Manager of Marketing Communications at Cerdant, Inc.
June 6, 2017 • 0 likes • 653 views
SonicWALL Advanced Features
In this breakout session Cerdant's top engineers, Jeremiah Johnson and Jason Palm, demonstrated how to get the most out of your SonicWALL device by utilizing advanced features like Capture ATP and DPI-SSL.
2. Increased SSL/TLS Use
62%* of web traffic is encrypted
Cloud application usage has increased by 43% over the last year
Ransomware attack attempts have risen from 4 million (2015) to 638 million in 2016
Typically delivered via SSL/TLS
Uninspected and trusted backdoor into
4. How It Works
Encrypted traffic passes through the SonicWALL
Traffic is decrypted and sent on to its destination
This happens by utilizing a concept called “Man-in-the-middle”
A properly sized SonicWALL appliance, fully licensed (preferred Gen 6)
Pre-Deployment of the SonicWALL DPI-
A careful review of policies and legal
Time…I cannot tell a lie
Although settings are simple, deployment requires testing and
Cerdant suggests starting with a small test group
Cerdant also suggests having a test list of sites and/or applications that DPI-SSL could affect
6. …but does it work?
Test CFS via HTTPS
Check the certificate
10. Challenge: Zero Day
Explosion of unknown, zero day
266.5 million ransomware attempts in Q4
Hide in encrypted and unencrypted
7.3 trillion SSL/TLS connections 2016
Target multiple environments including mobile and connected
Designed to evade sandbox analysis
11. SonicWall Solution: Capture ATP
Advanced Threat Protection
Multi-engine cloud sandbox detects more threats than single sandbox
Full system emulation
Hypervisor level analysis
Broad file type analysis and operating system support
PE, MS Office, PDF, Archives, JAR, APK
Windows, Android, Mac OS
Can block until verdict at the gateway (HTTP/S only)
Rapid deployment of threat intelligence
Reporting and alerts
* What it is not…
1. What are the SSL applications/ports proxied by Client DPI-SSL?
The following applications are proxied by Client DPI-SSL: HTTPS, FTPS, LDAPS, SMTPS, POPS, IMAP, NNTPS, TelnetS, IRCS.
2. Will connections to custom SSL ports be proxied by Client DPI-SSL?
Yes. DPI-SSL examines SSL traffic regardless of the port number.
3. What versions of SSL/TLS protocol does Client DPI-SSL use when proxying SSL connections?
SSLv3, TLS 1.0 (SSLv31) and SSLv23.
4. What is the default SSL protocol version of the proxied connections negotiated by Client DPI-SSL?
By default, it is SSL 3.0. This can be changed in the diag page. If the default protocol (SSLv3) is selected, then connections to sites that only support TLS 1.0 and above will fail.
5. What is SSLv23?
SSLv23 is a method by which the SonicWall negotiates either SSLv3 or TLSv1, depending on what the server supports.
6. Is it possible to use a certificate other than the default DPI-SSL CA certificate?
Yes. An internal CA certificate with its private key must be imported into the SonicWall before it can be used in Client DPI-SSL for re-signing. Although the drop-down menu under Certificate re-signing Authority on the Client DPI-SSL page allows users to select any end-entity certificate imported into the SonicWall, an internal CA certificate is required to re-sign successfully.
7. Can I import a web server certificate obtained from a Public (or Private) CA for the purpose of DPI-SSL Client Inspection?
No, see above.
8. I have enabled Client DPI-SSL and now all my hosts in the network get browser errors when going to an HTTPS website.
When an SSL connection is attempted, Client DPI-SSL intercepts the traffic and presents a re-signed certificate to the browser. The issuer of that certificate is the Default SonicWall DPI-SSL CA Certificate, which must be trusted by the browser or any other application attempting SSL connections. To stop the browser warnings, import the Client DPI-SSL certificate into the browser's Certificate Store as a Trusted CA.
9. My SSL connections are being proxied by DPI-SSL. I am using the default Firewall DPI-SSL certificate. However, the connections to certain sites show a self-signed certificate. The Issued By and Issued To fields in the certificate show the FQDN of the site.
When a host behind the SonicWall tries to access an HTTPS website, SonicWall performs separate SSL handshakes with the website and with the host. During the SSL handshake between the SonicWall and the website, the website presents its certificate. If the CA of that certificate is not in the SonicWall's certificate store, SonicWall re-signs the certificate as a self-signed certificate. This self-signed certificate is not trusted by browsers, hence the certificate error. To avoid this error, manually import the missing (Root and/or Intermediate) CA certificates of the website into the SonicWall’s certificate store.
10. With DPI-SSL Client Inspection enabled, when browsing to certain sites, the page loads successfully but IE shows a yellow band with the error message "Internet Explorer has blocked this website from security certificate errors."
The webpage has a background script connecting over HTTPS to another site, and that site's CA certificates are not in the SonicWall certificate store. Import the CA certificates into the SonicWall certificate store.
11. Can DPI-SSL block sites with untrusted certificates?
Yes. Enable the option Block connections to sites with untrusted certificates in the diag page. This option is disabled by default.
12. Can Client DPI-SSL be excluded from proxying certain SSL traffic?
Yes. Administrators can configure exclusions based on IP addresses, ports, users or certificate Common Names (CN).
13. Can Client DPI-SSL intercept and proxy SSL traffic beginning with the StartTLS command?
Yes, it can. As long as the Client Hello packet is sent within the first 512 bytes (by default), it will be proxied. This can be changed in the diag page under the DPI-SSL section. The maximum value is 8191.
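As an added example (not Cerdant's or SonicWall's code), the following Python scans the client side of a TCP stream for the first TLS ClientHello record and reports whether it starts inside the Client Hello window from FAQ 13. The 512-byte default and 8191-byte maximum are the page's values; the assumption that the window counts bytes from the first client byte up to the start of the ClientHello record, and the STARTTLS sample bytes, are mine.

```python
# Added example: locate the TLS ClientHello in a client-to-server byte stream and
# check it against the DPI-SSL Client Hello window (FAQ 13). Not SonicWall code.

DEFAULT_CLIENT_HELLO_WINDOW = 512   # page: default window
MAX_CLIENT_HELLO_WINDOW = 8191      # page: maximum configurable value


def build_client_hello(random_bytes: bytes = b"\x11" * 32) -> bytes:
    """Build a minimal, syntactically valid TLS 1.2 ClientHello record.
    Constructed test data: fixed 'random', one cipher suite, no extensions."""
    assert len(random_bytes) == 32
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + random_bytes          # 32-byte client random (fixed here, not random)
        + b"\x00"               # empty session id
        + b"\x00\x02\x00\x2f"   # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"           # one compression method: null
        + b"\x00\x00"           # no extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def find_client_hello(stream: bytes):
    """Return the offset of the first TLS record carrying a ClientHello, or None.
    A record is accepted when the 5-byte record header (type 0x16, version 3.x)
    is followed by a handshake header of type 0x01 whose length fills the record."""
    for i in range(len(stream) - 8):
        if stream[i] != 0x16 or stream[i + 1] != 0x03 or stream[i + 2] > 0x04:
            continue
        record_len = int.from_bytes(stream[i + 3:i + 5], "big")
        if stream[i + 5] != 0x01:
            continue
        handshake_len = int.from_bytes(stream[i + 6:i + 9], "big")
        if handshake_len + 4 == record_len:
            return i
    return None


def would_be_proxied(stream: bytes, window: int = DEFAULT_CLIENT_HELLO_WINDOW) -> bool:
    """Assumption: DPI-SSL proxies the session if the ClientHello record begins
    before `window` client bytes have been sent; otherwise it passes unproxied."""
    offset = find_client_hello(stream)
    return offset is not None and offset < window


# Constructed sample: the client half of an SMTP session upgraded with STARTTLS.
SMTP_STARTTLS_CLIENT = b"EHLO mail.example.test\r\nSTARTTLS\r\n" + build_client_hello()
# Constructed sample: a long plaintext preamble pushes the ClientHello past 512 bytes.
LATE_STARTTLS_CLIENT = b"X" * 600 + build_client_hello()
# Constructed sample: plain HTTPS, where the ClientHello is the first thing sent.
DIRECT_HTTPS_CLIENT = build_client_hello()

if __name__ == "__main__":
    for name, s in [("smtp-starttls", SMTP_STARTTLS_CLIENT),
                    ("late-starttls", LATE_STARTTLS_CLIENT),
                    ("direct-https", DIRECT_HTTPS_CLIENT)]:
        print(name, "offset:", find_client_hello(s),
              "proxied@512:", would_be_proxied(s),
              "proxied@8191:", would_be_proxied(s, MAX_CLIENT_HELLO_WINDOW))
```

Run it against a client-to-server byte capture (for instance one exported from Packet Monitor) to see why a session with a long plaintext exchange before STARTTLS can fall outside the default window and end up unproxied, while raising the window in the diag page would catch it.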
14. How do I know whether Client DPI-SSL is intercepting and proxying SSL traffic?
On a host behind the SonicWall, click on the "lock" icon in the browser address bar and view the certificate information. If Client DPI-SSL has proxied the connection, the Issued By of the certificate will be the default or custom DPI-SSL CA certificate.
15. How do I see packets decrypted by DPI-SSL Client Inspection?
Decrypted packets can be captured in the Packet Monitor module of the SonicWall. Before starting the capture, enable the check box Monitor intermediate SSL decrypted traffic in the Advanced tab of Packet Monitor. The captured packets can be exported as Libpcap, HTML or text.
16. How do I warn users that DPI-SSL is being implemented on their SSL traffic?
SonicWall does not recommend any particular method, though the CFS Consent Page can be deployed for this purpose.
17. Can Client DPI-SSL proxy SSL traffic from GVC clients when the UTM appliance is configured in Route-All (Tunnel All) VPN mode?
SSL traffic of GVC and L2TP clients, when configured in Route-all (Tunnel All) mode, will be proxied by DPI-SSL.
18. How do I distribute the Client DPI-SSL CA certificate to different web browsers?
In MS Windows, the Internet Explorer, Chrome and Opera browsers share the system certificate store. When a CA certificate is imported as a Trusted Root CA into the Local Machine store or the Local User store, any certificate signed by that CA is trusted by these browsers. This can also be done using the Microsoft Certutil command-line utility with the following command:
certutil -addstore -f -enterprise -user root dpi-ssl.crt > NUL
The process can be automated via Group Policy and other such means. Refer to this KB article for a detailed description of the process using Group Policy:
UTM: Distributing the Default SonicWall DPI-SSL CA certificate to client computers using Group Policy
Here is a third-party blog on how to distribute the certificate as an exe file: How to distribute root certificates as exe files
Mozilla Firefox, on the other hand, has its own certificate store, and the CA certificate must be imported manually into this store. Alternatively, this can be done using the NSS Certutil utility with the following command:
certutil -A -n "CN=SonicWall Firewall DPI-SSL" -t C -d C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\hbbc3850.default -i dpi-ssl.crt
Note: The utilities cited here are third-party applications and are referred here only as one of possibly many solutions for automatic deployment of CA certificates. SonicWall is not responsible for the functioning, or non-functioning for that matter, of these utilities.
19. How do I distribute the Client DPI-SSL certificate to mobile devices?
Here is a third-party blog on how to distribute the certificate to mobile devices: Smooth root certificate deployment for mobile devices
20. How do I distribute the Client DPI-SSL certificate to non-browser apps?
Where the apps use the Local Machine certificate store for the Root CAs, importing it into the Local Machine store suffices. Where the app has its own certificate store, the CA certificate must be imported manually into that store.
21. What is the maximum number of SSL connections supported by DPI-SSL Client Inspection?The maximum number varies by the SonicWall appliance model. The following table lists the maximum proxied connections supported by each model:
Gen 6 (*requires firmware version 184.108.40.206 or later)
Product: Max concurrent DPI-SSL connections
SOHO: 100
TZ300: 250
TZ400: 250
TZ500: 250
TZ600: 250
NSA 2600: 1000
NSA 3600: 2000
NSA 4600: 3000
NSA 5600: 4000
NSA 6600: 6000
SM 9200: 8000
SM 9400: 10000
SM 9600: 12000
SM 9800: 48000 (24K per blade)
SM 10200: 48000 (24K per blade)
SM 10400: 96000 (24K per blade)
SM 10800: 192000 (24K per blade)

Gen 5 (*requires firmware version 220.127.116.11 or later)
Product: Max concurrent DPI-SSL connections
NSA 220/W: 100
NSA 240: 100
NSA 250: 100
NSA 2400: 250
NSA 3500: 250
NSA 4500: 350
NSA 5000: 1000
NSA E5500: 2000
NSA E6500: 3000
NSA E7500: 8000
NSA E8500: 8000

22. What happens when the device exceeds the maximum number of SSL connections?
The default behaviour is to allow traffic without DPI-SSL inspection. This can be changed in the diag page of the SonicWall by disabling the option Allow SSL without proxy when connection limit exceeded. With this option disabled, SSL connections will be dropped when the number of SSL connections exceeds the maximum.
23. Why is the first connection attempt to a website that is added in the Common Name (CN) Exclusion of Client DPI-SSL dropped?
When a client attempts a connection to a CN-excluded website for the first time, SonicWall performs the server-side SSL handshake; discovers from the Certificate message that the site is in the CN exclusion list; drops the connection, because the handshake was done with SonicWall as the client; and caches the IP address mapped to the certificate Common Name. On the second attempt to connect to the website, by way of an automatic or manual refresh, SonicWall "knows" from the first packet itself (TCP SYN) that the connection is to be exempted from DPI-SSL Client Inspection. This saves appliance resources by not having to do the server-side SSL handshake all over again.
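Added example (not SonicWall code): a toy Python model of the FAQ 23 sequence, in which the first connection to a CN-excluded site is dropped while its IP is cached, and the second connection is exempted at the SYN. The IP addresses and Common Names are constructed, and the model assumes exact CN matching.

```python
# Added example: model of the CN-exclusion behaviour described in FAQ 23.
# Not SonicWall code; CN matching is assumed to be exact.


class ClientDpiSslCnExclusion:
    """Keeps the CN exclusion list and the IP -> CN cache that FAQ 23 describes.
    The CN is only learned from the server's Certificate message, so the first
    connection to an excluded site costs a server-side handshake and a drop."""

    def __init__(self, excluded_cns):
        self.excluded_cns = set(excluded_cns)
        self.ip_to_cn = {}   # destination IP -> excluded CN, filled after first drop

    def on_client_syn(self, dst_ip: str) -> str:
        # From the TCP SYN alone the appliance can only consult the IP cache.
        return "bypass" if dst_ip in self.ip_to_cn else "intercept"

    def on_server_certificate(self, dst_ip: str, server_cn: str) -> str:
        # Reached only for intercepted sessions, after the server-side handshake.
        if server_cn in self.excluded_cns:
            self.ip_to_cn[dst_ip] = server_cn
            return "drop"
        return "proxy"


def simulate_connection(fw: ClientDpiSslCnExclusion, dst_ip: str, server_cn: str) -> str:
    """One client connection; returns what the client experiences."""
    if fw.on_client_syn(dst_ip) == "bypass":
        return "passed-through"          # exempted from DPI-SSL at the SYN
    if fw.on_server_certificate(dst_ip, server_cn) == "drop":
        return "dropped-and-cached"      # the failed first load from FAQ 23
    return "proxied"                     # normal Client DPI-SSL re-signing


def run_scenario():
    """Constructed scenario: two loads of an excluded site, then a non-excluded one."""
    fw = ClientDpiSslCnExclusion(excluded_cns=["bank.example.test"])
    return [
        simulate_connection(fw, "198.51.100.10", "bank.example.test"),   # first load
        simulate_connection(fw, "198.51.100.10", "bank.example.test"),   # refresh
        simulate_connection(fw, "203.0.113.7", "news.example.test"),     # not excluded
    ]


if __name__ == "__main__":
    print(run_scenario())   # ['dropped-and-cached', 'passed-through', 'proxied']
```

Because the cache is keyed on the destination IP, a test list of excluded sites (as the deployment slide suggests) should be loaded twice when validating a new exclusion: the first pass primes the cache, the second shows the steady-state behaviour.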
Good afternoon, I hope everyone is enjoying themselves and has found the conference to be informative. My name is Jason Palm, I’m a Network Security Engineer here at Cerdant.
I will be discussing one of SonicWALL’s newest services: Capture Advanced Threat Protection, or what we simply refer to as Capture. I’ll be giving an overview of how you can Capture More and Fear Less.
I know how much everyone loves PowerPoint slides. I promise to keep them to a minimum. I’ll follow the slides, which explain the service, with a quick “demo” of what Capture looks like running on a SonicWALL, and if we have time I’ll take any questions at the end.
This new service specifically addresses the challenge of dealing with Zero Day Threats. It is easier now more than ever to create malware that has never been seen before, thus bypassing traditional signature based detection. And since it is so easy, it is no problem for hackers to repackage their threats and launch them again once they have been detected and signatures created.
The rapid increase in Zero Day threats is also fueled by the profitability of ransomware. Ransomware-as-a-service is a real thing, making it very easy and affordable to launch successful ransomware campaigns.
Animation 1: According to the 2017 SonicWALL Annual Threat Report, the SonicWALL GRID Threat Network observed a mind-boggling increase in ransomware: from nearly 4 million attack attempts in 2015 to 638 million in 2016 (you can see here 266.5 million in the fourth quarter of last year alone).
Animation 2: As Jeremiah just discussed, the increase in SSL/TLS traffic is being leveraged by cyber criminals to deliver these malware variants. The decryption and inspection of that traffic is now a necessity. So, having a solution like SonicWALL that can incorporate decryption is a key component of dealing with these threats.
Animation 3: And we’re no longer dealing with just windows environments. Android is still a prime target and susceptible to multiple threats. We have to account for multiple operating systems.
Animation 4: A few years ago network sandboxes were a hot item in dealing with zero day threats. Those solutions have seen a serious decline in efficacy as new strains of malware are able to avoid sandbox analysis and detection, in most cases simply by recognizing they’re running in a virtual environment and then changing behavior accordingly.
The SonicWALL solution to this challenge is Capture ATP. Spoiler alert: it is awesome! It was named CRN's Network Security Product of the Year for 2016. It is a service that we here at Cerdant are recommending to all our customers and one that I feel is an absolute necessity. Jeremiah and I have actually been beta testing Capture for over a year, as soon as it was made available for beta testing, and were very involved in that process leading up to the product launch in August of 2016. I run this on my home SonicWALL and have been extremely impressed and happy with it; we run it at Cerdant’s office. From a deployment standpoint, for every new SonicWALL we deploy we recommend using this service.
So what is it?
Animation 1: First of all, it is a cloud-based service that extends the functionality of Generation 6 SonicWALLs. All that is needed to utilize this service is the proper firmware and a Capture license. This includes a multi-engine cloud sandbox. SonicWALL has incorporated technologies from VMRay and LastLine to build a virtualized sandbox, hypervisor-level analysis, and full-system emulation that resists evasion tactics. Since SonicWALL hosts this environment, it is scalable and will evolve; it is architected to dynamically add new malware analysis technologies as the threat landscape evolves.
Animation 2: It supports a broad range of file types as you can see here (Executables, Office, PDFs, Archives, JAR, and APK). It also has multiple OS support. This solves the problem of only having a single sandbox with a single OS, or trying to maintain multiple sandboxes.
Animation 3: Files are sent to this cloud environment for analysis. In order to prevent potentially malicious files from entering the network, those files can be held at the gateway until a verdict is determined on whether they are malicious or not. This is an easily configured setting, and once we get to the live demo you’ll have a chance to see that.
Animation 4: This service ties directly into the GRID Threat Network as part of SonicWALL’s existing ecosystem. When a file is identified as malicious, a signature is immediately available to firewalls with SonicWall Capture subscriptions to prevent follow-on attacks. As a Capture “subscriber” this is a huge advantage: you’re not only leveraging the cloud to analyze and render verdicts on files from your network, but you’re also taking advantage of what the Capture cloud sees from all Capture subscribers. In addition, the malware is submitted to the SonicWall Threat Intelligence Team for further analysis and inclusion, with threat information, into the Gateway Anti-Virus and IPS signature databases, which will be incorporated into those updates within 48 hours.
Animation 5: This service includes its own set of reports and alerts for quick notification of any malicious detections.
Animation 6: A quick word on what Capture ATP is not…
There is no affiliation with the Association of Tennis Professionals. It will improve your security, it will not improve your tennis game.
It is not useful for capturing Pokemon. This is one of our Analysts, Arvin, in front of our lab. Has anyone here spoken with Arvin before? One of the nicest guys you’ll ever meet. When we were doing our in-house training for Capture, the Pokemon Go craze was in full swing. We actually used this in one of our training slides. If you get a chance to tour the office after this and happen to see Arvin, be sure to ask him if he has had any luck Pokemon hunting lately.
Now that we know what Capture is, let’s look at how it is incorporated into the Gen 6 SonicWALLs by discussing the traffic flow.
Animations 1 & 2: First, traffic enters the network and is decrypted (once again, it is essential to utilize DPI-SSL if we want insight into all traffic).
Animation 3: Second, that traffic is then run through the SonicWALL’s existing security services. If policies are in place to prevent specific traffic, or if known malicious traffic is detected, it is dropped. Simple services like Content Filtering and Botnet filtering are still highly effective at preventing traffic from known havens of malware. From a deployment standpoint you’d be surprised how many conversations I have with new customers on the necessity of simple content filtering alone. A lot of admins don’t want the hassle or have been instructed not to cause disruption for users. The SonicWALL CFS engine actually has a web category for sites listed as “Malware”. I can’t think of too many good reasons to allow all your users to reach known Malware sites.
Animations 4, 5, & 6: At this point we’ve kept out the known bad, we allow the known good, and then we have files that are in that grey area as being “unknown”. These files are sent to the Capture cloud for analysis and judgement. Depending on your settings those files will either be delivered while being analyzed, or held at the gateway until a verdict is rendered and then delivered.
Now, let’s zoom in to see how file analysis is taking place in the Capture cloud by using some real data. Has anyone seen the movie 300? You know, the movie with the 300 Spartans, none of whom wear shirts and they look like the only thing they do is Crossfit all day every day. Interestingly enough, that is what Jeremiah looks like when he has his shirt off. The reason I know this is because every time he installs a Supermassive he rips his shirt off and runs around the office yelling “THIS IS CERDANT!”.
No seriously, this data was compiled from a single day sampling of 300 companies who are utilizing Capture.
1. So, in a single day these 300 companies sent a total of 28,800 files not known to the firewall to Capture for analysis. If you’re doing some quick math, that roughly averages 100 files per company.
2. 18,100 were unique and will go through the pre-filtering process before being sent to the sandbox.
3. So, if we’re saying 18,100 are unique, what happened to the other 10,700 files? Those were either already known to the Capture service or duplicates, and didn’t require further processing. The file verdict was returned to the firewall and the file blocked or released per policy. This is where the sharing of info in the Capture cloud comes into play. As files are analyzed in the cloud, hashes for those files are created and stored.
4. Now, of those unique files 15,450 were identified as good after further pre-filtering and allowed to pass through into the network. This includes comparison against a real-time list to see if anyone SW collaborates with knows about these files.
5. 130 were fairly new malware known by Capture pre-filter but not the firewall’s static-filters at the time of scan but will very soon.
6. After all pre-filtering, the remaining 2,520 were sent to the multi-engine sandbox for analysis. In the demo shortly we’ll see some details of what kind of analysis is going on. Of these files most were identified as good, and hashes were created and added to the database so they don’t have to be analyzed again (further adding to the pre-filtering base of information).
7. In this example, six were found to be never-before-seen malware (aka Zero Day Threats).
These six were a mixture of Trojans, ransomware (Locky) and other malware.
In near real-time, six hashes for the newly discovered malicious files were submitted to the Capture database and all other Capture ATP subscribers immediately protected from follow-on attacks. These files were also sent to the SonicWall GRID team to analyze and create signatures to be added to the GAV and IPS updates within 48 hours.
This leads to one of the biggest questions we get: what is the amount of data that is sent to the cloud, and how fast is the service? In short, the speed of cloud-based analysis is fast:
1. Two seconds was the median processing time per file.
2. 83% of files are analyzed with a verdict in under five seconds.
3. An average of 32.6 MB was uploaded for each organization; the equivalent of watching a 10-minute YouTube video.
4. To understand the plight of the 300, they will see 2,450 new malware variants in a year which is more than eight per network.
Ok, enough with the slides. Let’s get logged into a demo SonicWALL and take a look at the Capture settings and reports. Disclaimer: this is a demo box with extensive testing for Capture, so we’ll be seeing an inordinate amount of malicious files as opposed to a production box (I would hope).
First we’ll look at the settings. As you can see Capture is simply another menu item in the SonicWALL GUI. The service is basically Enable or Disable. As you can see here it ties directly into GAV. It is worth pointing out that an active GAV subscription is required for Capture to operate. It operates using the same specified protocols as GAV.
We have the ability to specify the file types to include for Capture analysis using a simple checkbox. We can customize file size restrictions as well as object and hash exclusions.
Of particular note is the custom blocking behavior. This is where we can enable the ability to “Block Until Verdict”, meaning that file downloads via HTTP/S will not be allowed to complete until a verdict has been rendered. In either case, if a malicious file is detected an alert email will be sent to the specified recipients.
With that in mind, let’s take a look at the status window to get an idea of what the real-time reporting entails. This is accessible via the SW GUI or via mysonicwall.com. This status window shows file scanning history for the past 30 days; by hovering over the bar graph for any given day we get the number of files scanned and the % of those that were malicious. As mentioned, this particular device shows a high number of malicious detections due to testing.
Below this we have some file information. You can immediately see which files were analyzed and determined either “clean” or “Malicious”. By clicking on an individual file we get specific information on that file.
Clean File 5/4 @ 10:2 AM
Malicious File 5/2 @ 9:00 AM – get.vbn
This new service is highly effective and extremely simple to deploy. SonicWALL has done an outstanding job of addressing a very serious problem with a solution that adds a lot of value to existing devices without the need for additional hardware.