SonicWALL NSA 3600   Vendor A Model X (F200D)   Vendor B Model Y (SG-210)   Vendor C Model Z (USG1100)
Price                                       ~3’995 $                  ~2’998 $                   ~3’149 $                    2’750 $
Firewall (Stateful, RFC 2544)               3.4 Gbit/s                3.0 Gbit/s                 11 Gbit/s                   6.0 Gbit/s
Intrusion Prevention (Stateful + IPS)       1.1 Gbit/s                1.7 Gbit/s                 2 Gbit/s                    550 Mbit/s
Anti-Malware (Stateful + AV)                600 Mbit/s                600 Mbit/s                 500 Mbit/s                  500 Mbit/s
UTM or Full DPI (Stateful + AV + IPS)       500 Mbit/s                500 Mbit/s                 ?                           ?
SSL Decryption (Stateful + AV + IPS + SSL)  300 Mbit/s                ?                          ?                           ?
IMIX (Internet Mix)                         900 Mbit/s                ?                          ?                           ?

Page 21

DPI – Deep Packet Inspection

• The DPI throughput shows the combined performance of all security features (GAV, IPS/IDS, Anti-Spyware, Content Filter etc.)

• Most vendors show the throughput only for the individual security features – for GAV, for IPS etc.

• But only the DPI performance is the right data to size a solution – if this information is not available, it is not certain that the chosen product can keep up with the internet bandwidth

Check whether the vendor shows the DPI throughput!

Page 22

Why DPI SSL?

Page 23

Increased usage of SSL encryption

http://searchengineland.com/google-starts-giving-ranking-boost-secure-httpsssl-sites-199446

http://siliconangle.com/blog/2014/05/20/the-internet-strikes-back-global-encrypted-ssl-traffic-booms/

https://www.sandvine.com/trends/global-internet-phenomena/

Page 24

Market trend – SSL Inspection

• Google and industry driving https

• SSL/TLS drives inspection engine cycles, requiring larger devices or fail-open/whitelisting

• Malware easily tunneled or not inspected due to overhead required

• NGFW sales cycle and sizing need to account for this growing requirement – upsell

• Differentiator for SonicWALL due to price/performance

Page 25

DPI-SSL Inspection

Organizations not inspecting SSL traffic are blind to as much as 2/3 of the traffic on the network.

As much as 65 percent of corporate network traffic is encrypted using SSL. (2015 Dell Security Threat Report)

HTTPS, SMTPS, NNTPS, LDAPS, FTPS, TelnetS, IMAPS, IRCS, and POPS — and regardless of the port

Page 26

DPI-SSL Awareness & Threat Prevention

Picture this…

An end-user on your network uses their corporate-issued workstation to check their email. They access their private email account through their browser.

The user opens an email from an individual that they know and trust. Their friend has sent them a list of jokes in an attached PDF file. Looking for a good laugh, the user opens the attachment…

He wasn’t expecting to be accessing an infected file containing the ZeuS virus exploit, which in turn downloaded the latest mainstream form of ransomware…

Page 27

DPI-SSL Awareness & Threat Prevention Cryptolocker

Page 28

DPI-SSL Awareness & Threat Prevention

By leveraging patented RFDPI technology, the Dell SonicWALL is capable of decrypting and inspecting SSL traffic on the fly, without proxying, for malware, intrusions and data leakage, and applies application, URL and content control policies in order to protect against threats hidden within SSL-encrypted traffic.

Had the network been implemented with a Dell SonicWALL appliance that is capable of DPI-SSL, then the encrypted traffic would have been inspected as it traversed the firewall. This would include access to third-party HTTPS websites such as Gmail. When the user attempted to download the infected file, the SonicWALL would have flagged the event, blocked the malicious content, and alerted the user that the file was infected; it would also be evident in the log data for network administrators.

Page 29

Overview: Client / Server DPI-SSL

Page 30

Overview: Client DPI-SSL

• Users behind the firewall (that is, on the LAN) have their SSL traffic inspected by the NGFW/UTM appliance

• Owner of the NGFW/UTM appliance does not own the certificate and the original private key of the web server which the user is visiting

• NGFW/UTM appliance acts as a local certificate authority for every website that is visited by the user from the LAN

Page 31

How does client DPI-SSL work?

Client DPI-SSL: sequence of events

1. User makes an HTTPS request outside the network (https://mail.google.com)

2. Server (mail.google.com) sends back a certificate containing the server’s public key signed by a trusted certificate authority

3. DPI-SSL module of the NGFW/UTM appliance will rewrite the certificate by signing it with either SonicWALL or locally trusted certificate authority and send it back to the LAN user

4. LAN user accepts the resigned certificate, and SSL negotiation can proceed between the LAN user and the NGFW/UTM appliance

5. At the same time, SSL negotiation between the NGFW/UTM appliance and the remote server (mail.google.com) takes place
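The five steps above played out in Go, as an added example that is not SonicWALL code: a constructed public root issues the real certificate for mail.google.com (step 2), a constructed DPI-SSL CA re-signs it on a key the appliance holds (step 3), and two browsers check the result (step 4), one trusting only the public root and one that also trusts the appliance CA. All CA names and keys are generated on the spot.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ca is a certificate authority with its key: the stand-in public CA (step 2) or the appliance's DPI-SSL CA (step 3); both are constructed here.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign creates a certificate from tmpl under parent and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key) // self-signed root
	return &ca{cert: cert, key: key}, err
}

// issue signs a server certificate for cn/dnsNames under this CA on a fresh key
// (the leaf's private key is not needed for the verification shown here).
func (c *ca) issue(cn string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: dnsNames, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, c.cert, &key.PublicKey, c.key)
}

// resign is step 3: keep the server's identity (CN and SANs), put it on a key the appliance controls, sign with the DPI-SSL CA.
func (c *ca) resign(orig *x509.Certificate) (*x509.Certificate, error) {
	return c.issue(orig.Subject.CommonName, orig.DNSNames)
}

// verifyAs is step 4 from the browser's side: chain the presented leaf to the roots this browser trusts, for the host it asked for.
func verifyAs(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

type Result struct { // what the LAN user's browser concludes about the re-signed certificate
	SameNames       bool // CN and SANs of the original were preserved
	SameKey         bool // false: the server's key was replaced by the appliance's
	PublicRootOnly  bool // a browser trusting only the public root accepts it
	WithApplianceCA bool // a browser that also trusts the DPI-SSL CA accepts it
}

// clientDPISSL plays steps 2 to 4 for one host and reports what each browser sees.
func clientDPISSL(host string) Result {
	publicRoot := must(newCA("Public Root (constructed)"))
	dpiCA := must(newCA("SonicWALL DPI-SSL CA (constructed)"))
	orig := must(publicRoot.issue(host, []string{host})) // step 2: the real server certificate
	resigned := must(dpiCA.resign(orig))                  // step 3: the appliance's copy
	return Result{
		SameNames:       resigned.Subject.CommonName == orig.Subject.CommonName && len(resigned.DNSNames) == 1 && resigned.DNSNames[0] == host,
		SameKey:         resigned.PublicKey.(*ecdsa.PublicKey).Equal(orig.PublicKey),
		PublicRootOnly:  verifyAs(resigned, host, publicRoot.cert),              // step 4 fails: issuer unknown
		WithApplianceCA: verifyAs(resigned, host, publicRoot.cert, dpiCA.cert), // step 4 succeeds
	}
}
```

clientDPISSL("mail.google.com") is the entry point; the re-signed certificate keeps the server's names, carries a different key, and is accepted only once the DPI-SSL CA is in the client's trust store, which is what the deployment slides later in this deck are about.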

Page 32

Overview: Server DPI-SSL

• SSL sessions destined to the internal servers are inspected

• Owner of the NGFW/UTM appliance owns the certificate and the original private key of the web server which the user is visiting (thus, original certificate is imported into the appliance)

• The NGFW/UTM appliance serves the server’s original certificate to the visiting users and uses the server’s original private/public key pairs during SSL session negotiation

Page 33

How does server DPI-SSL work?

Server DPI-SSL: sequence of events

1. User makes an HTTPS request from outside to the server on the internal network (https://forum.sonicwall.com)

2. The UTM appliance already has a copy of the server’s certificate along with the original private key

3. The DPI-SSL module of the NGFW/UTM appliance will send the user the original certificate, and SSL negotiation between the user and the UTM appliance takes place

4. At the same time, SSL negotiation between the NGFW/UTM appliance and the local internal server (forum.sonicwall.com) takes place

– Clear text from NGFW/UTM to the internal server is optional

  o Requires a NAT policy to change the translated destination to HTTP/80

Page 34

High-level architecture

• DPI-SSL is not really a proxy

• Runs on data plane cores

• Can inspect inside all SSL sessions on all ports independently of the protocol (HTTPS, FTPS, LDAPS, SMTPS, POPS, IMAPS, NNTPS, TelnetS, IRCS)

– SSH support is in development

• Cleartext + SSL protocols are supported (that is, SMTP STARTTLS, explicit HTTPS proxy)

• Both encrypted and decrypted data are being scanned

• Content can be scanned as well as injected (block pages)

• Services supported for client DPI-SSL: Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, App Rules, Content Filtering

• Services supported for server DPI-SSL: Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, App Rules

Page 35

What are the industry limitations today?

• Processing power: key sizes, ciphers

• Knowledge of PKI, deployment pain

• Non-browser-based applications that leverage SSL (mobile, certain desktop apps)

• Distribution of certs in non-managed/trusted environments

• Connection count (memory allocation)

• Bypassing sites (whitelisting strategies)

Page 36

DPI SSL Enhancements

Page 37

Top News!!

Page 38

DPI-SSL feature enablement update for the Gen6 NSA Series

There have been some questions related to enabling DPI-SSL by default on the Gen6 NSA series and just making it a feature available to customers at no charge. This will begin on April 1, 2016 as part of the SonicOS 6.2.5.1 release.

DPI-SSL Requirements/FAQ

• Which NSA models will be eligible to have DPI-SSL enabled beginning on April 1, 2016? All Gen6 NSA firewalls – NSA 2600, 3600, 4600, 5600 and 6600 – registered on or after April 1, 2016 will be eligible to have DPI-SSL enabled as a feature on the appliance.

• What version of firmware should customers run on their NSA appliances in order to take advantage of DPI-SSL? We highly recommend customers upgrade to SonicOS version 6.2.5.1 or later. SonicOS 6.2.5.1 was web posted on MSW on March 29, 2016 and is available to all customers with a valid support contract.

• How does the customer activate the DPI-SSL feature on the NSA appliance? Once the firewall is running SonicOS 6.2.5.1 or later, on the License tab there will be a “Try” option for Deep Packet Inspection for SSL (DPI-SSL). Click on “Try” to activate the DPI-SSL perpetual license.

Page 39

SonicOS 6.2.5 DPI SSL Enhancements

• CFS category-based exclusion/inclusion

• Increased default CA cert database

• Granular policies per CN/domain name

• Proxy environment support (exclusions)

• Subject alternate name support —*.google.com vs. youtube.com

• Dynamic Exclusions

• Management audit of default bypass behaviors

• Troubleshoot connection failures with one-click exclude

• Server certificate authentication (for exclusions and decryption)

• Default exemption database

• DPI-SSL session counter

• UI Enhancements

Increased Granularity · Easy to Use GUI · Enhanced Debugging

Page 40

Refreshed GUI — left to right tabs

DPI SSL Capacity Statistics (Cur/Peak/Max)

Page 41

CFS Category Exclusion/Inclusion

Health

Financial transactions

Page 42

Management audit of default bypass behaviors

It’s your list, configurable too

Click to reject a built-in

Page 43

Audit first default exclusion updates

Enforce audit first policy

Notification: New firmware upgrade with changes to default exclusions

Page 44

Pop-up enrollments action


Page 45

Per common name exclusion options

Multiple entries at once!

Domain name exemptions for CFS Category exclusion

Skip authentication failures for this domain

Page 46

Troubleshoot connection failures

Page 47

Always authenticate server

• Useful feature for security-minded customers

– Most firewalls leave a security hole for excluded connections

– Most firewalls cannot detect MITM attacks on excluded connections

– Prevents potential client exploits that can take advantage of known exclusion domains

• Authentication happens inline during the connection flow

– Separate knobs for decrypted and excluded connections

– Block connections that fail authentication

– Granular policy for exemptions to block-authentication-failures

Page 48

DPI-SSL in WAN proxy environments

Page 49

Subject alternate name support

• Common use case is to exclude youtube.com

• A single server certificate contains multiple domains

• Can exclude for any of the alternate domains as well

• No longer need to exclude *.google.com in order to exclude youtube.com

• Scan gmail.com, exclude docs.google.com

• Detect and block a possible exploit evasion method of using fake/excluded common names

‘Always authenticate server’ should be turned on
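The exclusion and server-authentication logic of the two slides above (“Always authenticate server” and “Subject alternate name support”), written out as an added Go example that is not SonicWALL’s code; the decision model, the Policy and Session field names and the sample sessions are this example’s own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Action is what the appliance does with one SSL session.
type Action int

const (
	Decrypt Action = iota // re-sign and inspect (client DPI-SSL)
	Exclude               // pass through encrypted and uninspected
	Block                 // drop the connection
)

func (a Action) String() string { return []string{"Decrypt", "Exclude", "Block"}[a] }

// Policy holds the knobs named on the slides; the field names are this example's own.
type Policy struct {
	Exclusions          []string // per CN/domain exclusions, e.g. "youtube.com" or "*.bank.example"
	AuthDecrypted       bool     // "Always authenticate server" for decrypted connections
	AuthExcluded        bool     // the separate knob for excluded connections
	SkipAuthFailuresFor []string // "Skip authentication failures for this domain"
}

// Session is what the appliance sees mid-handshake: the name the client asked
// for (SNI) and the server certificate that came back.
type Session struct {
	RequestedHost string
	CommonName    string   // certificate subject CN
	SANs          []string // certificate subject alternative names
	ChainValid    bool     // outcome of the chain check, assumed already done
}

// matchName is the usual hostname rule: exact match, or a "*." pattern that covers
// exactly one leading label (*.google.com covers mail.google.com, not google.com).
func matchName(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	dot := strings.IndexByte(host, '.')
	return dot > 0 && host[dot+1:] == pattern[2:]
}

func anyMatch(patterns []string, host string) bool {
	for _, p := range patterns {
		if matchName(p, host) {
			return true
		}
	}
	return false
}

// certCovers is the subject alternative name support: the certificate authenticates
// the requested host if the CN or any SAN matches it, so a certificate with
// CN *.google.com and SAN youtube.com authenticates a request for youtube.com.
func (s Session) certCovers() bool {
	return anyMatch(append([]string{s.CommonName}, s.SANs...), s.RequestedHost)
}

// Decide applies the policy to one session and says why.
func (p Policy) Decide(s Session) (Action, string) {
	excluded := anyMatch(p.Exclusions, s.RequestedHost)
	mustAuth := p.AuthDecrypted
	if excluded {
		mustAuth = p.AuthExcluded
	}
	authenticated := s.ChainValid && s.certCovers()
	if mustAuth && !authenticated && !anyMatch(p.SkipAuthFailuresFor, s.RequestedHost) {
		return Block, "server authentication failed for " + s.RequestedHost
	}
	if excluded {
		return Exclude, "exclusion matched " + s.RequestedHost
	}
	return Decrypt, "no exclusion for " + s.RequestedHost
}

func main() {
	p := Policy{Exclusions: []string{"youtube.com"}, AuthDecrypted: true, AuthExcluded: true}
	google := Session{RequestedHost: "youtube.com", CommonName: "*.google.com", SANs: []string{"youtube.com"}, ChainValid: true}
	// Constructed case from the slide: the client asks for an excluded name, but the
	// certificate the server presents is for a different host entirely.
	fake := Session{RequestedHost: "youtube.com", CommonName: "c2.example", SANs: []string{"c2.example"}, ChainValid: true}
	for _, s := range []Session{google, fake} {
		a, why := p.Decide(s)
		fmt.Printf("%-8s %s\n", a, why)
	}
}
```

With AuthExcluded left off, the second sample session passes through uninspected although its certificate is for another host, which is the gap the slide attributes to firewalls that do not authenticate excluded connections.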

Page 50

Deploying DPI-SSL

Page 51

Use caution when enabling; understand the impact to traffic

Enable SSL client inspection

Page 52

Site untrusted

Page 53

Site given trust exception

Page 54

Different SSL site requires trust exception

Page 55

Different browser/same site requires trust exception

Page 56

Using the self-signed SonicWALL certificate

Page 57

Manual install of DPI-SSL certificate

Page 58

Page 59

Trusted site certificate with no exceptions

Page 60

Firefox challenges

• What about accessing HTTPS websites using Firefox?

• Chrome and Internet Explorer use the local certificate store for computer certificates, but not Firefox.

• We must import our certificate into Firefox’s trusted store for websites.

Page 61

Manual install of DPI-SSL certificate for Firefox

Page 62

Deploying via Active Directory Group Policy

Page 63

Distribute certificate via Group Policy Management

Page 64

Importing your domain’s CA and private root CA cert

• Import the public root CA certificate into the certificate store of SonicOS

  https://server/certsrv

  Import certificate to Dell SonicWALL, select “Import a CA certificate”

• Import the private root CA certificate for DPI-SSL

  Open MMC on the CA server and export it, making sure to select the “export the private key” checkbox

  Import certificate to Dell SonicWALL, select “Import a local end-user certificate with private key”

  Go to DPI-SSL >>> Client SSL and select this certificate for DPI-SSL

• Download DPI-SSL_Importing_CA_Certs_Technote.pdf:

  https://support.software.dell.com/download/downloads?id=5371893

Page 65

Deploying via policy page (Guest Services)

Page 66

Policy page without user authentication

• Guest Services allows you to configure a policy page for the users so that when users try to access the internet, the policy page is displayed, which they have to accept to be able to go online.

https://support.software.dell.com/sonicwall-nsa-series/kb/sw13857

Page 67

What about Apple and Android devices?

Page 68

What about Apple devices?

• With iPads and iPhones, email the certificate via an encrypted email (or email) as an attachment. Open the email and double click on the certificate, and the device will prompt through installing — very fast and easy.

• Redirect HTTP / HTTPS traffic to internal website that contains link to certificate for download.

• With Mac computers, install it through Applications>Utilities>Keychain Access.app>Certificates.

Page 69

What about Android devices?

• Redirect HTTP / HTTPS traffic to internal website that contains link to certificate for download.

• Connect the phone to the PC where the certificate is stored. Copy the certificate to the root of Internal Storage. Go to Settings > Security and install from SD card. https://support.software.dell.com/sonicwall-nsa-series/kb/sw14026

• Email the certificate via an encrypted email (or email) as an attachment. Open the email and double click on the certificate, and the device will prompt through installing — very fast and easy.

Page 70

Browsers and certificate stores — recap

• In Windows, Internet Explorer, Chrome and Opera use the Microsoft certificate store, and the certificate can be applied manually

• Firefox (manual or via NSS tool)

• NSS Certutil (http://community.spiceworks.com/how_to/15158-firefox-trust-a-local-certificate-authority-for-all-users-and-computers)

• Google Chromebooks have the Google Admin Console to push the certificate

Helpful KB articles

• Summary of All: DPI-SSL KBs and DPI-SSL Video (SW13506)

• UTM: Distribute SonicWALL DPI-SSL CA certificate to web browsers (SW10767)

• UTM: Distributing the Default SonicWALL DPI-SSL CA certificate to client computers using Group Policy (SW9734). Note: there is an error in this article: use Default Domain Policy, not Default Domain Controller Policy.

• How to manage around DPI-SSL connection limits? (SW13469)

• UTM: How to Configure Client DPI-SSL (Video Tutorial and KB Article) (SW8364)

Capture ATP

SuperMassive 9200-9600

Introducing SonicWALL Capture Advanced Threat Protection Service

• Multi-engine sandbox detects more threats than single sandbox technology

• Broad file type analysis and operating system support

• Blocks until verdict at the gateway

• Rapid deployment of remediation signatures

• Reporting and alerts

Cloud service detects and blocks zero-day threats at the gateway

TZ500 – TZ600, NSA 2600 – 6600

Increase security effectiveness against 0-day threats

• Multi-engine advanced threat analysis detects more threats, can’t be evaded

– Virtualized sandbox

– Full system emulation

– Hypervisor level analysis

• Broad file type and OS environment analysis

– PE, MS Office, PDF, archives, JAR, APK

– Windows, Android and Mac OS

• Automated and manual file submission

– Secured sUDP transport

Increase security effectiveness against 0-day threats

Pre-processing:

Document pre-filtering

Multiple virus engines

Signature pre-filter

CloudAV pre-filter

PE file authenticode

Archive, Domain and more…..

Increase security effectiveness against 0-day threats

Hash created

Signature created

Intelligence convergence
Capture: User experience

What’s new?

Mysonicwall Alerts and Notifications plan

Instant email

Reporting

Viewing threat reports

To view a threat report, click on any row on the log table on the status page:

Viewing threat reports

The report format varies depending on whether a full analysis was performed or the judgment was based on preprocessing:

Viewing the threat report header

Colored banner:

• The colored banner is red for a malicious file, and blue for a clean file.

• The top entry displays the date and time that the file was submitted to Capture ATP for analysis.

• Below the date and time, a summary of the result is displayed.

Lower banner:

• The lower part of the banner contains the connection information.

• On the left is the IP address (IPv4) and port number of the connection source. This is the address from which the file was sent.

• In the middle is the firewall identified by its serial number or friendly name.

• On the right is the IP address (IPv4) and port number of the connection destination. This is the address to which the file is being sent.

Viewing threat reports

Preprocessor threat reports contain an Analysis Summary section on the left side, which summarizes the findings based on the four phases of analysis during preprocessing.

If the virus scanners detect known malware in the file, all virus names are listed in the content area of the report.

Viewing the threat report

Under the status boxes, the full analysis threat report displays multiple tables showing the results from each analysis engine.

The engines are designated by names from the Greek alphabet, such as Alpha, Beta, Gamma, etc.

Each row represents a separate environment, and indicates the operating system in which the engine was executed.

The overall score from the analysis in each environment is displayed in a highlighted box to the left of the operating system. The color of the box indicates whether the score triggered a malicious or non-malicious judgment:

The left side of the full analysis threat report displays a summary of the preprocessing results as an explanation of why live detonations were needed. The term live detonations is used to indicate that one or more analysis engines and multiple environments were used to analyze the file in the cloud servers.

FAQ: Sales and Tech (What’s new?)

Sales Tips and Tools

Is a 30-day free trial available for Capture?

Yes. SonicWALL firewall customers can go to the license management page on their firewall UI to select a 30-day free trial. (Note: trial requires SonicOS 6.2.6 or above, and is available to customers with a current support contract.)

Is Capture included with firewall purchase?

New Capture-available firewalls include a 30-day Capture service trial at no additional charge. (See list of Capture availability dates above.)

Is Capture available for NFR firewalls?

Capture is not included with NFR firewalls at this time. Capture NFR SKUs will be available October 1, 2016.

Can I upgrade my CGSS service to include Capture?

Yes. You can purchase the Advanced Gateway Security Service (AGSS) subscription that includes Capture and use the mysonicwall.com co-termination feature to credit the remaining CGSS balance to the AGSS subscription.

Tech Talk

When a file is sent to the Capture cloud service for analysis and a verdict is returned, is the verdict stored by the firewall?

Yes. The file hash and verdict are saved locally and also in the Capture cloud service database. The verdict is then available to all Capture subscribers via the Capture database.

How long is the file verdict retained by the firewall?

The firewall retains verdicts for 24 hours. The Capture cloud database retains the hashes and verdicts of all files analyzed, and uses that information to pre-filter all files sent to the Capture service.

If a file download completes while the verdict is still pending, will the admin be notified if the file is determined to be malicious?

Yes. The service continues to analyze the file in the cloud even after the download to the recipient is complete. Once the analysis is complete, the verdict will be logged at the firewall and a full analysis report will be posted to the Capture portal. The admin can set up email alerts to be notified when a verdict is received and logged by the firewall.

Where can I download the Capture ATP Feature Guide?

https://documents.software.dell.com/sonicos/6.2.6.0/capture-atp-feature-guide/?ParentProduct=633

Tech Talk

How does a SonicWALL firewall with the Capture Service block a malicious file?

With the Capture service active and the block until verdict feature enabled, when a user downloads a file, the firewall transmits the file to the user and also mirrors files to the Capture cloud service. The firewall withholds the last few bits from file transmission until the service returns a verdict. If a good verdict is returned (or a good verdict for the file is stored in the firewall from a prior download and analysis), the firewall releases the final bits and the file download to the recipient completes. If a malicious verdict is returned, the bits are dropped, and the file download to the recipient fails.

If the firewall does not receive a prompt verdict for the file from the Capture service, the download will likely time out and the recipient will need to retry the download. The time to return the verdict will be relatively fast, seconds or less, if the Capture service static pre-filters can determine a verdict. If the pre-filters cannot determine a verdict, the file is submitted to the sandboxes for execution and analysis, and it can take a minute or more to determine a verdict.

To avoid delays downloading files, the Capture block until verdict feature can be disabled by the firewall admin. In this case, files are only blocked if a malicious verdict is promptly available. If not, the file download to the recipient will complete even if a verdict from the Capture service is still pending. When the verdict is returned to the firewall, an event is logged and the admin can be notified via a firewall alert email and can refer to the Capture file analysis report to determine information about the file download and respond to the incident as necessary.

Tech Talk

Will users be notified if a file they’re trying to download is being scanned for malicious content by the Capture sandbox?

Notifications depend on whether or not the file is being downloaded over HTTP/S, and whether full sandbox analysis is required.

For files downloaded over HTTP/S:

If the file is known as malicious, or a malicious verdict is quickly returned by the Capture pre-filter, the user will receive a block notification.

If the file is unknown and pre-filtering determines the need for full sandbox analysis, the download will likely time out, and the user will have to retry the download. If the verdict remains pending, the user will receive notification that the download is being scanned for malicious content.

For other protocols, Capture block-till-verdict is not available. For example, for SMTP traffic:

If a prompt verdict determines the file is malicious, the end of the email sequence is prevented from completing transmission and the recipient connection is reset. The sender response will be as configured on the gateway anti-virus settings page.

If a prompt verdict is not available, the email and file attachment are transmitted to the recipient. The file is analyzed by Capture and a verdict returned and logged at the firewall. The admin can be notified via a firewall alert email, and can refer to the Capture file analysis report to determine information about the file and respond to the incident as necessary.

CFS 4.0

Content Filtering Service 4.0: What’s New?

1. Block Page Override: password required to override blocked content

2. Policy-Level Block Page: personalize block page messaging per policy using CFS Action Objects

3. Wildcard Support: URL matching now accepts wildcards (*)

4. Confirm-Only: confirm before accessing designated URLs

5. Embedded URI Filtering: embedded URIs (i.e. Google Translate no longer bypasses blocked URLs)

6. SafeSearch Enforcement: enforce SafeSearch for Google and Bing

7. Youtube Restricted Mode: enforce Youtube’s Restricted Mode to only display Youtube’s curated videos

8. New Category: add Radicalization and Extremism category

Key Benefits 1/2

• New powerful controls: IT Admins can now more granularly define the learning experience:

– Temporary, password-restricted access with Block-page override (Passphrase)

– User acknowledgement: a confirm page can now be presented before user is granted access

– Throttle bandwidth: BWM (Bandwidth Management) objects can fine tune internet traffic

– Significantly enhanced granularity: virtually all settings are now configurable at the policy-level (vs global settings in CFS 3.0)

– Wildcard matching support and sub-domain lists allow for improved filtering within domains themselves.

• Improved compliance: the new ‘Radicalization and Extremism’ category gives the option to filter out web domains that are deemed dangerous by government agencies.

Key Benefits 2/2

• Safer Youtube experience: enforcing Youtube’s proprietary, parental-control ‘Restricted Mode’ empowers schools with a safer video learning experience

• Centralized Policy Management: by displaying a single WYSIWYG, priority-based policy view, IT Admins can now centrally visualize, predict and manage all policies better

Prioritized Policies

• Policies can now be visually managed from a central location

• Managed by priority link (#1 = highest priority)

– Unlike CFS 3.0 (least restrictive/most permissive)

• Best practice: set most specific (least generic) policies to highest priority

Features Requiring CFS License

In CFS 4.0 these features will only work if a Content Filtering Service license is active (CGSS or Content Filtering Service Premium):

– Restrict Web Features

– CFS Exclusion and Administrator Usage

– HTTPS filtering

– URI lists

– Consent form

Content Filtering Service: Main Page (Security Services > Content Filter)

Migrating from CFS 3.0

Policy Migration

This section explains the various steps that CFS 4.0 internally executes when upgrading to CFS 4.0 from a previous version.

• CFS 4.0 will do its best to automatically migrate policies from CFS 3.0

• CFS Policy migration components:

– Users and Zones mode

– App Rules mode

– Websense

• Best practice

– If upgrading firmware, manually check for potential inconsistencies/duplicate entries

– For better control/accuracy, remove the auto-generated policies and manually create them and link them to the auto-generated URI and Action objects

Policy Migration: Users and Zones

1. Migrates each old Policy

2. Migrates IP Address Range

3. Migrates from Group

4. Migrates from Zones

5. A default CFS Policy will be automatically created and appended

Policy Migration from App Rules

1. For each App Rule whose Policy is CFS and Action is set to CFS/HTTP block page or BWM:

– Generate new Profile object

– Generate new Action object

– Generate a new Policy object

2. CFS 4.0 will attempt to replicate existing priorities

3. A default CFS policy will be appended

Global CFS Settings in CFS 4.0

CFS Custom Category

• A domain can now be easily added to up to 4 categories

• Note: e.g. aaa.com and www.aaa.com would be rated independently

Updated Global Settings

New switch to turn CFS on/off

Policy Objects – CFS Policy

• Policies remain in Security Services > Content Filter

• Link to easily navigate to/from Firewall > Content Filter Objects

• Highest priority policy listed atop

CFS Policies: Gluing All Together

Profile and Action Objects, as well as Users and Scheduling, are assigned to a Policy

Websense Settings UI

No adjustment needed when upgrading from CFS 3.0

CFS 3.0 vs 4.0: Use Case

Version | User | Groups | Policy | Order
CFS 3.0 | Coordinator | HR, Accounting | HR, Accounting | Most Permissive/Least Restrictive
CFS 4.0 | Coordinator | HR - Accounting | HR - Accounting | Set To Highest

Use Case: Policy Comparison

CFS 3.0:

• Two different policies: ‘Accounting’ and ‘HR’

• ‘Coordinator’ user belongs to two different groups, ‘HR’ and ‘Accounting’

CFS 4.0:

• Single Policy

• ‘Coordinator’ user now belongs to a single, combined group

CFS Objects (Demo)

Policy Structure in CFS 4.0 1/2

• ‘Users and Zones’ and ‘CFS App Rules’ have merged into Security Services > Content Filter

• CFS Object Design (Firewall > Content Filter Objects):

– URI Objects: Allowed/Forbidden lists; includes Keywords and Restrict Web Features from CFS 3.0

– Profile Objects: Defines URI lists and Category actions (block, allow, BWM, Confirm and Passphrase).

› SafeSearch, Youtube, Embedded URI filtering

– Action Objects: Granular configuration of the actions set in the profile

Policy Structure in CFS 4.0 2/2

• CFS Policies (Security Services > Content Filter):

– Defines packet matching conditions (source/destination zone, users/groups)

– Applies corresponding Profile and Action objects

– Centrally managed and sorted by priority atop

› Best practice: From most granular (top) to more generic policies (bottom)

• 1 Connection, 1 Policy

– A connection will no longer result in more than one policy

– In CFS 3.0, users belonging to multiple groups, each with a different policy, could cause predictability issues

– Users belonging to multiple groups now need to be added to a separate group and policy (set a higher priority)

URI List Objects: Assigned to Profile Objects

• URI Objects now support sub-domains

• Replaces ‘custom lists’ and ‘Keywords’

• Lists can be imported/exported

• Sub-domain support and wildcard matching, e.g. www.*.com

• URL list objects are later marked as allowed/forbidden in Profile objects

Profile Object - Settings

Allowed URL list: for URL whitelisting

Forbidden URL list: for URI blacklisting

Note: both lists have higher priority (verified earlier) than URI Categories

Allowed/Forbidden URL searching order: defines the matching priority

Operation for Forbidden URL: if a URI hits the Forbidden URI list, the operation can be either block, confirm or require passphrase.

Domain Category Actions/Operations:

• Allow: no URI restriction

• Block: standard HTML block page

• Passphrase: access only for a limited period of time (1-9999 minutes) if the user enters a valid password

• BWM: applies Bandwidth Management Objects to the category

• Confirm: presents an ‘advisory’ page before accessing web content

Operation: 1-click to set all categories to the selected Operation

Note: By default, categories 1 ~ 12 are blocked.
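The CFS 4.0 evaluation described in the use case above (one connection, one policy, chosen by priority) and on this Profile Object slide (Allowed list, then Forbidden list, then domain category, with wildcard URI matching), as an added example written for this page and not SonicOS code; the policies, groups, hostnames and category 3 are constructed, and the CFS 3.0 "most permissive" evaluator is a simplified reading of the slides used only to reproduce the Coordinator case.

```python
"""Model of CFS 4.0 request evaluation as described on the slides: a connection
matches exactly one policy (highest priority first) and that policy's Profile
object decides the operation in the order Allowed URL list, Forbidden URL list,
then domain category. A CFS 3.0 style 'most permissive of all matching policies'
evaluator is included only to reproduce the Coordinator/HR/Accounting use case.
Hypothetical data model written for this page; not SonicOS code."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Ranking used only by the CFS 3.0 evaluator (lower = more permissive).
PERMISSIVENESS = {"allow": 0, "bwm": 1, "confirm": 2, "passphrase": 3, "block": 4}


def uri_matches(pattern: str, host: str) -> bool:
    """URI list entry match: exact host, or '*' wildcard as in www.*.com.
    Hosts are rated independently (aaa.com does not cover www.aaa.com)."""
    return fnmatchcase(host.lower().rstrip("."), pattern.lower().rstrip("."))


@dataclass
class Profile:
    allowed: list            # Allowed URL list, checked first
    forbidden: list          # Forbidden URL list, checked second
    forbidden_op: str        # block, confirm or passphrase
    category_ops: dict       # category id -> allow/block/bwm/confirm/passphrase
    default_op: str = "allow"

    def decide(self, host: str, category: int):
        """Return (operation, reason) for one request: lists before categories."""
        if any(uri_matches(p, host) for p in self.allowed):
            return "allow", "Allowed URL list"
        if any(uri_matches(p, host) for p in self.forbidden):
            return self.forbidden_op, "Forbidden URL list"
        return self.category_ops.get(category, self.default_op), f"category {category}"


@dataclass
class Policy:
    name: str
    groups: frozenset        # user groups the policy applies to
    profile: Profile
    priority: int            # 1 = highest; the default policy is appended last


def cfs4_evaluate(policies, user_groups, url, category):
    """1 connection, 1 policy: the first policy by priority whose groups match."""
    host = urlsplit(url).hostname or ""
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.groups & frozenset(user_groups):
            op, reason = pol.profile.decide(host, category)
            return pol.name, op, reason
    return None, "allow", "no policy matched"


def cfs3_evaluate(policies, user_groups, url, category):
    """CFS 3.0 semantics per the slides: every matching policy applies and the most
    permissive result wins, which made multi-group users hard to predict."""
    host = urlsplit(url).hostname or ""
    ops = [p.profile.decide(host, category)[0]
           for p in policies if p.groups & frozenset(user_groups)]
    return min(ops, key=PERMISSIVENESS.get) if ops else "allow"


# Constructed demo data. Category 60 (Radicalization and Extremism) is from the
# slides; category 3 stands for one of the categories 1-12 blocked by default.
HR = Profile(allowed=["intranet.example.test"], forbidden=["www.*.test"],
             forbidden_op="confirm", category_ops={3: "block", 60: "block"})
ACCOUNTING = Profile(allowed=[], forbidden=[], forbidden_op="block",
                     category_ops={3: "bwm", 60: "block"})
COMBINED = Profile(allowed=[], forbidden=["www.*.test"], forbidden_op="passphrase",
                   category_ops={3: "confirm", 60: "block"})
DEFAULT = Profile(allowed=[], forbidden=[], forbidden_op="block",
                  category_ops={c: "block" for c in [*range(1, 13), 60]})

BASE_POLICIES = [
    Policy("HR", frozenset({"HR"}), HR, 2),
    Policy("Accounting", frozenset({"Accounting"}), ACCOUNTING, 3),
    Policy("Default", frozenset({"Everyone"}), DEFAULT, 99),
]
# CFS 4.0 best practice: a separate combined group with its own policy on top.
CFS4_POLICIES = [Policy("HR-Accounting", frozenset({"HR - Accounting"}), COMBINED, 1),
                 *BASE_POLICIES]
COORDINATOR_30 = ["HR", "Accounting", "Everyone"]
COORDINATOR_40 = ["HR - Accounting", "Everyone"]


def use_case():
    """Outcomes for the Coordinator user from the CFS 3.0 vs 4.0 use case."""
    url = "http://news.example.test/"
    return {
        "cfs3_most_permissive": cfs3_evaluate(BASE_POLICIES, COORDINATOR_30, url, 3),
        "cfs4_first_match_by_priority": cfs4_evaluate(BASE_POLICIES, COORDINATOR_30, url, 3),
        "cfs4_combined_group_on_top": cfs4_evaluate(CFS4_POLICIES, COORDINATOR_40, url, 3),
        "wildcard_forbidden_list": cfs4_evaluate(
            CFS4_POLICIES, COORDINATOR_40, "https://www.anything.test/x", 3),
        "allowed_list_beats_category": cfs4_evaluate(
            BASE_POLICIES, ["HR"], "http://intranet.example.test/", 60),
    }
```

Calling `use_case()` shows the 3.0 result collapsing to the most permissive policy (BWM) while 4.0 returns one deterministic policy per request.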

Domain Categories: Update

• New Category! 60: Radicalization and Extremism

• Internet Watch Foundation is added back

Profile Objects: Advanced Tab

Smart Filtering for Embedded URL: Filters embedded URIs when translated using Google Translate (https://translate.google.com)

Google Forced Safe Search: Google Safe Search enforcement does not require DPI-SSL

Enable Safe Search Enforcement: Safe Search enforcement for Yahoo.com, Lycos or Dogpile.com (does require DPI-SSL)

Youtube Restrict Mode: Enforces Youtube’s proprietary ‘parental controls’

All Advanced Tab settings, including SafeSearch are configured within policies

Profile Object: Consent

• The original consent settings have been moved into Profile-level settings

• Zones/AO/Users through different CFS Policies

Action Objects: Block

Main settings:

• Wipe Cookies: the cookies inside the HTTP request will be removed to protect privacy. (Can affect Safe Search enforcement except for Google/Bing)

• Enable Flow Reporting: UTM will send the HTTP/HTTPS to App Flow. For HTTPS requests, DPI-SSL needs to be active

Available tag/variables in Block page tab:

$$Reason$$: Displays confirmed reason (category or Forbidden URL List).

$$fw_interface$$: IP address of current interface

$$ClientIpAddr$$: IP address of the client

$$Policy$$: the CFS policy applied to the web request

Action Object configures the operation set in the Profile Object

Action Object: Passphrase Type

Enter Password: allows content access if user provides a given password

Mask Password: If enabled, requires re-entering password in Confirm Password

Active Time: allows content access for this time duration (up to 9999 minutes)

Passphrase In Action

After entering the correct password, user can access web content

Profile Object: Confirm Type

$$ConfirmLink$$: will display the “Continue” and “Close” links (must be used only once in HTML)

Confirm In Action

User is required to acknowledge web access to proceed

Action Object – BWM (Bandwidth Management)

Per Policy: The bandwidth limit is individually applied to each policy

e.g. two policies, each with an independent limit of 500kb/s: the total possible bandwidth across those two rules is 1000kb/s

Per Action: The bandwidth limit is shared across all policies to which it is applied

e.g. two policies share a BWM limit of 500kb/s, limiting the total bandwidth across both policies to 500kb/s

Designate Egress and Ingress BWM objects: go to Firewall Settings > BWM to configure them

Application Control

What is Application Control?

• Application Control provides a solution for setting policy rules for application signatures. Application Control policies include global App Control policies, and App Rules policies that are more targeted. SonicOS allows you to create certain types of App Control policies on the fly directly from the Dashboard > AppFlow Monitor page.

• As a set of application-specific policies, Application Control gives you granular control over network traffic on the level of users, email addresses, schedules, and IP-subnets. The primary functionality of this application-layer access control feature is to regulate Web browsing, file transfer, email, and email attachments.

• The ability to control application layer traffic in SonicOS is significantly enhanced with the ability to view real-time application traffic flows, and new ways to access the application signature database and to create application layer rules. SonicOS integrates application control with standard network control features for more powerful control over all network traffic.

Page 131

139

App Control Advanced

Page 132

140

App Control Advanced

Page 133

141

Enabling App Control

Page 134

142

Application Control Global Settings

• Used to enable Application Control

• Used to Configure or Reset App Control Settings

Page 135

143

Signature Library

From General … Specific

• Used to select and configure:

– Category

– Application

– Viewed by

Page 136

144

Configuring Application Control Policies

Application Control Policies can be configured:

1. At the Category level: all, or any subset within a category

2. For a specific Application: DocuSign

3. For a specific Signature: HTTPS Activity, ID XYZ

Page 137

145

Application Control Settings

Page 138

146

App Rules

Page 139

147

Enabling App Rules

Page 140

148

App Rules Action Objects

9 pre-defined actions

7 Preconfigured Action Objects

Page 141

149

Create a Match Object

Page 142

150

Create an App Rules Policy

Page 143

151

Lab: Block Facebook

• From the Firewall > Match Objects screen, click Add New Match Object

• In the Name field, type: is_facebook

• For the Match Object Type, select Application List

• For the Application Category, select SOCIAL-NETWORKING

• For the Application, select both the SOCIAL-NETWORKING Facebook options

• Click Add, then OK.

• From the Firewall > App Rules screen, click Enable App Rules

• Click the Add New Policy button

• In the Policy Name field, type: block_facebook

• For the Match Object category, select the is_facebook object

• For the Action Object Category, select Reset/Drop

• Click OK and test the policy
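The three policy scopes listed on the "Configuring Application Control Policies" slide and the lab's block_facebook policy, modelled as an added example (not SonicOS code). The flow classifications, the two Facebook application names behind the is_facebook match object and the signature ID are constructed for the demo; first-match evaluation order and an "Allow" default are assumptions, not documented SonicOS behaviour.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """A flow as classified by the signature database (constructed values)."""
    category: str
    application: str
    signature_id: int


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                          # e.g. "Reset/Drop", "BWM", "Log"
    category: Optional[str] = None       # scope 1: a whole category
    application: Optional[str] = None    # scope 2: one application
    signature_id: Optional[int] = None   # scope 3: one signature ID

    def matches(self, flow: Flow) -> bool:
        # Every scope field that is set must agree; an unset field matches anything.
        return all(want is None or want == got for want, got in (
            (self.category, flow.category),
            (self.application, flow.application),
            (self.signature_id, flow.signature_id)))


# Lab: match object is_facebook = Application List with both SOCIAL-NETWORKING
# Facebook entries, bound to the Reset/Drop action object.
IS_FACEBOOK = {"Facebook", "Facebook Apps"}  # constructed application names
POLICIES = [
    Policy("block_facebook", "Reset/Drop", "SOCIAL-NETWORKING", app)
    for app in sorted(IS_FACEBOOK)
] + [
    Policy("bwm_https_sig", "BWM", signature_id=4242),        # constructed ID
    Policy("log_social", "Log", category="SOCIAL-NETWORKING"),  # category scope
]


def decide(flow: Flow, policies=POLICIES) -> str:
    """Return the action of the first matching policy, or 'Allow' (assumed default)."""
    for p in policies:
        if p.matches(flow):
            return p.action
    return "Allow"


if __name__ == "__main__":
    print(decide(Flow("SOCIAL-NETWORKING", "Facebook", 1001)))  # Reset/Drop
    print(decide(Flow("SOCIAL-NETWORKING", "LinkedIn", 1002)))  # Log
    print(decide(Flow("BUSINESS", "DocuSign", 4242)))           # BWM
```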

Page 144

Exchange of experience

Page 145

How to differentiate?

Talk to the security expert – 25 years of experience