<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
	<title>Fortinet Security Blog &#187; Fortinet</title>
	<atom:link href="http://blog.fortinet.com/tag/fortinet/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.fortinet.com</link>
	<description>Real Time Network Protection</description>
	<lastBuildDate>Fri, 27 Jan 2012 11:59:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.3</generator>
	<!-- podcast_generator="podPress/8.8" -->
		<copyright>&#xA9;Fortinet Product Marketing </copyright>
		<managingEditor>rpopko@fortinet.com (Fortinet Product Marketing)</managingEditor>
		<webMaster>rpopko@fortinet.com (Fortinet Product Marketing)</webMaster>
		<category>Fortinet Product Information</category>
		<ttl>1440</ttl>
		<itunes:keywords>forti-gate, anti-spam, anti-virus, fortigate</itunes:keywords>
		<itunes:subtitle>The latest news and information about Fortinet products and services for Real Time Network Protection.</itunes:subtitle>
		<itunes:summary>Fortinet is a leading provider of Unified Threat Management (UTM) network security solutions for enterprise and service provider environments. The Fortinet FortiCast delivers news, information, and tutorials about products, services, and industry trends. Fortinet's FortiGate product line and FortiGuard security subscription services provide an array of integrated network security functions including antivirus, firewall, virtual private networking, intrusion prevention (IPS), web filtering, antispam and traffic optimization. </itunes:summary>
		<itunes:author>Fortinet Product Marketing</itunes:author>
		<itunes:category text="Technology"/>
<itunes:category text="Technology">
  <itunes:category text="Tech News"/>
</itunes:category>
		<itunes:owner>
			<itunes:name>Fortinet Product Marketing</itunes:name>
			<itunes:email>rpopko@fortinet.com</itunes:email>
		</itunes:owner>
		<itunes:block>No</itunes:block>
		<itunes:explicit>no</itunes:explicit>
		<itunes:image href="http://blog.fortinet.com/wp-content/uploads/2009/01/forticast-300x300.jpg" />
		<image>
			<url>http://blog.fortinet.com/wp-content/uploads/2009/01/forticast-144x144.jpg</url>
			<title>Fortinet Security Blog</title>
			<link>http://blog.fortinet.com</link>
			<width>144</width>
			<height>144</height>
		</image>
		<item>
		<title>On Tests, Firewalls and Modern Threat Mitigation</title>
		<link>http://blog.fortinet.com/on-tests-firewalls-and-modern-threat-mitigation/</link>
		<comments>http://blog.fortinet.com/on-tests-firewalls-and-modern-threat-mitigation/#comments</comments>
		<pubDate>Tue, 12 Apr 2011 23:41:18 +0000</pubDate>
		<dc:creator>DManky</dc:creator>
				<category><![CDATA[Research]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[fortiguard labs]]></category>
		<category><![CDATA[Fortinet]]></category>
		<category><![CDATA[integrated security]]></category>
		<category><![CDATA[next generation firewall]]></category>
		<category><![CDATA[ngfw]]></category>
		<category><![CDATA[nss labs]]></category>
		<category><![CDATA[security testing]]></category>
		<category><![CDATA[threat mitigation]]></category>
		<category><![CDATA[UTM]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=2744</guid>
		<description><![CDATA[It’s a fact: Today’s threats have made the threats of yesterday a vision in the rear-view mirror, along with the security counterparts developed to tackle them. It’s also quite known that the legacy firewall is easily circumvented by modern threats. For example, botnets frequently communicate over common ports like HTTP to do their dirty work [...]]]></description>
			<content:encoded><![CDATA[<p>It’s a fact: Today’s threats have made the threats of yesterday a vision in the rear-view mirror, along with the security counterparts developed to tackle them. It’s also well known that the legacy firewall is easily circumvented by modern threats. For example, botnets frequently communicate over common ports like TCP port 80 (HTTP) to do their dirty work, sending stolen information and receiving tasks to carry out. One could therefore deduce that TCP port 80 is itself a security threat and that the strongest countermeasure would be to block it outright.</p>
<p>However, in today&#8217;s day and age, we need to observe threats on a deeper level for practical mitigation and several questions must be asked. What activity is occurring over that channel? Are there anomalies? What data is in transit? Is it malicious by nature or simply some text being delivered to the browser? What URL/Server is the data in transit from &#8212; have they been red flagged?</p>
<p>The list goes on, and these are the questions we face here in <a href="http://www.fortiguard.com/">FortiGuard Labs</a> on an hourly basis, having to react and push out dynamic threat definitions. You can get an idea of how often this happens with our latest <a href="http://www.fortiguard.com/report/roundup_04_08_2011.html#coverage">service report</a>.</p>
<p>To that end, there are many industry tests performed on a regular basis against particular security functions &#8212; firewall, antivirus, antispam, web filtering, intrusion prevention (IPS), and so forth, all of which rely on varying degrees of environments and configuration parameters.</p>
<p>Take, for example, the latest test made public today by NSS Labs (<a href="../fortinet-responds-to-nss-labs-public-firewall-test/">more about this here</a>) regarding TCP split handshakes. The lab ran a test in which, to get a pass, the *firewall* must be able to block a split handshake. That&#8217;s it. Other important parts of the environment, such as antivirus and intrusion prevention, were not taken into account. The critical questions I posed earlier are then negated, since antivirus and deep packet inspection were not enabled either. The problem is that this tests an outdated firewall concept. Many qualified research firms, from Gartner to IDC to Frost &amp; Sullivan, support an integrated security approach for enterprises, for many reasons. The main reason, of course, is that this is what customers require.</p>
<p>Before going further, it’s important to share a little detail about the split-handshake concept. The most common TCP handshake is the 3-way handshake (SYN, SYN-ACK, ACK). Less common is the simultaneous open, where both endpoints act as clients trying to reach each other: each performs an active OPEN and sends a SYN, and each answers the other&#8217;s SYN with a SYN-ACK before the connection is established. The split handshake combines the two. The server answers the client&#8217;s SYN not with a SYN-ACK but with a bare SYN of its own; the client&#8217;s stack treats this as a simultaneous open and replies with a SYN-ACK; the server then completes the exchange with a plain ACK. The connection comes up normally, but the SYN-ACK was sent by the client rather than the server, so any device that infers roles from the handshake sees the client-server direction reversed.</p>
<p>Therein lies the problem: inspection logic that assumes the SYN-ACK always comes from the server may be fooled. It should be noted, though, that the threats we see today traverse normal TCP connections established with a 3-way handshake and attack above layer 4 (transport), in particular at layer 7 (application). Stopping this particular split-handshake trick alone will not protect you against the vast majority of the real-world attack scenarios we observe in our labs.</p>
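<p>The three handshakes described above, traced packet by packet, as an added example that is not part of the original post. The Python below models only the SYN and ACK flags (no sequence numbers) on constructed traces, classifies which handshake a trace is, and shows what a tracker that only understands SYN / SYN-ACK / ACK concludes about which side is the client. Host names, function names and the traces are this example&#8217;s own.</p>

```python
"""Classify a TCP connection setup from its first packets.

Added example, not part of the original post. Only the SYN and ACK flags are
modelled (no sequence numbers); the traces at the bottom are constructed.
"""
from typing import FrozenSet, List, Tuple

Packet = Tuple[str, str, FrozenSet[str]]   # (src, dst, flags)

SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


def pkt(src: str, dst: str, *flags: str) -> Packet:
    return (src, dst, frozenset(flags))


def sent_by(packets: List[Packet], host: str) -> List[FrozenSet[str]]:
    """Flags of the packets sent by host, in order."""
    return [flags for src, _, flags in packets if src == host]


def classify_handshake(packets: List[Packet]) -> str:
    """Return 'three-way', 'simultaneous-open', 'split' or 'unknown'.

    The initiator is whoever sent the first packet, i.e. the host that did
    the active OPEN first. The first two patterns follow RFC 793; the third
    is the split handshake: the responder answers the SYN with a bare SYN,
    the initiator falls into the simultaneous-open path and sends SYN-ACK,
    and the responder finishes with a plain ACK instead of its own SYN-ACK."""
    initiator, responder = packets[0][0], packets[0][1]
    i_flags, r_flags = sent_by(packets, initiator), sent_by(packets, responder)
    if i_flags == [SYN, ACK] and r_flags == [SYN_ACK]:
        return "three-way"
    if i_flags == [SYN, SYN_ACK] and r_flags == [SYN, SYN_ACK]:
        return "simultaneous-open"
    if i_flags == [SYN, SYN_ACK] and r_flags == [SYN, ACK]:
        return "split"
    return "unknown"


def naive_client(packets: List[Packet]) -> str:
    """What a tracker that only knows SYN / SYN-ACK / ACK concludes: the host
    that sends the first SYN-ACK is the server, so its peer is the client."""
    for _, dst, flags in packets:
        if flags == SYN_ACK:
            return dst
    return packets[0][0]


def roles_reversed(packets: List[Packet]) -> bool:
    """True when the naive tracker pins the client role on the wrong host."""
    return naive_client(packets) != packets[0][0]


def verdict(packets: List[Packet]) -> str:
    """What an IPS-style check does: drop a split handshake before the
    connection is established, let the other handshakes through."""
    return "block" if classify_handshake(packets) == "split" else "allow"


# Constructed traces: "c" is the inside client, "s" the outside server.
THREE_WAY = [pkt("c", "s", "SYN"), pkt("s", "c", "SYN", "ACK"), pkt("c", "s", "ACK")]
SIMULTANEOUS_OPEN = [pkt("c", "s", "SYN"), pkt("s", "c", "SYN"),
                     pkt("c", "s", "SYN", "ACK"), pkt("s", "c", "SYN", "ACK")]
SPLIT = [pkt("c", "s", "SYN"), pkt("s", "c", "SYN"),
         pkt("c", "s", "SYN", "ACK"), pkt("s", "c", "ACK")]

if __name__ == "__main__":
    for name, trace in (("3-way", THREE_WAY), ("simultaneous", SIMULTANEOUS_OPEN), ("split", SPLIT)):
        print(f"{name:13s} {classify_handshake(trace):18s} naive client={naive_client(trace)} "
              f"reversed={roles_reversed(trace)} verdict={verdict(trace)}")
```

<p>On the split trace the naive tracker reports the outside server as the client, which is exactly the role reversal that confuses inspection engines expecting requests to flow from the inside. A genuine simultaneous open also looks reversed to it, but that exchange has no meaningful client in the first place and is rare on the Internet; the practical check is the one in <code>classify_handshake</code>, which keys on the responder completing with a bare ACK after never having sent a SYN-ACK.</p>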
<p>In the particular case of the NSS test, FortiGuard Labs released an IPS signature to inspect and detect/block split-handshake traffic before a connection is established, dynamically available to all customers through Fortinet&#8217;s Distribution Network.  This is the same process we use to push out hot signatures on breaking threats such as software vulnerabilities and botnets &#8211; no downtime, no immediate firmware update required.  It&#8217;s a flexible, real-time approach to modern threats. We also apply this beyond IPS, from antivirus to web content filtering rating for the latest web sites serving malware. This is where UTM truly separates itself from both legacy and point product solutions. Any devices with IPS enabled now have the benefit of identifying split-handshake traffic, AND all other malicious traffic such as vulnerability exploitation or botnet communication.</p>
<p>As mentioned in our previous blog post, our development team has worked in parallel on a firmware fix purely for the firewall itself. As I said, though, fewer and fewer companies rely on a standalone firewall without multi-function protection, because integrated security remains the best approach for protecting against a wide range of threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/on-tests-firewalls-and-modern-threat-mitigation/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>[Video] Security Minute: September Edition looks at Zeus, the Twitter worm and &#8216;Here You Have&#8217;</title>
		<link>http://blog.fortinet.com/video-security-minute-september-edition-looks-at-zeus-the-twitter-worm-and-here-you-have/</link>
		<comments>http://blog.fortinet.com/video-security-minute-september-edition-looks-at-zeus-the-twitter-worm-and-here-you-have/#comments</comments>
		<pubDate>Thu, 30 Sep 2010 14:43:03 +0000</pubDate>
		<dc:creator>RPopko</dc:creator>
				<category><![CDATA[Research]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[derek manky]]></category>
		<category><![CDATA[Fortinet]]></category>
		<category><![CDATA[here you have virus]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[security minute]]></category>
		<category><![CDATA[Threat Landscape]]></category>
		<category><![CDATA[twitter worm]]></category>
		<category><![CDATA[vulnerabilities]]></category>
		<category><![CDATA[Zeus]]></category>
		<category><![CDATA[zeus trojan]]></category>
		<category><![CDATA[zitmo]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=1643</guid>
		<description><![CDATA[In the September edition of Security Minute with Fortinet, researcher Derek Manky talks about the most prevalent threats and threat trends plaguing the internet over the last 30 days, including the latest Twitter worm, Zeus and Zitmo, various software vulnerabilities, and the &#8220;Here You Have&#8221; virus.]]></description>
			<content:encoded><![CDATA[<p>In the September edition of Security Minute with Fortinet, researcher Derek Manky talks about the most prevalent threats and threat trends plaguing the internet over the last 30 days, including the latest Twitter worm, Zeus and Zitmo, various software vulnerabilities, and the &#8220;Here You Have&#8221; virus.</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="445" height="364" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/OjwO6SjXYDo?fs=1&amp;hl=en_US&amp;rel=0&amp;color1=0x3a3a3a&amp;color2=0x999999&amp;border=1" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="445" height="364" src="http://www.youtube.com/v/OjwO6SjXYDo?fs=1&amp;hl=en_US&amp;rel=0&amp;color1=0x3a3a3a&amp;color2=0x999999&amp;border=1" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/video-security-minute-september-edition-looks-at-zeus-the-twitter-worm-and-here-you-have/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twilight for Trend Micro’s Patent?</title>
		<link>http://blog.fortinet.com/twilight-for-trend-micro-patent/</link>
		<comments>http://blog.fortinet.com/twilight-for-trend-micro-patent/#comments</comments>
		<pubDate>Thu, 23 Sep 2010 16:30:18 +0000</pubDate>
		<dc:creator>PBedwell</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Fortinet]]></category>
		<category><![CDATA[open source]]></category>
		<category><![CDATA[patent]]></category>
		<category><![CDATA[patent infringement]]></category>
		<category><![CDATA[petition to re-examine]]></category>
		<category><![CDATA[trend micro]]></category>
		<category><![CDATA[uspto]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=1582</guid>
		<description><![CDATA[As a follow-up to my earlier blog post on the subject of Trend Micro&#8217;s history of patent aggression, there are a couple of recent developments worth noting: First, on September 16, the United States Patent and Trademark Office (US PTO) issued a formal order granting Fortinet&#8217;s petition to re-examine the validity of Trend Micro&#8217;s patent on antivirus functionality, [...]]]></description>
			<content:encoded><![CDATA[<p>As a follow-up to my <a href="http://blog.fortinet.com/driving-a-stake-into-security%e2%80%99s-innovation-vampire-exposing-the-invalidity-of-trend-micro%e2%80%99s-patent/">earlier blog post</a> on the subject of Trend Micro&#8217;s history of patent aggression, there are a couple of recent developments worth noting:</p>
<p>First, on September 16, the United States Patent and Trademark Office (US PTO) issued a <a href="http://www.fortinet.com/legaldocs/OrderGrantingReexam.pdf">formal order</a> granting Fortinet&#8217;s petition to re-examine the validity of Trend Micro&#8217;s patent on antivirus functionality, the 5,623,600 patent, stating that a “substantial new question of patentability” exists with respect to the patent based on prior art currently being considered by the US PTO.</p>
<p>Second, and most notably, a member of the open source community has recently <a href="http://portal.uspto.gov/external/portal/pair">filed a separate petition</a> (control number 90/011,022) with the US PTO to re-examine the same Trend Micro patent presenting even more evidence of the patent’s invalidity. This is significant because it validates Fortinet&#8217;s position and it shows the resolve and resourcefulness of the open source community to challenge invalid patents that are a menace to the community. Indeed, the open source community at large provided valuable <a href="http://www.groklaw.net/article.php?story=20100603011319457">assistance to Fortinet</a> in researching its challenge to Trend Micro&#8217;s aggressive patent approach. Members of the open source community also <a href="http://www.fsf.org/blogs/community/boycottTrendMicro.html">instituted a boycott</a> of Trend Micro&#8217;s products <a href="http://scriptumlibre.org/Boycott%20Trend%20Micro">in reaction</a> to Trend Micro&#8217;s aggressive assertion of its patent against an <a href="http://www.barracudanetworks.com/ns/news_and_events/index.php?nid=246">earlier victim</a>.</p>
<p>Trend Micro has proved to be both aggressive and clever at asserting patents while avoiding judgment day for its 600 patent, and clearly it will continue to try to use procedural tactics to avoid the approaching wooden stakes. But, if the recent developments at the US PTO are an indication, fairness and common sense may prevail after all.</p>
<p><i>Monitor these re-exams by watching the <a href="http://portal.uspto.gov/external/portal/pair">US PTO public web site</a>. Search for control number 90/009,801 or 90/011,022.</i></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/twilight-for-trend-micro-patent/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FortiGate-ONE featured as part of HP&#8217;s consolidated secure branch office at Interop [video]</title>
		<link>http://blog.fortinet.com/fortigate-one-featured-as-part-of-hp/</link>
		<comments>http://blog.fortinet.com/fortigate-one-featured-as-part-of-hp/#comments</comments>
		<pubDate>Wed, 12 May 2010 19:03:11 +0000</pubDate>
		<dc:creator>RPopko</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[UTM]]></category>
		<category><![CDATA[FortiGate]]></category>
		<category><![CDATA[fortigate-one]]></category>
		<category><![CDATA[Fortinet]]></category>
		<category><![CDATA[hp]]></category>
		<category><![CDATA[interop]]></category>
		<category><![CDATA[riverbed]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=1218</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p><object width="580" height="360"><param name="movie" value="http://www.youtube.com/v/jNbpxUIeBNw&#038;hl=en_US&#038;fs=1&#038;rel=0&#038;border=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/jNbpxUIeBNw&#038;hl=en_US&#038;fs=1&#038;rel=0&#038;border=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="580" height="360"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/fortigate-one-featured-as-part-of-hp/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Antivirus: Are you covered?</title>
		<link>http://blog.fortinet.com/antivirus-are-you-covered/</link>
		<comments>http://blog.fortinet.com/antivirus-are-you-covered/#comments</comments>
		<pubDate>Mon, 05 Apr 2010 17:47:42 +0000</pubDate>
		<dc:creator>JCrawford</dc:creator>
				<category><![CDATA[Inside FortiOS]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[UTM]]></category>
		<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[FortiGate]]></category>
		<category><![CDATA[Fortinet]]></category>
		<category><![CDATA[FortiOS]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=1113</guid>
		<description><![CDATA[When it comes to antivirus, how much coverage do you need? Everyone has different concerns when it comes to antivirus coverage. Some people want to circle the wagons and let very little into their networks, while others need some basic protection but prefer speed, speed and more speed. In this article I&#8217;ll discuss the new [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.fortinet.com/wp-content/uploads/2010/02/Inside-FortiOS_Blog_Logo-150px.gif"><img class="alignleft size-full wp-image-981" style="margin: 6px 8px;" title="Inside-FortiOS_Blog_Logo-150px" src="http://blog.fortinet.com/wp-content/uploads/2010/02/Inside-FortiOS_Blog_Logo-150px.gif" alt="Inside-FortiOS_Blog_Logo-150px" width="150" height="47" /></a>When it comes to antivirus, how much coverage do you need? Everyone has different concerns when it comes to antivirus coverage. Some people want to circle the wagons and let very little into their networks, while others need some basic protection but prefer speed, speed and more speed. In this article I&#8217;ll discuss the new antivirus features in the FortiOS 4.0 MR2 for the FortiGate family and how your device can be configured for your preferred level of coverage versus performance.</p>
<h3><strong>Malware Lifecycles</strong></h3>
<p><a href="http://agilewarrior.files.wordpress.com/2009/03/circlethewagons.jpg"><img class="alignright size-full wp-image-1116" title="circlethewagons" src="http://blog.fortinet.com/wp-content/uploads/2010/04/circlethewagons.jpg" alt="circlethewagons" width="288" height="181" /></a>All malware has a life cycle. Some are like shooting stars, blasting across the Internet infecting everything in their path and going out with a bang at the next signature update, leaving plenty of news buzz in their wake. Others creep along, slowly infiltrating systems with their variants, keeping their name alive for months or years. Still others have gone the way of the dinosaurs and live on only in memory, no longer spreading or able to spread on modern operating systems: the so-called zoo viruses. In general it is the actively spreading viruses that a user needs to be concerned about, and the products to use are those that provide coverage for this active malware.</p>
<p>Today viruses are still tracked using the Wild List, a vendor-independent, managed list of the most active viruses. It is used as a minimum benchmark for vendors, to ensure that customers are protected from the most actively reported threats. The viruses that slow down and eventually drop off this list end up on the list of zoo viruses and are rarely, if ever, seen in the wild again.</p>
<h3><strong>Under the Hood</strong></h3>
<p>Although there are many different vendors of antivirus products, most use very similar techniques and have to deal with the same issues when trying to detect a virus. Most viruses are contained in a file of some sort, either directly executable or in a format that another host program executes (such as a macro virus embedded in a document). Roughly 80-85 percent of the effort in examining a file goes into decomposing it into a form usable for signature scanning. Decomposing a file means extracting or converting its data into a form in which the signature-scanning routines can match any known virus in their database. For example, an incoming file may be an archive, such as a zip file, containing an executable. If the file was sent by email it is usually base64 encoded, an ASCII transfer encoding, and must be decoded back to binary before deeper examination. This in-depth decomposition is very often required for the most sophisticated viruses, and it means the full file has to be buffered before it can be scanned.</p>
<p>Flow or stream based antivirus is one of the latest techniques used by network based products for scanning. It has high throughput and uses state based engines to keep track of what has already been scanned, but it has limitations that probably cannot be solved, because of the format of certain types of files. For example, some archive formats cannot be streamed because of how their algorithms work (with zip, for instance, the central directory that describes the entries sits at the end of the file), so streaming scanners have difficulty with these files. Heavily encrypted files, packed executables and file infectors can be hard to detect with stream based methods, since not all of the data will be available to assist in decrypting the file. Viruses embedded in documents require more in-depth extraction routines, which are probably not commonly used in stream based scanning. Some files, such as polymorphic or packed files, require emulation to extract the clear viral code from its encrypted cocoon; without this level of decomposition the number of distinct detection signatures required is staggering to imagine. It&#8217;s not all bad news, however. Flow or stream based methods are quite effective and fast against certain types of malware such as static worms (executables that don&#8217;t change their binary composition when they spread), certain Trojans, spyware, adware and other more static malware. Stream methods are also useful for large files, having few file size limits, but if you consider that most malware files are relatively small (so they can spread quickly), the only advantage there is on large archives of files, which are most likely manually created and infrequently spread.</p>
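<p>To make the decomposition point concrete, here is an added example in Python; it is not Fortinet&#8217;s engine or any vendor&#8217;s code. A constructed sample file carrying a constructed signature string is zipped with DEFLATE and then base64-encoded, as an e-mail attachment would be. A proxy-style scanner buffers the whole object and unwraps each layer before matching; a flow-style scanner matches against chunks as they pass, with enough overlap that a pattern straddling a chunk boundary is still found, but never unwraps anything. The signature, file name, nesting limit and function names are assumptions made for this example.</p>

```python
"""Full-file decomposition versus chunked (flow) scanning.

Added example, not Fortinet's or any vendor's engine. The sample and its
signature are constructed; a real engine matches thousands of patterns and
many more container formats, but the shape of the problem is the same.
"""
import base64
import binascii
import io
import zipfile
from typing import Optional

# Constructed signature. It contains '{', '-' and '!' on purpose: those bytes
# can never occur in base64 output, so an undecoded attachment cannot match.
SIGNATURES = {"Test-Sig": b"SIG{constructed-test-pattern-not-real-malware}!"}
LONGEST = max(len(p) for p in SIGNATURES.values())
MAX_DEPTH = 8   # nesting limit (assumed); beyond it the object is treated as suspicious


def scan_bytes(data: bytes) -> Optional[str]:
    """Plain signature match over an already-decomposed buffer."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def try_base64(data: bytes) -> Optional[bytes]:
    """Decode a MIME-style base64 body (line breaks allowed); None if not base64."""
    compact = b"".join(data.split())
    if not compact or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def decompose_and_scan(data: bytes, depth: int = 0) -> Optional[str]:
    """Proxy-style scan: the whole object is buffered, each container layer is
    unwrapped, and every layer is matched. A zip needs its central directory,
    which sits at the end of the file, so the full archive must be present."""
    if depth > MAX_DEPTH:
        return "Nesting-Limit"
    hit = scan_bytes(data)
    if hit:
        return hit
    if data.startswith(b"PK\x03\x04"):          # zip local file header
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                hit = decompose_and_scan(zf.read(info), depth + 1)
                if hit:
                    return hit
        return None
    decoded = try_base64(data)
    if decoded is not None:
        return decompose_and_scan(decoded, depth + 1)
    return None


def stream_scan(data: bytes, chunk: int = 64) -> Optional[str]:
    """Flow-style scan: matches each chunk as it passes, carrying the last
    LONGEST-1 bytes forward so a pattern straddling a chunk boundary is still
    caught, but never decodes or extracts anything."""
    carry = b""
    for off in range(0, len(data), chunk):
        window = carry + data[off:off + chunk]
        hit = scan_bytes(window)
        if hit:
            return hit
        carry = window[-(LONGEST - 1):]
    return None


def build_sample():
    """Construct the input: a fake executable carrying the signature, zipped
    with DEFLATE, then base64-encoded the way an e-mail attachment is."""
    exe = b"MZ" + b"\x90" * 128 + SIGNATURES["Test-Sig"] + b"\x00" * 128
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", exe)
    return exe, buf.getvalue(), base64.encodebytes(buf.getvalue())


RAW_SAMPLE, ZIP_SAMPLE, EMAIL_BODY = build_sample()

if __name__ == "__main__":
    for label, blob in (("raw exe", RAW_SAMPLE), ("zip", ZIP_SAMPLE), ("base64 mail body", EMAIL_BODY)):
        print(f"{label:17s} full-file={decompose_and_scan(blob)!s:10s} flow={stream_scan(blob)}")
```

<p>Run as a script, the raw executable is caught by both scanners (that is the static-worm case the text describes), while the zipped and base64-wrapped copy is caught only by the full-file scanner, because the flow scanner sees DEFLATE output and base64 text that never contain the pattern. The depth limit is the caveat a production engine needs as well: without it a deliberately nested archive turns decomposition into a resource-exhaustion attack on the scanner.</p>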
<h3><strong>What Do You Need?</strong></h3>
<p>In this part of the article I&#8217;ll discuss the different coverage needs and how you can configure the latest FortiGate products to provide the appropriate level of protection and coverage. First I&#8217;ll discuss some of the different users and their basic needs.</p>
<ul>
<li><strong>The Need For Speed</strong>: Some users are not overly concerned about full coverage for every virus that ever existed. They just want the Internet as fast as they can get it. For these users basic protection against most malware that is actively spreading is normally sufficient. Many of these users will also use host based antivirus if they want more protection at the host but still keep high speed networking (e.g. ISPs need to provide certain levels of performance so they may augment protection with host based security bundles for their customers). I&#8217;ll call these &#8220;High Performance&#8221; Users.</li>
<li><strong>On the Fence</strong>: Users in this category desire a bit more coverage but decent performance too. The malware coverage will go further back in history to malware that has lived over about the last year or so, but not go as far back as the ancient viruses of the 70s and 80s. I&#8217;ll call these &#8220;Cautious&#8221; Users.</li>
<li><strong>Nothing is Getting In</strong>: These users don&#8217;t want any viruses, no matter how old, in their networks. These users may be willing to sacrifice a bit of performance for full detection of every malware that has ever existed. I&#8217;ll call these users &#8220;Guarded&#8221; Users.</li>
</ul>
<h3><strong>First Things First, What&#8217;s in the Box?</strong></h3>
<p>In the next version of FortiOS, 4.0 MR2 (firmware version 4.2), there will be support (on some platforms) for larger antivirus databases and a new stream based antivirus scanning engine. The basic coverage types break down as follows:</p>
<ul>
<li><strong>Normal</strong>
<ul>
<li><a href="http://blog.fortinet.com/wp-content/uploads/2010/04/avdbtypes.gif"><img class="alignright size-full wp-image-1118" title="avdbtypes" src="http://blog.fortinet.com/wp-content/uploads/2010/04/avdbtypes.gif" alt="avdbtypes" /></a>This setting contains signatures for the most currently active threats. These threats are actively spreading on the Internet in some form or another, e.g. via email or as self-spreading worms.</li>
</ul>
</li>
<li><strong>Extended</strong>
<ul>
<li>This setting extends the Normal setting with signatures for recent but no longer active malware, such as viruses that were actively spreading within the past year but have largely or completely died off.</li>
</ul>
</li>
<li><strong>Extreme</strong>
<ul>
<li>The extreme setting provides the largest coverage and includes coverage of nearly all malware detected by Fortinet including zoo viruses from ages past.</li>
</ul>
</li>
<li><strong>Flow</strong>
<ul>
<li>The flow antivirus operates independently from the above settings and is used as an alternative to the proxy based antivirus settings (normal, extended and extreme). It is a stream based scanning method in which the network session is inspected in chunks. Although fast, there are limitations with stream based scanning technology such that not all files can be fully decomposed in order to properly scan for a virus. Flow based scanning is however very fast and effective against static threats such as worms, Trojans, spyware and related malware. The flow based antivirus will cover a subsection of what the extreme setting detects.</li>
</ul>
</li>
</ul>
<p>These settings can be enabled on a per VDOM basis and used for all antivirus protection profiles within that VDOM. As a side note, users can override a specific protection profile setting using the CLI if desired.</p>
<h3><strong>High Performance Users</strong></h3>
<p>For High Performance users there is the option of using the Flow AV setting, a stream based scanning engine, or the proxy based Normal setting. This can be set per VDOM via the CLI or GUI. Navigate to the UTM menu and select the Antivirus-&gt;Virus Database menu item. On this page you will be able to configure the database settings that the antivirus protection profiles use by default.</p>
<p>The normal antivirus database, containing detection for the most active threats, is available on all FortiGate models. Flow AV will only be available on certain newer models such as the FGT-80C, and other mid/high end models.</p>
<h3><strong>Cautious Users</strong></h3>
<p>For cautious users it is recommended to use the Extended setting. This provides coverage for both older threats, up to about one year, as well as any malware that is actively spreading. Older threats were previously active malware that have essentially died off and are no longer being reported to our servers. Although some of these threats continue to spread in small areas, they are no longer widespread.</p>
<p>The extended database is available on many of the newer mid to high end FortiGate Products.</p>
<h3><strong>Guarded Users</strong></h3>
<p>For guarded users the extreme setting is the way to go. This gives the largest coverage to prevent both the newest threats from entering the network as well as preventing users from downloading some old archives of legacy malware. Users also have the option of enabling the full grayware detection to scan for programs that may not necessarily be threatening but cause annoyance, such as adware.</p>
<p>The extreme database will be available on many of the newer mid to high end FortiGate Products.</p>
<h3><strong>Conclusion</strong></h3>
<p>When looking for a product to protect your network, be wary of what various products are offering. You may be looking for speed, but know the benefits and limitations of the different types of technologies so you can choose what is best for your network. Although the data sheet may look impressive in regards to performance numbers, ask what kind of coverage you are really getting. At least ensure that you can get coverage for the Wild List and other active threats with whatever product you choose. I hope this article helps you decide the type of coverage you require in your network and what products suit your needs. May your networks remain infection free.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/antivirus-are-you-covered/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The FortiOS 4.0 innovation milestone</title>
		<link>http://blog.fortinet.com/the-fortios-40-innovation-milestone/</link>
		<comments>http://blog.fortinet.com/the-fortios-40-innovation-milestone/#comments</comments>
		<pubDate>Tue, 03 Mar 2009 17:12:24 +0000</pubDate>
		<dc:creator>Mxie</dc:creator>
				<category><![CDATA[Intrusion Prevention]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[data leakage prevention]]></category>
		<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[FortiGate]]></category>
		<category><![CDATA[Fortinet]]></category>
		<category><![CDATA[ssl inspection]]></category>
		<category><![CDATA[wan optimization]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=130</guid>
		<description><![CDATA[Today was another big milestone in the history of the company I co-founded and I&#8217;m very happy to have this opportunity to tell you about it. Fortinet has released FortiOS 4.0, the firmware upgrade for our FortiGate security systems. This release is the result of a tremendous effort by our development teams over the better [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-132" title="mxie" src="http://blog.fortinet.com/wp-content/uploads/2009/03/mxie.jpg" alt="mxie" width="150" height="150" />Today was another big milestone in the history of the company I co-founded and I&#8217;m very happy to have this opportunity to tell you about it. <a href="http://www.fortinet.com">Fortinet</a> has released FortiOS 4.0, the firmware upgrade for our <a href="http://fortinet.com/products/fortigate_overview.html">FortiGate</a> security systems. This release is the result of a tremendous effort by our development teams over the better part of 12+ months. These highly skilled and talented teams worked hard to design and implement these technology innovations so that we could confidently put the product in front of our customers.</p>
<p>Even in this time of economic uncertainty, I believe that innovation is our greatest strength. While other security vendors are merely coasting along, Fortinet is focused more than ever on expanding our vision for comprehensive and easily managed network security solutions. We are continuously updating our FortiOS firmware and each release builds upon our existing, pioneering innovations. For example, with FortiOS 3.0, Fortinet became the first security hardware company to offer VoIP / IM / P2P security; we were also the first security vendor to deliver integrated SSL VPN with complete content inspection. We&#8217;ve now built upon that technology to offer full application control and prioritization of more than 1,000 apps. Overall, our FortiOS 4.0 release delivers on two main objectives:</p>
<ol>
<li>Give our FortiGate customers access to security technologies and features that were previously only available via a combination of standalone vendors</li>
<li>Continue to drive the increased security capabilities that help protect our customers from the never-ending and evolving threat landscape</li>
</ol>
<p>FortiOS 4.0 introduces several features, the four most significant of which I want to highlight here:</p>
<ul class="unIndentedList">
<li>Application Control</li>
<li>Data Leakage Prevention</li>
<li>WAN Optimization</li>
<li>SSL Inspection</li>
</ul>
<p><strong>Application Control</strong></p>
<p>This feature is part new innovation and part extension of our existing security features. The idea of application control is to enforce security policy at a finer granularity than a port-and-protocol firewall rule allows. In essence, this technology gives our customers an additional way to identify and secure applications that would otherwise disguise themselves by riding on protocols and ports that a typical security policy has to leave open (e.g. HTTP on TCP port 80).</p>
<p>The underlying technology is not new in FortiOS 4.0. Previous versions of FortiOS already implemented dynamic detection of IM and P2P traffic, which are notorious for riding on common application protocols. What FortiOS 4.0 delivers is a significant maturation of this technology, with the ability to classify and define policies for more than 1,000 applications. With this extensive application control list, administrators can define even more granular policies that detect applications by their behavior and other characteristics, irrespective of the underlying protocol and port used as the transport.</p>
<p>Additionally, Fortinet has a team of researchers who continually monitor new applications and cloaking techniques on the ever-changing Internet, so our customers can expect continual updates to the list of identified applications via our subscription service option. While this type of granular application policy is a great addition to the firewall policies inherently available in FortiOS, it is the combination with advanced security processing (antivirus, IPS, content inspection) that delivers real security. Identifying the application is only one piece of the puzzle: knowing which application a flow belongs to does not make that flow safe, so the content still needs inspection to ensure there are no malicious threats carried within the data.</p>
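<p>To make the port-versus-application distinction concrete, here is a small added example written for this editorial pass (it is not FortiGate code): it classifies a flow from the first bytes the client sends, ignoring the destination port entirely, and then applies a hypothetical policy that allows Web traffic on TCP/80 but blocks SSH, BitTorrent and HTTP CONNECT tunnels found hiding there. The sample flows, the signatures and the policy table are all constructed for illustration.</p>

```python
import re

# Constructed sample flows (not captured from a real network): the first
# client-to-server payload of a connection, together with its destination port.
SAMPLE_FLOWS = [
    {"id": 1, "dst_port": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"id": 2, "dst_port": 80, "payload": b"SSH-2.0-OpenSSH_8.9\r\n"},
    {"id": 3, "dst_port": 80,
     "payload": b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)},
    {"id": 4, "dst_port": 80,
     "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32)},
    {"id": 5, "dst_port": 8080,
     "payload": b"CONNECT updates.example.test:443 HTTP/1.1\r\n"
                b"Host: updates.example.test:443\r\n\r\n"},
    {"id": 6, "dst_port": 80, "payload": b"\x00\x01\x02garbage"},
]

HTTP_REQUEST = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT) \S+ HTTP/1\.[01]\r\n")
SSH_BANNER = re.compile(rb"^SSH-(1\.99|2\.0)-")
BT_HANDSHAKE = b"\x13BitTorrent protocol"


def identify_app(payload: bytes) -> str:
    """Classify a flow from its first bytes; the port is never consulted."""
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    if SSH_BANNER.match(payload):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03,
    # 2-byte length, then a handshake message whose type 0x01 is ClientHello.
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01):
        return "tls"
    m = HTTP_REQUEST.match(payload)
    if m:
        # CONNECT asks the server to open a raw tunnel: HTTP in name only.
        return "http-connect" if m.group(1) == b"CONNECT" else "http"
    return "unknown"


# Hypothetical policy attached to a "web" firewall rule: the rule permits
# TCP/80 and TCP/8080, but application control decides what may use them.
APP_POLICY = {
    "http": "allow",
    "tls": "allow",
    "http-connect": "block",
    "ssh": "block",
    "bittorrent": "block",
    "unknown": "log",
}


def apply_policy(flow: dict) -> dict:
    """Return the verdict for one flow as a small log record."""
    app = identify_app(flow["payload"])
    return {"id": flow["id"], "dst_port": flow["dst_port"],
            "app": app, "action": APP_POLICY.get(app, "log")}


def evaluate(flows=SAMPLE_FLOWS) -> list:
    return [apply_policy(f) for f in flows]


if __name__ == "__main__":
    for d in evaluate():
        print(f"flow {d['id']}: port {d['dst_port']:<5} "
              f"app={d['app']:<12} action={d['action']}")
```

<p>Every one of the sample flows except the fifth arrives on port 80, and a port-based rule would wave all of them through; the payload-based classifier is what separates the browser from the SSH client and the BitTorrent peer. Flows that match no signature are logged rather than silently allowed, which is the record an analyst needs when a new cloaking technique appears.</p>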
<p><strong>Data Leakage Prevention (DLP)</strong></p>
<p>DLP is an emerging need that many of our customers are seeking, but they are quickly overwhelmed by the variety of fancy-sounding techniques employed in the industry (and their associated hefty price tags). Fortinet already has a decade of experience in content inspection. By leveraging our field-proven, mature inspection technologies for data in motion, we can provide customers with the foundation for DLP without the heavy investment others are asking from them.</p>
<p>Since we have always provided protection from malicious content/threats, the ability for customers to define data that needs to be identified and protected is a natural extension of this technology. Administrators can define simple or complex targets (descriptions of the data that must not leave) which we incorporate into our built-in inspection rule set, thus allowing corporations to identify and protect intellectual property that should not be transmitted outside the boundary of an organization, or even data that should not be transmitted between departments within an organization. This is complementary to the approach we take with our firewalls.</p>
<p>Our firewall technology has always delivered &#8220;outside in&#8221; and &#8220;inside out&#8221; protection; now we are simply looking for targets administrators define in concert with the targets our own threat researchers define. While protecting the network from malicious content/threats is one aspect of network security, DLP is increasingly a must-have for companies that need to ensure their competitive edge is not compromised by the intentional or unintentional transmission of confidential data across specific boundaries.</p>
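<p>As an added illustration of what an administrator-defined target looks like in practice (example code written for this edit, not FortiOS rules), the scanner below checks outbound text against three hypothetical DLP targets: payment card numbers, validated with the Luhn check so that a sixteen-digit order number is not flagged; US Social Security numbers; and a classification marker. The sample messages are constructed, and the severities and actions are assumptions.</p>

```python
import re

# Constructed outbound messages (no real data).
SAMPLE_MESSAGES = {
    "quarterly-report.txt": (
        "Attached is the draft. Card on file for the vendor: 4111 1111 1111 1111.\n"
        "Reference number 1234-5678-1234-5678 is an order id, not a card.\n"
        "INTERNAL ONLY - do not forward outside Finance.\n"
    ),
    "lunch.txt": "Team lunch is at 12:30 on Thursday, room 4-101.\n",
}


def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Hypothetical targets: a broad candidate pattern for card numbers (13-19 digits
# with optional space/dash separators), a structured SSN pattern, and a marker.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MARKER = re.compile(r"\bINTERNAL ONLY\b")


def scan(text: str) -> list:
    """Return (rule, severity, matched value) for every target found in text."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # The regex is deliberately loose; Luhn removes most false positives.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("credit_card", "high", digits))
    for m in SSN.finditer(text):
        findings.append(("ssn", "high", m.group()))
    for m in MARKER.finditer(text):
        findings.append(("classification_marker", "medium", m.group()))
    return findings


def decide(text: str) -> dict:
    """Map findings to an action: block on any high-severity hit, log on medium."""
    findings = scan(text)
    severities = {sev for _, sev, _ in findings}
    if "high" in severities:
        action = "block"
    elif "medium" in severities:
        action = "log"
    else:
        action = "allow"
    return {"action": action, "findings": findings}


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        verdict = decide(body)
        print(f"{name}: {verdict['action']}")
        for rule, sev, value in verdict["findings"]:
            print(f"  [{sev}] {rule}: {value}")
```

<p>The first message is blocked because the card number passes the Luhn check, while the order id, which looks identical to a naive pattern, fails it and is not reported; the second message produces no findings and is allowed. The Luhn step is the kind of detail that separates a usable DLP rule from one that floods the log with false positives.</p>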
<p><strong>WAN Optimization</strong></p>
<p>I am often asked why a leading provider of focused network and application security solutions would choose to integrate a network service like WAN optimization. But if you think about it, this network technology is a natural extension for our security technologies. Fortinet is constantly developing ways to enhance networking performance, such as our Network Processor-accelerated interfaces.</p>
<p>Plus, consider that a large portion of our customers utilize our VPN technology for remote site and remote user access. Encryption and compression make it difficult for acceleration devices deployed outside the network perimeter to deliver meaningful results, because such a device sees only the encrypted VPN stream and has nothing repeatable to cache or compress. Given that we are providing security services, including VPN, on both ends of the WAN connection, it made sense to us and to our customers to offer these WAN optimization features. The customers who requested these features &#8211; especially those managing complicated enterprise branch deployments &#8211; recognized that we were already providing to them the basic foundation required for WAN acceleration technology: application content reassembly and inspection.</p>
<p>Now, consider the scenario where a FortiGate is providing antivirus scanning for FTP, Web and email across a VPN to a remote office location. To deliver these security features, the FortiGate is designed to intercept application traffic and reassemble it for the purpose of inspection. Since we already intercept and reassemble the application data in the clear, it is a logical extension to enable WAN optimization, including caching and compression techniques, on that same data.</p>
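<p>The caching half of that idea, as an added two-ended example (illustrative code written for this edit, not the FortiGate implementation): each end of the tunnel keeps an identical chunk store, so a repeated transfer is sent mostly as short hash references, and the resulting stream is compressed before it goes on the wire. It uses fixed 64-byte chunks for brevity; production byte caches typically use content-defined chunk boundaries so that an insertion does not shift every later chunk. The payload is constructed random data, so the saving on the second transfer comes from the cache rather than from zlib alone.</p>

```python
import hashlib
import random
import zlib

CHUNK = 64  # fixed-size chunking for brevity; real byte caches use content-defined boundaries


class Peer:
    """One end of the optimized tunnel. Both ends keep identical chunk stores."""

    def __init__(self):
        self.store = {}  # 8-byte hash prefix -> chunk bytes

    def encode(self, data: bytes) -> bytes:
        """Replace chunks the far end already holds with 8-byte references."""
        out = bytearray()
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            h = hashlib.sha256(chunk).digest()[:8]
            if h in self.store:
                out += b"R" + h                               # reference
            else:
                self.store[h] = chunk
                out += b"D" + len(chunk).to_bytes(2, "big") + chunk  # data
        return zlib.compress(bytes(out))

    def decode(self, wire: bytes) -> bytes:
        """Rebuild the original data, learning new chunks as they arrive."""
        buf = zlib.decompress(wire)
        out = bytearray()
        i = 0
        while i < len(buf):
            tag = buf[i:i + 1]
            i += 1
            if tag == b"R":
                out += self.store[buf[i:i + 8]]
                i += 8
            elif tag == b"D":
                n = int.from_bytes(buf[i:i + 2], "big")
                i += 2
                chunk = buf[i:i + n]
                i += n
                self.store[hashlib.sha256(chunk).digest()[:8]] = chunk
                out += chunk
            else:
                raise ValueError("corrupt stream")
        return bytes(out)


def transfer(sender: Peer, receiver: Peer, data: bytes) -> int:
    """Send data across the tunnel; return the number of bytes on the wire."""
    wire = sender.encode(data)
    if receiver.decode(wire) != data:
        raise RuntimeError("round trip mismatch")
    return len(wire)


def demo() -> dict:
    # Constructed payload: 8 KiB of seeded random bytes, sent twice with a
    # one-byte edit the second time (a document re-saved at the branch office).
    rng = random.Random(7)
    doc = bytes(rng.getrandbits(8) for _ in range(8192))
    edited = bytearray(doc)
    edited[100] ^= 0xFF
    head_office, branch = Peer(), Peer()
    first = transfer(head_office, branch, doc)
    second = transfer(head_office, branch, bytes(edited))
    return {"raw": len(doc), "first": first, "second": second}


if __name__ == "__main__":
    r = demo()
    print(f"raw {r['raw']} bytes, first transfer {r['first']}, "
          f"second transfer {r['second']}")
```

<p>On the second transfer only the one chunk containing the edit travels as data; the other 127 go as 9-byte references, so the wire cost drops to a fraction of the first. Note what makes this possible: both peers operate on the reassembled clear-text application data, after the VPN has been terminated and the content inspected. A device sitting outside the tunnel would see only ciphertext and would find nothing to reference.</p>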
<p>Finally, when you consider that we are coupling sophisticated security features designed to detect and remove unnecessary or malicious traffic with WAN optimization, you receive the highest possible experience with WAN optimization &#8211; bandwidth that carries &#8220;clean, optimized&#8221; traffic.  When you consider what it would take from other vendors to deliver a clean, optimized WAN experience, Fortinet&#8217;s innovative all-in-one solution provides an ROI that is head and shoulders above the field.</p>
<p><strong>SSL inspection</strong></p>
<p>I see this as a must-have when customers need to be assured that the traffic entering (and exiting) their network is &#8220;clean&#8221; and safe. While Secure Sockets Layer (SSL) offers encryption and point-to-point protection for communications between two devices for privacy reasons, it can also &#8220;hide&#8221; possible threats that ride on the data inside that tunnel.</p>
<p>Consider a user accessing a secured Web site via SSL, except that the Web site has been modified by hackers to deliver a malicious script. This threat could be carried through the SSL connection all the way to the client on the inside of the corporate network. With our ASIC-accelerated SSL inspection technology and sophisticated security features, the FortiGate will intercept the SSL traffic (transparently to the user or host) and inspect it for any possible threats before passing it to the host. Because the FortiGate terminates the client's SSL session and opens its own session to the server, the client sees a certificate issued by the inspecting device rather than the server's original certificate; deployments therefore need the clients behind the FortiGate to trust the certificate authority the FortiGate signs with, or users will see certificate warnings.</p>
<p>Conversely, it may be just as important to ensure that traffic passed to your servers is inspected and protected from malicious content or threats, thus protecting against attacks from malicious SSL clients.</p>
<p>These are only a few of the most compelling features that we&#8217;ve released in FortiOS 4.0. We build these products to meet the demands of our customers, and our customers come to us because they expect us to be at the leading edge of innovation. We also expect and challenge ourselves to be at the leading edge of innovation, and that&#8217;s why I am especially proud of this new version of the operating system. With this release our customers will be able to experience these new cutting edge technologies along with the staple Fortinet network and security features that have fueled our continued growth and success.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/the-fortios-40-innovation-milestone/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

