<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
	<title>Fortinet Security Blog &#187; UTM</title>
	<atom:link href="http://blog.fortinet.com/tag/utm/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.fortinet.com</link>
	<description>Real Time Network Protection</description>
	<lastBuildDate>Fri, 27 Jan 2012 11:59:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.3</generator>
	<!-- podcast_generator="podPress/8.8" -->
		<copyright>&#xA9;Fortinet Product Marketing </copyright>
		<managingEditor>rpopko@fortinet.com (Fortinet Product Marketing)</managingEditor>
		<webMaster>rpopko@fortinet.com (Fortinet Product Marketing)</webMaster>
		<category>Fortinet Product Information</category>
		<ttl>1440</ttl>
		<itunes:keywords>forti-gate, anti-spam, anti-virus, fortigate</itunes:keywords>
		<itunes:subtitle>The latest news and information about Fortinet products and services for Real Time Network Protection.</itunes:subtitle>
		<itunes:summary>Fortinet is a leading provider of Unified Threat Management (UTM) network security solutions for enterprise and service provider environments. The Fortinet FortiCast delivers news, information, and tutorials about products, services, and industry trends. Fortinet's FortiGate product line and FortiGuard security subscription services provide an array of integrated network security functions including antivirus, firewall, virtual private networking, intrusion prevention (IPS), web filtering, antispam and traffic optimization. </itunes:summary>
		<itunes:author>Fortinet Product Marketing</itunes:author>
		<itunes:category text="Technology"/>
<itunes:category text="Technology">
  <itunes:category text="Tech News"/>
</itunes:category>
		<itunes:owner>
			<itunes:name>Fortinet Product Marketing</itunes:name>
			<itunes:email>rpopko@fortinet.com</itunes:email>
		</itunes:owner>
		<itunes:block>No</itunes:block>
		<itunes:explicit>no</itunes:explicit>
		<itunes:image href="http://blog.fortinet.com/wp-content/uploads/2009/01/forticast-300x300.jpg" />
		<image>
			<url>http://blog.fortinet.com/wp-content/uploads/2009/01/forticast-144x144.jpg</url>
			<title>Fortinet Security Blog</title>
			<link>http://blog.fortinet.com</link>
			<width>144</width>
			<height>144</height>
		</image>
		<item>
		<title>On Tests, Firewalls and Modern Threat Mitigation</title>
		<link>http://blog.fortinet.com/on-tests-firewalls-and-modern-threat-mitigation/</link>
		<comments>http://blog.fortinet.com/on-tests-firewalls-and-modern-threat-mitigation/#comments</comments>
		<pubDate>Tue, 12 Apr 2011 23:41:18 +0000</pubDate>
		<dc:creator>DManky</dc:creator>
				<category><![CDATA[Research]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[fortiguard labs]]></category>
		<category><![CDATA[Fortinet]]></category>
		<category><![CDATA[integrated security]]></category>
		<category><![CDATA[next generation firewall]]></category>
		<category><![CDATA[ngfw]]></category>
		<category><![CDATA[nss labs]]></category>
		<category><![CDATA[security testing]]></category>
		<category><![CDATA[threat mitigation]]></category>
		<category><![CDATA[UTM]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=2744</guid>
		<description><![CDATA[It’s a fact: Today’s threats have made the threats of yesterday a vision in the rear-view mirror, along with the security counterparts developed to tackle them. It’s also quite known that the legacy firewall is easily circumvented by modern threats. For example, botnets frequently communicate over common ports like HTTP to do their dirty work [...]]]></description>
			<content:encoded><![CDATA[<p>It’s a fact: today’s threats have made the threats of yesterday a vision in the rear-view mirror, along with the security countermeasures developed to tackle them. It’s also well known that the legacy firewall is easily circumvented by modern threats. For example, botnets frequently communicate over common ports like TCP 80 (HTTP) to do their dirty work – sending stolen information and receiving tasks to carry out. Thus one could deduce that TCP port 80 is itself a security threat and, as the strongest countermeasure, should be blocked.</p>
<p>However, in today&#8217;s day and age, we need to observe threats on a deeper level for practical mitigation and several questions must be asked. What activity is occurring over that channel? Are there anomalies? What data is in transit? Is it malicious by nature or simply some text being delivered to the browser? What URL/Server is the data in transit from &#8212; have they been red flagged?</p>
<p>The list goes on, and these are the questions we face here in <a href="http://www.fortiguard.com/">FortiGuard Labs</a> on an hourly basis, having to react and push out dynamic threat definitions. You can get an idea of how often this happens with our latest <a href="http://www.fortiguard.com/report/roundup_04_08_2011.html#coverage">service report</a>.</p>
<p>To that end, there are many industry tests performed on a regular basis against particular security functions &#8212; firewall, antivirus, antispam, web filtering, intrusion prevention (IPS), and so forth, all of which rely on varying degrees of environments and configuration parameters.</p>
<p>Take, for example, the latest test made public today by NSS Labs (<a href="../fortinet-responds-to-nss-labs-public-firewall-test/">more about this here</a>) regarding TCP split handshakes. To get a pass, the *firewall* alone had to block a split handshake. That&#8217;s it. Other components of a real deployment, such as antivirus and intrusion prevention, were not enabled, so the critical questions I posed earlier were never asked: with no antivirus and no deep packet inspection, nothing looks at what crosses the connection. The problem is that this tests an outdated firewall concept. Qualified research firms, from Gartner to IDC to Frost &amp; Sullivan, all support an integrated security approach for enterprises, for many reasons; the main reason, of course, is that this is what customers require.</p>
<p>Before going further, it’s important to share a little detail about the split handshake. The most common TCP handshake is the three-way handshake (SYN, SYN-ACK, ACK). Less common is the simultaneous open, where both devices act as clients trying to reach each other: each sends a SYN from the active OPEN state and each answers the other&#8217;s SYN with a SYN-ACK before the connection is established. The split handshake combines both. The client sends a SYN as usual, but the server answers with a bare SYN instead of a SYN-ACK; the client&#8217;s stack treats this as a simultaneous open and replies with a SYN-ACK, and the server completes the exchange with an ACK. From the server&#8217;s point of view it has just performed an ordinary three-way handshake as the initiator, so the client-server direction of the connection is effectively reversed once it is established.</p>
<p>Therein lies the problem, since inspection logic that tracks which side is the client may be fooled. It should be noted that the threats we see today traverse normal TCP connections established with a three-way handshake, using attacks above layer 4 (transport), in particular at layer 7 (application). Stopping this particular split-handshake trick alone will not guarantee protection against the vast majority of real-world attack scenarios we observe in our labs.</p>
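<p>As an added illustration, not part of the original post and not Fortinet code, here is a small Python model of the three handshake shapes just described and of the kind of strict inline policy a firewall or IPS can apply to them. The packet model, the host names "client" and "server" and the packet sequences are constructed for the example; a real tracker would read the flags from live packets.</p>

```python
from dataclasses import dataclass

SYN, SYNACK, ACK = "S", "SA", "A"


@dataclass(frozen=True)
class Pkt:
    """Constructed minimal packet: only what a handshake tracker needs."""
    src: str
    dst: str
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


def classify_handshake(pkts):
    """Classify the opening packets of a TCP session.

    Returns (kind, effective_client). The initiator is the host that sent the
    first SYN. effective_client is the host that, by the end of the exchange,
    has behaved like the client of an ordinary three-way handshake
    (sent SYN, received SYN-ACK, sent ACK).
    """
    if not pkts or pkts[0].flags != SYN:
        return ("invalid", None)
    a, b = pkts[0].src, pkts[0].dst
    seen = [(p.src, p.flags) for p in pkts]
    three_way = [(a, SYN), (b, SYNACK), (a, ACK)]
    simultaneous = [(a, SYN), (b, SYN), (a, SYNACK), (b, SYNACK)]
    split = [(a, SYN), (b, SYN), (a, SYNACK), (b, ACK)]
    if seen[:3] == three_way:
        return ("three_way", a)
    if seen[:4] == simultaneous:
        return ("simultaneous_open", a)
    if seen[:4] == split:
        # b answered a's SYN with its own SYN, got a SYN-ACK back and finished
        # with an ACK: from b's side this was a normal three-way handshake in
        # which b was the client, so the roles are reversed.
        return ("split", b)
    return ("invalid", None)


def strict_three_way_filter(pkts):
    """Inline policy that only lets an ordinary three-way handshake through.

    After the initiator's SYN the only acceptable reply from the responder is
    a SYN-ACK; a bare SYN coming back (the split-handshake move) is dropped,
    so the reversed connection can never be established.
    Returns (forwarded, dropped, final_state).
    """
    state, initiator, responder = "listen", None, None
    forwarded, dropped = [], []
    for p in pkts:
        if state == "listen" and p.flags == SYN:
            initiator, responder, state = p.src, p.dst, "syn_sent"
        elif state == "syn_sent" and p.src == responder and p.flags == SYNACK:
            state = "syn_received"
        elif state == "syn_received" and p.src == initiator and p.flags == ACK:
            state = "established"
        elif state != "established":
            dropped.append(p)
            continue
        forwarded.append(p)
    return forwarded, dropped, state


# Constructed sample exchanges between a client C and a server S.
C, S = "client", "server"
SAMPLE_THREE_WAY = [Pkt(C, S, SYN), Pkt(S, C, SYNACK), Pkt(C, S, ACK)]
SAMPLE_SIMULTANEOUS = [Pkt(C, S, SYN), Pkt(S, C, SYN), Pkt(C, S, SYNACK), Pkt(S, C, SYNACK)]
SAMPLE_SPLIT = [Pkt(C, S, SYN), Pkt(S, C, SYN), Pkt(C, S, SYNACK), Pkt(S, C, ACK)]

if __name__ == "__main__":
    samples = [("three-way", SAMPLE_THREE_WAY), ("simultaneous", SAMPLE_SIMULTANEOUS), ("split", SAMPLE_SPLIT)]
    for name, pkts in samples:
        kind, client = classify_handshake(pkts)
        _, dropped, state = strict_three_way_filter(pkts)
        print(f"{name:12s} kind={kind:17s} effective client={client} "
              f"strict filter dropped {len(dropped)} packet(s), state={state}")
```

<p>For the split sequence the classifier reports the server as the effective client, which is exactly the reversal that confuses direction-based inspection, and the strict filter leaves the session stuck in SYN_SENT after dropping the server&#8217;s bare SYN. The same strictness also blocks the rare legitimate simultaneous open; whether that trade-off is acceptable is an operator decision, which is one reason a signature that can be enabled selectively is convenient.</p>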
<p>In the particular case of the NSS test, FortiGuard Labs released an IPS signature to inspect and detect/block split-handshake traffic before a connection is established, dynamically available to all customers through Fortinet&#8217;s Distribution Network.  This is the same process we use to push out hot signatures on breaking threats such as software vulnerabilities and botnets &#8211; no downtime, no immediate firmware update required.  It&#8217;s a flexible, real-time approach to modern threats. We also apply this beyond IPS, from antivirus to web content filtering rating for the latest web sites serving malware. This is where UTM truly separates itself from both legacy and point product solutions. Any devices with IPS enabled now have the benefit of identifying split-handshake traffic, AND all other malicious traffic such as vulnerability exploitation or botnet communication.</p>
<p>As mentioned in our previous blog post, our development team has worked in parallel on a firmware fix purely for the firewall itself. Though, as I mentioned, fewer and fewer companies are relying on a standalone firewall without multi-function protection, because integrated security remains the best approach for protecting against a wide range of threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/on-tests-firewalls-and-modern-threat-mitigation/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Fortinet Responds to NSS Labs Public Firewall Test</title>
		<link>http://blog.fortinet.com/fortinet-responds-to-nss-labs-public-firewall-test/</link>
		<comments>http://blog.fortinet.com/fortinet-responds-to-nss-labs-public-firewall-test/#comments</comments>
		<pubDate>Tue, 12 Apr 2011 17:22:57 +0000</pubDate>
		<dc:creator>PBedwell</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[firewall test]]></category>
		<category><![CDATA[FortiGate]]></category>
		<category><![CDATA[nss labs]]></category>
		<category><![CDATA[UTM]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=2741</guid>
		<description><![CDATA[UPDATED Apr 17 with new information Today NSS Labs, an independent security testing organization, issued a report which states it found holes in five of six network firewalls. Fortinet was named as one of these firewalls, and we want to address some misperceptions around this report. NSS Labs tested the FortiGate-3950B platform using equipment supplied [...]]]></description>
			<content:encoded><![CDATA[<p>UPDATED Apr 17 with new information</p>
<p>Today NSS Labs, an independent security testing organization, issued a report which states it found holes in five of six network firewalls. Fortinet was named as one of these firewalls, and we want to address some misperceptions around this report.</p>
<p>NSS Labs tested the FortiGate-3950B platform using equipment supplied by an NSS customer. We have been working with NSS Labs over the last two months to remediate the issues raised in the test. NSS Labs incorrectly states that <a href="https://www.nsslabs.com/research/analysis-briefs/network-firewall-remediation-for-tcp-split-handshake.html">Fortinet does not currently provide customers with protection</a> against a TCP split handshake.</p>
<p>In fact, FortiGate platforms are not susceptible to split handshake attacks when AV and IPS engines are enabled. Approximately 85% of our customers implement our product using multiple security components within one appliance.  Not only does this test support our premise that relying on a single technology can be less effective, it also supports the need to aggregate multiple security functions in an easy to use, low TCO product to provide the best protection.</p>
<p>We have been protecting our customers from split handshake attacks since 2006, when Fortinet developed an IPS signature (TCP.Stealth.Activity) that blocks the malicious activity related to the split handshake. This signature continues to protect customers today. Fortinet is creating a new IPS signature (TCP.Split.Handshake) to explicitly block the split handshake stealth approach, and will be available to all customers next week. Customers can enable a single IPS signature if they are not currently running the IPS feature that is included in the FortiGate consolidated security platform. Fortinet is also creating a patch for our firewall module to address the TCP split handshake issue, and we expect it will be available by the end of next week.</p>
<p>We feel strongly that integrated protection from multiple layers of security technology is the best approach for blocking this issue, and customers that have IPS working with their firewall are better protected against a wider range of threats. The majority of our customers recognize the benefit of deploying integrated functions, and thus are using firewall and IPS, as well as other security features.</p>
<p>Overall, we believe that the true threat lies in the exploits that can be passed over the established connection, and not the ability to establish a split handshake itself. During internal testing our researchers found that the split handshake cannot be established when using FortiGate unified threat management functionality, and the attack cannot proceed.</p>
<p>Summary:</p>
<ul>
<li>We have been protecting customers for years with an existing IPS signature that blocks threats which could be passed along connections established via split handshake</li>
<li>A new IPS signature will be available next week to customers to prevent establishing a TCP split handshake</li>
<li>A firmware update for our firewall module for both FortiOS 4.0 MR2 and MR3 is in progress; we anticipate it being released by the end of next week</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/fortinet-responds-to-nss-labs-public-firewall-test/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>Stop the (Network Security) Insanity!</title>
		<link>http://blog.fortinet.com/stop-the-network-security-insanity/</link>
		<comments>http://blog.fortinet.com/stop-the-network-security-insanity/#comments</comments>
		<pubDate>Wed, 18 Aug 2010 16:09:22 +0000</pubDate>
		<dc:creator>RPopko</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[antimalware]]></category>
		<category><![CDATA[Antispam]]></category>
		<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[ips]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[UTM]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=1498</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p><object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/RufELjP4EKw?fs=1&amp;hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/RufELjP4EKw?fs=1&amp;hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/stop-the-network-security-insanity/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Fortinet Security Survey / iPad Giveaway</title>
		<link>http://blog.fortinet.com/fortinet-security-survey-ipad-giveaway/</link>
		<comments>http://blog.fortinet.com/fortinet-security-survey-ipad-giveaway/#comments</comments>
		<pubDate>Wed, 26 May 2010 16:05:04 +0000</pubDate>
		<dc:creator>RPopko</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[enterprise firewall]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[security survey]]></category>
		<category><![CDATA[UTM]]></category>
		<category><![CDATA[win ipad]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=1242</guid>
		<description><![CDATA[Fortinet is conducting a 2010 network security survey. Completing the 15 multiple choice questions automatically enters takers into a drawing for a chance to win one of three new Apple iPads. By taking this survey, you are helping us better understand what the users see as significant trends that are occurring in the security industry. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.fortinet.com/wp-content/uploads/2010/05/ipad.jpg.png"><img class="alignleft size-full wp-image-1243" title="ipad.jpg" src="http://blog.fortinet.com/wp-content/uploads/2010/05/ipad.jpg.png" alt="ipad.jpg" width="139" height="78" /></a>Fortinet is conducting a <a href="http://www.surveymonkey.com/securitysurvey">2010 network security survey</a>. Completing the 15 multiple choice questions automatically enters takers into a drawing for a chance to win one of three new Apple iPads. By taking <a href="http://www.surveymonkey.com/s.aspx?sm=503HNSY0ofyKGKJOLPN3IPaS%2fWyVTof48mjcSBP%2bR6A%3d&amp;">this survey</a>, you are helping us better understand what the users see as significant trends that are occurring in the security industry. While your answers will remain anonymous, we ask for your email at the end of <a href="http://www.surveymonkey.com/s.aspx?sm=503HNSY0ofyKGKJOLPN3IPaS%2fWyVTof48mjcSBP%2bR6A%3d&amp;">the survey</a> so that you can be notified should you be one of the three lucky iPad winners.</p>
<p>Winners will be announced in August. Questions related to this survey can be addressed to <a href="mailto:rpopko@fortinet.com">Rick Popko</a>. Thank you for your participation.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/fortinet-security-survey-ipad-giveaway/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Antivirus: Are you covered?</title>
		<link>http://blog.fortinet.com/antivirus-are-you-covered/</link>
		<comments>http://blog.fortinet.com/antivirus-are-you-covered/#comments</comments>
		<pubDate>Mon, 05 Apr 2010 17:47:42 +0000</pubDate>
		<dc:creator>JCrawford</dc:creator>
				<category><![CDATA[Inside FortiOS]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[UTM]]></category>
		<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[FortiGate]]></category>
		<category><![CDATA[Fortinet]]></category>
		<category><![CDATA[FortiOS]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=1113</guid>
		<description><![CDATA[When it comes to antivirus, how much coverage do you need? Everyone has different concerns when it comes to antivirus coverage. Some people want to circle the wagons and let very little into their networks, while others need some basic protection but prefer speed, speed and more speed. In this article I&#8217;ll discuss the new [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.fortinet.com/wp-content/uploads/2010/02/Inside-FortiOS_Blog_Logo-150px.gif"><img class="alignleft size-full wp-image-981" style="margin: 6px 8px;" title="Inside-FortiOS_Blog_Logo-150px" src="http://blog.fortinet.com/wp-content/uploads/2010/02/Inside-FortiOS_Blog_Logo-150px.gif" alt="Inside-FortiOS_Blog_Logo-150px" width="150" height="47" /></a>When it comes to antivirus, how much coverage do you need? Everyone has different concerns when it comes to antivirus coverage. Some people want to circle the wagons and let very little into their networks, while others need some basic protection but prefer speed, speed and more speed. In this article I&#8217;ll discuss the new antivirus features in FortiOS 4.0 MR2 for the FortiGate family and how your device can be configured for your preferred balance of coverage versus performance.</p>
<h3><strong>Malware Lifecycles</strong></h3>
<p><a href="http://agilewarrior.files.wordpress.com/2009/03/circlethewagons.jpg"><img class="alignright size-full wp-image-1116" title="circlethewagons" src="http://blog.fortinet.com/wp-content/uploads/2010/04/circlethewagons.jpg" alt="circlethewagons" width="288" height="181" /></a>All malware has a life cycle. Some are like shooting stars, blasting across the Internet, infecting everything in their path and going out with a bang at the next signature update, leaving much news buzz in their wake. Others creep along, slowly infiltrating systems with their variants, keeping their name alive for months or years. Still others have gone the way of the dinosaurs and live only in memory, no longer spreading, or unable to spread on modern operating systems: the so-called zoo viruses. In general it is the actively spreading viruses that a user needs to be concerned about, and products should provide coverage for this active malware.</p>
<p>Today viruses are still tracked using the Wild List, a vendor-independent managed list of the most active viruses. This is used as a minimal benchmark for vendors, to ensure that customers are protected from the most actively reported threats. Viruses that slow down and eventually drop off this list end up on the list of zoo viruses and are rarely, if ever, seen in the wild again.</p>
<h3><strong>Under the Hood</strong></h3>
<p>Although there are many different vendors of antivirus products, most use very similar techniques and must deal with the same issues when trying to detect a virus. Most viruses are contained in a file of some sort, either directly executable or in a format that is executed by another host program (such as a macro virus embedded in a document). Roughly 80-85 percent of the effort when examining a file goes into decomposing the file into a form usable for signature scanning. Decomposing a file means extracting or converting its data into a form in which the signature-scanning routines can match any known virus in their database. For example, an incoming file may be an archive, such as a zip file, containing an executable. If the file is sent in an email it is usually base64-encoded as ASCII text and must be decoded back to binary before deeper examination. This in-depth decomposition is very often required for the most sophisticated viruses, and therefore the full file needs to be buffered.</p>
<p>Flow- or stream-based antivirus is one of the latest techniques used by network-based products for scanning. It has high throughput and uses state-based engines to keep track of what has been scanned, but it has some limitations that probably cannot be solved because of the format of certain types of files. For example, some archive formats cannot be streamed due to complexities in their algorithms, so streaming scanners have difficulty with these files. Heavily encrypted files, packed executables and file infectors may be difficult to detect with stream-based methods, since not all of the data will be available to assist in decrypting the file. Viruses embedded in documents require more in-depth extraction routines that are probably not commonly used in stream-based scanning. Some files, such as polymorphic or packed files, require emulation in order to extract the clear viral code from its encrypted cocoon; without this level of decomposition the number of distinct detection signatures required would be staggering. It’s not all bad news, however. Flow- or stream-based methods are quite effective and fast against certain types of malware such as static worms (executables that don&#8217;t change their binary composition when they spread), certain Trojans, spyware, adware and other more static malware. Stream methods are also useful for large files, having few file-size limits, but if you consider that most malware files are relatively small (so they can spread quickly), the only advantage would be on large archives of files (which are most likely manually created and infrequently spread).</p>
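<p>To make the decomposition point concrete, here is an added Python example; it is not code from the original article or from FortiOS. It builds a constructed "attachment" (a zip archive holding a text file, base64-encoded the way mail transports it) and shows that a signature match on the raw transfer encoding finds nothing, that a full-file proxy-style pipeline (decode, open the archive, scan each member) finds the marker, and that a stream-style scanner that looks at fixed chunks in isolation misses a signature straddling a chunk boundary unless it carries the tail of the previous chunk forward. The signature string is a harmless constructed marker, not a real malware pattern.</p>

```python
import base64
import io
import zipfile

# Constructed, harmless marker that stands in for a real virus signature.
SIGNATURE = b"!CONSTRUCTED-TEST-SIGNATURE-NOT-MALWARE!"

# Constructed file content: the marker sits at offset 60 so that it straddles
# a 64-byte chunk boundary in the chunked-scanning demonstration below.
SAMPLE_MEMBER = b"A" * 60 + SIGNATURE + b"B" * 100


def build_sample_attachment() -> str:
    """Build a constructed e-mail attachment the way a mail client would:
    a zip archive holding SAMPLE_MEMBER, base64-encoded for transport."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", SAMPLE_MEMBER)
    return base64.b64encode(buf.getvalue()).decode("ascii")


def scan_bytes(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Signature match on a fully buffered object."""
    return sig in data


def scan_chunks_naive(data: bytes, chunk_size: int, sig: bytes = SIGNATURE) -> bool:
    """Stream-style scan that looks at each chunk in isolation.
    A signature straddling a chunk boundary is never seen whole."""
    for i in range(0, len(data), chunk_size):
        if sig in data[i:i + chunk_size]:
            return True
    return False


def scan_chunks_with_carry(data: bytes, chunk_size: int, sig: bytes = SIGNATURE) -> bool:
    """Stream-style scan that carries the last len(sig)-1 bytes of the previous
    chunk forward, so a straddling signature is still matched."""
    carry = b""
    for i in range(0, len(data), chunk_size):
        window = carry + data[i:i + chunk_size]
        if sig in window:
            return True
        carry = window[-(len(sig) - 1):]
    return False


def decompose_and_scan(b64_text: str, sig: bytes = SIGNATURE) -> dict:
    """Proxy-style pipeline: buffer the whole attachment, undo the base64
    transfer encoding, open the archive and scan each member in full."""
    raw = base64.b64decode(b64_text)
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for name in zf.namelist():
            verdicts[name] = scan_bytes(zf.read(name), sig)
    return verdicts


if __name__ == "__main__":
    attachment = build_sample_attachment()
    print("match on raw base64 text :", scan_bytes(attachment.encode("ascii")))
    print("match after decomposition:", decompose_and_scan(attachment))
    print("naive 64-byte chunks     :", scan_chunks_naive(SAMPLE_MEMBER, 64))
    print("chunks with carry-over   :", scan_chunks_with_carry(SAMPLE_MEMBER, 64))
```

<p>The carry-over trick solves the boundary problem for plain files, but it does not help when the bytes on the wire are an archive or a packed executable: the chunk scanner would still have to inflate or unpack before the marker exists in scannable form, which is why the article says the full file often has to be buffered.</p>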
<h3><strong>What Do You Need?</strong></h3>
<p>In this part of the article I&#8217;ll discuss the different coverage needs and how you can configure the latest FortiGate products to provide the appropriate level of protection and coverage. First I&#8217;ll discuss some of the different users and their basic needs.</p>
<ul>
<li><strong>The Need For Speed</strong>: Some users are not overly concerned about full coverage for every virus that ever existed. They just want the Internet as fast as they can get it. For these users basic protection against most malware that is actively spreading is normally sufficient. Many of these users will also use host based antivirus if they want more protection at the host but still keep high speed networking (e.g. ISPs need to provide certain levels of performance so they may augment protection with host based security bundles for their customers). I&#8217;ll call these &#8220;High Performance&#8221; Users.</li>
<li><strong>On the Fence</strong>: Users in this category desire a bit more coverage but decent performance too. The malware coverage will go further back in history to malware that has lived over about the last year or so, but not go as far back as the ancient viruses of the 70s and 80s. I&#8217;ll call these &#8220;Cautious&#8221; Users.</li>
<li><strong>Nothing is Getting In</strong>: These users don&#8217;t want any viruses, no matter how old, in their networks. These users may be willing to sacrifice a bit of performance for full detection of every malware that has ever existed. I&#8217;ll call these users &#8220;Guarded&#8221; Users.</li>
</ul>
<h3><strong>First Things First, What&#8217;s in the Box?</strong></h3>
<p>In the next version of the FortiGate OS, 4.2, there will be support (on some platforms) for larger antivirus databases and a new stream-based antivirus scanning engine. The breakdown of the basic coverage types is as follows:</p>
<ul>
<li><strong>Normal</strong>
<ul>
<li><a href="http://blog.fortinet.com/wp-content/uploads/2010/04/avdbtypes.gif"><img class="alignright size-full wp-image-1118" title="avdbtypes" src="http://blog.fortinet.com/wp-content/uploads/2010/04/avdbtypes.gif" alt="avdbtypes" /></a>This setting contains signatures for the most currently active threats. These threats are actively spreading on the Internet in some form or another, e.g. via email or self-spreading worms.</li>
</ul>
</li>
<li><strong>Extended</strong>
<ul>
<li>This setting extends the Normal setting to include signatures for recent but no longer active malware, such as viruses that may have been actively spreading within the past year but have significantly or completely died off.</li>
</ul>
</li>
<li><strong>Extreme</strong>
<ul>
<li>The extreme setting provides the largest coverage and includes coverage of nearly all malware detected by Fortinet including zoo viruses from ages past.</li>
</ul>
</li>
<li><strong>Flow</strong>
<ul>
<li>The flow antivirus operates independently from the above settings and is used as an alternative to the proxy based antivirus settings (normal, extended and extreme). It is a stream based scanning method in which the network session is inspected in chunks. Although fast, there are limitations with stream based scanning technology such that not all files can be fully decomposed in order to properly scan for a virus. Flow based scanning is however very fast and effective against static threats such as worms, Trojans, spyware and related malware. The flow based antivirus will cover a subsection of what the extreme setting detects.</li>
</ul>
</li>
</ul>
<p>These settings can be enabled on a per VDOM basis and used for all antivirus protection profiles within that VDOM. As a side note, users can override a specific protection profile setting using the CLI if desired.</p>
<h3><strong>High Performance Users</strong></h3>
<p>For High Performance users there is the option of using the Flow AV option, a stream-based scanning engine, or the proxy-based Normal setting. This can be set per VDOM via the CLI or GUI. Navigate to the UTM menu and select the Antivirus-&gt;Virus Database menu item. On this page you will be able to configure the database settings that will be used by default by the antivirus protection profiles.</p>
<p>The normal antivirus database, containing detection for the most active threats, is available on all FortiGate models. Flow AV will only be available on certain newer models such as the FGT-80C, and other mid/high end models.</p>
<h3><strong>Cautious Users</strong></h3>
<p>For cautious users it is recommended to use the Extended setting. This provides coverage for both older threats, up to about one year, as well as any malware that is actively spreading. Older threats were previously active malware that have essentially died off and are no longer being reported to our servers. Although some of these threats continue to spread in small areas, they are no longer widespread.</p>
<p>The extended database is available on many of the newer mid to high end FortiGate Products.</p>
<h3><strong>Guarded Users</strong></h3>
<p>For guarded users the extreme setting is the way to go. This gives the largest coverage to prevent both the newest threats from entering the network as well as preventing users from downloading some old archives of legacy malware. Users also have the option of enabling the full grayware detection to scan for programs that may not necessarily be threatening but cause annoyance, such as adware.</p>
<p>The extreme database will be available on many of the newer mid to high end FortiGate Products.</p>
<h3><strong>Conclusion</strong></h3>
<p>When looking for a product to protect your network, be wary of what various products are offering. You may be looking for speed, but know the benefits and limitations of the different types of technologies so you can choose what is best for your network. Although the data sheet may look impressive in regards to performance numbers, ask what kind of coverage you are really getting. At least ensure that you can get coverage for the Wild List and other active threats with whatever product you choose. I hope this article helps you decide the type of coverage you require in your network and what products suit your needs. May your networks remain infection free.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/antivirus-are-you-covered/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>On balance, is it still UTM?</title>
		<link>http://blog.fortinet.com/on-balance-is-it-still-utm/</link>
		<comments>http://blog.fortinet.com/on-balance-is-it-still-utm/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 17:02:03 +0000</pubDate>
		<dc:creator>CWindsor</dc:creator>
				<category><![CDATA[Inside FortiOS]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[UTM]]></category>
		<category><![CDATA[FortiGate]]></category>
		<category><![CDATA[load balancer]]></category>
		<category><![CDATA[load balancing]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=1014</guid>
		<description><![CDATA[With all of the features available in the FortiGate operating system, such as our antivirus, web filtering, IPS and antispam, together with the newer additions such as SSL VPN, DLP, WAN Optimization, etc., it is easy to overlook some of the lesser known features our solution provides. I wanted to mention our load balancing capability [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.fortinet.com/wp-content/uploads/2010/02/Inside-FortiOS_Blog_Logo-150px.gif"><img class="alignleft size-full wp-image-981" style="margin-left: 8px; margin-right: 8px;" title="Inside-FortiOS_Blog_Logo-150px" src="http://blog.fortinet.com/wp-content/uploads/2010/02/Inside-FortiOS_Blog_Logo-150px.gif" alt="Inside-FortiOS_Blog_Logo-150px" width="150" height="47" /></a>With all of the features available in the FortiGate operating system, such as our antivirus, web filtering, IPS and antispam, together with the newer additions such as SSL VPN, DLP, WAN Optimization, etc., it is easy to overlook some of the lesser known features our solution provides.</p>
<p>I wanted to mention our load balancing capability as another one of those surprising Fortinet free features.</p>
<p>Of course, in the current economic climate, consolidation (something Fortinet has pioneered for the past decade) is always being sought, and the more features a unified solution can provide, the better. Realists will always point out, however, that consolidation only works when the features being offered are of sufficient quality compared with other solutions on the market. This is where the little-known FortiGate load balancing feature often surprises.</p>
<p>The Fortinet load balancing feature set contains all of the features you would expect of a server load balancing solution. Traffic can be balanced across backend servers using multiple methods, including static (failover), round robin, weighted (to account for differently sized servers), or based on the health and performance of the server, such as round trip time or number of connections. The load balancer supports HTTP/S, SSL, or generic TCP/UDP or IP protocols. Session persistence is supported based on the SSL session ID or on an injected HTTP cookie. The load balancing feature is supported on all devices from the FG50B upwards and supports 10,000 virtual servers on the high end systems.</p>
<p>In addition to the load balancing features, there is also a range of heavy duty options including:</p>
<ul>
<li>SSL Offload, where the decryption process is offloaded to the FortiGate custom ASIC to accelerate performance</li>
<li>HTTP Multiplexing, where multiple HTTP streams are pipelined into a single request to the backend server</li>
<li>Intrusion Prevention performed on the traffic before distribution out to the servers, protecting them from attack</li>
</ul>
<p>Quite the UTM appliance&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/on-balance-is-it-still-utm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Faster than the speed of steam?</title>
		<link>http://blog.fortinet.com/faster-than-the-speed-of-steam/</link>
		<comments>http://blog.fortinet.com/faster-than-the-speed-of-steam/#comments</comments>
		<pubDate>Wed, 26 Aug 2009 16:28:56 +0000</pubDate>
		<dc:creator>DTurnbull</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[performance]]></category>
		<category><![CDATA[UTM]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=507</guid>
		<description><![CDATA[A team of British eccentrics has broken the 103-year-old record for a steam-powered car, previously standing at 127mph. The record now stands at close to 140mph, but with the super heated steam being injected into the turbine at more than twice the speed of sound, there is clearly more to the speed of the car [...]]]></description>
			<content:encoded><![CDATA[<p>A <a href="http://news.bbc.co.uk/1/hi/england/hampshire/8209288.stm">team of British eccentrics</a> has broken the 103-year-old  record for a steam-powered car, previously standing at 127mph. The record now  stands at close to 140mph, but with the super heated steam being injected into  the turbine at more than twice the speed of sound, there is clearly more to the  speed of the car than the speed of the steam.</p>
<p>The good news about all this is that it gives us an excuse to look at the speed of security devices. Picking up your favourite data sheet, you can see speeds quoted based on link speeds, up to values of throughput and maybe even some hint at the packets per second numbers. Of course, these numbers are based on test cases &#8212; and RFC2544 does a good job of defining how to navigate these claims for network devices, introducing the idea of testing based on differing packet sizes. It even suggests packet sizes to use when testing 4M token ring. It was written in 1999, not quite the same longevity as our steam powered car, but not bad.</p>
<p>Complex environments generate increasingly complex test cases and, of course, with more and more features being consolidated into a single device, the ability to predict the likely performance of that device in all cases can become a real headache, particularly if you are reliant on a general purpose CPU. Providing dedicated hardware elements to offload the more intensive aspects of the workload helps greatly when generating test cases and solution designs. This is not a new idea, but it can sometimes be lost in the feature race. Take a look at how hot your steam is&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/faster-than-the-speed-of-steam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Next generation security: An interview with Michael Xie</title>
		<link>http://blog.fortinet.com/next-generation-security-an-interview-with-michael-xie/</link>
		<comments>http://blog.fortinet.com/next-generation-security-an-interview-with-michael-xie/#comments</comments>
		<pubDate>Thu, 09 Jul 2009 20:56:39 +0000</pubDate>
		<dc:creator>RPopko</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[performance]]></category>
		<category><![CDATA[threat chaos]]></category>
		<category><![CDATA[UTM]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=420</guid>
		<description><![CDATA[Earlier this week, independent analyst Richard Stiennon posted a video interview he did with Michael Xie. From Stiennon&#8217;s blog post: Michael Xie is CTO of Fortinet and drives all of their development of true “Next Generation” security appliances. Hear him describe his views on speeds and feeds, routing and switching in the firewall, and cost [...]]]></description>
			<content:encoded><![CDATA[<p>Earlier this week, independent analyst <a href="http://www.threatchaos.com">Richard Stiennon</a> posted a video interview he did with Michael Xie. From Stiennon&#8217;s <a href="http://threatchaos.com/2009/07/interview-with-cto-of-fortinet-michael-xie/">blog post</a>:</p>
<blockquote><p>Michael Xie is CTO of <a href="http://www.fortinet.com/">Fortinet</a> and drives all of their development of true “Next Generation” security appliances. Hear him describe his views on speeds and feeds, routing and switching in the firewall, and cost per secure megabit.</p></blockquote>
<p>Take a look and listen (click the picture to jump to video):</p>
<p><a href="http://www.demosondemand.com/clients/dod_security/002/page/DS3_popup.html?sessionId=2653&amp;playerType=DS3-ES"><img class="alignnone size-full wp-image-426" title="michael-xie" src="http://blog.fortinet.com/wp-content/uploads/2009/07/michael-xie.jpg" alt="michael-xie" width="402" height="250" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/next-generation-security-an-interview-with-michael-xie/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Upgrading the horseless carriage</title>
		<link>http://blog.fortinet.com/upgrading-the-horseless-carriage/</link>
		<comments>http://blog.fortinet.com/upgrading-the-horseless-carriage/#comments</comments>
		<pubDate>Wed, 03 Jun 2009 14:52:42 +0000</pubDate>
		<dc:creator>DTurnbull</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[UTM]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=359</guid>
		<description><![CDATA[I decided it was high time I changed my car, well it was either that or wash it. So not being a car-o-phile I didn&#8217;t have a specific model in mind so decided to head to that area of down where all the showrooms are located. I gave the GM dealer a miss, their financial [...]]]></description>
			<content:encoded><![CDATA[<p>I decided it was high time I changed my car, well it was either that or wash it. So not being a car-o-phile I didn&#8217;t have a specific model in mind so decided to head to that area of down where all the showrooms are located. I gave the GM dealer a miss, their financial position seems way too exciting for me to come involved in just at the moment, I wish them luck.  I pick a showroom based largely on reputation and anecdotes and set about selecting a model that I thought would suit, a wheel on each corner, the right number of seats.</p>
<p>Much discussion about accessories, gadgets, gimmicks, colours and finish ensued, and after a few hours the &#8220;ideal car&#8221; was selected. The sheer range of options was amazing, but of course selecting certain features rules out other features, not all combinations are possible on all models, and then there&#8217;s the cost, which keeps ticking up with each choice made. That initial ticket price was long forgotten &#8212; we were on the hook now!</p>
<p>It seems obvious now, but as I left the showroom I realised that I hadn&#8217;t actually driven the chosen vehicle. A U-turn and a somewhat embarrassed discussion followed: they thought I&#8217;d already driven one, and I thought they should have asked me. But a couple of signatures later I drove away in the car I had selected, minus some features and with the addition of an ugly metallic blue colour &#8211; they didn&#8217;t have the exact model to hand, of course. Disaster. It didn&#8217;t fit me, or I didn&#8217;t fit it; either way the ride was uncomfortable and tiring. I felt I&#8217;d been dragging the car around, not as it should be at all.</p>
<p>Returned to the showroom, handed back the keys and cancelled the previous set of paperwork. Of course I was no longer in the frame of mind to look further, the experience was ultimately an exercise in frustration.</p>
<p>I should have done more homework: checked my financial position, worked out what my actual requirements were, read some reviews, had some expectation on price, and made sure I had a budget in mind which would not be swayed by those self-levelling, auto-cornering, self-cleaning, xenon dazzling headlights.</p>
<p>At the end of the day, it didn&#8217;t really matter how many features I added; the fundamental construction was not as I expected and the performance simply not good enough, with or without that iPod connector. I still fancy changing the car, but I&#8217;ll drive it first!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/upgrading-the-horseless-carriage/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Approaching next-generation threats</title>
		<link>http://blog.fortinet.com/approaching-next-generation-threats/</link>
		<comments>http://blog.fortinet.com/approaching-next-generation-threats/#comments</comments>
		<pubDate>Thu, 16 Apr 2009 15:39:40 +0000</pubDate>
		<dc:creator>DManky</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[security consolidation]]></category>
		<category><![CDATA[threat management]]></category>
		<category><![CDATA[UTM]]></category>

		<guid isPermaLink="false">http://blog.fortinet.com/?p=280</guid>
		<description><![CDATA[We are entering (arguably we have already entered) a digitally bound world where business, service and information flow is bountiful. In parallel, threats have been very active: we have seen a constant increase in malicious code even after a heavy spike in 2007. This increasing trend has carried over into 2009. Most of this increase [...]]]></description>
			<content:encoded><![CDATA[<p>We are entering (arguably we have already entered) a digitally bound world where business, service and information flow is bountiful. In parallel, threats have been very active: we have seen a constant increase in malicious code even after a heavy spike in 2007. This increasing trend has carried over into 2009. Most of this increase is simply a flood of variants using packing techniques, server side polymorphism, obfuscation, etc. However, there are always new threats coming out to play. Scareware, ransomware, social networking worms, mobile platform specific threats, hybrids, highly efficient worms (a la Conficker) &#8211; take your pick.</p>
<p>With cyber criminal organisations fueled by ludicrously profitable schemes, the end result we often see of a compromised system is a mixed bag of threats: trojan downloaders, botnets utilized to serve up affiliate drivers and other malicious components.</p>
<p>To further complicate matters, infrastructure has become increasingly integrated, from the telecommunications industry (mobile threats) to the public internet, as well as once closed-circuit networks hosting critical infrastructure such as <a id="wjnd" title="SCADA" href="http://en.wikipedia.org/wiki/SCADA">SCADA</a> controlled utilities. To support this integration through various services (i.e. the &#8220;Cloud&#8221;), software has become more complex and more interfaces / platforms are available to the end user. So legacy threats are enhanced (mass mailers and social engineering schemes) and new vulnerabilities and malware are introduced, while attackers simultaneously migrate to these new interfaces / platforms in order to be efficient and robust. This is a growing problem, and yes, it is a description of the arms race with cyber crime and the many challenges we are faced with. Enter next generation threats.</p>
<p>The harsh reality is that we do not live in a world in which we can flip a magic switch to route all malicious traffic to /dev/null. In other words, we must learn to live with threats just as we learn to live with crime in the physical world. Thus, the key issue turns to how to properly address and manage these threats while not having an impact on day to day operations.</p>
<p>I was recently at the <a id="yvr_" title="IT360 Technology Conference" href="http://www.it360.ca/index.php/security-sessions.html">IT360 Conference</a> in Toronto, where I gave a couple of presentations on precisely this, bearing in mind several factors. First, it is no secret that nowadays IT budgets are tight, so it is important to be able to address a wide array of threats while working within budget. Second, the sheer volume and variety of threats described above has become so large in scope that effective management is vital in order to build up your best protection. My experience has been that the general thought process towards threat management is too granular. It can be reactive, and addressed with patchy security practices such as various point solutions. Additionally, a large chunk of budget can be allocated towards IT administrators / staff struggling with the fierce pace we see on the threat landscape today. This is neither an efficient nor an effective way of dealing with modern threats. First, it is costly, as it simply requires more man hours. Second, it takes away from job function and focus that could otherwise benefit business, productivity and security procedures.</p>
<p>So what is a pragmatic approach? Layered security (defense in depth) covering both client and server side issues, which addresses:</p>
<ol>
<li>Transparency (not hindering business or placing roadblocks by blocking critical services and/or throughput)</li>
<li>Scalability</li>
<li>Cost Effectiveness</li>
<li>Management</li>
<li>Analysis &amp; Alerts</li>
</ol>
<p>Threats can come from any direction: through external sources, bridged infrastructures, and even the insider threat. Consolidated security appliances can address this big picture while offering a universal solution that is manageable, requires less licensing than costly point solutions, and is quite scalable to the ever-growing threat landscape. The idea behind using such a solution is that, on top of receiving frequent updates to protect against threats of all natures, you can leverage a worldwide team with expertise in specific threat areas (unified) and maintain a working relationship with this team / your security vendor. You can do this without having to purchase multiple point solutions to address these specific areas, which inherently can erect several roadblocks &#8211; not to mention increased management complexity. This, I believe, is key. Suddenly, you have reduced the man hours required to protect your networks and increased your protection through managed, layered security. Now your IT staff can focus on internal security efforts that are not practiced enough, such as patch management, workshops and education, threat exercises, and procedures/guidelines to address such concerns as laptops and mobile devices.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.fortinet.com/approaching-next-generation-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

