1
Please register the TZ 300 in your partner account!!!
SonicWALL Update
Jean-Marc Baumann
Regional Manager Switzerland / Austria
3
SonicWALL’s Future
• SonicWALL will be an independent company
• Day "One" is 1 November 2016
• The channel of distribution will stay the same
4
SonicWALL Selling Models
Classic Sell-out
- Offer Hardware and Services to your customer and sell it
- The customer is the owner
MSP
- Offer Managed Security Services to your customer
- Sell or lease the appliance to the customer
- Offer additional services which make you as a partner unique
- Manage renewals via Flexspend
- Use GMS to manage centrally
SECaaS
- Offer security solution on a monthly payment to the customer
- Combine this model with the MSP model
Unique selling model offer from one Vendor – DELL SonicWALL
5
SonicWALL News
• Price increase on 1 November 2016
• On Gen5 Services and Support (TZ215, NSA 220, NSA 2400, NSA 3500 etc.)
• Potential to upgrade to Gen 6
• Secure Upgrade Promo
• Renewal today
• The prices online are already higher
6
SonicWALL Partner Event
• 4 November 2016, 9 to 5
• GDI Gottlieb Duttweiler Institute, Langhaldenstrasse 21, 8803 Rüschlikon/Zürich
• Technical Update / Sales Infos
• Free participation
• Registration: http://peak16.dell.com/regional/switzerland.html
Dell - Restricted - Confidential
7
Dell SonicWALL Capture Advanced Threat Protection Service (Sandbox): Available Services, Trade-in and Total Secure
Product – Description
• Stand-alone SKU
– Capture Advanced Threat Protection Service (ATP) – Multi-engine threat analysis service detects and blocks unknown and zero-day threats at the gateway
• Bundled SKUs
– Advanced Gateway Security Suite (AGSS) – Includes Comprehensive Gateway Security Suite (CGSS) plus Capture ATP
– Total Secure – Advanced Edition – Includes appliance and Advanced Gateway Security Suite (AGSS)
– Secure Upgrade Plus – Advanced Edition – Includes appliance and 2 or 3 years of AGSS, heavily discounted for customers who would like to upgrade their Gen5 SonicWALL
8
Dell SonicWALL Capture Advanced Threat Protection Service (Sandbox): Available Services, Trade-in and Total Secure – examples
• Customer with existing Security Services (CGSS) requests Sandbox
– Sell a "Capture Advanced Threat Protection Service" to add Sandbox to the running security services
• Customer with existing Security Services (CGSS) needs a renewal
– Sell an Advanced Gateway Security Suite to get Sandbox functionality
• Customer has a Gen5 appliance (NSA 3500, NSA 2400)
– Sell a "Secure Upgrade Plus – Advanced Edition" to upgrade the customer to current hardware plus Sandbox
– The standard Secure Upgrade Plus is still available (no Sandbox)
Security at the highest level
Technical Training
Daniel Bühler
DPI-SSL
11
Research shows that IT administrators persist in disabling key firewall features in order to maintain network performance levels.
1/3 of all IT managers admitted to turning off firewall features or declining to enable certain security functions in an effort to increase the performance of their networks.
It is unfortunate that turning off important firewall features because of network performance concerns has started to become common practice.
Many organizations choose to turn off DPI because of the high demands it places on network resources.
DPI yields upwards of a 40% degradation of throughput.
An average of 75% or more performance degradation for DPI, anti-virus and application control when all are enabled.
Connected Security 360
Security: turn off DPI and other Firewall Functions
12
DPI Security Appliance Technology
1. Stateful Packet Inspection
– Packet Filtering
– Access Control Rules
– IPsec VPN
Deep Packet Inspection:
2. Intrusion Prevention – The front-line network defense against application attacks
3. Application Identification & Visualization – Can’t control what you can’t see
4. User Identification through Single Sign On (SSO) – Correlate network traffic with users
5. Application Control – Granular control (Allow Facebook, Block Social Gaming)
6. SSL Decryption – Don’t allow threats to tunnel through encrypted channels
7. Threat Prevention – Anti-X (Virus/Trojan/Malware)
8. SonicWALL Capture – Sandboxing
13
All of this is possible without sacrificing performance
14
Security Orientation – SPI vs. DPI
Deep Packet Inspection
Stateful Packet Inspection
15
Breaks the malware cycle
How does an NGFW secure the network?
Diagram of the malware cycle – sites: Compromised “Good” Site, Malware Hosting Site; stages: Page Visit, Malware Request, Exploit, Malware
Defenses applied along the cycle: SSL Decryption, URL Filtering, Intrusion Prevention, Network Anti-Virus, Cloud Anti-Virus, Botnet Filtering, Capture APT
16
Competitive architecture: packet assembly-based process
Differentiator -> Scalable Architecture
17
Dell SonicWALL architecture (RFDPI): packet reassembly-free process
Differentiator -> Scalable Architecture
U.S. Patents 7,310,815; 7,600,257; 7,738,380; 7,835,361
18
Understanding Firewall Performance
19
Firewall – Stateful (RFC 2544): 6 Gbps
Intrusion Prevention – Stateful + IPS: 2 Gbps
Anti-Malware – Stateful + AV: 1.1 Gbps
UTM or Full DPI – Stateful + AV + IPS: 800 Mbps
SSL Decryption – Stateful + AV + IPS + SSL: 500 Mbps
IMIX (Internet Mix) – Stateful: 1.6 Gbps (https://en.wikipedia.org/wiki/Internet_Mix)
21
Understanding Firewall Performance
                                              Dell SonicWALL NSA3600 | Vendor A Model X (F200D) | Vendor B Model Y (SG-210) | Vendor C Model Z (USG1100)
Price                                         ~3’995 $               | ~2’998 $                 | ~3’149 $                  | 2’750 $
Firewall – Stateful (RFC 2544)                3.4 Gbit/s             | 3.0 Gbit/s               | 11 Gbit/s                 | 6.0 Gbit/s
Intrusion Prevention – Stateful + IPS         1.1 Gbit/s             | 1.7 Gbit/s               | 2 Gbit/s                  | 550 Mbit/s
Anti-Malware – Stateful + AV                  600 Mbit/s             | 600 Mbit/s               | 500 Mbit/s                | 500 Mbit/s
UTM or Full DPI – Stateful + AV + IPS         500 Mbit/s             | 500 Mbit/s               | ?                         | ?
SSL Decryption – Stateful + AV + IPS + SSL    ?                      | ?                        | ?                         | 300 Mbit/s
IMIX (Internet Mix)                           ?                      | ?                        | ?                         | 900 Mbit/s
22
DPI – Deep Packet Inspection
• The DPI throughput shows the combined performance of all security features (GAV, IPS/IDS, Anti-Spyware, Content Filter etc.)
• Most vendors show the throughput only for the individual security features – for GAV, for IPS etc.
• But only the DPI performance is the right data for sizing a solution – if this information is not available, it is not certain that the chosen product can keep up with the internet bandwidth
Check whether the vendor shows the DPI throughput!
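The sizing rule above (size on the figure for the features you actually enable, and treat a missing DPI figure as unknown rather than falling back to the stateful number) as an added Python illustration; this is not SonicWALL code. The SLIDE_BOX values are the example numbers from the generic sizing slide above, the PARTIAL_BOX entry is a constructed competitor that publishes only per-feature figures, and the column names and the check_sizing function are assumptions made for this example.

```python
import re

# Throughput figures from the generic sizing slide above (example numbers, one box).
SLIDE_BOX = {
    "stateful": "6 Gbps",
    "ips": "2 Gbps",
    "av": "1.1 Gbps",
    "full_dpi": "800 Mbps",
    "dpi_ssl": "500 Mbps",
}
# Constructed competitor entry that, as the slide warns, leaves the DPI figures out.
PARTIAL_BOX = {"stateful": "11 Gbit/s", "ips": "2 Gbit/s", "av": "500 Mbit/s",
               "full_dpi": "?", "dpi_ssl": "?"}

UNIT_TO_MBPS = {"gbps": 1000.0, "gbit/s": 1000.0, "mbps": 1.0, "mbit/s": 1.0}


def parse_mbps(text):
    """'1.1 Gbit/s' -> 1100.0; '?' or anything unparseable -> None (unknown)."""
    m = re.fullmatch(r"\s*([\d.]+)\s*(gbps|gbit/s|mbps|mbit/s)\s*", text.lower())
    if not m:
        return None
    return float(m.group(1)) * UNIT_TO_MBPS[m.group(2)]


def sizing_column(features):
    """Pick the data-sheet column that reflects the feature set actually enabled."""
    if "ssl" in features:
        return "dpi_ssl"          # decrypt + full scan: the lowest figure on the sheet
    if {"av", "ips"} <= features:
        return "full_dpi"         # all security services on = the DPI throughput
    if "av" in features:
        return "av"
    if "ips" in features:
        return "ips"
    return "stateful"


def check_sizing(box, required_mbps, features):
    """Return (status, column, figure_mbps); status is 'ok', 'insufficient' or 'unknown'.

    'unknown' means the vendor does not publish the figure that matters: do not
    size on the stateful number in that case."""
    column = sizing_column(frozenset(features))
    figure = parse_mbps(box.get(column, "?"))
    if figure is None:
        return "unknown", column, None
    return ("ok" if figure >= required_mbps else "insufficient"), column, figure


if __name__ == "__main__":
    # A 600 Mbit/s internet line with GAV + IPS enabled, then additionally with DPI-SSL
    print(check_sizing(SLIDE_BOX, 600, {"av", "ips"}))
    print(check_sizing(SLIDE_BOX, 600, {"av", "ips", "ssl"}))
    print(check_sizing(PARTIAL_BOX, 600, {"av", "ips"}))
```

The point of the unknown status is that a competitor box with an impressive stateful number and no full-DPI figure cannot be ranked against one that publishes it; the comparison has to be made column by column.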
23
Why DPI SSL?
24
Increased usage of SSL encryption
http://searchengineland.com/google-starts-giving-ranking-boost-secure-httpsssl-sites-199446
http://siliconangle.com/blog/2014/05/20/the-internet-strikes-back-global-encrypted-ssl-traffic-booms/
https://www.sandvine.com/trends/global-internet-phenomena/
25
Market trend – SSL Inspection
• Google and industry driving https
• SSL/TLS drives inspection engine cycles, requiring larger devices or fail-open/whitelisting
• Malware easily tunneled or not inspected due to overhead required
• NGFW sales cycle and sizing need to account for this growing requirement –upsell
• Differentiator for SonicWALL due to price/performance
26
DPI-SSL Inspection
Organizations not inspecting SSL traffic are blind to as much as 2/3 of the traffic on the network.
As much as 65 percent of corporate network traffic is encrypted using SSL. (2015 Dell Security Threat Report)
HTTPS, SMTPS, NNTPS, LDAPS, FTPS, TelnetS, IMAPS, IRCS, and POPS — and regardless of the port
27
DPI-SSL Awareness & Threat Prevention
Picture this…
An end-user on your network uses their corporate-issued workstation to check their email. They access their private email account through their browser.
The user opens an email from an individual that they know and trust. Their friend has sent them a list of jokes in an attached PDF file. Looking for a good laugh, the user opens the attachment…
He wasn’t expecting to be accessing an infected file containing the ZeuS virus exploit, which in turn downloaded the latest mainstream form of ransomware…
28
DPI-SSL Awareness & Threat Prevention Cryptolocker
29
DPI-SSL Awareness & Threat Prevention
By leveraging patented RFDPI technology, the Dell SonicWALL is capable of decrypting and inspecting SSL traffic on the fly, without proxying, for malware, intrusions and data leakage, and applies application, URL and content control policies in order to protect against threats hidden within SSL-encrypted traffic.
Had the network been implemented with a Dell SonicWALL appliance capable of DPI-SSL, the encrypted traffic would have been inspected as it traversed the firewall. This includes access to third-party HTTPS websites such as Gmail. When the user attempted to download the infected file, the SonicWALL would have flagged the event, blocked the malicious content and alerted the user that the file was infected; the event would also be evident in the log data for network administrators.
30
Overview: Client / Server DPI-SSL
31
Overview: Client DPI-SSL
• Users behind the firewall (that is, on the LAN) have their SSL traffic inspected by the NGFW/UTM appliance
• Owner of the NGFW/UTM appliance does not own the certificate and the original private key of the web server which the user is visiting
• NGFW/UTM appliance acts as a local certificate authority for every website that is visited by the user from the LAN
32
How does client DPI-SSL work?
Client DPI-SSL: sequence of events
1. User makes an HTTPS request outside the network (https://mail.google.com)
2. Server (mail.google.com) sends back a certificate containing the server’s public key signed by a trusted certificate authority
3. The DPI-SSL module of the NGFW/UTM appliance rewrites the certificate by signing it with either the SonicWALL or a locally trusted certificate authority and sends it back to the LAN user
4. LAN user accepts the resigned certificate, and SSL negotiation can proceed between the LAN user and the NGFW/UTM appliance
5. At the same time, SSL negotiation between the NGFW/UTM appliance and the remote server (mail.google.com) takes place
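The five steps above as an added, runnable Python model; this is illustration code written for this page, not SonicWALL code. Certificates are plain dataclasses and the "signature" is an HMAC tag over the certificate body standing in for a real X.509 signature, so the flow runs offline without a TLS library. The CA names, key strings and the two client trust stores (a Windows store with the DPI-SSL CA imported, and a Firefox store without it, matching the browser slides later in this deck) are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    subject: str      # common name the browser compares against the requested host
    sans: tuple       # subject alternative names
    public_key: str   # constructed stand-in for the key material
    issuer: str       # name of the CA that signed it
    signature: str    # HMAC tag standing in for the X.509 signature


class CertificateAuthority:
    """Stand-in for a CA. A real CA signs with an asymmetric private key; this
    model signs and verifies with one secret so the example stays self-contained."""

    def __init__(self, name, secret):
        self.name = name
        self._secret = secret.encode()

    def _tbs(self, subject, sans, public_key):
        # "to be signed" bytes: everything the signature has to cover
        return "|".join([subject, ",".join(sans), public_key, self.name]).encode()

    def issue(self, subject, sans, public_key):
        tag = hmac.new(self._secret, self._tbs(subject, sans, public_key), hashlib.sha256).hexdigest()
        return Certificate(subject, tuple(sans), public_key, self.name, tag)

    def verify(self, cert):
        if cert.issuer != self.name:
            return False
        expected = hmac.new(self._secret, self._tbs(cert.subject, cert.sans, cert.public_key),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, cert.signature)


def trusted(cert, trust_store):
    """The check any TLS client makes: issuer present in my store and signature valid."""
    ca = trust_store.get(cert.issuer)
    return ca is not None and ca.verify(cert)


class DpiSslModule:
    """The NGFW/UTM appliance acting as a local CA for every visited site (step 3)."""

    def __init__(self, resign_ca, ca_database):
        self.resign_ca = resign_ca        # the SonicWALL or locally trusted CA used for re-signing
        self.ca_database = ca_database    # CAs the appliance itself trusts for the server leg
        self.own_key = "fw-key-0001"      # constructed: the appliance's own key pair

    def resign(self, server_cert):
        # Validate the real server certificate first: the appliance must not vouch for
        # a site whose certificate it could not authenticate itself.
        if not trusted(server_cert, self.ca_database):
            raise ValueError(f"server certificate for {server_cert.subject} failed validation")
        # Same subject and SANs, but the appliance's key, signed by the re-signing CA
        return self.resign_ca.issue(server_cert.subject, server_cert.sans, self.own_key)


def client_dpi_ssl_session(requested_host, server_cert, firewall, client_trust_store):
    """Runs steps 1-5 for one HTTPS request and reports what each side ends up with."""
    resigned = firewall.resign(server_cert)                          # step 3
    name_ok = requested_host == resigned.subject or requested_host in resigned.sans
    accepted = name_ok and trusted(resigned, client_trust_store)     # step 4
    return {
        "resigned_issuer": resigned.issuer,
        "client_accepts": accepted,   # False -> the browser's "site untrusted" warning
        "inspected": accepted,        # step 5: two TLS legs, cleartext visible in between
    }


# --- constructed sample PKI (no real keys or certificates) ---
PUBLIC_CA = CertificateAuthority("Public Root CA", "public-ca-secret")
FIREWALL_CA = CertificateAuthority("SonicWALL DPI-SSL CA", "firewall-ca-secret")
GMAIL_CERT = PUBLIC_CA.issue("mail.google.com", ["mail.google.com", "*.google.com"], "google-key")
FIREWALL = DpiSslModule(FIREWALL_CA, {PUBLIC_CA.name: PUBLIC_CA})

# Windows certificate store with the DPI-SSL CA imported (IE/Chrome) vs. Firefox's own store
WINDOWS_STORE = {PUBLIC_CA.name: PUBLIC_CA, FIREWALL_CA.name: FIREWALL_CA}
FIREFOX_STORE = {PUBLIC_CA.name: PUBLIC_CA}

if __name__ == "__main__":
    print(client_dpi_ssl_session("mail.google.com", GMAIL_CERT, FIREWALL, WINDOWS_STORE))
    print(client_dpi_ssl_session("mail.google.com", GMAIL_CERT, FIREWALL, FIREFOX_STORE))
```

Two things the model makes visible: the re-signed certificate keeps the original subject and SANs but carries the appliance's key and issuer, and a client whose trust store lacks the re-signing CA rejects it, which is exactly the per-browser trust-store problem the deployment slides deal with.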
33
Overview: Server DPI-SSL
• SSL sessions destined to the internal servers are inspected
• Owner of the NGFW/UTM appliance owns the certificate and the original private key of the web server which the user is visiting (thus, original certificate is imported into the appliance)
• The NGFW/UTM appliance serves the server’s original certificate to the visiting users and uses the server’s original private/public key pairs during SSL session negotiation
34
How does server DPI-SSL work?
Server DPI-SSL: sequence of events
1. User makes an HTTPS request from outside to the server on the internal network (https://forum.sonicwall.com)
2. The UTM appliance already has a copy of the server’s certificate along with the original private key
3. The DPI-SSL module of the NGFW/UTM appliance will send the user the original certificate, and SSL negotiation between the user and the UTM appliance takes place
4. At the same time, SSL negotiation between the NGFW/UTM appliance and the local internal server (forum.sonicwall.com) takes place
– Clear text from the NGFW/UTM to the internal server is optional (requires a NAT policy that changes the translated destination to HTTP/80)
35
High-level architecture
• DPI-SSL is not really a proxy
• Runs on data plane cores
• Can inspect inside all SSL sessions on all ports independently of the protocol (HTTPS, FTPS, LDAPS, SMTPS, POPS, IMAPS, NNTPS, TelnetS, IRCS)
– SSH support is in development
• Cleartext + SSL protocols are supported (that is, SMTP STARTTLS, explicit HTTPS proxy)
• Both encrypted and decrypted data are scanned
• Content can be scanned as well as injected (block pages)
• Services supported for client DPI-SSL: Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, App Rules, Content Filtering
• Services supported for server DPI-SSL: Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, App Rules
36
What are the industry limitations today?
• Processing power: key sizes, ciphers
• Knowledge of PKI, deployment pain
• Non-browser-based applications that leverage SSL (mobile, certain desktop apps)
• Distribution of certs in non-managed/trusted environments
• Connection count (memory allocation)
• Bypassing sites (whitelisting strategies)
37
DPI SSL Enhancements
38
Top News!!
39
DPI-SSL feature enablement update for the Gen6 NSA Series
There have been some questions related to enabling DPI-SSL by default on the Gen6 NSA series and just making it a feature available to customers at no charge. This will begin on April 1, 2016 as part of the SonicOS 6.2.5.1 release.
DPI-SSL Requirements/FAQ
• Which NSA models will be eligible to have DPI-SSL enabled beginning on April 1, 2016?
All Gen6 NSA firewalls – NSA 2600, 3600, 4600, 5600 and 6600 – registered on or after April 1, 2016 will be eligible to have DPI-SSL enabled as a feature on the appliance.
• What version of firmware should customers run on their NSA appliances in order to take advantage of DPI-SSL?
We highly recommend customers upgrade to SonicOS version 6.2.5.1 or later. SonicOS 6.2.5.1 was web posted on MSW on March 29, 2016 and is available to all customers with a valid support contract.
• How does the customer activate the DPI-SSL feature on the NSA appliance?
Once the firewall is running SonicOS 6.2.5.1 or later, on the License tab there will be a “Try” option for Deep Packet Inspection for SSL (DPI-SSL). Click on “Try” to activate the DPI-SSL perpetual license.
40
SonicOS 6.2.5 DPI SSL Enhancements
• CFS category-based exclusion/inclusion
• Increased default CA cert database
• Granular policies per CN/domain name
• Proxy environment support (exclusions)
• Subject alternate name support —*.google.com vs. youtube.com
• Dynamic Exclusions
• Management audit of default bypass behaviors
• Troubleshoot connection failures with one-click exclude
• Server certificate authentication (for exclusions and decryption)
• Default exemption database
• DPI-SSL session counter
• UI Enhancements
Increased Granularity
Easy to Use GUI
Enhanced Debugging
41
Refreshed GUI — left to right tabs
DPI SSL Capacity Statistics (Cur/Peak/Max)
42
CFS Category Exclusion/Inclusion
Health
Financial transactions
43
Management audit of default bypass behaviors
It’s your list, configurable too
Click to reject a built-in
44
Audit first default exclusion updates
Enforce audit first policy
Notification: New firmware upgrade with changes to default exclusions
45
Pop-up enrollments action
46
Per common name exclusion options
Multiple entries at once!
Domain name exemptions for CFS Category exclusion
Skip authentication failures for this domain
47
Troubleshoot connection failures
48
Always authenticate server
• Useful feature for security-minded customers
– Most firewalls leave a security hole for excluded connections
– Most firewalls cannot detect MITM attacks on excluded connections
– Prevents potential client exploits that can take advantage of known exclusion domains
• Authentication happens inline during the connection flow
– Separate knobs for decrypted and excluded connections
– Block connections that fail authentication
– Granular policy for exemptions to block-authentication-failures
49
DPI-SSL in WAN proxy environments
50
Subject alternate name support
• Common use case is to exclude youtube.com
• A single server certificate contains multiple domains
• Can exclude on any of the alternate domains as well
• No longer need to exclude *.google.com in order to exclude youtube.com
• Scan gmail.com, exclude docs.google.com
• Detect and block a possible exploit evasion method: using fake/excluded common names
‘Always authenticate server’ should be turned on
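An added Python illustration of the exclusion decision described on the last two slides: CN/domain exclusion entries with wildcards, SAN-aware matching versus the older CN-only matching, and the "Always authenticate server" knobs that turn an unauthenticated server presenting an excluded name into a block instead of a bypass. This is example code for this page, not SonicOS code: the appliance's exact matching rules are not on the slides, so the model matches an exclusion entry against the certificate's common name and, when SAN-aware, any of its alternative names, and it reduces server authentication to "is the issuer in the appliance's CA database". The certificates, issuer names and policy field names are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ServerCert:
    common_name: str
    sans: tuple     # subject alternative names
    issuer: str     # CA that signed the certificate


@dataclass(frozen=True)
class DpiSslPolicy:
    exclusions: tuple                            # CN/domain entries; "*" wildcard allowed
    trusted_issuers: frozenset                   # the appliance's CA certificate database
    san_aware: bool = True                       # SonicOS 6.2.5 SAN support; False = CN-only matching
    always_authenticate: bool = True             # "Always authenticate server"
    block_auth_failure_excluded: bool = True     # separate knobs for excluded ...
    block_auth_failure_decrypted: bool = True    # ... and decrypted connections
    skip_auth_failure_domains: tuple = ()        # per-CN "skip authentication failures"


def name_matches(entry, name):
    return fnmatchcase(name.lower(), entry.lower())


def matched_exclusion(cert, policy):
    """Return the exclusion entry that applies to this certificate, or None."""
    candidates = (cert.common_name,) + cert.sans if policy.san_aware else (cert.common_name,)
    for entry in policy.exclusions:
        if any(name_matches(entry, c) for c in candidates):
            return entry
    return None


def decide(cert, policy):
    """Return (action, reason) with action one of 'decrypt', 'bypass', 'block'."""
    exclusion = matched_exclusion(cert, policy)
    authenticated = cert.issuer in policy.trusted_issuers   # simplified chain validation
    skipped = any(name_matches(d, cert.common_name) for d in policy.skip_auth_failure_domains)
    if policy.always_authenticate and not authenticated and not skipped:
        if exclusion is not None and policy.block_auth_failure_excluded:
            return "block", f"unauthenticated server presenting excluded name {exclusion!r}"
        if exclusion is None and policy.block_auth_failure_decrypted:
            return "block", "unauthenticated server on a decrypted connection"
    if exclusion is not None:
        return "bypass", f"excluded by entry {exclusion!r}"
    return "decrypt", "no exclusion matched"


# --- constructed certificates; names mirror the slide's examples ---
TRUSTED = frozenset({"Public Root CA"})
YOUTUBE = ServerCert("*.google.com", ("*.google.com", "youtube.com", "*.youtube.com"), "Public Root CA")
GMAIL = ServerCert("mail.google.com", ("mail.google.com",), "Public Root CA")
DOCS = ServerCert("*.google.com", ("*.google.com", "docs.google.com"), "Public Root CA")
FAKE_YOUTUBE = ServerCert("youtube.com", ("youtube.com",), "Self-Signed")   # evasion attempt

NEW_POLICY = DpiSslPolicy(exclusions=("youtube.com", "docs.google.com"), trusted_issuers=TRUSTED)
OLD_POLICY = DpiSslPolicy(exclusions=("youtube.com",), trusted_issuers=TRUSTED, san_aware=False)
OLD_BROAD = DpiSslPolicy(exclusions=("*.google.com",), trusted_issuers=TRUSTED, san_aware=False)
NO_AUTH = DpiSslPolicy(exclusions=("youtube.com",), trusted_issuers=TRUSTED, always_authenticate=False)

if __name__ == "__main__":
    for label, cert, policy in [("youtube, SAN-aware", YOUTUBE, NEW_POLICY),
                                ("youtube, CN-only", YOUTUBE, OLD_POLICY),
                                ("gmail under *.google.com exclusion", GMAIL, OLD_BROAD),
                                ("fake youtube, auth on", FAKE_YOUTUBE, NEW_POLICY),
                                ("fake youtube, auth off", FAKE_YOUTUBE, NO_AUTH)]:
        print(label, "->", decide(cert, policy))
```

The OLD_BROAD case shows the collateral damage the SAN feature removes: with CN-only matching, excluding youtube.com forced a *.google.com entry, which also bypassed inspection of Gmail. The FAKE_YOUTUBE pair shows why the slide says to keep server authentication on: without it, anything that claims an excluded common name is waved through.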
51
Deploying DPI-SSL
52
Use caution when enabling; understand the impact on traffic
Enable SSL client inspection
53
Site untrusted
54
Site given trust exception
55
Different SSL site requires trust exception
56
Different browser/same site requires trust exception
57
Using the self-signed SonicWALL certificate
58
Manual install of DPI-SSL certificate
59
60
Trusted site certificate with no exceptions
61
Firefox challenges
• What about accessing HTTPS websites using Firefox?
• Chrome and Internet Explorer use the local certificate store for computer certificates, but not Firefox.
• We must import our certificate into Firefox’s trusted store for websites.
62
Manual install of DPI-SSL certificate for Firefox
63
Deploying via Active Directory Group Policy
64
Distribute certificate via Group Policy Management
65
Importing your domain’s CA and private root CA cert
• Import the public root CA certificate into the certificate store of SonicOS
– https://server/certsrv
– Import the certificate into the Dell SonicWALL, selecting “Import a CA certificate”
• Import the private root CA certificate for DPI-SSL
– Open MMC on the CA server and export it, making sure to select the “export the private key” checkbox
– Import the certificate into the Dell SonicWALL, selecting “Import a local end-user certificate with private key”
– Go to DPI-SSL > Client SSL and select this certificate for DPI-SSL
• Download DPI-SSL_Importing_CA_Certs_Technote.pdf: https://support.software.dell.com/download/downloads?id=5371893
66
Deploying via policy page (Guest Services)
67
Policy page without user authentication
• Guest Services allows you to configure a policy page for the users so that when users try to access the internet, the policy page is displayed, which they have to accept to be able to go online.
https://support.software.dell.com/sonicwall-nsa-series/kb/sw13857
68
What about Apple and Android devices?
69
What about Apple devices?
• With iPads and iPhones, email the certificate via an encrypted email (or email) as an attachment. Open the email and double click on the certificate, and the device will prompt through installing — very fast and easy.
• Redirect HTTP / HTTPS traffic to internal website that contains link to certificate for download.
• With Mac computers, install it through Applications>Utilities>Keychain Access.app>Certificates.
70
What about Android devices?
• Redirect HTTP / HTTPS traffic to internal website that contains link to certificate for download.
• Connect the phone to the PC where the certificate is stored. Copy the certificate to the root of Internal Storage. Go to the Settings > Security screen and install from SD card. https://support.software.dell.com/sonicwall-nsa-series/kb/sw14026
• Email the certificate via an encrypted email (or email) as an attachment. Open the email and double click on the certificate, and the device will prompt through installing — very fast and easy.
71
Browsers and certificate stores — recap
• In Windows, Internet Explorer, Chrome and Opera use the Microsoft certificate store, so the certificate can be applied manually
• Firefox (manual or via NSS tool)
• NSS Certutil (http://community.spiceworks.com/how_to/15158-firefox-trust-a-local-certificate-authority-for-all-users-and-computers)
• Google Chromebooks have the Google Admin Console to push the certificate
72
Helpful KB articles
• Summary of All: DPI-SSL KBs and DPI-SSL Video (SW13506)
• UTM: Distribute SonicWALL DPI-SSL CA certificate to web browsers (SW10767)
• UTM: Distributing the Default SonicWALL DPI-SSL CA certificate to client computers using Group Policy (SW9734). (Note: there is an error in this article: use Default Domain Policy, not Default Domain Controller Policy.)
• How to manage around DPI-SSL connection limits? (SW13469)
• UTM: How to Configure Client DPI-SSL (Video Tutorial and KB Article) (SW8364)
Capture ATP
74
SuperMassive 9200-9600
Introducing SonicWALL Capture Advanced Threat Protection Service
• Multi-engine sandbox detects more threats than single sandbox technology
• Broad file type analysis and operating system support
• Blocks until verdict at the gateway
• Rapid deployment of remediation signatures
• Reporting and alerts
Cloud service detects and blocks zero-day threats at the gateway
TZ500 – TZ600, NSA 2600 – 6600
75
Increase security effectiveness against 0-day threats
• Multi-engine advanced threat analysis detects more threats, can’t be evaded
– Virtualized sandbox
– Full system emulation
– Hypervisor level analysis
• Broad file type and OS environment analysis
– PE, MS Office, PDF, archives, JAR, APK
– Windows, Android and Mac OS
• Automated and manual file submission
– Secured sUDP transport
76
Increase security effectiveness against 0-day threats
Pre-processing:
Document pre-filtering
Multiple virus engines
Signature pre-filter
CloudAV pre-filter
PE file authenticode
Archive, Domain and more…..
80
Increase security effectiveness against 0-day threats
Hash created
Intelligence convergence
81
Increase security effectiveness against 0-day threats
Signature created
Intelligence convergence
82
Capture: user experience
83
What’s new?
84
Mysonicwall Alerts and Notifications plan
85
Instant email
86
Reporting
87
Viewing threat reports
To view a threat report, click on any row on the log table on the status page:
88
Viewing threat reports
The report format varies depending on whether a full analysis was performed or the judgment was based on preprocessing:
89
Viewing the threat report header
Colored banner:
• The colored banner is red for a malicious file, and blue for a clean file.
• The top entry displays the date and time that the file was submitted to Capture ATP for analysis.
• Below the date and time, a summary of the result is displayed.
Lower banner:
• The lower part of the banner contains the connection information.
• On the left is the IP address (IPv4) and port number of the connection source. This is the address from which the file was sent.
• In the middle is the firewall identified by its serial number or friendly name.
• On the right is the IP address (IPv4) and port number of the connection destination. This is the address to which the file is being sent.
90
Viewing threat reports
Preprocessor threat reports contain an Analysis Summary section on the left side, which summarizes the findings based on the four phases of analysis during preprocessing.
If the virus scanners detect known malware in the file, all virus names are listed in the content area of the report.
91
Viewing the threat report
Under the status boxes, the full analysis threat report displays multiple tables showing the results from each analysis engine.
The engines are designated by names from the Greek alphabet, such as Alpha, Beta, Gamma, etc.
Each row represents a separate environment, and indicates the operating system in which the engine was executed.
The overall score from the analysis in each environment is displayed in a highlighted box to the left of the operating system. The color of the box indicates whether the score triggered a malicious or non-malicious judgment:
The left side of the full analysis threat report displays a summary of the preprocessing results as an explanation of why live detonations were needed. The term live detonations is used to indicate that one or more analysis engines and multiple environments were used to analyze the file in the cloud servers.
92
FAQ: Sales and Tech What’s new?
93
Sales Tips and Tools
Is a 30-day free trial available for Capture?
Yes. SonicWALL firewall customers can go to the license management page on their firewall UI to select a 30-day free trial. (Note: trial requires SonicOS 6.2.6 or above, and is available to customers with a current support contract.)
Is Capture included with firewall purchase?
New Capture-available firewalls include a 30-day Capture service trial at no additional charge. (See list of Capture availability dates above.)
Is Capture available for NFR firewalls?
Capture is not included with NFR firewalls at this time. Capture NFR SKUs will be available October 1, 2016.
Can I upgrade my CGSS service to include Capture?
Yes. You can purchase the Advanced Gateway Security Service (AGSS) subscription that includes Capture and use the mysonicwall.com co-termination feature to credit the remaining CGSS balance to the AGSS subscription.
94
Tech Talk
When a file is sent to the Capture cloud service for analysis and a verdict is returned, is the verdict stored by the firewall?
Yes. The file hash and verdict are saved locally and also in the Capture cloud service database. The verdict is then available to all Capture subscribers via the Capture database.
How long is the file verdict retained by the firewall?
The firewall retains verdicts for 24 hours. The Capture cloud database retains the hashes and verdicts of all files analyzed, and uses that information to pre-filter all files sent to the Capture service.
If a file download completes while the verdict is still pending, will the admin be notified if the file is determined to be malicious?
Yes. The service continues to analyze the file in the cloud even after the download to the recipient is complete. Once the analysis is complete, the verdict will be logged at the firewall and a full analysis report will be posted to the Capture portal. The admin can set up email alerts to be notified when a verdict is received and logged by the firewall.
Where can I download the Capture ATP Feature Guide?
https://documents.software.dell.com/sonicos/6.2.6.0/capture-atp-feature-guide/?ParentProduct=633
95
Tech Talk
How does a SonicWALL firewall with the Capture Service block a malicious file?
With the Capture service active and the block until verdict feature enabled, when a user downloads a file, the firewall transmits the file to the user and also mirrors files to the Capture cloud service. The firewall withholds the last few bits from file transmission until the service returns a verdict. If a good verdict is returned (or a good verdict for the file is stored in the firewall from a prior download and analysis), the firewall releases the final bits and the file download to the recipient completes. If a malicious verdict is returned, the bits are dropped, and the file download to the recipient fails.
If the firewall does not receive a prompt verdict for the file from the Capture service, the download will likely timeout and the recipient will need to retry the download. The time to return the verdict will be relatively fast, seconds or less, if the Capture service static pre-filters can determine a verdict. If the pre-filters cannot determine a verdict, the file is submitted to the sandboxes for execution and analysis and it can take a minute or more to determine a verdict.
To avoid delays downloading files, the Capture block until verdict feature can be disabled by the firewall admin. In this case, files are only blocked if a malicious verdict is promptly available. If not, the file download to the recipient will complete even if a verdict from the Capture service is still pending. When the verdict is returned to the firewall, an event is logged and the admin can be notified via a firewall alert email and can refer to the Capture file analysis report to determine information about the file download and respond to the incident as necessary.
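The block-until-verdict mechanism in the three answers above, together with the 24-hour local verdict cache from the previous Tech Talk slide, as an added Python simulation; it is example code for this page, not SonicWALL code. Simulated time is passed in as `now` so the timeout, the retry against the cached verdict and the cache expiry can all be exercised offline. The Capture service is a toy stand-in (a hash pre-filter plus a fixed sandbox delay), the holdback size, client timeout and the three sample files are constructed, and the log entry names are this example's own.

```python
import hashlib
from dataclasses import dataclass, field

VERDICT_TTL_SECONDS = 24 * 3600   # the firewall retains verdicts for 24 hours (from the FAQ)
HOLDBACK_BYTES = 16               # constructed stand-in for the "last few bits" withheld


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CaptureService:
    """Toy stand-in for the Capture cloud: static pre-filter on the file hash, then a
    sandbox detonation that takes sandbox_seconds before a verdict exists."""

    def __init__(self, known_bad_hashes, sandbox_seconds, sandbox_verdicts):
        self.known_bad = set(known_bad_hashes)      # hash intelligence used by the pre-filter
        self.sandbox_seconds = sandbox_seconds
        self.sandbox_verdicts = sandbox_verdicts    # constructed: what detonation would conclude

    def analyze(self, sha256, now):
        """Return (verdict, ready_at): a pre-filter hit answers at once, otherwise only
        after detonation finishes."""
        if sha256 in self.known_bad:
            return "malicious", now
        return self.sandbox_verdicts.get(sha256, "clean"), now + self.sandbox_seconds


@dataclass
class Firewall:
    capture: CaptureService
    block_until_verdict: bool = True
    client_timeout: float = 60.0                # constructed: how long the client waits for the tail
    cache: dict = field(default_factory=dict)   # sha256 -> (verdict, ready_at)
    log: list = field(default_factory=list)

    def cached_verdict(self, sha256, now):
        """A verdict is usable once it has arrived and until it is 24 h old."""
        entry = self.cache.get(sha256)
        if entry and entry[1] <= now < entry[1] + VERDICT_TTL_SECONDS:
            return entry[0]
        return None

    def download(self, data, now=0.0):
        """Simulate one client download through the firewall at simulated time `now`."""
        sha256 = sha256_hex(data)
        entry = self.cache.get(sha256)
        if entry and now < entry[1] + VERDICT_TTL_SECONDS:
            verdict, ready_at = entry                              # known, or still pending
        else:
            verdict, ready_at = self.capture.analyze(sha256, now)  # file mirrored to the cloud
            self.cache[sha256] = (verdict, ready_at)
        wait = max(0.0, ready_at - now)
        partial = len(data) - HOLDBACK_BYTES                       # sent immediately, tail withheld
        if self.block_until_verdict:
            if wait > self.client_timeout:
                self.log.append(("verdict_logged_after_timeout", sha256, verdict))
                return {"outcome": "timeout", "delivered": partial, "verdict": verdict}
            if verdict == "malicious":
                self.log.append(("blocked", sha256))
                return {"outcome": "blocked", "delivered": partial, "verdict": verdict}
            return {"outcome": "completed", "delivered": len(data), "verdict": verdict}
        # Block-until-verdict disabled: only a prompt malicious verdict stops the file.
        if wait == 0.0 and verdict == "malicious":
            self.log.append(("blocked", sha256))
            return {"outcome": "blocked", "delivered": partial, "verdict": verdict}
        if wait > 0.0:
            self.log.append(("alert_when_verdict_arrives", sha256, verdict))
        return {"outcome": "completed", "delivered": len(data), "verdict": verdict}


# --- constructed sample files: the bytes are arbitrary, only their hashes matter ---
CLEAN_FILE = b"%PDF-1.4 constructed clean sample\n" * 4
MALWARE_FILE = b"MZ constructed known-bad sample\n" * 4
UNKNOWN_FILE = b"PK constructed never-seen sample\n" * 4
CAPTURE = CaptureService(
    known_bad_hashes={sha256_hex(MALWARE_FILE)},
    sandbox_seconds=90.0,
    sandbox_verdicts={sha256_hex(UNKNOWN_FILE): "malicious"},
)

if __name__ == "__main__":
    fw = Firewall(CAPTURE)
    print(fw.download(MALWARE_FILE))             # pre-filter hit: blocked at once
    print(fw.download(UNKNOWN_FILE, now=0.0))    # sandbox takes 90 s: client times out
    print(fw.download(UNKNOWN_FILE, now=120.0))  # retry: cached malicious verdict, blocked
```

With the feature disabled, the same unknown file completes and the firewall logs that an alert is due when the verdict arrives, which is the incident-response path the answer above describes.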
96
Tech Talk
Will users be notified if a file they’re trying to download is being scanned for malicious content by the Capture sandbox?
Notifications depend on whether or not the file is being downloaded over HTTP/S, and whether full sandbox analysis is required.
For files downloaded over HTTP/S:
If the file is known as malicious, or a malicious verdict is quickly returned by the Capture pre-filter, the user will receive a block notification.
If the file is unknown and pre-filtering determines the need for full sandbox analysis, the download will likely time out, and the user will have to retry the download. If the verdict remains pending, the user will receive notification that the download is being scanned for malicious content.
For other protocols, Capture block-till-verdict is not available. For example, for SMTP traffic:
If a prompt verdict determines the file is malicious, the end of the email sequence is prevented from completing transmission and the recipient connection is reset. The sender response will be as configured on the gateway anti-virus settings page.
If a prompt verdict is not available, the email and file attachment are transmitted to the recipient. The file is analyzed by Capture and a verdict returned and logged at the firewall. The admin can be notified via a firewall alert email, and can refer to the Capture file analysis report to determine information about the file and respond to the incident as necessary.
CFS 4.0
98
Content Filtering Service 4.0: What’s New?
1. Block Page Override – Password required to override blocked content
2. Policy-Level Block Page – Personalize block page messaging per policy using CFS Action Objects
3. Wildcard Support – URL matching now accepts wildcards (*)
4. Confirm-Only – Confirm before accessing designated URLs
5. Embedded URI Filtering – Embedded URIs (i.e. Google Translate) no longer bypass blocked URLs
6. SafeSearch Enforcement – Enforce SafeSearch for Google and Bing
7. YouTube Restricted Mode – Enforce YouTube’s Restricted Mode to only display YouTube’s curated videos
8. New Category – Add Radicalization and Extremism category
99
Key Benefits 1/2
• New powerful controls: IT admins can now define the learning experience more granularly:
– Temporary, password-restricted access with Block-page override (Passphrase)
– User acknowledgement: a confirm page can now be presented before the user is granted access
– Throttle bandwidth: BWM (Bandwidth Management) objects can fine-tune internet traffic
– Significantly enhanced granularity: virtually all settings are now configurable at the policy level (vs. global settings in CFS 3.0)
– Wildcard matching support and sub-domain lists allow for improved filtering within the domains themselves
• Improved compliance: the new ‘Radicalization and Extremism’ category gives the option to filter out web domains that are deemed dangerous by government agencies
100
Key Benefits 2/2
• Safer YouTube experience: enforcing YouTube’s proprietary, parental-control ‘Restricted Mode’ gives schools a safer video learning experience
• Centralized policy management: by displaying a single WYSIWYG, priority-based policy view, IT admins can now centrally visualize, predict and manage all policies
101
Prioritized Policies
• Policies can now be visually managed from a central location
• Managed by priority link (#1= highest priority)
– Unlike CFS 3.0 (least restrictive/most permissive)
• Best practice: set most specific (least generic) policies to highest priority
102
Features Requiring CFS License
In CFS 4.0 these features will only work if a Content Filtering Service license is active (CGSS or Content Filtering Service Premium):
– Restrict Web Features
– CFS Exclusion and Administrator Usage
– HTTPS filtering
– URI lists
– Consent form
103
Security Services Content Filter
Content Filtering Service: Main Page
104
Migrating from CFS 3.0
105
Policy Migration
This section explains the various steps that CFS 4.0 internally executes when upgrading to CFS 4.0 from a previous version.
• CFS 4.0 will do its best to automatically migrate policies from CFS 3.0
• CFS Policy migration components:
– Users and Zones mode
– App Rules mode
– Websense
• Best practice
– If upgrading firmware, manually check for potential inconsistencies/duplicate entries
– For better control/accuracy, remove the auto-generated policies and manually create them and link them to the auto-generated URI and Action objects
106
Policy Migration: Users and Zones
1. Migrates each old Policy
2. Migrates IP Address Range
3. Migrates from Group
4. Migrates from Zones
5. A default CFS Policy will be automatically created and appended
111
Policy Migration from App Rules
1. For each App Rule whose Policy is CFS and whose Action is set to CFS/HTTP block page or BWM:
– Generate new Profile object
– Generate new Action object
– Generate a new Policy object
2. CFS 4.0 will attempt to replicate existing priorities
3. A default CFS policy will be appended
115
Global CFS Settings in CFS 4.0
116
CFS Custom Category
• A domain can now be easily added to up to 4 categories
• Note: e.g. aaa.com and www.aaa.com would be rated independently
117
Updated Global Settings
New switch to turn CFS on/off
118
Policy Objects – CFS Policy
• Policies remain in Security Services Content Filter
• Link to easily navigate to/from Firewall Content Filter Objects
• Highest priority policy listed atop
119
CFS Policies: Gluing All Together
Profile and Action Objects, as well as Users and Scheduling, are assigned to a Policy
120
Websense Settings UI
No adjustment needed when upgrading from CFS 3.0
121
CFS 3.0 vs 4.0: Use Case
Version   User         Groups            Policy            Order
CFS 3.0   Coordinator  HR                HR                Most Permissive/Least Restrictive
                       Accounting        Accounting
CFS 4.0   Coordinator  HR - Accounting   HR - Accounting   Set To Highest
122
Use Case: Policy Comparison
CFS 3.0:
• Two different policies: ‘Accounting’ and ‘HR’
• ‘Coordinator’ user belongs to two different groups, ‘HR’ and ‘Accounting’
CFS 4.0:
• Single Policy
• ‘Coordinator’ user now belongs to a single, combined group
123
CFS Objects (Demo)
124
Policy Structure in CFS 4.0 1/2
• ‘Users and Zones’ and ‘CFS App Rules’ have merged into Security Services Content Filter
• CFS Object Design (Firewall Content Filter Objects):
– URI Objects: Allowed/Forbidden lists; includes Keywords and Restrict Web Features from CFS 3.0
– Profile Objects: Define URI lists and Category actions (block, allow, BWM, Confirm and Passphrase)
› SafeSearch, Youtube, Embedded URI filtering
– Action Objects: Granular configuration of the actions set in the profile
125
Policy Structure in CFS 4.0 2/2
• CFS Policies (Security Services Content Filter):
– Defines packet matching conditions (source/destination zone, users/groups)
– Applies corresponding Profile and Action objects
– Centrally managed and sorted by priority atop
› Best practice: From most granular (top) to more generic policies (bottom)
• 1 Connection, 1 Policy
– A connection will no longer result in more than one policy
– In CFS 3.0, users belonging to multiple groups, each with a different policy, could cause predictability issues
– Users belonging to multiple groups now need to be added to a separate group with its own policy (set to a higher priority)
126
URI List Objects: Assigned to Profile Objects
• URI Objects now support sub-domains
• Replaces ‘Custom Lists’ and ‘Keywords’
• Lists can be imported/exported
• Sub-domain support and wildcard matching, e.g. www.*.com
• URL list objects are later marked as allowed/forbidden in Profile objects
127
Profile Object - Settings
Allowed URL list: for URL whitelisting
Forbidden URL list: for URI blacklisting
Note: both lists have higher priority (verified earlier) than URI Categories
Allowed/Forbidden URL searching order: defines the matching priority between the two lists
Operation for Forbidden URL: if a URI hits the Forbidden URI list, the operation can be either block, confirm or require passphrase.
Domain Category Actions/Operations:
• Allow: no URI restriction
• Block: standard HTML block page
• Passphrase: access only for a limited period of time (1-9999 minutes) if the user enters a valid password
• BWM: applies Bandwidth Management Objects to the category
• Confirm: presents an ‘advisory’ page before accessing web content
Operation: 1-click to set all categories to the selected Operation
Note: By default, categories 1 ~ 12 are blocked.
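The CFS 3.0 vs 4.0 use case, the ‘1 Connection, 1 Policy’ rule and the Profile object matching order described above, modelled in Python as an added example (not SonicWALL code). Group names, hostnames and category 20 are constructed; the CFS 3.0 ‘most permissive wins’ merge is a simplified model of the behaviour the slides describe, and category 60 is the deck’s Radicalization and Extremism category.

```python
from collections import namedtuple
from dataclasses import dataclass
from fnmatch import fnmatch

RESTRICTIVENESS = {"allow": 0, "bwm": 1, "confirm": 2, "passphrase": 3, "block": 4}  # CFS 3.0 model only
Policy = namedtuple("Policy", "name groups profile")  # groups: set of group names this policy matches

def uri_matches(pattern: str, host: str) -> bool:
    """URI list entry match: exact host, any sub-domain of it, or a wildcard such as www.*.com."""
    pattern, host = pattern.lower(), host.lower()
    if "*" in pattern:
        return fnmatch(host, pattern)
    return host == pattern or host.endswith("." + pattern)

@dataclass
class Profile:
    allowed: list               # Allowed URL list (whitelist), checked before categories
    forbidden: list             # Forbidden URL list (blacklist), checked before categories
    forbidden_op: str           # operation for a Forbidden hit: block, confirm or passphrase
    categories: dict            # category id -> allow / block / bwm / confirm / passphrase
    allowed_first: bool = True  # Allowed/Forbidden URL searching order

def profile_action(p: Profile, host: str, category: int) -> str:
    """Resolve one request against a Profile: URL lists first, then the category action."""
    lists = [("allow", p.allowed), (p.forbidden_op, p.forbidden)]
    if not p.allowed_first:
        lists.reverse()
    for action, entries in lists:
        if any(uri_matches(e, host) for e in entries):
            return action
    return p.categories.get(category, "allow")  # categories not set in the profile default to allow here

def cfs4_resolve(policies, user_groups, host, category):
    """CFS 4.0: policies are priority-sorted; the first one matching the user's groups is the only one applied."""
    for pol in policies:
        if pol.groups & user_groups:
            return pol.name, profile_action(pol.profile, host, category)
    return None, "allow"

def cfs3_resolve(policies, user_groups, host, category):
    """CFS 3.0 model: every group policy the user matches applies and the most permissive result wins."""
    actions = [profile_action(p.profile, host, category) for p in policies if p.groups & user_groups]
    return min(actions, key=RESTRICTIVENESS.get, default="allow")

# Constructed sample configuration (not from the deck): category 20, hostnames and group names are made up.
HR = Profile(["intranet.example"], ["www.*.example"], "passphrase", {20: "block", 60: "block"})
ACCOUNTING = Profile([], [], "block", {20: "allow", 60: "block"})
COMBINED = Profile([], [], "block", {20: "confirm", 60: "block"})
POLICIES_30 = [Policy("hr", {"HR"}, HR), Policy("accounting", {"Accounting"}, ACCOUNTING)]
POLICIES_40 = [Policy("coordinators", {"HR - Accounting"}, COMBINED)] + POLICIES_30  # combined group at priority #1
```

In CFS 3.0 the Coordinator in both groups gets the Accounting ‘allow’ for category 20 because it is the most permissive result; in CFS 4.0 the same user belongs to the combined group and only the highest-priority policy applies.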
128
Domain Categories: Update
• New Category! 60: Radicalization and Extremism
• Internet Watch Foundation is added back
129
Profile Objects: Advanced Tab
Smart Filtering for Embedded URL: Filters embedded URIs when translated using Google Translate (https://translate.google.com)
Google Forced Safe Search: Google Safe Search enforcement does not require DPI-SSL
Enable Safe Search Enforcement: Safe Search enforcement for Yahoo.com, Lycos or Dogpile.com (requires DPI-SSL)
Youtube Restrict Mode: Enforces YouTube’s proprietary ‘parental controls’
All Advanced Tab settings, including SafeSearch, are configured within policies
130
Profile Object: Consent
• The original consent settings have been moved into Profile-level settings
• Zones/AO/Users through different CFS Policies
131
Action Objects: Block
Main settings:
• Wipe Cookies: The cookies inside the HTTP request will be removed to protect privacy. (Can affect Safe Search enforcement, except for Google/Bing)
• Enable Flow Reporting: UTM will send the HTTP/HTTPS requests to AppFlow. For HTTPS requests, DPI-SSL needs to be active
Available tags/variables in the Block Page tab:
$$Reason$$: Displays the confirmed reason (category or Forbidden URL List).
$$fw_interface$$: IP address of current interface
$$ClientIpAddr$$: IP address of the client
$$Policy$$: the CFS policy applied to the web request
Action Object configures the operation set in the Profile Object
132
Action Object: Passphrase Type
Enter Password: allows content access if user provides a given password
Mask Password: If enabled, requires re-entering the password in Confirm Password
Active Time: allows content access for this time duration (up to 9999 minutes)
133
Passphrase In Action
After entering the correct password, the user can access the web content
134
Profile Object: Confirm Type
$$ConfirmLink$$: displays the “Continue” and “Close” links (must be used only once in the HTML)
135
Confirm In Action
The user is required to acknowledge web access to proceed
136
Action Object – BWM (Bandwidth Management)
Per Policy: The bandwidth limit is applied individually to each policy
e.g.: two policies, each with an independent limit of 500kb/s; the total possible bandwidth between those two rules is 1000kb/s
Per Action: The bandwidth limit is shared across all policies to which it is applied
e.g.: two policies share a BWM limit of 500kb/s, limiting the total bandwidth between both policies to 500kb/s
Designate Egress and Ingress BWM objects: go to Firewall Settings > BWM to configure them
Application Control
138
What is Application Control?
• Application Control provides a solution for setting policy rules for application signatures. Application Control policies include global App Control policies, and App Rules policies that are more targeted. SonicOS allows you to create certain types of App Control policies on the fly directly from the Dashboard > AppFlow Monitor page.
• As a set of application-specific policies, Application Control gives you granular control over network traffic on the level of users, email addresses, schedules, and IP-subnets. The primary functionality of this application-layer access control feature is to regulate Web browsing, file transfer, email, and email attachments.
• The ability to control application layer traffic in SonicOS is significantly enhanced with the ability to view real-time application traffic flows, and new ways to access the application signature database and to create application layer rules. SonicOS integrates application control with standard network control features for more powerful control over all network traffic.
139
App Control Advanced
140
App Control Advanced
141
Enabling App Control
142
Application Control Global Settings
• Used to enable Application Control
• Used to Configure or Reset App Control Settings
143
Signature Library
From General … … Specific
• Used to select and configure:
– Category
– Application
– Viewed by
144
Configuring Application Control Policies
Application Control Policies can be configured:
1. At the Category level: All and any subsets within
2. For a Specific Application: DocuSign
3. For a Specific Signature: HTTPS Activity, ID XYZ
145
Application Control Settings
146
App Rules
147
Enabling App Rules
148
App Rules Action Objects
9 pre-defined actions
7 Preconfigured Action Objects
149
Create a Match Object
150
Create an App Rules Policy
151
Lab: Block Facebook
• From the Firewall > Match Objects screen, click Add New Match Object
• In the Name field type: is_facebook
• For the Match Object Type, select Application List
• For the Application Category, select SOCIAL-NETWORKING
• For the Application, select both SOCIAL-NETWORKING Facebook options
• Click Add, then OK
• From the Firewall > App Rules screen, click Enable App Rules
• Click the Add New Policy button
• In the Policy Name field type: block_facebook
• For the Match Object category, select the is_facebook object
• For the Action Object category, select Reset/Drop
• Click OK and test it
Exchange of Experience
How to differentiate?
Talk to the Security Expert – 25 Years of Experience