Fortinet Responds to NSS Labs Public Firewall Test

by Patrick Bedwell
April 12, 2011 at 10:22 am

UPDATED Apr 17 with new information

Today NSS Labs, an independent security testing organization, issued a report which states it found holes in five of six network firewalls. Fortinet was named as one of these firewalls, and we want to address some misperceptions around this report.

NSS Labs tested the FortiGate-3950B platform using equipment supplied by an NSS customer. We have been working with NSS Labs over the last two months to remediate the issues raised in the test. NSS Labs incorrectly states that Fortinet does not currently provide customers with protection against a TCP split handshake.

In fact, FortiGate platforms are not susceptible to split handshake attacks when AV and IPS engines are enabled. Approximately 85% of our customers implement our product using multiple security components within one appliance.  Not only does this test support our premise that relying on a single technology can be less effective, it also supports the need to aggregate multiple security functions in an easy to use, low TCO product to provide the best protection.

We have been protecting our customers from split handshake attacks since 2006, when Fortinet developed an IPS signature (TCP.Stealth.Activity) that blocks the malicious activity related to the split handshake. This signature continues to protect customers today. Fortinet is creating a new IPS signature (TCP.Split.Handshake) to explicitly block the split handshake stealth approach, which will be available to all customers next week. Customers can enable a single IPS signature if they are not currently running the IPS feature that is included in the FortiGate consolidated security platform. Fortinet is also creating a patch for our firewall module to address the TCP split handshake issue, and we expect it will be available by the end of next week.

We feel strongly that integrated protection from multiple layers of security technology is the best approach for blocking this issue, and customers that have IPS working with their firewall are better protected against a wider range of threats. The majority of our customers recognize the benefit of deploying integrated functions, and thus are using firewall and IPS, as well as other security features.

Overall, we believe that the true threat lies in the exploits that can be passed over the established connection, and not the ability to establish a split handshake itself. During internal testing our researchers found that the split handshake cannot be established when using FortiGate unified threat management functionality, and the attack cannot proceed.
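The post names the TCP split handshake without describing what an inspection engine would look for. The following Python is an added illustration, not Fortinet's code or the TCP.Stealth.Activity / TCP.Split.Handshake signatures, and it assumes the mechanism from the published description of the technique: instead of answering the client's SYN with SYN/ACK, the responder sends a SYN of its own (optionally preceded by a bare ACK), so the client completes a simultaneous open and the responder ends up as the side that effectively initiated the connection. The `Segment` type, flag constants and sample flows are all constructed for the example.

```python
"""Added illustration (not Fortinet's code or IPS signature): a minimal stateful
check that classifies a flow's opening segments and flags the split handshake
pattern, where the responder answers a SYN with its own SYN rather than SYN/ACK."""
from dataclasses import dataclass

SYN = 0x02  # TCP header flag bits
ACK = 0x10


@dataclass(frozen=True)
class Segment:
    src: str    # "ip:port" of the sender
    dst: str    # "ip:port" of the receiver
    flags: int  # bitwise OR of SYN / ACK


def check_handshake(segments):
    """Classify one flow's opening segments.

    Returns (verdict, reason). The first segment must be the initiator's bare SYN;
    the verdict is decided by the responder's first SYN-bearing reply, so a bare
    ACK sent before the responder's SYN (one published variant) is skipped over."""
    if not segments or segments[0].flags != SYN:
        return ("unknown", "flow does not start with a bare SYN")
    initiator, responder = segments[0].src, segments[0].dst
    for seg in segments[1:]:
        if seg.src != responder or seg.dst != initiator:
            continue
        if seg.flags == SYN | ACK:
            return ("normal", "responder answered with SYN/ACK")
        if seg.flags & SYN and not seg.flags & ACK:
            return ("split-handshake", "responder replied with SYN instead of SYN/ACK")
    return ("incomplete", "no SYN from the responder seen")


# Constructed sample flows; addresses come from the documentation ranges.
C, S = "192.0.2.10:40000", "198.51.100.5:80"
NORMAL_OPEN = [Segment(C, S, SYN), Segment(S, C, SYN | ACK), Segment(C, S, ACK)]
SPLIT_OPEN = [Segment(C, S, SYN), Segment(S, C, ACK), Segment(S, C, SYN),
              Segment(C, S, SYN | ACK), Segment(S, C, ACK)]

if __name__ == "__main__":
    for name, flow in (("normal", NORMAL_OPEN), ("split", SPLIT_OPEN)):
        print(name, check_handshake(flow))
```

The check only answers the direction question (who is really the initiator); it is the state a firewall needs so that policy is applied to the client's request rather than to a connection it believes the server opened. A production engine would key this state per 5-tuple and age it out with the session table.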

Summary:

  • We have been protecting customers for years with an existing IPS signature that blocks threats which could be passed along connections established via split handshake
  • A new IPS signature will be available next week to customers to prevent establishing a TCP split handshake
  • A firmware update for our firewall module for both FortiOS 4.0 MR2 and MR3 is in progress; we anticipate it being released by the end of next week

Author bio: Patrick Bedwell is Fortinet's vice president of product marketing.

In the Wake of Wikileaks: Protecting Against DoS

by Patrick Bedwell
December 17, 2010 at 10:20 am

The recent widespread DoS attacks directed at a number of sites in the wake of l’affaire Assange have prompted several of our customers to ask how Fortinet can help them reduce the effects of a DoS attack.

The news has been full of examples of how participants in the so-called “Operation Payback” were able to affect operations for some financial services companies and payment processors in the wake of the Wikileaks document drops.

Although it is difficult to prevent a widespread DoS or DDoS attack from affecting your network operations, each FortiGate platform includes the FortiGate DoS Sensor to reduce the effect of a DoS attack. The Sensor can detect 12 types of network anomalies, including syn_flood, port_scan, udp_flood and others that are common to DoS attacks. Network administrators can set thresholds to moderate spikes in traffic load caused by DoS attacks.
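To make the threshold idea concrete, here is an added Python illustration (not the DoS Sensor's code) of per-second counting for three of the anomaly names the post lists: syn_flood, udp_flood and port_scan. The threshold values, the packet tuple layout and the traffic sample are constructed for the example.

```python
"""Added illustration (not the FortiGate DoS Sensor): a per-second threshold
detector for syn_flood, udp_flood and port_scan over a list of packet records."""
from collections import defaultdict

# Constructed thresholds: an alert fires when a one-second count exceeds the value.
THRESHOLDS = {"syn_flood": 5, "udp_flood": 5, "port_scan": 4}


def detect_anomalies(packets, thresholds=THRESHOLDS):
    """packets: iterable of (second, src_ip, dst_ip, proto, dst_port, syn_flag).

    Per one-second window this counts:
      syn_flood  - TCP SYNs aimed at one destination
      udp_flood  - UDP datagrams aimed at one destination
      port_scan  - distinct destination ports probed by one source
    Returns a sorted list of (anomaly, key, second, count)."""
    syns = defaultdict(int)
    udps = defaultdict(int)
    ports = defaultdict(set)
    for sec, src, dst, proto, dport, syn in packets:
        if proto == "tcp" and syn:
            syns[(dst, sec)] += 1
            ports[(src, sec)].add(dport)
        elif proto == "udp":
            udps[(dst, sec)] += 1
    alerts = []
    for (dst, sec), n in syns.items():
        if n > thresholds["syn_flood"]:
            alerts.append(("syn_flood", dst, sec, n))
    for (dst, sec), n in udps.items():
        if n > thresholds["udp_flood"]:
            alerts.append(("udp_flood", dst, sec, n))
    for (src, sec), probed in ports.items():
        if len(probed) > thresholds["port_scan"]:
            alerts.append(("port_scan", src, sec, len(probed)))
    return sorted(alerts)


# Constructed traffic sample (documentation address ranges, no real hosts).
SAMPLE_TRAFFIC = (
    # second 0: six SYNs from six sources at the web server -> syn_flood
    [(0, f"203.0.113.{i}", "192.0.2.10", "tcp", 80, True) for i in range(1, 7)]
    # second 1: six UDP datagrams from one source at the DNS server -> udp_flood
    + [(1, "203.0.113.50", "192.0.2.53", "udp", 53, False)] * 6
    # second 2: one source probing five ports -> port_scan; the five SYNs sit at,
    # not above, the syn_flood threshold, so no flood alert for that second
    + [(2, "203.0.113.77", "192.0.2.10", "tcp", p, True) for p in (21, 22, 23, 25, 443)]
    # second 3: ordinary browsing, well under every threshold
    + [(3, "203.0.113.8", "192.0.2.10", "tcp", 443, True)] * 2
)

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_TRAFFIC):
        print(alert)
```

The sample shows why the thresholds are per anomaly type rather than one global rate: the port scan in second 2 is invisible to the SYN counter and is caught only by counting distinct ports per source. Tuning is the operator's job, which is the point the post makes about administrators setting thresholds against their own baseline traffic.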

As they say in medicine, prevention is often the best cure. The same is true for reducing the potential damage a DoS attack can cause any targeted system or domain. FortiGate platforms also enable you to implement a range of industry best practices that improve the overall health of the communal “bath water” we all share.

Fundamental to preventing DoS attacks is policy enforcement on both your network and client, to prevent the distribution of a botnet within your network. Additionally, blocking the communication between the command and control (C&C) server that manages the botnet and any compromised systems within your environment will reduce the threat, as will blocking botnet-generated traffic leaving your network.

Here are some industry best practices for reducing the DoS threat:

Ingress/egress filtering on the firewall
Ingress filtering can provide control over incoming traffic and protect the network from being attacked, and egress filtering can help contain botnet activity and keep it from affecting other areas. FortiGate platforms include ingress/egress filtering.

Antispam filtering
The vast majority of bots are distributed via email, making it essential to deploy antispam technologies to block the malware from making a beachhead in your network. FortiGate platforms include antispam filtering. FortiMail provides advanced messaging security, including antispam filtering.

Enforce security measures on all hosts
Having proper host protection is one of the most effective measures against the propagation of the malicious software that turns systems into bots. Endpoint protection can prevent the installation of malicious code on systems. Network Access Control (NAC) can also enforce system hygiene requirements before allowing a system to connect to the network. Fortinet offers FortiClient endpoint protection for PCs and notebooks, and FortiGate includes key NAC functionality.

Audit your network on a regular basis
Regular network audits and vulnerability scans provide essential data regarding systems and applications that may reside on your network without your knowledge, as well as systems that need patches. These audits and scans identify potential weaknesses in your network, giving you the information you need to plug those holes before the next attack. FortiAnalyzer, FortiScan and FortiGate platforms can perform vulnerability management scanning to increase your visibility of your network status.

Install IPS on your gateway
IPS can detect anomalous traffic, enabling you to block abnormal network activity and limit the damage from the attack. Implementing IPS at the edge of the network adds an essential layer of protection to the network. An integrated IPS/Firewall gateway reduces the complexity at the edge and provides a single management interface to deploy multiple layers of protection. FortiGate platforms include IPS functionality.

Author bio: Patrick Bedwell is Fortinet's vice president of product marketing.

Author bio: Rick Popko is a PR Manager at Fortinet, where he specializes in media relations. Prior to his career in public relations, Rick was a journalist at a number of Bay Area tech pubs including CNET, Maximum PC, DV, Streaming Media and Multimedia World.

The inside scoop on security certifications

by Langley Rock
April 29, 2010 at 8:02 am

People frequently ask me about certifications and what they all mean. Here at Fortinet, we realize that looking at marketing specs or documentation isn’t always enough when you’re looking for the ideal security solution. After all, just because it looks good on paper doesn’t mean it’s the right product for you, right? So, we invest a lot of time getting our firmware and hardware products certified on a regular basis.

This is why we know it’s important to invest in third-party certifications, and make it a regular part of our development and product release cycles. Offerings such as the consumer programs developed by ICSA, cryptographic module validations developed by NIST, and international security certifications adopted by NIAP are important to us and I hope I can explain why they should be important to you as well. It wouldn’t be possible to list them all, but I will provide a little more insight into why the ones I’ve just listed are notable – just to get you started.

Firstly, there are many security products on the market today. Some focus on specific functionality, like firewall or IPS; others like the FortiGate appliances provide an all-in-one solution. All vendors claim their products are the best at what they do, but often use proprietary terminology that can confuse you. Buyers then need help cutting through the buzzwords and getting to the point – does the product do what you need it to do?

Certifications help remove much of the mystery when comparing products by providing baseline requirements that are applied to all vendors, providing a better chance of comparing apples-to-apples. Combined with their unbiased assessments on how well the tested product functions, you’ll already be better off.  Who doesn’t want a product that has been independently tested and given a stamp of approval by an objective party?

Unfortunately, there is one challenge with sifting through the various certification programs. The requirements are often vastly different. You can’t just compare one program to another. This is why we actively certify our products in multiple labs and programs. Each of the offerings listed above has a specific focus and targets a particular market and it allows us to make the product that much better. Keep in mind that even though all are significantly important to us, you might find that some are more relevant to your needs than others.

Third-party consumer certification labs, like ICSA, design test requirements for specific types of security products.  They have programs specific to firewall security, antivirus protection and VPN technologies. When products are tested and certified in these programs, the lab makes sure that the product does what it says it does, what it needs to do and that the products can work together. This way, you can select a FortiGate appliance and put it on your network with other vendor gear and not worry about compatibility issues. ICSA also holds multiple ISO certifications and is active in government certifications so you can rest assured that they are adequately qualified to perform these services.

If you work in the IT department for a government agency, financial institution or an up-and-coming company and don’t want your intellectual property falling into the wrong hands, FIPS PUB 140-2 and its Cryptographic Module Validation Program might be enough for you. FIPS is often sought after when one wants to know that the product uses strong encryption, sound security practices for administration, and built-in self-tests to ensure consistently secure and reliable operation. Even the lowest level of FIPS is intended to make sure that the crypto used on the system can’t be bypassed by someone mischievous using downloadable hacking tools, a disgruntled customer, or someone snooping around for your trade secrets.

But in classified environments, you or your management team may need even more than ICSA and FIPS certifications. You might need evidence that the source code was written with security in mind, that the various hardware and internal software components actually work properly together, or even how effectively the vendor will support you after you buy the product. We can’t, of course, give you the source code and design specs, or give every customer a day-tour of our support and operations facilities. But we can get our products Common Criteria (or CC, if you prefer) certified. CC certifications are conducted by certified labs in over 20 countries world-wide and are mutually recognized. In other words, when a qualified lab in Canada has examined the product inside and out with a fine-tooth comb and the Communications Security Establishment Canada issues the report, it’s also valid for other regions such as the US, UK and Australia.

I could go on, mentioning all the specific products that have been certified and go into more exhaustive detail of each of the offerings I’ve already mentioned. But as programs are constantly evolving, I’d prefer to point you to the official sites so that this blog entry will always remain relevant. Also, I invite you to have a look at our marketing pages, press releases and speak to our sales teams. If there is a specific product or certification you’re interested in, or just want more information on these certifications, let us know.

Author bio: Langley Rock has been with Fortinet since 2006, with over 17 years combined IT and consulting experience in Network Architecture & Security, Systems Integration, and Project Management. He currently serves as Project Manager for Fortinet product certifications.

Antivirus: Are you covered?

by Jeff Crawford
April 5, 2010 at 10:47 am

When it comes to antivirus, how much coverage do you need? Everyone has different concerns when it comes to antivirus coverage. Some people want to circle the wagons and let very little into their networks, while others need some basic protection but prefer speed, speed and more speed. In this article I’ll discuss the new antivirus features in the FortiOS 4.0 MR2 for the FortiGate family and how your device can be configured for your preferred level of coverage versus performance.

Malware Lifecycles

All malware have a life cycle. Some are like shooting stars, blasting across the Internet infecting everything in their path and going out with a bang with the next signature update, leaving much news buzz in their wake. Others creep along, slowly infiltrating systems with their variants, keeping their name alive for months to years. Still others have gone the way of the dinosaurs and only live in memory, no longer spreading or able to spread on modern operating systems, aka the zoo viruses. In general it is the actively spreading viruses that users need to be concerned about, and they should use products providing coverage for these active malware.

Today viruses are still tracked using the Wild List, a vendor independent managed list of the most active viruses. This is used as a minimal benchmark for vendors, to ensure that customers are protected from the most actively reported threats. The viruses that slow down and eventually drop off of this list eventually find themselves on the list of zoo viruses and are rarely, if ever, seen in the wild again.

Under the Hood

Although there are many different vendors of antivirus products, most vendors use very similar techniques and need to deal with the same issues when trying to detect a virus. Most viruses are contained in a file of some sort, either self-executable or as part of a format where it can be executed by another host program (e.g. a macro virus embedded in a document). Roughly 80-85 percent of the effort when examining a file is decomposing the file into a usable form for signature scanning. Decomposing the file is the process of extracting or converting the data of that file to a form where the signature scanning routines can match any known viruses in its corresponding database. For example, an incoming file may be an archive file, such as a zip archive, containing an executable file. If the file is sent in an email it is often in an ASCII format called base64. The file needs to be converted back to binary for deeper examination. This in-depth decomposition of the file is very often required for the most sophisticated viruses and therefore the full file needs to be buffered.

Flow or stream based antivirus is one of the latest techniques being used by network based products for scanning. They have a high throughput and use state based engines to keep track of what they have scanned, but they do have some limitations that probably can’t be solved due to the format of certain types of files. For example, some archive formats cannot be streamed due to complexities in parts of their algorithms, so streaming scanners have difficulty with these files. Heavily encrypted files, packed executables and file infectors may be difficult to detect using these stream based methods since not all the data will be available to assist in decryption of the files. Viruses embedded in documents require more in-depth extraction routines which are probably not commonly used in stream based scanning. Some files, such as polymorphic or packed files, require emulation in order to extract the clear viral code from its encrypted cocoon. Without this level of decomposition the number of different detection signatures that would be required is staggering to imagine. It’s not all bad news however. Flow or stream based methods are quite effective and fast against certain types of malware such as static worms (executables that don’t change their binary composition when they spread), certain Trojans, spyware, adware and other more static malware. Stream methods are useful for large files too, having few file-size limits, but if you consider that most malware files are relatively small (so they can spread quickly), the only advantage would be on large archives of files (which are most likely manually created and infrequently spread).
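The two preceding paragraphs describe the decomposition chain (base64 mail body, zip archive, executable inside) and the trade-off a flow scanner makes by matching raw bytes as they arrive. The Python below is an added illustration, not the FortiOS antivirus engine: a buffered scanner that peels those layers before matching, beside a chunk-by-chunk scanner that carries an overlap across chunk boundaries but does no decoding or extraction. The signature database, the `Demo.*` names and the "infected" sample file are all constructed stand-ins.

```python
"""Added illustration (not the FortiOS antivirus engine): proxy-style buffered
scanning with decomposition versus flow-style scanning of raw chunks."""
import base64
import binascii
import io
import zipfile

# Constructed signature database: name -> byte pattern. Not real detections.
SIGNATURES = {
    "Demo.Worm.A": b"WORM-DEMO-PAYLOAD-0001",
    "Demo.Macro.B": b"MACRO-DEMO-PAYLOAD-0002",
}

# Constructed stand-in for an infected executable; "MZ" only mimics a PE header.
WORM_FILE = b"MZ\x90\x00 constructed-demo-binary ... WORM-DEMO-PAYLOAD-0001 ... end"


def _try_base64(data):
    """Return the decoded bytes if data is a MIME-style base64 body, else None."""
    compact = data.translate(None, b" \t\r\n")  # mail bodies are line-wrapped
    if len(compact) < 4 or len(compact) % 4:
        return None
    try:
        decoded = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded or None


def decompose(data, depth=0, max_depth=5):
    """Yield the data itself and every layer found inside it (base64 bodies decoded,
    zip members extracted), with a depth cap against deeply nested archives."""
    yield data
    if depth >= max_depth:
        return
    decoded = _try_base64(data)
    if decoded is not None:
        yield from decompose(decoded, depth + 1, max_depth)
        return
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                yield from decompose(zf.read(info), depth + 1, max_depth)


def scan_buffered(data, signatures=SIGNATURES):
    """Proxy-style scan: the whole file is buffered, decomposed, then matched."""
    return {name for layer in decompose(data)
            for name, pattern in signatures.items() if pattern in layer}


def scan_stream(chunks, signatures=SIGNATURES):
    """Flow-style scan: match raw bytes as chunks arrive, keeping an overlap so a
    pattern split across two chunks is still seen. No decoding or extraction."""
    found = set()
    overlap = max(len(p) for p in signatures.values()) - 1
    tail = b""
    for chunk in chunks:
        window = tail + chunk
        found.update(name for name, p in signatures.items() if p in window)
        tail = window[-overlap:] if overlap else b""
    return found


def split(data, size):
    """Cut data into fixed-size chunks, as a flow scanner sees a session."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def build_mail_attachment():
    """Constructed sample: the worm zipped as invoice.exe, then base64-encoded
    the way a mail client would carry it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", WORM_FILE)
    return base64.encodebytes(buf.getvalue())


if __name__ == "__main__":
    attachment = build_mail_attachment()
    print("buffered + decomposed:", scan_buffered(attachment))
    print("stream over attachment:", scan_stream(split(attachment, 16)))
    print("stream over plain worm:", scan_stream(split(WORM_FILE, 7)))
```

Run as written, the buffered scan reports the worm inside the mailed zip, the stream scan over the same attachment reports nothing (the pattern never appears in the clear in base64 text or a deflated archive), and the stream scan over the bare executable finds it even with the pattern straddling 7-byte chunks. That is the static-worm case the paragraph says flow scanning handles well, and the archive case it says it cannot.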

What Do You Need?

In this part of the article I’ll discuss the different coverage needs and how you can configure the latest FortiGate products to provide the appropriate level of protection and coverage. First I’ll discuss some of the different users and their basic needs.

  • The Need For Speed: Some users are not overly concerned about full coverage for every virus that ever existed. They just want the Internet as fast as they can get it. For these users basic protection against most malware that is actively spreading is normally sufficient. Many of these users will also use host based antivirus if they want more protection at the host but still keep high speed networking (e.g. ISPs need to provide certain levels of performance so they may augment protection with host based security bundles for their customers). I’ll call these “High Performance” Users.
  • On the Fence: Users in this category desire a bit more coverage but decent performance too. The malware coverage will go further back in history to malware that has lived over about the last year or so, but not go as far back as the ancient viruses of the 70s and 80s. I’ll call these “Cautious” Users.
  • Nothing is Getting In: These users don’t want any viruses, no matter how old, in their networks. These users may be willing to sacrifice a bit of performance for full detection of every malware that has ever existed. I’ll call these users “Guarded” Users.

First Things First, What’s in the Box?

In the next version of the FortiGate OS 4.2 there will be support (on some platforms) for larger antivirus databases and a new stream based antivirus scanning engine. The breakdown of the basic coverage types is as follows:

  • Normal
  • This setting contains signatures for the most currently active threats. These threats are actively spreading on the Internet in some form or another, e.g. via email, self-spreading worms, etc.
  • Extended
  • This setting extends the Normal setting to include signatures for recent but no longer active malware, such as viruses that may have been actively spreading within the past year but have significantly or completely died off.
  • Extreme
    • The extreme setting provides the largest coverage and includes coverage of nearly all malware detected by Fortinet including zoo viruses from ages past.
  • Flow
    • The flow antivirus operates independently from the above settings and is used as an alternative to the proxy based antivirus settings (normal, extended and extreme). It is a stream based scanning method in which the network session is inspected in chunks. Although fast, there are limitations with stream based scanning technology such that not all files can be fully decomposed in order to properly scan for a virus. Flow based scanning is however very fast and effective against static threats such as worms, Trojans, spyware and related malware. The flow based antivirus will cover a subsection of what the extreme setting detects.

These settings can be enabled on a per VDOM basis and used for all antivirus protection profiles within that VDOM. As a side note, users can override a specific protection profile setting using the CLI if desired.

High Performance Users

For High Performance users there is the option of using the Flow AV option, a stream based scanning engine, or the proxy based Normal setting. This can be set per VDOM via the CLI or GUI. Navigate to the UTM menu and select the Antivirus->Virus Database menu item. On this page you will be able to configure the database settings that will be used by default by the antivirus protection profiles.

The normal antivirus database, containing detection for the most active threats, is available on all FortiGate models. Flow AV will only be available on certain newer models such as the FGT-80C, and other mid/high end models.

Cautious Users

For cautious users it is recommended to use the Extended setting. This provides coverage for both older threats, up to about one year, as well as any malware that is actively spreading. Older threats were previously active malware that have essentially died off and are no longer being reported to our servers. Although some of these threats continue to spread in small areas, they are no longer widespread.

The extended database is available on many of the newer mid to high end FortiGate Products.

Guarded Users

For guarded users the extreme setting is the way to go. This gives the largest coverage to prevent both the newest threats from entering the network as well as preventing users from downloading some old archives of legacy malware. Users also have the option of enabling the full grayware detection to scan for programs that may not necessarily be threatening but cause annoyance, such as adware.

The extreme database will be available on many of the newer mid to high end FortiGate Products.

Conclusion

When looking for a product to protect your network, be wary of what various products are offering. You may be looking for speed, but know the benefits and limitations of the different types of technologies so you can choose what is best for your network. Although the data sheet may look impressive in regards to performance numbers, ask what kind of coverage you are really getting. At least ensure that you can get coverage for the Wild List and other active threats with whatever product you choose. I hope this article helps you decide the type of coverage you require in your network and what products suit your needs. May your networks remain infection free.

Author bio: Jeff Crawford has been with Fortinet for 10 years. As a former director of antivirus R&D he was involved in the design and development of the FortiOS antivirus engine and other security filtering modules. Jeff now fills a role as director of product management for FortiOS and several other product lines.