Next-gen firewalls need to evolve to avoid becoming irrelevant

Discussion in 'other firewalls' started by ronjor, Oct 31, 2014.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    "Sean Newman is a security strategist for Cisco Security Business Group"

    I suppose we should all buy one at Cisco. :D
     
  3. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I use an NGFW at home, you'd be shocked.. Possibly even - mortified - to see how many threats/exploits/attacks it blocks in a short period of time. Probably the thing that causes us to lose the most sleep in the IT field is blended threats, but it's also getting difficult to protect infrastructure with the wide variety of deployed operating systems. You have your Mac OSes, Windows, Linux, iOS, AndroidOS, BSD, SMB, and then proprietary systems based on Unix such as Asterisk, Tivo, and a multitude of others. All of these need protection of some type due to the blended threat matrix, and to individually deal with each device or OS is becoming impossible. Blended threats are beginning to impact the home, it's the latest emerging threat. As homes get a wider variety of devices, appliances, and systems, those blended threats are becoming very real.
     

    Attached Files:

  4. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,066
    Location:
    Netherlands

    Impressive, you have many tasks at hand
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @Mayahana: very interesting, that... I see some cross-platform stuff there. Nasty.

    I currently have an old laptop configured as a network gateway/firewall for home, but I haven't configured it as a UTM box; partly because I worry about the gateway itself getting compromised, giving an attacker control over my network. It seems like having a bunch of services running on a gateway, constituting a single point of attack, could be a problem.

    (Also it is unfortunately not powerful enough to run Snort...)

    Anyway would you say there is some merit to setting it up for UTM? All the attacks flying around sound a bit worrisome, especially given the Windows machines on my network.
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    What you see on that screenshot are blended threats, and that's the major issue these days. Attacks seem to be coming in blended, factoring in a variety of different machines connected to networks (home or otherwise). This is where things get difficult, as you are attempting to secure a wide range of devices with a wide range of security solutions - all costing money, and in some cases, no security solution (SmartTVs etc). So a UTM becomes the best solution.

    I personally would put a traditional router on the gateway, or a nice enterprise one if you can afford it. Then place your UTM behind that in transparent mode as your filtration. That lessens compromises because it's layered, and it requires someone to get through the gateway and then get through the IPS on the transparent UTM. Nothing wrong with an old laptop as an Untangle machine, it doesn't take much power to run it. Even a cheap little Atom mini-notebook would run it perfectly fine.

    The likelihood of snagging a blended threat increases with each engine/signature set you run. In my case I run Kaspersky UTM, Snort+Clam. Entirely different beasts, and in many cases entirely different signatures. If I remember, those SSL attacks are targeting my Tivos. Tivo generally runs unpatched, or is very slow in patching. As soon as a Tivo box starts broadcasting it starts getting tagged by exploits. Again, you aren't installing anything on a Tivo to prevent it, so a UTM is your solution.
     
  7. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    No tasks, everything was snagged at the gateway. That's all inbound threats, attempting to exploit vulnerabilities, or inject code. No UTM? Those generally hit the individual systems.

    BTW the name of the porn threat has nothing to do with porn.
     
    Last edited: Nov 3, 2014
  8. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Thanks for the explanation @Mayahana. Now that I think of it I have a bunch of obsolete networked appliances. I'll take a look at the various UTM distros.
     
  9. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Something I discovered today... ZyXEL USG NGFW doesn't scan recursive archives, but Untangle does. In penetration testing I was able to sneak a recursive EICAR past ZyXEL, which was subsequently picked up by Untangle. That gives me some comfort knowing it 'has the back' of Kaspersky UTM.
     

    Attached Files:

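An added example, not from the post and not code from either product mentioned: a small Python archive-aware scanner that shows why a nested (recursive) archive slips past a scan that only unpacks one level. The sample payload is the standard EICAR test string, wrapped in constructed zip-in-zip archives; the function and file names are my own.

```python
import io
import zipfile
from typing import Optional

# Constructed test payload: the standard EICAR anti-virus test string (harmless by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def is_eicar(data: bytes) -> bool:
    """EICAR detection rule: the 68-byte string opens the file and the file is at most 128 bytes."""
    return data.startswith(EICAR) and len(data) <= 128


def build_nested_zip(depth: int) -> bytes:
    """Wrap eicar.com inside `depth` levels of zip archives (constructed sample for the demo)."""
    payload, name = EICAR, "eicar.com"
    for level in range(1, depth + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        payload, name = buf.getvalue(), f"level{level}.zip"
    return payload


def find_eicar(data: bytes, max_depth: int, path: str = "<input>", depth: int = 0) -> Optional[str]:
    """Archive-aware scan: returns the member path where EICAR was found, or None.

    max_depth=0 behaves like a scanner that never looks inside archives;
    max_depth=1 unpacks one level only, so a zip-in-zip slips past it.
    """
    if is_eicar(data):
        return path
    if depth >= max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > 1_000_000:  # crude zip-bomb guard: skip oversized members
                continue
            hit = find_eicar(zf.read(info), max_depth, f"{path}/{info.filename}", depth + 1)
            if hit:
                return hit
    return None


if __name__ == "__main__":
    sample = build_nested_zip(2)  # eicar.com inside level1.zip inside the returned outer zip
    print("one-level scanner:", find_eicar(sample, max_depth=1))  # None
    print("recursive scanner:", find_eicar(sample, max_depth=8))  # <input>/level1.zip/eicar.com
```

Real engines cap recursion depth for the same zip-bomb reason, so the depth limit itself is a setting worth checking on any gateway scanner.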
  10. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Also most consumers/home users fail to realize the sheer number of 'true' downloads each day to their network. It goes far beyond downloading applications here and there. For example in my home we average 2,000+ downloads per day. How?

    1) Updates - various devices/programs/software.. Lots of updates. Your AV downloads packages, as does almost everything you have installed.
    2) All documents, PDFs, videos, photos, etc.
    3) Updates to games, launchers, and firmware.

    All told, it's vastly more than what people think, and only a UTM is really going to protect you from a wide range of threats, across a wide range of devices/appliances in the home. Of all of those downloads a traditional desktop AV is only going to protect you from a few, as most ignore updates, firmware, and other things. That's even if you get an AV installed on appliances and other OS gear like DVRs, etc.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I will look into this UTM stuff, but to be honest, at the moment I do not use a lot of devices that are connected to the web. I have two PCs (desktop + laptop), and I'm planning to buy a SMART TV, so I do not need a UTM at the moment.

    This is from the ESET thread. Good point, but if I had to choose between UTM and HIPS, the choice is quite easy. Besides, I'm not even into the realtime based "cloud AV" stuff.
     
  12. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Rasheed, I agree.. You probably do have tablets and phones that connect? Remember phones background connect through connection optimizers to localized WiFi when possible, and they push files/updates through that WiFi. Same with Kindle, and other tablets. We have a 60" SmartTV in the home (LOVE IT) but it's been hacked already. Mostly because I have a pretty big bullseye, and get targeted often. But Smart Appliances tend to broadcast out 'Here I am, hack me!'. There have been companies working to come up with antimalware solutions for smart appliances. However I think the consensus is that a push to move consumers to UTM-type solutions will be the best move. I have a couple Tivos in the home, and Tivo is very slow about updating. One of the primary things my UTMs block are SSL vulnerabilities in Tivo. Without a UTM my Tivos would all likely have malware installed on them. Since they have hot connections, that malware can then mine our viewing habits, and potentially allow remote control of the device.

    Last night we had 32 devices connected on the home network, about 50% were Windows, the rest were an amalgam of operating systems. Another example is a company I am analyzing something for, they have 22 iOS, 48 Android, 110 Windows, 5 Linux, 4 unclassified devices on their network. Without a blended solution they are toast.
     
  13. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hello, yes but that's the point, you don't have to pick one of them, you can continue using a HIPS if you like. Using an AV without any cloud assistance at all is like using an AV from the 90's. Not that effective.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    OK, now I know why you're so into UTMs, interesting to read. But to answer your question, I do not use tablets or smartphones at home. And I didn't know DVRs like Tivo were a target for malware? I also use a DVR, but at the moment it's not connected to the web.
     
  15. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    If you look at my UTM logs you will see a huge number of exploits targeting Tivos (based on Linux). I've seen SmartTVs hacked, as well as some VOIP devices.

    http://www.techhive.com/article/2013790/dvrs-are-being-targeted-by-hackers-says-security-expert.html
    The scary part about the situation was that traffic wasn't being generated by the bank's infrastructure. "The traffic was coming from a DVR from a cable provider connected to the bank's network," Stiansen added. "The DVR had been compromised and had compromised the whole network of the bank."
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    @ Mayahana

    This is kinda worrying, perhaps it's a good idea for me to connect as few devices as possible to the web. Luckily my DVR can receive all signals via the cable signal, but my SMART TV will of course need a connection, especially if I want to make use of NetFlix. Would be cooler if services like NetFlix were offered directly by the internet provider (via cable or IPTV signal), then there would be no need for a web connection.
     